Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_security / 28abde6189193b948a5dbf952a2223af5f9dbb61 / . / keystore2 / test_utils / key_generations.rs
blob: 3422ce8682d62c99cdc527d837f3a0f2c9348723 [file] [log] [blame]
Rajesh Nyamagoud901386c2022-03-21 20:35:18 +0000[diff] [blame]1// Copyright 2022, The Android Open Source Project
2//
3// Licensed under the Apache License, Version 2.0 (the "License");
4// you may not use this file except in compliance with the License.
5// You may obtain a copy of the License at
6//
7// http://www.apache.org/licenses/LICENSE-2.0
8//
9// Unless required by applicable law or agreed to in writing, software
10// distributed under the License is distributed on an "AS IS" BASIS,
11// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12// See the License for the specific language governing permissions and
13// limitations under the License.
14
15//! This module implements test utils to generate various types of keys.
16
Rajesh Nyamagoudb881d512021-12-10 00:33:15 +0000[diff] [blame]17use anyhow::Result;
18
Rajesh Nyamagoud901386c2022-03-21 20:35:18 +0000[diff] [blame]19use android_hardware_security_keymint::aidl::android::hardware::security::keymint::{
Rajesh Nyamagoud11912ea2021-12-20 20:37:20 +0000[diff] [blame]20 Algorithm::Algorithm, BlockMode::BlockMode, Digest::Digest, EcCurve::EcCurve,
Rajesh Nyamagoudc946cc42022-04-12 22:49:11 +0000[diff] [blame]21 ErrorCode::ErrorCode, HardwareAuthenticatorType::HardwareAuthenticatorType,
22 KeyOrigin::KeyOrigin, KeyParameter::KeyParameter, KeyParameterValue::KeyParameterValue,
23 KeyPurpose::KeyPurpose, PaddingMode::PaddingMode, Tag::Tag,
Rajesh Nyamagoud901386c2022-03-21 20:35:18 +0000[diff] [blame]24};
25use android_system_keystore2::aidl::android::system::keystore2::{
Rajesh Nyamagoudc946cc42022-04-12 22:49:11 +0000[diff] [blame]26 AuthenticatorSpec::AuthenticatorSpec, Authorization::Authorization, Domain::Domain,
27 IKeystoreSecurityLevel::IKeystoreSecurityLevel, KeyDescriptor::KeyDescriptor,
28 KeyMetadata::KeyMetadata, ResponseCode::ResponseCode,
Rajesh Nyamagoud901386c2022-03-21 20:35:18 +0000[diff] [blame]29};
30
31use crate::authorizations::AuthSetBuilder;
Rajesh Nyamagoudb881d512021-12-10 00:33:15 +0000[diff] [blame]32use android_system_keystore2::binder::{ExceptionCode, Result as BinderResult};
Rajesh Nyamagoud901386c2022-03-21 20:35:18 +0000[diff] [blame]33
Rajesh Nyamagoudb881d512021-12-10 00:33:15 +0000[diff] [blame]34/// Shell namespace.
35pub const SELINUX_SHELL_NAMESPACE: i64 = 1;
Rajesh Nyamagouddc6fb232021-12-08 21:27:15 +0000[diff] [blame]36/// Vold namespace.
37pub const SELINUX_VOLD_NAMESPACE: i64 = 100;
Rajesh Nyamagoud901386c2022-03-21 20:35:18 +0000[diff] [blame]38
Rajesh Nyamagoudfa7c0f12021-12-02 17:15:48 +0000[diff] [blame]39/// SU context.
40pub const TARGET_SU_CTX: &str = "u:r:su:s0";
41
42/// Vold context
43pub const TARGET_VOLD_CTX: &str = "u:r:vold:s0";
44
Rajesh Nyamagoud11912ea2021-12-20 20:37:20 +0000[diff] [blame]45/// Key parameters to generate a key.
46pub struct KeyParams {
47 /// Key Size.
48 pub key_size: i32,
49 /// Key Purposes.
50 pub purpose: Vec<KeyPurpose>,
51 /// Padding Mode.
52 pub padding: Option<PaddingMode>,
53 /// Digest.
54 pub digest: Option<Digest>,
55 /// MFG Digest.
56 pub mgf_digest: Option<Digest>,
57 /// Block Mode.
58 pub block_mode: Option<BlockMode>,
59 /// Attestation challenge.
60 pub att_challenge: Option<Vec<u8>>,
Rajesh Nyamagoud11912ea2021-12-20 20:37:20 +0000[diff] [blame]61}
62
Rajesh Nyamagoudb8402b62022-04-08 01:05:47 +0000[diff] [blame]63/// DER-encoded PKCS#8 format RSA key. Generated using:
64/// openssl genrsa 2048 | openssl pkcs8 -topk8 -nocrypt -outform der | hexdump -e '30/1 "%02X" "\n"'
65pub static RSA_2048_KEY: &[u8] = &[
66 0x30, 0x82, 0x04, 0xBD, 0x02, 0x01, 0x00, 0x30, 0x0D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7,
67 0x0D, 0x01, 0x01, 0x01, 0x05, 0x00, 0x04, 0x82, 0x04, 0xA7, 0x30, 0x82, 0x04, 0xA3, 0x02, 0x01,
68 0x00, 0x02, 0x82, 0x01, 0x01, 0x00, 0xE5, 0x14, 0xE3, 0xC2, 0x43, 0xF3, 0x0F, 0xCC, 0x22, 0x73,
69 0x9C, 0x84, 0xCC, 0x1B, 0x6C, 0x97, 0x4B, 0xC9, 0xDF, 0x1F, 0xE2, 0xB8, 0x80, 0x85, 0xF9, 0x27,
70 0xAB, 0x97, 0x94, 0x58, 0x4B, 0xC9, 0x40, 0x94, 0x5A, 0xB4, 0xD4, 0xF8, 0xD0, 0x36, 0xC4, 0x86,
71 0x17, 0x7D, 0xA2, 0x48, 0x6D, 0x40, 0xF0, 0xB9, 0x61, 0x4F, 0xCE, 0x65, 0x80, 0x88, 0x81, 0x59,
72 0x95, 0x11, 0x24, 0xF4, 0x36, 0xB7, 0xB7, 0x37, 0x44, 0xF4, 0x6C, 0x1C, 0xEB, 0x04, 0x19, 0x78,
73 0xB2, 0x29, 0x4D, 0x21, 0x44, 0x16, 0x57, 0x58, 0x6D, 0x7D, 0x56, 0xB5, 0x99, 0xDD, 0xD2, 0xAD,
74 0x02, 0x9A, 0x72, 0x16, 0x67, 0xD6, 0x00, 0x9F, 0x69, 0xE0, 0x25, 0xEE, 0x7C, 0x86, 0x54, 0x27,
75 0x4B, 0x50, 0xEF, 0x60, 0x52, 0x60, 0x82, 0xAA, 0x09, 0x15, 0x72, 0xD2, 0xEB, 0x01, 0x52, 0x04,
76 0x39, 0x60, 0xBC, 0x5E, 0x95, 0x07, 0xC8, 0xC2, 0x3A, 0x3A, 0xE2, 0xA4, 0x99, 0x6B, 0x27, 0xE3,
77 0xA3, 0x55, 0x69, 0xC4, 0xB3, 0x2D, 0x19, 0xC4, 0x34, 0x76, 0xFC, 0x27, 0xDA, 0x22, 0xB2, 0x62,
78 0x69, 0x25, 0xDE, 0x0D, 0xE7, 0x54, 0x3C, 0xBB, 0x61, 0xD2, 0x20, 0xDA, 0x7B, 0x6E, 0x63, 0xBD,
79 0x9A, 0x4B, 0xCD, 0x75, 0xC6, 0xA1, 0x5E, 0x1C, 0x3E, 0xD5, 0x63, 0x59, 0x22, 0x7E, 0xE0, 0x6C,
80 0x98, 0x25, 0x63, 0x97, 0x56, 0xDF, 0x71, 0xF5, 0x4C, 0x78, 0xE9, 0xE1, 0xD5, 0xFC, 0xF8, 0x5A,
