Merge "Changes made in keystore2_client_tests to avoid test timeout issues."
diff --git a/keystore2/test_utils/key_generations.rs b/keystore2/test_utils/key_generations.rs
index 17d8914..c555760 100644
--- a/keystore2/test_utils/key_generations.rs
+++ b/keystore2/test_utils/key_generations.rs
@@ -112,6 +112,7 @@
) -> binder::Result<KeyMetadata> {
let mut key_attest = false;
let mut gen_params = AuthSetBuilder::new()
+ .no_auth_required()
.algorithm(Algorithm::EC)
.purpose(KeyPurpose::SIGN)
.purpose(KeyPurpose::VERIFY)
@@ -151,8 +152,8 @@
}
/// Generate EC signing key.
-pub fn generate_ec_key<S: IKeystoreSecurityLevel + ?Sized>(
- sec_level: &S,
+pub fn generate_ec_key(
+ sec_level: &binder::Strong<dyn IKeystoreSecurityLevel>,
domain: Domain,
nspace: i64,
alias: Option<String>,
diff --git a/keystore2/tests/keystore2_client_aes_key_tests.rs b/keystore2/tests/keystore2_client_aes_key_tests.rs
index c56eef6..885cbf5 100644
--- a/keystore2/tests/keystore2_client_aes_key_tests.rs
+++ b/keystore2/tests/keystore2_client_aes_key_tests.rs
@@ -26,7 +26,8 @@
};
use crate::keystore2_client_test_utils::{
- perform_sample_sym_key_decrypt_op, perform_sample_sym_key_encrypt_op, SAMPLE_PLAIN_TEXT,
+ has_trusty_keymint, perform_sample_sym_key_decrypt_op, perform_sample_sym_key_encrypt_op,
+ SAMPLE_PLAIN_TEXT,
};
/// Generate a AES key. Create encrypt and decrypt operations using the generated key.
@@ -391,7 +392,12 @@
&mut None,
));
assert!(result.is_err());
- assert_eq!(Error::Km(ErrorCode::MISSING_MAC_LENGTH), result.unwrap_err());
+
+ if has_trusty_keymint() {
+ assert_eq!(result.unwrap_err(), Error::Km(ErrorCode::MISSING_MAC_LENGTH));
+ } else {
+ assert_eq!(result.unwrap_err(), Error::Km(ErrorCode::UNSUPPORTED_MAC_LENGTH));
+ }
}
/// Generate a AES-GCM key with `MIN_MAC_LENGTH`. Try to create an operation using this
diff --git a/keystore2/tests/keystore2_client_ec_key_tests.rs b/keystore2/tests/keystore2_client_ec_key_tests.rs
index 60bcddf..726d61c 100644
--- a/keystore2/tests/keystore2_client_ec_key_tests.rs
+++ b/keystore2/tests/keystore2_client_ec_key_tests.rs
@@ -20,7 +20,9 @@
KeyPurpose::KeyPurpose, SecurityLevel::SecurityLevel,
};
use android_system_keystore2::aidl::android::system::keystore2::{
- Domain::Domain, KeyDescriptor::KeyDescriptor, ResponseCode::ResponseCode,
+ CreateOperationResponse::CreateOperationResponse, Domain::Domain,
+ IKeystoreSecurityLevel::IKeystoreSecurityLevel, KeyDescriptor::KeyDescriptor,
+ ResponseCode::ResponseCode,
};
use keystore2_test_utils::{
@@ -28,9 +30,171 @@
};
use crate::keystore2_client_test_utils::{
- execute_op_run_as_child, perform_sample_sign_operation, BarrierReached, ForcedOp, TestOutcome,
+ delete_app_key, execute_op_run_as_child, perform_sample_sign_operation, BarrierReached,
+ ForcedOp, TestOutcome,
};
+macro_rules! test_ec_sign_key_op_success {
+ ( $test_name:ident, $digest:expr, $ec_curve:expr ) => {
+ #[test]
+ fn $test_name() {
+ perform_ec_sign_key_op_success(stringify!($test_name), $digest, $ec_curve);
+ }
+ };
+}
+
+macro_rules! test_ec_sign_key_op_with_none_or_md5_digest {
+ ( $test_name:ident, $digest:expr, $ec_curve:expr ) => {
+ #[test]
+ fn $test_name() {
+ perform_ec_sign_key_op_with_none_or_md5_digest(
+ stringify!($test_name),
+ $digest,
+ $ec_curve,
+ );
+ }
+ };
+}
+
+fn create_ec_key_and_operation(
+ sec_level: &binder::Strong<dyn IKeystoreSecurityLevel>,
+ domain: Domain,
+ nspace: i64,
+ alias: Option<String>,
+ digest: Digest,
+ ec_curve: EcCurve,
+) -> binder::Result<CreateOperationResponse> {
+ let key_metadata =
+ key_generations::generate_ec_key(sec_level, domain, nspace, alias, ec_curve, digest)?;
+
+ sec_level.createOperation(
+ &key_metadata.key,
+ &authorizations::AuthSetBuilder::new().purpose(KeyPurpose::SIGN).digest(digest),
+ false,
+ )
+}
+
+fn perform_ec_sign_key_op_success(alias: &str, digest: Digest, ec_curve: EcCurve) {
+ let keystore2 = get_keystore_service();
+ let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+
+ let op_response = create_ec_key_and_operation(
+ &sec_level,
+ Domain::APP,
+ -1,
+ Some(alias.to_string()),
+ digest,
+ ec_curve,
+ )
+ .unwrap();
+
+ assert!(op_response.iOperation.is_some());
+ assert_eq!(
+ Ok(()),
+ key_generations::map_ks_error(perform_sample_sign_operation(
+ &op_response.iOperation.unwrap()
+ ))
+ );
+
+ delete_app_key(&keystore2, alias).unwrap();
+}
+
+fn perform_ec_sign_key_op_with_none_or_md5_digest(alias: &str, digest: Digest, ec_curve: EcCurve) {
+ let keystore2 = get_keystore_service();
+ let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+
+ match key_generations::map_ks_error(create_ec_key_and_operation(
+ &sec_level,
+ Domain::APP,
+ -1,
+ Some(alias.to_string()),
+ digest,
+ ec_curve,
+ )) {
+ Ok(op_response) => {
+ assert!(op_response.iOperation.is_some());
+ assert_eq!(
+ Ok(()),
+ key_generations::map_ks_error(perform_sample_sign_operation(
+ &op_response.iOperation.unwrap()
+ ))
+ );
+ }
+ Err(e) => {
+ assert_eq!(e, Error::Km(ErrorCode::UNSUPPORTED_DIGEST));
+ assert!(digest == Digest::NONE || digest == Digest::MD5);
+ }
+ }
+
+ delete_app_key(&keystore2, alias).unwrap();
+}
+
+// Below macros generate tests for generating EC keys with curves EcCurve::P_224, EcCurve::P_256,
+// EcCurve::P_384, EcCurve::P_521 and various digest modes. Tests tries to create operations using
+// the generated keys. Operations with digest modes `SHA1, SHA-2 224, SHA-2 256, SHA-2 384 and
+// SHA-2 512` should be created successfully. Creation of operations with digest modes NONE and
+// MD5 should fail with an error code `UNSUPPORTED_DIGEST`.
+test_ec_sign_key_op_with_none_or_md5_digest!(
+ sign_ec_key_op_none_ec_p224,
+ Digest::NONE,
+ EcCurve::P_224
+);
+test_ec_sign_key_op_with_none_or_md5_digest!(
+ sign_ec_key_op_md5_ec_p224,
+ Digest::MD5,
+ EcCurve::P_224
+);
+test_ec_sign_key_op_success!(sign_ec_key_op_sha1_ec_p224, Digest::SHA1, EcCurve::P_224);
+test_ec_sign_key_op_success!(sign_ec_key_op_sha224_ec_p224, Digest::SHA_2_224, EcCurve::P_224);
+test_ec_sign_key_op_success!(sign_ec_key_op_sha256_ec_p224, Digest::SHA_2_256, EcCurve::P_224);
+test_ec_sign_key_op_success!(sign_ec_key_op_sha384_ec_p224, Digest::SHA_2_384, EcCurve::P_224);
+test_ec_sign_key_op_success!(sign_ec_key_op_sha512_ec_p224, Digest::SHA_2_512, EcCurve::P_224);
+test_ec_sign_key_op_with_none_or_md5_digest!(
+ sign_ec_key_op_none_ec_p256,
+ Digest::NONE,
+ EcCurve::P_256
+);
+test_ec_sign_key_op_with_none_or_md5_digest!(
+ sign_ec_key_op_md5_ec_p256,
+ Digest::MD5,
+ EcCurve::P_256
+);
+test_ec_sign_key_op_success!(sign_ec_key_op_sha1_ec_p256, Digest::SHA1, EcCurve::P_256);
+test_ec_sign_key_op_success!(sign_ec_key_op_sha224_ec_p256, Digest::SHA_2_224, EcCurve::P_256);
+test_ec_sign_key_op_success!(sign_ec_key_op_sha256_ec_p256, Digest::SHA_2_256, EcCurve::P_256);
+test_ec_sign_key_op_success!(sign_ec_key_op_sha384_ec_p256, Digest::SHA_2_384, EcCurve::P_256);
+test_ec_sign_key_op_success!(sign_ec_key_op_sha512_ec_p256, Digest::SHA_2_512, EcCurve::P_256);
+test_ec_sign_key_op_with_none_or_md5_digest!(
+ sign_ec_key_op_none_ec_p384,
+ Digest::NONE,
+ EcCurve::P_384
+);
+test_ec_sign_key_op_with_none_or_md5_digest!(
+ sign_ec_key_op_md5_ec_p384,
+ Digest::MD5,
+ EcCurve::P_384
+);
+test_ec_sign_key_op_success!(sign_ec_key_op_sha1_ec_p384, Digest::SHA1, EcCurve::P_384);
+test_ec_sign_key_op_success!(sign_ec_key_op_sha224_ec_p384, Digest::SHA_2_224, EcCurve::P_384);
+test_ec_sign_key_op_success!(sign_ec_key_op_sha256_ec_p384, Digest::SHA_2_256, EcCurve::P_384);
+test_ec_sign_key_op_success!(sign_ec_key_op_sha384_ec_p384, Digest::SHA_2_384, EcCurve::P_384);
+test_ec_sign_key_op_success!(sign_ec_key_op_sha512_ec_p384, Digest::SHA_2_512, EcCurve::P_384);
+test_ec_sign_key_op_with_none_or_md5_digest!(
+ sign_ec_key_op_none_ec_p521,
+ Digest::NONE,
+ EcCurve::P_521
+);
+test_ec_sign_key_op_with_none_or_md5_digest!(
+ sign_ec_key_op_md5_ec_p521,
+ Digest::MD5,
+ EcCurve::P_521
+);
+test_ec_sign_key_op_success!(sign_ec_key_op_sha1_ec_p521, Digest::SHA1, EcCurve::P_521);
+test_ec_sign_key_op_success!(sign_ec_key_op_sha224_ec_p521, Digest::SHA_2_224, EcCurve::P_521);
+test_ec_sign_key_op_success!(sign_ec_key_op_sha256_ec_p521, Digest::SHA_2_256, EcCurve::P_521);
+test_ec_sign_key_op_success!(sign_ec_key_op_sha384_ec_p521, Digest::SHA_2_384, EcCurve::P_521);
+test_ec_sign_key_op_success!(sign_ec_key_op_sha512_ec_p521, Digest::SHA_2_512, EcCurve::P_521);
+
/// This test will try to load the key with Domain::BLOB.
/// INVALID_ARGUMENT error is expected.
#[test]
@@ -66,7 +230,7 @@
let alias = format!("ks_invalid_test_key_{}", getuid());
let result = key_generations::map_ks_error(key_generations::generate_ec_key(
- &*sec_level,
+ &sec_level,
Domain(99), // Invalid domain.
key_generations::SELINUX_SHELL_NAMESPACE,
Some(alias),
@@ -146,64 +310,6 @@
assert_eq!(Error::Km(ErrorCode::INCOMPATIBLE_PURPOSE), result.unwrap_err());
}
-/// Generate EC keys with curves EcCurve::P_224, EcCurve::P_256, EcCurve::P_384, EcCurve::P_521 and
-/// various digest modes. Try to create operations using generated keys. Operations with digest
-/// modes `SHA1, SHA-2 224, SHA-2 256, SHA-2 384 and SHA-2 512` should be created successfully.
