Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_security / 4b7b5986f66ec57bc6acd07d99a1d484f4a7426e / . / keystore2 / test_utils / key_generations.rs
blob: e4c4968f26aa0e688c918a7c349a6133e922cc1f [file] [log] [blame]
Rajesh Nyamagoud901386c2022-03-21 20:35:18 +0000[diff] [blame]1// Copyright 2022, The Android Open Source Project
2//
3// Licensed under the Apache License, Version 2.0 (the "License");
4// you may not use this file except in compliance with the License.
5// You may obtain a copy of the License at
6//
7// http://www.apache.org/licenses/LICENSE-2.0
8//
9// Unless required by applicable law or agreed to in writing, software
10// distributed under the License is distributed on an "AS IS" BASIS,
11// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12// See the License for the specific language governing permissions and
13// limitations under the License.
14
15//! This module implements test utils to generate various types of keys.
16
Rajesh Nyamagoudb881d512021-12-10 00:33:15 +0000[diff] [blame]17use anyhow::Result;
18
Rajesh Nyamagoud901386c2022-03-21 20:35:18 +0000[diff] [blame]19use android_hardware_security_keymint::aidl::android::hardware::security::keymint::{
Rajesh Nyamagoud11912ea2021-12-20 20:37:20 +0000[diff] [blame]20 Algorithm::Algorithm, BlockMode::BlockMode, Digest::Digest, EcCurve::EcCurve,
Rajesh Nyamagoudc946cc42022-04-12 22:49:11 +0000[diff] [blame]21 ErrorCode::ErrorCode, HardwareAuthenticatorType::HardwareAuthenticatorType,
22 KeyOrigin::KeyOrigin, KeyParameter::KeyParameter, KeyParameterValue::KeyParameterValue,
23 KeyPurpose::KeyPurpose, PaddingMode::PaddingMode, Tag::Tag,
Rajesh Nyamagoud901386c2022-03-21 20:35:18 +0000[diff] [blame]24};
25use android_system_keystore2::aidl::android::system::keystore2::{
Rajesh Nyamagoudc946cc42022-04-12 22:49:11 +0000[diff] [blame]26 AuthenticatorSpec::AuthenticatorSpec, Authorization::Authorization, Domain::Domain,
27 IKeystoreSecurityLevel::IKeystoreSecurityLevel, KeyDescriptor::KeyDescriptor,
28 KeyMetadata::KeyMetadata, ResponseCode::ResponseCode,
Rajesh Nyamagoud901386c2022-03-21 20:35:18 +0000[diff] [blame]29};
30
31use crate::authorizations::AuthSetBuilder;
Rajesh Nyamagoudb881d512021-12-10 00:33:15 +0000[diff] [blame]32use android_system_keystore2::binder::{ExceptionCode, Result as BinderResult};
Rajesh Nyamagoud901386c2022-03-21 20:35:18 +0000[diff] [blame]33
Rajesh Nyamagoudb881d512021-12-10 00:33:15 +0000[diff] [blame]34/// Shell namespace.
35pub const SELINUX_SHELL_NAMESPACE: i64 = 1;
Rajesh Nyamagouddc6fb232021-12-08 21:27:15 +0000[diff] [blame]36/// Vold namespace.
37pub const SELINUX_VOLD_NAMESPACE: i64 = 100;
Rajesh Nyamagoud901386c2022-03-21 20:35:18 +0000[diff] [blame]38
Rajesh Nyamagoudfa7c0f12021-12-02 17:15:48 +0000[diff] [blame]39/// SU context.
40pub const TARGET_SU_CTX: &str = "u:r:su:s0";
41
42/// Vold context
43pub const TARGET_VOLD_CTX: &str = "u:r:vold:s0";
44
Rajesh Nyamagoud11912ea2021-12-20 20:37:20 +0000[diff] [blame]45/// Key parameters to generate a key.
46pub struct KeyParams {
47 /// Key Size.
48 pub key_size: i32,
49 /// Key Purposes.
50 pub purpose: Vec<KeyPurpose>,
51 /// Padding Mode.
52 pub padding: Option<PaddingMode>,
53 /// Digest.
54 pub digest: Option<Digest>,
55 /// MFG Digest.
56 pub mgf_digest: Option<Digest>,
57 /// Block Mode.
58 pub block_mode: Option<BlockMode>,
59 /// Attestation challenge.
60 pub att_challenge: Option<Vec<u8>>,
Rajesh Nyamagoud11912ea2021-12-20 20:37:20 +0000[diff] [blame]61}
62
Rajesh Nyamagoudb8402b62022-04-08 01:05:47 +0000[diff] [blame]63/// DER-encoded PKCS#8 format RSA key. Generated using:
64/// openssl genrsa 2048 | openssl pkcs8 -topk8 -nocrypt -outform der | hexdump -e '30/1 "%02X" "\n"'
65pub static RSA_2048_KEY: &[u8] = &[
66 0x30, 0x82, 0x04, 0xBD, 0x02, 0x01, 0x00, 0x30, 0x0D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7,
67 0x0D, 0x01, 0x01, 0x01, 0x05, 0x00, 0x04, 0x82, 0x04, 0xA7, 0x30, 0x82, 0x04, 0xA3, 0x02, 0x01,
68 0x00, 0x02, 0x82, 0x01, 0x01, 0x00, 0xE5, 0x14, 0xE3, 0xC2, 0x43, 0xF3, 0x0F, 0xCC, 0x22, 0x73,
69 0x9C, 0x84, 0xCC, 0x1B, 0x6C, 0x97, 0x4B, 0xC9, 0xDF, 0x1F, 0xE2, 0xB8, 0x80, 0x85, 0xF9, 0x27,
70 0xAB, 0x97, 0x94, 0x58, 0x4B, 0xC9, 0x40, 0x94, 0x5A, 0xB4, 0xD4, 0xF8, 0xD0, 0x36, 0xC4, 0x86,
71 0x17, 0x7D, 0xA2, 0x48, 0x6D, 0x40, 0xF0, 0xB9, 0x61, 0x4F, 0xCE, 0x65, 0x80, 0x88, 0x81, 0x59,
72 0x95, 0x11, 0x24, 0xF4, 0x36, 0xB7, 0xB7, 0x37, 0x44, 0xF4, 0x6C, 0x1C, 0xEB, 0x04, 0x19, 0x78,
73 0xB2, 0x29, 0x4D, 0x21, 0x44, 0x16, 0x57, 0x58, 0x6D, 0x7D, 0x56, 0xB5, 0x99, 0xDD, 0xD2, 0xAD,
74 0x02, 0x9A, 0x72, 0x16, 0x67, 0xD6, 0x00, 0x9F, 0x69, 0xE0, 0x25, 0xEE, 0x7C, 0x86, 0x54, 0x27,
75 0x4B, 0x50, 0xEF, 0x60, 0x52, 0x60, 0x82, 0xAA, 0x09, 0x15, 0x72, 0xD2, 0xEB, 0x01, 0x52, 0x04,
76 0x39, 0x60, 0xBC, 0x5E, 0x95, 0x07, 0xC8, 0xC2, 0x3A, 0x3A, 0xE2, 0xA4, 0x99, 0x6B, 0x27, 0xE3,
77 0xA3, 0x55, 0x69, 0xC4, 0xB3, 0x2D, 0x19, 0xC4, 0x34, 0x76, 0xFC, 0x27, 0xDA, 0x22, 0xB2, 0x62,
78 0x69, 0x25, 0xDE, 0x0D, 0xE7, 0x54, 0x3C, 0xBB, 0x61, 0xD2, 0x20, 0xDA, 0x7B, 0x6E, 0x63, 0xBD,
79 0x9A, 0x4B, 0xCD, 0x75, 0xC6, 0xA1, 0x5E, 0x1C, 0x3E, 0xD5, 0x63, 0x59, 0x22, 0x7E, 0xE0, 0x6C,
80 0x98, 0x25, 0x63, 0x97, 0x56, 0xDF, 0x71, 0xF5, 0x4C, 0x78, 0xE9, 0xE1, 0xD5, 0xFC, 0xF8, 0x5A,
