Joel Galenson | de386b4 | 2020-09-30 10:53:05 -0700 | [diff] [blame] | 1 | // Copyright 2020, The Android Open Source Project |
| 2 | // |
| 3 | // Licensed under the Apache License, Version 2.0 (the "License"); |
| 4 | // you may not use this file except in compliance with the License. |
| 5 | // You may obtain a copy of the License at |
| 6 | // |
| 7 | // http://www.apache.org/licenses/LICENSE-2.0 |
| 8 | // |
| 9 | // Unless required by applicable law or agreed to in writing, software |
| 10 | // distributed under the License is distributed on an "AS IS" BASIS, |
| 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| 12 | // See the License for the specific language governing permissions and |
| 13 | // limitations under the License. |
| 14 | |
Paul Crowley | d5653e5 | 2021-03-25 09:46:31 -0700 | [diff] [blame] | 15 | //! Export into Rust a function to create a KeyMintDevice and add it as a service. |
Joel Galenson | de386b4 | 2020-09-30 10:53:05 -0700 | [diff] [blame] | 16 | |
Paul Crowley | d5653e5 | 2021-03-25 09:46:31 -0700 | [diff] [blame] | 17 | #[allow(missing_docs)] // TODO remove this |
Joel Galenson | de386b4 | 2020-09-30 10:53:05 -0700 | [diff] [blame] | 18 | extern "C" { |
| 19 | fn addKeyMintDeviceService() -> i32; |
| 20 | } |
| 21 | |
Paul Crowley | d5653e5 | 2021-03-25 09:46:31 -0700 | [diff] [blame] | 22 | #[allow(missing_docs)] // TODO remove this |
Joel Galenson | de386b4 | 2020-09-30 10:53:05 -0700 | [diff] [blame] | 23 | pub fn add_keymint_device_service() -> i32 { |
| 24 | unsafe { addKeyMintDeviceService() } |
| 25 | } |
| 26 | |
| 27 | #[cfg(test)] |
| 28 | mod tests { |
| 29 | |
| 30 | use super::*; |
| 31 | use android_hardware_security_keymint::aidl::android::hardware::security::keymint::{ |
Shawn Willden | dbdac60 | 2021-01-12 22:35:16 -0700 | [diff] [blame] | 32 | Algorithm::Algorithm, BeginResult::BeginResult, BlockMode::BlockMode, Digest::Digest, |
David Drysdale | f5c1ab0 | 2021-04-19 19:08:14 +0100 | [diff] [blame] | 33 | ErrorCode::ErrorCode, IKeyMintDevice::IKeyMintDevice, KeyCreationResult::KeyCreationResult, |
Janis Danisevskis | 67f3056 | 2021-05-21 13:20:22 -0700 | [diff] [blame] | 34 | KeyFormat::KeyFormat, KeyOrigin::KeyOrigin, KeyParameter::KeyParameter, |
| 35 | KeyParameterValue::KeyParameterValue, KeyPurpose::KeyPurpose, PaddingMode::PaddingMode, |
| 36 | SecurityLevel::SecurityLevel, Tag::Tag, |
Joel Galenson | de386b4 | 2020-09-30 10:53:05 -0700 | [diff] [blame] | 37 | }; |
Stephen Crane | 221bbb5 | 2020-12-16 15:52:10 -0800 | [diff] [blame] | 38 | use android_hardware_security_keymint::binder::{self, Strong}; |
Joel Galenson | de386b4 | 2020-09-30 10:53:05 -0700 | [diff] [blame] | 39 | use android_security_compat::aidl::android::security::compat::IKeystoreCompatService::IKeystoreCompatService; |
| 40 | |
Joel Galenson | f21c002 | 2020-12-11 14:37:52 -0800 | [diff] [blame] | 41 | static COMPAT_NAME: &str = "android.security.compat"; |
| 42 | |
Stephen Crane | 221bbb5 | 2020-12-16 15:52:10 -0800 | [diff] [blame] | 43 | fn get_device() -> Option<Strong<dyn IKeyMintDevice>> { |
Joel Galenson | de386b4 | 2020-09-30 10:53:05 -0700 | [diff] [blame] | 44 | add_keymint_device_service(); |
Stephen Crane | 221bbb5 | 2020-12-16 15:52:10 -0800 | [diff] [blame] | 45 | let compat_service: Strong<dyn IKeystoreCompatService> = |