81 0x5B, 0xF6, 0x1D, 0xFA, 0x5A, 0x99, 0x4C, 0x99, 0x19, 0x21, 0x1D, 0xF5, 0x24, 0x07, 0xEF, 0x8A,
82 0xC9, 0x9F, 0xE7, 0x3F, 0xBB, 0x46, 0x1A, 0x16, 0x96, 0xC6, 0xD6, 0x12, 0x7E, 0xDA, 0xCB, 0xEB,
83 0x2F, 0x1D, 0x3B, 0x31, 0xCC, 0x55, 0x63, 0xA2, 0x6F, 0x8A, 0xDE, 0x35, 0x52, 0x40, 0x04, 0xBF,
84 0xE0, 0x82, 0x32, 0xE1, 0x6D, 0x8B, 0x02, 0x03, 0x01, 0x00, 0x01, 0x02, 0x82, 0x01, 0x00, 0x2D,
85 0x1F, 0x71, 0x41, 0x79, 0xBA, 0xED, 0xD8, 0xAA, 0xCC, 0x94, 0xFE, 0xFF, 0x69, 0x43, 0x79, 0x85,
86 0xBF, 0x2C, 0xC9, 0x0E, 0x12, 0x83, 0x96, 0x60, 0x1E, 0x75, 0x49, 0x35, 0x3A, 0x33, 0x2B, 0x60,
87 0x22, 0x18, 0xBF, 0xD7, 0xD7, 0x6E, 0xC3, 0xEA, 0xEF, 0xF2, 0xBE, 0x97, 0x71, 0xA6, 0xBB, 0x8C,
88 0xEF, 0x27, 0x00, 0xDE, 0x49, 0xD6, 0x08, 0x8D, 0x5A, 0x04, 0xE7, 0xCC, 0x9C, 0xA2, 0x0E, 0x8B,
89 0xF3, 0x42, 0x0C, 0xD7, 0x22, 0xD7, 0x14, 0x06, 0xA4, 0x64, 0x8B, 0x88, 0x1A, 0xCE, 0x5B, 0x8C,
90 0x36, 0xE9, 0xD2, 0x2F, 0x7B, 0x33, 0xE4, 0xA2, 0xB3, 0xDB, 0x78, 0x6A, 0x92, 0x89, 0x3F, 0x78,
91 0xFD, 0xED, 0x8F, 0xEE, 0x48, 0xCC, 0x94, 0x75, 0x0D, 0x0C, 0x63, 0xD3, 0xD2, 0xE8, 0x47, 0x04,
92 0x55, 0xD3, 0xD6, 0x3A, 0xB8, 0xDA, 0xFB, 0x76, 0x99, 0x48, 0x68, 0x0A, 0x92, 0xA2, 0xCD, 0xF7,
93 0x45, 0x8B, 0x50, 0xFE, 0xF9, 0x1A, 0x33, 0x24, 0x3C, 0x2E, 0xDE, 0x88, 0xAD, 0xB2, 0x5B, 0x9F,
94 0x44, 0xEA, 0xD1, 0x9F, 0xC7, 0x9F, 0x02, 0x5E, 0x31, 0x61, 0xB3, 0xD6, 0xE2, 0xE1, 0xBC, 0xFB,
95 0x1C, 0xDB, 0xBD, 0xB2, 0x9A, 0xE5, 0xEF, 0xDA, 0xCD, 0x29, 0xA5, 0x45, 0xCC, 0x67, 0x01, 0x8B,
96 0x1C, 0x1D, 0x0E, 0x8F, 0x73, 0x69, 0x4D, 0x4D, 0xF6, 0x9D, 0xA6, 0x6C, 0x9A, 0x1C, 0xF4, 0x5C,
97 0xE4, 0x83, 0x9A, 0x77, 0x12, 0x01, 0xBD, 0xCE, 0x66, 0x3A, 0x4B, 0x3D, 0x6E, 0xE0, 0x6E, 0x82,
98 0x98, 0xDE, 0x74, 0x11, 0x47, 0xEC, 0x7A, 0x3A, 0xA9, 0xD8, 0x48, 0x00, 0x26, 0x64, 0x47, 0x7B,
99 0xAE, 0x55, 0x9D, 0x29, 0x22, 0xB4, 0xB3, 0xB9, 0xB1, 0x64, 0xEA, 0x3B, 0x5A, 0xD3, 0x3F, 0x8D,
100 0x0F, 0x14, 0x7E, 0x4E, 0xB8, 0x1B, 0x06, 0xFC, 0xB1, 0x7E, 0xCD, 0xB9, 0x1A, 0x4E, 0xA1, 0x02,
101 0x81, 0x81, 0x00, 0xF9, 0xDE, 0xEE, 0xED, 0x13, 0x2F, 0xBB, 0xE7, 0xE2, 0xB3, 0x2D, 0x98, 0xD2,
102 0xE8, 0x25, 0x07, 0x5A, 0x1E, 0x51, 0x0A, 0xC8, 0xAD, 0x50, 0x4B, 0x80, 0xC6, 0x22, 0xF5, 0x9B,
103 0x08, 0xE6, 0x3D, 0x01, 0xC6, 0x3E, 0xC8, 0xD2, 0x54, 0x9F, 0x91, 0x77, 0x95, 0xCD, 0xCA, 0xC7,
104 0xE7, 0x47, 0x94, 0xA9, 0x5F, 0x4E, 0xBE, 0x31, 0x3D, 0xB4, 0xAF, 0x43, 0x0F, 0xDC, 0x8D, 0x9C,
105 0x1E, 0x52, 0x7B, 0x72, 0x21, 0x34, 0xB3, 0x96, 0x7C, 0x9C, 0xB8, 0x51, 0x65, 0x60, 0xAC, 0x3D,
106 0x11, 0x32, 0xB8, 0xD6, 0x34, 0x35, 0x66, 0xD0, 0x30, 0xB9, 0xE9, 0x67, 0x2C, 0x87, 0x73, 0x43,
107 0x9C, 0x12, 0x16, 0x7D, 0x4A, 0xD9, 0xA3, 0x4C, 0x24, 0x64, 0x6A, 0x32, 0x8E, 0xC3, 0xD8, 0x00,
108 0x90, 0x5C, 0x4D, 0x65, 0x01, 0x53, 0x8A, 0xD0, 0x87, 0xCE, 0x96, 0xEF, 0xFA, 0x73, 0x03, 0xF1,
109 0xDC, 0x1B, 0x9B, 0x02, 0x81, 0x81, 0x00, 0xEA, 0xB3, 0x69, 0x00, 0x11, 0x0E, 0x50, 0xAA, 0xD3,
110 0x22, 0x51, 0x78, 0x9D, 0xFF, 0x05, 0x62, 0xBC, 0x9A, 0x67, 0x86, 0xE1, 0xC5, 0x02, 0x2D, 0x14,
111 0x11, 0x29, 0x30, 0xE7, 0x90, 0x5D, 0x72, 0x6F, 0xC5, 0x62, 0xEB, 0xD4, 0xB0, 0x3F, 0x3D, 0xDC,
112 0xB9, 0xFC, 0x2B, 0x5C, 0xBD, 0x9E, 0x71, 0x81, 0x5C, 0xC5, 0xFE, 0xDF, 0x69, 0x73, 0x12, 0x66,
113 0x92, 0x06, 0xD4, 0xD5, 0x8F, 0xDF, 0x14, 0x2E, 0x9C, 0xD0, 0x4C, 0xC2, 0x4D, 0x31, 0x2E, 0x47,
114 0xA5, 0xDC, 0x8A, 0x83, 0x7B, 0xE8, 0xA5, 0xC3, 0x03, 0x98, 0xD8, 0xBF, 0xF4, 0x7D, 0x6E, 0x87,
115 0x55, 0xE4, 0x0F, 0x15, 0x10, 0xC8, 0x76, 0x4F, 0xAD, 0x1D, 0x1C, 0x95, 0x41, 0x9D, 0x88, 0xEC,
116 0x8C, 0xDA, 0xBA, 0x90, 0x7F, 0x8D, 0xD9, 0x8B, 0x47, 0x6C, 0x0C, 0xFF, 0xBA, 0x73, 0x00, 0x20,
117 0x1F, 0xF7, 0x7E, 0x5F, 0xF4, 0xEC, 0xD1, 0x02, 0x81, 0x80, 0x16, 0xB7, 0x43, 0xB5, 0x5D, 0xD7,
118 0x2B, 0x18, 0x0B, 0xAE, 0x0A, 0x69, 0x28, 0x53, 0x5E, 0x7A, 0x6A, 0xA0, 0xF2, 0xF1, 0x2E, 0x09,
119 0x43, 0x91, 0x79, 0xA5, 0x89, 0xAC, 0x16, 0x6A, 0x1A, 0xB4, 0x55, 0x22, 0xF6, 0xB6, 0x3F, 0x18,
120 0xDE, 0x60, 0xD5, 0x24, 0x53, 0x4F, 0x2A, 0x19, 0x46, 0x92, 0xA7, 0x4B, 0x38, 0xD7, 0x65, 0x96,
121 0x9C, 0x84, 0x8A, 0x6E, 0x38, 0xB8, 0xCF, 0x06, 0x9A, 0xAD, 0x0A, 0x55, 0x26, 0x7B, 0x65, 0x24,
122 0xF3, 0x02, 0x76, 0xB3, 0xE6, 0xB4, 0x01, 0xE1, 0x3C, 0x61, 0x3D, 0x68, 0x05, 0xAA, 0xD1, 0x26,
123 0x7C, 0xE0, 0x51, 0x36, 0xE5, 0x21, 0x7F, 0x76, 0x02, 0xD6, 0xF4, 0x91, 0x07, 0x74, 0x27, 0x09,
124 0xEF, 0xEF, 0x0F, 0xA5, 0x96, 0xFC, 0x5E, 0x20, 0xC1, 0xA3, 0x6F, 0x99, 0x4D, 0x45, 0x03, 0x6C,
125 0x35, 0x45, 0xD7, 0x8F, 0x47, 0x41, 0x86, 0x8D, 0x62, 0x1D, 0x02, 0x81, 0x81, 0x00, 0xC3, 0x93,
126 0x85, 0xA7, 0xFC, 0x8E, 0x85, 0x42, 0x14, 0x76, 0xC0, 0x95, 0x56, 0x73, 0xB0, 0xB5, 0x3A, 0x9D,
127 0x20, 0x30, 0x11, 0xEA, 0xED, 0x89, 0x4A, 0xF3, 0x91, 0xF3, 0xA2, 0xC3, 0x76, 0x5B, 0x6A, 0x30,
128 0x7D, 0xE2, 0x2F, 0x76, 0x3E, 0xFC, 0xF9, 0xF6, 0x31, 0xE0, 0xA0, 0x83, 0x92, 0x88, 0xDB, 0x57,
129 0xC7, 0xD6, 0x3F, 0xAD, 0xCB, 0xAA, 0x45, 0xB6, 0xE1, 0xE2, 0x71, 0xA4, 0x56, 0x2C, 0xA7, 0x3B,
130 0x1D, 0x89, 0x19, 0x50, 0xE1, 0xEE, 0xC2, 0xDD, 0xC0, 0x0D, 0xDC, 0xCB, 0x60, 0x6E, 0xE1, 0x37,
131 0x1A, 0x23, 0x64, 0xB2, 0x03, 0xE4, 0x1A, 0xFA, 0xC3, 0xF4, 0x9D, 0x85, 0x42, 0xC6, 0xF4, 0x56,
132 0x39, 0xB0, 0x1B, 0xE0, 0x75, 0xBA, 0x28, 0x04, 0xA8, 0x30, 0x57, 0x41, 0x33, 0x9F, 0x58, 0xA4,
133 0xC7, 0xB1, 0x7D, 0x58, 0x8D, 0x84, 0x49, 0x40, 0xDA, 0x28, 0x81, 0x25, 0xC4, 0x41, 0x02, 0x81,