-/// Creation of operations with digest modes NONE and MD5 should fail with an error code
-/// `UNSUPPORTED_DIGEST`.
-#[test]
-fn keystore2_ec_generate_key() {
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
-
- let digests = [
- Digest::NONE,
- Digest::MD5,
- Digest::SHA1,
- Digest::SHA_2_224,
- Digest::SHA_2_256,
- Digest::SHA_2_384,
- Digest::SHA_2_512,
- ];
-
- let ec_curves = [EcCurve::P_224, EcCurve::P_256, EcCurve::P_384, EcCurve::P_521];
-
- for ec_curve in ec_curves {
- for digest in digests {
- let alias = format!("ks_ec_test_key_gen_{}{}{}", getuid(), ec_curve.0, digest.0);
- let key_metadata = key_generations::generate_ec_key(
- &*sec_level,
- Domain::APP,
- -1,
- Some(alias.to_string()),
- ec_curve,
- digest,
- )
- .unwrap();
-
- match key_generations::map_ks_error(sec_level.createOperation(
- &key_metadata.key,
- &authorizations::AuthSetBuilder::new().purpose(KeyPurpose::SIGN).digest(digest),
- false,
- )) {
- Ok(op_response) => {
- assert!(op_response.iOperation.is_some());
- assert_eq!(
- Ok(()),
- key_generations::map_ks_error(perform_sample_sign_operation(
- &op_response.iOperation.unwrap()
- ))
- );
- }
- Err(e) => {
- assert_eq!(e, Error::Km(ErrorCode::UNSUPPORTED_DIGEST));
- assert!(digest == Digest::NONE || digest == Digest::MD5);
- }
- }
- }
- }
-}
-
/// Generate EC key with curve `CURVE_25519` and digest mode NONE. Try to create an operation using
/// generated key. `CURVE_25519` key should support `Digest::NONE` digest mode and test should be
/// able to create an operation successfully.
@@ -214,7 +320,7 @@
let alias = format!("ks_ec_25519_none_test_key_gen_{}", getuid());
let key_metadata = key_generations::generate_ec_key(
- &*sec_level,
+ &sec_level,
Domain::APP,
-1,
Some(alias),
@@ -260,7 +366,7 @@
for digest in digests {
let alias = format!("ks_ec_25519_test_key_gen_{}{}", getuid(), digest.0);
let key_metadata = key_generations::generate_ec_key(
- &*sec_level,
+ &sec_level,
Domain::APP,
-1,
Some(alias.to_string()),
@@ -289,7 +395,7 @@
let alias = "ks_ec_test_incomp_key_digest";
let key_metadata = key_generations::generate_ec_key(
- &*sec_level,
+ &sec_level,
Domain::APP,
-1,
Some(alias.to_string()),
@@ -378,7 +484,7 @@
let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
let key_metadata = key_generations::generate_ec_key(
- &*sec_level,
+ &sec_level,
Domain::BLOB,
key_generations::SELINUX_SHELL_NAMESPACE,
None,
diff --git a/keystore2/tests/keystore2_client_key_id_domain_tests.rs b/keystore2/tests/keystore2_client_key_id_domain_tests.rs
index 2a1d990..09b1378 100644
--- a/keystore2/tests/keystore2_client_key_id_domain_tests.rs
+++ b/keystore2/tests/keystore2_client_key_id_domain_tests.rs
@@ -37,7 +37,7 @@
let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
let result = key_generations::map_ks_error(key_generations::generate_ec_key(
- &*sec_level,
+ &sec_level,
Domain::KEY_ID,
key_generations::SELINUX_SHELL_NAMESPACE,
Some(alias.to_string()),
@@ -58,7 +58,7 @@
let alias = "ks_key_id_test_key";
let key_metadata = key_generations::generate_ec_key(
- &*sec_level,
+ &sec_level,
Domain::APP,
-1,
Some(alias.to_string()),
@@ -115,7 +115,7 @@
let alias = format!("ks_key_id_test_alias_rebind_1_{}", getuid());
let key_metadata = key_generations::generate_ec_key(
- &*sec_level,
+ &sec_level,
Domain::APP,
-1,
Some(alias.to_string()),
@@ -127,7 +127,7 @@
// Generate a key with same alias as above generated key, so that alias will be rebound
// to this key.
let new_key_metadata = key_generations::generate_ec_key(
- &*sec_level,
+ &sec_level,
Domain::APP,
-1,
Some(alias),
@@ -182,7 +182,7 @@
let alias = format!("ks_key_id_test_alias_rebind_2_{}", getuid());
let key_metadata = key_generations::generate_ec_key(
- &*sec_level,
+ &sec_level,
Domain::APP,
-1,
Some(alias.to_string()),
@@ -210,7 +210,7 @@
// Generate another key with same alias as above generated key, so that alias will be rebound
// to this key.
let new_key_metadata = key_generations::generate_ec_key(
- &*sec_level,
+ &sec_level,
Domain::APP,
-1,
Some(alias),
diff --git a/keystore2/tests/keystore2_client_rsa_key_tests.rs b/keystore2/tests/keystore2_client_rsa_key_tests.rs
index aa822b9..3139c2b 100644
--- a/keystore2/tests/keystore2_client_rsa_key_tests.rs
+++ b/keystore2/tests/keystore2_client_rsa_key_tests.rs
@@ -12,8 +12,6 @@
// See the License for the specific language governing permissions and
// limitations under the License.
-use nix::unistd::getuid;
-
use android_hardware_security_keymint::aidl::android::hardware::security::keymint::{
BlockMode::BlockMode, Digest::Digest, ErrorCode::ErrorCode, KeyPurpose::KeyPurpose,
PaddingMode::PaddingMode, SecurityLevel::SecurityLevel,
@@ -27,7 +25,59 @@
authorizations, get_keystore_service, key_generations, key_generations::Error,
};
-use crate::keystore2_client_test_utils::{perform_sample_sign_operation, ForcedOp};
+use crate::keystore2_client_test_utils::{
+ delete_app_key, has_trusty_keymint, perform_sample_sign_operation, ForcedOp,
+};
+
+/// This macro is used for creating signing key operation tests using digests and paddings
+/// for various key sizes.
+macro_rules! test_rsa_sign_key_op {
+ ( $test_name:ident, $digest:expr, $key_size:expr, $padding:expr ) => {
+ #[test]
+ fn $test_name() {
+ perform_rsa_sign_key_op_success($digest, $key_size, stringify!($test_name), $padding);
+ }
+ };
+
+ ( $test_name:ident, $digest:expr, $padding:expr ) => {
+ #[test]
+ fn $test_name() {
+ perform_rsa_sign_key_op_failure($digest, stringify!($test_name), $padding);
+ }
+ };
+}
+
+/// This macro is used for creating encrypt/decrypt key operation tests using digests, mgf-digests
+/// and paddings for various key sizes.
+macro_rules! test_rsa_encrypt_key_op {
+ ( $test_name:ident, $digest:expr, $key_size:expr, $padding:expr ) => {
+ #[test]
+ fn $test_name() {
+ create_rsa_encrypt_decrypt_key_op_success(
+ $digest,
+ $key_size,
+ stringify!($test_name),
+ $padding,
+ None,
+ None,
+ );
+ }
+ };
+
+ ( $test_name:ident, $digest:expr, $key_size:expr, $padding:expr, $mgf_digest:expr ) => {
+ #[test]
+ fn $test_name() {
+ create_rsa_encrypt_decrypt_key_op_success(
+ $digest,
+ $key_size,
+ stringify!($test_name),
+ $padding,
+ $mgf_digest,
+ Some(BlockMode::ECB),
+ );
+ }
+ };
+}
/// Generate a RSA key and create an operation using the generated key.
fn create_rsa_key_and_operation(
@@ -60,115 +110,1431 @@
sec_level.createOperation(&key_metadata.key, &op_params, forced_op.0)
}
-/// Generate RSA signing keys with -
-/// Padding mode: RSA_PKCS1_1_5_SIGN
-/// Digest modes: `NONE, MD5, SHA1, SHA-2 224, SHA-2 256, SHA-2 384 and SHA-2 512`
-/// Create operations with these generated keys. Test should create operations successfully.
-#[test]
-fn keystore2_rsa_generate_signing_key_padding_pkcs1_1_5() {
+/// Generate RSA signing key with given parameters and perform signing operation.
+fn perform_rsa_sign_key_op_success(
+ digest: Digest,
+ key_size: i32,
+ alias: &str,
+ padding: PaddingMode,
+) {
let keystore2 = get_keystore_service();
let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
- let digests = [
- Digest::NONE,
- Digest::MD5,
- Digest::SHA1,
- Digest::SHA_2_224,
- Digest::SHA_2_256,
- Digest::SHA_2_384,
- Digest::SHA_2_512,
- ];
+ let op_response = create_rsa_key_and_operation(
+ &sec_level,
+ Domain::APP,
+ -1,
+ Some(alias.to_string()),
+ &key_generations::KeyParams {
+ key_size,
+ purpose: vec![KeyPurpose::SIGN, KeyPurpose::VERIFY],
+ padding: Some(padding),
+ digest: Some(digest),
+ mgf_digest: None,
+ block_mode: None,
+ att_challenge: None,
+ att_app_id: None,
+ },
+ KeyPurpose::SIGN,
+ ForcedOp(false),
+ )
+ .expect("Failed to create an operation.");
- let key_sizes = [2048, 3072, 4096];
+ assert!(op_response.iOperation.is_some());
+ assert_eq!(
+ Ok(()),
+ key_generations::map_ks_error(perform_sample_sign_operation(
+ &op_response.iOperation.unwrap()
+ ))
+ );
- for key_size in key_sizes {
- for digest in digests {
- let alias = format!("ks_rsa_key_test_{}{}{}", getuid(), key_size, digest.0);
- let op_response = create_rsa_key_and_operation(
- &sec_level,
- Domain::APP,
- -1,
- Some(alias.to_string()),
- &key_generations::KeyParams {
- key_size,
- purpose: vec![KeyPurpose::SIGN, KeyPurpose::VERIFY],
- padding: Some(PaddingMode::RSA_PKCS1_1_5_SIGN),
- digest: Some(digest),
- mgf_digest: None,
- block_mode: None,
- att_challenge: None,
- att_app_id: None,
- },
- KeyPurpose::SIGN,
- ForcedOp(false),
- )
- .unwrap();
-
- assert!(op_response.iOperation.is_some());
- assert_eq!(
- Ok(()),
- key_generations::map_ks_error(perform_sample_sign_operation(
- &op_response.iOperation.unwrap()
- ))
- );
- } // End of digests.
- } // End of key-sizes.
+ delete_app_key(&keystore2, alias).unwrap();
}
-/// Generate RSA signing keys with -
-/// Padding mode: RSA_PSS
-/// Digest modes: `MD5, SHA1, SHA-2 224, SHA-2 256, SHA-2 384 and SHA-2 512`
-/// Create operations with these generated keys. Test should create operations successfully.
-#[test]
-fn keystore2_rsa_generate_signing_key_padding_pss_success() {
+/// Generate RSA signing key with given parameters and try to perform signing operation.
+/// Error `INCOMPATIBLE_DIGEST | UNKNOWN_ERROR` is expected while creating an opearation.
