keystore2/src/key_parameter.rs

// Copyright 2020, The Android Open Source Project
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

//! KeyParameter is used to express different characteristics of a key requested by the user
//! and enforced by the OEMs. This module implements the internal representation of KeyParameter
//! and the methods to work with KeyParameter.

use crate::error::Error as KeystoreError;
use crate::error::Rc;
pub use android_hardware_keymint::aidl::android::hardware::keymint::{
    Algorithm, Algorithm::Algorithm as AlgorithmType, BlockMode,
    BlockMode::BlockMode as BlockModeType, Digest, Digest::Digest as DigestType, EcCurve,
    EcCurve::EcCurve as EcCurveType, HardwareAuthenticatorType,
    HardwareAuthenticatorType::HardwareAuthenticatorType as HardwareAuthenticatorTypeType,
    KeyOrigin, KeyOrigin::KeyOrigin as KeyOriginType, KeyPurpose,
    KeyPurpose::KeyPurpose as KeyPurposeType, PaddingMode,
    PaddingMode::PaddingMode as PaddingModeType, SecurityLevel,
    SecurityLevel::SecurityLevel as SecurityLevelType, Tag, Tag::Tag as TagType,
};
use anyhow::{Context, Result};
use rusqlite::types::{FromSql, Null, ToSql, ToSqlOutput};
use rusqlite::{Result as SqlResult, Row};

/// KeyParameter wraps the KeyParameterValue and the security level at which it is enforced.
#[derive(Debug, Clone, Eq, PartialEq, Ord, PartialOrd)]
pub struct KeyParameter {
    key_parameter_value: KeyParameterValue,
    security_level: SecurityLevelType,
}

/// KeyParameterValue holds a value corresponding to one of the Tags defined in
/// the AIDL spec at hardware/interfaces/keymint
#[derive(Debug, Clone, Eq, PartialEq, Ord, PartialOrd)]
pub enum KeyParameterValue {
    /// Associated with Tag:INVALID
    Invalid,
    /// Set of purposes for which the key may be used
    KeyPurpose(KeyPurposeType),
    /// Cryptographic algorithm with which the key is used
    Algorithm(AlgorithmType),
    /// Size of the key , in bits
    KeySize(i32),
    /// Block cipher mode(s) with which the key may be used
    BlockMode(BlockModeType),
    /// Digest algorithms that may be used with the key to perform signing and verification
    Digest(DigestType),
    /// Padding modes that may be used with the key.  Relevant to RSA, AES and 3DES keys.
    PaddingMode(PaddingModeType),
    /// Can the caller provide a nonce for nonce-requiring operations
    CallerNonce,
    /// Minimum length of MAC for HMAC keys and AES keys that support GCM mode
    MinMacLength(i32),
    /// The elliptic curve
    EcCurve(EcCurveType),
    /// Value of the public exponent for an RSA key pair
    RSAPublicExponent(i64),
    /// An attestation certificate for the generated key should contain an application-scoped
    /// and time-bounded device-unique ID
    IncludeUniqueID,
    //TODO: find out about this
    // /// Necessary system environment conditions for the generated key to be used
    // KeyBlobUsageRequirements(KeyBlobUsageRequirements),
    /// Only the boot loader can use the key
    BootLoaderOnly,
    /// When deleted, the key is guaranteed to be permanently deleted and unusable
    RollbackResistance,
    /// The date and time at which the key becomes active
    ActiveDateTime(i64),
    /// The date and time at which the key expires for signing and encryption
    OriginationExpireDateTime(i64),
    /// The date and time at which the key expires for verification and decryption
    UsageExpireDateTime(i64),
    /// Minimum amount of time that elapses between allowed operations
    MinSecondsBetweenOps(i32),
    /// Maximum number of times that a key may be used between system reboots
    MaxUsesPerBoot(i32),
    /// ID of the Android user that is permitted to use the key
    UserID(i32),
    /// A key may only be used under a particular secure user authentication state
    UserSecureID(i64),
    /// No authentication is required to use this key
    NoAuthRequired,
    /// The types of user authenticators that may be used to authorize this key
    HardwareAuthenticatorType(HardwareAuthenticatorTypeType),
    /// The time in seconds for which the key is authorized for use, after user authentication
    AuthTimeout(i32),
    /// The key may be used after authentication timeout if device is still on-body
    AllowWhileOnBody,
    /// The key must be unusable except when the user has provided proof of physical presence
    TrustedUserPresenceRequired,
    /// Applicable to keys with KeyPurpose SIGN, and specifies that this key must not be usable
    /// unless the user provides confirmation of the data to be signed
    TrustedConfirmationRequired,
    /// The key may only be used when the device is unlocked
    UnlockedDeviceRequired,
    /// When provided to generateKey or importKey, this tag specifies data
    /// that is necessary during all uses of the key
    ApplicationID(Vec<u8>),
    /// When provided to generateKey or importKey, this tag specifies data
    /// that is necessary during all uses of the key
    ApplicationData(Vec<u8>),
    /// Specifies the date and time the key was created
    CreationDateTime(i64),
    /// Specifies where the key was created, if known
    KeyOrigin(KeyOriginType),
    /// The key used by verified boot to validate the operating system booted
    RootOfTrust(Vec<u8>),
    /// System OS version with which the key may be used
    OSVersion(i32),
    /// Specifies the system security patch level with which the key may be used
    OSPatchLevel(i32),
    /// Specifies a unique, time-based identifier
    UniqueID(Vec<u8>),
    /// Used to deliver a "challenge" value to the attestKey() method
    AttestationChallenge(Vec<u8>),
    /// The set of applications which may use a key, used only with attestKey()
    AttestationApplicationID(Vec<u8>),
    /// Provides the device's brand name, to attestKey()
    AttestationIdBrand(Vec<u8>),
    /// Provides the device's device name, to attestKey()
    AttestationIdDevice(Vec<u8>),
    /// Provides the device's product name, to attestKey()
    AttestationIdProduct(Vec<u8>),
    /// Provides the device's serial number, to attestKey()
    AttestationIdSerial(Vec<u8>),
    /// Provides the IMEIs for all radios on the device, to attestKey()
    AttestationIdIMEI(Vec<u8>),
    /// Provides the MEIDs for all radios on the device, to attestKey()
    AttestationIdMEID(Vec<u8>),
    /// Provides the device's manufacturer name, to attestKey()
    AttestationIdManufacturer(Vec<u8>),
    /// Provides the device's model name, to attestKey()
    AttestationIdModel(Vec<u8>),
    /// Specifies the vendor image security patch level with which the key may be used
    VendorPatchLevel(i32),
    /// Specifies the boot image (kernel) security patch level with which the key may be used
    BootPatchLevel(i32),
    /// Provides "associated data" for AES-GCM encryption or decryption
    AssociatedData(Vec<u8>),
    /// Provides or returns a nonce or Initialization Vector (IV) for AES-GCM,
    /// AES-CBC, AES-CTR, or 3DES-CBC encryption or decryption
    Nonce(Vec<u8>),
    /// Provides the requested length of a MAC or GCM authentication tag, in bits
    MacLength(i32),
    /// Specifies whether the device has been factory reset since the
    /// last unique ID rotation.  Used for key attestation
    ResetSinceIdRotation,
    /// Used to deliver a cryptographic token proving that the user
    ///  confirmed a signing request
    ConfirmationToken(Vec<u8>),
}

