Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_security / cdeb7302af5a30d62aab712a71b32f0b46a4dcaa / . / keystore2 / test_utils / key_generations.rs
blob: ff40aa1797beaca30b157bbaca473ac4aaceacf2 [file] [log] [blame]
Rajesh Nyamagoud901386c2022-03-21 20:35:18 +0000[diff] [blame]1// Copyright 2022, The Android Open Source Project
2//
3// Licensed under the Apache License, Version 2.0 (the "License");
4// you may not use this file except in compliance with the License.
5// You may obtain a copy of the License at
6//
7// http://www.apache.org/licenses/LICENSE-2.0
8//
9// Unless required by applicable law or agreed to in writing, software
10// distributed under the License is distributed on an "AS IS" BASIS,
11// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12// See the License for the specific language governing permissions and
13// limitations under the License.
14
15//! This module implements test utils to generate various types of keys.
16
Rajesh Nyamagoudb881d512021-12-10 00:33:15 +0000[diff] [blame]17use anyhow::Result;
18
Rajesh Nyamagoud6a823492023-04-07 02:47:27 +0000[diff] [blame]19use core::ops::Range;
20use std::collections::HashSet;
21use std::fmt::Write;
22
Rajesh Nyamagoud901386c2022-03-21 20:35:18 +0000[diff] [blame]23use android_hardware_security_keymint::aidl::android::hardware::security::keymint::{
Rajesh Nyamagoud11912ea2021-12-20 20:37:20 +0000[diff] [blame]24 Algorithm::Algorithm, BlockMode::BlockMode, Digest::Digest, EcCurve::EcCurve,
Rajesh Nyamagoudc946cc42022-04-12 22:49:11 +0000[diff] [blame]25 ErrorCode::ErrorCode, HardwareAuthenticatorType::HardwareAuthenticatorType,
26 KeyOrigin::KeyOrigin, KeyParameter::KeyParameter, KeyParameterValue::KeyParameterValue,
27 KeyPurpose::KeyPurpose, PaddingMode::PaddingMode, Tag::Tag,
Rajesh Nyamagoud901386c2022-03-21 20:35:18 +0000[diff] [blame]28};
29use android_system_keystore2::aidl::android::system::keystore2::{
Rajesh Nyamagoudc946cc42022-04-12 22:49:11 +0000[diff] [blame]30 AuthenticatorSpec::AuthenticatorSpec, Authorization::Authorization, Domain::Domain,
31 IKeystoreSecurityLevel::IKeystoreSecurityLevel, KeyDescriptor::KeyDescriptor,
32 KeyMetadata::KeyMetadata, ResponseCode::ResponseCode,
Rajesh Nyamagoud901386c2022-03-21 20:35:18 +0000[diff] [blame]33};
34
35use crate::authorizations::AuthSetBuilder;
Rajesh Nyamagoudb881d512021-12-10 00:33:15 +0000[diff] [blame]36use android_system_keystore2::binder::{ExceptionCode, Result as BinderResult};
Rajesh Nyamagoud901386c2022-03-21 20:35:18 +0000[diff] [blame]37
Rajesh Nyamagoudb881d512021-12-10 00:33:15 +0000[diff] [blame]38/// Shell namespace.
39pub const SELINUX_SHELL_NAMESPACE: i64 = 1;
Rajesh Nyamagouddc6fb232021-12-08 21:27:15 +0000[diff] [blame]40/// Vold namespace.
41pub const SELINUX_VOLD_NAMESPACE: i64 = 100;
Rajesh Nyamagoud901386c2022-03-21 20:35:18 +0000[diff] [blame]42
Rajesh Nyamagoudfa7c0f12021-12-02 17:15:48 +0000[diff] [blame]43/// SU context.
44pub const TARGET_SU_CTX: &str = "u:r:su:s0";
45
46/// Vold context
47pub const TARGET_VOLD_CTX: &str = "u:r:vold:s0";
48
Rajesh Nyamagoud11912ea2021-12-20 20:37:20 +0000[diff] [blame]49/// Key parameters to generate a key.
50pub struct KeyParams {
51 /// Key Size.
52 pub key_size: i32,
53 /// Key Purposes.
54 pub purpose: Vec<KeyPurpose>,
55 /// Padding Mode.
56 pub padding: Option<PaddingMode>,
57 /// Digest.
58 pub digest: Option<Digest>,
59 /// MFG Digest.
60 pub mgf_digest: Option<Digest>,
61 /// Block Mode.
62 pub block_mode: Option<BlockMode>,
63 /// Attestation challenge.
