Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_security / 6a82349afb23106b67a72a05596911358698f92f / . / keystore2 / test_utils / key_generations.rs
blob: 02384d91c8ba702e9b2aa3c780d97cbf914bd5b4 [file] [log] [blame]
Rajesh Nyamagoud901386c2022-03-21 20:35:18 +0000[diff] [blame]1// Copyright 2022, The Android Open Source Project
2//
3// Licensed under the Apache License, Version 2.0 (the "License");
4// you may not use this file except in compliance with the License.
5// You may obtain a copy of the License at
6//
7// http://www.apache.org/licenses/LICENSE-2.0
8//
9// Unless required by applicable law or agreed to in writing, software
10// distributed under the License is distributed on an "AS IS" BASIS,
11// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12// See the License for the specific language governing permissions and
13// limitations under the License.
14
15//! This module implements test utils to generate various types of keys.
16
Rajesh Nyamagoudb881d512021-12-10 00:33:15 +0000[diff] [blame]17use anyhow::Result;
18
Rajesh Nyamagoud6a823492023-04-07 02:47:27 +0000[diff] [blame^]19use core::ops::Range;
20use std::collections::HashSet;
21use std::fmt::Write;
22
Rajesh Nyamagoud901386c2022-03-21 20:35:18 +0000[diff] [blame]23use android_hardware_security_keymint::aidl::android::hardware::security::keymint::{
Rajesh Nyamagoud11912ea2021-12-20 20:37:20 +0000[diff] [blame]24 Algorithm::Algorithm, BlockMode::BlockMode, Digest::Digest, EcCurve::EcCurve,
Rajesh Nyamagoudc946cc42022-04-12 22:49:11 +0000[diff] [blame]25 ErrorCode::ErrorCode, HardwareAuthenticatorType::HardwareAuthenticatorType,
26 KeyOrigin::KeyOrigin, KeyParameter::KeyParameter, KeyParameterValue::KeyParameterValue,
27 KeyPurpose::KeyPurpose, PaddingMode::PaddingMode, Tag::Tag,
Rajesh Nyamagoud901386c2022-03-21 20:35:18 +0000[diff] [blame]28};
29use android_system_keystore2::aidl::android::system::keystore2::{
Rajesh Nyamagoudc946cc42022-04-12 22:49:11 +0000[diff] [blame]30 AuthenticatorSpec::AuthenticatorSpec, Authorization::Authorization, Domain::Domain,
31 IKeystoreSecurityLevel::IKeystoreSecurityLevel, KeyDescriptor::KeyDescriptor,
32 KeyMetadata::KeyMetadata, ResponseCode::ResponseCode,
Rajesh Nyamagoud901386c2022-03-21 20:35:18 +0000[diff] [blame]33};
34
35use crate::authorizations::AuthSetBuilder;
Rajesh Nyamagoudb881d512021-12-10 00:33:15 +0000[diff] [blame]36use android_system_keystore2::binder::{ExceptionCode, Result as BinderResult};
Rajesh Nyamagoud901386c2022-03-21 20:35:18 +0000[diff] [blame]37
Rajesh Nyamagoudb881d512021-12-10 00:33:15 +0000[diff] [blame]38/// Shell namespace.
39pub const SELINUX_SHELL_NAMESPACE: i64 = 1;
Rajesh Nyamagouddc6fb232021-12-08 21:27:15 +0000[diff] [blame]40/// Vold namespace.
41pub const SELINUX_VOLD_NAMESPACE: i64 = 100;
Rajesh Nyamagoud901386c2022-03-21 20:35:18 +0000[diff] [blame]42
Rajesh Nyamagoudfa7c0f12021-12-02 17:15:48 +0000[diff] [blame]43/// SU context.
44pub const TARGET_SU_CTX: &str = "u:r:su:s0";
45
46/// Vold context
47pub const TARGET_VOLD_CTX: &str = "u:r:vold:s0";
48
Rajesh Nyamagoud11912ea2021-12-20 20:37:20 +0000[diff] [blame]49/// Key parameters to generate a key.
50pub struct KeyParams {
51 /// Key Size.
52 pub key_size: i32,
53 /// Key Purposes.
54 pub purpose: Vec<KeyPurpose>,
55 /// Padding Mode.
56 pub padding: Option<PaddingMode>,
57 /// Digest.
58 pub digest: Option<Digest>,
59 /// MFG Digest.
60 pub mgf_digest: Option<Digest>,
61 /// Block Mode.
62 pub block_mode: Option<BlockMode>,
63 /// Attestation challenge.
64 pub att_challenge: Option<Vec<u8>>,
Rajesh Nyamagoud11912ea2021-12-20 20:37:20 +0000[diff] [blame]65}
66
Rajesh Nyamagoudb8402b62022-04-08 01:05:47 +0000[diff] [blame]67/// DER-encoded PKCS#8 format RSA key. Generated using:
68/// openssl genrsa 2048 | openssl pkcs8 -topk8 -nocrypt -outform der | hexdump -e '30/1 "%02X" "\n"'
69pub static RSA_2048_KEY: &[u8] = &[
70 0x30, 0x82, 0x04, 0xBD, 0x02, 0x01, 0x00, 0x30, 0x0D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7,
71 0x0D, 0x01, 0x01, 0x01, 0x05, 0x00, 0x04, 0x82, 0x04, 0xA7, 0x30, 0x82, 0x04, 0xA3, 0x02, 0x01,
72 0x00, 0x02, 0x82, 0x01, 0x01, 0x00, 0xE5, 0x14, 0xE3, 0xC2, 0x43, 0xF3, 0x0F, 0xCC, 0x22, 0x73,
73 0x9C, 0x84, 0xCC, 0x1B, 0x6C, 0x97, 0x4B, 0xC9, 0xDF, 0x1F, 0xE2, 0xB8, 0x80, 0x85, 0xF9, 0x27,
74 0xAB, 0x97, 0x94, 0x58, 0x4B, 0xC9, 0x40, 0x94, 0x5A, 0xB4, 0xD4, 0xF8, 0xD0, 0x36, 0xC4, 0x86,
75 0x17, 0x7D, 0xA2, 0x48, 0x6D, 0x40, 0xF0, 0xB9, 0x61, 0x4F, 0xCE, 0x65, 0x80, 0x88, 0x81, 0x59,
76 0x95, 0x11, 0x24, 0xF4, 0x36, 0xB7, 0xB7, 0x37, 0x44, 0xF4, 0x6C, 0x1C, 0xEB, 0x04, 0x19, 0x78,
77 0xB2, 0x29, 0x4D, 0x21, 0x44, 0x16, 0x57, 0x58, 0x6D, 0x7D, 0x56, 0xB5, 0x99, 0xDD, 0xD2, 0xAD,
78 0x02, 0x9A, 0x72, 0x16, 0x67, 0xD6, 0x00, 0x9F, 0x69, 0xE0, 0x25, 0xEE, 0x7C, 0x86, 0x54, 0x27,
79 0x4B, 0x50, 0xEF, 0x60, 0x52, 0x60, 0x82, 0xAA, 0x09, 0x15, 0x72, 0xD2, 0xEB, 0x01, 0x52, 0x04,
80 0x39, 0x60, 0xBC, 0x5E, 0x95, 0x07, 0xC8, 0xC2, 0x3A, 0x3A, 0xE2, 0xA4, 0x99, 0x6B, 0x27, 0xE3,
81 0xA3, 0x55, 0x69, 0xC4, 0xB3, 0x2D, 0x19, 0xC4, 0x34, 0x76, 0xFC, 0x27, 0xDA, 0x22, 0xB2, 0x62,
82 0x69, 0x25, 0xDE, 0x0D, 0xE7, 0x54, 0x3C, 0xBB, 0x61, 0xD2, 0x20, 0xDA, 0x7B, 0x6E, 0x63, 0xBD,
83 0x9A, 0x4B, 0xCD, 0x75, 0xC6, 0xA1, 0x5E, 0x1C, 0x3E, 0xD5, 0x63, 0x59, 0x22, 0x7E, 0xE0, 0x6C,