134 0x80, 0x13, 0x20, 0x65, 0xD5, 0x96, 0x98, 0x8D, 0x16, 0x73, 0xA1, 0x31, 0x73, 0x79, 0xBA, 0xEC,
135 0xB0, 0xD9, 0x0C, 0xF6, 0xEF, 0x2F, 0xC2, 0xE7, 0x96, 0x9B, 0xA1, 0x2D, 0xE9, 0xFB, 0x45, 0xB9,
136 0xD0, 0x30, 0xE2, 0xBD, 0x30, 0x4F, 0xB6, 0xFE, 0x24, 0x02, 0xCF, 0x8D, 0x51, 0x48, 0x45, 0xD9,
137 0xF7, 0x20, 0x53, 0x1C, 0x0B, 0xA9, 0x7E, 0xC2, 0xA2, 0x65, 0xCC, 0x3E, 0x0E, 0x0D, 0xF1, 0x62,
138 0xDD, 0x5F, 0xBC, 0x55, 0x9B, 0x58, 0x26, 0x40, 0x6A, 0xEE, 0x02, 0x55, 0x36, 0xE9, 0xBA, 0x82,
139 0x5A, 0xFD, 0x3C, 0xDF, 0xA6, 0x26, 0x32, 0x81, 0xA9, 0x5E, 0x46, 0xBE, 0xBA, 0xDC, 0xD3, 0x2A,
140 0x3A, 0x3B, 0xC1, 0x4E, 0xF7, 0x1A, 0xDC, 0x4B, 0xAF, 0x67, 0x1B, 0x3A, 0x83, 0x0D, 0x04, 0xDE,
141 0x27, 0x47, 0xFC, 0xE6, 0x39, 0x89, 0x7B, 0x66, 0xF9, 0x50, 0x4D, 0xF1, 0xAC, 0x20, 0x43, 0x7E,
142 0xEE,
143];
144
145/// DER-encoded PKCS#8 format EC key. Generated using:
146/// openssl ecparam -name prime256v1 -genkey | openssl pkcs8 -topk8 -nocrypt -outform der | hexdump -e '30/1 "%02X" "\n"'
147pub static EC_P_256_KEY: &[u8] = &[
148 0x30, 0x81, 0x87, 0x02, 0x01, 0x00, 0x30, 0x13, 0x06, 0x07, 0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x02,
149 0x01, 0x06, 0x08, 0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x03, 0x01, 0x07, 0x04, 0x6D, 0x30, 0x6B, 0x02,
150 0x01, 0x01, 0x04, 0x20, 0xB9, 0x1D, 0xAF, 0x50, 0xFD, 0xD8, 0x6A, 0x40, 0xAB, 0x2C, 0xCB, 0x54,
151 0x4E, 0xED, 0xF1, 0x64, 0xBC, 0x30, 0x25, 0xFB, 0xC4, 0x69, 0x00, 0x34, 0x1A, 0x82, 0xA3, 0x72,
152 0x5D, 0xC7, 0xA9, 0x85, 0xA1, 0x44, 0x03, 0x42, 0x00, 0x04, 0xE8, 0x53, 0x0A, 0xF2, 0xD3, 0x68,
153 0x40, 0x48, 0x8C, 0xB4, 0x2F, 0x11, 0x34, 0xD7, 0xF4, 0x4A, 0x5C, 0x33, 0xFF, 0xF6, 0x2B, 0xF7,
154 0x98, 0x0F, 0x02, 0xA5, 0xD7, 0x4F, 0xF9, 0xDE, 0x60, 0x9C, 0x6E, 0xB0, 0x45, 0xDA, 0x3F, 0xF4,
155 0x34, 0x23, 0x9B, 0x4C, 0x3A, 0x09, 0x9C, 0x5E, 0x5D, 0x37, 0x96, 0xAC, 0x4A, 0xE7, 0x65, 0x2B,
156 0xD6, 0x84, 0x98, 0xEA, 0x96, 0x91, 0xFB, 0x78, 0xED, 0x86,
157];
158
Rajesh Nyamagoudc946cc42022-04-12 22:49:11 +0000[diff] [blame]159/// DER-encoded PKCS#8 format RSA key -
160/// Size: 2048
161/// Public Exponent: 65537
162/// Purpose: WRAP_KEY, ENCRYPT, DECRYPT
163/// Encryption scheme: RSAES-PKCS1-v1_5
164/// Digest: SHA_2_256
165/// Padding: RSA_OAEP
166/// This sample wrapping_key is taken from KeyMint tests
167/// (see hardware/interfaces/security/keymint/aidl/vts/functional/KeyMintTest.cpp).
168/// Similarly more test keys can be generated with below command -
169/// openssl genrsa 2048 | openssl pkcs8 -topk8 -nocrypt -outform der | hexdump -e '30/1 "%02X" "\n"'
170pub static WRAPPING_KEY: &[u8] = &[
171 0x30, 0x82, 0x04, 0xbe, 0x02, 0x01, 0x00, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7,
172 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x04, 0x82, 0x04, 0xa8, 0x30, 0x82, 0x04, 0xa4, 0x02, 0x01,
173 0x00, 0x02, 0x82, 0x01, 0x01, 0x00, 0xae, 0xc3, 0x67, 0x93, 0x1d, 0x89, 0x00, 0xce, 0x56, 0xb0,
174 0x06, 0x7f, 0x7d, 0x70, 0xe1, 0xfc, 0x65, 0x3f, 0x3f, 0x34, 0xd1, 0x94, 0xc1, 0xfe, 0xd5, 0x00,
175 0x18, 0xfb, 0x43, 0xdb, 0x93, 0x7b, 0x06, 0xe6, 0x73, 0xa8, 0x37, 0x31, 0x3d, 0x56, 0xb1, 0xc7,
176 0x25, 0x15, 0x0a, 0x3f, 0xef, 0x86, 0xac, 0xbd, 0xdc, 0x41, 0xbb, 0x75, 0x9c, 0x28, 0x54, 0xea,
177 0xe3, 0x2d, 0x35, 0x84, 0x1e, 0xfb, 0x5c, 0x18, 0xd8, 0x2b, 0xc9, 0x0a, 0x1c, 0xb5, 0xc1, 0xd5,
178 0x5a, 0xdf, 0x24, 0x5b, 0x02, 0x91, 0x1f, 0x0b, 0x7c, 0xda, 0x88, 0xc4, 0x21, 0xff, 0x0e, 0xba,
179 0xfe, 0x7c, 0x0d, 0x23, 0xbe, 0x31, 0x2d, 0x7b, 0xd5, 0x92, 0x1f, 0xfa, 0xea, 0x13, 0x47, 0xc1,
180 0x57, 0x40, 0x6f, 0xef, 0x71, 0x8f, 0x68, 0x26, 0x43, 0xe4, 0xe5, 0xd3, 0x3c, 0x67, 0x03, 0xd6,
181 0x1c, 0x0c, 0xf7, 0xac, 0x0b, 0xf4, 0x64, 0x5c, 0x11, 0xf5, 0xc1, 0x37, 0x4c, 0x38, 0x86, 0x42,
182 0x74, 0x11, 0xc4, 0x49, 0x79, 0x67, 0x92, 0xe0, 0xbe, 0xf7, 0x5d, 0xec, 0x85, 0x8a, 0x21, 0x23,
183 0xc3, 0x67, 0x53, 0xe0, 0x2a, 0x95, 0xa9, 0x6d, 0x7c, 0x45, 0x4b, 0x50, 0x4d, 0xe3, 0x85, 0xa6,
184 0x42, 0xe0, 0xdf, 0xc3, 0xe6, 0x0a, 0xc3, 0xa7, 0xee, 0x49, 0x91, 0xd0, 0xd4, 0x8b, 0x01, 0x72,
185 0xa9, 0x5f, 0x95, 0x36, 0xf0, 0x2b, 0xa1, 0x3c, 0xec, 0xcc, 0xb9, 0x2b, 0x72, 0x7d, 0xb5, 0xc2,
186 0x7e, 0x5b, 0x2f, 0x5c, 0xec, 0x09, 0x60, 0x0b, 0x28, 0x6a, 0xf5, 0xcf, 0x14, 0xc4, 0x20, 0x24,
187 0xc6, 0x1d, 0xdf, 0xe7, 0x1c, 0x2a, 0x8d, 0x74, 0x58, 0xf1, 0x85, 0x23, 0x4c, 0xb0, 0x0e, 0x01,
188 0xd2, 0x82, 0xf1, 0x0f, 0x8f, 0xc6, 0x72, 0x1d, 0x2a, 0xed, 0x3f, 0x48, 0x33, 0xcc, 0xa2, 0xbd,
189 0x8f, 0xa6, 0x28, 0x21, 0xdd, 0x55, 0x02, 0x03, 0x01, 0x00, 0x01, 0x02, 0x82, 0x01, 0x00, 0x43,
190 0x14, 0x47, 0xb6, 0x25, 0x19, 0x08, 0x11, 0x2b, 0x1e, 0xe7, 0x6f, 0x99, 0xf3, 0x71, 0x1a, 0x52,
191 0xb6, 0x63, 0x09, 0x60, 0x04, 0x6c, 0x2d, 0xe7, 0x0d, 0xe1, 0x88, 0xd8, 0x33, 0xf8, 0xb8, 0xb9,
192 0x1e, 0x4d, 0x78, 0x5c, 0xae, 0xee, 0xaf, 0x4f, 0x0f, 0x74, 0x41, 0x4e, 0x2c, 0xda, 0x40, 0x64,
193 0x1f, 0x7f, 0xe2, 0x4f, 0x14, 0xc6, 0x7a, 0x88, 0x95, 0x9b, 0xdb, 0x27, 0x76, 0x6d, 0xf9, 0xe7,
194 0x10, 0xb6, 0x30, 0xa0, 0x3a, 0xdc, 0x68, 0x3b, 0x5d, 0x2c, 0x43, 0x08, 0x0e, 0x52, 0xbe, 0xe7,
195 0x1e, 0x9e, 0xae, 0xb6, 0xde, 0x29, 0x7a, 0x5f, 0xea, 0x10, 0x72, 0x07, 0x0d, 0x18, 0x1c, 0x82,
196 0x2b, 0xcc, 0xff, 0x08, 0x7d, 0x63, 0xc9, 0x40, 0xba, 0x8a, 0x45, 0xf6, 0x70, 0xfe, 0xb2, 0x9f,
197 0xb4, 0x48, 0x4d, 0x1c, 0x95, 0xe6, 0xd2, 0x57, 0x9b, 0xa0, 0x2a, 0xae, 0x0a, 0x00, 0x90, 0x0c,