81 0x5B, 0xF6, 0x1D, 0xFA, 0x5A, 0x99, 0x4C, 0x99, 0x19, 0x21, 0x1D, 0xF5, 0x24, 0x07, 0xEF, 0x8A,
82 0xC9, 0x9F, 0xE7, 0x3F, 0xBB, 0x46, 0x1A, 0x16, 0x96, 0xC6, 0xD6, 0x12, 0x7E, 0xDA, 0xCB, 0xEB,
83 0x2F, 0x1D, 0x3B, 0x31, 0xCC, 0x55, 0x63, 0xA2, 0x6F, 0x8A, 0xDE, 0x35, 0x52, 0x40, 0x04, 0xBF,
84 0xE0, 0x82, 0x32, 0xE1, 0x6D, 0x8B, 0x02, 0x03, 0x01, 0x00, 0x01, 0x02, 0x82, 0x01, 0x00, 0x2D,
85 0x1F, 0x71, 0x41, 0x79, 0xBA, 0xED, 0xD8, 0xAA, 0xCC, 0x94, 0xFE, 0xFF, 0x69, 0x43, 0x79, 0x85,
86 0xBF, 0x2C, 0xC9, 0x0E, 0x12, 0x83, 0x96, 0x60, 0x1E, 0x75, 0x49, 0x35, 0x3A, 0x33, 0x2B, 0x60,
87 0x22, 0x18, 0xBF, 0xD7, 0xD7, 0x6E, 0xC3, 0xEA, 0xEF, 0xF2, 0xBE, 0x97, 0x71, 0xA6, 0xBB, 0x8C,
88 0xEF, 0x27, 0x00, 0xDE, 0x49, 0xD6, 0x08, 0x8D, 0x5A, 0x04, 0xE7, 0xCC, 0x9C, 0xA2, 0x0E, 0x8B,
89 0xF3, 0x42, 0x0C, 0xD7, 0x22, 0xD7, 0x14, 0x06, 0xA4, 0x64, 0x8B, 0x88, 0x1A, 0xCE, 0x5B, 0x8C,
90 0x36, 0xE9, 0xD2, 0x2F, 0x7B, 0x33, 0xE4, 0xA2, 0xB3, 0xDB, 0x78, 0x6A, 0x92, 0x89, 0x3F, 0x78,
91 0xFD, 0xED, 0x8F, 0xEE, 0x48, 0xCC, 0x94, 0x75, 0x0D, 0x0C, 0x63, 0xD3, 0xD2, 0xE8, 0x47, 0x04,
92 0x55, 0xD3, 0xD6, 0x3A, 0xB8, 0xDA, 0xFB, 0x76, 0x99, 0x48, 0x68, 0x0A, 0x92, 0xA2, 0xCD, 0xF7,
93 0x45, 0x8B, 0x50, 0xFE, 0xF9, 0x1A, 0x33, 0x24, 0x3C, 0x2E, 0xDE, 0x88, 0xAD, 0xB2, 0x5B, 0x9F,
94 0x44, 0xEA, 0xD1, 0x9F, 0xC7, 0x9F, 0x02, 0x5E, 0x31, 0x61, 0xB3, 0xD6, 0xE2, 0xE1, 0xBC, 0xFB,
95 0x1C, 0xDB, 0xBD, 0xB2, 0x9A, 0xE5, 0xEF, 0xDA, 0xCD, 0x29, 0xA5, 0x45, 0xCC, 0x67, 0x01, 0x8B,
96 0x1C, 0x1D, 0x0E, 0x8F, 0x73, 0x69, 0x4D, 0x4D, 0xF6, 0x9D, 0xA6, 0x6C, 0x9A, 0x1C, 0xF4, 0x5C,
97 0xE4, 0x83, 0x9A, 0x77, 0x12, 0x01, 0xBD, 0xCE, 0x66, 0x3A, 0x4B, 0x3D, 0x6E, 0xE0, 0x6E, 0x82,
98 0x98, 0xDE, 0x74, 0x11, 0x47, 0xEC, 0x7A, 0x3A, 0xA9, 0xD8, 0x48, 0x00, 0x26, 0x64, 0x47, 0x7B,
99 0xAE, 0x55, 0x9D, 0x29, 0x22, 0xB4, 0xB3, 0xB9, 0xB1, 0x64, 0xEA, 0x3B, 0x5A, 0xD3, 0x3F, 0x8D,
100 0x0F, 0x14, 0x7E, 0x4E, 0xB8, 0x1B, 0x06, 0xFC, 0xB1, 0x7E, 0xCD, 0xB9, 0x1A, 0x4E, 0xA1, 0x02,
101 0x81, 0x81, 0x00, 0xF9, 0xDE, 0xEE, 0xED, 0x13, 0x2F, 0xBB, 0xE7, 0xE2, 0xB3, 0x2D, 0x98, 0xD2,
102 0xE8, 0x25, 0x07, 0x5A, 0x1E, 0x51, 0x0A, 0xC8, 0xAD, 0x50, 0x4B, 0x80, 0xC6, 0x22, 0xF5, 0x9B,
103 0x08, 0xE6, 0x3D, 0x01, 0xC6, 0x3E, 0xC8, 0xD2, 0x54, 0x9F, 0x91, 0x77, 0x95, 0xCD, 0xCA, 0xC7,
104 0xE7, 0x47, 0x94, 0xA9, 0x5F, 0x4E, 0xBE, 0x31, 0x3D, 0xB4, 0xAF, 0x43, 0x0F, 0xDC, 0x8D, 0x9C,
105 0x1E, 0x52, 0x7B, 0x72, 0x21, 0x34, 0xB3, 0x96, 0x7C, 0x9C, 0xB8, 0x51, 0x65, 0x60, 0xAC, 0x3D,
106 0x11, 0x32, 0xB8, 0xD6, 0x34, 0x35, 0x66, 0xD0, 0x30, 0xB9, 0xE9, 0x67, 0x2C, 0x87, 0x73, 0x43,
107 0x9C, 0x12, 0x16, 0x7D, 0x4A, 0xD9, 0xA3, 0x4C, 0x24, 0x64, 0x6A, 0x32, 0x8E, 0xC3, 0xD8, 0x00,
108 0x90, 0x5C, 0x4D, 0x65, 0x01, 0x53, 0x8A, 0xD0, 0x87, 0xCE, 0x96, 0xEF, 0xFA, 0x73, 0x03, 0xF1,
109 0xDC, 0x1B, 0x9B, 0x02, 0x81, 0x81, 0x00, 0xEA, 0xB3, 0x69, 0x00, 0x11, 0x0E, 0x50, 0xAA, 0xD3,
110 0x22, 0x51, 0x78, 0x9D, 0xFF, 0x05, 0x62, 0xBC, 0x9A, 0x67, 0x86, 0xE1, 0xC5, 0x02, 0x2D, 0x14,
111 0x11, 0x29, 0x30, 0xE7, 0x90, 0x5D, 0x72, 0x6F, 0xC5, 0x62, 0xEB, 0xD4, 0xB0, 0x3F, 0x3D, 0xDC,
112 0xB9, 0xFC, 0x2B, 0x5C, 0xBD, 0x9E, 0x71, 0x81, 0x5C, 0xC5, 0xFE, 0xDF, 0x69, 0x73, 0x12, 0x66,
113 0x92, 0x06, 0xD4, 0xD5, 0x8F, 0xDF, 0x14, 0x2E, 0x9C, 0xD0, 0x4C, 0xC2, 0x4D, 0x31, 0x2E, 0x47,
114 0xA5, 0xDC, 0x8A, 0x83, 0x7B, 0xE8, 0xA5, 0xC3, 0x03, 0x98, 0xD8, 0xBF, 0xF4, 0x7D, 0x6E, 0x87,
115 0x55, 0xE4, 0x0F, 0x15, 0x10, 0xC8, 0x76, 0x4F, 0xAD, 0x1D, 0x1C, 0x95, 0x41, 0x9D, 0x88, 0xEC,
116 0x8C, 0xDA, 0xBA, 0x90, 0x7F, 0x8D, 0xD9, 0x8B, 0x47, 0x6C, 0x0C, 0xFF, 0xBA, 0x73, 0x00, 0x20,
117 0x1F, 0xF7, 0x7E, 0x5F, 0xF4, 0xEC, 0xD1, 0x02, 0x81, 0x80, 0x16, 0xB7, 0x43, 0xB5, 0x5D, 0xD7,
118 0x2B, 0x18, 0x0B, 0xAE, 0x0A, 0x69, 0x28, 0x53, 0x5E, 0x7A, 0x6A, 0xA0, 0xF2, 0xF1, 0x2E, 0x09,
119 0x43, 0x91, 0x79, 0xA5, 0x89, 0xAC, 0x16, 0x6A, 0x1A, 0xB4, 0x55, 0x22, 0xF6, 0xB6, 0x3F, 0x18,
120 0xDE, 0x60, 0xD5, 0x24, 0x53, 0x4F, 0x2A, 0x19, 0x46, 0x92, 0xA7, 0x4B, 0x38, 0xD7, 0x65, 0x96,
121 0x9C, 0x84, 0x8A, 0x6E, 0x38, 0xB8, 0xCF, 0x06, 0x9A, 0xAD, 0x0A, 0x55, 0x26, 0x7B, 0x65, 0x24,
122 0xF3, 0x02, 0x76, 0xB3, 0xE6, 0xB4, 0x01, 0xE1, 0x3C, 0x61, 0x3D, 0x68, 0x05, 0xAA, 0xD1, 0x26,
123 0x7C, 0xE0, 0x51, 0x36, 0xE5, 0x21, 0x7F, 0x76, 0x02, 0xD6, 0xF4, 0x91, 0x07, 0x74, 0x27, 0x09,
124 0xEF, 0xEF, 0x0F, 0xA5, 0x96, 0xFC, 0x5E, 0x20, 0xC1, 0xA3, 0x6F, 0x99, 0x4D, 0x45, 0x03, 0x6C,
125 0x35, 0x45, 0xD7, 0x8F, 0x47, 0x41, 0x86, 0x8D, 0x62, 0x1D, 0x02, 0x81, 0x81, 0x00, 0xC3, 0x93,
126 0x85, 0xA7, 0xFC, 0x8E, 0x85, 0x42, 0x14, 0x76, 0xC0, 0x95, 0x56, 0x73, 0xB0, 0xB5, 0x3A, 0x9D,
127 0x20, 0x30, 0x11, 0xEA, 0xED, 0x89, 0x4A, 0xF3, 0x91, 0xF3, 0xA2, 0xC3, 0x76, 0x5B, 0x6A, 0x30,
128 0x7D, 0xE2, 0x2F, 0x76, 0x3E, 0xFC, 0xF9, 0xF6, 0x31, 0xE0, 0xA0, 0x83, 0x92, 0x88, 0xDB, 0x57,
129 0xC7, 0xD6, 0x3F, 0xAD, 0xCB, 0xAA, 0x45, 0xB6, 0xE1, 0xE2, 0x71, 0xA4, 0x56, 0x2C, 0xA7, 0x3B,
130 0x1D, 0x89, 0x19, 0x50, 0xE1, 0xEE, 0xC2, 0xDD, 0xC0, 0x0D, 0xDC, 0xCB, 0x60, 0x6E, 0xE1, 0x37,
131 0x1A, 0x23, 0x64, 0xB2, 0x03, 0xE4, 0x1A, 0xFA, 0xC3, 0xF4, 0x9D, 0x85, 0x42, 0xC6, 0xF4, 0x56,
132 0x39, 0xB0, 0x1B, 0xE0, 0x75, 0xBA, 0x28, 0x04, 0xA8, 0x30, 0x57, 0x41, 0x33, 0x9F, 0x58, 0xA4,
133 0xC7, 0xB1, 0x7D, 0x58, 0x8D, 0x84, 0x49, 0x40, 0xDA, 0x28, 0x81, 0x25, 0xC4, 0x41, 0x02, 0x81,