84 0x98, 0x25, 0x63, 0x97, 0x56, 0xDF, 0x71, 0xF5, 0x4C, 0x78, 0xE9, 0xE1, 0xD5, 0xFC, 0xF8, 0x5A,
85 0x5B, 0xF6, 0x1D, 0xFA, 0x5A, 0x99, 0x4C, 0x99, 0x19, 0x21, 0x1D, 0xF5, 0x24, 0x07, 0xEF, 0x8A,
86 0xC9, 0x9F, 0xE7, 0x3F, 0xBB, 0x46, 0x1A, 0x16, 0x96, 0xC6, 0xD6, 0x12, 0x7E, 0xDA, 0xCB, 0xEB,
87 0x2F, 0x1D, 0x3B, 0x31, 0xCC, 0x55, 0x63, 0xA2, 0x6F, 0x8A, 0xDE, 0x35, 0x52, 0x40, 0x04, 0xBF,
88 0xE0, 0x82, 0x32, 0xE1, 0x6D, 0x8B, 0x02, 0x03, 0x01, 0x00, 0x01, 0x02, 0x82, 0x01, 0x00, 0x2D,
89 0x1F, 0x71, 0x41, 0x79, 0xBA, 0xED, 0xD8, 0xAA, 0xCC, 0x94, 0xFE, 0xFF, 0x69, 0x43, 0x79, 0x85,
90 0xBF, 0x2C, 0xC9, 0x0E, 0x12, 0x83, 0x96, 0x60, 0x1E, 0x75, 0x49, 0x35, 0x3A, 0x33, 0x2B, 0x60,
91 0x22, 0x18, 0xBF, 0xD7, 0xD7, 0x6E, 0xC3, 0xEA, 0xEF, 0xF2, 0xBE, 0x97, 0x71, 0xA6, 0xBB, 0x8C,
92 0xEF, 0x27, 0x00, 0xDE, 0x49, 0xD6, 0x08, 0x8D, 0x5A, 0x04, 0xE7, 0xCC, 0x9C, 0xA2, 0x0E, 0x8B,
93 0xF3, 0x42, 0x0C, 0xD7, 0x22, 0xD7, 0x14, 0x06, 0xA4, 0x64, 0x8B, 0x88, 0x1A, 0xCE, 0x5B, 0x8C,
94 0x36, 0xE9, 0xD2, 0x2F, 0x7B, 0x33, 0xE4, 0xA2, 0xB3, 0xDB, 0x78, 0x6A, 0x92, 0x89, 0x3F, 0x78,
95 0xFD, 0xED, 0x8F, 0xEE, 0x48, 0xCC, 0x94, 0x75, 0x0D, 0x0C, 0x63, 0xD3, 0xD2, 0xE8, 0x47, 0x04,
96 0x55, 0xD3, 0xD6, 0x3A, 0xB8, 0xDA, 0xFB, 0x76, 0x99, 0x48, 0x68, 0x0A, 0x92, 0xA2, 0xCD, 0xF7,
97 0x45, 0x8B, 0x50, 0xFE, 0xF9, 0x1A, 0x33, 0x24, 0x3C, 0x2E, 0xDE, 0x88, 0xAD, 0xB2, 0x5B, 0x9F,
98 0x44, 0xEA, 0xD1, 0x9F, 0xC7, 0x9F, 0x02, 0x5E, 0x31, 0x61, 0xB3, 0xD6, 0xE2, 0xE1, 0xBC, 0xFB,
99 0x1C, 0xDB, 0xBD, 0xB2, 0x9A, 0xE5, 0xEF, 0xDA, 0xCD, 0x29, 0xA5, 0x45, 0xCC, 0x67, 0x01, 0x8B,
100 0x1C, 0x1D, 0x0E, 0x8F, 0x73, 0x69, 0x4D, 0x4D, 0xF6, 0x9D, 0xA6, 0x6C, 0x9A, 0x1C, 0xF4, 0x5C,
101 0xE4, 0x83, 0x9A, 0x77, 0x12, 0x01, 0xBD, 0xCE, 0x66, 0x3A, 0x4B, 0x3D, 0x6E, 0xE0, 0x6E, 0x82,
102 0x98, 0xDE, 0x74, 0x11, 0x47, 0xEC, 0x7A, 0x3A, 0xA9, 0xD8, 0x48, 0x00, 0x26, 0x64, 0x47, 0x7B,
103 0xAE, 0x55, 0x9D, 0x29, 0x22, 0xB4, 0xB3, 0xB9, 0xB1, 0x64, 0xEA, 0x3B, 0x5A, 0xD3, 0x3F, 0x8D,
104 0x0F, 0x14, 0x7E, 0x4E, 0xB8, 0x1B, 0x06, 0xFC, 0xB1, 0x7E, 0xCD, 0xB9, 0x1A, 0x4E, 0xA1, 0x02,
105 0x81, 0x81, 0x00, 0xF9, 0xDE, 0xEE, 0xED, 0x13, 0x2F, 0xBB, 0xE7, 0xE2, 0xB3, 0x2D, 0x98, 0xD2,
106 0xE8, 0x25, 0x07, 0x5A, 0x1E, 0x51, 0x0A, 0xC8, 0xAD, 0x50, 0x4B, 0x80, 0xC6, 0x22, 0xF5, 0x9B,
107 0x08, 0xE6, 0x3D, 0x01, 0xC6, 0x3E, 0xC8, 0xD2, 0x54, 0x9F, 0x91, 0x77, 0x95, 0xCD, 0xCA, 0xC7,
108 0xE7, 0x47, 0x94, 0xA9, 0x5F, 0x4E, 0xBE, 0x31, 0x3D, 0xB4, 0xAF, 0x43, 0x0F, 0xDC, 0x8D, 0x9C,
109 0x1E, 0x52, 0x7B, 0x72, 0x21, 0x34, 0xB3, 0x96, 0x7C, 0x9C, 0xB8, 0x51, 0x65, 0x60, 0xAC, 0x3D,
110 0x11, 0x32, 0xB8, 0xD6, 0x34, 0x35, 0x66, 0xD0, 0x30, 0xB9, 0xE9, 0x67, 0x2C, 0x87, 0x73, 0x43,
111 0x9C, 0x12, 0x16, 0x7D, 0x4A, 0xD9, 0xA3, 0x4C, 0x24, 0x64, 0x6A, 0x32, 0x8E, 0xC3, 0xD8, 0x00,
112 0x90, 0x5C, 0x4D, 0x65, 0x01, 0x53, 0x8A, 0xD0, 0x87, 0xCE, 0x96, 0xEF, 0xFA, 0x73, 0x03, 0xF1,
113 0xDC, 0x1B, 0x9B, 0x02, 0x81, 0x81, 0x00, 0xEA, 0xB3, 0x69, 0x00, 0x11, 0x0E, 0x50, 0xAA, 0xD3,
114 0x22, 0x51, 0x78, 0x9D, 0xFF, 0x05, 0x62, 0xBC, 0x9A, 0x67, 0x86, 0xE1, 0xC5, 0x02, 0x2D, 0x14,
115 0x11, 0x29, 0x30, 0xE7, 0x90, 0x5D, 0x72, 0x6F, 0xC5, 0x62, 0xEB, 0xD4, 0xB0, 0x3F, 0x3D, 0xDC,
116 0xB9, 0xFC, 0x2B, 0x5C, 0xBD, 0x9E, 0x71, 0x81, 0x5C, 0xC5, 0xFE, 0xDF, 0x69, 0x73, 0x12, 0x66,
117 0x92, 0x06, 0xD4, 0xD5, 0x8F, 0xDF, 0x14, 0x2E, 0x9C, 0xD0, 0x4C, 0xC2, 0x4D, 0x31, 0x2E, 0x47,
118 0xA5, 0xDC, 0x8A, 0x83, 0x7B, 0xE8, 0xA5, 0xC3, 0x03, 0x98, 0xD8, 0xBF, 0xF4, 0x7D, 0x6E, 0x87,
119 0x55, 0xE4, 0x0F, 0x15, 0x10, 0xC8, 0x76, 0x4F, 0xAD, 0x1D, 0x1C, 0x95, 0x41, 0x9D, 0x88, 0xEC,
120 0x8C, 0xDA, 0xBA, 0x90, 0x7F, 0x8D, 0xD9, 0x8B, 0x47, 0x6C, 0x0C, 0xFF, 0xBA, 0x73, 0x00, 0x20,
121 0x1F, 0xF7, 0x7E, 0x5F, 0xF4, 0xEC, 0xD1, 0x02, 0x81, 0x80, 0x16, 0xB7, 0x43, 0xB5, 0x5D, 0xD7,
122 0x2B, 0x18, 0x0B, 0xAE, 0x0A, 0x69, 0x28, 0x53, 0x5E, 0x7A, 0x6A, 0xA0, 0xF2, 0xF1, 0x2E, 0x09,
123 0x43, 0x91, 0x79, 0xA5, 0x89, 0xAC, 0x16, 0x6A, 0x1A, 0xB4, 0x55, 0x22, 0xF6, 0xB6, 0x3F, 0x18,
124 0xDE, 0x60, 0xD5, 0x24, 0x53, 0x4F, 0x2A, 0x19, 0x46, 0x92, 0xA7, 0x4B, 0x38, 0xD7, 0x65, 0x96,
125 0x9C, 0x84, 0x8A, 0x6E, 0x38, 0xB8, 0xCF, 0x06, 0x9A, 0xAD, 0x0A, 0x55, 0x26, 0x7B, 0x65, 0x24,
126 0xF3, 0x02, 0x76, 0xB3, 0xE6, 0xB4, 0x01, 0xE1, 0x3C, 0x61, 0x3D, 0x68, 0x05, 0xAA, 0xD1, 0x26,
127 0x7C, 0xE0, 0x51, 0x36, 0xE5, 0x21, 0x7F, 0x76, 0x02, 0xD6, 0xF4, 0x91, 0x07, 0x74, 0x27, 0x09,
128 0xEF, 0xEF, 0x0F, 0xA5, 0x96, 0xFC, 0x5E, 0x20, 0xC1, 0xA3, 0x6F, 0x99, 0x4D, 0x45, 0x03, 0x6C,
129 0x35, 0x45, 0xD7, 0x8F, 0x47, 0x41, 0x86, 0x8D, 0x62, 0x1D, 0x02, 0x81, 0x81, 0x00, 0xC3, 0x93,
130 0x85, 0xA7, 0xFC, 0x8E, 0x85, 0x42, 0x14, 0x76, 0xC0, 0x95, 0x56, 0x73, 0xB0, 0xB5, 0x3A, 0x9D,
131 0x20, 0x30, 0x11, 0xEA, 0xED, 0x89, 0x4A, 0xF3, 0x91, 0xF3, 0xA2, 0xC3, 0x76, 0x5B, 0x6A, 0x30,
132 0x7D, 0xE2, 0x2F, 0x76, 0x3E, 0xFC, 0xF9, 0xF6, 0x31, 0xE0, 0xA0, 0x83, 0x92, 0x88, 0xDB, 0x57,
133 0xC7, 0xD6, 0x3F, 0xAD, 0xCB, 0xAA, 0x45, 0xB6, 0xE1, 0xE2, 0x71, 0xA4, 0x56, 0x2C, 0xA7, 0x3B,
134 0x1D, 0x89, 0x19, 0x50, 0xE1, 0xEE, 0xC2, 0xDD, 0xC0, 0x0D, 0xDC, 0xCB, 0x60, 0x6E, 0xE1, 0x37,
135 0x1A, 0x23, 0x64, 0xB2, 0x03, 0xE4, 0x1A, 0xFA, 0xC3, 0xF4, 0x9D, 0x85, 0x42, 0xC6, 0xF4, 0x56,
136 0x39, 0xB0, 0x1B, 0xE0, 0x75, 0xBA, 0x28, 0x04, 0xA8, 0x30, 0x57, 0x41, 0x33, 0x9F, 0x58, 0xA4,
137 0xC7, 0xB1, 0x7D, 0x58, 0x8D, 0x84, 0x49, 0x40, 0xDA, 0x28, 0x81, 0x25, 0xC4, 0x41, 0x02, 0x81,