Janis Danisevskis | 1291384 | 2021-02-01 13:49:25 -0800 | [diff] [blame] | 46 | binder::get_interface(COMPAT_NAME).ok()?; |
| 47 | compat_service.getKeyMintDevice(SecurityLevel::TRUSTED_ENVIRONMENT).ok() |
| 48 | } |
| 49 | |
| 50 | macro_rules! get_device_or_skip_test { |
| 51 | () => { |
| 52 | match get_device() { |
| 53 | Some(dev) => dev, |
| 54 | None => return, |
| 55 | } |
| 56 | }; |
Joel Galenson | de386b4 | 2020-09-30 10:53:05 -0700 | [diff] [blame] | 57 | } |
| 58 | |
| 59 | #[test] |
| 60 | fn test_get_hardware_info() { |
Janis Danisevskis | 1291384 | 2021-02-01 13:49:25 -0800 | [diff] [blame] | 61 | let legacy = get_device_or_skip_test!(); |
Joel Galenson | d4dbfd5 | 2021-01-25 09:45:33 -0800 | [diff] [blame] | 62 | let hinfo = legacy.getHardwareInfo(); |
| 63 | assert!(hinfo.is_ok()); |
Joel Galenson | de386b4 | 2020-09-30 10:53:05 -0700 | [diff] [blame] | 64 | } |
| 65 | |
| 66 | #[test] |
Joel Galenson | de386b4 | 2020-09-30 10:53:05 -0700 | [diff] [blame] | 67 | fn test_add_rng_entropy() { |
Janis Danisevskis | 1291384 | 2021-02-01 13:49:25 -0800 | [diff] [blame] | 68 | let legacy = get_device_or_skip_test!(); |
Joel Galenson | de386b4 | 2020-09-30 10:53:05 -0700 | [diff] [blame] | 69 | let result = legacy.addRngEntropy(&[42; 16]); |
| 70 | assert!(result.is_ok(), "{:?}", result); |
| 71 | } |
| 72 | |
| 73 | // TODO: If I only need the key itself, don't return the other things. |
Shawn Willden | dbdac60 | 2021-01-12 22:35:16 -0700 | [diff] [blame] | 74 | fn generate_key(legacy: &dyn IKeyMintDevice, kps: Vec<KeyParameter>) -> KeyCreationResult { |
Shawn Willden | c2f3acf | 2021-02-03 07:07:17 -0700 | [diff] [blame] | 75 | let creation_result = |
| 76 | legacy.generateKey(&kps, None /* attest_key */).expect("Failed to generate key"); |
Shawn Willden | dbdac60 | 2021-01-12 22:35:16 -0700 | [diff] [blame] | 77 | assert_ne!(creation_result.keyBlob.len(), 0); |
| 78 | creation_result |
Joel Galenson | de386b4 | 2020-09-30 10:53:05 -0700 | [diff] [blame] | 79 | } |
| 80 | |
Janis Danisevskis | 2c08401 | 2021-01-31 22:23:17 -0800 | [diff] [blame] | 81 | // Per RFC 5280 4.1.2.5, an undefined expiration (not-after) field should be set to GeneralizedTime |
| 82 | // 999912312359559, which is 253402300799000 ms from Jan 1, 1970. |
| 83 | const UNDEFINED_NOT_AFTER: i64 = 253402300799000i64; |
| 84 | |
Joel Galenson | de386b4 | 2020-09-30 10:53:05 -0700 | [diff] [blame] | 85 | fn generate_rsa_key(legacy: &dyn IKeyMintDevice, encrypt: bool, attest: bool) -> Vec<u8> { |
| 86 | let mut kps = vec![ |
Janis Danisevskis | b60c004 | 2020-12-17 00:11:21 -0800 | [diff] [blame] | 87 | KeyParameter { |
| 88 | tag: Tag::ALGORITHM, |
| 89 | value: KeyParameterValue::Algorithm(Algorithm::RSA), |
| 90 | }, |
| 91 | KeyParameter { tag: Tag::KEY_SIZE, value: KeyParameterValue::Integer(2048) }, |
Joel Galenson | de386b4 | 2020-09-30 10:53:05 -0700 | [diff] [blame] | 92 | KeyParameter { |
| 93 | tag: Tag::RSA_PUBLIC_EXPONENT, |
Janis Danisevskis | b60c004 | 2020-12-17 00:11:21 -0800 | [diff] [blame] | 94 | value: KeyParameterValue::LongInteger(65537), |
Joel Galenson | de386b4 | 2020-09-30 10:53:05 -0700 | [diff] [blame] | 95 | }, |
