Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_security / ec26dcf2ce07e670d92475597c295d6381c02021 / . / keystore2 / test_utils / key_generations.rs
blob: 53597af889d71ec88fe22b3aaa485cd021d03f1b [file] [log] [blame]
Rajesh Nyamagoud901386c2022-03-21 20:35:18 +0000[diff] [blame]1// Copyright 2022, The Android Open Source Project
2//
3// Licensed under the Apache License, Version 2.0 (the "License");
4// you may not use this file except in compliance with the License.
5// You may obtain a copy of the License at
6//
7// http://www.apache.org/licenses/LICENSE-2.0
8//
9// Unless required by applicable law or agreed to in writing, software
10// distributed under the License is distributed on an "AS IS" BASIS,
11// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12// See the License for the specific language governing permissions and
13// limitations under the License.
14
15//! This module implements test utils to generate various types of keys.
16
Rajesh Nyamagoudb881d512021-12-10 00:33:15 +0000[diff] [blame]17use anyhow::Result;
18
Rajesh Nyamagoud901386c2022-03-21 20:35:18 +0000[diff] [blame]19use android_hardware_security_keymint::aidl::android::hardware::security::keymint::{
Rajesh Nyamagoud11912ea2021-12-20 20:37:20 +0000[diff] [blame]20 Algorithm::Algorithm, BlockMode::BlockMode, Digest::Digest, EcCurve::EcCurve,
Rajesh Nyamagoudc946cc42022-04-12 22:49:11 +0000[diff] [blame]21 ErrorCode::ErrorCode, HardwareAuthenticatorType::HardwareAuthenticatorType,
22 KeyOrigin::KeyOrigin, KeyParameter::KeyParameter, KeyParameterValue::KeyParameterValue,
23 KeyPurpose::KeyPurpose, PaddingMode::PaddingMode, Tag::Tag,
Rajesh Nyamagoud901386c2022-03-21 20:35:18 +0000[diff] [blame]24};
25use android_system_keystore2::aidl::android::system::keystore2::{
Rajesh Nyamagoudc946cc42022-04-12 22:49:11 +0000[diff] [blame]26 AuthenticatorSpec::AuthenticatorSpec, Authorization::Authorization, Domain::Domain,
27 IKeystoreSecurityLevel::IKeystoreSecurityLevel, KeyDescriptor::KeyDescriptor,
28 KeyMetadata::KeyMetadata, ResponseCode::ResponseCode,
Rajesh Nyamagoud901386c2022-03-21 20:35:18 +0000[diff] [blame]29};
30
31use crate::authorizations::AuthSetBuilder;
Rajesh Nyamagoudb881d512021-12-10 00:33:15 +0000[diff] [blame]32use android_system_keystore2::binder::{ExceptionCode, Result as BinderResult};
Rajesh Nyamagoud901386c2022-03-21 20:35:18 +0000[diff] [blame]33
Rajesh Nyamagoudb881d512021-12-10 00:33:15 +0000[diff] [blame]34/// Shell namespace.
35pub const SELINUX_SHELL_NAMESPACE: i64 = 1;
Rajesh Nyamagouddc6fb232021-12-08 21:27:15 +0000[diff] [blame]36/// Vold namespace.
37pub const SELINUX_VOLD_NAMESPACE: i64 = 100;
Rajesh Nyamagoud901386c2022-03-21 20:35:18 +0000[diff] [blame]38
Rajesh Nyamagoudfa7c0f12021-12-02 17:15:48 +0000[diff] [blame]39/// SU context.
40pub const TARGET_SU_CTX: &str = "u:r:su:s0";
41
42/// Vold context
43pub const TARGET_VOLD_CTX: &str = "u:r:vold:s0";
44
Rajesh Nyamagoud11912ea2021-12-20 20:37:20 +0000[diff] [blame]45/// Key parameters to generate a key.
46pub struct KeyParams {
47 /// Key Size.
48 pub key_size: i32,
49 /// Key Purposes.
50 pub purpose: Vec<KeyPurpose>,
51 /// Padding Mode.
52 pub padding: Option<PaddingMode>,
53 /// Digest.
54 pub digest: Option<Digest>,
55 /// MFG Digest.
56 pub mgf_digest: Option<Digest>,
57 /// Block Mode.
58 pub block_mode: Option<BlockMode>,
59 /// Attestation challenge.
60 pub att_challenge: Option<Vec<u8>>,
61 /// Attestation app id.
62 pub att_app_id: Option<Vec<u8>>,
63}
64
Rajesh Nyamagoudb8402b62022-04-08 01:05:47 +0000[diff] [blame]65/// DER-encoded PKCS#8 format RSA key. Generated using:
66/// openssl genrsa 2048 | openssl pkcs8 -topk8 -nocrypt -outform der | hexdump -e '30/1 "%02X" "\n"'
67pub static RSA_2048_KEY: &[u8] = &[
68 0x30, 0x82, 0x04, 0xBD, 0x02, 0x01, 0x00, 0x30, 0x0D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7,
69 0x0D, 0x01, 0x01, 0x01, 0x05, 0x00, 0x04, 0x82, 0x04, 0xA7, 0x30, 0x82, 0x04, 0xA3, 0x02, 0x01,
70 0x00, 0x02, 0x82, 0x01, 0x01, 0x00, 0xE5, 0x14, 0xE3, 0xC2, 0x43, 0xF3, 0x0F, 0xCC, 0x22, 0x73,
71 0x9C, 0x84, 0xCC, 0x1B, 0x6C, 0x97, 0x4B, 0xC9, 0xDF, 0x1F, 0xE2, 0xB8, 0x80, 0x85, 0xF9, 0x27,
72 0xAB, 0x97, 0x94, 0x58, 0x4B, 0xC9, 0x40, 0x94, 0x5A, 0xB4, 0xD4, 0xF8, 0xD0, 0x36, 0xC4, 0x86,
73 0x17, 0x7D, 0xA2, 0x48, 0x6D, 0x40, 0xF0, 0xB9, 0x61, 0x4F, 0xCE, 0x65, 0x80, 0x88, 0x81, 0x59,
74 0x95, 0x11, 0x24, 0xF4, 0x36, 0xB7, 0xB7, 0x37, 0x44, 0xF4, 0x6C, 0x1C, 0xEB, 0x04, 0x19, 0x78,
75 0xB2, 0x29, 0x4D, 0x21, 0x44, 0x16, 0x57, 0x58, 0x6D, 0x7D, 0x56, 0xB5, 0x99, 0xDD, 0xD2, 0xAD,
76 0x02, 0x9A, 0x72, 0x16, 0x67, 0xD6, 0x00, 0x9F, 0x69, 0xE0, 0x25, 0xEE, 0x7C, 0x86, 0x54, 0x27,
77 0x4B, 0x50, 0xEF, 0x60, 0x52, 0x60, 0x82, 0xAA, 0x09, 0x15, 0x72, 0xD2, 0xEB, 0x01, 0x52, 0x04,
78 0x39, 0x60, 0xBC, 0x5E, 0x95, 0x07, 0xC8, 0xC2, 0x3A, 0x3A, 0xE2, 0xA4, 0x99, 0x6B, 0x27, 0xE3,
79 0xA3, 0x55, 0x69, 0xC4, 0xB3, 0x2D, 0x19, 0xC4, 0x34, 0x76, 0xFC, 0x27, 0xDA, 0x22, 0xB2, 0x62,
80 0x69, 0x25, 0xDE, 0x0D, 0xE7, 0x54, 0x3C, 0xBB, 0x61, 0xD2, 0x20, 0xDA, 0x7B, 0x6E, 0x63, 0xBD,
81 0x9A, 0x4B, 0xCD, 0x75, 0xC6, 0xA1, 0x5E, 0x1C, 0x3E, 0xD5, 0x63, 0x59, 0x22, 0x7E, 0xE0, 0x6C,
82 0x98, 0x25, 0x63, 0x97, 0x56, 0xDF, 0x71, 0xF5, 0x4C, 0x78, 0xE9, 0xE1, 0xD5, 0xFC, 0xF8, 0x5A,