138 0x80, 0x13, 0x20, 0x65, 0xD5, 0x96, 0x98, 0x8D, 0x16, 0x73, 0xA1, 0x31, 0x73, 0x79, 0xBA, 0xEC,
139 0xB0, 0xD9, 0x0C, 0xF6, 0xEF, 0x2F, 0xC2, 0xE7, 0x96, 0x9B, 0xA1, 0x2D, 0xE9, 0xFB, 0x45, 0xB9,
140 0xD0, 0x30, 0xE2, 0xBD, 0x30, 0x4F, 0xB6, 0xFE, 0x24, 0x02, 0xCF, 0x8D, 0x51, 0x48, 0x45, 0xD9,
141 0xF7, 0x20, 0x53, 0x1C, 0x0B, 0xA9, 0x7E, 0xC2, 0xA2, 0x65, 0xCC, 0x3E, 0x0E, 0x0D, 0xF1, 0x62,
142 0xDD, 0x5F, 0xBC, 0x55, 0x9B, 0x58, 0x26, 0x40, 0x6A, 0xEE, 0x02, 0x55, 0x36, 0xE9, 0xBA, 0x82,
143 0x5A, 0xFD, 0x3C, 0xDF, 0xA6, 0x26, 0x32, 0x81, 0xA9, 0x5E, 0x46, 0xBE, 0xBA, 0xDC, 0xD3, 0x2A,
144 0x3A, 0x3B, 0xC1, 0x4E, 0xF7, 0x1A, 0xDC, 0x4B, 0xAF, 0x67, 0x1B, 0x3A, 0x83, 0x0D, 0x04, 0xDE,
145 0x27, 0x47, 0xFC, 0xE6, 0x39, 0x89, 0x7B, 0x66, 0xF9, 0x50, 0x4D, 0xF1, 0xAC, 0x20, 0x43, 0x7E,
146 0xEE,
147];
148
149/// DER-encoded PKCS#8 format EC key. Generated using:
150/// openssl ecparam -name prime256v1 -genkey | openssl pkcs8 -topk8 -nocrypt -outform der | hexdump -e '30/1 "%02X" "\n"'
151pub static EC_P_256_KEY: &[u8] = &[
152 0x30, 0x81, 0x87, 0x02, 0x01, 0x00, 0x30, 0x13, 0x06, 0x07, 0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x02,
153 0x01, 0x06, 0x08, 0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x03, 0x01, 0x07, 0x04, 0x6D, 0x30, 0x6B, 0x02,
154 0x01, 0x01, 0x04, 0x20, 0xB9, 0x1D, 0xAF, 0x50, 0xFD, 0xD8, 0x6A, 0x40, 0xAB, 0x2C, 0xCB, 0x54,
155 0x4E, 0xED, 0xF1, 0x64, 0xBC, 0x30, 0x25, 0xFB, 0xC4, 0x69, 0x00, 0x34, 0x1A, 0x82, 0xA3, 0x72,
156 0x5D, 0xC7, 0xA9, 0x85, 0xA1, 0x44, 0x03, 0x42, 0x00, 0x04, 0xE8, 0x53, 0x0A, 0xF2, 0xD3, 0x68,
157 0x40, 0x48, 0x8C, 0xB4, 0x2F, 0x11, 0x34, 0xD7, 0xF4, 0x4A, 0x5C, 0x33, 0xFF, 0xF6, 0x2B, 0xF7,
158 0x98, 0x0F, 0x02, 0xA5, 0xD7, 0x4F, 0xF9, 0xDE, 0x60, 0x9C, 0x6E, 0xB0, 0x45, 0xDA, 0x3F, 0xF4,
159 0x34, 0x23, 0x9B, 0x4C, 0x3A, 0x09, 0x9C, 0x5E, 0x5D, 0x37, 0x96, 0xAC, 0x4A, 0xE7, 0x65, 0x2B,
160 0xD6, 0x84, 0x98, 0xEA, 0x96, 0x91, 0xFB, 0x78, 0xED, 0x86,
161];
162
Rajesh Nyamagoudc946cc42022-04-12 22:49:11 +0000[diff] [blame]163/// DER-encoded PKCS#8 format RSA key -
164/// Size: 2048
165/// Public Exponent: 65537
166/// Purpose: WRAP_KEY, ENCRYPT, DECRYPT
167/// Encryption scheme: RSAES-PKCS1-v1_5
168/// Digest: SHA_2_256
169/// Padding: RSA_OAEP
170/// This sample wrapping_key is taken from KeyMint tests
171/// (see hardware/interfaces/security/keymint/aidl/vts/functional/KeyMintTest.cpp).
172/// Similarly more test keys can be generated with below command -
173/// openssl genrsa 2048 | openssl pkcs8 -topk8 -nocrypt -outform der | hexdump -e '30/1 "%02X" "\n"'
174pub static WRAPPING_KEY: &[u8] = &[
175 0x30, 0x82, 0x04, 0xbe, 0x02, 0x01, 0x00, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7,
176 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x04, 0x82, 0x04, 0xa8, 0x30, 0x82, 0x04, 0xa4, 0x02, 0x01,
177 0x00, 0x02, 0x82, 0x01, 0x01, 0x00, 0xae, 0xc3, 0x67, 0x93, 0x1d, 0x89, 0x00, 0xce, 0x56, 0xb0,
178 0x06, 0x7f, 0x7d, 0x70, 0xe1, 0xfc, 0x65, 0x3f, 0x3f, 0x34, 0xd1, 0x94, 0xc1, 0xfe, 0xd5, 0x00,
179 0x18, 0xfb, 0x43, 0xdb, 0x93, 0x7b, 0x06, 0xe6, 0x73, 0xa8, 0x37, 0x31, 0x3d, 0x56, 0xb1, 0xc7,
180 0x25, 0x15, 0x0a, 0x3f, 0xef, 0x86, 0xac, 0xbd, 0xdc, 0x41, 0xbb, 0x75, 0x9c, 0x28, 0x54, 0xea,
181 0xe3, 0x2d, 0x35, 0x84, 0x1e, 0xfb, 0x5c, 0x18, 0xd8, 0x2b, 0xc9, 0x0a, 0x1c, 0xb5, 0xc1, 0xd5,
182 0x5a, 0xdf, 0x24, 0x5b, 0x02, 0x91, 0x1f, 0x0b, 0x7c, 0xda, 0x88, 0xc4, 0x21, 0xff, 0x0e, 0xba,
183 0xfe, 0x7c, 0x0d, 0x23, 0xbe, 0x31, 0x2d, 0x7b, 0xd5, 0x92, 0x1f, 0xfa, 0xea, 0x13, 0x47, 0xc1,
184 0x57, 0x40, 0x6f, 0xef, 0x71, 0x8f, 0x68, 0x26, 0x43, 0xe4, 0xe5, 0xd3, 0x3c, 0x67, 0x03, 0xd6,
185 0x1c, 0x0c, 0xf7, 0xac, 0x0b, 0xf4, 0x64, 0x5c, 0x11, 0xf5, 0xc1, 0x37, 0x4c, 0x38, 0x86, 0x42,
186 0x74, 0x11, 0xc4, 0x49, 0x79, 0x67, 0x92, 0xe0, 0xbe, 0xf7, 0x5d, 0xec, 0x85, 0x8a, 0x21, 0x23,
187 0xc3, 0x67, 0x53, 0xe0, 0x2a, 0x95, 0xa9, 0x6d, 0x7c, 0x45, 0x4b, 0x50, 0x4d, 0xe3, 0x85, 0xa6,
188 0x42, 0xe0, 0xdf, 0xc3, 0xe6, 0x0a, 0xc3, 0xa7, 0xee, 0x49, 0x91, 0xd0, 0xd4, 0x8b, 0x01, 0x72,
189 0xa9, 0x5f, 0x95, 0x36, 0xf0, 0x2b, 0xa1, 0x3c, 0xec, 0xcc, 0xb9, 0x2b, 0x72, 0x7d, 0xb5, 0xc2,
190 0x7e, 0x5b, 0x2f, 0x5c, 0xec, 0x09, 0x60, 0x0b, 0x28, 0x6a, 0xf5, 0xcf, 0x14, 0xc4, 0x20, 0x24,
191 0xc6, 0x1d, 0xdf, 0xe7, 0x1c, 0x2a, 0x8d, 0x74, 0x58, 0xf1, 0x85, 0x23, 0x4c, 0xb0, 0x0e, 0x01,
192 0xd2, 0x82, 0xf1, 0x0f, 0x8f, 0xc6, 0x72, 0x1d, 0x2a, 0xed, 0x3f, 0x48, 0x33, 0xcc, 0xa2, 0xbd,
193 0x8f, 0xa6, 0x28, 0x21, 0xdd, 0x55, 0x02, 0x03, 0x01, 0x00, 0x01, 0x02, 0x82, 0x01, 0x00, 0x43,
194 0x14, 0x47, 0xb6, 0x25, 0x19, 0x08, 0x11, 0x2b, 0x1e, 0xe7, 0x6f, 0x99, 0xf3, 0x71, 0x1a, 0x52,
195 0xb6, 0x63, 0x09, 0x60, 0x04, 0x6c, 0x2d, 0xe7, 0x0d, 0xe1, 0x88, 0xd8, 0x33, 0xf8, 0xb8, 0xb9,
196 0x1e, 0x4d, 0x78, 0x5c, 0xae, 0xee, 0xaf, 0x4f, 0x0f, 0x74, 0x41, 0x4e, 0x2c, 0xda, 0x40, 0x64,
197 0x1f, 0x7f, 0xe2, 0x4f, 0x14, 0xc6, 0x7a, 0x88, 0x95, 0x9b, 0xdb, 0x27, 0x76, 0x6d, 0xf9, 0xe7,
198 0x10, 0xb6, 0x30, 0xa0, 0x3a, 0xdc, 0x68, 0x3b, 0x5d, 0x2c, 0x43, 0x08, 0x0e, 0x52, 0xbe, 0xe7,
199 0x1e, 0x9e, 0xae, 0xb6, 0xde, 0x29, 0x7a, 0x5f, 0xea, 0x10, 0x72, 0x07, 0x0d, 0x18, 0x1c, 0x82,
200 0x2b, 0xcc, 0xff, 0x08, 0x7d, 0x63, 0xc9, 0x40, 0xba, 0x8a, 0x45, 0xf6, 0x70, 0xfe, 0xb2, 0x9f,