Janis Danisevskis | b60c004 | 2020-12-17 00:11:21 -0800 | [diff] [blame] | 96 | KeyParameter { tag: Tag::DIGEST, value: KeyParameterValue::Digest(Digest::SHA_2_256) }, |
Joel Galenson | de386b4 | 2020-09-30 10:53:05 -0700 | [diff] [blame] | 97 | KeyParameter { |
| 98 | tag: Tag::PADDING, |
Janis Danisevskis | b60c004 | 2020-12-17 00:11:21 -0800 | [diff] [blame] | 99 | value: KeyParameterValue::PaddingMode(PaddingMode::RSA_PSS), |
Joel Galenson | de386b4 | 2020-09-30 10:53:05 -0700 | [diff] [blame] | 100 | }, |
Janis Danisevskis | b60c004 | 2020-12-17 00:11:21 -0800 | [diff] [blame] | 101 | KeyParameter { tag: Tag::NO_AUTH_REQUIRED, value: KeyParameterValue::BoolValue(true) }, |
| 102 | KeyParameter { |
| 103 | tag: Tag::PURPOSE, |
| 104 | value: KeyParameterValue::KeyPurpose(KeyPurpose::SIGN), |
| 105 | }, |
Janis Danisevskis | 2c08401 | 2021-01-31 22:23:17 -0800 | [diff] [blame] | 106 | KeyParameter { |
| 107 | tag: Tag::CERTIFICATE_NOT_BEFORE, |
| 108 | value: KeyParameterValue::DateTime(0), |
| 109 | }, |
| 110 | KeyParameter { |
| 111 | tag: Tag::CERTIFICATE_NOT_AFTER, |
| 112 | value: KeyParameterValue::DateTime(UNDEFINED_NOT_AFTER), |
| 113 | }, |
Joel Galenson | de386b4 | 2020-09-30 10:53:05 -0700 | [diff] [blame] | 114 | ]; |
| 115 | if encrypt { |
| 116 | kps.push(KeyParameter { |
| 117 | tag: Tag::PURPOSE, |
Janis Danisevskis | b60c004 | 2020-12-17 00:11:21 -0800 | [diff] [blame] | 118 | value: KeyParameterValue::KeyPurpose(KeyPurpose::ENCRYPT), |
Joel Galenson | de386b4 | 2020-09-30 10:53:05 -0700 | [diff] [blame] | 119 | }); |
| 120 | } |
| 121 | if attest { |
| 122 | kps.push(KeyParameter { |
| 123 | tag: Tag::ATTESTATION_CHALLENGE, |
Janis Danisevskis | b60c004 | 2020-12-17 00:11:21 -0800 | [diff] [blame] | 124 | value: KeyParameterValue::Blob(vec![42; 8]), |
Joel Galenson | de386b4 | 2020-09-30 10:53:05 -0700 | [diff] [blame] | 125 | }); |
| 126 | kps.push(KeyParameter { |
| 127 | tag: Tag::ATTESTATION_APPLICATION_ID, |
Janis Danisevskis | b60c004 | 2020-12-17 00:11:21 -0800 | [diff] [blame] | 128 | value: KeyParameterValue::Blob(vec![42; 8]), |
Joel Galenson | de386b4 | 2020-09-30 10:53:05 -0700 | [diff] [blame] | 129 | }); |
| 130 | } |
Shawn Willden | dbdac60 | 2021-01-12 22:35:16 -0700 | [diff] [blame] | 131 | let creation_result = generate_key(legacy, kps); |
Joel Galenson | de386b4 | 2020-09-30 10:53:05 -0700 | [diff] [blame] | 132 | if attest { |
| 133 | // TODO: Will this always be greater than 1? |
Shawn Willden | dbdac60 | 2021-01-12 22:35:16 -0700 | [diff] [blame] | 134 | assert!(creation_result.certificateChain.len() > 1); |
Joel Galenson | de386b4 | 2020-09-30 10:53:05 -0700 | [diff] [blame] | 135 | } else { |
Shawn Willden | dbdac60 | 2021-01-12 22:35:16 -0700 | [diff] [blame] | 136 | assert_eq!(creation_result.certificateChain.len(), 1); |
Joel Galenson | de386b4 | 2020-09-30 10:53:05 -0700 | [diff] [blame] | 137 | } |
Shawn Willden | dbdac60 | 2021-01-12 22:35:16 -0700 | [diff] [blame] | 138 | creation_result.keyBlob |
Joel Galenson | de386b4 | 2020-09-30 10:53:05 -0700 | [diff] [blame] | 139 | } |
| 140 | |
| 141 | #[test] |
| 142 | fn test_generate_key_no_encrypt() { |
Janis Danisevskis | 1291384 | 2021-02-01 13:49:25 -0800 | [diff] [blame] | 143 | let legacy = get_device_or_skip_test!(); |