198 0x3e, 0xbf, 0x49, 0x0e, 0x3d, 0x2c, 0xd7, 0xee, 0x8d, 0x0e, 0x20, 0xc5, 0x36, 0xe4, 0xdc, 0x5a,
199 0x50, 0x97, 0x27, 0x28, 0x88, 0xcd, 0xdd, 0x7e, 0x91, 0xf2, 0x28, 0xb1, 0xc4, 0xd7, 0x47, 0x4c,
200 0x55, 0xb8, 0xfc, 0xd6, 0x18, 0xc4, 0xa9, 0x57, 0xbb, 0xdd, 0xd5, 0xad, 0x74, 0x07, 0xcc, 0x31,
201 0x2d, 0x8d, 0x98, 0xa5, 0xca, 0xf7, 0xe0, 0x8f, 0x4a, 0x0d, 0x6b, 0x45, 0xbb, 0x41, 0xc6, 0x52,
202 0x65, 0x9d, 0x5a, 0x5b, 0xa0, 0x5b, 0x66, 0x37, 0x37, 0xa8, 0x69, 0x62, 0x81, 0x86, 0x5b, 0xa2,
203 0x0f, 0xbd, 0xd7, 0xf8, 0x51, 0xe6, 0xc5, 0x6e, 0x8c, 0xbe, 0x0d, 0xdb, 0xbf, 0x24, 0xdc, 0x03,
204 0xb2, 0xd2, 0xcb, 0x4c, 0x3d, 0x54, 0x0f, 0xb0, 0xaf, 0x52, 0xe0, 0x34, 0xa2, 0xd0, 0x66, 0x98,
205 0xb1, 0x28, 0xe5, 0xf1, 0x01, 0xe3, 0xb5, 0x1a, 0x34, 0xf8, 0xd8, 0xb4, 0xf8, 0x61, 0x81, 0x02,
206 0x81, 0x81, 0x00, 0xde, 0x39, 0x2e, 0x18, 0xd6, 0x82, 0xc8, 0x29, 0x26, 0x6c, 0xc3, 0x45, 0x4e,
207 0x1d, 0x61, 0x66, 0x24, 0x2f, 0x32, 0xd9, 0xa1, 0xd1, 0x05, 0x77, 0x75, 0x3e, 0x90, 0x4e, 0xa7,
208 0xd0, 0x8b, 0xff, 0x84, 0x1b, 0xe5, 0xba, 0xc8, 0x2a, 0x16, 0x4c, 0x59, 0x70, 0x00, 0x70, 0x47,
209 0xb8, 0xc5, 0x17, 0xdb, 0x8f, 0x8f, 0x84, 0xe3, 0x7b, 0xd5, 0x98, 0x85, 0x61, 0xbd, 0xf5, 0x03,
210 0xd4, 0xdc, 0x2b, 0xdb, 0x38, 0xf8, 0x85, 0x43, 0x4a, 0xe4, 0x2c, 0x35, 0x5f, 0x72, 0x5c, 0x9a,
211 0x60, 0xf9, 0x1f, 0x07, 0x88, 0xe1, 0xf1, 0xa9, 0x72, 0x23, 0xb5, 0x24, 0xb5, 0x35, 0x7f, 0xdf,
212 0x72, 0xe2, 0xf6, 0x96, 0xba, 0xb7, 0xd7, 0x8e, 0x32, 0xbf, 0x92, 0xba, 0x8e, 0x18, 0x64, 0xea,
213 0xb1, 0x22, 0x9e, 0x91, 0x34, 0x61, 0x30, 0x74, 0x8a, 0x6e, 0x3c, 0x12, 0x4f, 0x91, 0x49, 0xd7,
214 0x1c, 0x74, 0x35, 0x02, 0x81, 0x81, 0x00, 0xc9, 0x53, 0x87, 0xc0, 0xf9, 0xd3, 0x5f, 0x13, 0x7b,
215 0x57, 0xd0, 0xd6, 0x5c, 0x39, 0x7c, 0x5e, 0x21, 0xcc, 0x25, 0x1e, 0x47, 0x00, 0x8e, 0xd6, 0x2a,
216 0x54, 0x24, 0x09, 0xc8, 0xb6, 0xb6, 0xac, 0x7f, 0x89, 0x67, 0xb3, 0x86, 0x3c, 0xa6, 0x45, 0xfc,
217 0xce, 0x49, 0x58, 0x2a, 0x9a, 0xa1, 0x73, 0x49, 0xdb, 0x6c, 0x4a, 0x95, 0xaf, 0xfd, 0xae, 0x0d,
218 0xae, 0x61, 0x2e, 0x1a, 0xfa, 0xc9, 0x9e, 0xd3, 0x9a, 0x2d, 0x93, 0x4c, 0x88, 0x04, 0x40, 0xae,
219 0xd8, 0x83, 0x2f, 0x98, 0x43, 0x16, 0x3a, 0x47, 0xf2, 0x7f, 0x39, 0x21, 0x99, 0xdc, 0x12, 0x02,
220 0xf9, 0xa0, 0xf9, 0xbd, 0x08, 0x30, 0x80, 0x07, 0xcb, 0x1e, 0x4e, 0x7f, 0x58, 0x30, 0x93, 0x66,
221 0xa7, 0xde, 0x25, 0xf7, 0xc3, 0xc9, 0xb8, 0x80, 0x67, 0x7c, 0x06, 0x8e, 0x1b, 0xe9, 0x36, 0xe8,
222 0x12, 0x88, 0x81, 0x52, 0x52, 0xa8, 0xa1, 0x02, 0x81, 0x80, 0x57, 0xff, 0x8c, 0xa1, 0x89, 0x50,
223 0x80, 0xb2, 0xca, 0xe4, 0x86, 0xef, 0x0a, 0xdf, 0xd7, 0x91, 0xfb, 0x02, 0x35, 0xc0, 0xb8, 0xb3,
224 0x6c, 0xd6, 0xc1, 0x36, 0xe5, 0x2e, 0x40, 0x85, 0xf4, 0xea, 0x5a, 0x06, 0x32, 0x12, 0xa4, 0xf1,
225 0x05, 0xa3, 0x76, 0x47, 0x43, 0xe5, 0x32, 0x81, 0x98, 0x8a, 0xba, 0x07, 0x3f, 0x6e, 0x00, 0x27,
226 0x29, 0x8e, 0x1c, 0x43, 0x78, 0x55, 0x6e, 0x0e, 0xfc, 0xa0, 0xe1, 0x4e, 0xce, 0x1a, 0xf7, 0x6a,
227 0xd0, 0xb0, 0x30, 0xf2, 0x7a, 0xf6, 0xf0, 0xab, 0x35, 0xfb, 0x73, 0xa0, 0x60, 0xd8, 0xb1, 0xa0,
228 0xe1, 0x42, 0xfa, 0x26, 0x47, 0xe9, 0x3b, 0x32, 0xe3, 0x6d, 0x82, 0x82, 0xae, 0x0a, 0x4d, 0xe5,
229 0x0a, 0xb7, 0xaf, 0xe8, 0x55, 0x00, 0xa1, 0x6f, 0x43, 0xa6, 0x47, 0x19, 0xd6, 0xe2, 0xb9, 0x43,
230 0x98, 0x23, 0x71, 0x9c, 0xd0, 0x8b, 0xcd, 0x03, 0x17, 0x81, 0x02, 0x81, 0x81, 0x00, 0xba, 0x73,
231 0xb0, 0xbb, 0x28, 0xe3, 0xf8, 0x1e, 0x9b, 0xd1, 0xc5, 0x68, 0x71, 0x3b, 0x10, 0x12, 0x41, 0xac,
232 0xc6, 0x07, 0x97, 0x6c, 0x4d, 0xdc, 0xcc, 0x90, 0xe6, 0x5b, 0x65, 0x56, 0xca, 0x31, 0x51, 0x60,
233 0x58, 0xf9, 0x2b, 0x6e, 0x09, 0xf3, 0xb1, 0x60, 0xff, 0x0e, 0x37, 0x4e, 0xc4, 0x0d, 0x78, 0xae,
234 0x4d, 0x49, 0x79, 0xfd, 0xe6, 0xac, 0x06, 0xa1, 0xa4, 0x00, 0xc6, 0x1d, 0xd3, 0x12, 0x54, 0x18,
235 0x6a, 0xf3, 0x0b, 0x22, 0xc1, 0x05, 0x82, 0xa8, 0xa4, 0x3e, 0x34, 0xfe, 0x94, 0x9c, 0x5f, 0x3b,
236 0x97, 0x55, 0xba, 0xe7, 0xba, 0xa7, 0xb7, 0xb7, 0xa6, 0xbd, 0x03, 0xb3, 0x8c, 0xef, 0x55, 0xc8,
237 0x68, 0x85, 0xfc, 0x6c, 0x19, 0x78, 0xb9, 0xce, 0xe7, 0xef, 0x33, 0xda, 0x50, 0x7c, 0x9d, 0xf6,
238 0xb9, 0x27, 0x7c, 0xff, 0x1e, 0x6a, 0xaa, 0x5d, 0x57, 0xac, 0xa5, 0x28, 0x46, 0x61, 0x02, 0x81,
239 0x81, 0x00, 0xc9, 0x31, 0x61, 0x7c, 0x77, 0x82, 0x9d, 0xfb, 0x12, 0x70, 0x50, 0x2b, 0xe9, 0x19,
240 0x5c, 0x8f, 0x28, 0x30, 0x88, 0x5f, 0x57, 0xdb, 0xa8, 0x69, 0x53, 0x68, 0x11, 0xe6, 0x86, 0x42,
241 0x36, 0xd0, 0xc4, 0x73, 0x6a, 0x00, 0x08, 0xa1, 0x45, 0xaf, 0x36, 0xb8, 0x35, 0x7a, 0x7c, 0x3d,
242 0x13, 0x99, 0x66, 0xd0, 0x4c, 0x4e, 0x00, 0x93, 0x4e, 0xa1, 0xae, 0xde, 0x3b, 0xb6, 0xb8, 0xec,
243 0x84, 0x1d, 0xc9, 0x5e, 0x3f, 0x57, 0x97, 0x51, 0xe2, 0xbf, 0xdf, 0xe2, 0x7a, 0xe7, 0x78, 0x98,
244 0x3f, 0x95, 0x93, 0x56, 0x21, 0x07, 0x23, 0x28, 0x7b, 0x0a, 0xff, 0xcc, 0x9f, 0x72, 0x70, 0x44,
245 0xd4, 0x8c, 0x37, 0x3f, 0x1b, 0xab, 0xde, 0x07, 0x24, 0xfa, 0x17, 0xa4, 0xfd, 0x4d, 0xa0, 0x90,
246 0x2c, 0x7c, 0x9b, 0x9b, 0xf2, 0x7b, 0xa6, 0x1b, 0xe6, 0xad, 0x02, 0xdf, 0xdd, 0xda, 0x8f, 0x4e,
247 0x68, 0x22,
248];
249
250/// WrappedKeyData as ASN.1 DER-encoded data corresponding to the `SecureKeyWrapper` schema
251/// specified in IKeyMintDevice.aidl. Wrapped key parameters are -
252/// Algorithm: AES
253/// Key size: 256
254/// Block mode: ECB
255/// Padding mode: PKCS7
256/// This sample wrapped_key is taken from KeyMint tests (see KeyMintTest.cpp).