impl KeyParameter {
    /// Create an instance of KeyParameter, given the value and the security level.
    pub fn new(key_parameter_value: KeyParameterValue, security_level: SecurityLevelType) -> Self {
        KeyParameter { key_parameter_value, security_level }
    }

    /// Returns the tag given the KeyParameter instance.
    pub fn get_tag(&self) -> TagType {
        match self.key_parameter_value {
            KeyParameterValue::Invalid => Tag::INVALID,
            KeyParameterValue::KeyPurpose(_) => Tag::PURPOSE,
            KeyParameterValue::Algorithm(_) => Tag::ALGORITHM,
            KeyParameterValue::KeySize(_) => Tag::KEY_SIZE,
            KeyParameterValue::BlockMode(_) => Tag::BLOCK_MODE,
            KeyParameterValue::Digest(_) => Tag::DIGEST,
            KeyParameterValue::PaddingMode(_) => Tag::PADDING,
            KeyParameterValue::CallerNonce => Tag::CALLER_NONCE,
            KeyParameterValue::MinMacLength(_) => Tag::MIN_MAC_LENGTH,
            KeyParameterValue::EcCurve(_) => Tag::EC_CURVE,
            KeyParameterValue::RSAPublicExponent(_) => Tag::RSA_PUBLIC_EXPONENT,
            KeyParameterValue::IncludeUniqueID => Tag::INCLUDE_UNIQUE_ID,
            KeyParameterValue::BootLoaderOnly => Tag::BOOTLOADER_ONLY,
            KeyParameterValue::RollbackResistance => Tag::ROLLBACK_RESISTANCE,
            KeyParameterValue::ActiveDateTime(_) => Tag::ACTIVE_DATETIME,
            KeyParameterValue::OriginationExpireDateTime(_) => Tag::ORIGINATION_EXPIRE_DATETIME,
            KeyParameterValue::UsageExpireDateTime(_) => Tag::USAGE_EXPIRE_DATETIME,
            KeyParameterValue::MinSecondsBetweenOps(_) => Tag::MIN_SECONDS_BETWEEN_OPS,
            KeyParameterValue::MaxUsesPerBoot(_) => Tag::MAX_USES_PER_BOOT,
            KeyParameterValue::UserID(_) => Tag::USER_ID,
            KeyParameterValue::UserSecureID(_) => Tag::USER_SECURE_ID,
            KeyParameterValue::NoAuthRequired => Tag::NO_AUTH_REQUIRED,
            KeyParameterValue::HardwareAuthenticatorType(_) => Tag::USER_AUTH_TYPE,
            KeyParameterValue::AuthTimeout(_) => Tag::AUTH_TIMEOUT,
            KeyParameterValue::AllowWhileOnBody => Tag::ALLOW_WHILE_ON_BODY,
            KeyParameterValue::TrustedUserPresenceRequired => Tag::TRUSTED_USER_PRESENCE_REQUIRED,
            KeyParameterValue::TrustedConfirmationRequired => Tag::TRUSTED_CONFIRMATION_REQUIRED,
            KeyParameterValue::UnlockedDeviceRequired => Tag::UNLOCKED_DEVICE_REQUIRED,
            KeyParameterValue::ApplicationID(_) => Tag::APPLICATION_ID,
            KeyParameterValue::ApplicationData(_) => Tag::APPLICATION_DATA,
            KeyParameterValue::CreationDateTime(_) => Tag::CREATION_DATETIME,
            KeyParameterValue::KeyOrigin(_) => Tag::ORIGIN,
            KeyParameterValue::RootOfTrust(_) => Tag::ROOT_OF_TRUST,
            KeyParameterValue::OSVersion(_) => Tag::OS_VERSION,
            KeyParameterValue::OSPatchLevel(_) => Tag::OS_PATCHLEVEL,
            KeyParameterValue::UniqueID(_) => Tag::UNIQUE_ID,
            KeyParameterValue::AttestationChallenge(_) => Tag::ATTESTATION_CHALLENGE,
            KeyParameterValue::AttestationApplicationID(_) => Tag::ATTESTATION_APPLICATION_ID,
            KeyParameterValue::AttestationIdBrand(_) => Tag::ATTESTATION_ID_BRAND,
            KeyParameterValue::AttestationIdDevice(_) => Tag::ATTESTATION_ID_DEVICE,
            KeyParameterValue::AttestationIdProduct(_) => Tag::ATTESTATION_ID_PRODUCT,
            KeyParameterValue::AttestationIdSerial(_) => Tag::ATTESTATION_ID_SERIAL,
            KeyParameterValue::AttestationIdIMEI(_) => Tag::ATTESTATION_ID_IMEI,
            KeyParameterValue::AttestationIdMEID(_) => Tag::ATTESTATION_ID_MEID,
            KeyParameterValue::AttestationIdManufacturer(_) => Tag::ATTESTATION_ID_MANUFACTURER,
            KeyParameterValue::AttestationIdModel(_) => Tag::ATTESTATION_ID_MODEL,
            KeyParameterValue::VendorPatchLevel(_) => Tag::VENDOR_PATCHLEVEL,
            KeyParameterValue::BootPatchLevel(_) => Tag::BOOT_PATCHLEVEL,
            KeyParameterValue::AssociatedData(_) => Tag::ASSOCIATED_DATA,
            KeyParameterValue::Nonce(_) => Tag::NONCE,
            KeyParameterValue::MacLength(_) => Tag::MAC_LENGTH,
            KeyParameterValue::ResetSinceIdRotation => Tag::RESET_SINCE_ID_ROTATION,
            KeyParameterValue::ConfirmationToken(_) => Tag::CONFIRMATION_TOKEN,
        }
    }