83 0x5B, 0xF6, 0x1D, 0xFA, 0x5A, 0x99, 0x4C, 0x99, 0x19, 0x21, 0x1D, 0xF5, 0x24, 0x07, 0xEF, 0x8A,
84 0xC9, 0x9F, 0xE7, 0x3F, 0xBB, 0x46, 0x1A, 0x16, 0x96, 0xC6, 0xD6, 0x12, 0x7E, 0xDA, 0xCB, 0xEB,
85 0x2F, 0x1D, 0x3B, 0x31, 0xCC, 0x55, 0x63, 0xA2, 0x6F, 0x8A, 0xDE, 0x35, 0x52, 0x40, 0x04, 0xBF,
86 0xE0, 0x82, 0x32, 0xE1, 0x6D, 0x8B, 0x02, 0x03, 0x01, 0x00, 0x01, 0x02, 0x82, 0x01, 0x00, 0x2D,
87 0x1F, 0x71, 0x41, 0x79, 0xBA, 0xED, 0xD8, 0xAA, 0xCC, 0x94, 0xFE, 0xFF, 0x69, 0x43, 0x79, 0x85,
88 0xBF, 0x2C, 0xC9, 0x0E, 0x12, 0x83, 0x96, 0x60, 0x1E, 0x75, 0x49, 0x35, 0x3A, 0x33, 0x2B, 0x60,
89 0x22, 0x18, 0xBF, 0xD7, 0xD7, 0x6E, 0xC3, 0xEA, 0xEF, 0xF2, 0xBE, 0x97, 0x71, 0xA6, 0xBB, 0x8C,
90 0xEF, 0x27, 0x00, 0xDE, 0x49, 0xD6, 0x08, 0x8D, 0x5A, 0x04, 0xE7, 0xCC, 0x9C, 0xA2, 0x0E, 0x8B,
91 0xF3, 0x42, 0x0C, 0xD7, 0x22, 0xD7, 0x14, 0x06, 0xA4, 0x64, 0x8B, 0x88, 0x1A, 0xCE, 0x5B, 0x8C,
92 0x36, 0xE9, 0xD2, 0x2F, 0x7B, 0x33, 0xE4, 0xA2, 0xB3, 0xDB, 0x78, 0x6A, 0x92, 0x89, 0x3F, 0x78,
93 0xFD, 0xED, 0x8F, 0xEE, 0x48, 0xCC, 0x94, 0x75, 0x0D, 0x0C, 0x63, 0xD3, 0xD2, 0xE8, 0x47, 0x04,
94 0x55, 0xD3, 0xD6, 0x3A, 0xB8, 0xDA, 0xFB, 0x76, 0x99, 0x48, 0x68, 0x0A, 0x92, 0xA2, 0xCD, 0xF7,
95 0x45, 0x8B, 0x50, 0xFE, 0xF9, 0x1A, 0x33, 0x24, 0x3C, 0x2E, 0xDE, 0x88, 0xAD, 0xB2, 0x5B, 0x9F,
96 0x44, 0xEA, 0xD1, 0x9F, 0xC7, 0x9F, 0x02, 0x5E, 0x31, 0x61, 0xB3, 0xD6, 0xE2, 0xE1, 0xBC, 0xFB,
97 0x1C, 0xDB, 0xBD, 0xB2, 0x9A, 0xE5, 0xEF, 0xDA, 0xCD, 0x29, 0xA5, 0x45, 0xCC, 0x67, 0x01, 0x8B,
98 0x1C, 0x1D, 0x0E, 0x8F, 0x73, 0x69, 0x4D, 0x4D, 0xF6, 0x9D, 0xA6, 0x6C, 0x9A, 0x1C, 0xF4, 0x5C,
99 0xE4, 0x83, 0x9A, 0x77, 0x12, 0x01, 0xBD, 0xCE, 0x66, 0x3A, 0x4B, 0x3D, 0x6E, 0xE0, 0x6E, 0x82,
100 0x98, 0xDE, 0x74, 0x11, 0x47, 0xEC, 0x7A, 0x3A, 0xA9, 0xD8, 0x48, 0x00, 0x26, 0x64, 0x47, 0x7B,
101 0xAE, 0x55, 0x9D, 0x29, 0x22, 0xB4, 0xB3, 0xB9, 0xB1, 0x64, 0xEA, 0x3B, 0x5A, 0xD3, 0x3F, 0x8D,
102 0x0F, 0x14, 0x7E, 0x4E, 0xB8, 0x1B, 0x06, 0xFC, 0xB1, 0x7E, 0xCD, 0xB9, 0x1A, 0x4E, 0xA1, 0x02,
103 0x81, 0x81, 0x00, 0xF9, 0xDE, 0xEE, 0xED, 0x13, 0x2F, 0xBB, 0xE7, 0xE2, 0xB3, 0x2D, 0x98, 0xD2,
104 0xE8, 0x25, 0x07, 0x5A, 0x1E, 0x51, 0x0A, 0xC8, 0xAD, 0x50, 0x4B, 0x80, 0xC6, 0x22, 0xF5, 0x9B,
105 0x08, 0xE6, 0x3D, 0x01, 0xC6, 0x3E, 0xC8, 0xD2, 0x54, 0x9F, 0x91, 0x77, 0x95, 0xCD, 0xCA, 0xC7,
106 0xE7, 0x47, 0x94, 0xA9, 0x5F, 0x4E, 0xBE, 0x31, 0x3D, 0xB4, 0xAF, 0x43, 0x0F, 0xDC, 0x8D, 0x9C,
107 0x1E, 0x52, 0x7B, 0x72, 0x21, 0x34, 0xB3, 0x96, 0x7C, 0x9C, 0xB8, 0x51, 0x65, 0x60, 0xAC, 0x3D,
108 0x11, 0x32, 0xB8, 0xD6, 0x34, 0x35, 0x66, 0xD0, 0x30, 0xB9, 0xE9, 0x67, 0x2C, 0x87, 0x73, 0x43,
109 0x9C, 0x12, 0x16, 0x7D, 0x4A, 0xD9, 0xA3, 0x4C, 0x24, 0x64, 0x6A, 0x32, 0x8E, 0xC3, 0xD8, 0x00,
110 0x90, 0x5C, 0x4D, 0x65, 0x01, 0x53, 0x8A, 0xD0, 0x87, 0xCE, 0x96, 0xEF, 0xFA, 0x73, 0x03, 0xF1,
111 0xDC, 0x1B, 0x9B, 0x02, 0x81, 0x81, 0x00, 0xEA, 0xB3, 0x69, 0x00, 0x11, 0x0E, 0x50, 0xAA, 0xD3,
112 0x22, 0x51, 0x78, 0x9D, 0xFF, 0x05, 0x62, 0xBC, 0x9A, 0x67, 0x86, 0xE1, 0xC5, 0x02, 0x2D, 0x14,
113 0x11, 0x29, 0x30, 0xE7, 0x90, 0x5D, 0x72, 0x6F, 0xC5, 0x62, 0xEB, 0xD4, 0xB0, 0x3F, 0x3D, 0xDC,
114 0xB9, 0xFC, 0x2B, 0x5C, 0xBD, 0x9E, 0x71, 0x81, 0x5C, 0xC5, 0xFE, 0xDF, 0x69, 0x73, 0x12, 0x66,
115 0x92, 0x06, 0xD4, 0xD5, 0x8F, 0xDF, 0x14, 0x2E, 0x9C, 0xD0, 0x4C, 0xC2, 0x4D, 0x31, 0x2E, 0x47,
116 0xA5, 0xDC, 0x8A, 0x83, 0x7B, 0xE8, 0xA5, 0xC3, 0x03, 0x98, 0xD8, 0xBF, 0xF4, 0x7D, 0x6E, 0x87,
117 0x55, 0xE4, 0x0F, 0x15, 0x10, 0xC8, 0x76, 0x4F, 0xAD, 0x1D, 0x1C, 0x95, 0x41, 0x9D, 0x88, 0xEC,
118 0x8C, 0xDA, 0xBA, 0x90, 0x7F, 0x8D, 0xD9, 0x8B, 0x47, 0x6C, 0x0C, 0xFF, 0xBA, 0x73, 0x00, 0x20,
119 0x1F, 0xF7, 0x7E, 0x5F, 0xF4, 0xEC, 0xD1, 0x02, 0x81, 0x80, 0x16, 0xB7, 0x43, 0xB5, 0x5D, 0xD7,
120 0x2B, 0x18, 0x0B, 0xAE, 0x0A, 0x69, 0x28, 0x53, 0x5E, 0x7A, 0x6A, 0xA0, 0xF2, 0xF1, 0x2E, 0x09,
121 0x43, 0x91, 0x79, 0xA5, 0x89, 0xAC, 0x16, 0x6A, 0x1A, 0xB4, 0x55, 0x22, 0xF6, 0xB6, 0x3F, 0x18,
122 0xDE, 0x60, 0xD5, 0x24, 0x53, 0x4F, 0x2A, 0x19, 0x46, 0x92, 0xA7, 0x4B, 0x38, 0xD7, 0x65, 0x96,
123 0x9C, 0x84, 0x8A, 0x6E, 0x38, 0xB8, 0xCF, 0x06, 0x9A, 0xAD, 0x0A, 0x55, 0x26, 0x7B, 0x65, 0x24,
124 0xF3, 0x02, 0x76, 0xB3, 0xE6, 0xB4, 0x01, 0xE1, 0x3C, 0x61, 0x3D, 0x68, 0x05, 0xAA, 0xD1, 0x26,
125 0x7C, 0xE0, 0x51, 0x36, 0xE5, 0x21, 0x7F, 0x76, 0x02, 0xD6, 0xF4, 0x91, 0x07, 0x74, 0x27, 0x09,
126 0xEF, 0xEF, 0x0F, 0xA5, 0x96, 0xFC, 0x5E, 0x20, 0xC1, 0xA3, 0x6F, 0x99, 0x4D, 0x45, 0x03, 0x6C,
127 0x35, 0x45, 0xD7, 0x8F, 0x47, 0x41, 0x86, 0x8D, 0x62, 0x1D, 0x02, 0x81, 0x81, 0x00, 0xC3, 0x93,
128 0x85, 0xA7, 0xFC, 0x8E, 0x85, 0x42, 0x14, 0x76, 0xC0, 0x95, 0x56, 0x73, 0xB0, 0xB5, 0x3A, 0x9D,
129 0x20, 0x30, 0x11, 0xEA, 0xED, 0x89, 0x4A, 0xF3, 0x91, 0xF3, 0xA2, 0xC3, 0x76, 0x5B, 0x6A, 0x30,
130 0x7D, 0xE2, 0x2F, 0x76, 0x3E, 0xFC, 0xF9, 0xF6, 0x31, 0xE0, 0xA0, 0x83, 0x92, 0x88, 0xDB, 0x57,
131 0xC7, 0xD6, 0x3F, 0xAD, 0xCB, 0xAA, 0x45, 0xB6, 0xE1, 0xE2, 0x71, 0xA4, 0x56, 0x2C, 0xA7, 0x3B,
132 0x1D, 0x89, 0x19, 0x50, 0xE1, 0xEE, 0xC2, 0xDD, 0xC0, 0x0D, 0xDC, 0xCB, 0x60, 0x6E, 0xE1, 0x37,
133 0x1A, 0x23, 0x64, 0xB2, 0x03, 0xE4, 0x1A, 0xFA, 0xC3, 0xF4, 0x9D, 0x85, 0x42, 0xC6, 0xF4, 0x56,
134 0x39, 0xB0, 0x1B, 0xE0, 0x75, 0xBA, 0x28, 0x04, 0xA8, 0x30, 0x57, 0x41, 0x33, 0x9F, 0x58, 0xA4,
135 0xC7, 0xB1, 0x7D, 0x58, 0x8D, 0x84, 0x49, 0x40, 0xDA, 0x28, 0x81, 0x25, 0xC4, 0x41, 0x02, 0x81,