+fn perform_rsa_sign_key_op_failure(digest: Digest, alias: &str, padding: PaddingMode) {
let keystore2 = get_keystore_service();
let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
- let digests = [
- Digest::MD5,
- Digest::SHA1,
- Digest::SHA_2_224,
- Digest::SHA_2_256,
- Digest::SHA_2_384,
- Digest::SHA_2_512,
- ];
+ let result = key_generations::map_ks_error(create_rsa_key_and_operation(
+ &sec_level,
+ Domain::APP,
+ -1,
+ Some(alias.to_string()),
+ &key_generations::KeyParams {
+ key_size: 2048,
+ purpose: vec![KeyPurpose::SIGN, KeyPurpose::VERIFY],
+ padding: Some(padding),
+ digest: Some(digest),
+ mgf_digest: None,
+ block_mode: None,
+ att_challenge: None,
+ att_app_id: None,
+ },
+ KeyPurpose::SIGN,
+ ForcedOp(false),
+ ));
+ assert!(result.is_err());
- let key_sizes = [2048, 3072, 4096];
+ if has_trusty_keymint() {
+ assert_eq!(result.unwrap_err(), Error::Km(ErrorCode::UNKNOWN_ERROR));
+ } else {
+ assert_eq!(result.unwrap_err(), Error::Km(ErrorCode::INCOMPATIBLE_DIGEST));
+ }
- for key_size in key_sizes {
- for digest in digests {
- let alias = format!("ks_rsa_key_test_{}{}{}", getuid(), key_size, digest.0);
- let op_response = create_rsa_key_and_operation(
- &sec_level,
- Domain::APP,
- -1,
- Some(alias.to_string()),
- &key_generations::KeyParams {
- key_size,
- purpose: vec![KeyPurpose::SIGN, KeyPurpose::VERIFY],
- padding: Some(PaddingMode::RSA_PSS),
- digest: Some(digest),
- mgf_digest: None,
- block_mode: None,
- att_challenge: None,
- att_app_id: None,
- },
- KeyPurpose::SIGN,
- ForcedOp(false),
- )
- .unwrap();
-
- assert!(op_response.iOperation.is_some());
- assert_eq!(
- Ok(()),
- key_generations::map_ks_error(perform_sample_sign_operation(
- &op_response.iOperation.unwrap()
- ))
- );
- } // End of digests.
- } // End of key-sizes.
+ delete_app_key(&keystore2, alias).unwrap();
}
+/// Generate RSA encrypt/decrypt key with given parameters and perform decrypt operation.
+fn create_rsa_encrypt_decrypt_key_op_success(
+ digest: Option<Digest>,
+ key_size: i32,
+ alias: &str,
+ padding: PaddingMode,
+ mgf_digest: Option<Digest>,
+ block_mode: Option<BlockMode>,
+) {
+ let keystore2 = get_keystore_service();
+ let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+
+ let result = create_rsa_key_and_operation(
+ &sec_level,
+ Domain::APP,
+ -1,
+ Some(alias.to_string()),
+ &key_generations::KeyParams {
+ key_size,
+ purpose: vec![KeyPurpose::ENCRYPT, KeyPurpose::DECRYPT],
+ padding: Some(padding),
+ digest,
+ mgf_digest,
+ block_mode,
+ att_challenge: None,
+ att_app_id: None,
+ },
+ KeyPurpose::DECRYPT,
+ ForcedOp(false),
+ );
+
+ assert!(result.is_ok());
+
+ delete_app_key(&keystore2, alias).unwrap();
+}
+
+// Below macros generate tests for generating RSA signing keys with -
+// Padding mode: RSA_PKCS1_1_5_SIGN
+// Digest modes: `NONE, MD5, SHA1, SHA-2 224, SHA-2 256, SHA-2 384 and SHA-2 512`
+// and create operations with generated keys. Tests should create operations successfully.
+test_rsa_sign_key_op!(
+ sign_key_pkcs1_1_5_none_2048,
+ Digest::NONE,
+ 2048,
+ PaddingMode::RSA_PKCS1_1_5_SIGN
+);
+test_rsa_sign_key_op!(
+ sign_key_pkcs1_1_5_md5_2048,
+ Digest::MD5,
+ 2048,
+ PaddingMode::RSA_PKCS1_1_5_SIGN
+);
+test_rsa_sign_key_op!(
+ sign_key_pkcs1_1_5_sha1_2048,
+ Digest::SHA1,
+ 2048,
+ PaddingMode::RSA_PKCS1_1_5_SIGN
+);
+test_rsa_sign_key_op!(
+ sign_key_pkcs1_1_5_sha224_2048,
+ Digest::SHA_2_224,
+ 2048,
+ PaddingMode::RSA_PKCS1_1_5_SIGN
+);
+test_rsa_sign_key_op!(
+ sign_key_pkcs1_1_5_sha256_2048,
+ Digest::SHA_2_256,
+ 2048,
+ PaddingMode::RSA_PKCS1_1_5_SIGN
+);
+test_rsa_sign_key_op!(
+ sign_key_pkcs1_1_5_sha384_2048,
+ Digest::SHA_2_384,
+ 2048,
+ PaddingMode::RSA_PKCS1_1_5_SIGN
+);
+test_rsa_sign_key_op!(
+ sign_key_pkcs1_1_5_sha512_2048,
+ Digest::SHA_2_512,
+ 2048,
+ PaddingMode::RSA_PKCS1_1_5_SIGN
+);
+test_rsa_sign_key_op!(
+ sign_key_pkcs1_1_5_none_3072,
+ Digest::NONE,
+ 3072,
+ PaddingMode::RSA_PKCS1_1_5_SIGN
+);
+test_rsa_sign_key_op!(
+ sign_key_pkcs1_1_5_md5_3072,
+ Digest::MD5,
+ 3072,
+ PaddingMode::RSA_PKCS1_1_5_SIGN
+);
+test_rsa_sign_key_op!(
+ sign_key_pkcs1_1_5_sha1_3072,
+ Digest::SHA1,
+ 3072,
+ PaddingMode::RSA_PKCS1_1_5_SIGN
+);
+test_rsa_sign_key_op!(
+ sign_key_pkcs1_1_5_sha224_3072,
+ Digest::SHA_2_224,
+ 3072,
+ PaddingMode::RSA_PKCS1_1_5_SIGN
+);
+test_rsa_sign_key_op!(
+ sign_key_pkcs1_1_5_sha256_3072,
+ Digest::SHA_2_256,
+ 3072,
+ PaddingMode::RSA_PKCS1_1_5_SIGN
+);
+test_rsa_sign_key_op!(
+ sign_key_pkcs1_1_5_sha384_3072,
+ Digest::SHA_2_384,
+ 3072,
+ PaddingMode::RSA_PKCS1_1_5_SIGN
+);
+test_rsa_sign_key_op!(
+ sign_key_pkcs1_1_5_sha512_3072,
+ Digest::SHA_2_512,
+ 3072,
+ PaddingMode::RSA_PKCS1_1_5_SIGN
+);
+test_rsa_sign_key_op!(
+ sign_key_pkcs1_1_5_none_4096,
+ Digest::NONE,
+ 4096,
+ PaddingMode::RSA_PKCS1_1_5_SIGN
+);
+test_rsa_sign_key_op!(
+ sign_key_pkcs1_1_5_md5_4096,
+ Digest::MD5,
+ 4096,
+ PaddingMode::RSA_PKCS1_1_5_SIGN
+);
+test_rsa_sign_key_op!(
+ sign_key_pkcs1_1_5_sha1_4096,
+ Digest::SHA1,
+ 4096,
+ PaddingMode::RSA_PKCS1_1_5_SIGN
+);
+test_rsa_sign_key_op!(
+ sign_key_pkcs1_1_5_sha224_4096,
+ Digest::SHA_2_224,
+ 4096,
+ PaddingMode::RSA_PKCS1_1_5_SIGN
+);
+test_rsa_sign_key_op!(
+ sign_key_pkcs1_1_5_sha256_4096,
+ Digest::SHA_2_256,
+ 4096,
+ PaddingMode::RSA_PKCS1_1_5_SIGN
+);
+test_rsa_sign_key_op!(
+ sign_key_pkcs1_1_5_sha384_4096,
+ Digest::SHA_2_384,
+ 4096,
+ PaddingMode::RSA_PKCS1_1_5_SIGN
+);
+test_rsa_sign_key_op!(
+ sign_key_pkcs1_1_5_sha512_4096,
+ Digest::SHA_2_512,
+ 4096,
+ PaddingMode::RSA_PKCS1_1_5_SIGN
+);
+
+// Below macros generate tests for generating RSA signing keys with -
+// Padding mode: RSA_PSS
+// Digest modes: `MD5, SHA1, SHA-2 224, SHA-2 256, SHA-2 384 and SHA-2 512`
+// and create operations with generated keys. Tests should create operations
+// successfully.
+test_rsa_sign_key_op!(sign_key_pss_md5_2048, Digest::MD5, 2048, PaddingMode::RSA_PSS);
+test_rsa_sign_key_op!(sign_key_pss_sha1_2048, Digest::SHA1, 2048, PaddingMode::RSA_PSS);
+test_rsa_sign_key_op!(sign_key_pss_sha224_2048, Digest::SHA_2_224, 2048, PaddingMode::RSA_PSS);
+test_rsa_sign_key_op!(sign_key_pss_sha256_2048, Digest::SHA_2_256, 2048, PaddingMode::RSA_PSS);
+test_rsa_sign_key_op!(sign_key_pss_sha384_2048, Digest::SHA_2_384, 2048, PaddingMode::RSA_PSS);
+test_rsa_sign_key_op!(sign_key_pss_sha512_2048, Digest::SHA_2_512, 2048, PaddingMode::RSA_PSS);
+test_rsa_sign_key_op!(sign_key_pss_md5_3072, Digest::MD5, 3072, PaddingMode::RSA_PSS);
+test_rsa_sign_key_op!(sign_key_pss_sha1_3072, Digest::SHA1, 3072, PaddingMode::RSA_PSS);
+test_rsa_sign_key_op!(sign_key_pss_sha224_3072, Digest::SHA_2_224, 3072, PaddingMode::RSA_PSS);
+test_rsa_sign_key_op!(sign_key_pss_sha256_3072, Digest::SHA_2_256, 3072, PaddingMode::RSA_PSS);
+test_rsa_sign_key_op!(sign_key_pss_sha384_3072, Digest::SHA_2_384, 3072, PaddingMode::RSA_PSS);
+test_rsa_sign_key_op!(sign_key_pss_sha512_3072, Digest::SHA_2_512, 3072, PaddingMode::RSA_PSS);
+test_rsa_sign_key_op!(sign_key_pss_md5_4096, Digest::MD5, 4096, PaddingMode::RSA_PSS);
+test_rsa_sign_key_op!(sign_key_pss_sha1_4096, Digest::SHA1, 4096, PaddingMode::RSA_PSS);
+test_rsa_sign_key_op!(sign_key_pss_sha224_4096, Digest::SHA_2_224, 4096, PaddingMode::RSA_PSS);
+test_rsa_sign_key_op!(sign_key_pss_sha256_4096, Digest::SHA_2_256, 4096, PaddingMode::RSA_PSS);
+test_rsa_sign_key_op!(sign_key_pss_sha384_4096, Digest::SHA_2_384, 4096, PaddingMode::RSA_PSS);
+test_rsa_sign_key_op!(sign_key_pss_sha512_4096, Digest::SHA_2_512, 4096, PaddingMode::RSA_PSS);
+
+// Below macros generate tests for generating RSA signing keys with -
+// Padding mode: `NONE`
+// Digest mode `NONE`
+// and try to create operations with generated keys. Tests should create operations
+// successfully.
+test_rsa_sign_key_op!(sign_key_none_none_2048, Digest::NONE, 2048, PaddingMode::NONE);
+test_rsa_sign_key_op!(sign_key_none_none_3072, Digest::NONE, 3072, PaddingMode::NONE);
+test_rsa_sign_key_op!(sign_key_none_none_4096, Digest::NONE, 4096, PaddingMode::NONE);
+
+// Below macros generate tests for generating RSA signing keys with -
+// Padding mode: `NONE`
+// Digest modes: `MD5, SHA1, SHA-2 224, SHA-2 256, SHA-2 384 and SHA-2 512`
+// and create operations with generated keys. Tests should fail to create operations with
+// an error code `UNKNOWN_ERROR | INCOMPATIBLE_DIGEST`.
+test_rsa_sign_key_op!(sign_key_none_md5_2048, Digest::MD5, PaddingMode::NONE);
+test_rsa_sign_key_op!(sign_key_none_sha1_2048, Digest::SHA1, PaddingMode::NONE);
+test_rsa_sign_key_op!(sign_key_none_sha224_2048, Digest::SHA_2_224, PaddingMode::NONE);
+test_rsa_sign_key_op!(sign_key_none_sha256_2048, Digest::SHA_2_256, PaddingMode::NONE);
+test_rsa_sign_key_op!(sign_key_none_sha384_2048, Digest::SHA_2_384, PaddingMode::NONE);
+test_rsa_sign_key_op!(sign_key_none_sha512_2048, Digest::SHA_2_512, PaddingMode::NONE);
+
+// Below macros generate tests for generating RSA encryption keys with various digest mode
+// and padding mode combinations.