Joel Galenson | de386b4 | 2020-09-30 10:53:05 -0700 | [diff] [blame] | 144 | generate_rsa_key(legacy.as_ref(), false, false); |
| 145 | } |
| 146 | |
| 147 | #[test] |
| 148 | fn test_generate_key_encrypt() { |
Janis Danisevskis | 1291384 | 2021-02-01 13:49:25 -0800 | [diff] [blame] | 149 | let legacy = get_device_or_skip_test!(); |
Joel Galenson | de386b4 | 2020-09-30 10:53:05 -0700 | [diff] [blame] | 150 | generate_rsa_key(legacy.as_ref(), true, false); |
| 151 | } |
| 152 | |
| 153 | #[test] |
| 154 | fn test_generate_key_attested() { |
Janis Danisevskis | 1291384 | 2021-02-01 13:49:25 -0800 | [diff] [blame] | 155 | let legacy = get_device_or_skip_test!(); |
Joel Galenson | de386b4 | 2020-09-30 10:53:05 -0700 | [diff] [blame] | 156 | generate_rsa_key(legacy.as_ref(), false, true); |
| 157 | } |
| 158 | |
| 159 | #[test] |
| 160 | fn test_import_key() { |
Janis Danisevskis | 1291384 | 2021-02-01 13:49:25 -0800 | [diff] [blame] | 161 | let legacy = get_device_or_skip_test!(); |
Janis Danisevskis | b60c004 | 2020-12-17 00:11:21 -0800 | [diff] [blame] | 162 | let kps = [KeyParameter { |
| 163 | tag: Tag::ALGORITHM, |
| 164 | value: KeyParameterValue::Algorithm(Algorithm::AES), |
| 165 | }]; |
Joel Galenson | de386b4 | 2020-09-30 10:53:05 -0700 | [diff] [blame] | 166 | let kf = KeyFormat::RAW; |
| 167 | let kd = [0; 16]; |
Shawn Willden | c2f3acf | 2021-02-03 07:07:17 -0700 | [diff] [blame] | 168 | let creation_result = |
| 169 | legacy.importKey(&kps, kf, &kd, None /* attest_key */).expect("Failed to import key"); |
Shawn Willden | dbdac60 | 2021-01-12 22:35:16 -0700 | [diff] [blame] | 170 | assert_ne!(creation_result.keyBlob.len(), 0); |
| 171 | assert_eq!(creation_result.certificateChain.len(), 0); |
Joel Galenson | de386b4 | 2020-09-30 10:53:05 -0700 | [diff] [blame] | 172 | } |
| 173 | |
| 174 | #[test] |
| 175 | fn test_import_wrapped_key() { |
Janis Danisevskis | 1291384 | 2021-02-01 13:49:25 -0800 | [diff] [blame] | 176 | let legacy = get_device_or_skip_test!(); |
Shawn Willden | dbdac60 | 2021-01-12 22:35:16 -0700 | [diff] [blame] | 177 | let result = legacy.importWrappedKey(&[], &[], &[], &[], 0, 0); |
Joel Galenson | d4dbfd5 | 2021-01-25 09:45:33 -0800 | [diff] [blame] | 178 | // For this test we only care that there was no crash. |
| 179 | assert!(result.is_ok() || result.is_err()); |
Joel Galenson | de386b4 | 2020-09-30 10:53:05 -0700 | [diff] [blame] | 180 | } |
| 181 | |
| 182 | #[test] |
| 183 | fn test_upgrade_key() { |
Janis Danisevskis | 1291384 | 2021-02-01 13:49:25 -0800 | [diff] [blame] | 184 | let legacy = get_device_or_skip_test!(); |
Joel Galenson | de386b4 | 2020-09-30 10:53:05 -0700 | [diff] [blame] | 185 | let blob = generate_rsa_key(legacy.as_ref(), false, false); |
| 186 | let result = legacy.upgradeKey(&blob, &[]); |
Joel Galenson | d4dbfd5 | 2021-01-25 09:45:33 -0800 | [diff] [blame] | 187 | // For this test we only care that there was no crash. |
| 188 | assert!(result.is_ok() || result.is_err()); |
Joel Galenson | de386b4 | 2020-09-30 10:53:05 -0700 | [diff] [blame] | 189 | } |
| 190 | |
| 191 | #[test] |
| 192 | fn test_delete_key() { |
Janis Danisevskis | 1291384 | 2021-02-01 13:49:25 -0800 | [diff] [blame] | 193 | let legacy = get_device_or_skip_test!(); |