134 0x80, 0x13, 0x20, 0x65, 0xD5, 0x96, 0x98, 0x8D, 0x16, 0x73, 0xA1, 0x31, 0x73, 0x79, 0xBA, 0xEC,
135 0xB0, 0xD9, 0x0C, 0xF6, 0xEF, 0x2F, 0xC2, 0xE7, 0x96, 0x9B, 0xA1, 0x2D, 0xE9, 0xFB, 0x45, 0xB9,
136 0xD0, 0x30, 0xE2, 0xBD, 0x30, 0x4F, 0xB6, 0xFE, 0x24, 0x02, 0xCF, 0x8D, 0x51, 0x48, 0x45, 0xD9,
137 0xF7, 0x20, 0x53, 0x1C, 0x0B, 0xA9, 0x7E, 0xC2, 0xA2, 0x65, 0xCC, 0x3E, 0x0E, 0x0D, 0xF1, 0x62,
138 0xDD, 0x5F, 0xBC, 0x55, 0x9B, 0x58, 0x26, 0x40, 0x6A, 0xEE, 0x02, 0x55, 0x36, 0xE9, 0xBA, 0x82,
139 0x5A, 0xFD, 0x3C, 0xDF, 0xA6, 0x26, 0x32, 0x81, 0xA9, 0x5E, 0x46, 0xBE, 0xBA, 0xDC, 0xD3, 0x2A,
140 0x3A, 0x3B, 0xC1, 0x4E, 0xF7, 0x1A, 0xDC, 0x4B, 0xAF, 0x67, 0x1B, 0x3A, 0x83, 0x0D, 0x04, 0xDE,
141 0x27, 0x47, 0xFC, 0xE6, 0x39, 0x89, 0x7B, 0x66, 0xF9, 0x50, 0x4D, 0xF1, 0xAC, 0x20, 0x43, 0x7E,
142 0xEE,
143];
144
145/// DER-encoded PKCS#8 format EC key. Generated using:
146/// openssl ecparam -name prime256v1 -genkey | openssl pkcs8 -topk8 -nocrypt -outform der | hexdump -e '30/1 "%02X" "\n"'
147pub static EC_P_256_KEY: &[u8] = &[
148 0x30, 0x81, 0x87, 0x02, 0x01, 0x00, 0x30, 0x13, 0x06, 0x07, 0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x02,
149 0x01, 0x06, 0x08, 0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x03, 0x01, 0x07, 0x04, 0x6D, 0x30, 0x6B, 0x02,
150 0x01, 0x01, 0x04, 0x20, 0xB9, 0x1D, 0xAF, 0x50, 0xFD, 0xD8, 0x6A, 0x40, 0xAB, 0x2C, 0xCB, 0x54,
151 0x4E, 0xED, 0xF1, 0x64, 0xBC, 0x30, 0x25, 0xFB, 0xC4, 0x69, 0x00, 0x34, 0x1A, 0x82, 0xA3, 0x72,
152 0x5D, 0xC7, 0xA9, 0x85, 0xA1, 0x44, 0x03, 0x42, 0x00, 0x04, 0xE8, 0x53, 0x0A, 0xF2, 0xD3, 0x68,
153 0x40, 0x48, 0x8C, 0xB4, 0x2F, 0x11, 0x34, 0xD7, 0xF4, 0x4A, 0x5C, 0x33, 0xFF, 0xF6, 0x2B, 0xF7,
154 0x98, 0x0F, 0x02, 0xA5, 0xD7, 0x4F, 0xF9, 0xDE, 0x60, 0x9C, 0x6E, 0xB0, 0x45, 0xDA, 0x3F, 0xF4,
155 0x34, 0x23, 0x9B, 0x4C, 0x3A, 0x09, 0x9C, 0x5E, 0x5D, 0x37, 0x96, 0xAC, 0x4A, 0xE7, 0x65, 0x2B,
156 0xD6, 0x84, 0x98, 0xEA, 0x96, 0x91, 0xFB, 0x78, 0xED, 0x86,
157];
158
Rajesh Nyamagoudc946cc42022-04-12 22:49:11 +0000[diff] [blame]159/// DER-encoded PKCS#8 format RSA key -
160/// Size: 2048
161/// Public Exponent: 65537
162/// Purpose: WRAP_KEY, ENCRYPT, DECRYPT
163/// Encryption scheme: RSAES-PKCS1-v1_5
164/// Digest: SHA_2_256
165/// Padding: RSA_OAEP
166/// This sample wrapping_key is taken from KeyMint tests
167/// (see hardware/interfaces/security/keymint/aidl/vts/functional/KeyMintTest.cpp).
168/// Similarly more test keys can be generated with below command -
169/// openssl genrsa 2048 | openssl pkcs8 -topk8 -nocrypt -outform der | hexdump -e '30/1 "%02X" "\n"'
170pub static WRAPPING_KEY: &[u8] = &[
171 0x30, 0x82, 0x04, 0xbe, 0x02, 0x01, 0x00, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7,
172 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x04, 0x82, 0x04, 0xa8, 0x30, 0x82, 0x04, 0xa4, 0x02, 0x01,
173 0x00, 0x02, 0x82, 0x01, 0x01, 0x00, 0xae, 0xc3, 0x67, 0x93, 0x1d, 0x89, 0x00, 0xce, 0x56, 0xb0,
174 0x06, 0x7f, 0x7d, 0x70, 0xe1, 0xfc, 0x65, 0x3f, 0x3f, 0x34, 0xd1, 0x94, 0xc1, 0xfe, 0xd5, 0x00,
175 0x18, 0xfb, 0x43, 0xdb, 0x93, 0x7b, 0x06, 0xe6, 0x73, 0xa8, 0x37, 0x31, 0x3d, 0x56, 0xb1, 0xc7,
176 0x25, 0x15, 0x0a, 0x3f, 0xef, 0x86, 0xac, 0xbd, 0xdc, 0x41, 0xbb, 0x75, 0x9c, 0x28, 0x54, 0xea,
177 0xe3, 0x2d, 0x35, 0x84, 0x1e, 0xfb, 0x5c, 0x18, 0xd8, 0x2b, 0xc9, 0x0a, 0x1c, 0xb5, 0xc1, 0xd5,
178 0x5a, 0xdf, 0x24, 0x5b, 0x02, 0x91, 0x1f, 0x0b, 0x7c, 0xda, 0x88, 0xc4, 0x21, 0xff, 0x0e, 0xba,
179 0xfe, 0x7c, 0x0d, 0x23, 0xbe, 0x31, 0x2d, 0x7b, 0xd5, 0x92, 0x1f, 0xfa, 0xea, 0x13, 0x47, 0xc1,
180 0x57, 0x40, 0x6f, 0xef, 0x71, 0x8f, 0x68, 0x26, 0x43, 0xe4, 0xe5, 0xd3, 0x3c, 0x67, 0x03, 0xd6,
181 0x1c, 0x0c, 0xf7, 0xac, 0x0b, 0xf4, 0x64, 0x5c, 0x11, 0xf5, 0xc1, 0x37, 0x4c, 0x38, 0x86, 0x42,
182 0x74, 0x11, 0xc4, 0x49, 0x79, 0x67, 0x92, 0xe0, 0xbe, 0xf7, 0x5d, 0xec, 0x85, 0x8a, 0x21, 0x23,
183 0xc3, 0x67, 0x53, 0xe0, 0x2a, 0x95, 0xa9, 0x6d, 0x7c, 0x45, 0x4b, 0x50, 0x4d, 0xe3, 0x85, 0xa6,
184 0x42, 0xe0, 0xdf, 0xc3, 0xe6, 0x0a, 0xc3, 0xa7, 0xee, 0x49, 0x91, 0xd0, 0xd4, 0x8b, 0x01, 0x72,
185 0xa9, 0x5f, 0x95, 0x36, 0xf0, 0x2b, 0xa1, 0x3c, 0xec, 0xcc, 0xb9, 0x2b, 0x72, 0x7d, 0xb5, 0xc2,
186 0x7e, 0x5b, 0x2f, 0x5c, 0xec, 0x09, 0x60, 0x0b, 0x28, 0x6a, 0xf5, 0xcf, 0x14, 0xc4, 0x20, 0x24,
187 0xc6, 0x1d, 0xdf, 0xe7, 0x1c, 0x2a, 0x8d, 0x74, 0x58, 0xf1, 0x85, 0x23, 0x4c, 0xb0, 0x0e, 0x01,
188 0xd2, 0x82, 0xf1, 0x0f, 0x8f, 0xc6, 0x72, 0x1d, 0x2a, 0xed, 0x3f, 0x48, 0x33, 0xcc, 0xa2, 0xbd,
189 0x8f, 0xa6, 0x28, 0x21, 0xdd, 0x55, 0x02, 0x03, 0x01, 0x00, 0x01, 0x02, 0x82, 0x01, 0x00, 0x43,
190 0x14, 0x47, 0xb6, 0x25, 0x19, 0x08, 0x11, 0x2b, 0x1e, 0xe7, 0x6f, 0x99, 0xf3, 0x71, 0x1a, 0x52,
191 0xb6, 0x63, 0x09, 0x60, 0x04, 0x6c, 0x2d, 0xe7, 0x0d, 0xe1, 0x88, 0xd8, 0x33, 0xf8, 0xb8, 0xb9,
192 0x1e, 0x4d, 0x78, 0x5c, 0xae, 0xee, 0xaf, 0x4f, 0x0f, 0x74, 0x41, 0x4e, 0x2c, 0xda, 0x40, 0x64,
193 0x1f, 0x7f, 0xe2, 0x4f, 0x14, 0xc6, 0x7a, 0x88, 0x95, 0x9b, 0xdb, 0x27, 0x76, 0x6d, 0xf9, 0xe7,
194 0x10, 0xb6, 0x30, 0xa0, 0x3a, 0xdc, 0x68, 0x3b, 0x5d, 0x2c, 0x43, 0x08, 0x0e, 0x52, 0xbe, 0xe7,
195 0x1e, 0x9e, 0xae, 0xb6, 0xde, 0x29, 0x7a, 0x5f, 0xea, 0x10, 0x72, 0x07, 0x0d, 0x18, 0x1c, 0x82,
196 0x2b, 0xcc, 0xff, 0x08, 0x7d, 0x63, 0xc9, 0x40, 0xba, 0x8a, 0x45, 0xf6, 0x70, 0xfe, 0xb2, 0x9f,
197 0xb4, 0x48, 0x4d, 0x1c, 0x95, 0xe6, 0xd2, 0x57, 0x9b, 0xa0, 0x2a, 0xae, 0x0a, 0x00, 0x90, 0x0c,