257pub static WRAPPED_KEY: &[u8] = &[
258 0x30, 0x82, 0x01, 0x79, 0x02, 0x01, 0x00, 0x04, 0x82, 0x01, 0x00, 0x93, 0x4b, 0xf9, 0x4e, 0x2a,
259 0xa2, 0x8a, 0x3f, 0x83, 0xc9, 0xf7, 0x92, 0x97, 0x25, 0x02, 0x62, 0xfb, 0xe3, 0x27, 0x6b, 0x5a,
260 0x1c, 0x91, 0x15, 0x9b, 0xbf, 0xa3, 0xef, 0x89, 0x57, 0xaa, 0xc8, 0x4b, 0x59, 0xb3, 0x0b, 0x45,
261 0x5a, 0x79, 0xc2, 0x97, 0x34, 0x80, 0x82, 0x3d, 0x8b, 0x38, 0x63, 0xc3, 0xde, 0xef, 0x4a, 0x8e,
262 0x24, 0x35, 0x90, 0x26, 0x8d, 0x80, 0xe1, 0x87, 0x51, 0xa0, 0xe1, 0x30, 0xf6, 0x7c, 0xe6, 0xa1,
263 0xac, 0xe9, 0xf7, 0x9b, 0x95, 0xe0, 0x97, 0x47, 0x4f, 0xeb, 0xc9, 0x81, 0x19, 0x5b, 0x1d, 0x13,
264 0xa6, 0x90, 0x86, 0xc0, 0x86, 0x3f, 0x66, 0xa7, 0xb7, 0xfd, 0xb4, 0x87, 0x92, 0x22, 0x7b, 0x1a,
265 0xc5, 0xe2, 0x48, 0x9f, 0xeb, 0xdf, 0x08, 0x7a, 0xb5, 0x48, 0x64, 0x83, 0x03, 0x3a, 0x6f, 0x00,
266 0x1c, 0xa5, 0xd1, 0xec, 0x1e, 0x27, 0xf5, 0xc3, 0x0f, 0x4c, 0xec, 0x26, 0x42, 0x07, 0x4a, 0x39,
267 0xae, 0x68, 0xae, 0xe5, 0x52, 0xe1, 0x96, 0x62, 0x7a, 0x8e, 0x3d, 0x86, 0x7e, 0x67, 0xa8, 0xc0,
268 0x1b, 0x11, 0xe7, 0x5f, 0x13, 0xcc, 0xa0, 0xa9, 0x7a, 0xb6, 0x68, 0xb5, 0x0c, 0xda, 0x07, 0xa8,
269 0xec, 0xb7, 0xcd, 0x8e, 0x3d, 0xd7, 0x00, 0x9c, 0x96, 0x36, 0x53, 0x4f, 0x6f, 0x23, 0x9c, 0xff,
270 0xe1, 0xfc, 0x8d, 0xaa, 0x46, 0x6f, 0x78, 0xb6, 0x76, 0xc7, 0x11, 0x9e, 0xfb, 0x96, 0xbc, 0xe4,
271 0xe6, 0x9c, 0xa2, 0xa2, 0x5d, 0x0b, 0x34, 0xed, 0x9c, 0x3f, 0xf9, 0x99, 0xb8, 0x01, 0x59, 0x7d,
272 0x52, 0x20, 0xe3, 0x07, 0xea, 0xa5, 0xbe, 0xe5, 0x07, 0xfb, 0x94, 0xd1, 0xfa, 0x69, 0xf9, 0xe5,
273 0x19, 0xb2, 0xde, 0x31, 0x5b, 0xac, 0x92, 0xc3, 0x6f, 0x2e, 0xa1, 0xfa, 0x1d, 0xf4, 0x47, 0x8c,
274 0x0d, 0xde, 0xde, 0xae, 0x8c, 0x70, 0xe0, 0x23, 0x3c, 0xd0, 0x98, 0x04, 0x0c, 0xd7, 0x96, 0xb0,
275 0x2c, 0x37, 0x0f, 0x1f, 0xa4, 0xcc, 0x01, 0x24, 0xf1, 0x30, 0x2e, 0x02, 0x01, 0x03, 0x30, 0x29,
276 0xa1, 0x08, 0x31, 0x06, 0x02, 0x01, 0x00, 0x02, 0x01, 0x01, 0xa2, 0x03, 0x02, 0x01, 0x20, 0xa3,
277 0x04, 0x02, 0x02, 0x01, 0x00, 0xa4, 0x05, 0x31, 0x03, 0x02, 0x01, 0x01, 0xa6, 0x05, 0x31, 0x03,
278 0x02, 0x01, 0x40, 0xbf, 0x83, 0x77, 0x02, 0x05, 0x00, 0x04, 0x20, 0xcc, 0xd5, 0x40, 0x85, 0x5f,
279 0x83, 0x3a, 0x5e, 0x14, 0x80, 0xbf, 0xd2, 0xd3, 0x6f, 0xaf, 0x3a, 0xee, 0xe1, 0x5d, 0xf5, 0xbe,
280 0xab, 0xe2, 0x69, 0x1b, 0xc8, 0x2d, 0xde, 0x2a, 0x7a, 0xa9, 0x10, 0x04, 0x10, 0x64, 0xc9, 0xf6,
281 0x89, 0xc6, 0x0f, 0xf6, 0x22, 0x3a, 0xb6, 0xe6, 0x99, 0x9e, 0x0e, 0xb6, 0xe5,
282];
283
Rajesh Nyamagoudb881d512021-12-10 00:33:15 +0000[diff] [blame]284/// To map Keystore errors.
285#[derive(thiserror::Error, Debug, Eq, PartialEq)]
286pub enum Error {
287 /// Keystore2 error code
288 #[error("ResponseCode {0:?}")]
289 Rc(ResponseCode),
290 /// Keymint error code
291 #[error("ErrorCode {0:?}")]
292 Km(ErrorCode),
293 /// Exception
294 #[error("Binder exception {0:?}")]
295 Binder(ExceptionCode),
Rajesh Nyamagoud4d483372022-02-09 01:38:23 +0000[diff] [blame]296 /// This is returned if the C implementation of extractSubjectFromCertificate failed.
297 #[error("Failed to validate certificate chain.")]
298 ValidateCertChainFailed,
Rajesh Nyamagoudc946cc42022-04-12 22:49:11 +0000[diff] [blame]299 /// Error code to indicate error in ASN.1 DER-encoded data creation.
300 #[error("Failed to create and encode ASN.1 data.")]
301 DerEncodeFailed,
Rajesh Nyamagoud28abde62023-04-01 01:32:32 +0000[diff] [blame^]302 /// Error code to indicate error while using keystore-engine API.
303 #[error("Failed to perform crypto op using keystore-engine APIs.")]
304 Keystore2EngineOpFailed,
Rajesh Nyamagoudb881d512021-12-10 00:33:15 +0000[diff] [blame]305}
306
307/// Keystore2 error mapping.
308pub fn map_ks_error<T>(r: BinderResult<T>) -> Result<T, Error> {
309 r.map_err(|s| {
310 match s.exception_code() {
311 ExceptionCode::SERVICE_SPECIFIC => {
312 match s.service_specific_error() {
313 se if se < 0 => {
314 // Negative service specific errors are KM error codes.
315 Error::Km(ErrorCode(se))
316 }
317 se => {
318 // Positive service specific errors are KS response codes.
319 Error::Rc(ResponseCode(se))
320 }
321 }
322 }
323 // We create `Error::Binder` to preserve the exception code
324 // for logging.