Joel Galenson | de386b4 | 2020-09-30 10:53:05 -0700 | [diff] [blame] | 194 | let blob = generate_rsa_key(legacy.as_ref(), false, false); |
| 195 | let result = legacy.deleteKey(&blob); |
| 196 | assert!(result.is_ok(), "{:?}", result); |
| 197 | } |
| 198 | |
| 199 | #[test] |
| 200 | fn test_delete_all_keys() { |
Janis Danisevskis | 1291384 | 2021-02-01 13:49:25 -0800 | [diff] [blame] | 201 | let legacy = get_device_or_skip_test!(); |
Joel Galenson | de386b4 | 2020-09-30 10:53:05 -0700 | [diff] [blame] | 202 | let result = legacy.deleteAllKeys(); |
| 203 | assert!(result.is_ok(), "{:?}", result); |
| 204 | } |
| 205 | |
| 206 | #[test] |
| 207 | fn test_destroy_attestation_ids() { |
Janis Danisevskis | 1291384 | 2021-02-01 13:49:25 -0800 | [diff] [blame] | 208 | let legacy = get_device_or_skip_test!(); |
Joel Galenson | de386b4 | 2020-09-30 10:53:05 -0700 | [diff] [blame] | 209 | let result = legacy.destroyAttestationIds(); |
| 210 | assert!(result.is_err()); |
| 211 | assert_eq!(result.unwrap_err().service_specific_error(), ErrorCode::UNIMPLEMENTED.0,); |
| 212 | } |
| 213 | |
| 214 | fn generate_aes_key(legacy: &dyn IKeyMintDevice) -> Vec<u8> { |
| 215 | let kps = vec![ |
Janis Danisevskis | b60c004 | 2020-12-17 00:11:21 -0800 | [diff] [blame] | 216 | KeyParameter { |
| 217 | tag: Tag::ALGORITHM, |
| 218 | value: KeyParameterValue::Algorithm(Algorithm::AES), |
| 219 | }, |
| 220 | KeyParameter { tag: Tag::KEY_SIZE, value: KeyParameterValue::Integer(128) }, |
| 221 | KeyParameter { |
| 222 | tag: Tag::BLOCK_MODE, |
| 223 | value: KeyParameterValue::BlockMode(BlockMode::CBC), |
| 224 | }, |
| 225 | KeyParameter { |
| 226 | tag: Tag::PADDING, |
| 227 | value: KeyParameterValue::PaddingMode(PaddingMode::NONE), |
| 228 | }, |
| 229 | KeyParameter { tag: Tag::NO_AUTH_REQUIRED, value: KeyParameterValue::BoolValue(true) }, |
Joel Galenson | de386b4 | 2020-09-30 10:53:05 -0700 | [diff] [blame] | 230 | KeyParameter { |
| 231 | tag: Tag::PURPOSE, |
Janis Danisevskis | b60c004 | 2020-12-17 00:11:21 -0800 | [diff] [blame] | 232 | value: KeyParameterValue::KeyPurpose(KeyPurpose::ENCRYPT), |
Joel Galenson | de386b4 | 2020-09-30 10:53:05 -0700 | [diff] [blame] | 233 | }, |
| 234 | KeyParameter { |
| 235 | tag: Tag::PURPOSE, |
Janis Danisevskis | b60c004 | 2020-12-17 00:11:21 -0800 | [diff] [blame] | 236 | value: KeyParameterValue::KeyPurpose(KeyPurpose::DECRYPT), |
Joel Galenson | de386b4 | 2020-09-30 10:53:05 -0700 | [diff] [blame] | 237 | }, |
| 238 | ]; |
Shawn Willden | dbdac60 | 2021-01-12 22:35:16 -0700 | [diff] [blame] | 239 | let creation_result = generate_key(legacy, kps); |
| 240 | assert_eq!(creation_result.certificateChain.len(), 0); |
| 241 | creation_result.keyBlob |
Joel Galenson | de386b4 | 2020-09-30 10:53:05 -0700 | [diff] [blame] | 242 | } |
| 243 | |
| 244 | fn begin( |
| 245 | legacy: &dyn IKeyMintDevice, |
| 246 | blob: &[u8], |
| 247 | purpose: KeyPurpose, |
| 248 | extra_params: Option<Vec<KeyParameter>>, |
| 249 | ) -> BeginResult { |
| 250 | let mut kps = vec![ |
Janis Danisevskis | b60c004 | 2020-12-17 00:11:21 -0800 | [diff] [blame] | 251 | KeyParameter { |
| 252 | tag: Tag::BLOCK_MODE, |
| 253 | value: KeyParameterValue::BlockMode(BlockMode::CBC), |
| 254 | }, |
| 255 | KeyParameter { |
| 256 | tag: Tag::PADDING, |