198 0x3e, 0xbf, 0x49, 0x0e, 0x3d, 0x2c, 0xd7, 0xee, 0x8d, 0x0e, 0x20, 0xc5, 0x36, 0xe4, 0xdc, 0x5a,
199 0x50, 0x97, 0x27, 0x28, 0x88, 0xcd, 0xdd, 0x7e, 0x91, 0xf2, 0x28, 0xb1, 0xc4, 0xd7, 0x47, 0x4c,
200 0x55, 0xb8, 0xfc, 0xd6, 0x18, 0xc4, 0xa9, 0x57, 0xbb, 0xdd, 0xd5, 0xad, 0x74, 0x07, 0xcc, 0x31,
201 0x2d, 0x8d, 0x98, 0xa5, 0xca, 0xf7, 0xe0, 0x8f, 0x4a, 0x0d, 0x6b, 0x45, 0xbb, 0x41, 0xc6, 0x52,
202 0x65, 0x9d, 0x5a, 0x5b, 0xa0, 0x5b, 0x66, 0x37, 0x37, 0xa8, 0x69, 0x62, 0x81, 0x86, 0x5b, 0xa2,
203 0x0f, 0xbd, 0xd7, 0xf8, 0x51, 0xe6, 0xc5, 0x6e, 0x8c, 0xbe, 0x0d, 0xdb, 0xbf, 0x24, 0xdc, 0x03,
204 0xb2, 0xd2, 0xcb, 0x4c, 0x3d, 0x54, 0x0f, 0xb0, 0xaf, 0x52, 0xe0, 0x34, 0xa2, 0xd0, 0x66, 0x98,
205 0xb1, 0x28, 0xe5, 0xf1, 0x01, 0xe3, 0xb5, 0x1a, 0x34, 0xf8, 0xd8, 0xb4, 0xf8, 0x61, 0x81, 0x02,
206 0x81, 0x81, 0x00, 0xde, 0x39, 0x2e, 0x18, 0xd6, 0x82, 0xc8, 0x29, 0x26, 0x6c, 0xc3, 0x45, 0x4e,
207 0x1d, 0x61, 0x66, 0x24, 0x2f, 0x32, 0xd9, 0xa1, 0xd1, 0x05, 0x77, 0x75, 0x3e, 0x90, 0x4e, 0xa7,
208 0xd0, 0x8b, 0xff, 0x84, 0x1b, 0xe5, 0xba, 0xc8, 0x2a, 0x16, 0x4c, 0x59, 0x70, 0x00, 0x70, 0x47,
209 0xb8, 0xc5, 0x17, 0xdb, 0x8f, 0x8f, 0x84, 0xe3, 0x7b, 0xd5, 0x98, 0x85, 0x61, 0xbd, 0xf5, 0x03,
210 0xd4, 0xdc, 0x2b, 0xdb, 0x38, 0xf8, 0x85, 0x43, 0x4a, 0xe4, 0x2c, 0x35, 0x5f, 0x72, 0x5c, 0x9a,
211 0x60, 0xf9, 0x1f, 0x07, 0x88, 0xe1, 0xf1, 0xa9, 0x72, 0x23, 0xb5, 0x24, 0xb5, 0x35, 0x7f, 0xdf,
212 0x72, 0xe2, 0xf6, 0x96, 0xba, 0xb7, 0xd7, 0x8e, 0x32, 0xbf, 0x92, 0xba, 0x8e, 0x18, 0x64, 0xea,
213 0xb1, 0x22, 0x9e, 0x91, 0x34, 0x61, 0x30, 0x74, 0x8a, 0x6e, 0x3c, 0x12, 0x4f, 0x91, 0x49, 0xd7,
214 0x1c, 0x74, 0x35, 0x02, 0x81, 0x81, 0x00, 0xc9, 0x53, 0x87, 0xc0, 0xf9, 0xd3, 0x5f, 0x13, 0x7b,
215 0x57, 0xd0, 0xd6, 0x5c, 0x39, 0x7c, 0x5e, 0x21, 0xcc, 0x25, 0x1e, 0x47, 0x00, 0x8e, 0xd6, 0x2a,
216 0x54, 0x24, 0x09, 0xc8, 0xb6, 0xb6, 0xac, 0x7f, 0x89, 0x67, 0xb3, 0x86, 0x3c, 0xa6, 0x45, 0xfc,
217 0xce, 0x49, 0x58, 0x2a, 0x9a, 0xa1, 0x73, 0x49, 0xdb, 0x6c, 0x4a, 0x95, 0xaf, 0xfd, 0xae, 0x0d,
218 0xae, 0x61, 0x2e, 0x1a, 0xfa, 0xc9, 0x9e, 0xd3, 0x9a, 0x2d, 0x93, 0x4c, 0x88, 0x04, 0x40, 0xae,
219 0xd8, 0x83, 0x2f, 0x98, 0x43, 0x16, 0x3a, 0x47, 0xf2, 0x7f, 0x39, 0x21, 0x99, 0xdc, 0x12, 0x02,
220 0xf9, 0xa0, 0xf9, 0xbd, 0x08, 0x30, 0x80, 0x07, 0xcb, 0x1e, 0x4e, 0x7f, 0x58, 0x30, 0x93, 0x66,
221 0xa7, 0xde, 0x25, 0xf7, 0xc3, 0xc9, 0xb8, 0x80, 0x67, 0x7c, 0x06, 0x8e, 0x1b, 0xe9, 0x36, 0xe8,
222 0x12, 0x88, 0x81, 0x52, 0x52, 0xa8, 0xa1, 0x02, 0x81, 0x80, 0x57, 0xff, 0x8c, 0xa1, 0x89, 0x50,
223 0x80, 0xb2, 0xca, 0xe4, 0x86, 0xef, 0x0a, 0xdf, 0xd7, 0x91, 0xfb, 0x02, 0x35, 0xc0, 0xb8, 0xb3,
224 0x6c, 0xd6, 0xc1, 0x36, 0xe5, 0x2e, 0x40, 0x85, 0xf4, 0xea, 0x5a, 0x06, 0x32, 0x12, 0xa4, 0xf1,
225 0x05, 0xa3, 0x76, 0x47, 0x43, 0xe5, 0x32, 0x81, 0x98, 0x8a, 0xba, 0x07, 0x3f, 0x6e, 0x00, 0x27,
226 0x29, 0x8e, 0x1c, 0x43, 0x78, 0x55, 0x6e, 0x0e, 0xfc, 0xa0, 0xe1, 0x4e, 0xce, 0x1a, 0xf7, 0x6a,
227 0xd0, 0xb0, 0x30, 0xf2, 0x7a, 0xf6, 0xf0, 0xab, 0x35, 0xfb, 0x73, 0xa0, 0x60, 0xd8, 0xb1, 0xa0,
228 0xe1, 0x42, 0xfa, 0x26, 0x47, 0xe9, 0x3b, 0x32, 0xe3, 0x6d, 0x82, 0x82, 0xae, 0x0a, 0x4d, 0xe5,
229 0x0a, 0xb7, 0xaf, 0xe8, 0x55, 0x00, 0xa1, 0x6f, 0x43, 0xa6, 0x47, 0x19, 0xd6, 0xe2, 0xb9, 0x43,
230 0x98, 0x23, 0x71, 0x9c, 0xd0, 0x8b, 0xcd, 0x03, 0x17, 0x81, 0x02, 0x81, 0x81, 0x00, 0xba, 0x73,
231 0xb0, 0xbb, 0x28, 0xe3, 0xf8, 0x1e, 0x9b, 0xd1, 0xc5, 0x68, 0x71, 0x3b, 0x10, 0x12, 0x41, 0xac,
232 0xc6, 0x07, 0x97, 0x6c, 0x4d, 0xdc, 0xcc, 0x90, 0xe6, 0x5b, 0x65, 0x56, 0xca, 0x31, 0x51, 0x60,
233 0x58, 0xf9, 0x2b, 0x6e, 0x09, 0xf3, 0xb1, 0x60, 0xff, 0x0e, 0x37, 0x4e, 0xc4, 0x0d, 0x78, 0xae,
234 0x4d, 0x49, 0x79, 0xfd, 0xe6, 0xac, 0x06, 0xa1, 0xa4, 0x00, 0xc6, 0x1d, 0xd3, 0x12, 0x54, 0x18,
235 0x6a, 0xf3, 0x0b, 0x22, 0xc1, 0x05, 0x82, 0xa8, 0xa4, 0x3e, 0x34, 0xfe, 0x94, 0x9c, 0x5f, 0x3b,
236 0x97, 0x55, 0xba, 0xe7, 0xba, 0xa7, 0xb7, 0xb7, 0xa6, 0xbd, 0x03, 0xb3, 0x8c, 0xef, 0x55, 0xc8,
237 0x68, 0x85, 0xfc, 0x6c, 0x19, 0x78, 0xb9, 0xce, 0xe7, 0xef, 0x33, 0xda, 0x50, 0x7c, 0x9d, 0xf6,
238 0xb9, 0x27, 0x7c, 0xff, 0x1e, 0x6a, 0xaa, 0x5d, 0x57, 0xac, 0xa5, 0x28, 0x46, 0x61, 0x02, 0x81,
239 0x81, 0x00, 0xc9, 0x31, 0x61, 0x7c, 0x77, 0x82, 0x9d, 0xfb, 0x12, 0x70, 0x50, 0x2b, 0xe9, 0x19,
240 0x5c, 0x8f, 0x28, 0x30, 0x88, 0x5f, 0x57, 0xdb, 0xa8, 0x69, 0x53, 0x68, 0x11, 0xe6, 0x86, 0x42,
241 0x36, 0xd0, 0xc4, 0x73, 0x6a, 0x00, 0x08, 0xa1, 0x45, 0xaf, 0x36, 0xb8, 0x35, 0x7a, 0x7c, 0x3d,
242 0x13, 0x99, 0x66, 0xd0, 0x4c, 0x4e, 0x00, 0x93, 0x4e, 0xa1, 0xae, 0xde, 0x3b, 0xb6, 0xb8, 0xec,
243 0x84, 0x1d, 0xc9, 0x5e, 0x3f, 0x57, 0x97, 0x51, 0xe2, 0xbf, 0xdf, 0xe2, 0x7a, 0xe7, 0x78, 0x98,
244 0x3f, 0x95, 0x93, 0x56, 0x21, 0x07, 0x23, 0x28, 0x7b, 0x0a, 0xff, 0xcc, 0x9f, 0x72, 0x70, 0x44,
245 0xd4, 0x8c, 0x37, 0x3f, 0x1b, 0xab, 0xde, 0x07, 0x24, 0xfa, 0x17, 0xa4, 0xfd, 0x4d, 0xa0, 0x90,
246 0x2c, 0x7c, 0x9b, 0x9b, 0xf2, 0x7b, 0xa6, 0x1b, 0xe6, 0xad, 0x02, 0xdf, 0xdd, 0xda, 0x8f, 0x4e,
247 0x68, 0x22,
248];
249
250/// WrappedKeyData as ASN.1 DER-encoded data corresponding to the `SecureKeyWrapper` schema
251/// specified in IKeyMintDevice.aidl. Wrapped key parameters are -
252/// Algorithm: AES
253/// Key size: 256
254/// Block mode: ECB
255/// Padding mode: PKCS7
256/// This sample wrapped_key is taken from KeyMint tests (see KeyMintTest.cpp).