201 0xb4, 0x48, 0x4d, 0x1c, 0x95, 0xe6, 0xd2, 0x57, 0x9b, 0xa0, 0x2a, 0xae, 0x0a, 0x00, 0x90, 0x0c,
202 0x3e, 0xbf, 0x49, 0x0e, 0x3d, 0x2c, 0xd7, 0xee, 0x8d, 0x0e, 0x20, 0xc5, 0x36, 0xe4, 0xdc, 0x5a,
203 0x50, 0x97, 0x27, 0x28, 0x88, 0xcd, 0xdd, 0x7e, 0x91, 0xf2, 0x28, 0xb1, 0xc4, 0xd7, 0x47, 0x4c,
204 0x55, 0xb8, 0xfc, 0xd6, 0x18, 0xc4, 0xa9, 0x57, 0xbb, 0xdd, 0xd5, 0xad, 0x74, 0x07, 0xcc, 0x31,
205 0x2d, 0x8d, 0x98, 0xa5, 0xca, 0xf7, 0xe0, 0x8f, 0x4a, 0x0d, 0x6b, 0x45, 0xbb, 0x41, 0xc6, 0x52,
206 0x65, 0x9d, 0x5a, 0x5b, 0xa0, 0x5b, 0x66, 0x37, 0x37, 0xa8, 0x69, 0x62, 0x81, 0x86, 0x5b, 0xa2,
207 0x0f, 0xbd, 0xd7, 0xf8, 0x51, 0xe6, 0xc5, 0x6e, 0x8c, 0xbe, 0x0d, 0xdb, 0xbf, 0x24, 0xdc, 0x03,
208 0xb2, 0xd2, 0xcb, 0x4c, 0x3d, 0x54, 0x0f, 0xb0, 0xaf, 0x52, 0xe0, 0x34, 0xa2, 0xd0, 0x66, 0x98,
209 0xb1, 0x28, 0xe5, 0xf1, 0x01, 0xe3, 0xb5, 0x1a, 0x34, 0xf8, 0xd8, 0xb4, 0xf8, 0x61, 0x81, 0x02,
210 0x81, 0x81, 0x00, 0xde, 0x39, 0x2e, 0x18, 0xd6, 0x82, 0xc8, 0x29, 0x26, 0x6c, 0xc3, 0x45, 0x4e,
211 0x1d, 0x61, 0x66, 0x24, 0x2f, 0x32, 0xd9, 0xa1, 0xd1, 0x05, 0x77, 0x75, 0x3e, 0x90, 0x4e, 0xa7,
212 0xd0, 0x8b, 0xff, 0x84, 0x1b, 0xe5, 0xba, 0xc8, 0x2a, 0x16, 0x4c, 0x59, 0x70, 0x00, 0x70, 0x47,
213 0xb8, 0xc5, 0x17, 0xdb, 0x8f, 0x8f, 0x84, 0xe3, 0x7b, 0xd5, 0x98, 0x85, 0x61, 0xbd, 0xf5, 0x03,
214 0xd4, 0xdc, 0x2b, 0xdb, 0x38, 0xf8, 0x85, 0x43, 0x4a, 0xe4, 0x2c, 0x35, 0x5f, 0x72, 0x5c, 0x9a,
215 0x60, 0xf9, 0x1f, 0x07, 0x88, 0xe1, 0xf1, 0xa9, 0x72, 0x23, 0xb5, 0x24, 0xb5, 0x35, 0x7f, 0xdf,
216 0x72, 0xe2, 0xf6, 0x96, 0xba, 0xb7, 0xd7, 0x8e, 0x32, 0xbf, 0x92, 0xba, 0x8e, 0x18, 0x64, 0xea,
217 0xb1, 0x22, 0x9e, 0x91, 0x34, 0x61, 0x30, 0x74, 0x8a, 0x6e, 0x3c, 0x12, 0x4f, 0x91, 0x49, 0xd7,
218 0x1c, 0x74, 0x35, 0x02, 0x81, 0x81, 0x00, 0xc9, 0x53, 0x87, 0xc0, 0xf9, 0xd3, 0x5f, 0x13, 0x7b,
219 0x57, 0xd0, 0xd6, 0x5c, 0x39, 0x7c, 0x5e, 0x21, 0xcc, 0x25, 0x1e, 0x47, 0x00, 0x8e, 0xd6, 0x2a,
220 0x54, 0x24, 0x09, 0xc8, 0xb6, 0xb6, 0xac, 0x7f, 0x89, 0x67, 0xb3, 0x86, 0x3c, 0xa6, 0x45, 0xfc,
221 0xce, 0x49, 0x58, 0x2a, 0x9a, 0xa1, 0x73, 0x49, 0xdb, 0x6c, 0x4a, 0x95, 0xaf, 0xfd, 0xae, 0x0d,
222 0xae, 0x61, 0x2e, 0x1a, 0xfa, 0xc9, 0x9e, 0xd3, 0x9a, 0x2d, 0x93, 0x4c, 0x88, 0x04, 0x40, 0xae,
223 0xd8, 0x83, 0x2f, 0x98, 0x43, 0x16, 0x3a, 0x47, 0xf2, 0x7f, 0x39, 0x21, 0x99, 0xdc, 0x12, 0x02,
224 0xf9, 0xa0, 0xf9, 0xbd, 0x08, 0x30, 0x80, 0x07, 0xcb, 0x1e, 0x4e, 0x7f, 0x58, 0x30, 0x93, 0x66,
225 0xa7, 0xde, 0x25, 0xf7, 0xc3, 0xc9, 0xb8, 0x80, 0x67, 0x7c, 0x06, 0x8e, 0x1b, 0xe9, 0x36, 0xe8,
226 0x12, 0x88, 0x81, 0x52, 0x52, 0xa8, 0xa1, 0x02, 0x81, 0x80, 0x57, 0xff, 0x8c, 0xa1, 0x89, 0x50,
227 0x80, 0xb2, 0xca, 0xe4, 0x86, 0xef, 0x0a, 0xdf, 0xd7, 0x91, 0xfb, 0x02, 0x35, 0xc0, 0xb8, 0xb3,
228 0x6c, 0xd6, 0xc1, 0x36, 0xe5, 0x2e, 0x40, 0x85, 0xf4, 0xea, 0x5a, 0x06, 0x32, 0x12, 0xa4, 0xf1,
229 0x05, 0xa3, 0x76, 0x47, 0x43, 0xe5, 0x32, 0x81, 0x98, 0x8a, 0xba, 0x07, 0x3f, 0x6e, 0x00, 0x27,
230 0x29, 0x8e, 0x1c, 0x43, 0x78, 0x55, 0x6e, 0x0e, 0xfc, 0xa0, 0xe1, 0x4e, 0xce, 0x1a, 0xf7, 0x6a,
231 0xd0, 0xb0, 0x30, 0xf2, 0x7a, 0xf6, 0xf0, 0xab, 0x35, 0xfb, 0x73, 0xa0, 0x60, 0xd8, 0xb1, 0xa0,
232 0xe1, 0x42, 0xfa, 0x26, 0x47, 0xe9, 0x3b, 0x32, 0xe3, 0x6d, 0x82, 0x82, 0xae, 0x0a, 0x4d, 0xe5,
233 0x0a, 0xb7, 0xaf, 0xe8, 0x55, 0x00, 0xa1, 0x6f, 0x43, 0xa6, 0x47, 0x19, 0xd6, 0xe2, 0xb9, 0x43,
234 0x98, 0x23, 0x71, 0x9c, 0xd0, 0x8b, 0xcd, 0x03, 0x17, 0x81, 0x02, 0x81, 0x81, 0x00, 0xba, 0x73,
235 0xb0, 0xbb, 0x28, 0xe3, 0xf8, 0x1e, 0x9b, 0xd1, 0xc5, 0x68, 0x71, 0x3b, 0x10, 0x12, 0x41, 0xac,
236 0xc6, 0x07, 0x97, 0x6c, 0x4d, 0xdc, 0xcc, 0x90, 0xe6, 0x5b, 0x65, 0x56, 0xca, 0x31, 0x51, 0x60,
237 0x58, 0xf9, 0x2b, 0x6e, 0x09, 0xf3, 0xb1, 0x60, 0xff, 0x0e, 0x37, 0x4e, 0xc4, 0x0d, 0x78, 0xae,
238 0x4d, 0x49, 0x79, 0xfd, 0xe6, 0xac, 0x06, 0xa1, 0xa4, 0x00, 0xc6, 0x1d, 0xd3, 0x12, 0x54, 0x18,
239 0x6a, 0xf3, 0x0b, 0x22, 0xc1, 0x05, 0x82, 0xa8, 0xa4, 0x3e, 0x34, 0xfe, 0x94, 0x9c, 0x5f, 0x3b,
240 0x97, 0x55, 0xba, 0xe7, 0xba, 0xa7, 0xb7, 0xb7, 0xa6, 0xbd, 0x03, 0xb3, 0x8c, 0xef, 0x55, 0xc8,
241 0x68, 0x85, 0xfc, 0x6c, 0x19, 0x78, 0xb9, 0xce, 0xe7, 0xef, 0x33, 0xda, 0x50, 0x7c, 0x9d, 0xf6,
242 0xb9, 0x27, 0x7c, 0xff, 0x1e, 0x6a, 0xaa, 0x5d, 0x57, 0xac, 0xa5, 0x28, 0x46, 0x61, 0x02, 0x81,
243 0x81, 0x00, 0xc9, 0x31, 0x61, 0x7c, 0x77, 0x82, 0x9d, 0xfb, 0x12, 0x70, 0x50, 0x2b, 0xe9, 0x19,
244 0x5c, 0x8f, 0x28, 0x30, 0x88, 0x5f, 0x57, 0xdb, 0xa8, 0x69, 0x53, 0x68, 0x11, 0xe6, 0x86, 0x42,
245 0x36, 0xd0, 0xc4, 0x73, 0x6a, 0x00, 0x08, 0xa1, 0x45, 0xaf, 0x36, 0xb8, 0x35, 0x7a, 0x7c, 0x3d,
246 0x13, 0x99, 0x66, 0xd0, 0x4c, 0x4e, 0x00, 0x93, 0x4e, 0xa1, 0xae, 0xde, 0x3b, 0xb6, 0xb8, 0xec,
247 0x84, 0x1d, 0xc9, 0x5e, 0x3f, 0x57, 0x97, 0x51, 0xe2, 0xbf, 0xdf, 0xe2, 0x7a, 0xe7, 0x78, 0x98,
248 0x3f, 0x95, 0x93, 0x56, 0x21, 0x07, 0x23, 0x28, 0x7b, 0x0a, 0xff, 0xcc, 0x9f, 0x72, 0x70, 0x44,
249 0xd4, 0x8c, 0x37, 0x3f, 0x1b, 0xab, 0xde, 0x07, 0x24, 0xfa, 0x17, 0xa4, 0xfd, 0x4d, 0xa0, 0x90,
250 0x2c, 0x7c, 0x9b, 0x9b, 0xf2, 0x7b, 0xa6, 0x1b, 0xe6, 0xad, 0x02, 0xdf, 0xdd, 0xda, 0x8f, 0x4e,
251 0x68, 0x22,
252];
253
254/// WrappedKeyData as ASN.1 DER-encoded data corresponding to the `SecureKeyWrapper` schema
255/// specified in IKeyMintDevice.aidl. Wrapped key parameters are -
256/// Algorithm: AES
257/// Key size: 256
258/// Block mode: ECB
259/// Padding mode: PKCS7
260/// This sample wrapped_key is taken from KeyMint tests (see KeyMintTest.cpp).