| 257 | value: KeyParameterValue::PaddingMode(PaddingMode::NONE), |
| 258 | }, |
Joel Galenson | de386b4 | 2020-09-30 10:53:05 -0700 | [diff] [blame] | 259 | ]; |
| 260 | if let Some(mut extras) = extra_params { |
| 261 | kps.append(&mut extras); |
| 262 | } |
Chris Wailes | d5aaaef | 2021-07-27 16:04:33 -0700 | [diff] [blame] | 263 | let result = legacy.begin(purpose, blob, &kps, None); |
Joel Galenson | de386b4 | 2020-09-30 10:53:05 -0700 | [diff] [blame] | 264 | assert!(result.is_ok(), "{:?}", result); |
| 265 | result.unwrap() |
| 266 | } |
| 267 | |
| 268 | #[test] |
| 269 | fn test_begin_abort() { |
Janis Danisevskis | 1291384 | 2021-02-01 13:49:25 -0800 | [diff] [blame] | 270 | let legacy = get_device_or_skip_test!(); |
Joel Galenson | de386b4 | 2020-09-30 10:53:05 -0700 | [diff] [blame] | 271 | let blob = generate_aes_key(legacy.as_ref()); |
| 272 | let begin_result = begin(legacy.as_ref(), &blob, KeyPurpose::ENCRYPT, None); |
| 273 | let operation = begin_result.operation.unwrap(); |
| 274 | let result = operation.abort(); |
| 275 | assert!(result.is_ok(), "{:?}", result); |
| 276 | let result = operation.abort(); |
| 277 | assert!(result.is_err()); |
| 278 | } |
| 279 | |
| 280 | #[test] |
| 281 | fn test_begin_update_finish() { |
Janis Danisevskis | 1291384 | 2021-02-01 13:49:25 -0800 | [diff] [blame] | 282 | let legacy = get_device_or_skip_test!(); |
Joel Galenson | de386b4 | 2020-09-30 10:53:05 -0700 | [diff] [blame] | 283 | let blob = generate_aes_key(legacy.as_ref()); |
| 284 | |
| 285 | let begin_result = begin(legacy.as_ref(), &blob, KeyPurpose::ENCRYPT, None); |
| 286 | let operation = begin_result.operation.unwrap(); |
Shawn Willden | 44cc03d | 2021-02-19 10:53:49 -0700 | [diff] [blame] | 287 | |
| 288 | let update_aad_result = operation.updateAad( |
| 289 | &b"foobar".to_vec(), |
| 290 | None, /* authToken */ |
| 291 | None, /* timestampToken */ |
| 292 | ); |
| 293 | assert!(update_aad_result.is_ok(), "{:?}", update_aad_result); |
| 294 | |
Joel Galenson | de386b4 | 2020-09-30 10:53:05 -0700 | [diff] [blame] | 295 | let message = [42; 128]; |
Shawn Willden | 44cc03d | 2021-02-19 10:53:49 -0700 | [diff] [blame] | 296 | let result = operation.finish( |
| 297 | Some(&message), |
| 298 | None, /* signature */ |
| 299 | None, /* authToken */ |
| 300 | None, /* timestampToken */ |
| 301 | None, /* confirmationToken */ |
| 302 | ); |
Joel Galenson | de386b4 | 2020-09-30 10:53:05 -0700 | [diff] [blame] | 303 | assert!(result.is_ok(), "{:?}", result); |
| 304 | let ciphertext = result.unwrap(); |
| 305 | assert!(!ciphertext.is_empty()); |
Joel Galenson | de386b4 | 2020-09-30 10:53:05 -0700 | [diff] [blame] | 306 | |
| 307 | let begin_result = |
| 308 | begin(legacy.as_ref(), &blob, KeyPurpose::DECRYPT, Some(begin_result.params)); |
Shawn Willden | 44cc03d | 2021-02-19 10:53:49 -0700 | [diff] [blame] | 309 | |
Joel Galenson | de386b4 | 2020-09-30 10:53:05 -0700 | [diff] [blame] | 310 | let operation = begin_result.operation.unwrap(); |
Shawn Willden | 44cc03d | 2021-02-19 10:53:49 -0700 | [diff] [blame] | 311 | |
| 312 | let update_aad_result = operation.updateAad( |
| 313 | &b"foobar".to_vec(), |
| 314 | None, /* authToken */ |
| 315 | None, /* timestampToken */ |
| 316 | ); |