    /// Returns key parameter value.
    pub fn key_parameter_value(&self) -> &KeyParameterValue {
        &self.key_parameter_value
    }

    /// Returns the security level of a KeyParameter.
    pub fn security_level(&self) -> &SecurityLevelType {
        &self.security_level
    }
}

#[cfg(test)]
mod basic_tests {
    use super::*;

    // Test basic functionality of KeyParameter.
    #[test]
    fn test_key_parameter() {
        let key_parameter = KeyParameter::new(
            KeyParameterValue::Algorithm(Algorithm::RSA),
            SecurityLevel::STRONGBOX,
        );

        assert_eq!(key_parameter.get_tag(), Tag::ALGORITHM);

        assert_eq!(
            *key_parameter.key_parameter_value(),
            KeyParameterValue::Algorithm(Algorithm::RSA)
        );

        assert_eq!(*key_parameter.security_level(), SecurityLevel::STRONGBOX);
    }
}

/// This struct is defined to postpone converting rusqlite column value to the
/// appropriate key parameter value until we know the corresponding tag value.
/// Wraps the column index and a rusqlite row.
pub struct SqlField<'a>(usize, &'a Row<'a>);

impl<'a> SqlField<'a> {
    /// Creates a new SqlField with the given index and row.
    pub fn new(index: usize, row: &'a Row<'a>) -> Self {
        Self(index, row)
    }
    /// Returns the column value from the row, when we know the expected type.
    pub fn get<T: FromSql>(&self) -> SqlResult<T> {
        self.1.get(self.0)
    }
}