257pub static WRAPPED_KEY: &[u8] = &[
258 0x30, 0x82, 0x01, 0x79, 0x02, 0x01, 0x00, 0x04, 0x82, 0x01, 0x00, 0x93, 0x4b, 0xf9, 0x4e, 0x2a,
259 0xa2, 0x8a, 0x3f, 0x83, 0xc9, 0xf7, 0x92, 0x97, 0x25, 0x02, 0x62, 0xfb, 0xe3, 0x27, 0x6b, 0x5a,
260 0x1c, 0x91, 0x15, 0x9b, 0xbf, 0xa3, 0xef, 0x89, 0x57, 0xaa, 0xc8, 0x4b, 0x59, 0xb3, 0x0b, 0x45,
261 0x5a, 0x79, 0xc2, 0x97, 0x34, 0x80, 0x82, 0x3d, 0x8b, 0x38, 0x63, 0xc3, 0xde, 0xef, 0x4a, 0x8e,
262 0x24, 0x35, 0x90, 0x26, 0x8d, 0x80, 0xe1, 0x87, 0x51, 0xa0, 0xe1, 0x30, 0xf6, 0x7c, 0xe6, 0xa1,
263 0xac, 0xe9, 0xf7, 0x9b, 0x95, 0xe0, 0x97, 0x47, 0x4f, 0xeb, 0xc9, 0x81, 0x19, 0x5b, 0x1d, 0x13,
264 0xa6, 0x90, 0x86, 0xc0, 0x86, 0x3f, 0x66, 0xa7, 0xb7, 0xfd, 0xb4, 0x87, 0x92, 0x22, 0x7b, 0x1a,
265 0xc5, 0xe2, 0x48, 0x9f, 0xeb, 0xdf, 0x08, 0x7a, 0xb5, 0x48, 0x64, 0x83, 0x03, 0x3a, 0x6f, 0x00,
266 0x1c, 0xa5, 0xd1, 0xec, 0x1e, 0x27, 0xf5, 0xc3, 0x0f, 0x4c, 0xec, 0x26, 0x42, 0x07, 0x4a, 0x39,
267 0xae, 0x68, 0xae, 0xe5, 0x52, 0xe1, 0x96, 0x62, 0x7a, 0x8e, 0x3d, 0x86, 0x7e, 0x67, 0xa8, 0xc0,
268 0x1b, 0x11, 0xe7, 0x5f, 0x13, 0xcc, 0xa0, 0xa9, 0x7a, 0xb6, 0x68, 0xb5, 0x0c, 0xda, 0x07, 0xa8,
269 0xec, 0xb7, 0xcd, 0x8e, 0x3d, 0xd7, 0x00, 0x9c, 0x96, 0x36, 0x53, 0x4f, 0x6f, 0x23, 0x9c, 0xff,
270 0xe1, 0xfc, 0x8d, 0xaa, 0x46, 0x6f, 0x78, 0xb6, 0x76, 0xc7, 0x11, 0x9e, 0xfb, 0x96, 0xbc, 0xe4,
271 0xe6, 0x9c, 0xa2, 0xa2, 0x5d, 0x0b, 0x34, 0xed, 0x9c, 0x3f, 0xf9, 0x99, 0xb8, 0x01, 0x59, 0x7d,
272 0x52, 0x20, 0xe3, 0x07, 0xea, 0xa5, 0xbe, 0xe5, 0x07, 0xfb, 0x94, 0xd1, 0xfa, 0x69, 0xf9, 0xe5,
273 0x19, 0xb2, 0xde, 0x31, 0x5b, 0xac, 0x92, 0xc3, 0x6f, 0x2e, 0xa1, 0xfa, 0x1d, 0xf4, 0x47, 0x8c,
274 0x0d, 0xde, 0xde, 0xae, 0x8c, 0x70, 0xe0, 0x23, 0x3c, 0xd0, 0x98, 0x04, 0x0c, 0xd7, 0x96, 0xb0,
275 0x2c, 0x37, 0x0f, 0x1f, 0xa4, 0xcc, 0x01, 0x24, 0xf1, 0x30, 0x2e, 0x02, 0x01, 0x03, 0x30, 0x29,
276 0xa1, 0x08, 0x31, 0x06, 0x02, 0x01, 0x00, 0x02, 0x01, 0x01, 0xa2, 0x03, 0x02, 0x01, 0x20, 0xa3,
277 0x04, 0x02, 0x02, 0x01, 0x00, 0xa4, 0x05, 0x31, 0x03, 0x02, 0x01, 0x01, 0xa6, 0x05, 0x31, 0x03,
278 0x02, 0x01, 0x40, 0xbf, 0x83, 0x77, 0x02, 0x05, 0x00, 0x04, 0x20, 0xcc, 0xd5, 0x40, 0x85, 0x5f,
279 0x83, 0x3a, 0x5e, 0x14, 0x80, 0xbf, 0xd2, 0xd3, 0x6f, 0xaf, 0x3a, 0xee, 0xe1, 0x5d, 0xf5, 0xbe,
280 0xab, 0xe2, 0x69, 0x1b, 0xc8, 0x2d, 0xde, 0x2a, 0x7a, 0xa9, 0x10, 0x04, 0x10, 0x64, 0xc9, 0xf6,
281 0x89, 0xc6, 0x0f, 0xf6, 0x22, 0x3a, 0xb6, 0xe6, 0x99, 0x9e, 0x0e, 0xb6, 0xe5,
282];
283
Rajesh Nyamagoudb881d512021-12-10 00:33:15 +0000[diff] [blame]284/// To map Keystore errors.
285#[derive(thiserror::Error, Debug, Eq, PartialEq)]
286pub enum Error {
287 /// Keystore2 error code
288 #[error("ResponseCode {0:?}")]
289 Rc(ResponseCode),
290 /// Keymint error code
291 #[error("ErrorCode {0:?}")]
292 Km(ErrorCode),
293 /// Exception
294 #[error("Binder exception {0:?}")]
295 Binder(ExceptionCode),
Rajesh Nyamagoud4d483372022-02-09 01:38:23 +0000[diff] [blame]296 /// This is returned if the C implementation of extractSubjectFromCertificate failed.
297 #[error("Failed to validate certificate chain.")]
298 ValidateCertChainFailed,
Rajesh Nyamagoudc946cc42022-04-12 22:49:11 +0000[diff] [blame]299 /// Error code to indicate error in ASN.1 DER-encoded data creation.
300 #[error("Failed to create and encode ASN.1 data.")]
301 DerEncodeFailed,
Rajesh Nyamagoudb881d512021-12-10 00:33:15 +0000[diff] [blame]302}
303
304/// Keystore2 error mapping.
305pub fn map_ks_error<T>(r: BinderResult<T>) -> Result<T, Error> {
306 r.map_err(|s| {
307 match s.exception_code() {
308 ExceptionCode::SERVICE_SPECIFIC => {
309 match s.service_specific_error() {
310 se if se < 0 => {
311 // Negative service specific errors are KM error codes.
312 Error::Km(ErrorCode(se))
313 }
314 se => {
315 // Positive service specific errors are KS response codes.
316 Error::Rc(ResponseCode(se))
317 }
318 }
319 }
320 // We create `Error::Binder` to preserve the exception code
321 // for logging.