+// Digest modes: `MD5, SHA1, SHA-2 224, SHA-2 256, SHA-2 384 and SHA-2 512`
+// Padding modes: `NONE, RSA_PKCS1_1_5_ENCRYPT`
+// and try to create operations using generated keys, tests should create operations successfully.
+test_rsa_encrypt_key_op!(
+ encrypt_key_pkcs1_1_5_none_2048,
+ Some(Digest::NONE),
+ 2048,
+ PaddingMode::RSA_PKCS1_1_5_ENCRYPT
+);
+test_rsa_encrypt_key_op!(
+ encrypt_key_pkcs1_1_5_md5_2048,
+ Some(Digest::MD5),
+ 2048,
+ PaddingMode::RSA_PKCS1_1_5_ENCRYPT
+);
+test_rsa_encrypt_key_op!(
+ encrypt_key_pkcs1_1_5_sha1_2048,
+ Some(Digest::SHA1),
+ 2048,
+ PaddingMode::RSA_PKCS1_1_5_ENCRYPT
+);
+test_rsa_encrypt_key_op!(
+ encrypt_key_pkcs1_1_5_sha224_2048,
+ Some(Digest::SHA_2_224),
+ 2048,
+ PaddingMode::RSA_PKCS1_1_5_ENCRYPT
+);
+test_rsa_encrypt_key_op!(
+ encrypt_key_pkcs1_1_5_sha256_2048,
+ Some(Digest::SHA_2_256),
+ 2048,
+ PaddingMode::RSA_PKCS1_1_5_ENCRYPT
+);
+test_rsa_encrypt_key_op!(
+ encrypt_key_pkcs1_1_5_sha384_2048,
+ Some(Digest::SHA_2_384),
+ 2048,
+ PaddingMode::RSA_PKCS1_1_5_ENCRYPT
+);
+test_rsa_encrypt_key_op!(
+ encrypt_key_pkcs1_1_5_sha512_2048,
+ Some(Digest::SHA_2_512),
+ 2048,
+ PaddingMode::RSA_PKCS1_1_5_ENCRYPT
+);
+test_rsa_encrypt_key_op!(
+ encrypt_key_pkcs1_1_5_none_3072,
+ Some(Digest::NONE),
+ 3072,
+ PaddingMode::RSA_PKCS1_1_5_ENCRYPT
+);
+test_rsa_encrypt_key_op!(
+ encrypt_key_pkcs1_1_5_md5_3072,
+ Some(Digest::MD5),
+ 3072,
+ PaddingMode::RSA_PKCS1_1_5_ENCRYPT
+);
+test_rsa_encrypt_key_op!(
+ encrypt_key_pkcs1_1_5_sha1_3072,
+ Some(Digest::SHA1),
+ 3072,
+ PaddingMode::RSA_PKCS1_1_5_ENCRYPT
+);
+test_rsa_encrypt_key_op!(
+ encrypt_key_pkcs1_1_5_sha224_3072,
+ Some(Digest::SHA_2_224),
+ 3072,
+ PaddingMode::RSA_PKCS1_1_5_ENCRYPT
+);
+test_rsa_encrypt_key_op!(
+ encrypt_key_pkcs1_1_5_sha256_3072,
+ Some(Digest::SHA_2_256),
+ 3072,
+ PaddingMode::RSA_PKCS1_1_5_ENCRYPT
+);
+test_rsa_encrypt_key_op!(
+ encrypt_key_pkcs1_1_5_sha384_3072,
+ Some(Digest::SHA_2_384),
+ 3072,
+ PaddingMode::RSA_PKCS1_1_5_ENCRYPT
+);
+test_rsa_encrypt_key_op!(
+ encrypt_key_pkcs1_1_5_sha512_3072,
+ Some(Digest::SHA_2_512),
+ 3072,
+ PaddingMode::RSA_PKCS1_1_5_ENCRYPT
+);
+test_rsa_encrypt_key_op!(
+ encrypt_key_pkcs1_1_5_none_4096,
+ Some(Digest::NONE),
+ 4096,
+ PaddingMode::RSA_PKCS1_1_5_ENCRYPT
+);
+test_rsa_encrypt_key_op!(
+ encrypt_key_pkcs1_1_5_md5_4096,
+ Some(Digest::MD5),
+ 4096,
+ PaddingMode::RSA_PKCS1_1_5_ENCRYPT
+);
+test_rsa_encrypt_key_op!(
+ encrypt_key_pkcs1_1_5_sha1_4096,
+ Some(Digest::SHA1),
+ 4096,
+ PaddingMode::RSA_PKCS1_1_5_ENCRYPT
+);
+test_rsa_encrypt_key_op!(
+ encrypt_key_pkcs1_1_5_sha224_4096,
+ Some(Digest::SHA_2_224),
+ 4096,
+ PaddingMode::RSA_PKCS1_1_5_ENCRYPT
+);
+test_rsa_encrypt_key_op!(
+ encrypt_key_pkcs1_1_5_sha256_4096,
+ Some(Digest::SHA_2_256),
+ 4096,
+ PaddingMode::RSA_PKCS1_1_5_ENCRYPT
+);
+test_rsa_encrypt_key_op!(
+ encrypt_key_pkcs1_1_5_sha384_4096,
+ Some(Digest::SHA_2_384),
+ 4096,
+ PaddingMode::RSA_PKCS1_1_5_ENCRYPT
+);
+test_rsa_encrypt_key_op!(
+ encrypt_key_pkcs1_1_5_sha512_4096,
+ Some(Digest::SHA_2_512),
+ 4096,
+ PaddingMode::RSA_PKCS1_1_5_ENCRYPT
+);
+test_rsa_encrypt_key_op!(encrypt_key_none_none_2048, Some(Digest::NONE), 2048, PaddingMode::NONE);
+test_rsa_encrypt_key_op!(encrypt_key_none_md5_2048, Some(Digest::MD5), 2048, PaddingMode::NONE);
+test_rsa_encrypt_key_op!(encrypt_key_none_sha1_2048, Some(Digest::SHA1), 2048, PaddingMode::NONE);
+test_rsa_encrypt_key_op!(
+ encrypt_key_none_sha224_2048,
+ Some(Digest::SHA_2_224),
+ 2048,
+ PaddingMode::NONE
+);
+test_rsa_encrypt_key_op!(
+ encrypt_key_none_sha256_2048,
+ Some(Digest::SHA_2_256),
+ 2048,
+ PaddingMode::NONE
+);
+test_rsa_encrypt_key_op!(
+ encrypt_key_none_sha384_2048,
+ Some(Digest::SHA_2_384),
+ 2048,
+ PaddingMode::NONE
+);
+test_rsa_encrypt_key_op!(
+ encrypt_key_none_sha512_2048,
+ Some(Digest::SHA_2_512),
+ 2048,
+ PaddingMode::NONE
+);
+test_rsa_encrypt_key_op!(encrypt_key_none_none_3072, Some(Digest::NONE), 3072, PaddingMode::NONE);
+test_rsa_encrypt_key_op!(encrypt_key_none_md5_3072, Some(Digest::MD5), 3072, PaddingMode::NONE);
+test_rsa_encrypt_key_op!(encrypt_key_none_sha1_3072, Some(Digest::SHA1), 3072, PaddingMode::NONE);
+test_rsa_encrypt_key_op!(
+ encrypt_key_none_sha224_3072,
+ Some(Digest::SHA_2_224),
+ 3072,
+ PaddingMode::NONE
+);
+test_rsa_encrypt_key_op!(
+ encrypt_key_none_sha256_3072,
+ Some(Digest::SHA_2_256),
+ 3072,
+ PaddingMode::NONE
+);
+test_rsa_encrypt_key_op!(
+ encrypt_key_none_sha384_3072,
+ Some(Digest::SHA_2_384),
+ 3072,
+ PaddingMode::NONE
+);
+test_rsa_encrypt_key_op!(
+ encrypt_key_none_sha512_3072,
+ Some(Digest::SHA_2_512),
+ 3072,
+ PaddingMode::NONE
+);
+test_rsa_encrypt_key_op!(encrypt_key_none_none_4096, Some(Digest::NONE), 4096, PaddingMode::NONE);
+test_rsa_encrypt_key_op!(encrypt_key_none_md5_4096, Some(Digest::MD5), 4096, PaddingMode::NONE);
+test_rsa_encrypt_key_op!(encrypt_key_none_sha1_4096, Some(Digest::SHA1), 4096, PaddingMode::NONE);
+test_rsa_encrypt_key_op!(
+ encrypt_key_none_sha224_4096,
+ Some(Digest::SHA_2_224),
+ 4096,
+ PaddingMode::NONE
+);
+test_rsa_encrypt_key_op!(
+ encrypt_key_none_sha256_4096,
+ Some(Digest::SHA_2_256),
+ 4096,
+ PaddingMode::NONE
+);
+test_rsa_encrypt_key_op!(
+ encrypt_key_none_sha384_4096,
+ Some(Digest::SHA_2_384),
+ 4096,
+ PaddingMode::NONE
+);
+test_rsa_encrypt_key_op!(
+ encrypt_key_none_sha512_4096,
+ Some(Digest::SHA_2_512),
+ 4096,
+ PaddingMode::NONE
+);
+
+// Below macros generate tests for generating RSA keys with -
+// Padding Mode: `RSA_OAEP`
+// Digest modes: `MD5, SHA1, SHA-2 224, SHA-2 256, SHA-2 384 and SHA-2 512`
+// mgf-digests: `MD5, SHA1, SHA-2 224, SHA-2 256, SHA-2 384 and SHA-2 512`
+// and create a decrypt operations using generated keys. Tests should create operations
+// successfully.