325 e_code => Error::Binder(e_code),
326 }
327 })
328}
329
330/// Generate EC Key using given security level and domain with below key parameters and
331/// optionally allow the generated key to be attested with factory provisioned attest key using
332/// given challenge and application id -
Rajesh Nyamagoud901386c2022-03-21 20:35:18 +0000[diff] [blame]333/// Purposes: SIGN and VERIFY
334/// Digest: SHA_2_256
335/// Curve: P_256
Rajesh Nyamagoudb881d512021-12-10 00:33:15 +0000[diff] [blame]336pub fn generate_ec_p256_signing_key(
Rajesh Nyamagoud901386c2022-03-21 20:35:18 +0000[diff] [blame]337 sec_level: &binder::Strong<dyn IKeystoreSecurityLevel>,
Rajesh Nyamagoudb881d512021-12-10 00:33:15 +0000[diff] [blame]338 domain: Domain,
339 nspace: i64,
340 alias: Option<String>,
341 att_challenge: Option<&[u8]>,
Rajesh Nyamagoud901386c2022-03-21 20:35:18 +0000[diff] [blame]342) -> binder::Result<KeyMetadata> {
Rajesh Nyamagoudb881d512021-12-10 00:33:15 +0000[diff] [blame]343 let mut key_attest = false;
344 let mut gen_params = AuthSetBuilder::new()
Rajesh Nyamagoudc7d064d2022-08-20 01:45:17 +0000[diff] [blame]345 .no_auth_required()
Rajesh Nyamagoud901386c2022-03-21 20:35:18 +0000[diff] [blame]346 .algorithm(Algorithm::EC)
347 .purpose(KeyPurpose::SIGN)
348 .purpose(KeyPurpose::VERIFY)
349 .digest(Digest::SHA_2_256)
Rajesh Nyamagoudb881d512021-12-10 00:33:15 +0000[diff] [blame]350 .ec_curve(EcCurve::P_256);
351
352 if let Some(challenge) = att_challenge {
353 key_attest = true;
354 gen_params = gen_params.clone().attestation_challenge(challenge.to_vec());
355 }
356
Rajesh Nyamagoud901386c2022-03-21 20:35:18 +0000[diff] [blame]357 match sec_level.generateKey(
Rajesh Nyamagoudb881d512021-12-10 00:33:15 +0000[diff] [blame]358 &KeyDescriptor { domain, nspace, alias, blob: None },
Rajesh Nyamagoud901386c2022-03-21 20:35:18 +0000[diff] [blame]359 None,
360 &gen_params,
361 0,
362 b"entropy",
363 ) {
364 Ok(key_metadata) => {
365 assert!(key_metadata.certificate.is_some());
Rajesh Nyamagoudb881d512021-12-10 00:33:15 +0000[diff] [blame]366 if key_attest {
367 assert!(key_metadata.certificateChain.is_some());
368 }
369 if domain == Domain::BLOB {
370 assert!(key_metadata.key.blob.is_some());
371 }
Rajesh Nyamagoud901386c2022-03-21 20:35:18 +0000[diff] [blame]372
373 Ok(key_metadata)
374 }
375 Err(e) => Err(e),
376 }
377}
Rajesh Nyamagouda7766452021-12-13 21:44:19 +0000[diff] [blame]378
379/// Generate EC signing key.
Rajesh Nyamagoudc7d064d2022-08-20 01:45:17 +0000[diff] [blame]380pub fn generate_ec_key(
381 sec_level: &binder::Strong<dyn IKeystoreSecurityLevel>,
Rajesh Nyamagouda7766452021-12-13 21:44:19 +0000[diff] [blame]382 domain: Domain,
383 nspace: i64,
384 alias: Option<String>,
385 ec_curve: EcCurve,
386 digest: Digest,
387) -> binder::Result<KeyMetadata> {
388 let gen_params = AuthSetBuilder::new()
389 .no_auth_required()
390 .algorithm(Algorithm::EC)
391 .purpose(KeyPurpose::SIGN)
392 .purpose(KeyPurpose::VERIFY)
393 .digest(digest)
394 .ec_curve(ec_curve);
395
396 let key_metadata = sec_level.generateKey(
397 &KeyDescriptor { domain, nspace, alias, blob: None },
398 None,
399 &gen_params,
400 0,
401 b"entropy",
402 )?;
403
404 // Must have a public key.
405 assert!(key_metadata.certificate.is_some());
406
407 // Should not have an attestation record.
408 assert!(key_metadata.certificateChain.is_none());
409
410 if domain == Domain::BLOB {
411 assert!(key_metadata.key.blob.is_some());
412 } else {
413 assert!(key_metadata.key.blob.is_none());
414 }
415 Ok(key_metadata)
416}
Rajesh Nyamagoud11912ea2021-12-20 20:37:20 +0000[diff] [blame]417
418/// Generate a RSA key with the given key parameters, alias, domain and namespace.
419pub fn generate_rsa_key(
420 sec_level: &binder::Strong<dyn IKeystoreSecurityLevel>,
421 domain: Domain,
422 nspace: i64,
423 alias: Option<String>,
424 key_params: &KeyParams,
425 attest_key: Option<&KeyDescriptor>,
426) -> binder::Result<KeyMetadata> {
427 let mut gen_params = AuthSetBuilder::new()
428 .no_auth_required()
429 .algorithm(Algorithm::RSA)
430 .rsa_public_exponent(65537)
431 .key_size(key_params.key_size);
432
433 for purpose in &key_params.purpose {
434 gen_params = gen_params.purpose(*purpose);
435 }
436 if let Some(value) = key_params.digest {
437 gen_params = gen_params.digest(value)
438 }
439 if let Some(value) = key_params.padding {
440 gen_params = gen_params.padding_mode(value);
441 }
442 if let Some(value) = key_params.mgf_digest {
443 gen_params = gen_params.mgf_digest(value);
444 }
445 if let Some(value) = key_params.block_mode {
446 gen_params = gen_params.block_mode(value)
447 }
448 if let Some(value) = &key_params.att_challenge {
449 gen_params = gen_params.attestation_challenge(value.to_vec())
450 }
Rajesh Nyamagoud11912ea2021-12-20 20:37:20 +0000[diff] [blame]451
452 let key_metadata = sec_level.generateKey(
453 &KeyDescriptor { domain, nspace, alias, blob: None },
454 attest_key,
455 &gen_params,
456 0,
457 b"entropy",
458 )?;
459
460 // Must have a public key.
461 assert!(key_metadata.certificate.is_some());
462
David Drysdale38f2ca32023-01-10 13:10:51 +0000[diff] [blame]463 if attest_key.is_none() && key_params.att_challenge.is_some() {
Rajesh Nyamagoud11912ea2021-12-20 20:37:20 +0000[diff] [blame]464 // Should have an attestation record.
465 assert!(key_metadata.certificateChain.is_some());
466 } else {
467 // Should not have an attestation record.
468 assert!(key_metadata.certificateChain.is_none());
469 }
470
471 assert!(
472 (domain == Domain::BLOB && key_metadata.key.blob.is_some())
473 || key_metadata.key.blob.is_none()
474 );
475
476 Ok(key_metadata)
477}
Rajesh Nyamagoud47409932022-01-08 00:37:13 +0000[diff] [blame]478
Rajesh Nyamagoudc3523ba2022-08-05 17:38:25 +0000[diff] [blame]479/// Generate AES/3DES key.
480pub fn generate_sym_key(
Rajesh Nyamagoud47409932022-01-08 00:37:13 +0000[diff] [blame]481 sec_level: &binder::Strong<dyn IKeystoreSecurityLevel>,
Rajesh Nyamagoudc3523ba2022-08-05 17:38:25 +0000[diff] [blame]482 algorithm: Algorithm,
Rajesh Nyamagoud47409932022-01-08 00:37:13 +0000[diff] [blame]483 size: i32,
484 alias: &str,
485 padding_mode: &PaddingMode,
486 block_mode: &BlockMode,
487 min_mac_len: Option<i32>,
488) -> binder::Result<KeyMetadata> {
489 let mut gen_params = AuthSetBuilder::new()
490 .no_auth_required()
Rajesh Nyamagoudc3523ba2022-08-05 17:38:25 +0000[diff] [blame]491 .algorithm(algorithm)
Rajesh Nyamagoud47409932022-01-08 00:37:13 +0000[diff] [blame]492 .purpose(KeyPurpose::ENCRYPT)
493 .purpose(KeyPurpose::DECRYPT)
494 .key_size(size)
495 .padding_mode(*padding_mode)
496 .block_mode(*block_mode);
497
498 if let Some(val) = min_mac_len {
499 gen_params = gen_params.min_mac_length(val);
500 }
501
502 let key_metadata = sec_level.generateKey(
503 &KeyDescriptor {
504 domain: Domain::APP,
505 nspace: -1,
506 alias: Some(alias.to_string()),
507 blob: None,
508 },
509 None,
510 &gen_params,
511 0,
512 b"entropy",
513 )?;
514
515 // Should not have public certificate.
516 assert!(key_metadata.certificate.is_none());
517
518 // Should not have an attestation record.
519 assert!(key_metadata.certificateChain.is_none());
520 Ok(key_metadata)
521}
Rajesh Nyamagoud4c6193c2022-02-03 01:15:34 +0000[diff] [blame]522
523/// Generate HMAC key.
524pub fn generate_hmac_key(
525 sec_level: &binder::Strong<dyn IKeystoreSecurityLevel>,
526 alias: &str,
527 key_size: i32,
528 min_mac_len: i32,
529 digest: Digest,
530) -> binder::Result<KeyMetadata> {
531 let gen_params = AuthSetBuilder::new()
532 .no_auth_required()
533 .algorithm(Algorithm::HMAC)
534 .purpose(KeyPurpose::SIGN)
535 .purpose(KeyPurpose::VERIFY)
536 .key_size(key_size)
537 .min_mac_length(min_mac_len)
538 .digest(digest);
539
540 let key_metadata = sec_level.generateKey(
541 &KeyDescriptor {
542 domain: Domain::APP,
543 nspace: -1,
544 alias: Some(alias.to_string()),
545 blob: None,
546 },
547 None,
548 &gen_params,
549 0,
550 b"entropy",
551 )?;
552
553 // Should not have public certificate.
554 assert!(key_metadata.certificate.is_none());
555
556 // Should not have an attestation record.
557 assert!(key_metadata.certificateChain.is_none());
558
559 Ok(key_metadata)
560}
Rajesh Nyamagoud4d483372022-02-09 01:38:23 +0000[diff] [blame]561
562/// Generate RSA or EC attestation keys using below parameters -
563/// Purpose: ATTEST_KEY
564/// Digest: Digest::SHA_2_256
565/// Padding: PaddingMode::RSA_PKCS1_1_5_SIGN
566/// RSA-Key-Size: 2048
567/// EC-Curve: EcCurve::P_256
568pub fn generate_attestation_key(
569 sec_level: &binder::Strong<dyn IKeystoreSecurityLevel>,
570 algorithm: Algorithm,
571 att_challenge: &[u8],
Rajesh Nyamagoud4d483372022-02-09 01:38:23 +0000[diff] [blame]572) -> binder::Result<KeyMetadata> {
573 assert!(algorithm == Algorithm::RSA || algorithm == Algorithm::EC);
574
575 if algorithm == Algorithm::RSA {
576 let alias = "ks_rsa_attest_test_key";
577 let metadata = generate_rsa_key(
578 sec_level,
579 Domain::APP,
580 -1,
581 Some(alias.to_string()),
582 &KeyParams {
583 key_size: 2048,
584 purpose: vec![KeyPurpose::ATTEST_KEY],
585 padding: Some(PaddingMode::RSA_PKCS1_1_5_SIGN),
586 digest: Some(Digest::SHA_2_256),
587 mgf_digest: None,
588 block_mode: None,
589 att_challenge: Some(att_challenge.to_vec()),
Rajesh Nyamagoud4d483372022-02-09 01:38:23 +0000[diff] [blame]590 },
591 None,
592 )
593 .unwrap();
594 Ok(metadata)
595 } else {
596 let metadata = generate_ec_attestation_key(
597 sec_level,
598 att_challenge,
Rajesh Nyamagoud4d483372022-02-09 01:38:23 +0000[diff] [blame]599 Digest::SHA_2_256,
600 EcCurve::P_256,
601 )
602 .unwrap();
603
604 Ok(metadata)
605 }
606}
607
608/// Generate EC attestation key with the given
609/// curve, attestation-challenge and attestation-app-id.