136 0x80, 0x13, 0x20, 0x65, 0xD5, 0x96, 0x98, 0x8D, 0x16, 0x73, 0xA1, 0x31, 0x73, 0x79, 0xBA, 0xEC,
137 0xB0, 0xD9, 0x0C, 0xF6, 0xEF, 0x2F, 0xC2, 0xE7, 0x96, 0x9B, 0xA1, 0x2D, 0xE9, 0xFB, 0x45, 0xB9,
138 0xD0, 0x30, 0xE2, 0xBD, 0x30, 0x4F, 0xB6, 0xFE, 0x24, 0x02, 0xCF, 0x8D, 0x51, 0x48, 0x45, 0xD9,
139 0xF7, 0x20, 0x53, 0x1C, 0x0B, 0xA9, 0x7E, 0xC2, 0xA2, 0x65, 0xCC, 0x3E, 0x0E, 0x0D, 0xF1, 0x62,
140 0xDD, 0x5F, 0xBC, 0x55, 0x9B, 0x58, 0x26, 0x40, 0x6A, 0xEE, 0x02, 0x55, 0x36, 0xE9, 0xBA, 0x82,
141 0x5A, 0xFD, 0x3C, 0xDF, 0xA6, 0x26, 0x32, 0x81, 0xA9, 0x5E, 0x46, 0xBE, 0xBA, 0xDC, 0xD3, 0x2A,
142 0x3A, 0x3B, 0xC1, 0x4E, 0xF7, 0x1A, 0xDC, 0x4B, 0xAF, 0x67, 0x1B, 0x3A, 0x83, 0x0D, 0x04, 0xDE,
143 0x27, 0x47, 0xFC, 0xE6, 0x39, 0x89, 0x7B, 0x66, 0xF9, 0x50, 0x4D, 0xF1, 0xAC, 0x20, 0x43, 0x7E,
144 0xEE,
145];
146
147/// DER-encoded PKCS#8 format EC key. Generated using:
148/// openssl ecparam -name prime256v1 -genkey | openssl pkcs8 -topk8 -nocrypt -outform der | hexdump -e '30/1 "%02X" "\n"'
149pub static EC_P_256_KEY: &[u8] = &[
150 0x30, 0x81, 0x87, 0x02, 0x01, 0x00, 0x30, 0x13, 0x06, 0x07, 0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x02,
151 0x01, 0x06, 0x08, 0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x03, 0x01, 0x07, 0x04, 0x6D, 0x30, 0x6B, 0x02,
152 0x01, 0x01, 0x04, 0x20, 0xB9, 0x1D, 0xAF, 0x50, 0xFD, 0xD8, 0x6A, 0x40, 0xAB, 0x2C, 0xCB, 0x54,
153 0x4E, 0xED, 0xF1, 0x64, 0xBC, 0x30, 0x25, 0xFB, 0xC4, 0x69, 0x00, 0x34, 0x1A, 0x82, 0xA3, 0x72,
154 0x5D, 0xC7, 0xA9, 0x85, 0xA1, 0x44, 0x03, 0x42, 0x00, 0x04, 0xE8, 0x53, 0x0A, 0xF2, 0xD3, 0x68,
155 0x40, 0x48, 0x8C, 0xB4, 0x2F, 0x11, 0x34, 0xD7, 0xF4, 0x4A, 0x5C, 0x33, 0xFF, 0xF6, 0x2B, 0xF7,
156 0x98, 0x0F, 0x02, 0xA5, 0xD7, 0x4F, 0xF9, 0xDE, 0x60, 0x9C, 0x6E, 0xB0, 0x45, 0xDA, 0x3F, 0xF4,
157 0x34, 0x23, 0x9B, 0x4C, 0x3A, 0x09, 0x9C, 0x5E, 0x5D, 0x37, 0x96, 0xAC, 0x4A, 0xE7, 0x65, 0x2B,
158 0xD6, 0x84, 0x98, 0xEA, 0x96, 0x91, 0xFB, 0x78, 0xED, 0x86,
159];
160
Rajesh Nyamagoudc946cc42022-04-12 22:49:11 +0000[diff] [blame]161/// DER-encoded PKCS#8 format RSA key -
162/// Size: 2048
163/// Public Exponent: 65537
164/// Purpose: WRAP_KEY, ENCRYPT, DECRYPT
165/// Encryption scheme: RSAES-PKCS1-v1_5
166/// Digest: SHA_2_256
167/// Padding: RSA_OAEP
168/// This sample wrapping_key is taken from KeyMint tests
169/// (see hardware/interfaces/security/keymint/aidl/vts/functional/KeyMintTest.cpp).
170/// Similarly more test keys can be generated with below command -
171/// openssl genrsa 2048 | openssl pkcs8 -topk8 -nocrypt -outform der | hexdump -e '30/1 "%02X" "\n"'
172pub static WRAPPING_KEY: &[u8] = &[
173 0x30, 0x82, 0x04, 0xbe, 0x02, 0x01, 0x00, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7,
174 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x04, 0x82, 0x04, 0xa8, 0x30, 0x82, 0x04, 0xa4, 0x02, 0x01,
175 0x00, 0x02, 0x82, 0x01, 0x01, 0x00, 0xae, 0xc3, 0x67, 0x93, 0x1d, 0x89, 0x00, 0xce, 0x56, 0xb0,
176 0x06, 0x7f, 0x7d, 0x70, 0xe1, 0xfc, 0x65, 0x3f, 0x3f, 0x34, 0xd1, 0x94, 0xc1, 0xfe, 0xd5, 0x00,
177 0x18, 0xfb, 0x43, 0xdb, 0x93, 0x7b, 0x06, 0xe6, 0x73, 0xa8, 0x37, 0x31, 0x3d, 0x56, 0xb1, 0xc7,
178 0x25, 0x15, 0x0a, 0x3f, 0xef, 0x86, 0xac, 0xbd, 0xdc, 0x41, 0xbb, 0x75, 0x9c, 0x28, 0x54, 0xea,
179 0xe3, 0x2d, 0x35, 0x84, 0x1e, 0xfb, 0x5c, 0x18, 0xd8, 0x2b, 0xc9, 0x0a, 0x1c, 0xb5, 0xc1, 0xd5,
180 0x5a, 0xdf, 0x24, 0x5b, 0x02, 0x91, 0x1f, 0x0b, 0x7c, 0xda, 0x88, 0xc4, 0x21, 0xff, 0x0e, 0xba,
181 0xfe, 0x7c, 0x0d, 0x23, 0xbe, 0x31, 0x2d, 0x7b, 0xd5, 0x92, 0x1f, 0xfa, 0xea, 0x13, 0x47, 0xc1,
182 0x57, 0x40, 0x6f, 0xef, 0x71, 0x8f, 0x68, 0x26, 0x43, 0xe4, 0xe5, 0xd3, 0x3c, 0x67, 0x03, 0xd6,
183 0x1c, 0x0c, 0xf7, 0xac, 0x0b, 0xf4, 0x64, 0x5c, 0x11, 0xf5, 0xc1, 0x37, 0x4c, 0x38, 0x86, 0x42,
184 0x74, 0x11, 0xc4, 0x49, 0x79, 0x67, 0x92, 0xe0, 0xbe, 0xf7, 0x5d, 0xec, 0x85, 0x8a, 0x21, 0x23,
185 0xc3, 0x67, 0x53, 0xe0, 0x2a, 0x95, 0xa9, 0x6d, 0x7c, 0x45, 0x4b, 0x50, 0x4d, 0xe3, 0x85, 0xa6,
186 0x42, 0xe0, 0xdf, 0xc3, 0xe6, 0x0a, 0xc3, 0xa7, 0xee, 0x49, 0x91, 0xd0, 0xd4, 0x8b, 0x01, 0x72,
187 0xa9, 0x5f, 0x95, 0x36, 0xf0, 0x2b, 0xa1, 0x3c, 0xec, 0xcc, 0xb9, 0x2b, 0x72, 0x7d, 0xb5, 0xc2,
188 0x7e, 0x5b, 0x2f, 0x5c, 0xec, 0x09, 0x60, 0x0b, 0x28, 0x6a, 0xf5, 0xcf, 0x14, 0xc4, 0x20, 0x24,
189 0xc6, 0x1d, 0xdf, 0xe7, 0x1c, 0x2a, 0x8d, 0x74, 0x58, 0xf1, 0x85, 0x23, 0x4c, 0xb0, 0x0e, 0x01,
190 0xd2, 0x82, 0xf1, 0x0f, 0x8f, 0xc6, 0x72, 0x1d, 0x2a, 0xed, 0x3f, 0x48, 0x33, 0xcc, 0xa2, 0xbd,
191 0x8f, 0xa6, 0x28, 0x21, 0xdd, 0x55, 0x02, 0x03, 0x01, 0x00, 0x01, 0x02, 0x82, 0x01, 0x00, 0x43,
192 0x14, 0x47, 0xb6, 0x25, 0x19, 0x08, 0x11, 0x2b, 0x1e, 0xe7, 0x6f, 0x99, 0xf3, 0x71, 0x1a, 0x52,
193 0xb6, 0x63, 0x09, 0x60, 0x04, 0x6c, 0x2d, 0xe7, 0x0d, 0xe1, 0x88, 0xd8, 0x33, 0xf8, 0xb8, 0xb9,
194 0x1e, 0x4d, 0x78, 0x5c, 0xae, 0xee, 0xaf, 0x4f, 0x0f, 0x74, 0x41, 0x4e, 0x2c, 0xda, 0x40, 0x64,
195 0x1f, 0x7f, 0xe2, 0x4f, 0x14, 0xc6, 0x7a, 0x88, 0x95, 0x9b, 0xdb, 0x27, 0x76, 0x6d, 0xf9, 0xe7,
196 0x10, 0xb6, 0x30, 0xa0, 0x3a, 0xdc, 0x68, 0x3b, 0x5d, 0x2c, 0x43, 0x08, 0x0e, 0x52, 0xbe, 0xe7,
197 0x1e, 0x9e, 0xae, 0xb6, 0xde, 0x29, 0x7a, 0x5f, 0xea, 0x10, 0x72, 0x07, 0x0d, 0x18, 0x1c, 0x82,
198 0x2b, 0xcc, 0xff, 0x08, 0x7d, 0x63, 0xc9, 0x40, 0xba, 0x8a, 0x45, 0xf6, 0x70, 0xfe, 0xb2, 0x9f,
199 0xb4, 0x48, 0x4d, 0x1c, 0x95, 0xe6, 0xd2, 0x57, 0x9b, 0xa0, 0x2a, 0xae, 0x0a, 0x00, 0x90, 0x0c,