+test_rsa_encrypt_key_op!(
+ encrypt_key_oaep_md5_md5_2048,
+ Some(Digest::MD5),
+ 2048,
+ PaddingMode::RSA_OAEP,
+ Some(Digest::MD5)
+);
+test_rsa_encrypt_key_op!(
+ encrypt_key_oaep_md5_sha1_2048,
+ Some(Digest::MD5),
+ 2048,
+ PaddingMode::RSA_OAEP,
+ Some(Digest::SHA1)
+);
+test_rsa_encrypt_key_op!(
+ encrypt_key_oaep_md5_sha224_2048,
+ Some(Digest::MD5),
+ 2048,
+ PaddingMode::RSA_OAEP,
+ Some(Digest::SHA_2_224)
+);
+test_rsa_encrypt_key_op!(
+ encrypt_key_oaep_md5_sha256_2048,
+ Some(Digest::MD5),
+ 2048,
+ PaddingMode::RSA_OAEP,
+ Some(Digest::SHA_2_256)
+);
+test_rsa_encrypt_key_op!(
+ encrypt_key_oaep_md5_sha384_2048,
+ Some(Digest::MD5),
+ 2048,
+ PaddingMode::RSA_OAEP,
+ Some(Digest::SHA_2_384)
+);
+test_rsa_encrypt_key_op!(
+ encrypt_key_oaep_md5_sha512_2048,
+ Some(Digest::MD5),
+ 2048,
+ PaddingMode::RSA_OAEP,
+ Some(Digest::SHA_2_512)
+);
+test_rsa_encrypt_key_op!(
+ encrypt_key_oaep_sha1_md5_2048,
+ Some(Digest::SHA1),
+ 2048,
+ PaddingMode::RSA_OAEP,
+ Some(Digest::MD5)
+);
+test_rsa_encrypt_key_op!(
+ encrypt_key_oaep_sha1_sha1_2048,
+ Some(Digest::SHA1),
+ 2048,
+ PaddingMode::RSA_OAEP,
+ Some(Digest::SHA1)
+);
+test_rsa_encrypt_key_op!(
+ encrypt_key_oaep_sha1_sha224_2048,
+ Some(Digest::SHA1),
+ 2048,
+ PaddingMode::RSA_OAEP,
+ Some(Digest::SHA_2_224)
+);
+test_rsa_encrypt_key_op!(
+ encrypt_key_oaep_sha1_sha256_2048,
+ Some(Digest::SHA1),
+ 2048,
+ PaddingMode::RSA_OAEP,
+ Some(Digest::SHA_2_256)
+);
+test_rsa_encrypt_key_op!(
+ encrypt_key_oaep_sha1_sha384_2048,
+ Some(Digest::SHA1),
+ 2048,
+ PaddingMode::RSA_OAEP,
+ Some(Digest::SHA_2_384)
+);
+test_rsa_encrypt_key_op!(
+ encrypt_key_oaep_sha1_sha512_2048,
+ Some(Digest::SHA1),
+ 2048,
+ PaddingMode::RSA_OAEP,
+ Some(Digest::SHA_2_512)
+);
+test_rsa_encrypt_key_op!(
+ encrypt_key_oaep_sha224_md5_2048,
+ Some(Digest::SHA_2_224),
+ 2048,
+ PaddingMode::RSA_OAEP,
+ Some(Digest::MD5)
+);
+test_rsa_encrypt_key_op!(
+ encrypt_key_oaep_sha224_sha1_2048,
+ Some(Digest::SHA_2_224),
+ 2048,
+ PaddingMode::RSA_OAEP,
+ Some(Digest::SHA1)
+);
+test_rsa_encrypt_key_op!(
+ encrypt_key_oaep_sha224_sha224_2048,
+ Some(Digest::SHA_2_224),
+ 2048,
+ PaddingMode::RSA_OAEP,
+ Some(Digest::SHA_2_224)
+);
+test_rsa_encrypt_key_op!(
+ encrypt_key_oaep_sha224_sha256_2048,
+ Some(Digest::SHA_2_224),
+ 2048,
+ PaddingMode::RSA_OAEP,
+ Some(Digest::SHA_2_256)
+);
+test_rsa_encrypt_key_op!(
+ encrypt_key_oaep_sha224_sha384_2048,
+ Some(Digest::SHA_2_224),
+ 2048,
+ PaddingMode::RSA_OAEP,
+ Some(Digest::SHA_2_384)
+);
+test_rsa_encrypt_key_op!(
+ encrypt_key_oaep_sha224_sha512_2048,
+ Some(Digest::SHA_2_224),
+ 2048,
+ PaddingMode::RSA_OAEP,
+ Some(Digest::SHA_2_512)
+);
+test_rsa_encrypt_key_op!(
+ encrypt_key_oaep_sha256_md5_2048,
+ Some(Digest::SHA_2_256),
+ 2048,
+ PaddingMode::RSA_OAEP,
+ Some(Digest::MD5)
+);
+test_rsa_encrypt_key_op!(
+ encrypt_key_oaep_sha256_sha1_2048,
+ Some(Digest::SHA_2_256),
+ 2048,
+ PaddingMode::RSA_OAEP,
+ Some(Digest::SHA1)
+);
+test_rsa_encrypt_key_op!(
+ encrypt_key_oaep_sha256_sha224_2048,
+ Some(Digest::SHA_2_256),
+ 2048,
+ PaddingMode::RSA_OAEP,
+ Some(Digest::SHA_2_224)
+);
+test_rsa_encrypt_key_op!(
+ encrypt_key_oaep_sha256_sha256_2048,
+ Some(Digest::SHA_2_256),
+ 2048,
+ PaddingMode::RSA_OAEP,
+ Some(Digest::SHA_2_256)
+);
+test_rsa_encrypt_key_op!(
+ encrypt_key_oaep_sha256_sha384_2048,
+ Some(Digest::SHA_2_256),
+ 2048,
+ PaddingMode::RSA_OAEP,
+ Some(Digest::SHA_2_384)
+);
+test_rsa_encrypt_key_op!(
+ encrypt_key_oaep_sha256_sha512_2048,
+ Some(Digest::SHA_2_256),
+ 2048,
+ PaddingMode::RSA_OAEP,
+ Some(Digest::SHA_2_512)
+);
+test_rsa_encrypt_key_op!(
+ encrypt_key_oaep_sha384_md5_2048,
+ Some(Digest::SHA_2_384),
+ 2048,
+ PaddingMode::RSA_OAEP,
+ Some(Digest::MD5)
+);
+test_rsa_encrypt_key_op!(
+ encrypt_key_oaep_sha384_sha1_2048,
+ Some(Digest::SHA_2_384),
+ 2048,
+ PaddingMode::RSA_OAEP,
+ Some(Digest::SHA1)
+);
+test_rsa_encrypt_key_op!(
+ encrypt_key_oaep_sha384_sha224_2048,
+ Some(Digest::SHA_2_384),
+ 2048,
+ PaddingMode::RSA_OAEP,
+ Some(Digest::SHA_2_224)
+);
+test_rsa_encrypt_key_op!(
+ encrypt_key_oaep_sha384_sha256_2048,
+ Some(Digest::SHA_2_384),
+ 2048,
+ PaddingMode::RSA_OAEP,
+ Some(Digest::SHA_2_256)
+);
+test_rsa_encrypt_key_op!(
+ encrypt_key_oaep_sha384_sha384_2048,
+ Some(Digest::SHA_2_384),
+ 2048,
+ PaddingMode::RSA_OAEP,
+ Some(Digest::SHA_2_384)
+);
+test_rsa_encrypt_key_op!(
+ encrypt_key_oaep_sha384_sha512_2048,
+ Some(Digest::SHA_2_384),
+ 2048,
+ PaddingMode::RSA_OAEP,
+ Some(Digest::SHA_2_512)
+);
+test_rsa_encrypt_key_op!(
+ encrypt_key_oaep_sha512_md5_2048,
+ Some(Digest::SHA_2_512),
+ 2048,
+ PaddingMode::RSA_OAEP,
+ Some(Digest::MD5)
+);
+test_rsa_encrypt_key_op!(
+ encrypt_key_oaep_sha512_sha1_2048,
+ Some(Digest::SHA_2_512),
+ 2048,
+ PaddingMode::RSA_OAEP,
+ Some(Digest::SHA1)
+);
+test_rsa_encrypt_key_op!(
+ encrypt_key_oaep_sha512_sha224_2048,
+ Some(Digest::SHA_2_512),
+ 2048,
+ PaddingMode::RSA_OAEP,
+ Some(Digest::SHA_2_224)
+);
+test_rsa_encrypt_key_op!(
+ encrypt_key_oaep_sha512_sha256_2048,
+ Some(Digest::SHA_2_512),
+ 2048,
+ PaddingMode::RSA_OAEP,
+ Some(Digest::SHA_2_256)
+);
+test_rsa_encrypt_key_op!(
+ encrypt_key_oaep_sha512_sha384_2048,
+ Some(Digest::SHA_2_512),
+ 2048,
+ PaddingMode::RSA_OAEP,
+ Some(Digest::SHA_2_384)
+);
+test_rsa_encrypt_key_op!(
+ encrypt_key_oaep_sha512_sha512_2048,
+ Some(Digest::SHA_2_512),
+ 2048,
+ PaddingMode::RSA_OAEP,
+ Some(Digest::SHA_2_512)
+);
+test_rsa_encrypt_key_op!(
+ encrypt_key_oaep_md5_md5_3072,
+ Some(Digest::MD5),
+ 3072,
+ PaddingMode::RSA_OAEP,
+ Some(Digest::MD5)
+);
+test_rsa_encrypt_key_op!(
+ encrypt_key_oaep_md5_sha1_3072,
+ Some(Digest::MD5),
+ 3072,
+ PaddingMode::RSA_OAEP,
+ Some(Digest::SHA1)
+);
+test_rsa_encrypt_key_op!(
+ encrypt_key_oaep_md5_sha224_3072,
+ Some(Digest::MD5),
+ 3072,
+ PaddingMode::RSA_OAEP,
+ Some(Digest::SHA_2_224)
+);
+test_rsa_encrypt_key_op!(
+ encrypt_key_oaep_md5_sha256_3072,
+ Some(Digest::MD5),
+ 3072,
+ PaddingMode::RSA_OAEP,
+ Some(Digest::SHA_2_256)
+);
+test_rsa_encrypt_key_op!(
+ encrypt_key_oaep_md5_sha384_3072,
+ Some(Digest::MD5),
+ 3072,
+ PaddingMode::RSA_OAEP,
+ Some(Digest::SHA_2_384)
+);
+test_rsa_encrypt_key_op!(
+ encrypt_key_oaep_md5_sha512_3072,
+ Some(Digest::MD5),
+ 3072,
+ PaddingMode::RSA_OAEP,
+ Some(Digest::SHA_2_512)
+);
+test_rsa_encrypt_key_op!(
+ encrypt_key_oaep_sha1_md5_3072,
+ Some(Digest::SHA1),
+ 3072,
+ PaddingMode::RSA_OAEP,
+ Some(Digest::MD5)
+);
+test_rsa_encrypt_key_op!(
+ encrypt_key_oaep_sha1_sha1_3072,
+ Some(Digest::SHA1),
+ 3072,
+ PaddingMode::RSA_OAEP,
+ Some(Digest::SHA1)
+);
+test_rsa_encrypt_key_op!(
+ encrypt_key_oaep_sha1_sha224_3072,
+ Some(Digest::SHA1),
+ 3072,
+ PaddingMode::RSA_OAEP,
+ Some(Digest::SHA_2_224)
+);
+test_rsa_encrypt_key_op!(
+ encrypt_key_oaep_sha1_sha256_3072,
+ Some(Digest::SHA1),
+ 3072,
+ PaddingMode::RSA_OAEP,
+ Some(Digest::SHA_2_256)
+);
+test_rsa_encrypt_key_op!(
+ encrypt_key_oaep_sha1_sha384_3072,
+ Some(Digest::SHA1),
+ 3072,
+ PaddingMode::RSA_OAEP,
+ Some(Digest::SHA_2_384)
+);
+test_rsa_encrypt_key_op!(
+ encrypt_key_oaep_sha1_sha512_3072,
+ Some(Digest::SHA1),
+ 3072,
+ PaddingMode::RSA_OAEP,
+ Some(Digest::SHA_2_512)
+);
+test_rsa_encrypt_key_op!(
+ encrypt_key_oaep_sha224_md5_3072,
+ Some(Digest::SHA_2_224),
+ 3072,
+ PaddingMode::RSA_OAEP,
+ Some(Digest::MD5)
+);
+test_rsa_encrypt_key_op!(
+ encrypt_key_oaep_sha224_sha1_3072,
+ Some(Digest::SHA_2_224),
+ 3072,
+ PaddingMode::RSA_OAEP,
+ Some(Digest::SHA1)
+);
+test_rsa_encrypt_key_op!(
+ encrypt_key_oaep_sha224_sha224_3072,
+ Some(Digest::SHA_2_224),
+ 3072,
+ PaddingMode::RSA_OAEP,
+ Some(Digest::SHA_2_224)
+);
+test_rsa_encrypt_key_op!(
+ encrypt_key_oaep_sha224_sha256_3072,
+ Some(Digest::SHA_2_224),
+ 3072,
+ PaddingMode::RSA_OAEP,
+ Some(Digest::SHA_2_256)
+);
+test_rsa_encrypt_key_op!(
+ encrypt_key_oaep_sha224_sha384_3072,
+ Some(Digest::SHA_2_224),
+ 3072,
+ PaddingMode::RSA_OAEP,
+ Some(Digest::SHA_2_384)
+);
+test_rsa_encrypt_key_op!(
+ encrypt_key_oaep_sha224_sha512_3072,
+ Some(Digest::SHA_2_224),
+ 3072,
+ PaddingMode::RSA_OAEP,
+ Some(Digest::SHA_2_512)
+);
+test_rsa_encrypt_key_op!(
+ encrypt_key_oaep_sha256_md5_3072,
+ Some(Digest::SHA_2_256),
+ 3072,
+ PaddingMode::RSA_OAEP,
+ Some(Digest::MD5)
+);
+test_rsa_encrypt_key_op!(