610pub fn generate_ec_attestation_key(
611 sec_level: &binder::Strong<dyn IKeystoreSecurityLevel>,
612 att_challenge: &[u8],
Rajesh Nyamagoud4d483372022-02-09 01:38:23 +0000[diff] [blame]613 digest: Digest,
614 ec_curve: EcCurve,
615) -> binder::Result<KeyMetadata> {
616 let alias = "ks_attest_ec_test_key";
617 let gen_params = AuthSetBuilder::new()
618 .no_auth_required()
619 .algorithm(Algorithm::EC)
620 .purpose(KeyPurpose::ATTEST_KEY)
621 .ec_curve(ec_curve)
622 .digest(digest)
David Drysdale38f2ca32023-01-10 13:10:51 +0000[diff] [blame]623 .attestation_challenge(att_challenge.to_vec());
Rajesh Nyamagoud4d483372022-02-09 01:38:23 +0000[diff] [blame]624
625 let attestation_key_metadata = sec_level.generateKey(
626 &KeyDescriptor {
627 domain: Domain::APP,
628 nspace: -1,
629 alias: Some(alias.to_string()),
630 blob: None,
631 },
632 None,
633 &gen_params,
634 0,
635 b"entropy",
636 )?;
637
638 // Should have public certificate.
639 assert!(attestation_key_metadata.certificate.is_some());
640 // Should have an attestation record.
641 assert!(attestation_key_metadata.certificateChain.is_some());
642
643 Ok(attestation_key_metadata)
644}
645
646/// Generate EC-P-256 key and attest it with given attestation key.
647pub fn generate_ec_256_attested_key(
648 sec_level: &binder::Strong<dyn IKeystoreSecurityLevel>,
649 alias: Option<String>,
650 att_challenge: &[u8],
Rajesh Nyamagoud4d483372022-02-09 01:38:23 +0000[diff] [blame]651 attest_key: &KeyDescriptor,
652) -> binder::Result<KeyMetadata> {
653 let ec_gen_params = AuthSetBuilder::new()
654 .no_auth_required()
655 .algorithm(Algorithm::EC)
656 .purpose(KeyPurpose::SIGN)
657 .purpose(KeyPurpose::VERIFY)
658 .digest(Digest::SHA_2_256)
659 .ec_curve(EcCurve::P_256)
David Drysdale38f2ca32023-01-10 13:10:51 +0000[diff] [blame]660 .attestation_challenge(att_challenge.to_vec());
Rajesh Nyamagoud4d483372022-02-09 01:38:23 +0000[diff] [blame]661
662 let ec_key_metadata = sec_level
663 .generateKey(
664 &KeyDescriptor { domain: Domain::APP, nspace: -1, alias, blob: None },
665 Some(attest_key),
666 &ec_gen_params,
667 0,
668 b"entropy",
669 )
670 .unwrap();
671
672 // Should have public certificate.
673 assert!(ec_key_metadata.certificate.is_some());
674 // Shouldn't have an attestation record.
675 assert!(ec_key_metadata.certificateChain.is_none());
676
677 Ok(ec_key_metadata)
678}
Rajesh Nyamagoudb8402b62022-04-08 01:05:47 +0000[diff] [blame]679
Rajesh Nyamagoudc946cc42022-04-12 22:49:11 +0000[diff] [blame]680/// Verify that given key param is listed in given authorizations list.
681pub fn check_key_param(authorizations: &[Authorization], key_param: KeyParameter) -> bool {
Rajesh Nyamagoudb8402b62022-04-08 01:05:47 +0000[diff] [blame]682 for authrization in authorizations {
683 if authrization.keyParameter == key_param {
684 return true;
685 }
686 }
687
688 false
689}
690
691/// Imports above defined RSA key - `RSA_2048_KEY` and validates imported key parameters.
692pub fn import_rsa_2048_key(
693 sec_level: &binder::Strong<dyn IKeystoreSecurityLevel>,
694 domain: Domain,
695 nspace: i64,
696 alias: Option<String>,
697 import_params: AuthSetBuilder,
698) -> binder::Result<KeyMetadata> {
699 let key_metadata = sec_level
700 .importKey(
701 &KeyDescriptor { domain, nspace, alias, blob: None },
702 None,
703 &import_params,
704 0,
705 RSA_2048_KEY,
706 )
707 .unwrap();
708
709 assert!(key_metadata.certificate.is_some());
710 assert!(key_metadata.certificateChain.is_none());
711
712 assert!(check_key_param(
713 &key_metadata.authorizations,
714 KeyParameter { tag: Tag::ALGORITHM, value: KeyParameterValue::Algorithm(Algorithm::RSA) }
715 ));
716
717 assert!(check_key_param(
718 &key_metadata.authorizations,
719 KeyParameter { tag: Tag::KEY_SIZE, value: KeyParameterValue::Integer(2048) }
720 ));
721
722 assert!(check_key_param(
723 &key_metadata.authorizations,
724 KeyParameter { tag: Tag::DIGEST, value: KeyParameterValue::Digest(Digest::SHA_2_256) }
725 ));
726
727 assert!(check_key_param(
728 &key_metadata.authorizations,
729 KeyParameter {
730 tag: Tag::RSA_PUBLIC_EXPONENT,
731 value: KeyParameterValue::LongInteger(65537)
732 }
733 ));
734
735 assert!(check_key_param(
736 &key_metadata.authorizations,
737 KeyParameter {
738 tag: Tag::PADDING,
739 value: KeyParameterValue::PaddingMode(PaddingMode::RSA_PSS)
740 }
741 ));
742
743 assert!(check_key_param(
744 &key_metadata.authorizations,
745 KeyParameter { tag: Tag::ORIGIN, value: KeyParameterValue::Origin(KeyOrigin::IMPORTED) }
746 ));
747
748 Ok(key_metadata)
749}
750
751/// Imports above defined EC key - `EC_P_256_KEY` and validates imported key parameters.
752pub fn import_ec_p_256_key(
753 sec_level: &binder::Strong<dyn IKeystoreSecurityLevel>,
754 domain: Domain,
755 nspace: i64,
756 alias: Option<String>,
757 import_params: AuthSetBuilder,
758) -> binder::Result<KeyMetadata> {
759 let key_metadata = sec_level
760 .importKey(
761 &KeyDescriptor { domain, nspace, alias, blob: None },
762 None,
763 &import_params,
764 0,
765 EC_P_256_KEY,
766 )
767 .unwrap();
768
769 assert!(key_metadata.certificate.is_some());
770 assert!(key_metadata.certificateChain.is_none());
771
772 assert!(check_key_param(
773 &key_metadata.authorizations,
774 KeyParameter { tag: Tag::ALGORITHM, value: KeyParameterValue::Algorithm(Algorithm::EC) }
775 ));
776
777 assert!(check_key_param(
778 &key_metadata.authorizations,
779 KeyParameter { tag: Tag::EC_CURVE, value: KeyParameterValue::EcCurve(EcCurve::P_256) }
780 ));
781
782 assert!(check_key_param(
783 &key_metadata.authorizations,
784 KeyParameter { tag: Tag::DIGEST, value: KeyParameterValue::Digest(Digest::SHA_2_256) }
785 ));
786 assert!(check_key_param(
787 &key_metadata.authorizations,
788 KeyParameter { tag: Tag::ORIGIN, value: KeyParameterValue::Origin(KeyOrigin::IMPORTED) }
789 ));
790
791 Ok(key_metadata)
792}
793
794/// Import sample AES key and validate its key parameters.
795pub fn import_aes_key(
796 sec_level: &binder::Strong<dyn IKeystoreSecurityLevel>,
797 domain: Domain,
798 nspace: i64,
799 alias: Option<String>,
800) -> binder::Result<KeyMetadata> {
801 static AES_KEY: &[u8] = &[0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0];
802 let key_size = AES_KEY.len() * 8;
803
804 let import_params = AuthSetBuilder::new()
805 .no_auth_required()
806 .algorithm(Algorithm::AES)
807 .block_mode(BlockMode::ECB)
808 .key_size(key_size.try_into().unwrap())
809 .purpose(KeyPurpose::ENCRYPT)
810 .purpose(KeyPurpose::DECRYPT)
811 .padding_mode(PaddingMode::PKCS7);
812
813 let key_metadata = sec_level.importKey(
814 &KeyDescriptor { domain, nspace, alias, blob: None },
815 None,
816 &import_params,
817 0,
818 AES_KEY,
819 )?;
820
821 assert!(check_key_param(
822 &key_metadata.authorizations,
823 KeyParameter { tag: Tag::ALGORITHM, value: KeyParameterValue::Algorithm(Algorithm::AES) }
824 ));
825 assert!(check_key_param(
826 &key_metadata.authorizations,
827 KeyParameter { tag: Tag::KEY_SIZE, value: KeyParameterValue::Integer(128) }
828 ));
829 assert!(check_key_param(
830 &key_metadata.authorizations,
831 KeyParameter {
832 tag: Tag::PADDING,
833 value: KeyParameterValue::PaddingMode(PaddingMode::PKCS7)
834 }
835 ));
836 assert!(check_key_param(
837 &key_metadata.authorizations,
838 KeyParameter { tag: Tag::BLOCK_MODE, value: KeyParameterValue::BlockMode(BlockMode::ECB) }
839 ));
840 assert!(check_key_param(
841 &key_metadata.authorizations,
842 KeyParameter { tag: Tag::ORIGIN, value: KeyParameterValue::Origin(KeyOrigin::IMPORTED) }
843 ));
844
845 Ok(key_metadata)
846}
847
848/// Import sample 3DES key and validate its key parameters.