200 0x3e, 0xbf, 0x49, 0x0e, 0x3d, 0x2c, 0xd7, 0xee, 0x8d, 0x0e, 0x20, 0xc5, 0x36, 0xe4, 0xdc, 0x5a,
201 0x50, 0x97, 0x27, 0x28, 0x88, 0xcd, 0xdd, 0x7e, 0x91, 0xf2, 0x28, 0xb1, 0xc4, 0xd7, 0x47, 0x4c,
202 0x55, 0xb8, 0xfc, 0xd6, 0x18, 0xc4, 0xa9, 0x57, 0xbb, 0xdd, 0xd5, 0xad, 0x74, 0x07, 0xcc, 0x31,
203 0x2d, 0x8d, 0x98, 0xa5, 0xca, 0xf7, 0xe0, 0x8f, 0x4a, 0x0d, 0x6b, 0x45, 0xbb, 0x41, 0xc6, 0x52,
204 0x65, 0x9d, 0x5a, 0x5b, 0xa0, 0x5b, 0x66, 0x37, 0x37, 0xa8, 0x69, 0x62, 0x81, 0x86, 0x5b, 0xa2,
205 0x0f, 0xbd, 0xd7, 0xf8, 0x51, 0xe6, 0xc5, 0x6e, 0x8c, 0xbe, 0x0d, 0xdb, 0xbf, 0x24, 0xdc, 0x03,
206 0xb2, 0xd2, 0xcb, 0x4c, 0x3d, 0x54, 0x0f, 0xb0, 0xaf, 0x52, 0xe0, 0x34, 0xa2, 0xd0, 0x66, 0x98,
207 0xb1, 0x28, 0xe5, 0xf1, 0x01, 0xe3, 0xb5, 0x1a, 0x34, 0xf8, 0xd8, 0xb4, 0xf8, 0x61, 0x81, 0x02,
208 0x81, 0x81, 0x00, 0xde, 0x39, 0x2e, 0x18, 0xd6, 0x82, 0xc8, 0x29, 0x26, 0x6c, 0xc3, 0x45, 0x4e,
209 0x1d, 0x61, 0x66, 0x24, 0x2f, 0x32, 0xd9, 0xa1, 0xd1, 0x05, 0x77, 0x75, 0x3e, 0x90, 0x4e, 0xa7,
210 0xd0, 0x8b, 0xff, 0x84, 0x1b, 0xe5, 0xba, 0xc8, 0x2a, 0x16, 0x4c, 0x59, 0x70, 0x00, 0x70, 0x47,
211 0xb8, 0xc5, 0x17, 0xdb, 0x8f, 0x8f, 0x84, 0xe3, 0x7b, 0xd5, 0x98, 0x85, 0x61, 0xbd, 0xf5, 0x03,
212 0xd4, 0xdc, 0x2b, 0xdb, 0x38, 0xf8, 0x85, 0x43, 0x4a, 0xe4, 0x2c, 0x35, 0x5f, 0x72, 0x5c, 0x9a,
213 0x60, 0xf9, 0x1f, 0x07, 0x88, 0xe1, 0xf1, 0xa9, 0x72, 0x23, 0xb5, 0x24, 0xb5, 0x35, 0x7f, 0xdf,
214 0x72, 0xe2, 0xf6, 0x96, 0xba, 0xb7, 0xd7, 0x8e, 0x32, 0xbf, 0x92, 0xba, 0x8e, 0x18, 0x64, 0xea,
215 0xb1, 0x22, 0x9e, 0x91, 0x34, 0x61, 0x30, 0x74, 0x8a, 0x6e, 0x3c, 0x12, 0x4f, 0x91, 0x49, 0xd7,
216 0x1c, 0x74, 0x35, 0x02, 0x81, 0x81, 0x00, 0xc9, 0x53, 0x87, 0xc0, 0xf9, 0xd3, 0x5f, 0x13, 0x7b,
217 0x57, 0xd0, 0xd6, 0x5c, 0x39, 0x7c, 0x5e, 0x21, 0xcc, 0x25, 0x1e, 0x47, 0x00, 0x8e, 0xd6, 0x2a,
218 0x54, 0x24, 0x09, 0xc8, 0xb6, 0xb6, 0xac, 0x7f, 0x89, 0x67, 0xb3, 0x86, 0x3c, 0xa6, 0x45, 0xfc,
219 0xce, 0x49, 0x58, 0x2a, 0x9a, 0xa1, 0x73, 0x49, 0xdb, 0x6c, 0x4a, 0x95, 0xaf, 0xfd, 0xae, 0x0d,
220 0xae, 0x61, 0x2e, 0x1a, 0xfa, 0xc9, 0x9e, 0xd3, 0x9a, 0x2d, 0x93, 0x4c, 0x88, 0x04, 0x40, 0xae,
221 0xd8, 0x83, 0x2f, 0x98, 0x43, 0x16, 0x3a, 0x47, 0xf2, 0x7f, 0x39, 0x21, 0x99, 0xdc, 0x12, 0x02,
222 0xf9, 0xa0, 0xf9, 0xbd, 0x08, 0x30, 0x80, 0x07, 0xcb, 0x1e, 0x4e, 0x7f, 0x58, 0x30, 0x93, 0x66,
223 0xa7, 0xde, 0x25, 0xf7, 0xc3, 0xc9, 0xb8, 0x80, 0x67, 0x7c, 0x06, 0x8e, 0x1b, 0xe9, 0x36, 0xe8,
224 0x12, 0x88, 0x81, 0x52, 0x52, 0xa8, 0xa1, 0x02, 0x81, 0x80, 0x57, 0xff, 0x8c, 0xa1, 0x89, 0x50,
225 0x80, 0xb2, 0xca, 0xe4, 0x86, 0xef, 0x0a, 0xdf, 0xd7, 0x91, 0xfb, 0x02, 0x35, 0xc0, 0xb8, 0xb3,
226 0x6c, 0xd6, 0xc1, 0x36, 0xe5, 0x2e, 0x40, 0x85, 0xf4, 0xea, 0x5a, 0x06, 0x32, 0x12, 0xa4, 0xf1,
227 0x05, 0xa3, 0x76, 0x47, 0x43, 0xe5, 0x32, 0x81, 0x98, 0x8a, 0xba, 0x07, 0x3f, 0x6e, 0x00, 0x27,
228 0x29, 0x8e, 0x1c, 0x43, 0x78, 0x55, 0x6e, 0x0e, 0xfc, 0xa0, 0xe1, 0x4e, 0xce, 0x1a, 0xf7, 0x6a,
229 0xd0, 0xb0, 0x30, 0xf2, 0x7a, 0xf6, 0xf0, 0xab, 0x35, 0xfb, 0x73, 0xa0, 0x60, 0xd8, 0xb1, 0xa0,
230 0xe1, 0x42, 0xfa, 0x26, 0x47, 0xe9, 0x3b, 0x32, 0xe3, 0x6d, 0x82, 0x82, 0xae, 0x0a, 0x4d, 0xe5,
231 0x0a, 0xb7, 0xaf, 0xe8, 0x55, 0x00, 0xa1, 0x6f, 0x43, 0xa6, 0x47, 0x19, 0xd6, 0xe2, 0xb9, 0x43,
232 0x98, 0x23, 0x71, 0x9c, 0xd0, 0x8b, 0xcd, 0x03, 0x17, 0x81, 0x02, 0x81, 0x81, 0x00, 0xba, 0x73,
233 0xb0, 0xbb, 0x28, 0xe3, 0xf8, 0x1e, 0x9b, 0xd1, 0xc5, 0x68, 0x71, 0x3b, 0x10, 0x12, 0x41, 0xac,
234 0xc6, 0x07, 0x97, 0x6c, 0x4d, 0xdc, 0xcc, 0x90, 0xe6, 0x5b, 0x65, 0x56, 0xca, 0x31, 0x51, 0x60,
235 0x58, 0xf9, 0x2b, 0x6e, 0x09, 0xf3, 0xb1, 0x60, 0xff, 0x0e, 0x37, 0x4e, 0xc4, 0x0d, 0x78, 0xae,
236 0x4d, 0x49, 0x79, 0xfd, 0xe6, 0xac, 0x06, 0xa1, 0xa4, 0x00, 0xc6, 0x1d, 0xd3, 0x12, 0x54, 0x18,
237 0x6a, 0xf3, 0x0b, 0x22, 0xc1, 0x05, 0x82, 0xa8, 0xa4, 0x3e, 0x34, 0xfe, 0x94, 0x9c, 0x5f, 0x3b,
238 0x97, 0x55, 0xba, 0xe7, 0xba, 0xa7, 0xb7, 0xb7, 0xa6, 0xbd, 0x03, 0xb3, 0x8c, 0xef, 0x55, 0xc8,
239 0x68, 0x85, 0xfc, 0x6c, 0x19, 0x78, 0xb9, 0xce, 0xe7, 0xef, 0x33, 0xda, 0x50, 0x7c, 0x9d, 0xf6,
240 0xb9, 0x27, 0x7c, 0xff, 0x1e, 0x6a, 0xaa, 0x5d, 0x57, 0xac, 0xa5, 0x28, 0x46, 0x61, 0x02, 0x81,
241 0x81, 0x00, 0xc9, 0x31, 0x61, 0x7c, 0x77, 0x82, 0x9d, 0xfb, 0x12, 0x70, 0x50, 0x2b, 0xe9, 0x19,
242 0x5c, 0x8f, 0x28, 0x30, 0x88, 0x5f, 0x57, 0xdb, 0xa8, 0x69, 0x53, 0x68, 0x11, 0xe6, 0x86, 0x42,
243 0x36, 0xd0, 0xc4, 0x73, 0x6a, 0x00, 0x08, 0xa1, 0x45, 0xaf, 0x36, 0xb8, 0x35, 0x7a, 0x7c, 0x3d,
244 0x13, 0x99, 0x66, 0xd0, 0x4c, 0x4e, 0x00, 0x93, 0x4e, 0xa1, 0xae, 0xde, 0x3b, 0xb6, 0xb8, 0xec,
245 0x84, 0x1d, 0xc9, 0x5e, 0x3f, 0x57, 0x97, 0x51, 0xe2, 0xbf, 0xdf, 0xe2, 0x7a, 0xe7, 0x78, 0x98,
246 0x3f, 0x95, 0x93, 0x56, 0x21, 0x07, 0x23, 0x28, 0x7b, 0x0a, 0xff, 0xcc, 0x9f, 0x72, 0x70, 0x44,
247 0xd4, 0x8c, 0x37, 0x3f, 0x1b, 0xab, 0xde, 0x07, 0x24, 0xfa, 0x17, 0xa4, 0xfd, 0x4d, 0xa0, 0x90,
248 0x2c, 0x7c, 0x9b, 0x9b, 0xf2, 0x7b, 0xa6, 0x1b, 0xe6, 0xad, 0x02, 0xdf, 0xdd, 0xda, 0x8f, 0x4e,
249 0x68, 0x22,
250];
251
252/// WrappedKeyData as ASN.1 DER-encoded data corresponding to the `SecureKeyWrapper` schema
253/// specified in IKeyMintDevice.aidl. Wrapped key parameters are -
254/// Algorithm: AES
255/// Key size: 256
256/// Block mode: ECB
257/// Padding mode: PKCS7
258/// This sample wrapped_key is taken from KeyMint tests (see KeyMintTest.cpp).