+ encrypt_key_oaep_sha256_sha1_3072,
+ Some(Digest::SHA_2_256),
+ 3072,
+ PaddingMode::RSA_OAEP,
+ Some(Digest::SHA1)
+);
+test_rsa_encrypt_key_op!(
+ encrypt_key_oaep_sha256_sha224_3072,
+ Some(Digest::SHA_2_256),
+ 3072,
+ PaddingMode::RSA_OAEP,
+ Some(Digest::SHA_2_224)
+);
+test_rsa_encrypt_key_op!(
+ encrypt_key_oaep_sha256_sha256_3072,
+ Some(Digest::SHA_2_256),
+ 3072,
+ PaddingMode::RSA_OAEP,
+ Some(Digest::SHA_2_256)
+);
+test_rsa_encrypt_key_op!(
+ encrypt_key_oaep_sha256_sha384_3072,
+ Some(Digest::SHA_2_256),
+ 3072,
+ PaddingMode::RSA_OAEP,
+ Some(Digest::SHA_2_384)
+);
+test_rsa_encrypt_key_op!(
+ encrypt_key_oaep_sha256_sha512_3072,
+ Some(Digest::SHA_2_256),
+ 3072,
+ PaddingMode::RSA_OAEP,
+ Some(Digest::SHA_2_512)
+);
+test_rsa_encrypt_key_op!(
+ encrypt_key_oaep_sha384_md5_3072,
+ Some(Digest::SHA_2_384),
+ 3072,
+ PaddingMode::RSA_OAEP,
+ Some(Digest::MD5)
+);
+test_rsa_encrypt_key_op!(
+ encrypt_key_oaep_sha384_sha1_3072,
+ Some(Digest::SHA_2_384),
+ 3072,
+ PaddingMode::RSA_OAEP,
+ Some(Digest::SHA1)
+);
+test_rsa_encrypt_key_op!(
+ encrypt_key_oaep_sha384_sha224_3072,
+ Some(Digest::SHA_2_384),
+ 3072,
+ PaddingMode::RSA_OAEP,
+ Some(Digest::SHA_2_224)
+);
+test_rsa_encrypt_key_op!(
+ encrypt_key_oaep_sha384_sha256_3072,
+ Some(Digest::SHA_2_384),
+ 3072,
+ PaddingMode::RSA_OAEP,
+ Some(Digest::SHA_2_256)
+);
+test_rsa_encrypt_key_op!(
+ encrypt_key_oaep_sha384_sha384_3072,
+ Some(Digest::SHA_2_384),
+ 3072,
+ PaddingMode::RSA_OAEP,
+ Some(Digest::SHA_2_384)
+);
+test_rsa_encrypt_key_op!(
+ encrypt_key_oaep_sha384_sha512_3072,
+ Some(Digest::SHA_2_384),
+ 3072,
+ PaddingMode::RSA_OAEP,
+ Some(Digest::SHA_2_512)
+);
+test_rsa_encrypt_key_op!(
+ encrypt_key_oaep_sha512_md5_3072,
+ Some(Digest::SHA_2_512),
+ 3072,
+ PaddingMode::RSA_OAEP,
+ Some(Digest::MD5)
+);
+test_rsa_encrypt_key_op!(
+ encrypt_key_oaep_sha512_sha1_3072,
+ Some(Digest::SHA_2_512),
+ 3072,
+ PaddingMode::RSA_OAEP,
+ Some(Digest::SHA1)
+);
+test_rsa_encrypt_key_op!(
+ encrypt_key_oaep_sha512_sha224_3072,
+ Some(Digest::SHA_2_512),
+ 3072,
+ PaddingMode::RSA_OAEP,
+ Some(Digest::SHA_2_224)
+);
+test_rsa_encrypt_key_op!(
+ encrypt_key_oaep_sha512_sha256_3072,
+ Some(Digest::SHA_2_512),
+ 3072,
+ PaddingMode::RSA_OAEP,
+ Some(Digest::SHA_2_256)
+);
+test_rsa_encrypt_key_op!(
+ encrypt_key_oaep_sha512_sha384_3072,
+ Some(Digest::SHA_2_512),
+ 3072,
+ PaddingMode::RSA_OAEP,
+ Some(Digest::SHA_2_384)
+);
+test_rsa_encrypt_key_op!(
+ encrypt_key_oaep_sha512_sha512_3072,
+ Some(Digest::SHA_2_512),
+ 3072,
+ PaddingMode::RSA_OAEP,
+ Some(Digest::SHA_2_512)
+);
+test_rsa_encrypt_key_op!(
+ encrypt_key_oaep_md5_md5_4096,
+ Some(Digest::MD5),
+ 4096,
+ PaddingMode::RSA_OAEP,
+ Some(Digest::MD5)
+);
+test_rsa_encrypt_key_op!(
+ encrypt_key_oaep_md5_sha1_4096,
+ Some(Digest::MD5),
+ 4096,
+ PaddingMode::RSA_OAEP,
+ Some(Digest::SHA1)
+);
+test_rsa_encrypt_key_op!(
+ encrypt_key_oaep_md5_sha224_4096,
+ Some(Digest::MD5),
+ 4096,
+ PaddingMode::RSA_OAEP,
+ Some(Digest::SHA_2_224)
+);
+test_rsa_encrypt_key_op!(
+ encrypt_key_oaep_md5_sha256_4096,
+ Some(Digest::MD5),
+ 4096,
+ PaddingMode::RSA_OAEP,
+ Some(Digest::SHA_2_256)
+);
+test_rsa_encrypt_key_op!(
+ encrypt_key_oaep_md5_sha384_4096,
+ Some(Digest::MD5),
+ 4096,
+ PaddingMode::RSA_OAEP,
+ Some(Digest::SHA_2_384)
+);
+test_rsa_encrypt_key_op!(
+ encrypt_key_oaep_md5_sha512_4096,
+ Some(Digest::MD5),
+ 4096,
+ PaddingMode::RSA_OAEP,
+ Some(Digest::SHA_2_512)
+);
+test_rsa_encrypt_key_op!(
+ encrypt_key_oaep_sha1_md5_4096,
+ Some(Digest::SHA1),
+ 4096,
+ PaddingMode::RSA_OAEP,
+ Some(Digest::MD5)
+);
+test_rsa_encrypt_key_op!(
+ encrypt_key_oaep_sha1_sha1_4096,
+ Some(Digest::SHA1),
+ 4096,
+ PaddingMode::RSA_OAEP,
+ Some(Digest::SHA1)
+);
+test_rsa_encrypt_key_op!(
+ encrypt_key_oaep_sha1_sha224_4096,
+ Some(Digest::SHA1),
+ 4096,
+ PaddingMode::RSA_OAEP,
+ Some(Digest::SHA_2_224)
+);
+test_rsa_encrypt_key_op!(
+ encrypt_key_oaep_sha1_sha256_4096,
+ Some(Digest::SHA1),
+ 4096,
+ PaddingMode::RSA_OAEP,
+ Some(Digest::SHA_2_256)
+);
+test_rsa_encrypt_key_op!(
+ encrypt_key_oaep_sha1_sha384_4096,
+ Some(Digest::SHA1),
+ 4096,
+ PaddingMode::RSA_OAEP,
+ Some(Digest::SHA_2_384)
+);
+test_rsa_encrypt_key_op!(
+ encrypt_key_oaep_sha1_sha512_4096,
+ Some(Digest::SHA1),
+ 4096,
+ PaddingMode::RSA_OAEP,
+ Some(Digest::SHA_2_512)
+);
+test_rsa_encrypt_key_op!(
+ encrypt_key_oaep_sha224_md5_4096,
+ Some(Digest::SHA_2_224),
+ 4096,
+ PaddingMode::RSA_OAEP,
+ Some(Digest::MD5)
+);
+test_rsa_encrypt_key_op!(
+ encrypt_key_oaep_sha224_sha1_4096,
+ Some(Digest::SHA_2_224),
+ 4096,
+ PaddingMode::RSA_OAEP,
+ Some(Digest::SHA1)
+);
+test_rsa_encrypt_key_op!(
+ encrypt_key_oaep_sha224_sha224_4096,
+ Some(Digest::SHA_2_224),
+ 4096,
+ PaddingMode::RSA_OAEP,
+ Some(Digest::SHA_2_224)
+);
+test_rsa_encrypt_key_op!(
+ encrypt_key_oaep_sha224_sha256_4096,
+ Some(Digest::SHA_2_224),
+ 4096,
+ PaddingMode::RSA_OAEP,
+ Some(Digest::SHA_2_256)
+);
+test_rsa_encrypt_key_op!(
+ encrypt_key_oaep_sha224_sha384_4096,
+ Some(Digest::SHA_2_224),
+ 4096,
+ PaddingMode::RSA_OAEP,
+ Some(Digest::SHA_2_384)
+);
+test_rsa_encrypt_key_op!(
+ encrypt_key_oaep_sha224_sha512_4096,
+ Some(Digest::SHA_2_224),
+ 4096,
+ PaddingMode::RSA_OAEP,
+ Some(Digest::SHA_2_512)
+);
+test_rsa_encrypt_key_op!(
+ encrypt_key_oaep_sha256_md5_4096,
+ Some(Digest::SHA_2_256),
+ 4096,
+ PaddingMode::RSA_OAEP,
+ Some(Digest::MD5)
+);
+test_rsa_encrypt_key_op!(
+ encrypt_key_oaep_sha256_sha1_4096,
+ Some(Digest::SHA_2_256),
+ 4096,
+ PaddingMode::RSA_OAEP,
+ Some(Digest::SHA1)
+);
+test_rsa_encrypt_key_op!(
+ encrypt_key_oaep_sha256_sha224_4096,
+ Some(Digest::SHA_2_256),
+ 4096,
+ PaddingMode::RSA_OAEP,
+ Some(Digest::SHA_2_224)
+);
+test_rsa_encrypt_key_op!(
+ encrypt_key_oaep_sha256_sha256_4096,
+ Some(Digest::SHA_2_256),
+ 4096,
+ PaddingMode::RSA_OAEP,
+ Some(Digest::SHA_2_256)
+);
+test_rsa_encrypt_key_op!(
+ encrypt_key_oaep_sha256_sha384_4096,
+ Some(Digest::SHA_2_256),
+ 4096,
+ PaddingMode::RSA_OAEP,
+ Some(Digest::SHA_2_384)
+);
+test_rsa_encrypt_key_op!(
+ encrypt_key_oaep_sha256_sha512_4096,
+ Some(Digest::SHA_2_256),
+ 4096,
+ PaddingMode::RSA_OAEP,
+ Some(Digest::SHA_2_512)
+);
+test_rsa_encrypt_key_op!(
+ encrypt_key_oaep_sha384_md5_4096,
+ Some(Digest::SHA_2_384),
+ 4096,
+ PaddingMode::RSA_OAEP,
+ Some(Digest::MD5)
+);
+test_rsa_encrypt_key_op!(
+ encrypt_key_oaep_sha384_sha1_4096,
+ Some(Digest::SHA_2_384),
+ 4096,
+ PaddingMode::RSA_OAEP,
+ Some(Digest::SHA1)
+);
+test_rsa_encrypt_key_op!(
+ encrypt_key_oaep_sha384_sha224_4096,
+ Some(Digest::SHA_2_384),
+ 4096,
+ PaddingMode::RSA_OAEP,
+ Some(Digest::SHA_2_224)
+);
+test_rsa_encrypt_key_op!(
+ encrypt_key_oaep_sha384_sha256_4096,
+ Some(Digest::SHA_2_384),
+ 4096,
+ PaddingMode::RSA_OAEP,
+ Some(Digest::SHA_2_256)
+);
+test_rsa_encrypt_key_op!(
+ encrypt_key_oaep_sha384_sha384_4096,
+ Some(Digest::SHA_2_384),
+ 4096,
+ PaddingMode::RSA_OAEP,
+ Some(Digest::SHA_2_384)
+);
+test_rsa_encrypt_key_op!(
+ encrypt_key_oaep_sha384_sha512_4096,
+ Some(Digest::SHA_2_384),
+ 4096,
+ PaddingMode::RSA_OAEP,
+ Some(Digest::SHA_2_512)
+);
+test_rsa_encrypt_key_op!(
+ encrypt_key_oaep_sha512_md5_4096,
+ Some(Digest::SHA_2_512),
+ 4096,
+ PaddingMode::RSA_OAEP,
+ Some(Digest::MD5)
+);
+test_rsa_encrypt_key_op!(
+ encrypt_key_oaep_sha512_sha1_4096,
+ Some(Digest::SHA_2_512),
+ 4096,
+ PaddingMode::RSA_OAEP,
+ Some(Digest::SHA1)
+);
+test_rsa_encrypt_key_op!(
+ encrypt_key_oaep_sha512_sha224_4096,
+ Some(Digest::SHA_2_512),
+ 4096,
+ PaddingMode::RSA_OAEP,
+ Some(Digest::SHA_2_224)
+);
+test_rsa_encrypt_key_op!(
+ encrypt_key_oaep_sha512_sha256_4096,
+ Some(Digest::SHA_2_512),
+ 4096,
+ PaddingMode::RSA_OAEP,
+ Some(Digest::SHA_2_256)
+);
+test_rsa_encrypt_key_op!(
+ encrypt_key_oaep_sha512_sha384_4096,
+ Some(Digest::SHA_2_512),
+ 4096,
+ PaddingMode::RSA_OAEP,
+ Some(Digest::SHA_2_384)
+);
+test_rsa_encrypt_key_op!(
+ encrypt_key_oaep_sha512_sha512_4096,
+ Some(Digest::SHA_2_512),
+ 4096,
+ PaddingMode::RSA_OAEP,
+ Some(Digest::SHA_2_512)
+);
+
+// Below macros generate tests for generating RSA keys with -
+// Padding mode: `RSA_OAEP`
+// Digest modes: `MD5, SHA1, SHA-2 224, SHA-2 256, SHA-2 384 and SHA-2 512`
+// and create a decrypt operations using generated keys. Tests should create operations
+// successfully.