| 317 | assert!(update_aad_result.is_ok(), "{:?}", update_aad_result); |
| 318 | |
Joel Galenson | de386b4 | 2020-09-30 10:53:05 -0700 | [diff] [blame] | 319 | let result = operation.update( |
Shawn Willden | 44cc03d | 2021-02-19 10:53:49 -0700 | [diff] [blame] | 320 | &ciphertext, |
| 321 | None, /* authToken */ |
| 322 | None, /* timestampToken */ |
Joel Galenson | de386b4 | 2020-09-30 10:53:05 -0700 | [diff] [blame] | 323 | ); |
| 324 | assert!(result.is_ok(), "{:?}", result); |
Shawn Willden | 44cc03d | 2021-02-19 10:53:49 -0700 | [diff] [blame] | 325 | assert_eq!(result.unwrap(), message); |
| 326 | let result = operation.finish( |
| 327 | None, /* input */ |
| 328 | None, /* signature */ |
| 329 | None, /* authToken */ |
| 330 | None, /* timestampToken */ |
| 331 | None, /* confirmationToken */ |
| 332 | ); |
Joel Galenson | de386b4 | 2020-09-30 10:53:05 -0700 | [diff] [blame] | 333 | assert!(result.is_ok(), "{:?}", result); |
Joel Galenson | de386b4 | 2020-09-30 10:53:05 -0700 | [diff] [blame] | 334 | } |
Joel Galenson | f21c002 | 2020-12-11 14:37:52 -0800 | [diff] [blame] | 335 | |
| 336 | #[test] |
| 337 | fn test_secure_clock() { |
| 338 | add_keymint_device_service(); |
Stephen Crane | 221bbb5 | 2020-12-16 15:52:10 -0800 | [diff] [blame] | 339 | let compat_service: binder::Strong<dyn IKeystoreCompatService> = |
Joel Galenson | 9978cd4 | 2021-02-23 09:11:10 -0800 | [diff] [blame] | 340 | match binder::get_interface(COMPAT_NAME) { |
| 341 | Ok(cs) => cs, |
| 342 | _ => return, |
| 343 | }; |
| 344 | let secure_clock = match compat_service.getSecureClock() { |
| 345 | Ok(sc) => sc, |
| 346 | _ => return, |
| 347 | }; |
Joel Galenson | f21c002 | 2020-12-11 14:37:52 -0800 | [diff] [blame] | 348 | |
| 349 | let challenge = 42; |
| 350 | let result = secure_clock.generateTimeStamp(challenge); |
| 351 | assert!(result.is_ok(), "{:?}", result); |
| 352 | let result = result.unwrap(); |
| 353 | assert_eq!(result.challenge, challenge); |
| 354 | assert_eq!(result.mac.len(), 32); |
| 355 | } |
| 356 | |
| 357 | #[test] |
| 358 | fn test_shared_secret() { |
| 359 | add_keymint_device_service(); |
Stephen Crane | 221bbb5 | 2020-12-16 15:52:10 -0800 | [diff] [blame] | 360 | let compat_service: binder::Strong<dyn IKeystoreCompatService> = |
Joel Galenson | 9978cd4 | 2021-02-23 09:11:10 -0800 | [diff] [blame] | 361 | match binder::get_interface(COMPAT_NAME) { |
| 362 | Ok(cs) => cs, |
| 363 | _ => return, |
| 364 | }; |
| 365 | let shared_secret = match compat_service.getSharedSecret(SecurityLevel::TRUSTED_ENVIRONMENT) |
| 366 | { |
| 367 | Ok(ss) => ss, |
| 368 | _ => return, |
| 369 | }; |
Joel Galenson | f21c002 | 2020-12-11 14:37:52 -0800 | [diff] [blame] | 370 | |
| 371 | let result = shared_secret.getSharedSecretParameters(); |
| 372 | assert!(result.is_ok(), "{:?}", result); |
| 373 | let params = result.unwrap(); |
| 374 | |
| 375 | let result = shared_secret.computeSharedSecret(&[params]); |
| 376 | assert!(result.is_ok(), "{:?}", result); |
| 377 | assert_ne!(result.unwrap().len(), 0); |
| 378 | } |
Janis Danisevskis | 67f3056 | 2021-05-21 13:20:22 -0700 | [diff] [blame] | 379 | |
| 380 | #[test] |
| 381 | fn test_get_key_characteristics() { |
| 382 | let legacy = get_device_or_skip_test!(); |