impl ToSql for KeyParameterValue {
    /// Converts KeyParameterValue to be stored in rusqlite database.
    /// Note that following variants of KeyParameterValue should not be stored:
    /// IncludeUniqueID, ApplicationID, ApplicationData, RootOfTrust, UniqueID,
    /// Attestation*, AssociatedData, Nonce, MacLength, ResetSinceIdRotation, ConfirmationToken.
    /// This filtering is enforced at a higher level (i.e. enforcement module) and here we support
    /// conversion for all the variants, to keep error handling simple.
    fn to_sql(&self) -> SqlResult<ToSqlOutput> {
        match self {
            KeyParameterValue::Invalid => Ok(ToSqlOutput::from(Null)),
            KeyParameterValue::KeyPurpose(k) => Ok(ToSqlOutput::from(*k as u32)),
            KeyParameterValue::Algorithm(a) => Ok(ToSqlOutput::from(*a as u32)),
            KeyParameterValue::KeySize(k) => Ok(ToSqlOutput::from(*k)),
            KeyParameterValue::BlockMode(b) => Ok(ToSqlOutput::from(*b as u32)),
            KeyParameterValue::Digest(d) => Ok(ToSqlOutput::from(*d as u32)),
            KeyParameterValue::PaddingMode(p) => Ok(ToSqlOutput::from(*p as u32)),
            KeyParameterValue::CallerNonce => Ok(ToSqlOutput::from(Null)),
            KeyParameterValue::MinMacLength(m) => Ok(ToSqlOutput::from(*m)),
            KeyParameterValue::EcCurve(e) => Ok(ToSqlOutput::from(*e as u32)),
            KeyParameterValue::RSAPublicExponent(r) => Ok(ToSqlOutput::from(*r as i64)),
            KeyParameterValue::IncludeUniqueID => Ok(ToSqlOutput::from(Null)),
            KeyParameterValue::BootLoaderOnly => Ok(ToSqlOutput::from(Null)),
            KeyParameterValue::RollbackResistance => Ok(ToSqlOutput::from(Null)),
            KeyParameterValue::ActiveDateTime(a) => Ok(ToSqlOutput::from(*a as i64)),
            KeyParameterValue::OriginationExpireDateTime(o) => Ok(ToSqlOutput::from(*o as i64)),
            KeyParameterValue::UsageExpireDateTime(u) => Ok(ToSqlOutput::from(*u as i64)),
            KeyParameterValue::MinSecondsBetweenOps(m) => Ok(ToSqlOutput::from(*m)),
            KeyParameterValue::MaxUsesPerBoot(m) => Ok(ToSqlOutput::from(*m)),
            KeyParameterValue::UserID(u) => Ok(ToSqlOutput::from(*u)),
            KeyParameterValue::UserSecureID(u) => Ok(ToSqlOutput::from(*u as i64)),
            KeyParameterValue::NoAuthRequired => Ok(ToSqlOutput::from(Null)),
            KeyParameterValue::HardwareAuthenticatorType(h) => Ok(ToSqlOutput::from(*h as u32)),
            KeyParameterValue::AuthTimeout(m) => Ok(ToSqlOutput::from(*m)),
            KeyParameterValue::AllowWhileOnBody => Ok(ToSqlOutput::from(Null)),
            KeyParameterValue::TrustedUserPresenceRequired => Ok(ToSqlOutput::from(Null)),
            KeyParameterValue::TrustedConfirmationRequired => Ok(ToSqlOutput::from(Null)),
            KeyParameterValue::UnlockedDeviceRequired => Ok(ToSqlOutput::from(Null)),
            KeyParameterValue::ApplicationID(a) => Ok(ToSqlOutput::from(a.to_vec())),
            KeyParameterValue::ApplicationData(a) => Ok(ToSqlOutput::from(a.to_vec())),
            KeyParameterValue::CreationDateTime(c) => Ok(ToSqlOutput::from(*c as i64)),
            KeyParameterValue::KeyOrigin(k) => Ok(ToSqlOutput::from(*k as u32)),
            KeyParameterValue::RootOfTrust(r) => Ok(ToSqlOutput::from(r.to_vec())),
            KeyParameterValue::OSVersion(o) => Ok(ToSqlOutput::from(*o)),
            KeyParameterValue::OSPatchLevel(o) => Ok(ToSqlOutput::from(*o)),
            KeyParameterValue::UniqueID(u) => Ok(ToSqlOutput::from(u.to_vec())),
            KeyParameterValue::AttestationChallenge(a) => Ok(ToSqlOutput::from(a.to_vec())),
            KeyParameterValue::AttestationApplicationID(a) => Ok(ToSqlOutput::from(a.to_vec())),
            KeyParameterValue::AttestationIdBrand(a) => Ok(ToSqlOutput::from(a.to_vec())),
            KeyParameterValue::AttestationIdDevice(a) => Ok(ToSqlOutput::from(a.to_vec())),
            KeyParameterValue::AttestationIdProduct(a) => Ok(ToSqlOutput::from(a.to_vec())),
            KeyParameterValue::AttestationIdSerial(a) => Ok(ToSqlOutput::from(a.to_vec())),
            KeyParameterValue::AttestationIdIMEI(a) => Ok(ToSqlOutput::from(a.to_vec())),
            KeyParameterValue::AttestationIdMEID(a) => Ok(ToSqlOutput::from(a.to_vec())),
            KeyParameterValue::AttestationIdManufacturer(a) => Ok(ToSqlOutput::from(a.to_vec())),
            KeyParameterValue::AttestationIdModel(a) => Ok(ToSqlOutput::from(a.to_vec())),
            KeyParameterValue::VendorPatchLevel(v) => Ok(ToSqlOutput::from(*v)),
            KeyParameterValue::BootPatchLevel(b) => Ok(ToSqlOutput::from(*b)),
            KeyParameterValue::AssociatedData(a) => Ok(ToSqlOutput::from(a.to_vec())),
            KeyParameterValue::Nonce(n) => Ok(ToSqlOutput::from(n.to_vec())),
            KeyParameterValue::MacLength(m) => Ok(ToSqlOutput::from(*m)),
            KeyParameterValue::ResetSinceIdRotation => Ok(ToSqlOutput::from(Null)),
            KeyParameterValue::ConfirmationToken(c) => Ok(ToSqlOutput::from(c.to_vec())),
        }
    }
}