259pub static WRAPPED_KEY: &[u8] = &[
260 0x30, 0x82, 0x01, 0x79, 0x02, 0x01, 0x00, 0x04, 0x82, 0x01, 0x00, 0x93, 0x4b, 0xf9, 0x4e, 0x2a,
261 0xa2, 0x8a, 0x3f, 0x83, 0xc9, 0xf7, 0x92, 0x97, 0x25, 0x02, 0x62, 0xfb, 0xe3, 0x27, 0x6b, 0x5a,
262 0x1c, 0x91, 0x15, 0x9b, 0xbf, 0xa3, 0xef, 0x89, 0x57, 0xaa, 0xc8, 0x4b, 0x59, 0xb3, 0x0b, 0x45,
263 0x5a, 0x79, 0xc2, 0x97, 0x34, 0x80, 0x82, 0x3d, 0x8b, 0x38, 0x63, 0xc3, 0xde, 0xef, 0x4a, 0x8e,
264 0x24, 0x35, 0x90, 0x26, 0x8d, 0x80, 0xe1, 0x87, 0x51, 0xa0, 0xe1, 0x30, 0xf6, 0x7c, 0xe6, 0xa1,
265 0xac, 0xe9, 0xf7, 0x9b, 0x95, 0xe0, 0x97, 0x47, 0x4f, 0xeb, 0xc9, 0x81, 0x19, 0x5b, 0x1d, 0x13,
266 0xa6, 0x90, 0x86, 0xc0, 0x86, 0x3f, 0x66, 0xa7, 0xb7, 0xfd, 0xb4, 0x87, 0x92, 0x22, 0x7b, 0x1a,
267 0xc5, 0xe2, 0x48, 0x9f, 0xeb, 0xdf, 0x08, 0x7a, 0xb5, 0x48, 0x64, 0x83, 0x03, 0x3a, 0x6f, 0x00,
268 0x1c, 0xa5, 0xd1, 0xec, 0x1e, 0x27, 0xf5, 0xc3, 0x0f, 0x4c, 0xec, 0x26, 0x42, 0x07, 0x4a, 0x39,
269 0xae, 0x68, 0xae, 0xe5, 0x52, 0xe1, 0x96, 0x62, 0x7a, 0x8e, 0x3d, 0x86, 0x7e, 0x67, 0xa8, 0xc0,
270 0x1b, 0x11, 0xe7, 0x5f, 0x13, 0xcc, 0xa0, 0xa9, 0x7a, 0xb6, 0x68, 0xb5, 0x0c, 0xda, 0x07, 0xa8,
271 0xec, 0xb7, 0xcd, 0x8e, 0x3d, 0xd7, 0x00, 0x9c, 0x96, 0x36, 0x53, 0x4f, 0x6f, 0x23, 0x9c, 0xff,
272 0xe1, 0xfc, 0x8d, 0xaa, 0x46, 0x6f, 0x78, 0xb6, 0x76, 0xc7, 0x11, 0x9e, 0xfb, 0x96, 0xbc, 0xe4,
273 0xe6, 0x9c, 0xa2, 0xa2, 0x5d, 0x0b, 0x34, 0xed, 0x9c, 0x3f, 0xf9, 0x99, 0xb8, 0x01, 0x59, 0x7d,
274 0x52, 0x20, 0xe3, 0x07, 0xea, 0xa5, 0xbe, 0xe5, 0x07, 0xfb, 0x94, 0xd1, 0xfa, 0x69, 0xf9, 0xe5,
275 0x19, 0xb2, 0xde, 0x31, 0x5b, 0xac, 0x92, 0xc3, 0x6f, 0x2e, 0xa1, 0xfa, 0x1d, 0xf4, 0x47, 0x8c,
276 0x0d, 0xde, 0xde, 0xae, 0x8c, 0x70, 0xe0, 0x23, 0x3c, 0xd0, 0x98, 0x04, 0x0c, 0xd7, 0x96, 0xb0,
277 0x2c, 0x37, 0x0f, 0x1f, 0xa4, 0xcc, 0x01, 0x24, 0xf1, 0x30, 0x2e, 0x02, 0x01, 0x03, 0x30, 0x29,
278 0xa1, 0x08, 0x31, 0x06, 0x02, 0x01, 0x00, 0x02, 0x01, 0x01, 0xa2, 0x03, 0x02, 0x01, 0x20, 0xa3,
279 0x04, 0x02, 0x02, 0x01, 0x00, 0xa4, 0x05, 0x31, 0x03, 0x02, 0x01, 0x01, 0xa6, 0x05, 0x31, 0x03,
280 0x02, 0x01, 0x40, 0xbf, 0x83, 0x77, 0x02, 0x05, 0x00, 0x04, 0x20, 0xcc, 0xd5, 0x40, 0x85, 0x5f,
281 0x83, 0x3a, 0x5e, 0x14, 0x80, 0xbf, 0xd2, 0xd3, 0x6f, 0xaf, 0x3a, 0xee, 0xe1, 0x5d, 0xf5, 0xbe,
282 0xab, 0xe2, 0x69, 0x1b, 0xc8, 0x2d, 0xde, 0x2a, 0x7a, 0xa9, 0x10, 0x04, 0x10, 0x64, 0xc9, 0xf6,
283 0x89, 0xc6, 0x0f, 0xf6, 0x22, 0x3a, 0xb6, 0xe6, 0x99, 0x9e, 0x0e, 0xb6, 0xe5,
284];
285
Rajesh Nyamagoudb881d512021-12-10 00:33:15 +0000[diff] [blame]286/// To map Keystore errors.
287#[derive(thiserror::Error, Debug, Eq, PartialEq)]
288pub enum Error {
289 /// Keystore2 error code
290 #[error("ResponseCode {0:?}")]
291 Rc(ResponseCode),
292 /// Keymint error code
293 #[error("ErrorCode {0:?}")]
294 Km(ErrorCode),
295 /// Exception
296 #[error("Binder exception {0:?}")]
297 Binder(ExceptionCode),
Rajesh Nyamagoud4d483372022-02-09 01:38:23 +0000[diff] [blame]298 /// This is returned if the C implementation of extractSubjectFromCertificate failed.
299 #[error("Failed to validate certificate chain.")]
300 ValidateCertChainFailed,
Rajesh Nyamagoudc946cc42022-04-12 22:49:11 +0000[diff] [blame]301 /// Error code to indicate error in ASN.1 DER-encoded data creation.
302 #[error("Failed to create and encode ASN.1 data.")]
303 DerEncodeFailed,
Rajesh Nyamagoudb881d512021-12-10 00:33:15 +0000[diff] [blame]304}
305
306/// Keystore2 error mapping.
307pub fn map_ks_error<T>(r: BinderResult<T>) -> Result<T, Error> {
308 r.map_err(|s| {
309 match s.exception_code() {
310 ExceptionCode::SERVICE_SPECIFIC => {
311 match s.service_specific_error() {
312 se if se < 0 => {
313 // Negative service specific errors are KM error codes.
314 Error::Km(ErrorCode(se))
315 }
316 se => {
317 // Positive service specific errors are KS response codes.
318 Error::Rc(ResponseCode(se))
319 }
320 }
321 }
322 // We create `Error::Binder` to preserve the exception code
323 // for logging.