261pub static WRAPPED_KEY: &[u8] = &[
262 0x30, 0x82, 0x01, 0x79, 0x02, 0x01, 0x00, 0x04, 0x82, 0x01, 0x00, 0x93, 0x4b, 0xf9, 0x4e, 0x2a,
263 0xa2, 0x8a, 0x3f, 0x83, 0xc9, 0xf7, 0x92, 0x97, 0x25, 0x02, 0x62, 0xfb, 0xe3, 0x27, 0x6b, 0x5a,
264 0x1c, 0x91, 0x15, 0x9b, 0xbf, 0xa3, 0xef, 0x89, 0x57, 0xaa, 0xc8, 0x4b, 0x59, 0xb3, 0x0b, 0x45,
265 0x5a, 0x79, 0xc2, 0x97, 0x34, 0x80, 0x82, 0x3d, 0x8b, 0x38, 0x63, 0xc3, 0xde, 0xef, 0x4a, 0x8e,
266 0x24, 0x35, 0x90, 0x26, 0x8d, 0x80, 0xe1, 0x87, 0x51, 0xa0, 0xe1, 0x30, 0xf6, 0x7c, 0xe6, 0xa1,
267 0xac, 0xe9, 0xf7, 0x9b, 0x95, 0xe0, 0x97, 0x47, 0x4f, 0xeb, 0xc9, 0x81, 0x19, 0x5b, 0x1d, 0x13,
268 0xa6, 0x90, 0x86, 0xc0, 0x86, 0x3f, 0x66, 0xa7, 0xb7, 0xfd, 0xb4, 0x87, 0x92, 0x22, 0x7b, 0x1a,
269 0xc5, 0xe2, 0x48, 0x9f, 0xeb, 0xdf, 0x08, 0x7a, 0xb5, 0x48, 0x64, 0x83, 0x03, 0x3a, 0x6f, 0x00,
270 0x1c, 0xa5, 0xd1, 0xec, 0x1e, 0x27, 0xf5, 0xc3, 0x0f, 0x4c, 0xec, 0x26, 0x42, 0x07, 0x4a, 0x39,
271 0xae, 0x68, 0xae, 0xe5, 0x52, 0xe1, 0x96, 0x62, 0x7a, 0x8e, 0x3d, 0x86, 0x7e, 0x67, 0xa8, 0xc0,
272 0x1b, 0x11, 0xe7, 0x5f, 0x13, 0xcc, 0xa0, 0xa9, 0x7a, 0xb6, 0x68, 0xb5, 0x0c, 0xda, 0x07, 0xa8,
273 0xec, 0xb7, 0xcd, 0x8e, 0x3d, 0xd7, 0x00, 0x9c, 0x96, 0x36, 0x53, 0x4f, 0x6f, 0x23, 0x9c, 0xff,
274 0xe1, 0xfc, 0x8d, 0xaa, 0x46, 0x6f, 0x78, 0xb6, 0x76, 0xc7, 0x11, 0x9e, 0xfb, 0x96, 0xbc, 0xe4,
275 0xe6, 0x9c, 0xa2, 0xa2, 0x5d, 0x0b, 0x34, 0xed, 0x9c, 0x3f, 0xf9, 0x99, 0xb8, 0x01, 0x59, 0x7d,
276 0x52, 0x20, 0xe3, 0x07, 0xea, 0xa5, 0xbe, 0xe5, 0x07, 0xfb, 0x94, 0xd1, 0xfa, 0x69, 0xf9, 0xe5,
277 0x19, 0xb2, 0xde, 0x31, 0x5b, 0xac, 0x92, 0xc3, 0x6f, 0x2e, 0xa1, 0xfa, 0x1d, 0xf4, 0x47, 0x8c,
278 0x0d, 0xde, 0xde, 0xae, 0x8c, 0x70, 0xe0, 0x23, 0x3c, 0xd0, 0x98, 0x04, 0x0c, 0xd7, 0x96, 0xb0,
279 0x2c, 0x37, 0x0f, 0x1f, 0xa4, 0xcc, 0x01, 0x24, 0xf1, 0x30, 0x2e, 0x02, 0x01, 0x03, 0x30, 0x29,
280 0xa1, 0x08, 0x31, 0x06, 0x02, 0x01, 0x00, 0x02, 0x01, 0x01, 0xa2, 0x03, 0x02, 0x01, 0x20, 0xa3,
281 0x04, 0x02, 0x02, 0x01, 0x00, 0xa4, 0x05, 0x31, 0x03, 0x02, 0x01, 0x01, 0xa6, 0x05, 0x31, 0x03,
282 0x02, 0x01, 0x40, 0xbf, 0x83, 0x77, 0x02, 0x05, 0x00, 0x04, 0x20, 0xcc, 0xd5, 0x40, 0x85, 0x5f,
283 0x83, 0x3a, 0x5e, 0x14, 0x80, 0xbf, 0xd2, 0xd3, 0x6f, 0xaf, 0x3a, 0xee, 0xe1, 0x5d, 0xf5, 0xbe,
284 0xab, 0xe2, 0x69, 0x1b, 0xc8, 0x2d, 0xde, 0x2a, 0x7a, 0xa9, 0x10, 0x04, 0x10, 0x64, 0xc9, 0xf6,
285 0x89, 0xc6, 0x0f, 0xf6, 0x22, 0x3a, 0xb6, 0xe6, 0x99, 0x9e, 0x0e, 0xb6, 0xe5,
286];
287
Rajesh Nyamagoudb881d512021-12-10 00:33:15 +0000[diff] [blame]288/// To map Keystore errors.
289#[derive(thiserror::Error, Debug, Eq, PartialEq)]
290pub enum Error {
291 /// Keystore2 error code
292 #[error("ResponseCode {0:?}")]
293 Rc(ResponseCode),
294 /// Keymint error code
295 #[error("ErrorCode {0:?}")]
296 Km(ErrorCode),
297 /// Exception
298 #[error("Binder exception {0:?}")]
299 Binder(ExceptionCode),
Rajesh Nyamagoud4d483372022-02-09 01:38:23 +0000[diff] [blame]300 /// This is returned if the C implementation of extractSubjectFromCertificate failed.
301 #[error("Failed to validate certificate chain.")]
302 ValidateCertChainFailed,
Rajesh Nyamagoudc946cc42022-04-12 22:49:11 +0000[diff] [blame]303 /// Error code to indicate error in ASN.1 DER-encoded data creation.
304 #[error("Failed to create and encode ASN.1 data.")]
305 DerEncodeFailed,
Rajesh Nyamagoudb881d512021-12-10 00:33:15 +0000[diff] [blame]306}
307
308/// Keystore2 error mapping.
309pub fn map_ks_error<T>(r: BinderResult<T>) -> Result<T, Error> {
310 r.map_err(|s| {
311 match s.exception_code() {
312 ExceptionCode::SERVICE_SPECIFIC => {
313 match s.service_specific_error() {
314 se if se < 0 => {
315 // Negative service specific errors are KM error codes.
316 Error::Km(ErrorCode(se))
317 }
318 se => {
319 // Positive service specific errors are KS response codes.
320 Error::Rc(ResponseCode(se))
321 }
322 }
323 }
324 // We create `Error::Binder` to preserve the exception code
325 // for logging.
326 e_code => Error::Binder(e_code),
327 }
328 })
329}
330
331/// Generate EC Key using given security level and domain with below key parameters and
332/// optionally allow the generated key to be attested with factory provisioned attest key using
333/// given challenge and application id -
Rajesh Nyamagoud901386c2022-03-21 20:35:18 +0000[diff] [blame]334/// Purposes: SIGN and VERIFY
335/// Digest: SHA_2_256
336/// Curve: P_256
Rajesh Nyamagoudb881d512021-12-10 00:33:15 +0000[diff] [blame]337pub fn generate_ec_p256_signing_key(
Rajesh Nyamagoud901386c2022-03-21 20:35:18 +0000[diff] [blame]338 sec_level: &binder::Strong<dyn IKeystoreSecurityLevel>,
Rajesh Nyamagoudb881d512021-12-10 00:33:15 +0000[diff] [blame]339 domain: Domain,
340 nspace: i64,
341 alias: Option<String>,
342 att_challenge: Option<&[u8]>,
Rajesh Nyamagoud901386c2022-03-21 20:35:18 +0000[diff] [blame]343) -> binder::Result<KeyMetadata> {
Rajesh Nyamagoudb881d512021-12-10 00:33:15 +0000[diff] [blame]344 let mut key_attest = false;
345 let mut gen_params = AuthSetBuilder::new()
Rajesh Nyamagoudc7d064d2022-08-20 01:45:17 +0000[diff] [blame]346 .no_auth_required()
Rajesh Nyamagoud901386c2022-03-21 20:35:18 +0000[diff] [blame]347 .algorithm(Algorithm::EC)
348 .purpose(KeyPurpose::SIGN)
349 .purpose(KeyPurpose::VERIFY)
350 .digest(Digest::SHA_2_256)
Rajesh Nyamagoudb881d512021-12-10 00:33:15 +0000[diff] [blame]351 .ec_curve(EcCurve::P_256);
352
353 if let Some(challenge) = att_challenge {
354 key_attest = true;
355 gen_params = gen_params.clone().attestation_challenge(challenge.to_vec());
356 }
357
Rajesh Nyamagoud901386c2022-03-21 20:35:18 +0000[diff] [blame]358 match sec_level.generateKey(
Rajesh Nyamagoudb881d512021-12-10 00:33:15 +0000[diff] [blame]359 &KeyDescriptor { domain, nspace, alias, blob: None },
Rajesh Nyamagoud901386c2022-03-21 20:35:18 +0000[diff] [blame]360 None,
361 &gen_params,
362 0,
363 b"entropy",
364 ) {
365 Ok(key_metadata) => {
366 assert!(key_metadata.certificate.is_some());
Rajesh Nyamagoudb881d512021-12-10 00:33:15 +0000[diff] [blame]367 if key_attest {
368 assert!(key_metadata.certificateChain.is_some());
369 }
370 if domain == Domain::BLOB {
371 assert!(key_metadata.key.blob.is_some());
372 }
Rajesh Nyamagoud901386c2022-03-21 20:35:18 +0000[diff] [blame]373
374 Ok(key_metadata)
375 }
376 Err(e) => Err(e),
377 }
378}
Rajesh Nyamagouda7766452021-12-13 21:44:19 +0000[diff] [blame]379
380/// Generate EC signing key.