impl KeyParameter {
    /// Construct a KeyParameter from the data from a rusqlite row.
    /// Note that following variants of KeyParameterValue should not be stored:
    /// IncludeUniqueID, ApplicationID, ApplicationData, RootOfTrust, UniqueID,
    /// Attestation*, AssociatedData, Nonce, MacLength, ResetSinceIdRotation, ConfirmationToken.
    /// This filtering is enforced at a higher level and here we support conversion for all the
    /// variants.
    pub fn new_from_sql(
        tag_val: TagType,
        data: &SqlField,
        security_level_val: SecurityLevelType,
    ) -> Result<Self> {
        let key_param_value = match tag_val {
            Tag::INVALID => KeyParameterValue::Invalid,
            Tag::PURPOSE => {
                let key_purpose: KeyPurposeType = data
                    .get()
                    .map_err(|_| KeystoreError::Rc(Rc::ValueCorrupted))
                    .context("Failed to read sql data for tag: PURPOSE.")?;
                KeyParameterValue::KeyPurpose(key_purpose)
            }
            Tag::ALGORITHM => {
                let algorithm: AlgorithmType = data
                    .get()
                    .map_err(|_| KeystoreError::Rc(Rc::ValueCorrupted))
                    .context("Failed to read sql data for tag: ALGORITHM.")?;
                KeyParameterValue::Algorithm(algorithm)
            }
            Tag::KEY_SIZE => {
                let key_size: i32 =
                    data.get().context("Failed to read sql data for tag: KEY_SIZE.")?;
                KeyParameterValue::KeySize(key_size)
            }
            Tag::BLOCK_MODE => {
                let block_mode: BlockModeType = data
                    .get()
                    .map_err(|_| KeystoreError::Rc(Rc::ValueCorrupted))
                    .context("Failed to read sql data for tag: BLOCK_MODE.")?;
                KeyParameterValue::BlockMode(block_mode)
            }
            Tag::DIGEST => {
                let digest: DigestType = data
                    .get()
                    .map_err(|_| KeystoreError::Rc(Rc::ValueCorrupted))
                    .context("Failed to read sql data for tag: DIGEST.")?;
                KeyParameterValue::Digest(digest)
            }
            Tag::PADDING => {
                let padding: PaddingModeType = data
                    .get()
                    .map_err(|_| KeystoreError::Rc(Rc::ValueCorrupted))
                    .context("Failed to read sql data for tag: PADDING.")?;
                KeyParameterValue::PaddingMode(padding)
            }
            Tag::CALLER_NONCE => KeyParameterValue::CallerNonce,
            Tag::MIN_MAC_LENGTH => {
                let min_mac_length: i32 =
                    data.get().context("Failed to read sql data for tag: MIN_MAC_LENGTH.")?;
                KeyParameterValue::MinMacLength(min_mac_length)
            }
            Tag::EC_CURVE => {
                let ec_curve: EcCurveType = data
                    .get()
                    .map_err(|_| KeystoreError::Rc(Rc::ValueCorrupted))
                    .context("Failed to read sql data for tag: EC_CURVE.")?;
                KeyParameterValue::EcCurve(ec_curve)
            }
            Tag::RSA_PUBLIC_EXPONENT => {
                let rsa_pub_exponent: i64 =
                    data.get().context("Failed to read sql data for tag: RSA_PUBLIC_EXPONENT.")?;