324 e_code => Error::Binder(e_code),
325 }
326 })
327}
328
329/// Generate EC Key using given security level and domain with below key parameters and
330/// optionally allow the generated key to be attested with factory provisioned attest key using
331/// given challenge and application id -
Rajesh Nyamagoud901386c2022-03-21 20:35:18 +0000[diff] [blame]332/// Purposes: SIGN and VERIFY
333/// Digest: SHA_2_256
334/// Curve: P_256
Rajesh Nyamagoudb881d512021-12-10 00:33:15 +0000[diff] [blame]335pub fn generate_ec_p256_signing_key(
Rajesh Nyamagoud901386c2022-03-21 20:35:18 +0000[diff] [blame]336 sec_level: &binder::Strong<dyn IKeystoreSecurityLevel>,
Rajesh Nyamagoudb881d512021-12-10 00:33:15 +0000[diff] [blame]337 domain: Domain,
338 nspace: i64,
339 alias: Option<String>,
340 att_challenge: Option<&[u8]>,
341 att_app_id: Option<&[u8]>,
Rajesh Nyamagoud901386c2022-03-21 20:35:18 +0000[diff] [blame]342) -> binder::Result<KeyMetadata> {
Rajesh Nyamagoudb881d512021-12-10 00:33:15 +0000[diff] [blame]343 let mut key_attest = false;
344 let mut gen_params = AuthSetBuilder::new()
Rajesh Nyamagoudc7d064d2022-08-20 01:45:17 +0000[diff] [blame]345 .no_auth_required()
Rajesh Nyamagoud901386c2022-03-21 20:35:18 +0000[diff] [blame]346 .algorithm(Algorithm::EC)
347 .purpose(KeyPurpose::SIGN)
348 .purpose(KeyPurpose::VERIFY)
349 .digest(Digest::SHA_2_256)
Rajesh Nyamagoudb881d512021-12-10 00:33:15 +0000[diff] [blame]350 .ec_curve(EcCurve::P_256);
351
352 if let Some(challenge) = att_challenge {
353 key_attest = true;
354 gen_params = gen_params.clone().attestation_challenge(challenge.to_vec());
355 }
356
357 if let Some(app_id) = att_app_id {
358 key_attest = true;
359 gen_params = gen_params.clone().attestation_app_id(app_id.to_vec());
360 }
Rajesh Nyamagoud901386c2022-03-21 20:35:18 +0000[diff] [blame]361
362 match sec_level.generateKey(
Rajesh Nyamagoudb881d512021-12-10 00:33:15 +0000[diff] [blame]363 &KeyDescriptor { domain, nspace, alias, blob: None },
Rajesh Nyamagoud901386c2022-03-21 20:35:18 +0000[diff] [blame]364 None,
365 &gen_params,
366 0,
367 b"entropy",
368 ) {
369 Ok(key_metadata) => {
370 assert!(key_metadata.certificate.is_some());
Rajesh Nyamagoudb881d512021-12-10 00:33:15 +0000[diff] [blame]371 if key_attest {
372 assert!(key_metadata.certificateChain.is_some());
373 }
374 if domain == Domain::BLOB {
375 assert!(key_metadata.key.blob.is_some());
376 }
Rajesh Nyamagoud901386c2022-03-21 20:35:18 +0000[diff] [blame]377
378 Ok(key_metadata)
379 }
380 Err(e) => Err(e),
381 }
382}
Rajesh Nyamagouda7766452021-12-13 21:44:19 +0000[diff] [blame]383
384/// Generate EC signing key.
Rajesh Nyamagoudc7d064d2022-08-20 01:45:17 +0000[diff] [blame]385pub fn generate_ec_key(
386 sec_level: &binder::Strong<dyn IKeystoreSecurityLevel>,
Rajesh Nyamagouda7766452021-12-13 21:44:19 +0000[diff] [blame]387 domain: Domain,
388 nspace: i64,
389 alias: Option<String>,
390 ec_curve: EcCurve,
391 digest: Digest,
392) -> binder::Result<KeyMetadata> {
393 let gen_params = AuthSetBuilder::new()
394 .no_auth_required()
395 .algorithm(Algorithm::EC)
396 .purpose(KeyPurpose::SIGN)
397 .purpose(KeyPurpose::VERIFY)
398 .digest(digest)
399 .ec_curve(ec_curve);
400
401 let key_metadata = sec_level.generateKey(
402 &KeyDescriptor { domain, nspace, alias, blob: None },
403 None,
404 &gen_params,
405 0,
406 b"entropy",
407 )?;
408
409 // Must have a public key.
410 assert!(key_metadata.certificate.is_some());
411
412 // Should not have an attestation record.
413 assert!(key_metadata.certificateChain.is_none());
414
415 if domain == Domain::BLOB {
416 assert!(key_metadata.key.blob.is_some());
417 } else {
418 assert!(key_metadata.key.blob.is_none());
419 }
420 Ok(key_metadata)
421}
Rajesh Nyamagoud11912ea2021-12-20 20:37:20 +0000[diff] [blame]422
423/// Generate a RSA key with the given key parameters, alias, domain and namespace.
424pub fn generate_rsa_key(
425 sec_level: &binder::Strong<dyn IKeystoreSecurityLevel>,
426 domain: Domain,
427 nspace: i64,
428 alias: Option<String>,
429 key_params: &KeyParams,
430 attest_key: Option<&KeyDescriptor>,
431) -> binder::Result<KeyMetadata> {
432 let mut gen_params = AuthSetBuilder::new()
433 .no_auth_required()
434 .algorithm(Algorithm::RSA)
435 .rsa_public_exponent(65537)
436 .key_size(key_params.key_size);
437
438 for purpose in &key_params.purpose {
439 gen_params = gen_params.purpose(*purpose);
440 }
441 if let Some(value) = key_params.digest {
442 gen_params = gen_params.digest(value)
443 }
444 if let Some(value) = key_params.padding {
445 gen_params = gen_params.padding_mode(value);
446 }
447 if let Some(value) = key_params.mgf_digest {
448 gen_params = gen_params.mgf_digest(value);
449 }
450 if let Some(value) = key_params.block_mode {
451 gen_params = gen_params.block_mode(value)
452 }
453 if let Some(value) = &key_params.att_challenge {
454 gen_params = gen_params.attestation_challenge(value.to_vec())
455 }
456 if let Some(value) = &key_params.att_app_id {
457 gen_params = gen_params.attestation_app_id(value.to_vec())
458 }
459
460 let key_metadata = sec_level.generateKey(
461 &KeyDescriptor { domain, nspace, alias, blob: None },
462 attest_key,
463 &gen_params,
464 0,
465 b"entropy",
466 )?;
467
468 // Must have a public key.
469 assert!(key_metadata.certificate.is_some());
470
471 if attest_key.is_none() && key_params.att_challenge.is_some() && key_params.att_app_id.is_some()
472 {
473 // Should have an attestation record.
474 assert!(key_metadata.certificateChain.is_some());
475 } else {
476 // Should not have an attestation record.
477 assert!(key_metadata.certificateChain.is_none());
478 }
479
480 assert!(
481 (domain == Domain::BLOB && key_metadata.key.blob.is_some())
482 || key_metadata.key.blob.is_none()
483 );
484
485 Ok(key_metadata)
486}
Rajesh Nyamagoud47409932022-01-08 00:37:13 +0000[diff] [blame]487
Rajesh Nyamagoudc3523ba2022-08-05 17:38:25 +0000[diff] [blame]488/// Generate AES/3DES key.
489pub fn generate_sym_key(
Rajesh Nyamagoud47409932022-01-08 00:37:13 +0000[diff] [blame]490 sec_level: &binder::Strong<dyn IKeystoreSecurityLevel>,
Rajesh Nyamagoudc3523ba2022-08-05 17:38:25 +0000[diff] [blame]491 algorithm: Algorithm,
Rajesh Nyamagoud47409932022-01-08 00:37:13 +0000[diff] [blame]492 size: i32,
493 alias: &str,
494 padding_mode: &PaddingMode,
495 block_mode: &BlockMode,
496 min_mac_len: Option<i32>,
497) -> binder::Result<KeyMetadata> {
498 let mut gen_params = AuthSetBuilder::new()
499 .no_auth_required()
Rajesh Nyamagoudc3523ba2022-08-05 17:38:25 +0000[diff] [blame]500 .algorithm(algorithm)
Rajesh Nyamagoud47409932022-01-08 00:37:13 +0000[diff] [blame]501 .purpose(KeyPurpose::ENCRYPT)
502 .purpose(KeyPurpose::DECRYPT)
503 .key_size(size)
504 .padding_mode(*padding_mode)
505 .block_mode(*block_mode);
506
507 if let Some(val) = min_mac_len {
508 gen_params = gen_params.min_mac_length(val);
509 }
510
511 let key_metadata = sec_level.generateKey(
512 &KeyDescriptor {
513 domain: Domain::APP,
514 nspace: -1,
515 alias: Some(alias.to_string()),
516 blob: None,
517 },
518 None,
519 &gen_params,
520 0,
521 b"entropy",
522 )?;
523
524 // Should not have public certificate.
525 assert!(key_metadata.certificate.is_none());
526
527 // Should not have an attestation record.
528 assert!(key_metadata.certificateChain.is_none());
529 Ok(key_metadata)
530}
Rajesh Nyamagoud4c6193c2022-02-03 01:15:34 +0000[diff] [blame]531
532/// Generate HMAC key.
533pub fn generate_hmac_key(
534 sec_level: &binder::Strong<dyn IKeystoreSecurityLevel>,
535 alias: &str,
536 key_size: i32,
537 min_mac_len: i32,
538 digest: Digest,
539) -> binder::Result<KeyMetadata> {
540 let gen_params = AuthSetBuilder::new()
541 .no_auth_required()
542 .algorithm(Algorithm::HMAC)
543 .purpose(KeyPurpose::SIGN)
544 .purpose(KeyPurpose::VERIFY)
545 .key_size(key_size)
546 .min_mac_length(min_mac_len)
547 .digest(digest);
548
549 let key_metadata = sec_level.generateKey(
550 &KeyDescriptor {
551 domain: Domain::APP,
552 nspace: -1,
553 alias: Some(alias.to_string()),
554 blob: None,
555 },
556 None,
557 &gen_params,
558 0,
559 b"entropy",
560 )?;
561
562 // Should not have public certificate.
563 assert!(key_metadata.certificate.is_none());
564
565 // Should not have an attestation record.