Rajesh Nyamagoudc7d064d2022-08-20 01:45:17 +0000[diff] [blame]381pub fn generate_ec_key(
382 sec_level: &binder::Strong<dyn IKeystoreSecurityLevel>,
Rajesh Nyamagouda7766452021-12-13 21:44:19 +0000[diff] [blame]383 domain: Domain,
384 nspace: i64,
385 alias: Option<String>,
386 ec_curve: EcCurve,
387 digest: Digest,
388) -> binder::Result<KeyMetadata> {
389 let gen_params = AuthSetBuilder::new()
390 .no_auth_required()
391 .algorithm(Algorithm::EC)
392 .purpose(KeyPurpose::SIGN)
393 .purpose(KeyPurpose::VERIFY)
394 .digest(digest)
395 .ec_curve(ec_curve);
396
397 let key_metadata = sec_level.generateKey(
398 &KeyDescriptor { domain, nspace, alias, blob: None },
399 None,
400 &gen_params,
401 0,
402 b"entropy",
403 )?;
404
405 // Must have a public key.
406 assert!(key_metadata.certificate.is_some());
407
408 // Should not have an attestation record.
409 assert!(key_metadata.certificateChain.is_none());
410
411 if domain == Domain::BLOB {
412 assert!(key_metadata.key.blob.is_some());
413 } else {
414 assert!(key_metadata.key.blob.is_none());
415 }
416 Ok(key_metadata)
417}
Rajesh Nyamagoud11912ea2021-12-20 20:37:20 +0000[diff] [blame]418
419/// Generate a RSA key with the given key parameters, alias, domain and namespace.
420pub fn generate_rsa_key(
421 sec_level: &binder::Strong<dyn IKeystoreSecurityLevel>,
422 domain: Domain,
423 nspace: i64,
424 alias: Option<String>,
425 key_params: &KeyParams,
426 attest_key: Option<&KeyDescriptor>,
427) -> binder::Result<KeyMetadata> {
428 let mut gen_params = AuthSetBuilder::new()
429 .no_auth_required()
430 .algorithm(Algorithm::RSA)
431 .rsa_public_exponent(65537)
432 .key_size(key_params.key_size);
433
434 for purpose in &key_params.purpose {
435 gen_params = gen_params.purpose(*purpose);
436 }
437 if let Some(value) = key_params.digest {
438 gen_params = gen_params.digest(value)
439 }
440 if let Some(value) = key_params.padding {
441 gen_params = gen_params.padding_mode(value);
442 }
443 if let Some(value) = key_params.mgf_digest {
444 gen_params = gen_params.mgf_digest(value);
445 }
446 if let Some(value) = key_params.block_mode {
447 gen_params = gen_params.block_mode(value)
448 }
449 if let Some(value) = &key_params.att_challenge {
450 gen_params = gen_params.attestation_challenge(value.to_vec())
451 }
Rajesh Nyamagoud11912ea2021-12-20 20:37:20 +0000[diff] [blame]452
453 let key_metadata = sec_level.generateKey(
454 &KeyDescriptor { domain, nspace, alias, blob: None },
455 attest_key,
456 &gen_params,
457 0,
458 b"entropy",
459 )?;
460
461 // Must have a public key.
462 assert!(key_metadata.certificate.is_some());
463
David Drysdale38f2ca32023-01-10 13:10:51 +0000[diff] [blame]464 if attest_key.is_none() && key_params.att_challenge.is_some() {
Rajesh Nyamagoud11912ea2021-12-20 20:37:20 +0000[diff] [blame]465 // Should have an attestation record.
466 assert!(key_metadata.certificateChain.is_some());
467 } else {
468 // Should not have an attestation record.
469 assert!(key_metadata.certificateChain.is_none());
470 }
471
472 assert!(
473 (domain == Domain::BLOB && key_metadata.key.blob.is_some())
474 || key_metadata.key.blob.is_none()
475 );
476
477 Ok(key_metadata)
478}
Rajesh Nyamagoud47409932022-01-08 00:37:13 +0000[diff] [blame]479
Rajesh Nyamagoudc3523ba2022-08-05 17:38:25 +0000[diff] [blame]480/// Generate AES/3DES key.
481pub fn generate_sym_key(
Rajesh Nyamagoud47409932022-01-08 00:37:13 +0000[diff] [blame]482 sec_level: &binder::Strong<dyn IKeystoreSecurityLevel>,
Rajesh Nyamagoudc3523ba2022-08-05 17:38:25 +0000[diff] [blame]483 algorithm: Algorithm,
Rajesh Nyamagoud47409932022-01-08 00:37:13 +0000[diff] [blame]484 size: i32,
485 alias: &str,
486 padding_mode: &PaddingMode,
487 block_mode: &BlockMode,
488 min_mac_len: Option<i32>,
489) -> binder::Result<KeyMetadata> {
490 let mut gen_params = AuthSetBuilder::new()
491 .no_auth_required()
Rajesh Nyamagoudc3523ba2022-08-05 17:38:25 +0000[diff] [blame]492 .algorithm(algorithm)
Rajesh Nyamagoud47409932022-01-08 00:37:13 +0000[diff] [blame]493 .purpose(KeyPurpose::ENCRYPT)
494 .purpose(KeyPurpose::DECRYPT)
495 .key_size(size)
496 .padding_mode(*padding_mode)
497 .block_mode(*block_mode);
498
499 if let Some(val) = min_mac_len {
500 gen_params = gen_params.min_mac_length(val);
501 }
502
503 let key_metadata = sec_level.generateKey(
504 &KeyDescriptor {
505 domain: Domain::APP,
506 nspace: -1,
507 alias: Some(alias.to_string()),
508 blob: None,
509 },
510 None,
511 &gen_params,
512 0,
513 b"entropy",
514 )?;
515
516 // Should not have public certificate.
517 assert!(key_metadata.certificate.is_none());
518
519 // Should not have an attestation record.
520 assert!(key_metadata.certificateChain.is_none());
521 Ok(key_metadata)
522}
Rajesh Nyamagoud4c6193c2022-02-03 01:15:34 +0000[diff] [blame]523
524/// Generate HMAC key.
525pub fn generate_hmac_key(
526 sec_level: &binder::Strong<dyn IKeystoreSecurityLevel>,
527 alias: &str,
528 key_size: i32,
529 min_mac_len: i32,
530 digest: Digest,
531) -> binder::Result<KeyMetadata> {
532 let gen_params = AuthSetBuilder::new()
533 .no_auth_required()
534 .algorithm(Algorithm::HMAC)
535 .purpose(KeyPurpose::SIGN)
536 .purpose(KeyPurpose::VERIFY)
537 .key_size(key_size)
538 .min_mac_length(min_mac_len)
539 .digest(digest);
540
541 let key_metadata = sec_level.generateKey(
542 &KeyDescriptor {
543 domain: Domain::APP,
544 nspace: -1,
545 alias: Some(alias.to_string()),
546 blob: None,
547 },
548 None,
549 &gen_params,
550 0,
551 b"entropy",
552 )?;
553
554 // Should not have public certificate.
555 assert!(key_metadata.certificate.is_none());
556
557 // Should not have an attestation record.
558 assert!(key_metadata.certificateChain.is_none());
559
560 Ok(key_metadata)
561}
Rajesh Nyamagoud4d483372022-02-09 01:38:23 +0000[diff] [blame]562
563/// Generate RSA or EC attestation keys using below parameters -
564/// Purpose: ATTEST_KEY
565/// Digest: Digest::SHA_2_256
566/// Padding: PaddingMode::RSA_PKCS1_1_5_SIGN
567/// RSA-Key-Size: 2048
568/// EC-Curve: EcCurve::P_256
569pub fn generate_attestation_key(
570 sec_level: &binder::Strong<dyn IKeystoreSecurityLevel>,
571 algorithm: Algorithm,
572 att_challenge: &[u8],
Rajesh Nyamagoud4d483372022-02-09 01:38:23 +0000[diff] [blame]573) -> binder::Result<KeyMetadata> {
574 assert!(algorithm == Algorithm::RSA || algorithm == Algorithm::EC);
575
576 if algorithm == Algorithm::RSA {
577 let alias = "ks_rsa_attest_test_key";
578 let metadata = generate_rsa_key(
579 sec_level,
580 Domain::APP,
581 -1,
582 Some(alias.to_string()),
583 &KeyParams {
584 key_size: 2048,
585 purpose: vec![KeyPurpose::ATTEST_KEY],
586 padding: Some(PaddingMode::RSA_PKCS1_1_5_SIGN),
587 digest: Some(Digest::SHA_2_256),
588 mgf_digest: None,
589 block_mode: None,
590 att_challenge: Some(att_challenge.to_vec()),
Rajesh Nyamagoud4d483372022-02-09 01:38:23 +0000[diff] [blame]591 },
592 None,
593 )
594 .unwrap();
595 Ok(metadata)
596 } else {
597 let metadata = generate_ec_attestation_key(
598 sec_level,
599 att_challenge,
Rajesh Nyamagoud4d483372022-02-09 01:38:23 +0000[diff] [blame]600 Digest::SHA_2_256,
601 EcCurve::P_256,
602 )
603 .unwrap();
604
605 Ok(metadata)
606 }
607}
608
609/// Generate EC attestation key with the given
610/// curve, attestation-challenge and attestation-app-id.