+test_rsa_encrypt_key_op!(
+ encrypt_key_oaep_md5_no_mgf_2048,
+ Some(Digest::MD5),
+ 2048,
+ PaddingMode::RSA_OAEP,
+ None
+);
+test_rsa_encrypt_key_op!(
+ encrypt_key_oaep_sha1_no_mgf_2048,
+ Some(Digest::SHA1),
+ 2048,
+ PaddingMode::RSA_OAEP,
+ None
+);
+test_rsa_encrypt_key_op!(
+ encrypt_key_oaep_sha224_no_mgf_2048,
+ Some(Digest::SHA_2_224),
+ 2048,
+ PaddingMode::RSA_OAEP,
+ None
+);
+test_rsa_encrypt_key_op!(
+ encrypt_key_oaep_sha256_no_mgf_2048,
+ Some(Digest::SHA_2_256),
+ 2048,
+ PaddingMode::RSA_OAEP,
+ None
+);
+test_rsa_encrypt_key_op!(
+ encrypt_key_oaep_sha384_no_mgf_2048,
+ Some(Digest::SHA_2_384),
+ 2048,
+ PaddingMode::RSA_OAEP,
+ None
+);
+test_rsa_encrypt_key_op!(
+ encrypt_key_oaep_sha512_no_mgf_2048,
+ Some(Digest::SHA_2_512),
+ 2048,
+ PaddingMode::RSA_OAEP,
+ None
+);
+test_rsa_encrypt_key_op!(
+ encrypt_key_oaep_md5_no_mgf_3072,
+ Some(Digest::MD5),
+ 3072,
+ PaddingMode::RSA_OAEP,
+ None
+);
+test_rsa_encrypt_key_op!(
+ encrypt_key_oaep_sha1_no_mgf_3072,
+ Some(Digest::SHA1),
+ 3072,
+ PaddingMode::RSA_OAEP,
+ None
+);
+test_rsa_encrypt_key_op!(
+ encrypt_key_oaep_sha224_no_mgf_3072,
+ Some(Digest::SHA_2_224),
+ 3072,
+ PaddingMode::RSA_OAEP,
+ None
+);
+test_rsa_encrypt_key_op!(
+ encrypt_key_oaep_sha256_no_mgf_3072,
+ Some(Digest::SHA_2_256),
+ 3072,
+ PaddingMode::RSA_OAEP,
+ None
+);
+test_rsa_encrypt_key_op!(
+ encrypt_key_oaep_sha384_no_mgf_3072,
+ Some(Digest::SHA_2_384),
+ 3072,
+ PaddingMode::RSA_OAEP,
+ None
+);
+test_rsa_encrypt_key_op!(
+ encrypt_key_oaep_sha512_no_mgf_3072,
+ Some(Digest::SHA_2_512),
+ 3072,
+ PaddingMode::RSA_OAEP,
+ None
+);
+test_rsa_encrypt_key_op!(
+ encrypt_key_oaep_md5_no_mgf_4096,
+ Some(Digest::MD5),
+ 4096,
+ PaddingMode::RSA_OAEP,
+ None
+);
+test_rsa_encrypt_key_op!(
+ encrypt_key_oaep_sha1_no_mgf_4096,
+ Some(Digest::SHA1),
+ 4096,
+ PaddingMode::RSA_OAEP,
+ None
+);
+test_rsa_encrypt_key_op!(
+ encrypt_key_oaep_sha224_no_mgf_4096,
+ Some(Digest::SHA_2_224),
+ 4096,
+ PaddingMode::RSA_OAEP,
+ None
+);
+test_rsa_encrypt_key_op!(
+ encrypt_key_oaep_sha256_no_mgf_4096,
+ Some(Digest::SHA_2_256),
+ 4096,
+ PaddingMode::RSA_OAEP,
+ None
+);
+test_rsa_encrypt_key_op!(
+ encrypt_key_oaep_sha384_no_mgf_4096,
+ Some(Digest::SHA_2_384),
+ 4096,
+ PaddingMode::RSA_OAEP,
+ None
+);
+test_rsa_encrypt_key_op!(
+ encrypt_key_oaep_sha512_no_mgf_4096,
+ Some(Digest::SHA_2_512),
+ 4096,
+ PaddingMode::RSA_OAEP,
+ None
+);
+
+// Below macros generate tests for generating RSA encryption keys with only padding modes.
+// Padding modes: `NONE, RSA_PKCS1_1_5_ENCRYPT`
+// and try to create operations using generated keys, tests should create operations
+// successfully.
+test_rsa_encrypt_key_op!(encrypt_key_none_pad_2048, None, 2048, PaddingMode::NONE, None);
+test_rsa_encrypt_key_op!(encrypt_key_none_pad_3072, None, 3072, PaddingMode::NONE, None);
+test_rsa_encrypt_key_op!(encrypt_key_none_pad_4096, None, 4096, PaddingMode::NONE, None);
+test_rsa_encrypt_key_op!(
+ encrypt_key_pkcs1_1_5_pad_2048,
+ None,
+ 2048,
+ PaddingMode::RSA_PKCS1_1_5_ENCRYPT,
+ None
+);
+test_rsa_encrypt_key_op!(
+ encrypt_key_pkcs1_1_5_pad_3072,
+ None,
+ 3072,
+ PaddingMode::RSA_PKCS1_1_5_ENCRYPT,
+ None
+);
+test_rsa_encrypt_key_op!(
+ encrypt_key_pkcs1_1_5_pad_4096,
+ None,
+ 4096,
+ PaddingMode::RSA_PKCS1_1_5_ENCRYPT,
+ None
+);
+
/// Generate RSA signing key with -
/// Padding mode: RSA_PSS
/// Digest mode: `NONE`.
@@ -179,227 +1545,27 @@
let keystore2 = get_keystore_service();
let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
- let key_sizes = [2048, 3072, 4096];
-
- for key_size in key_sizes {
- let alias = format!("ks_rsa_pss_none_key_test_{}{}", getuid(), key_size);
- let result = key_generations::map_ks_error(create_rsa_key_and_operation(
- &sec_level,
- Domain::APP,
- -1,
- Some(alias.to_string()),
- &key_generations::KeyParams {
- key_size,
- purpose: vec![KeyPurpose::SIGN, KeyPurpose::VERIFY],
- padding: Some(PaddingMode::RSA_PSS),
- digest: Some(Digest::NONE),
- mgf_digest: None,
- block_mode: None,
- att_challenge: None,
- att_app_id: None,
- },
- KeyPurpose::SIGN,
- ForcedOp(false),
- ));
- assert!(result.is_err());
- assert_eq!(Error::Km(ErrorCode::INCOMPATIBLE_DIGEST), result.unwrap_err());
- }
-}
-
-/// Generate RSA signing key with -
-/// Padding mode: `NONE`
-/// Digest mode `NONE`
-/// Try to create an operation with this generated key. Test should create an operation successfully.
-#[test]
-fn keystore2_rsa_generate_signing_key_padding_none_success() {
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
-
- let key_sizes = [2048, 3072, 4096];
-
- for key_size in key_sizes {
- let alias = format!("ks_rsa_pad_none_key_test_{}{}", getuid(), key_size);
- let op_response = create_rsa_key_and_operation(
- &sec_level,
- Domain::APP,
- -1,
- Some(alias.to_string()),
- &key_generations::KeyParams {
- key_size,
- purpose: vec![KeyPurpose::SIGN, KeyPurpose::VERIFY],
- padding: Some(PaddingMode::NONE),
- digest: Some(Digest::NONE),
- mgf_digest: None,
- block_mode: None,
- att_challenge: None,
- att_app_id: None,
- },
- KeyPurpose::SIGN,
- ForcedOp(false),
- )
- .unwrap();
-
- assert!(op_response.iOperation.is_some());
- assert_eq!(
- Ok(()),
- key_generations::map_ks_error(perform_sample_sign_operation(
- &op_response.iOperation.unwrap()
- ))
- );
- }
-}
-
-/// Generate RSA signing keys with -
-/// Padding mode: `NONE`
-/// Digest modes: `MD5, SHA1, SHA-2 224, SHA-2 256, SHA-2 384 and SHA-2 512`
-/// Create operations with these generated keys. Test should fail to create operations with
-/// an error code `UNKNOWN_ERROR`.
-#[test]
-fn keystore2_rsa_generate_signing_key_padding_none_fail() {
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
-
- let digests = [
- Digest::MD5,
- Digest::SHA1,
- Digest::SHA_2_224,
- Digest::SHA_2_256,
- Digest::SHA_2_384,
- Digest::SHA_2_512,
- ];
-
- let key_sizes = [2048, 3072, 4096];
-
- for key_size in key_sizes {
- for digest in digests {
- let alias = format!("ks_rsa_key_test_{}{}{}", getuid(), key_size, digest.0);
- let result = key_generations::map_ks_error(create_rsa_key_and_operation(
- &sec_level,
- Domain::APP,
- -1,
- Some(alias.to_string()),
- &key_generations::KeyParams {
- key_size,
- purpose: vec![KeyPurpose::SIGN, KeyPurpose::VERIFY],
- padding: Some(PaddingMode::NONE),
- digest: Some(digest),
- mgf_digest: None,
- block_mode: None,
- att_challenge: None,
- att_app_id: None,
- },
- KeyPurpose::SIGN,
- ForcedOp(false),
- ));
- assert!(result.is_err());
- assert_eq!(Error::Km(ErrorCode::UNKNOWN_ERROR), result.unwrap_err());
- }
- }
-}
-
-/// Generate RSA keys with -
-/// Padding Mode: `RSA_OAEP`
-/// Digest modes: `MD5, SHA1, SHA-2 224, SHA-2 256, SHA-2 384 and SHA-2 512`
-/// mgf-digests: `MD5, SHA1, SHA-2 224, SHA-2 256, SHA-2 384 and SHA-2 512`
-/// Create a decrypt operations using generated keys. Test should create operations successfully.
-#[test]
-fn keystore2_rsa_generate_key_with_oaep_padding_success() {
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
-
- let digests = [
- Digest::MD5,
- Digest::SHA1,
- Digest::SHA_2_224,
- Digest::SHA_2_256,
- Digest::SHA_2_384,
- Digest::SHA_2_512,
- ];
-
- let mgf_digests = [
- Digest::MD5,
- Digest::SHA1,
- Digest::SHA_2_224,
- Digest::SHA_2_256,
- Digest::SHA_2_384,
- Digest::SHA_2_512,
- ];
-
- let key_sizes = [2048, 3072, 4096];
-
- for key_size in key_sizes {
- for digest in digests {
- for mgf_digest in mgf_digests {
- let alias =
- format!("ks_rsa_key_pair_oaep_test_{}{}{}", getuid(), key_size, digest.0);
- let result = create_rsa_key_and_operation(
- &sec_level,
- Domain::APP,
- -1,
- Some(alias.to_string()),
- &key_generations::KeyParams {
- key_size,
- purpose: vec![KeyPurpose::ENCRYPT, KeyPurpose::DECRYPT],
- padding: Some(PaddingMode::RSA_OAEP),
- digest: Some(digest),
- mgf_digest: Some(mgf_digest),
- block_mode: Some(BlockMode::ECB),
- att_challenge: None,
- att_app_id: None,
- },
- KeyPurpose::DECRYPT,
- ForcedOp(false),
- );
- assert!(result.is_ok());
- } // End of mgf-digests.