566 assert!(key_metadata.certificateChain.is_none());
567
568 Ok(key_metadata)
569}
Rajesh Nyamagoud4d483372022-02-09 01:38:23 +0000[diff] [blame]570
571/// Generate RSA or EC attestation keys using below parameters -
572/// Purpose: ATTEST_KEY
573/// Digest: Digest::SHA_2_256
574/// Padding: PaddingMode::RSA_PKCS1_1_5_SIGN
575/// RSA-Key-Size: 2048
576/// EC-Curve: EcCurve::P_256
577pub fn generate_attestation_key(
578 sec_level: &binder::Strong<dyn IKeystoreSecurityLevel>,
579 algorithm: Algorithm,
580 att_challenge: &[u8],
581 att_app_id: &[u8],
582) -> binder::Result<KeyMetadata> {
583 assert!(algorithm == Algorithm::RSA || algorithm == Algorithm::EC);
584
585 if algorithm == Algorithm::RSA {
586 let alias = "ks_rsa_attest_test_key";
587 let metadata = generate_rsa_key(
588 sec_level,
589 Domain::APP,
590 -1,
591 Some(alias.to_string()),
592 &KeyParams {
593 key_size: 2048,
594 purpose: vec![KeyPurpose::ATTEST_KEY],
595 padding: Some(PaddingMode::RSA_PKCS1_1_5_SIGN),
596 digest: Some(Digest::SHA_2_256),
597 mgf_digest: None,
598 block_mode: None,
599 att_challenge: Some(att_challenge.to_vec()),
600 att_app_id: Some(att_app_id.to_vec()),
601 },
602 None,
603 )
604 .unwrap();
605 Ok(metadata)
606 } else {
607 let metadata = generate_ec_attestation_key(
608 sec_level,
609 att_challenge,
610 att_app_id,
611 Digest::SHA_2_256,
612 EcCurve::P_256,
613 )
614 .unwrap();
615
616 Ok(metadata)
617 }
618}
619
620/// Generate EC attestation key with the given
621/// curve, attestation-challenge and attestation-app-id.
622pub fn generate_ec_attestation_key(
623 sec_level: &binder::Strong<dyn IKeystoreSecurityLevel>,
624 att_challenge: &[u8],
625 att_app_id: &[u8],
626 digest: Digest,
627 ec_curve: EcCurve,
628) -> binder::Result<KeyMetadata> {
629 let alias = "ks_attest_ec_test_key";
630 let gen_params = AuthSetBuilder::new()
631 .no_auth_required()
632 .algorithm(Algorithm::EC)
633 .purpose(KeyPurpose::ATTEST_KEY)
634 .ec_curve(ec_curve)
635 .digest(digest)
636 .attestation_challenge(att_challenge.to_vec())
637 .attestation_app_id(att_app_id.to_vec());
638
639 let attestation_key_metadata = sec_level.generateKey(
640 &KeyDescriptor {
641 domain: Domain::APP,
642 nspace: -1,
643 alias: Some(alias.to_string()),
644 blob: None,
645 },
646 None,
647 &gen_params,
648 0,
649 b"entropy",
650 )?;
651
652 // Should have public certificate.
653 assert!(attestation_key_metadata.certificate.is_some());
654 // Should have an attestation record.
655 assert!(attestation_key_metadata.certificateChain.is_some());
656
657 Ok(attestation_key_metadata)
658}
659
660/// Generate EC-P-256 key and attest it with given attestation key.
661pub fn generate_ec_256_attested_key(
662 sec_level: &binder::Strong<dyn IKeystoreSecurityLevel>,
663 alias: Option<String>,
664 att_challenge: &[u8],
665 att_app_id: &[u8],
666 attest_key: &KeyDescriptor,
667) -> binder::Result<KeyMetadata> {
668 let ec_gen_params = AuthSetBuilder::new()
669 .no_auth_required()
670 .algorithm(Algorithm::EC)
671 .purpose(KeyPurpose::SIGN)
672 .purpose(KeyPurpose::VERIFY)
673 .digest(Digest::SHA_2_256)
674 .ec_curve(EcCurve::P_256)
675 .attestation_challenge(att_challenge.to_vec())
676 .attestation_app_id(att_app_id.to_vec());
677
678 let ec_key_metadata = sec_level
679 .generateKey(
680 &KeyDescriptor { domain: Domain::APP, nspace: -1, alias, blob: None },
681 Some(attest_key),
682 &ec_gen_params,
683 0,
684 b"entropy",
685 )
686 .unwrap();
687
688 // Should have public certificate.
689 assert!(ec_key_metadata.certificate.is_some());
690 // Shouldn't have an attestation record.
691 assert!(ec_key_metadata.certificateChain.is_none());
692
693 Ok(ec_key_metadata)
694}
Rajesh Nyamagoudb8402b62022-04-08 01:05:47 +0000[diff] [blame]695
Rajesh Nyamagoudc946cc42022-04-12 22:49:11 +0000[diff] [blame]696/// Verify that given key param is listed in given authorizations list.
697pub fn check_key_param(authorizations: &[Authorization], key_param: KeyParameter) -> bool {
Rajesh Nyamagoudb8402b62022-04-08 01:05:47 +0000[diff] [blame]698 for authrization in authorizations {
699 if authrization.keyParameter == key_param {
700 return true;
701 }
702 }
703
704 false
705}
706
707/// Imports above defined RSA key - `RSA_2048_KEY` and validates imported key parameters.
708pub fn import_rsa_2048_key(
709 sec_level: &binder::Strong<dyn IKeystoreSecurityLevel>,
710 domain: Domain,
711 nspace: i64,
712 alias: Option<String>,
713 import_params: AuthSetBuilder,
714) -> binder::Result<KeyMetadata> {
715 let key_metadata = sec_level
716 .importKey(
717 &KeyDescriptor { domain, nspace, alias, blob: None },
718 None,
719 &import_params,
720 0,
721 RSA_2048_KEY,
722 )
723 .unwrap();
724
725 assert!(key_metadata.certificate.is_some());
726 assert!(key_metadata.certificateChain.is_none());
727
728 assert!(check_key_param(
729 &key_metadata.authorizations,
730 KeyParameter { tag: Tag::ALGORITHM, value: KeyParameterValue::Algorithm(Algorithm::RSA) }
731 ));
732
733 assert!(check_key_param(
734 &key_metadata.authorizations,
735 KeyParameter { tag: Tag::KEY_SIZE, value: KeyParameterValue::Integer(2048) }
736 ));
737
738 assert!(check_key_param(
739 &key_metadata.authorizations,
740 KeyParameter { tag: Tag::DIGEST, value: KeyParameterValue::Digest(Digest::SHA_2_256) }
741 ));
742
743 assert!(check_key_param(
744 &key_metadata.authorizations,
745 KeyParameter {
746 tag: Tag::RSA_PUBLIC_EXPONENT,
747 value: KeyParameterValue::LongInteger(65537)
748 }
749 ));
750
751 assert!(check_key_param(
752 &key_metadata.authorizations,
753 KeyParameter {
754 tag: Tag::PADDING,
755 value: KeyParameterValue::PaddingMode(PaddingMode::RSA_PSS)
756 }
757 ));
758
759 assert!(check_key_param(
760 &key_metadata.authorizations,
761 KeyParameter { tag: Tag::ORIGIN, value: KeyParameterValue::Origin(KeyOrigin::IMPORTED) }
762 ));
763
764 Ok(key_metadata)
765}
766
767/// Imports above defined EC key - `EC_P_256_KEY` and validates imported key parameters.
768pub fn import_ec_p_256_key(
769 sec_level: &binder::Strong<dyn IKeystoreSecurityLevel>,
770 domain: Domain,
771 nspace: i64,
772 alias: Option<String>,
773 import_params: AuthSetBuilder,
774) -> binder::Result<KeyMetadata> {
775 let key_metadata = sec_level
776 .importKey(
777 &KeyDescriptor { domain, nspace, alias, blob: None },
778 None,
779 &import_params,
780 0,
781 EC_P_256_KEY,
782 )
783 .unwrap();
784
785 assert!(key_metadata.certificate.is_some());
786 assert!(key_metadata.certificateChain.is_none());
787
788 assert!(check_key_param(
789 &key_metadata.authorizations,
790 KeyParameter { tag: Tag::ALGORITHM, value: KeyParameterValue::Algorithm(Algorithm::EC) }
791 ));
792
793 assert!(check_key_param(
794 &key_metadata.authorizations,
795 KeyParameter { tag: Tag::EC_CURVE, value: KeyParameterValue::EcCurve(EcCurve::P_256) }
796 ));
797
798 assert!(check_key_param(
799 &key_metadata.authorizations,
800 KeyParameter { tag: Tag::DIGEST, value: KeyParameterValue::Digest(Digest::SHA_2_256) }
801 ));
802 assert!(check_key_param(
803 &key_metadata.authorizations,
804 KeyParameter { tag: Tag::ORIGIN, value: KeyParameterValue::Origin(KeyOrigin::IMPORTED) }
805 ));
806
807 Ok(key_metadata)
808}
809
810/// Import sample AES key and validate its key parameters.