| 383 | let hw_info = legacy.getHardwareInfo().expect("GetHardwareInfo"); |
| 384 | |
| 385 | let blob = generate_rsa_key(legacy.as_ref(), false, false); |
| 386 | let characteristics = |
| 387 | legacy.getKeyCharacteristics(&blob, &[], &[]).expect("GetKeyCharacteristics."); |
| 388 | |
| 389 | assert!(characteristics.iter().any(|kc| kc.securityLevel == hw_info.securityLevel)); |
| 390 | let sec_level_enforced = &characteristics |
| 391 | .iter() |
| 392 | .find(|kc| kc.securityLevel == hw_info.securityLevel) |
| 393 | .expect("There should be characteristics matching the device's security level.") |
| 394 | .authorizations; |
| 395 | |
| 396 | assert!(sec_level_enforced.iter().any(|kp| matches!( |
| 397 | kp, |
| 398 | KeyParameter { |
| 399 | tag: Tag::PURPOSE, |
| 400 | value: KeyParameterValue::KeyPurpose(KeyPurpose::SIGN) |
| 401 | } |
| 402 | ))); |
| 403 | assert!(sec_level_enforced.iter().any(|kp| matches!( |
| 404 | kp, |
| 405 | KeyParameter { tag: Tag::DIGEST, value: KeyParameterValue::Digest(Digest::SHA_2_256) } |
| 406 | ))); |
| 407 | assert!(sec_level_enforced.iter().any(|kp| matches!( |
| 408 | kp, |
| 409 | KeyParameter { |
| 410 | tag: Tag::PADDING, |
| 411 | value: KeyParameterValue::PaddingMode(PaddingMode::RSA_PSS) |
| 412 | } |
| 413 | ))); |
| 414 | assert!(sec_level_enforced.iter().any(|kp| matches!( |
| 415 | kp, |
| 416 | KeyParameter { |
| 417 | tag: Tag::ALGORITHM, |
| 418 | value: KeyParameterValue::Algorithm(Algorithm::RSA) |
| 419 | } |
| 420 | ))); |
| 421 | assert!(sec_level_enforced.iter().any(|kp| matches!( |
| 422 | kp, |
| 423 | KeyParameter { tag: Tag::KEY_SIZE, value: KeyParameterValue::Integer(2048) } |
| 424 | ))); |
| 425 | assert!(sec_level_enforced.iter().any(|kp| matches!( |
| 426 | kp, |
| 427 | KeyParameter { |
| 428 | tag: Tag::RSA_PUBLIC_EXPONENT, |
| 429 | value: KeyParameterValue::LongInteger(65537) |
| 430 | } |
| 431 | ))); |
| 432 | assert!(sec_level_enforced.iter().any(|kp| matches!( |
| 433 | kp, |
| 434 | KeyParameter { tag: Tag::NO_AUTH_REQUIRED, value: KeyParameterValue::BoolValue(true) } |
| 435 | ))); |
| 436 | assert!(sec_level_enforced.iter().any(|kp| matches!( |
| 437 | kp, |
| 438 | KeyParameter { |
| 439 | tag: Tag::ORIGIN, |
| 440 | value: KeyParameterValue::Origin(KeyOrigin::GENERATED) |
| 441 | } |
| 442 | ))); |
| 443 | assert!(sec_level_enforced.iter().any(|kp| matches!( |
| 444 | kp, |
| 445 | KeyParameter { tag: Tag::OS_VERSION, value: KeyParameterValue::Integer(_) } |
| 446 | ))); |
| 447 | assert!(sec_level_enforced.iter().any(|kp| matches!( |
| 448 | kp, |
| 449 | KeyParameter { tag: Tag::OS_PATCHLEVEL, value: KeyParameterValue::Integer(_) } |
| 450 | ))); |
| 451 | assert!(sec_level_enforced.iter().any(|kp| matches!( |
| 452 | kp, |
Janis Danisevskis | 600321a | 2021-09-30 16:15:25 +0000 | [diff] [blame^] | 453 | KeyParameter { tag: Tag::VENDOR_PATCHLEVEL, value: KeyParameterValue::Integer(_) } |
| 454 | ))); |
| 455 | assert!(sec_level_enforced.iter().any(|kp| matches!( |
| 456 | kp, |
Janis Danisevskis | 67f3056 | 2021-05-21 13:20:22 -0700 | [diff] [blame] | 457 | KeyParameter { tag: Tag::BOOT_PATCHLEVEL, value: KeyParameterValue::Integer(_) } |
| 458 | ))); |
| 459 | } |
Joel Galenson | de386b4 | 2020-09-30 10:53:05 -0700 | [diff] [blame] | 460 | } |