322 e_code => Error::Binder(e_code),
323 }
324 })
325}
326
327/// Generate EC Key using given security level and domain with below key parameters and
328/// optionally allow the generated key to be attested with factory provisioned attest key using
329/// given challenge and application id -
Rajesh Nyamagoud901386c2022-03-21 20:35:18 +0000[diff] [blame]330/// Purposes: SIGN and VERIFY
331/// Digest: SHA_2_256
332/// Curve: P_256
Rajesh Nyamagoudb881d512021-12-10 00:33:15 +0000[diff] [blame]333pub fn generate_ec_p256_signing_key(
Rajesh Nyamagoud901386c2022-03-21 20:35:18 +0000[diff] [blame]334 sec_level: &binder::Strong<dyn IKeystoreSecurityLevel>,
Rajesh Nyamagoudb881d512021-12-10 00:33:15 +0000[diff] [blame]335 domain: Domain,
336 nspace: i64,
337 alias: Option<String>,
338 att_challenge: Option<&[u8]>,
Rajesh Nyamagoud901386c2022-03-21 20:35:18 +0000[diff] [blame]339) -> binder::Result<KeyMetadata> {
Rajesh Nyamagoudb881d512021-12-10 00:33:15 +0000[diff] [blame]340 let mut key_attest = false;
341 let mut gen_params = AuthSetBuilder::new()
Rajesh Nyamagoudc7d064d2022-08-20 01:45:17 +0000[diff] [blame]342 .no_auth_required()
Rajesh Nyamagoud901386c2022-03-21 20:35:18 +0000[diff] [blame]343 .algorithm(Algorithm::EC)
344 .purpose(KeyPurpose::SIGN)
345 .purpose(KeyPurpose::VERIFY)
346 .digest(Digest::SHA_2_256)
Rajesh Nyamagoudb881d512021-12-10 00:33:15 +0000[diff] [blame]347 .ec_curve(EcCurve::P_256);
348
349 if let Some(challenge) = att_challenge {
350 key_attest = true;
351 gen_params = gen_params.clone().attestation_challenge(challenge.to_vec());
352 }
353
Rajesh Nyamagoud901386c2022-03-21 20:35:18 +0000[diff] [blame]354 match sec_level.generateKey(
Rajesh Nyamagoudb881d512021-12-10 00:33:15 +0000[diff] [blame]355 &KeyDescriptor { domain, nspace, alias, blob: None },
Rajesh Nyamagoud901386c2022-03-21 20:35:18 +0000[diff] [blame]356 None,
357 &gen_params,
358 0,
359 b"entropy",
360 ) {
361 Ok(key_metadata) => {
362 assert!(key_metadata.certificate.is_some());
Rajesh Nyamagoudb881d512021-12-10 00:33:15 +0000[diff] [blame]363 if key_attest {
364 assert!(key_metadata.certificateChain.is_some());
365 }
366 if domain == Domain::BLOB {
367 assert!(key_metadata.key.blob.is_some());
368 }
Rajesh Nyamagoud901386c2022-03-21 20:35:18 +0000[diff] [blame]369
370 Ok(key_metadata)
371 }
372 Err(e) => Err(e),
373 }
374}
Rajesh Nyamagouda7766452021-12-13 21:44:19 +0000[diff] [blame]375
376/// Generate EC signing key.
Rajesh Nyamagoudc7d064d2022-08-20 01:45:17 +0000[diff] [blame]377pub fn generate_ec_key(
378 sec_level: &binder::Strong<dyn IKeystoreSecurityLevel>,
Rajesh Nyamagouda7766452021-12-13 21:44:19 +0000[diff] [blame]379 domain: Domain,
380 nspace: i64,
381 alias: Option<String>,
382 ec_curve: EcCurve,
383 digest: Digest,
384) -> binder::Result<KeyMetadata> {
385 let gen_params = AuthSetBuilder::new()
386 .no_auth_required()
387 .algorithm(Algorithm::EC)
388 .purpose(KeyPurpose::SIGN)
389 .purpose(KeyPurpose::VERIFY)
390 .digest(digest)
391 .ec_curve(ec_curve);
392
393 let key_metadata = sec_level.generateKey(
394 &KeyDescriptor { domain, nspace, alias, blob: None },
395 None,
396 &gen_params,
397 0,
398 b"entropy",
399 )?;
400
401 // Must have a public key.
402 assert!(key_metadata.certificate.is_some());
403
404 // Should not have an attestation record.
405 assert!(key_metadata.certificateChain.is_none());
406
407 if domain == Domain::BLOB {
408 assert!(key_metadata.key.blob.is_some());
409 } else {
410 assert!(key_metadata.key.blob.is_none());
411 }
412 Ok(key_metadata)
413}
Rajesh Nyamagoud11912ea2021-12-20 20:37:20 +0000[diff] [blame]414
415/// Generate a RSA key with the given key parameters, alias, domain and namespace.
416pub fn generate_rsa_key(
417 sec_level: &binder::Strong<dyn IKeystoreSecurityLevel>,
418 domain: Domain,
419 nspace: i64,
420 alias: Option<String>,
421 key_params: &KeyParams,
422 attest_key: Option<&KeyDescriptor>,
423) -> binder::Result<KeyMetadata> {
424 let mut gen_params = AuthSetBuilder::new()
425 .no_auth_required()
426 .algorithm(Algorithm::RSA)
427 .rsa_public_exponent(65537)
428 .key_size(key_params.key_size);
429
430 for purpose in &key_params.purpose {
431 gen_params = gen_params.purpose(*purpose);
432 }
433 if let Some(value) = key_params.digest {
434 gen_params = gen_params.digest(value)
435 }
436 if let Some(value) = key_params.padding {
437 gen_params = gen_params.padding_mode(value);
438 }
439 if let Some(value) = key_params.mgf_digest {
440 gen_params = gen_params.mgf_digest(value);
441 }
442 if let Some(value) = key_params.block_mode {
443 gen_params = gen_params.block_mode(value)
444 }
445 if let Some(value) = &key_params.att_challenge {
446 gen_params = gen_params.attestation_challenge(value.to_vec())
447 }
Rajesh Nyamagoud11912ea2021-12-20 20:37:20 +0000[diff] [blame]448
449 let key_metadata = sec_level.generateKey(
450 &KeyDescriptor { domain, nspace, alias, blob: None },
451 attest_key,
452 &gen_params,
453 0,
454 b"entropy",
455 )?;
456
457 // Must have a public key.
458 assert!(key_metadata.certificate.is_some());
459
David Drysdale38f2ca32023-01-10 13:10:51 +0000[diff] [blame]460 if attest_key.is_none() && key_params.att_challenge.is_some() {
Rajesh Nyamagoud11912ea2021-12-20 20:37:20 +0000[diff] [blame]461 // Should have an attestation record.
462 assert!(key_metadata.certificateChain.is_some());
463 } else {
464 // Should not have an attestation record.
465 assert!(key_metadata.certificateChain.is_none());
466 }
467
468 assert!(
469 (domain == Domain::BLOB && key_metadata.key.blob.is_some())
470 || key_metadata.key.blob.is_none()
471 );
472
473 Ok(key_metadata)
474}
Rajesh Nyamagoud47409932022-01-08 00:37:13 +0000[diff] [blame]475
Rajesh Nyamagoudc3523ba2022-08-05 17:38:25 +0000[diff] [blame]476/// Generate AES/3DES key.
477pub fn generate_sym_key(
Rajesh Nyamagoud47409932022-01-08 00:37:13 +0000[diff] [blame]478 sec_level: &binder::Strong<dyn IKeystoreSecurityLevel>,
Rajesh Nyamagoudc3523ba2022-08-05 17:38:25 +0000[diff] [blame]479 algorithm: Algorithm,
Rajesh Nyamagoud47409932022-01-08 00:37:13 +0000[diff] [blame]480 size: i32,
481 alias: &str,
482 padding_mode: &PaddingMode,
483 block_mode: &BlockMode,
484 min_mac_len: Option<i32>,
485) -> binder::Result<KeyMetadata> {
486 let mut gen_params = AuthSetBuilder::new()
487 .no_auth_required()
Rajesh Nyamagoudc3523ba2022-08-05 17:38:25 +0000[diff] [blame]488 .algorithm(algorithm)
Rajesh Nyamagoud47409932022-01-08 00:37:13 +0000[diff] [blame]489 .purpose(KeyPurpose::ENCRYPT)
490 .purpose(KeyPurpose::DECRYPT)
491 .key_size(size)
492 .padding_mode(*padding_mode)
493 .block_mode(*block_mode);
494
495 if let Some(val) = min_mac_len {
496 gen_params = gen_params.min_mac_length(val);
497 }
498
499 let key_metadata = sec_level.generateKey(
500 &KeyDescriptor {
501 domain: Domain::APP,
502 nspace: -1,
503 alias: Some(alias.to_string()),
504 blob: None,
505 },
506 None,
507 &gen_params,
508 0,
509 b"entropy",
510 )?;
511
512 // Should not have public certificate.
513 assert!(key_metadata.certificate.is_none());
514
515 // Should not have an attestation record.
516 assert!(key_metadata.certificateChain.is_none());
517 Ok(key_metadata)
518}
Rajesh Nyamagoud4c6193c2022-02-03 01:15:34 +0000[diff] [blame]519
520/// Generate HMAC key.
521pub fn generate_hmac_key(
522 sec_level: &binder::Strong<dyn IKeystoreSecurityLevel>,
523 alias: &str,
524 key_size: i32,
525 min_mac_len: i32,
526 digest: Digest,
527) -> binder::Result<KeyMetadata> {
528 let gen_params = AuthSetBuilder::new()
529 .no_auth_required()
530 .algorithm(Algorithm::HMAC)
531 .purpose(KeyPurpose::SIGN)
532 .purpose(KeyPurpose::VERIFY)
533 .key_size(key_size)
534 .min_mac_length(min_mac_len)
535 .digest(digest);
536
537 let key_metadata = sec_level.generateKey(
538 &KeyDescriptor {
539 domain: Domain::APP,
540 nspace: -1,
541 alias: Some(alias.to_string()),
542 blob: None,
543 },
544 None,
545 &gen_params,
546 0,
547 b"entropy",
548 )?;
549
550 // Should not have public certificate.
551 assert!(key_metadata.certificate.is_none());
552
553 // Should not have an attestation record.
554 assert!(key_metadata.certificateChain.is_none());
555
556 Ok(key_metadata)
557}
Rajesh Nyamagoud4d483372022-02-09 01:38:23 +0000[diff] [blame]558
559/// Generate RSA or EC attestation keys using below parameters -
560/// Purpose: ATTEST_KEY
561/// Digest: Digest::SHA_2_256
562/// Padding: PaddingMode::RSA_PKCS1_1_5_SIGN
563/// RSA-Key-Size: 2048
564/// EC-Curve: EcCurve::P_256
565pub fn generate_attestation_key(
566 sec_level: &binder::Strong<dyn IKeystoreSecurityLevel>,
567 algorithm: Algorithm,
568 att_challenge: &[u8],
Rajesh Nyamagoud4d483372022-02-09 01:38:23 +0000[diff] [blame]569) -> binder::Result<KeyMetadata> {
570 assert!(algorithm == Algorithm::RSA || algorithm == Algorithm::EC);
571
572 if algorithm == Algorithm::RSA {
573 let alias = "ks_rsa_attest_test_key";
574 let metadata = generate_rsa_key(
575 sec_level,
576 Domain::APP,
577 -1,
578 Some(alias.to_string()),
579 &KeyParams {
580 key_size: 2048,
581 purpose: vec![KeyPurpose::ATTEST_KEY],
582 padding: Some(PaddingMode::RSA_PKCS1_1_5_SIGN),
583 digest: Some(Digest::SHA_2_256),
584 mgf_digest: None,
585 block_mode: None,
586 att_challenge: Some(att_challenge.to_vec()),
Rajesh Nyamagoud4d483372022-02-09 01:38:23 +0000[diff] [blame]587 },
588 None,
589 )
590 .unwrap();
591 Ok(metadata)
592 } else {
593 let metadata = generate_ec_attestation_key(
594 sec_level,
595 att_challenge,
Rajesh Nyamagoud4d483372022-02-09 01:38:23 +0000[diff] [blame]596 Digest::SHA_2_256,
597 EcCurve::P_256,
598 )
599 .unwrap();
600
601 Ok(metadata)
602 }
603}
604
605/// Generate EC attestation key with the given
606/// curve, attestation-challenge and attestation-app-id.