611pub fn generate_ec_attestation_key(
612 sec_level: &binder::Strong<dyn IKeystoreSecurityLevel>,
613 att_challenge: &[u8],
Rajesh Nyamagoud4d483372022-02-09 01:38:23 +0000[diff] [blame]614 digest: Digest,
615 ec_curve: EcCurve,
616) -> binder::Result<KeyMetadata> {
617 let alias = "ks_attest_ec_test_key";
618 let gen_params = AuthSetBuilder::new()
619 .no_auth_required()
620 .algorithm(Algorithm::EC)
621 .purpose(KeyPurpose::ATTEST_KEY)
622 .ec_curve(ec_curve)
623 .digest(digest)
David Drysdale38f2ca32023-01-10 13:10:51 +0000[diff] [blame]624 .attestation_challenge(att_challenge.to_vec());
Rajesh Nyamagoud4d483372022-02-09 01:38:23 +0000[diff] [blame]625
626 let attestation_key_metadata = sec_level.generateKey(
627 &KeyDescriptor {
628 domain: Domain::APP,
629 nspace: -1,
630 alias: Some(alias.to_string()),
631 blob: None,
632 },
633 None,
634 &gen_params,
635 0,
636 b"entropy",
637 )?;
638
639 // Should have public certificate.
640 assert!(attestation_key_metadata.certificate.is_some());
641 // Should have an attestation record.
642 assert!(attestation_key_metadata.certificateChain.is_some());
643
644 Ok(attestation_key_metadata)
645}
646
647/// Generate EC-P-256 key and attest it with given attestation key.
648pub fn generate_ec_256_attested_key(
649 sec_level: &binder::Strong<dyn IKeystoreSecurityLevel>,
650 alias: Option<String>,
651 att_challenge: &[u8],
Rajesh Nyamagoud4d483372022-02-09 01:38:23 +0000[diff] [blame]652 attest_key: &KeyDescriptor,
653) -> binder::Result<KeyMetadata> {
654 let ec_gen_params = AuthSetBuilder::new()
655 .no_auth_required()
656 .algorithm(Algorithm::EC)
657 .purpose(KeyPurpose::SIGN)
658 .purpose(KeyPurpose::VERIFY)
659 .digest(Digest::SHA_2_256)
660 .ec_curve(EcCurve::P_256)
David Drysdale38f2ca32023-01-10 13:10:51 +0000[diff] [blame]661 .attestation_challenge(att_challenge.to_vec());
Rajesh Nyamagoud4d483372022-02-09 01:38:23 +0000[diff] [blame]662
663 let ec_key_metadata = sec_level
664 .generateKey(
665 &KeyDescriptor { domain: Domain::APP, nspace: -1, alias, blob: None },
666 Some(attest_key),
667 &ec_gen_params,
668 0,
669 b"entropy",
670 )
671 .unwrap();
672
673 // Should have public certificate.
674 assert!(ec_key_metadata.certificate.is_some());
675 // Shouldn't have an attestation record.
676 assert!(ec_key_metadata.certificateChain.is_none());
677
678 Ok(ec_key_metadata)
679}
Rajesh Nyamagoudb8402b62022-04-08 01:05:47 +0000[diff] [blame]680
Rajesh Nyamagoudc946cc42022-04-12 22:49:11 +0000[diff] [blame]681/// Verify that given key param is listed in given authorizations list.
682pub fn check_key_param(authorizations: &[Authorization], key_param: KeyParameter) -> bool {
Rajesh Nyamagoudb8402b62022-04-08 01:05:47 +0000[diff] [blame]683 for authrization in authorizations {
684 if authrization.keyParameter == key_param {
685 return true;
686 }
687 }
688
689 false
690}
691
692/// Imports above defined RSA key - `RSA_2048_KEY` and validates imported key parameters.
693pub fn import_rsa_2048_key(
694 sec_level: &binder::Strong<dyn IKeystoreSecurityLevel>,
695 domain: Domain,
696 nspace: i64,
697 alias: Option<String>,
698 import_params: AuthSetBuilder,
699) -> binder::Result<KeyMetadata> {
700 let key_metadata = sec_level
701 .importKey(
702 &KeyDescriptor { domain, nspace, alias, blob: None },
703 None,
704 &import_params,
705 0,
706 RSA_2048_KEY,
707 )
708 .unwrap();
709
710 assert!(key_metadata.certificate.is_some());
711 assert!(key_metadata.certificateChain.is_none());
712
713 assert!(check_key_param(
714 &key_metadata.authorizations,
715 KeyParameter { tag: Tag::ALGORITHM, value: KeyParameterValue::Algorithm(Algorithm::RSA) }
716 ));
717
718 assert!(check_key_param(
719 &key_metadata.authorizations,
720 KeyParameter { tag: Tag::KEY_SIZE, value: KeyParameterValue::Integer(2048) }
721 ));
722
723 assert!(check_key_param(
724 &key_metadata.authorizations,
725 KeyParameter { tag: Tag::DIGEST, value: KeyParameterValue::Digest(Digest::SHA_2_256) }
726 ));
727
728 assert!(check_key_param(
729 &key_metadata.authorizations,
730 KeyParameter {
731 tag: Tag::RSA_PUBLIC_EXPONENT,
732 value: KeyParameterValue::LongInteger(65537)
733 }
734 ));
735
736 assert!(check_key_param(
737 &key_metadata.authorizations,
738 KeyParameter {
739 tag: Tag::PADDING,
740 value: KeyParameterValue::PaddingMode(PaddingMode::RSA_PSS)
741 }
742 ));
743
744 assert!(check_key_param(
745 &key_metadata.authorizations,
746 KeyParameter { tag: Tag::ORIGIN, value: KeyParameterValue::Origin(KeyOrigin::IMPORTED) }
747 ));
748
749 Ok(key_metadata)
750}
751
752/// Imports above defined EC key - `EC_P_256_KEY` and validates imported key parameters.
753pub fn import_ec_p_256_key(
754 sec_level: &binder::Strong<dyn IKeystoreSecurityLevel>,
755 domain: Domain,
756 nspace: i64,
757 alias: Option<String>,
758 import_params: AuthSetBuilder,
759) -> binder::Result<KeyMetadata> {
760 let key_metadata = sec_level
761 .importKey(
762 &KeyDescriptor { domain, nspace, alias, blob: None },
763 None,
764 &import_params,
765 0,
766 EC_P_256_KEY,
767 )
768 .unwrap();
769
770 assert!(key_metadata.certificate.is_some());
771 assert!(key_metadata.certificateChain.is_none());
772
773 assert!(check_key_param(
774 &key_metadata.authorizations,
775 KeyParameter { tag: Tag::ALGORITHM, value: KeyParameterValue::Algorithm(Algorithm::EC) }
776 ));
777
778 assert!(check_key_param(
779 &key_metadata.authorizations,
780 KeyParameter { tag: Tag::EC_CURVE, value: KeyParameterValue::EcCurve(EcCurve::P_256) }
781 ));
782
783 assert!(check_key_param(
784 &key_metadata.authorizations,
785 KeyParameter { tag: Tag::DIGEST, value: KeyParameterValue::Digest(Digest::SHA_2_256) }
786 ));
787 assert!(check_key_param(
788 &key_metadata.authorizations,
789 KeyParameter { tag: Tag::ORIGIN, value: KeyParameterValue::Origin(KeyOrigin::IMPORTED) }
790 ));
791
792 Ok(key_metadata)
793}
794
795/// Import sample AES key and validate its key parameters.
796pub fn import_aes_key(
797 sec_level: &binder::Strong<dyn IKeystoreSecurityLevel>,
798 domain: Domain,
799 nspace: i64,
800 alias: Option<String>,
801) -> binder::Result<KeyMetadata> {
802 static AES_KEY: &[u8] = &[0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0];
803 let key_size = AES_KEY.len() * 8;
804
805 let import_params = AuthSetBuilder::new()
806 .no_auth_required()
807 .algorithm(Algorithm::AES)
808 .block_mode(BlockMode::ECB)
809 .key_size(key_size.try_into().unwrap())
810 .purpose(KeyPurpose::ENCRYPT)
811 .purpose(KeyPurpose::DECRYPT)
812 .padding_mode(PaddingMode::PKCS7);
813
814 let key_metadata = sec_level.importKey(
815 &KeyDescriptor { domain, nspace, alias, blob: None },
816 None,
817 &import_params,
818 0,
819 AES_KEY,
820 )?;
821
822 assert!(check_key_param(
823 &key_metadata.authorizations,
824 KeyParameter { tag: Tag::ALGORITHM, value: KeyParameterValue::Algorithm(Algorithm::AES) }
825 ));
826 assert!(check_key_param(
827 &key_metadata.authorizations,
828 KeyParameter { tag: Tag::KEY_SIZE, value: KeyParameterValue::Integer(128) }
829 ));
830 assert!(check_key_param(
831 &key_metadata.authorizations,
832 KeyParameter {
833 tag: Tag::PADDING,
834 value: KeyParameterValue::PaddingMode(PaddingMode::PKCS7)
835 }
836 ));
837 assert!(check_key_param(
838 &key_metadata.authorizations,
839 KeyParameter { tag: Tag::BLOCK_MODE, value: KeyParameterValue::BlockMode(BlockMode::ECB) }
840 ));
841 assert!(check_key_param(
842 &key_metadata.authorizations,
843 KeyParameter { tag: Tag::ORIGIN, value: KeyParameterValue::Origin(KeyOrigin::IMPORTED) }
844 ));
845
846 Ok(key_metadata)
847}
848
849/// Import sample 3DES key and validate its key parameters.