                KeyParameterValue::RSAPublicExponent(rsa_pub_exponent)
            }
            Tag::INCLUDE_UNIQUE_ID => KeyParameterValue::IncludeUniqueID,
            Tag::BOOTLOADER_ONLY => KeyParameterValue::BootLoaderOnly,
            Tag::ROLLBACK_RESISTANCE => KeyParameterValue::RollbackResistance,
            Tag::ACTIVE_DATETIME => {
                let active_datetime: i64 =
                    data.get().context("Failed to read sql data for tag: ACTIVE_DATETIME.")?;
                KeyParameterValue::ActiveDateTime(active_datetime)
            }
            Tag::ORIGINATION_EXPIRE_DATETIME => {
                let origination_expire_datetime: i64 = data
                    .get()
                    .context("Failed to read sql data for tag: ORIGINATION_EXPIRE_DATETIME.")?;
                KeyParameterValue::OriginationExpireDateTime(origination_expire_datetime)
            }
            Tag::USAGE_EXPIRE_DATETIME => {
                let usage_expire_datetime: i64 = data
                    .get()
                    .context("Failed to read sql data for tag: USAGE_EXPIRE_DATETIME.")?;
                KeyParameterValue::UsageExpireDateTime(usage_expire_datetime)
            }
            Tag::MIN_SECONDS_BETWEEN_OPS => {
                let min_secs_between_ops: i32 = data
                    .get()
                    .context("Failed to read sql data for tag: MIN_SECONDS_BETWEEN_OPS.")?;
                KeyParameterValue::MinSecondsBetweenOps(min_secs_between_ops)
            }
            Tag::MAX_USES_PER_BOOT => {
                let max_uses_per_boot: i32 =
                    data.get().context("Failed to read sql data for tag: MAX_USES_PER_BOOT.")?;
                KeyParameterValue::MaxUsesPerBoot(max_uses_per_boot)
            }
            Tag::USER_ID => {
                let user_id: i32 =
                    data.get().context("Failed to read sql data for tag: USER_ID.")?;
                KeyParameterValue::UserID(user_id)
            }
            Tag::USER_SECURE_ID => {
                let user_secure_id: i64 =
                    data.get().context("Failed to read sql data for tag: USER_SECURE_ID.")?;
                KeyParameterValue::UserSecureID(user_secure_id)
            }
            Tag::NO_AUTH_REQUIRED => KeyParameterValue::NoAuthRequired,
            Tag::USER_AUTH_TYPE => {
                let user_auth_type: HardwareAuthenticatorTypeType = data
                    .get()
                    .map_err(|_| KeystoreError::Rc(Rc::ValueCorrupted))
                    .context("Failed to read sql data for tag: USER_AUTH_TYPE.")?;
                KeyParameterValue::HardwareAuthenticatorType(user_auth_type)
            }
            Tag::AUTH_TIMEOUT => {
                let auth_timeout: i32 =
                    data.get().context("Failed to read sql data for tag: AUTH_TIMEOUT.")?;
                KeyParameterValue::AuthTimeout(auth_timeout)
            }
            Tag::ALLOW_WHILE_ON_BODY => KeyParameterValue::AllowWhileOnBody,
            Tag::TRUSTED_USER_PRESENCE_REQUIRED => KeyParameterValue::TrustedUserPresenceRequired,
            Tag::TRUSTED_CONFIRMATION_REQUIRED => KeyParameterValue::TrustedConfirmationRequired,
            Tag::UNLOCKED_DEVICE_REQUIRED => KeyParameterValue::UnlockedDeviceRequired,
            Tag::APPLICATION_ID => {
                let app_id: Vec<u8> =
                    data.get().context("Failed to read sql data for tag: APPLICATION_ID.")?;
                KeyParameterValue::ApplicationID(app_id)
            }
            Tag::APPLICATION_DATA => {
                let app_data: Vec<u8> =
                    data.get().context("Failed to read sql data for tag: APPLICATION_DATA.")?;
                KeyParameterValue::ApplicationData(app_data)
            }
            Tag::CREATION_DATETIME => {
                let creation_datetime: i64 =
                    data.get().context("Failed to read sql data for tag: CREATION_DATETIME.")?;
                KeyParameterValue::CreationDateTime(creation_datetime)
            }
            Tag::ORIGIN => {
                let origin: KeyOriginType = data
                    .get()
                    .map_err(|_| KeystoreError::Rc(Rc::ValueCorrupted))
                    .context("Failed to read sql data for tag: ORIGIN.")?;
                KeyParameterValue::KeyOrigin(origin)
            }
            Tag::ROOT_OF_TRUST => {
                let root_of_trust: Vec<u8> =
                    data.get().context("Failed to read sql data for tag: ROOT_OF_TRUST.")?;
                KeyParameterValue::RootOfTrust(root_of_trust)
            }
            Tag::OS_VERSION => {
                let os_version: i32 =
                    data.get().context("Failed to read sql data for tag: OS_VERSION.")?;
                KeyParameterValue::OSVersion(os_version)
            }
            Tag::OS_PATCHLEVEL => {
                let os_patch_level: i32 =
                    data.get().context("Failed to read sql data for tag: OS_PATCHLEVEL.")?;
                KeyParameterValue::OSPatchLevel(os_patch_level)
            }
            Tag::UNIQUE_ID => {
                let unique_id: Vec<u8> =
                    data.get().context("Failed to read sql data for tag: UNIQUE_ID.")?;
                KeyParameterValue::UniqueID(unique_id)
            }
            Tag::ATTESTATION_CHALLENGE => {
                let attestation_challenge: Vec<u8> = data
                    .get()
                    .context("Failed to read sql data for tag: ATTESTATION_CHALLENGE.")?;
                KeyParameterValue::AttestationChallenge(attestation_challenge)
            }
            Tag::ATTESTATION_APPLICATION_ID => {
                let attestation_app_id: Vec<u8> = data
                    .get()
                    .context("Failed to read sql data for tag: ATTESTATION_APPLICATION_ID.")?;
                KeyParameterValue::AttestationApplicationID(attestation_app_id)
            }
            Tag::ATTESTATION_ID_BRAND => {
                let attestation_id_brand: Vec<u8> =
                    data.get().context("Failed to read sql data for tag: ATTESTATION_ID_BRAND.")?;
                KeyParameterValue::AttestationIdBrand(attestation_id_brand)
            }
            Tag::ATTESTATION_ID_DEVICE => {
                let attestation_id_device: Vec<u8> = data
                    .get()
                    .context("Failed to read sql data for tag: ATTESTATION_ID_DEVICE.")?;
                KeyParameterValue::AttestationIdDevice(attestation_id_device)
            }
            Tag::ATTESTATION_ID_PRODUCT => {
                let attestation_id_product: Vec<u8> = data
                    .get()
                    .context("Failed to read sql data for tag: ATTESTATION_ID_PRODUCT.")?;
                KeyParameterValue::AttestationIdProduct(attestation_id_product)
            }
            Tag::ATTESTATION_ID_SERIAL => {
                let attestation_id_serial: Vec<u8> = data
                    .get()
                    .context("Failed to read sql data for tag: ATTESTATION_ID_SERIAL.")?;
                KeyParameterValue::AttestationIdSerial(attestation_id_serial)
            }
            Tag::ATTESTATION_ID_IMEI => {
                let attestation_id_imei: Vec<u8> =
                    data.get().context("Failed to read sql data for tag: ATTESTATION_ID_IMEI.")?;
                KeyParameterValue::AttestationIdIMEI(attestation_id_imei)
            }
            Tag::ATTESTATION_ID_MEID => {
                let attestation_id_meid: Vec<u8> =
                    data.get().context("Failed to read sql data for tag: ATTESTATION_ID_MEID.")?;
                KeyParameterValue::AttestationIdMEID(attestation_id_meid)
            }
            Tag::ATTESTATION_ID_MANUFACTURER => {
                let attestation_id_manufacturer: Vec<u8> = data
                    .get()
                    .context("Failed to read sql data for tag: ATTESTATION_ID_MANUFACTURER.")?;
                KeyParameterValue::AttestationIdManufacturer(attestation_id_manufacturer)
            }
            Tag::ATTESTATION_ID_MODEL => {
                let attestation_id_model: Vec<u8> =
                    data.get().context("Failed to read sql data for tag: ATTESTATION_ID_MODEL.")?;
                KeyParameterValue::AttestationIdModel(attestation_id_model)
            }
            Tag::VENDOR_PATCHLEVEL => {
                let vendor_patch_level: i32 =
                    data.get().context("Failed to read sql data for tag: VENDOR_PATCHLEVEL.")?;
                KeyParameterValue::VendorPatchLevel(vendor_patch_level)
            }
            Tag::BOOT_PATCHLEVEL => {
                let boot_patch_level: i32 =
                    data.get().context("Failed to read sql data for tag: BOOT_PATCHLEVEL.")?;
                KeyParameterValue::BootPatchLevel(boot_patch_level)
            }
            Tag::ASSOCIATED_DATA => {
                let associated_data: Vec<u8> =
                    data.get().context("Failed to read sql data for tag: ASSOCIATED_DATA.")?;
                KeyParameterValue::AssociatedData(associated_data)
            }
            Tag::NONCE => {
                let nonce: Vec<u8> =
                    data.get().context("Failed to read sql data for tag: NONCE.")?;
                KeyParameterValue::Nonce(nonce)
            }
            Tag::MAC_LENGTH => {
                let mac_length: i32 =
                    data.get().context("Failed to read sql data for tag: MAC_LENGTH.")?;
                KeyParameterValue::MacLength(mac_length)
            }
            Tag::RESET_SINCE_ID_ROTATION => KeyParameterValue::ResetSinceIdRotation,
            Tag::CONFIRMATION_TOKEN => {
                let confirmation_token: Vec<u8> =
                    data.get().context("Failed to read sql data for tag: CONFIRMATION_TOKEN.")?;
                KeyParameterValue::ConfirmationToken(confirmation_token)
            }
            _ => {
                return Err(KeystoreError::Rc(Rc::ValueCorrupted))
                    .context("Failed to decode Tag enum from value.")?
            }
        };
        Ok(KeyParameter::new(key_param_value, security_level_val))
    }
}