607pub fn generate_ec_attestation_key(
608 sec_level: &binder::Strong<dyn IKeystoreSecurityLevel>,
609 att_challenge: &[u8],
Rajesh Nyamagoud4d483372022-02-09 01:38:23 +0000[diff] [blame]610 digest: Digest,
611 ec_curve: EcCurve,
612) -> binder::Result<KeyMetadata> {
613 let alias = "ks_attest_ec_test_key";
614 let gen_params = AuthSetBuilder::new()
615 .no_auth_required()
616 .algorithm(Algorithm::EC)
617 .purpose(KeyPurpose::ATTEST_KEY)
618 .ec_curve(ec_curve)
619 .digest(digest)
David Drysdale38f2ca32023-01-10 13:10:51 +0000[diff] [blame]620 .attestation_challenge(att_challenge.to_vec());
Rajesh Nyamagoud4d483372022-02-09 01:38:23 +0000[diff] [blame]621
622 let attestation_key_metadata = sec_level.generateKey(
623 &KeyDescriptor {
624 domain: Domain::APP,
625 nspace: -1,
626 alias: Some(alias.to_string()),
627 blob: None,
628 },
629 None,
630 &gen_params,
631 0,
632 b"entropy",
633 )?;
634
635 // Should have public certificate.
636 assert!(attestation_key_metadata.certificate.is_some());
637 // Should have an attestation record.
638 assert!(attestation_key_metadata.certificateChain.is_some());
639
640 Ok(attestation_key_metadata)
641}
642
643/// Generate EC-P-256 key and attest it with given attestation key.
644pub fn generate_ec_256_attested_key(
645 sec_level: &binder::Strong<dyn IKeystoreSecurityLevel>,
646 alias: Option<String>,
647 att_challenge: &[u8],
Rajesh Nyamagoud4d483372022-02-09 01:38:23 +0000[diff] [blame]648 attest_key: &KeyDescriptor,
649) -> binder::Result<KeyMetadata> {
650 let ec_gen_params = AuthSetBuilder::new()
651 .no_auth_required()
652 .algorithm(Algorithm::EC)
653 .purpose(KeyPurpose::SIGN)
654 .purpose(KeyPurpose::VERIFY)
655 .digest(Digest::SHA_2_256)
656 .ec_curve(EcCurve::P_256)
David Drysdale38f2ca32023-01-10 13:10:51 +0000[diff] [blame]657 .attestation_challenge(att_challenge.to_vec());
Rajesh Nyamagoud4d483372022-02-09 01:38:23 +0000[diff] [blame]658
659 let ec_key_metadata = sec_level
660 .generateKey(
661 &KeyDescriptor { domain: Domain::APP, nspace: -1, alias, blob: None },
662 Some(attest_key),
663 &ec_gen_params,
664 0,
665 b"entropy",
666 )
667 .unwrap();
668
669 // Should have public certificate.
670 assert!(ec_key_metadata.certificate.is_some());
671 // Shouldn't have an attestation record.
672 assert!(ec_key_metadata.certificateChain.is_none());
673
674 Ok(ec_key_metadata)
675}
Rajesh Nyamagoudb8402b62022-04-08 01:05:47 +0000[diff] [blame]676
Rajesh Nyamagoudc946cc42022-04-12 22:49:11 +0000[diff] [blame]677/// Verify that given key param is listed in given authorizations list.
678pub fn check_key_param(authorizations: &[Authorization], key_param: KeyParameter) -> bool {
Rajesh Nyamagoudb8402b62022-04-08 01:05:47 +0000[diff] [blame]679 for authrization in authorizations {
680 if authrization.keyParameter == key_param {
681 return true;
682 }
683 }
684
685 false
686}
687
688/// Imports above defined RSA key - `RSA_2048_KEY` and validates imported key parameters.
689pub fn import_rsa_2048_key(
690 sec_level: &binder::Strong<dyn IKeystoreSecurityLevel>,
691 domain: Domain,
692 nspace: i64,
693 alias: Option<String>,
694 import_params: AuthSetBuilder,
695) -> binder::Result<KeyMetadata> {
696 let key_metadata = sec_level
697 .importKey(
698 &KeyDescriptor { domain, nspace, alias, blob: None },
699 None,
700 &import_params,
701 0,
702 RSA_2048_KEY,
703 )
704 .unwrap();
705
706 assert!(key_metadata.certificate.is_some());
707 assert!(key_metadata.certificateChain.is_none());
708
709 assert!(check_key_param(
710 &key_metadata.authorizations,
711 KeyParameter { tag: Tag::ALGORITHM, value: KeyParameterValue::Algorithm(Algorithm::RSA) }
712 ));
713
714 assert!(check_key_param(
715 &key_metadata.authorizations,
716 KeyParameter { tag: Tag::KEY_SIZE, value: KeyParameterValue::Integer(2048) }
717 ));
718
719 assert!(check_key_param(
720 &key_metadata.authorizations,
721 KeyParameter { tag: Tag::DIGEST, value: KeyParameterValue::Digest(Digest::SHA_2_256) }
722 ));
723
724 assert!(check_key_param(
725 &key_metadata.authorizations,
726 KeyParameter {
727 tag: Tag::RSA_PUBLIC_EXPONENT,
728 value: KeyParameterValue::LongInteger(65537)
729 }
730 ));
731
732 assert!(check_key_param(
733 &key_metadata.authorizations,
734 KeyParameter {
735 tag: Tag::PADDING,
736 value: KeyParameterValue::PaddingMode(PaddingMode::RSA_PSS)
737 }
738 ));
739
740 assert!(check_key_param(
741 &key_metadata.authorizations,
742 KeyParameter { tag: Tag::ORIGIN, value: KeyParameterValue::Origin(KeyOrigin::IMPORTED) }
743 ));
744
745 Ok(key_metadata)
746}
747
748/// Imports above defined EC key - `EC_P_256_KEY` and validates imported key parameters.
749pub fn import_ec_p_256_key(
750 sec_level: &binder::Strong<dyn IKeystoreSecurityLevel>,
751 domain: Domain,
752 nspace: i64,
753 alias: Option<String>,
754 import_params: AuthSetBuilder,
755) -> binder::Result<KeyMetadata> {
756 let key_metadata = sec_level
757 .importKey(
758 &KeyDescriptor { domain, nspace, alias, blob: None },
759 None,
760 &import_params,
761 0,
762 EC_P_256_KEY,
763 )
764 .unwrap();
765
766 assert!(key_metadata.certificate.is_some());
767 assert!(key_metadata.certificateChain.is_none());
768
769 assert!(check_key_param(
770 &key_metadata.authorizations,
771 KeyParameter { tag: Tag::ALGORITHM, value: KeyParameterValue::Algorithm(Algorithm::EC) }
772 ));
773
774 assert!(check_key_param(
775 &key_metadata.authorizations,
776 KeyParameter { tag: Tag::EC_CURVE, value: KeyParameterValue::EcCurve(EcCurve::P_256) }
777 ));
778
779 assert!(check_key_param(
780 &key_metadata.authorizations,
781 KeyParameter { tag: Tag::DIGEST, value: KeyParameterValue::Digest(Digest::SHA_2_256) }
782 ));
783 assert!(check_key_param(
784 &key_metadata.authorizations,
785 KeyParameter { tag: Tag::ORIGIN, value: KeyParameterValue::Origin(KeyOrigin::IMPORTED) }
786 ));
787
788 Ok(key_metadata)
789}
790
791/// Import sample AES key and validate its key parameters.
792pub fn import_aes_key(
793 sec_level: &binder::Strong<dyn IKeystoreSecurityLevel>,
794 domain: Domain,
795 nspace: i64,
796 alias: Option<String>,
797) -> binder::Result<KeyMetadata> {
798 static AES_KEY: &[u8] = &[0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0];
799 let key_size = AES_KEY.len() * 8;
800
801 let import_params = AuthSetBuilder::new()
802 .no_auth_required()
803 .algorithm(Algorithm::AES)
804 .block_mode(BlockMode::ECB)
805 .key_size(key_size.try_into().unwrap())
806 .purpose(KeyPurpose::ENCRYPT)
807 .purpose(KeyPurpose::DECRYPT)
808 .padding_mode(PaddingMode::PKCS7);
809
810 let key_metadata = sec_level.importKey(
811 &KeyDescriptor { domain, nspace, alias, blob: None },
812 None,
813 &import_params,
814 0,
815 AES_KEY,
816 )?;
817
818 assert!(check_key_param(
819 &key_metadata.authorizations,
820 KeyParameter { tag: Tag::ALGORITHM, value: KeyParameterValue::Algorithm(Algorithm::AES) }
821 ));
822 assert!(check_key_param(
823 &key_metadata.authorizations,
824 KeyParameter { tag: Tag::KEY_SIZE, value: KeyParameterValue::Integer(128) }
825 ));
826 assert!(check_key_param(
827 &key_metadata.authorizations,
828 KeyParameter {
829 tag: Tag::PADDING,
830 value: KeyParameterValue::PaddingMode(PaddingMode::PKCS7)
831 }
832 ));
833 assert!(check_key_param(
834 &key_metadata.authorizations,
835 KeyParameter { tag: Tag::BLOCK_MODE, value: KeyParameterValue::BlockMode(BlockMode::ECB) }
836 ));
837 assert!(check_key_param(
838 &key_metadata.authorizations,
839 KeyParameter { tag: Tag::ORIGIN, value: KeyParameterValue::Origin(KeyOrigin::IMPORTED) }
840 ));
841
842 Ok(key_metadata)
843}
844
845/// Import sample 3DES key and validate its key parameters.