850pub fn import_3des_key(
851 sec_level: &binder::Strong<dyn IKeystoreSecurityLevel>,
852 domain: Domain,
853 nspace: i64,
854 alias: Option<String>,
855) -> binder::Result<KeyMetadata> {
856 static TRIPLE_DES_KEY: &[u8] = &[
857 0xa4, 0x9d, 0x75, 0x64, 0x19, 0x9e, 0x97, 0xcb, 0x52, 0x9d, 0x2c, 0x9d, 0x97, 0xbf, 0x2f,
858 0x98, 0xd3, 0x5e, 0xdf, 0x57, 0xba, 0x1f, 0x73, 0x58,
859 ];
860
861 let import_params = AuthSetBuilder::new()
862 .no_auth_required()
863 .algorithm(Algorithm::TRIPLE_DES)
864 .block_mode(BlockMode::ECB)
865 .key_size(168)
866 .purpose(KeyPurpose::ENCRYPT)
867 .purpose(KeyPurpose::DECRYPT)
868 .padding_mode(PaddingMode::PKCS7);
869
870 let key_metadata = sec_level.importKey(
871 &KeyDescriptor { domain, nspace, alias, blob: None },
872 None,
873 &import_params,
874 0,
875 TRIPLE_DES_KEY,
876 )?;
877
878 assert!(check_key_param(
879 &key_metadata.authorizations,
880 KeyParameter {
881 tag: Tag::ALGORITHM,
882 value: KeyParameterValue::Algorithm(Algorithm::TRIPLE_DES)
883 }
884 ));
885 assert!(check_key_param(
886 &key_metadata.authorizations,
887 KeyParameter { tag: Tag::KEY_SIZE, value: KeyParameterValue::Integer(168) }
888 ));
889 assert!(check_key_param(
890 &key_metadata.authorizations,
891 KeyParameter {
892 tag: Tag::PADDING,
893 value: KeyParameterValue::PaddingMode(PaddingMode::PKCS7)
894 }
895 ));
896 assert!(check_key_param(
897 &key_metadata.authorizations,
898 KeyParameter { tag: Tag::BLOCK_MODE, value: KeyParameterValue::BlockMode(BlockMode::ECB) }
899 ));
900 assert!(check_key_param(
901 &key_metadata.authorizations,
902 KeyParameter { tag: Tag::ORIGIN, value: KeyParameterValue::Origin(KeyOrigin::IMPORTED) }
903 ));
904
905 Ok(key_metadata)
906}
907
908/// Import sample HMAC key and validate its key parameters.
909pub fn import_hmac_key(
910 sec_level: &binder::Strong<dyn IKeystoreSecurityLevel>,
911 domain: Domain,
912 nspace: i64,
913 alias: Option<String>,
914) -> binder::Result<KeyMetadata> {
915 static HMAC_KEY: &[u8] = &[0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0];
916 let key_size = HMAC_KEY.len() * 8;
917
918 let import_params = AuthSetBuilder::new()
919 .no_auth_required()
920 .algorithm(Algorithm::HMAC)
921 .key_size(key_size.try_into().unwrap())
922 .purpose(KeyPurpose::SIGN)
923 .purpose(KeyPurpose::VERIFY)
924 .digest(Digest::SHA_2_256)
925 .min_mac_length(256);
926
927 let key_metadata = sec_level.importKey(
928 &KeyDescriptor { domain, nspace, alias, blob: None },
929 None,
930 &import_params,
931 0,
932 HMAC_KEY,
933 )?;
934
935 assert!(check_key_param(
936 &key_metadata.authorizations,
937 KeyParameter { tag: Tag::ALGORITHM, value: KeyParameterValue::Algorithm(Algorithm::HMAC) }
938 ));
939 assert!(check_key_param(
940 &key_metadata.authorizations,
941 KeyParameter { tag: Tag::KEY_SIZE, value: KeyParameterValue::Integer(128) }
942 ));
943 assert!(check_key_param(
944 &key_metadata.authorizations,
945 KeyParameter { tag: Tag::DIGEST, value: KeyParameterValue::Digest(Digest::SHA_2_256) }
946 ));
947 assert!(check_key_param(
948 &key_metadata.authorizations,
949 KeyParameter { tag: Tag::ORIGIN, value: KeyParameterValue::Origin(KeyOrigin::IMPORTED) }
950 ));
951
952 Ok(key_metadata)
953}
Rajesh Nyamagoudc946cc42022-04-12 22:49:11 +0000[diff] [blame]954
955/// Imports RSA encryption key with WRAP_KEY purpose.
956pub fn import_wrapping_key(
957 sec_level: &binder::Strong<dyn IKeystoreSecurityLevel>,
958 wrapping_key_data: &[u8],
959 wrapping_key_alias: Option<String>,
960) -> binder::Result<KeyMetadata> {
961 let wrapping_key_params = AuthSetBuilder::new()
962 .no_auth_required()
963 .algorithm(Algorithm::RSA)
964 .digest(Digest::SHA_2_256)
965 .purpose(KeyPurpose::ENCRYPT)
966 .purpose(KeyPurpose::DECRYPT)
967 .purpose(KeyPurpose::WRAP_KEY)
968 .padding_mode(PaddingMode::RSA_OAEP)
969 .key_size(2048)
970 .rsa_public_exponent(65537)
971 .cert_not_before(0)
972 .cert_not_after(253402300799000);
973
974 sec_level.importKey(
975 &KeyDescriptor { domain: Domain::APP, nspace: -1, alias: wrapping_key_alias, blob: None },
976 None,
977 &wrapping_key_params,
978 0,
979 wrapping_key_data,
980 )
981}
982
983/// Import wrapped key using given wrapping key.
984pub fn import_wrapped_key(
985 sec_level: &binder::Strong<dyn IKeystoreSecurityLevel>,
986 alias: Option<String>,
987 wrapping_key_metadata: &KeyMetadata,
988 wrapped_key: Option<Vec<u8>>,
989) -> binder::Result<KeyMetadata> {
990 let unwrap_params =
991 AuthSetBuilder::new().digest(Digest::SHA_2_256).padding_mode(PaddingMode::RSA_OAEP);
992
993 let authenticator_spec: &[AuthenticatorSpec] = &[AuthenticatorSpec {
994 authenticatorType: HardwareAuthenticatorType::NONE,
995 authenticatorId: 0,
996 }];
997
998 let key_metadata = sec_level.importWrappedKey(
999 &KeyDescriptor { domain: Domain::APP, nspace: -1, alias, blob: wrapped_key },
1000 &wrapping_key_metadata.key,
1001 None,
1002 &unwrap_params,
1003 authenticator_spec,
1004 )?;
1005
1006 Ok(key_metadata)
1007}
1008
1009/// Import wrapping key and then import wrapped key using wrapping key.
1010pub fn import_wrapping_key_and_wrapped_key(
1011 sec_level: &binder::Strong<dyn IKeystoreSecurityLevel>,
1012 domain: Domain,
1013 nspace: i64,
1014 alias: Option<String>,
1015 wrapping_key_alias: Option<String>,
1016 wrapping_key_params: AuthSetBuilder,
1017) -> binder::Result<KeyMetadata> {
1018 let wrapping_key_metadata = sec_level.importKey(
1019 &KeyDescriptor { domain, nspace, alias: wrapping_key_alias, blob: None },
1020 None,
1021 &wrapping_key_params,
1022 0,
1023 WRAPPING_KEY,
1024 )?;
1025
1026 import_wrapped_key(sec_level, alias, &wrapping_key_metadata, Some(WRAPPED_KEY.to_vec()))
1027}
1028
1029/// Import given key material as AES-256-GCM-NONE transport key.
1030pub fn import_transport_key(
1031 sec_level: &binder::Strong<dyn IKeystoreSecurityLevel>,
1032 transport_key_alias: Option<String>,
1033 transport_key: &[u8],
1034) -> binder::Result<KeyMetadata> {
1035 let transport_key_params = AuthSetBuilder::new()
1036 .no_auth_required()
1037 .algorithm(Algorithm::AES)
1038 .block_mode(BlockMode::GCM)
1039 .padding_mode(PaddingMode::NONE)
1040 .key_size(256)
1041 .caller_nonce()
1042 .min_mac_length(128)
1043 .purpose(KeyPurpose::ENCRYPT)
1044 .purpose(KeyPurpose::DECRYPT);
1045
1046 sec_level.importKey(
1047 &KeyDescriptor { domain: Domain::APP, nspace: -1, alias: transport_key_alias, blob: None },
1048 None,
1049 &transport_key_params,
1050 0,
1051 transport_key,
1052 )
1053}
Rajesh Nyamagoudaf050562022-11-11 01:56:45 +0000[diff] [blame]1054
1055/// Generate EC key with purpose AGREE_KEY.
1056pub fn generate_ec_agree_key(
1057 sec_level: &binder::Strong<dyn IKeystoreSecurityLevel>,
1058 ec_curve: EcCurve,
1059 digest: Digest,
1060 domain: Domain,
1061 nspace: i64,
1062 alias: Option<String>,
1063) -> binder::Result<KeyMetadata> {
1064 let gen_params = AuthSetBuilder::new()
1065 .no_auth_required()
1066 .algorithm(Algorithm::EC)
1067 .purpose(KeyPurpose::AGREE_KEY)
1068 .digest(digest)
1069 .ec_curve(ec_curve);
1070
1071 match sec_level.generateKey(
1072 &KeyDescriptor { domain, nspace, alias, blob: None },
1073 None,
1074 &gen_params,
1075 0,
1076 b"entropy",
1077 ) {
1078 Ok(key_metadata) => {
1079 assert!(key_metadata.certificate.is_some());
1080 if domain == Domain::BLOB {
1081 assert!(key_metadata.key.blob.is_some());
1082 }
1083
1084 Ok(key_metadata)
1085 }
1086 Err(e) => Err(e),
1087 }
1088}
Rajesh Nyamagoud6a823492023-04-07 02:47:27 +0000[diff] [blame^]1089
1090/// Helper method to import AES keys `total_count` of times.
1091pub fn import_aes_keys(
1092 sec_level: &binder::Strong<dyn IKeystoreSecurityLevel>,
1093 alias_prefix: String,
1094 total_count: Range<i32>,
1095) -> binder::Result<HashSet<String>> {
1096 let mut imported_key_aliases = HashSet::new();
1097
1098 // Import Total number of keys with given alias prefix.
1099 for count in total_count {
1100 let mut alias = String::new();
1101 write!(alias, "{}_{}", alias_prefix, count).unwrap();
1102 imported_key_aliases.insert(alias.clone());
1103
1104 import_aes_key(sec_level, Domain::APP, -1, Some(alias))?;
1105 }
1106
1107 Ok(imported_key_aliases)
1108}