/// The storage_tests module first tests the 'new_from_sql' method for KeyParameters of different
/// data types and then tests 'to_sql' method for KeyParameters of those
/// different data types. The five different data types for KeyParameter values are:
/// i) enums of u32
/// ii) u32
/// iii) u64
/// iv) Vec<u8>
/// v) bool
#[cfg(test)]
mod storage_tests {
    use crate::error::*;
    use crate::key_parameter::*;
    use anyhow::Result;
    use rusqlite::types::ToSql;
    use rusqlite::{params, Connection, NO_PARAMS};

    /// Test initializing a KeyParameter (with key parameter value corresponding to an enum of i32)
    /// from a database table row.
    #[test]
    fn test_new_from_sql_enum_i32() -> Result<()> {
        let db = init_db()?;
        insert_into_keyparameter(
            &db,
            1,
            Tag::ALGORITHM,
            &Algorithm::RSA,
            SecurityLevel::STRONGBOX,
        )?;
        let key_param = query_from_keyparameter(&db)?;
        assert_eq!(Tag::ALGORITHM, key_param.get_tag());
        assert_eq!(*key_param.key_parameter_value(), KeyParameterValue::Algorithm(Algorithm::RSA));
        assert_eq!(*key_param.security_level(), SecurityLevel::STRONGBOX);
        Ok(())
    }

    /// Test initializing a KeyParameter (with key parameter value which is of i32)
    /// from a database table row.
    #[test]
    fn test_new_from_sql_i32() -> Result<()> {
        let db = init_db()?;
        insert_into_keyparameter(&db, 1, Tag::KEY_SIZE, &1024, SecurityLevel::STRONGBOX)?;
        let key_param = query_from_keyparameter(&db)?;
        assert_eq!(Tag::KEY_SIZE, key_param.get_tag());
        assert_eq!(*key_param.key_parameter_value(), KeyParameterValue::KeySize(1024));
        Ok(())
    }

    /// Test initializing a KeyParameter (with key parameter value which is of i64)
    /// from a database table row.
    #[test]
    fn test_new_from_sql_i64() -> Result<()> {
        let db = init_db()?;
        // max value for i64, just to test corner cases
        insert_into_keyparameter(
            &db,
            1,
            Tag::RSA_PUBLIC_EXPONENT,
            &(i64::MAX),
            SecurityLevel::STRONGBOX,
        )?;
        let key_param = query_from_keyparameter(&db)?;
        assert_eq!(Tag::RSA_PUBLIC_EXPONENT, key_param.get_tag());
        assert_eq!(
            *key_param.key_parameter_value(),
            KeyParameterValue::RSAPublicExponent(i64::MAX)
        );
        Ok(())
    }

    /// Test initializing a KeyParameter (with key parameter value which is of bool)
    /// from a database table row.
    #[test]
    fn test_new_from_sql_bool() -> Result<()> {
        let db = init_db()?;
        insert_into_keyparameter(&db, 1, Tag::CALLER_NONCE, &Null, SecurityLevel::STRONGBOX)?;
        let key_param = query_from_keyparameter(&db)?;
        assert_eq!(Tag::CALLER_NONCE, key_param.get_tag());
        assert_eq!(*key_param.key_parameter_value(), KeyParameterValue::CallerNonce);
        Ok(())
    }

    /// Test initializing a KeyParameter (with key parameter value which is of Vec<u8>)
    /// from a database table row.
    #[test]
    fn test_new_from_sql_vec_u8() -> Result<()> {
        let db = init_db()?;
        let app_id = String::from("MyAppID");
        let app_id_bytes = app_id.into_bytes();
        insert_into_keyparameter(
            &db,
            1,
            Tag::APPLICATION_ID,
            &app_id_bytes,
            SecurityLevel::STRONGBOX,
        )?;
        let key_param = query_from_keyparameter(&db)?;
        assert_eq!(Tag::APPLICATION_ID, key_param.get_tag());
        assert_eq!(
            *key_param.key_parameter_value(),
            KeyParameterValue::ApplicationID(app_id_bytes)
        );
        Ok(())
    }

    /// Test storing a KeyParameter (with key parameter value which corresponds to an enum of i32)
    /// in the database
    #[test]
    fn test_to_sql_enum_i32() -> Result<()> {
        let db = init_db()?;
        let kp = KeyParameter::new(
            KeyParameterValue::Algorithm(Algorithm::RSA),
            SecurityLevel::STRONGBOX,
        );
        store_keyparameter(&db, 1, &kp)?;
        let key_param = query_from_keyparameter(&db)?;
        assert_eq!(kp.get_tag(), key_param.get_tag());
        assert_eq!(kp.key_parameter_value(), key_param.key_parameter_value());
        assert_eq!(kp.security_level(), key_param.security_level());
        Ok(())
    }