846pub fn import_3des_key(
847 sec_level: &binder::Strong<dyn IKeystoreSecurityLevel>,
848 domain: Domain,
849 nspace: i64,
850 alias: Option<String>,
851) -> binder::Result<KeyMetadata> {
852 static TRIPLE_DES_KEY: &[u8] = &[
853 0xa4, 0x9d, 0x75, 0x64, 0x19, 0x9e, 0x97, 0xcb, 0x52, 0x9d, 0x2c, 0x9d, 0x97, 0xbf, 0x2f,
854 0x98, 0xd3, 0x5e, 0xdf, 0x57, 0xba, 0x1f, 0x73, 0x58,
855 ];
856
857 let import_params = AuthSetBuilder::new()
858 .no_auth_required()
859 .algorithm(Algorithm::TRIPLE_DES)
860 .block_mode(BlockMode::ECB)
861 .key_size(168)
862 .purpose(KeyPurpose::ENCRYPT)
863 .purpose(KeyPurpose::DECRYPT)
864 .padding_mode(PaddingMode::PKCS7);
865
866 let key_metadata = sec_level.importKey(
867 &KeyDescriptor { domain, nspace, alias, blob: None },
868 None,
869 &import_params,
870 0,
871 TRIPLE_DES_KEY,
872 )?;
873
874 assert!(check_key_param(
875 &key_metadata.authorizations,
876 KeyParameter {
877 tag: Tag::ALGORITHM,
878 value: KeyParameterValue::Algorithm(Algorithm::TRIPLE_DES)
879 }
880 ));
881 assert!(check_key_param(
882 &key_metadata.authorizations,
883 KeyParameter { tag: Tag::KEY_SIZE, value: KeyParameterValue::Integer(168) }
884 ));
885 assert!(check_key_param(
886 &key_metadata.authorizations,
887 KeyParameter {
888 tag: Tag::PADDING,
889 value: KeyParameterValue::PaddingMode(PaddingMode::PKCS7)
890 }
891 ));
892 assert!(check_key_param(
893 &key_metadata.authorizations,
894 KeyParameter { tag: Tag::BLOCK_MODE, value: KeyParameterValue::BlockMode(BlockMode::ECB) }
895 ));
896 assert!(check_key_param(
897 &key_metadata.authorizations,
898 KeyParameter { tag: Tag::ORIGIN, value: KeyParameterValue::Origin(KeyOrigin::IMPORTED) }
899 ));
900
901 Ok(key_metadata)
902}
903
904/// Import sample HMAC key and validate its key parameters.
905pub fn import_hmac_key(
906 sec_level: &binder::Strong<dyn IKeystoreSecurityLevel>,
907 domain: Domain,
908 nspace: i64,
909 alias: Option<String>,
910) -> binder::Result<KeyMetadata> {
911 static HMAC_KEY: &[u8] = &[0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0];
912 let key_size = HMAC_KEY.len() * 8;
913
914 let import_params = AuthSetBuilder::new()
915 .no_auth_required()
916 .algorithm(Algorithm::HMAC)
917 .key_size(key_size.try_into().unwrap())
918 .purpose(KeyPurpose::SIGN)
919 .purpose(KeyPurpose::VERIFY)
920 .digest(Digest::SHA_2_256)
921 .min_mac_length(256);
922
923 let key_metadata = sec_level.importKey(
924 &KeyDescriptor { domain, nspace, alias, blob: None },
925 None,
926 &import_params,
927 0,
928 HMAC_KEY,
929 )?;
930
931 assert!(check_key_param(
932 &key_metadata.authorizations,
933 KeyParameter { tag: Tag::ALGORITHM, value: KeyParameterValue::Algorithm(Algorithm::HMAC) }
934 ));
935 assert!(check_key_param(
936 &key_metadata.authorizations,
937 KeyParameter { tag: Tag::KEY_SIZE, value: KeyParameterValue::Integer(128) }
938 ));
939 assert!(check_key_param(
940 &key_metadata.authorizations,
941 KeyParameter { tag: Tag::DIGEST, value: KeyParameterValue::Digest(Digest::SHA_2_256) }
942 ));
943 assert!(check_key_param(
944 &key_metadata.authorizations,
945 KeyParameter { tag: Tag::ORIGIN, value: KeyParameterValue::Origin(KeyOrigin::IMPORTED) }
946 ));
947
948 Ok(key_metadata)
949}
Rajesh Nyamagoudc946cc42022-04-12 22:49:11 +0000[diff] [blame]950
951/// Imports RSA encryption key with WRAP_KEY purpose.
952pub fn import_wrapping_key(
953 sec_level: &binder::Strong<dyn IKeystoreSecurityLevel>,
954 wrapping_key_data: &[u8],
955 wrapping_key_alias: Option<String>,
956) -> binder::Result<KeyMetadata> {
957 let wrapping_key_params = AuthSetBuilder::new()
958 .no_auth_required()
959 .algorithm(Algorithm::RSA)
960 .digest(Digest::SHA_2_256)
961 .purpose(KeyPurpose::ENCRYPT)
962 .purpose(KeyPurpose::DECRYPT)
963 .purpose(KeyPurpose::WRAP_KEY)
964 .padding_mode(PaddingMode::RSA_OAEP)
965 .key_size(2048)
966 .rsa_public_exponent(65537)
967 .cert_not_before(0)
968 .cert_not_after(253402300799000);
969
970 sec_level.importKey(
971 &KeyDescriptor { domain: Domain::APP, nspace: -1, alias: wrapping_key_alias, blob: None },
972 None,
973 &wrapping_key_params,
974 0,
975 wrapping_key_data,
976 )
977}
978
979/// Import wrapped key using given wrapping key.
980pub fn import_wrapped_key(
981 sec_level: &binder::Strong<dyn IKeystoreSecurityLevel>,
982 alias: Option<String>,
983 wrapping_key_metadata: &KeyMetadata,
984 wrapped_key: Option<Vec<u8>>,
985) -> binder::Result<KeyMetadata> {
986 let unwrap_params =
987 AuthSetBuilder::new().digest(Digest::SHA_2_256).padding_mode(PaddingMode::RSA_OAEP);
988
989 let authenticator_spec: &[AuthenticatorSpec] = &[AuthenticatorSpec {
990 authenticatorType: HardwareAuthenticatorType::NONE,
991 authenticatorId: 0,
992 }];
993
994 let key_metadata = sec_level.importWrappedKey(
995 &KeyDescriptor { domain: Domain::APP, nspace: -1, alias, blob: wrapped_key },
996 &wrapping_key_metadata.key,
997 None,
998 &unwrap_params,
999 authenticator_spec,
1000 )?;
1001
1002 Ok(key_metadata)
1003}
1004
1005/// Import wrapping key and then import wrapped key using wrapping key.
1006pub fn import_wrapping_key_and_wrapped_key(
1007 sec_level: &binder::Strong<dyn IKeystoreSecurityLevel>,
1008 domain: Domain,
1009 nspace: i64,
1010 alias: Option<String>,
1011 wrapping_key_alias: Option<String>,
1012 wrapping_key_params: AuthSetBuilder,
1013) -> binder::Result<KeyMetadata> {
1014 let wrapping_key_metadata = sec_level.importKey(
1015 &KeyDescriptor { domain, nspace, alias: wrapping_key_alias, blob: None },
1016 None,
1017 &wrapping_key_params,
1018 0,
1019 WRAPPING_KEY,
1020 )?;
1021
1022 import_wrapped_key(sec_level, alias, &wrapping_key_metadata, Some(WRAPPED_KEY.to_vec()))
1023}
1024
1025/// Import given key material as AES-256-GCM-NONE transport key.
1026pub fn import_transport_key(
1027 sec_level: &binder::Strong<dyn IKeystoreSecurityLevel>,
1028 transport_key_alias: Option<String>,
1029 transport_key: &[u8],
1030) -> binder::Result<KeyMetadata> {
1031 let transport_key_params = AuthSetBuilder::new()
1032 .no_auth_required()
1033 .algorithm(Algorithm::AES)
1034 .block_mode(BlockMode::GCM)
1035 .padding_mode(PaddingMode::NONE)
1036 .key_size(256)
1037 .caller_nonce()
1038 .min_mac_length(128)
1039 .purpose(KeyPurpose::ENCRYPT)
1040 .purpose(KeyPurpose::DECRYPT);
1041
1042 sec_level.importKey(
1043 &KeyDescriptor { domain: Domain::APP, nspace: -1, alias: transport_key_alias, blob: None },
1044 None,
1045 &transport_key_params,
1046 0,
1047 transport_key,
1048 )
1049}
Rajesh Nyamagoudaf050562022-11-11 01:56:45 +0000[diff] [blame]1050
1051/// Generate EC key with purpose AGREE_KEY.
1052pub fn generate_ec_agree_key(
1053 sec_level: &binder::Strong<dyn IKeystoreSecurityLevel>,
1054 ec_curve: EcCurve,
1055 digest: Digest,
1056 domain: Domain,
1057 nspace: i64,
1058 alias: Option<String>,
1059) -> binder::Result<KeyMetadata> {
1060 let gen_params = AuthSetBuilder::new()
1061 .no_auth_required()
1062 .algorithm(Algorithm::EC)
1063 .purpose(KeyPurpose::AGREE_KEY)
1064 .digest(digest)
1065 .ec_curve(ec_curve);
1066
1067 match sec_level.generateKey(
1068 &KeyDescriptor { domain, nspace, alias, blob: None },
1069 None,
1070 &gen_params,
1071 0,
1072 b"entropy",
1073 ) {
1074 Ok(key_metadata) => {
1075 assert!(key_metadata.certificate.is_some());
1076 if domain == Domain::BLOB {
1077 assert!(key_metadata.key.blob.is_some());
1078 }
1079
1080 Ok(key_metadata)
1081 }
1082 Err(e) => Err(e),
1083 }
1084}