811pub fn import_aes_key(
812 sec_level: &binder::Strong<dyn IKeystoreSecurityLevel>,
813 domain: Domain,
814 nspace: i64,
815 alias: Option<String>,
816) -> binder::Result<KeyMetadata> {
817 static AES_KEY: &[u8] = &[0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0];
818 let key_size = AES_KEY.len() * 8;
819
820 let import_params = AuthSetBuilder::new()
821 .no_auth_required()
822 .algorithm(Algorithm::AES)
823 .block_mode(BlockMode::ECB)
824 .key_size(key_size.try_into().unwrap())
825 .purpose(KeyPurpose::ENCRYPT)
826 .purpose(KeyPurpose::DECRYPT)
827 .padding_mode(PaddingMode::PKCS7);
828
829 let key_metadata = sec_level.importKey(
830 &KeyDescriptor { domain, nspace, alias, blob: None },
831 None,
832 &import_params,
833 0,
834 AES_KEY,
835 )?;
836
837 assert!(check_key_param(
838 &key_metadata.authorizations,
839 KeyParameter { tag: Tag::ALGORITHM, value: KeyParameterValue::Algorithm(Algorithm::AES) }
840 ));
841 assert!(check_key_param(
842 &key_metadata.authorizations,
843 KeyParameter { tag: Tag::KEY_SIZE, value: KeyParameterValue::Integer(128) }
844 ));
845 assert!(check_key_param(
846 &key_metadata.authorizations,
847 KeyParameter {
848 tag: Tag::PADDING,
849 value: KeyParameterValue::PaddingMode(PaddingMode::PKCS7)
850 }
851 ));
852 assert!(check_key_param(
853 &key_metadata.authorizations,
854 KeyParameter { tag: Tag::BLOCK_MODE, value: KeyParameterValue::BlockMode(BlockMode::ECB) }
855 ));
856 assert!(check_key_param(
857 &key_metadata.authorizations,
858 KeyParameter { tag: Tag::ORIGIN, value: KeyParameterValue::Origin(KeyOrigin::IMPORTED) }
859 ));
860
861 Ok(key_metadata)
862}
863
864/// Import sample 3DES key and validate its key parameters.
865pub fn import_3des_key(
866 sec_level: &binder::Strong<dyn IKeystoreSecurityLevel>,
867 domain: Domain,
868 nspace: i64,
869 alias: Option<String>,
870) -> binder::Result<KeyMetadata> {
871 static TRIPLE_DES_KEY: &[u8] = &[
872 0xa4, 0x9d, 0x75, 0x64, 0x19, 0x9e, 0x97, 0xcb, 0x52, 0x9d, 0x2c, 0x9d, 0x97, 0xbf, 0x2f,
873 0x98, 0xd3, 0x5e, 0xdf, 0x57, 0xba, 0x1f, 0x73, 0x58,
874 ];
875
876 let import_params = AuthSetBuilder::new()
877 .no_auth_required()
878 .algorithm(Algorithm::TRIPLE_DES)
879 .block_mode(BlockMode::ECB)
880 .key_size(168)
881 .purpose(KeyPurpose::ENCRYPT)
882 .purpose(KeyPurpose::DECRYPT)
883 .padding_mode(PaddingMode::PKCS7);
884
885 let key_metadata = sec_level.importKey(
886 &KeyDescriptor { domain, nspace, alias, blob: None },
887 None,
888 &import_params,
889 0,
890 TRIPLE_DES_KEY,
891 )?;
892
893 assert!(check_key_param(
894 &key_metadata.authorizations,
895 KeyParameter {
896 tag: Tag::ALGORITHM,
897 value: KeyParameterValue::Algorithm(Algorithm::TRIPLE_DES)
898 }
899 ));
900 assert!(check_key_param(
901 &key_metadata.authorizations,
902 KeyParameter { tag: Tag::KEY_SIZE, value: KeyParameterValue::Integer(168) }
903 ));
904 assert!(check_key_param(
905 &key_metadata.authorizations,
906 KeyParameter {
907 tag: Tag::PADDING,
908 value: KeyParameterValue::PaddingMode(PaddingMode::PKCS7)
909 }
910 ));
911 assert!(check_key_param(
912 &key_metadata.authorizations,
913 KeyParameter { tag: Tag::BLOCK_MODE, value: KeyParameterValue::BlockMode(BlockMode::ECB) }
914 ));
915 assert!(check_key_param(
916 &key_metadata.authorizations,
917 KeyParameter { tag: Tag::ORIGIN, value: KeyParameterValue::Origin(KeyOrigin::IMPORTED) }
918 ));
919
920 Ok(key_metadata)
921}
922
923/// Import sample HMAC key and validate its key parameters.
924pub fn import_hmac_key(
925 sec_level: &binder::Strong<dyn IKeystoreSecurityLevel>,
926 domain: Domain,
927 nspace: i64,
928 alias: Option<String>,
929) -> binder::Result<KeyMetadata> {
930 static HMAC_KEY: &[u8] = &[0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0];
931 let key_size = HMAC_KEY.len() * 8;
932
933 let import_params = AuthSetBuilder::new()
934 .no_auth_required()
935 .algorithm(Algorithm::HMAC)
936 .key_size(key_size.try_into().unwrap())
937 .purpose(KeyPurpose::SIGN)
938 .purpose(KeyPurpose::VERIFY)
939 .digest(Digest::SHA_2_256)
940 .min_mac_length(256);
941
942 let key_metadata = sec_level.importKey(
943 &KeyDescriptor { domain, nspace, alias, blob: None },
944 None,
945 &import_params,
946 0,
947 HMAC_KEY,
948 )?;
949
950 assert!(check_key_param(
951 &key_metadata.authorizations,
952 KeyParameter { tag: Tag::ALGORITHM, value: KeyParameterValue::Algorithm(Algorithm::HMAC) }
953 ));
954 assert!(check_key_param(
955 &key_metadata.authorizations,
956 KeyParameter { tag: Tag::KEY_SIZE, value: KeyParameterValue::Integer(128) }
957 ));
958 assert!(check_key_param(
959 &key_metadata.authorizations,
960 KeyParameter { tag: Tag::DIGEST, value: KeyParameterValue::Digest(Digest::SHA_2_256) }
961 ));
962 assert!(check_key_param(
963 &key_metadata.authorizations,
964 KeyParameter { tag: Tag::ORIGIN, value: KeyParameterValue::Origin(KeyOrigin::IMPORTED) }
965 ));
966
967 Ok(key_metadata)
968}
Rajesh Nyamagoudc946cc42022-04-12 22:49:11 +0000[diff] [blame]969
970/// Imports RSA encryption key with WRAP_KEY purpose.
971pub fn import_wrapping_key(
972 sec_level: &binder::Strong<dyn IKeystoreSecurityLevel>,
973 wrapping_key_data: &[u8],
974 wrapping_key_alias: Option<String>,
975) -> binder::Result<KeyMetadata> {
976 let wrapping_key_params = AuthSetBuilder::new()
977 .no_auth_required()
978 .algorithm(Algorithm::RSA)
979 .digest(Digest::SHA_2_256)
980 .purpose(KeyPurpose::ENCRYPT)
981 .purpose(KeyPurpose::DECRYPT)
982 .purpose(KeyPurpose::WRAP_KEY)
983 .padding_mode(PaddingMode::RSA_OAEP)
984 .key_size(2048)
985 .rsa_public_exponent(65537)
986 .cert_not_before(0)
987 .cert_not_after(253402300799000);
988
989 sec_level.importKey(
990 &KeyDescriptor { domain: Domain::APP, nspace: -1, alias: wrapping_key_alias, blob: None },
991 None,
992 &wrapping_key_params,
993 0,
994 wrapping_key_data,
995 )
996}
997
998/// Import wrapped key using given wrapping key.
999pub fn import_wrapped_key(
1000 sec_level: &binder::Strong<dyn IKeystoreSecurityLevel>,
1001 alias: Option<String>,
1002 wrapping_key_metadata: &KeyMetadata,
1003 wrapped_key: Option<Vec<u8>>,
1004) -> binder::Result<KeyMetadata> {
1005 let unwrap_params =
1006 AuthSetBuilder::new().digest(Digest::SHA_2_256).padding_mode(PaddingMode::RSA_OAEP);
1007
1008 let authenticator_spec: &[AuthenticatorSpec] = &[AuthenticatorSpec {
1009 authenticatorType: HardwareAuthenticatorType::NONE,
1010 authenticatorId: 0,
1011 }];
1012
1013 let key_metadata = sec_level.importWrappedKey(
1014 &KeyDescriptor { domain: Domain::APP, nspace: -1, alias, blob: wrapped_key },
1015 &wrapping_key_metadata.key,
1016 None,
1017 &unwrap_params,
1018 authenticator_spec,
1019 )?;
1020
1021 Ok(key_metadata)
1022}
1023
1024/// Import wrapping key and then import wrapped key using wrapping key.
1025pub fn import_wrapping_key_and_wrapped_key(
1026 sec_level: &binder::Strong<dyn IKeystoreSecurityLevel>,
1027 domain: Domain,
1028 nspace: i64,
1029 alias: Option<String>,
1030 wrapping_key_alias: Option<String>,
1031 wrapping_key_params: AuthSetBuilder,
1032) -> binder::Result<KeyMetadata> {
1033 let wrapping_key_metadata = sec_level.importKey(
1034 &KeyDescriptor { domain, nspace, alias: wrapping_key_alias, blob: None },
1035 None,
1036 &wrapping_key_params,
1037 0,
1038 WRAPPING_KEY,
1039 )?;
1040
1041 import_wrapped_key(sec_level, alias, &wrapping_key_metadata, Some(WRAPPED_KEY.to_vec()))
1042}
1043
1044/// Import given key material as AES-256-GCM-NONE transport key.
1045pub fn import_transport_key(
1046 sec_level: &binder::Strong<dyn IKeystoreSecurityLevel>,
1047 transport_key_alias: Option<String>,
1048 transport_key: &[u8],
1049) -> binder::Result<KeyMetadata> {
1050 let transport_key_params = AuthSetBuilder::new()
1051 .no_auth_required()
1052 .algorithm(Algorithm::AES)
1053 .block_mode(BlockMode::GCM)
1054 .padding_mode(PaddingMode::NONE)
1055 .key_size(256)
1056 .caller_nonce()
1057 .min_mac_length(128)
1058 .purpose(KeyPurpose::ENCRYPT)
1059 .purpose(KeyPurpose::DECRYPT);
1060
1061 sec_level.importKey(
1062 &KeyDescriptor { domain: Domain::APP, nspace: -1, alias: transport_key_alias, blob: None },
1063 None,
1064 &transport_key_params,
1065 0,
1066 transport_key,
1067 )
1068}