849pub fn import_3des_key(
850 sec_level: &binder::Strong<dyn IKeystoreSecurityLevel>,
851 domain: Domain,
852 nspace: i64,
853 alias: Option<String>,
854) -> binder::Result<KeyMetadata> {
855 static TRIPLE_DES_KEY: &[u8] = &[
856 0xa4, 0x9d, 0x75, 0x64, 0x19, 0x9e, 0x97, 0xcb, 0x52, 0x9d, 0x2c, 0x9d, 0x97, 0xbf, 0x2f,
857 0x98, 0xd3, 0x5e, 0xdf, 0x57, 0xba, 0x1f, 0x73, 0x58,
858 ];
859
860 let import_params = AuthSetBuilder::new()
861 .no_auth_required()
862 .algorithm(Algorithm::TRIPLE_DES)
863 .block_mode(BlockMode::ECB)
864 .key_size(168)
865 .purpose(KeyPurpose::ENCRYPT)
866 .purpose(KeyPurpose::DECRYPT)
867 .padding_mode(PaddingMode::PKCS7);
868
869 let key_metadata = sec_level.importKey(
870 &KeyDescriptor { domain, nspace, alias, blob: None },
871 None,
872 &import_params,
873 0,
874 TRIPLE_DES_KEY,
875 )?;
876
877 assert!(check_key_param(
878 &key_metadata.authorizations,
879 KeyParameter {
880 tag: Tag::ALGORITHM,
881 value: KeyParameterValue::Algorithm(Algorithm::TRIPLE_DES)
882 }
883 ));
884 assert!(check_key_param(
885 &key_metadata.authorizations,
886 KeyParameter { tag: Tag::KEY_SIZE, value: KeyParameterValue::Integer(168) }
887 ));
888 assert!(check_key_param(
889 &key_metadata.authorizations,
890 KeyParameter {
891 tag: Tag::PADDING,
892 value: KeyParameterValue::PaddingMode(PaddingMode::PKCS7)
893 }
894 ));
895 assert!(check_key_param(
896 &key_metadata.authorizations,
897 KeyParameter { tag: Tag::BLOCK_MODE, value: KeyParameterValue::BlockMode(BlockMode::ECB) }
898 ));
899 assert!(check_key_param(
900 &key_metadata.authorizations,
901 KeyParameter { tag: Tag::ORIGIN, value: KeyParameterValue::Origin(KeyOrigin::IMPORTED) }
902 ));
903
904 Ok(key_metadata)
905}
906
907/// Import sample HMAC key and validate its key parameters.
908pub fn import_hmac_key(
909 sec_level: &binder::Strong<dyn IKeystoreSecurityLevel>,
910 domain: Domain,
911 nspace: i64,
912 alias: Option<String>,
913) -> binder::Result<KeyMetadata> {
914 static HMAC_KEY: &[u8] = &[0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0];
915 let key_size = HMAC_KEY.len() * 8;
916
917 let import_params = AuthSetBuilder::new()
918 .no_auth_required()
919 .algorithm(Algorithm::HMAC)
920 .key_size(key_size.try_into().unwrap())
921 .purpose(KeyPurpose::SIGN)
922 .purpose(KeyPurpose::VERIFY)
923 .digest(Digest::SHA_2_256)
924 .min_mac_length(256);
925
926 let key_metadata = sec_level.importKey(
927 &KeyDescriptor { domain, nspace, alias, blob: None },
928 None,
929 &import_params,
930 0,
931 HMAC_KEY,
932 )?;
933
934 assert!(check_key_param(
935 &key_metadata.authorizations,
936 KeyParameter { tag: Tag::ALGORITHM, value: KeyParameterValue::Algorithm(Algorithm::HMAC) }
937 ));
938 assert!(check_key_param(
939 &key_metadata.authorizations,
940 KeyParameter { tag: Tag::KEY_SIZE, value: KeyParameterValue::Integer(128) }
941 ));
942 assert!(check_key_param(
943 &key_metadata.authorizations,
944 KeyParameter { tag: Tag::DIGEST, value: KeyParameterValue::Digest(Digest::SHA_2_256) }
945 ));
946 assert!(check_key_param(
947 &key_metadata.authorizations,
948 KeyParameter { tag: Tag::ORIGIN, value: KeyParameterValue::Origin(KeyOrigin::IMPORTED) }
949 ));
950
951 Ok(key_metadata)
952}
Rajesh Nyamagoudc946cc42022-04-12 22:49:11 +0000[diff] [blame]953
954/// Imports RSA encryption key with WRAP_KEY purpose.
955pub fn import_wrapping_key(
956 sec_level: &binder::Strong<dyn IKeystoreSecurityLevel>,
957 wrapping_key_data: &[u8],
958 wrapping_key_alias: Option<String>,
959) -> binder::Result<KeyMetadata> {
960 let wrapping_key_params = AuthSetBuilder::new()
961 .no_auth_required()
962 .algorithm(Algorithm::RSA)
963 .digest(Digest::SHA_2_256)
964 .purpose(KeyPurpose::ENCRYPT)
965 .purpose(KeyPurpose::DECRYPT)
966 .purpose(KeyPurpose::WRAP_KEY)
967 .padding_mode(PaddingMode::RSA_OAEP)
968 .key_size(2048)
969 .rsa_public_exponent(65537)
970 .cert_not_before(0)
971 .cert_not_after(253402300799000);
972
973 sec_level.importKey(
974 &KeyDescriptor { domain: Domain::APP, nspace: -1, alias: wrapping_key_alias, blob: None },
975 None,
976 &wrapping_key_params,
977 0,
978 wrapping_key_data,
979 )
980}
981
982/// Import wrapped key using given wrapping key.
983pub fn import_wrapped_key(
984 sec_level: &binder::Strong<dyn IKeystoreSecurityLevel>,
985 alias: Option<String>,
986 wrapping_key_metadata: &KeyMetadata,
987 wrapped_key: Option<Vec<u8>>,
988) -> binder::Result<KeyMetadata> {
989 let unwrap_params =
990 AuthSetBuilder::new().digest(Digest::SHA_2_256).padding_mode(PaddingMode::RSA_OAEP);
991
992 let authenticator_spec: &[AuthenticatorSpec] = &[AuthenticatorSpec {
993 authenticatorType: HardwareAuthenticatorType::NONE,
994 authenticatorId: 0,
995 }];
996
997 let key_metadata = sec_level.importWrappedKey(
998 &KeyDescriptor { domain: Domain::APP, nspace: -1, alias, blob: wrapped_key },
999 &wrapping_key_metadata.key,
1000 None,
1001 &unwrap_params,
1002 authenticator_spec,
1003 )?;
1004
1005 Ok(key_metadata)
1006}
1007
1008/// Import wrapping key and then import wrapped key using wrapping key.
1009pub fn import_wrapping_key_and_wrapped_key(
1010 sec_level: &binder::Strong<dyn IKeystoreSecurityLevel>,
1011 domain: Domain,
1012 nspace: i64,
1013 alias: Option<String>,
1014 wrapping_key_alias: Option<String>,
1015 wrapping_key_params: AuthSetBuilder,
1016) -> binder::Result<KeyMetadata> {
1017 let wrapping_key_metadata = sec_level.importKey(
1018 &KeyDescriptor { domain, nspace, alias: wrapping_key_alias, blob: None },
1019 None,
1020 &wrapping_key_params,
1021 0,
1022 WRAPPING_KEY,
1023 )?;
1024
1025 import_wrapped_key(sec_level, alias, &wrapping_key_metadata, Some(WRAPPED_KEY.to_vec()))
1026}
1027
1028/// Import given key material as AES-256-GCM-NONE transport key.
1029pub fn import_transport_key(
1030 sec_level: &binder::Strong<dyn IKeystoreSecurityLevel>,
1031 transport_key_alias: Option<String>,
1032 transport_key: &[u8],
1033) -> binder::Result<KeyMetadata> {
1034 let transport_key_params = AuthSetBuilder::new()
1035 .no_auth_required()
1036 .algorithm(Algorithm::AES)
1037 .block_mode(BlockMode::GCM)
1038 .padding_mode(PaddingMode::NONE)
1039 .key_size(256)
1040 .caller_nonce()
1041 .min_mac_length(128)
1042 .purpose(KeyPurpose::ENCRYPT)
1043 .purpose(KeyPurpose::DECRYPT);
1044
1045 sec_level.importKey(
1046 &KeyDescriptor { domain: Domain::APP, nspace: -1, alias: transport_key_alias, blob: None },
1047 None,
1048 &transport_key_params,
1049 0,
1050 transport_key,
1051 )
1052}
Rajesh Nyamagoudaf050562022-11-11 01:56:45 +0000[diff] [blame]1053
1054/// Generate EC key with purpose AGREE_KEY.
1055pub fn generate_ec_agree_key(
1056 sec_level: &binder::Strong<dyn IKeystoreSecurityLevel>,
1057 ec_curve: EcCurve,
1058 digest: Digest,
1059 domain: Domain,
1060 nspace: i64,
1061 alias: Option<String>,
1062) -> binder::Result<KeyMetadata> {
1063 let gen_params = AuthSetBuilder::new()
1064 .no_auth_required()
1065 .algorithm(Algorithm::EC)
1066 .purpose(KeyPurpose::AGREE_KEY)
1067 .digest(digest)
1068 .ec_curve(ec_curve);
1069
1070 match sec_level.generateKey(
1071 &KeyDescriptor { domain, nspace, alias, blob: None },
1072 None,
1073 &gen_params,
1074 0,
1075 b"entropy",
1076 ) {
1077 Ok(key_metadata) => {
1078 assert!(key_metadata.certificate.is_some());
1079 if domain == Domain::BLOB {
1080 assert!(key_metadata.key.blob.is_some());
1081 }
1082
1083 Ok(key_metadata)
1084 }
1085 Err(e) => Err(e),
1086 }
1087}