    /// Test storing a KeyParameter (with key parameter value which is of i32) in the database
    #[test]
    fn test_to_sql_i32() -> Result<()> {
        let db = init_db()?;
        let kp = KeyParameter::new(KeyParameterValue::KeySize(1024), SecurityLevel::STRONGBOX);
        store_keyparameter(&db, 1, &kp)?;
        let key_param = query_from_keyparameter(&db)?;
        assert_eq!(kp.get_tag(), key_param.get_tag());
        assert_eq!(kp.key_parameter_value(), key_param.key_parameter_value());
        assert_eq!(kp.security_level(), key_param.security_level());
        Ok(())
    }

    /// Test storing a KeyParameter (with key parameter value which is of i64) in the database
    #[test]
    fn test_to_sql_i64() -> Result<()> {
        let db = init_db()?;
        // max value for i64, just to test corner cases
        let kp = KeyParameter::new(
            KeyParameterValue::RSAPublicExponent(i64::MAX),
            SecurityLevel::STRONGBOX,
        );
        store_keyparameter(&db, 1, &kp)?;
        let key_param = query_from_keyparameter(&db)?;
        assert_eq!(kp.get_tag(), key_param.get_tag());
        assert_eq!(kp.key_parameter_value(), key_param.key_parameter_value());
        assert_eq!(kp.security_level(), key_param.security_level());
        Ok(())
    }

    /// Test storing a KeyParameter (with key parameter value which is of Vec<u8>) in the database
    #[test]
    fn test_to_sql_vec_u8() -> Result<()> {
        let db = init_db()?;
        let kp = KeyParameter::new(
            KeyParameterValue::ApplicationID(String::from("MyAppID").into_bytes()),
            SecurityLevel::STRONGBOX,
        );
        store_keyparameter(&db, 1, &kp)?;
        let key_param = query_from_keyparameter(&db)?;
        assert_eq!(kp.get_tag(), key_param.get_tag());
        assert_eq!(kp.key_parameter_value(), key_param.key_parameter_value());
        assert_eq!(kp.security_level(), key_param.security_level());
        Ok(())
    }

    /// Test storing a KeyParameter (with key parameter value which is of i32) in the database
    #[test]
    fn test_to_sql_bool() -> Result<()> {
        let db = init_db()?;
        let kp = KeyParameter::new(KeyParameterValue::CallerNonce, SecurityLevel::STRONGBOX);
        store_keyparameter(&db, 1, &kp)?;
        let key_param = query_from_keyparameter(&db)?;
        assert_eq!(kp.get_tag(), key_param.get_tag());
        assert_eq!(kp.key_parameter_value(), key_param.key_parameter_value());
        assert_eq!(kp.security_level(), key_param.security_level());
        Ok(())
    }

    #[test]
    /// Test Tag::Invalid
    fn test_invalid_tag() -> Result<()> {
        let db = init_db()?;
        insert_into_keyparameter(&db, 1, 0, &123, 1)?;
        let key_param = query_from_keyparameter(&db)?;
        assert_eq!(Tag::INVALID, key_param.get_tag());
        Ok(())
    }

    #[test]
    fn test_non_existing_enum_variant() -> Result<()> {
        let db = init_db()?;
        insert_into_keyparameter(&db, 1, 100, &123, 1)?;
        tests::check_result_contains_error_string(
            query_from_keyparameter(&db),
            "Failed to decode Tag enum from value.",
        );
        Ok(())
    }

    #[test]
    fn test_invalid_conversion_from_sql() -> Result<()> {
        let db = init_db()?;
        insert_into_keyparameter(&db, 1, Tag::ALGORITHM, &Null, 1)?;
        tests::check_result_contains_error_string(
            query_from_keyparameter(&db),
            "Failed to read sql data for tag: ALGORITHM.",
        );
        Ok(())
    }

    /// Helper method to init database table for key parameter
    fn init_db() -> Result<Connection> {
        let db = Connection::open_in_memory().context("Failed to initialize sqlite connection.")?;
        db.execute("ATTACH DATABASE ? as 'persistent';", params![""])
            .context("Failed to attach databases.")?;
        db.execute(
            "CREATE TABLE IF NOT EXISTS persistent.keyparameter (
                                keyentryid INTEGER,
                                tag INTEGER,
                                data ANY,
                                security_level INTEGER);",
            NO_PARAMS,
        )
        .context("Failed to initialize \"keyparameter\" table.")?;
        Ok(db)
    }

    /// Helper method to insert an entry into key parameter table, with individual parameters
    fn insert_into_keyparameter<T: ToSql>(
        db: &Connection,
        key_id: i64,
        tag: i32,
        value: &T,
        security_level: i32,
    ) -> Result<()> {
        db.execute(
            "INSERT into persistent.keyparameter (keyentryid, tag, data, security_level)
VALUES(?, ?, ?, ?);",
            params![key_id, tag, *value, security_level],
        )?;
        Ok(())
    }

    /// Helper method to store a key parameter instance.
    fn store_keyparameter(db: &Connection, key_id: i64, kp: &KeyParameter) -> Result<()> {
        db.execute(
            "INSERT into persistent.keyparameter (keyentryid, tag, data, security_level)
VALUES(?, ?, ?, ?);",
            params![key_id, kp.get_tag(), kp.key_parameter_value(), kp.security_level()],
        )?;
        Ok(())
    }

    /// Helper method to query a row from keyparameter table
    fn query_from_keyparameter(db: &Connection) -> Result<KeyParameter> {
        let mut stmt = db.prepare(
            "SELECT tag, data, security_level FROM
persistent.keyparameter",
        )?;
        let mut rows = stmt.query(NO_PARAMS)?;
        let row = rows.next()?.unwrap();
        Ok(KeyParameter::new_from_sql(row.get(0)?, &SqlField(1, row), row.get(2)?)?)
    }
}