- } // End of digests.
- } // End of key-sizes.
-}
-
-/// Generate RSA keys with -
-/// Padding mode: `RSA_OAEP`
-/// Digest modes: `MD5, SHA1, SHA-2 224, SHA-2 256, SHA-2 384 and SHA-2 512`
-/// Create a decrypt operations using generated keys. Test should create operations successfully.
-#[test]
-fn keystore2_rsa_generate_key_with_oaep_padding_and_digests_success() {
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
-
- let digests = [
- Digest::MD5,
- Digest::SHA1,
- Digest::SHA_2_224,
- Digest::SHA_2_256,
- Digest::SHA_2_384,
- Digest::SHA_2_512,
- ];
-
- let key_sizes = [2048, 3072, 4096];
-
- for key_size in key_sizes {
- for digest in digests {
- let alias = format!("ks_rsa_key_pair_oaep_test_{}{}{}", getuid(), key_size, digest.0);
- let result = create_rsa_key_and_operation(
- &sec_level,
- Domain::APP,
- -1,
- Some(alias.to_string()),
- &key_generations::KeyParams {
- key_size,
- purpose: vec![KeyPurpose::ENCRYPT, KeyPurpose::DECRYPT],
- padding: Some(PaddingMode::RSA_OAEP),
- digest: Some(digest),
- mgf_digest: None,
- block_mode: Some(BlockMode::ECB),
- att_challenge: None,
- att_app_id: None,
- },
- KeyPurpose::DECRYPT,
- ForcedOp(false),
- );
- assert!(result.is_ok());
- } // End of digests.
- } // End of key-sizes.
+ let alias = "ks_rsa_pss_none_key_op_test";
+ let result = key_generations::map_ks_error(create_rsa_key_and_operation(
+ &sec_level,
+ Domain::APP,
+ -1,
+ Some(alias.to_string()),
+ &key_generations::KeyParams {
+ key_size: 2048,
+ purpose: vec![KeyPurpose::SIGN, KeyPurpose::VERIFY],
+ padding: Some(PaddingMode::RSA_PSS),
+ digest: Some(Digest::NONE),
+ mgf_digest: None,
+ block_mode: None,
+ att_challenge: None,
+ att_app_id: None,
+ },
+ KeyPurpose::SIGN,
+ ForcedOp(false),
+ ));
+ assert!(result.is_err());
+ assert_eq!(Error::Km(ErrorCode::INCOMPATIBLE_DIGEST), result.unwrap_err());
}
/// Generate RSA encryption key with -
@@ -412,122 +1578,28 @@
let keystore2 = get_keystore_service();
let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
- let key_sizes = [2048, 3072, 4096];
+ let alias = "ks_rsa_key_oaep_padding_fail_test";
+ let result = key_generations::map_ks_error(create_rsa_key_and_operation(
+ &sec_level,
+ Domain::APP,
+ -1,
+ Some(alias.to_string()),
+ &key_generations::KeyParams {
+ key_size: 2048,
+ purpose: vec![KeyPurpose::ENCRYPT, KeyPurpose::DECRYPT],
+ padding: Some(PaddingMode::RSA_OAEP),
+ digest: Some(Digest::NONE),
+ mgf_digest: None,
+ block_mode: None,
+ att_challenge: None,
+ att_app_id: None,
+ },
+ KeyPurpose::DECRYPT,
+ ForcedOp(false),
+ ));
- for key_size in key_sizes {
- let alias = format!("ks_rsa_key_padding_{}{}", getuid(), key_size);
- let result = key_generations::map_ks_error(create_rsa_key_and_operation(
- &sec_level,
- Domain::APP,
- -1,
- Some(alias.to_string()),
- &key_generations::KeyParams {
- key_size,
- purpose: vec![KeyPurpose::ENCRYPT, KeyPurpose::DECRYPT],
- padding: Some(PaddingMode::RSA_OAEP),
- digest: Some(Digest::NONE),
- mgf_digest: None,
- block_mode: None,
- att_challenge: None,
- att_app_id: None,
- },
- KeyPurpose::DECRYPT,
- ForcedOp(false),
- ));
-
- assert!(result.is_err());
- assert_eq!(Error::Km(ErrorCode::INCOMPATIBLE_DIGEST), result.unwrap_err());
- }
-}
-
-/// Generate RSA encryption keys with various digest mode and padding mode combinations.
-/// Digest modes: `MD5, SHA1, SHA-2 224, SHA-2 256, SHA-2 384 and SHA-2 512`
-/// Padding modes: `NONE, RSA_PKCS1_1_5_ENCRYPT`
-/// Try to create operations using generated keys, test should create operations successfully.
-#[test]
-fn keystore2_rsa_generate_keys_with_digest_paddings() {
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
-
- let digests = [
- Digest::NONE,
- Digest::MD5,
- Digest::SHA1,
- Digest::SHA_2_224,
- Digest::SHA_2_256,
- Digest::SHA_2_384,
- Digest::SHA_2_512,
- ];
-
- let paddings = [PaddingMode::NONE, PaddingMode::RSA_PKCS1_1_5_ENCRYPT];
-
- let key_sizes = [2048, 3072, 4096];
-
- for key_size in key_sizes {
- for digest in digests {
- for padding in paddings {
- let alias = format!("ks_rsa_key_padding_{}{}{}", getuid(), key_size, digest.0);
- let result = key_generations::map_ks_error(create_rsa_key_and_operation(
- &sec_level,
- Domain::APP,
- -1,
- Some(alias.to_string()),
- &key_generations::KeyParams {
- key_size,
- purpose: vec![KeyPurpose::ENCRYPT, KeyPurpose::DECRYPT],
- padding: Some(padding),
- digest: Some(digest),
- mgf_digest: None,
- block_mode: None,
- att_challenge: None,
- att_app_id: None,
- },
- KeyPurpose::DECRYPT,
- ForcedOp(false),
- ));
-
- assert!(result.is_ok());
- } // End of paddings.
- } // End of digests.
- } // End of key-sizes.
-}
-
-/// Generate RSA encryption keys with only padding modes.
-/// Padding modes: `NONE, RSA_PKCS1_1_5_ENCRYPT`
-/// Try to create operations using generated keys, test should create operations successfully.
-#[test]
-fn keystore2_rsa_generate_keys_with_paddings() {
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
-
- let paddings = [PaddingMode::NONE, PaddingMode::RSA_PKCS1_1_5_ENCRYPT];
-
- let key_sizes = [2048, 3072, 4096];
-
- for key_size in key_sizes {
- for padding in paddings {
- let alias = format!("ks_rsa_key_padding_{}{}", getuid(), key_size);
- let result = create_rsa_key_and_operation(
- &sec_level,
- Domain::APP,
- -1,
- Some(alias.to_string()),
- &key_generations::KeyParams {
- key_size,
- purpose: vec![KeyPurpose::ENCRYPT, KeyPurpose::DECRYPT],
- padding: Some(padding),
- digest: None,
- mgf_digest: None,
- block_mode: None,
- att_challenge: None,
- att_app_id: None,
- },
- KeyPurpose::DECRYPT,
- ForcedOp(false),
- );
- assert!(result.is_ok());
- } // End of paddings.
- } // End of key-sizes.
+ assert!(result.is_err());
+ assert_eq!(Error::Km(ErrorCode::INCOMPATIBLE_DIGEST), result.unwrap_err());
}
/// Generate RSA keys without padding and digest modes. Try to create decrypt operation without
@@ -538,31 +1610,27 @@
let keystore2 = get_keystore_service();
let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
- let key_sizes = [2048, 3072, 4096];
-
- for key_size in key_sizes {
- let alias = format!("ks_rsa_key_test_{}{}", getuid(), key_size);
- let result = key_generations::map_ks_error(create_rsa_key_and_operation(
- &sec_level,
- Domain::APP,
- -1,
- Some(alias.to_string()),
- &key_generations::KeyParams {
- key_size,
- purpose: vec![KeyPurpose::ENCRYPT, KeyPurpose::DECRYPT],
- padding: None,
- digest: None,
- mgf_digest: None,
- block_mode: None,
- att_challenge: None,
- att_app_id: None,
- },
- KeyPurpose::DECRYPT,
- ForcedOp(false),
- ));
- assert!(result.is_err());
- assert_eq!(Error::Km(ErrorCode::UNSUPPORTED_PADDING_MODE), result.unwrap_err());
- }
+ let alias = "ks_rsa_key_unsupport_padding_test";
+ let result = key_generations::map_ks_error(create_rsa_key_and_operation(
+ &sec_level,
+ Domain::APP,
+ -1,
+ Some(alias.to_string()),
+ &key_generations::KeyParams {
+ key_size: 2048,
+ purpose: vec![KeyPurpose::ENCRYPT, KeyPurpose::DECRYPT],
+ padding: None,
+ digest: None,
+ mgf_digest: None,
+ block_mode: None,
+ att_challenge: None,
+ att_app_id: None,
+ },
+ KeyPurpose::DECRYPT,
+ ForcedOp(false),
+ ));
+ assert!(result.is_err());
+ assert_eq!(Error::Km(ErrorCode::UNSUPPORTED_PADDING_MODE), result.unwrap_err());
}
/// Generate a RSA encryption key. Try to create a signing operation with it, an error
@@ -665,7 +1733,7 @@
let paddings = [PaddingMode::RSA_PKCS1_1_5_SIGN, PaddingMode::RSA_PSS];
for padding in paddings {
- let alias = format!("ks_rsa_key_test_4_{}{}", getuid(), padding.0);
+ let alias = format!("ks_rsa_encrypt_key_unsupported_pad_test{}", padding.0);
let result = key_generations::map_ks_error(create_rsa_key_and_operation(
&sec_level,
Domain::APP,
@@ -699,7 +1767,7 @@
let paddings = [PaddingMode::RSA_PKCS1_1_5_ENCRYPT, PaddingMode::RSA_OAEP];
for padding in paddings {
- let alias = format!("ks_rsa_key_test_4_{}{}", getuid(), padding.0);
+ let alias = format!("ks_rsa_sign_key_unsupported_pad_test_4_{}", padding.0);
let result = key_generations::map_ks_error(create_rsa_key_and_operation(
&sec_level,
Domain::APP,
diff --git a/keystore2/tests/keystore2_client_test_utils.rs b/keystore2/tests/keystore2_client_test_utils.rs
index 006f2f9..2f739b5 100644
--- a/keystore2/tests/keystore2_client_test_utils.rs
+++ b/keystore2/tests/keystore2_client_test_utils.rs
@@ -23,7 +23,8 @@
use android_system_keystore2::aidl::android::system::keystore2::{
CreateOperationResponse::CreateOperationResponse, Domain::Domain,
IKeystoreOperation::IKeystoreOperation, IKeystoreSecurityLevel::IKeystoreSecurityLevel,
- KeyDescriptor::KeyDescriptor, KeyParameters::KeyParameters, ResponseCode::ResponseCode,
+ IKeystoreService::IKeystoreService, KeyDescriptor::KeyDescriptor, KeyParameters::KeyParameters,
+ ResponseCode::ResponseCode,
};
use keystore2_test_utils::{
@@ -50,6 +51,11 @@
/// Sample plain text input for encrypt operation.
pub const SAMPLE_PLAIN_TEXT: &[u8] = b"my message 11111";
+pub fn has_trusty_keymint() -> bool {
+ binder::is_declared("android.hardware.security.keymint.IKeyMintDevice/default")
+ .expect("Could not check for declared keymint interface")
+}
+
/// Generate a EC_P256 key using given domain, namespace and alias.
/// Create an operation using the generated key and perform sample signing operation.
pub fn create_signing_operation(
@@ -202,3 +208,16 @@
let op = op_response.iOperation.unwrap();
op.finish(Some(input), None)
}
+
+/// Delete a key with domain APP.
+pub fn delete_app_key(
+ keystore2: &binder::Strong<dyn IKeystoreService>,
+ alias: &str,
+) -> binder::Result<()> {
+ keystore2.deleteKey(&KeyDescriptor {
+ domain: Domain::APP,
+ nspace: -1,
+ alias: Some(alias.to_string()),
+ blob: None,
+ })
+}