64 pub att_challenge: Option<Vec<u8>>,
Rajesh Nyamagoud11912ea2021-12-20 20:37:20 +0000[diff] [blame]65}
66
Rajesh Nyamagoudb8402b62022-04-08 01:05:47 +0000[diff] [blame]67/// DER-encoded PKCS#8 format RSA key. Generated using:
68/// openssl genrsa 2048 | openssl pkcs8 -topk8 -nocrypt -outform der | hexdump -e '30/1 "%02X" "\n"'
69pub static RSA_2048_KEY: &[u8] = &[
70 0x30, 0x82, 0x04, 0xBD, 0x02, 0x01, 0x00, 0x30, 0x0D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7,
71 0x0D, 0x01, 0x01, 0x01, 0x05, 0x00, 0x04, 0x82, 0x04, 0xA7, 0x30, 0x82, 0x04, 0xA3, 0x02, 0x01,
72 0x00, 0x02, 0x82, 0x01, 0x01, 0x00, 0xE5, 0x14, 0xE3, 0xC2, 0x43, 0xF3, 0x0F, 0xCC, 0x22, 0x73,
73 0x9C, 0x84, 0xCC, 0x1B, 0x6C, 0x97, 0x4B, 0xC9, 0xDF, 0x1F, 0xE2, 0xB8, 0x80, 0x85, 0xF9, 0x27,
74 0xAB, 0x97, 0x94, 0x58, 0x4B, 0xC9, 0x40, 0x94, 0x5A, 0xB4, 0xD4, 0xF8, 0xD0, 0x36, 0xC4, 0x86,
75 0x17, 0x7D, 0xA2, 0x48, 0x6D, 0x40, 0xF0, 0xB9, 0x61, 0x4F, 0xCE, 0x65, 0x80, 0x88, 0x81, 0x59,
76 0x95, 0x11, 0x24, 0xF4, 0x36, 0xB7, 0xB7, 0x37, 0x44, 0xF4, 0x6C, 0x1C, 0xEB, 0x04, 0x19, 0x78,
77 0xB2, 0x29, 0x4D, 0x21, 0x44, 0x16, 0x57, 0x58, 0x6D, 0x7D, 0x56, 0xB5, 0x99, 0xDD, 0xD2, 0xAD,
78 0x02, 0x9A, 0x72, 0x16, 0x67, 0xD6, 0x00, 0x9F, 0x69, 0xE0, 0x25, 0xEE, 0x7C, 0x86, 0x54, 0x27,
79 0x4B, 0x50, 0xEF, 0x60, 0x52, 0x60, 0x82, 0xAA, 0x09, 0x15, 0x72, 0xD2, 0xEB, 0x01, 0x52, 0x04,
80 0x39, 0x60, 0xBC, 0x5E, 0x95, 0x07, 0xC8, 0xC2, 0x3A, 0x3A, 0xE2, 0xA4, 0x99, 0x6B, 0x27, 0xE3,
81 0xA3, 0x55, 0x69, 0xC4, 0xB3, 0x2D, 0x19, 0xC4, 0x34, 0x76, 0xFC, 0x27, 0xDA, 0x22, 0xB2, 0x62,
82 0x69, 0x25, 0xDE, 0x0D, 0xE7, 0x54, 0x3C, 0xBB, 0x61, 0xD2, 0x20, 0xDA, 0x7B, 0x6E, 0x63, 0xBD,
83 0x9A, 0x4B, 0xCD, 0x75, 0xC6, 0xA1, 0x5E, 0x1C, 0x3E, 0xD5, 0x63, 0x59, 0x22, 0x7E, 0xE0, 0x6C,
84 0x98, 0x25, 0x63, 0x97, 0x56, 0xDF, 0x71, 0xF5, 0x4C, 0x78, 0xE9, 0xE1, 0xD5, 0xFC, 0xF8, 0x5A,
85 0x5B, 0xF6, 0x1D, 0xFA, 0x5A, 0x99, 0x4C, 0x99, 0x19, 0x21, 0x1D, 0xF5, 0x24, 0x07, 0xEF, 0x8A,
86 0xC9, 0x9F, 0xE7, 0x3F, 0xBB, 0x46, 0x1A, 0x16, 0x96, 0xC6, 0xD6, 0x12, 0x7E, 0xDA, 0xCB, 0xEB,
87 0x2F, 0x1D, 0x3B, 0x31, 0xCC, 0x55, 0x63, 0xA2, 0x6F, 0x8A, 0xDE, 0x35, 0x52, 0x40, 0x04, 0xBF,
88 0xE0, 0x82, 0x32, 0xE1, 0x6D, 0x8B, 0x02, 0x03, 0x01, 0x00, 0x01, 0x02, 0x82, 0x01, 0x00, 0x2D,
89 0x1F, 0x71, 0x41, 0x79, 0xBA, 0xED, 0xD8, 0xAA, 0xCC, 0x94, 0xFE, 0xFF, 0x69, 0x43, 0x79, 0x85,
90 0xBF, 0x2C, 0xC9, 0x0E, 0x12, 0x83, 0x96, 0x60, 0x1E, 0x75, 0x49, 0x35, 0x3A, 0x33, 0x2B, 0x60,
91 0x22, 0x18, 0xBF, 0xD7, 0xD7, 0x6E, 0xC3, 0xEA, 0xEF, 0xF2, 0xBE, 0x97, 0x71, 0xA6, 0xBB, 0x8C,
92 0xEF, 0x27, 0x00, 0xDE, 0x49, 0xD6, 0x08, 0x8D, 0x5A, 0x04, 0xE7, 0xCC, 0x9C, 0xA2, 0x0E, 0x8B,
93 0xF3, 0x42, 0x0C, 0xD7, 0x22, 0xD7, 0x14, 0x06, 0xA4, 0x64, 0x8B, 0x88, 0x1A, 0xCE, 0x5B, 0x8C,
94 0x36, 0xE9, 0xD2, 0x2F, 0x7B, 0x33, 0xE4, 0xA2, 0xB3, 0xDB, 0x78, 0x6A, 0x92, 0x89, 0x3F, 0x78,
95 0xFD, 0xED, 0x8F, 0xEE, 0x48, 0xCC, 0x94, 0x75, 0x0D, 0x0C, 0x63, 0xD3, 0xD2, 0xE8, 0x47, 0x04,
96 0x55, 0xD3, 0xD6, 0x3A, 0xB8, 0xDA, 0xFB, 0x76, 0x99, 0x48, 0x68, 0x0A, 0x92, 0xA2, 0xCD, 0xF7,
97 0x45, 0x8B, 0x50, 0xFE, 0xF9, 0x1A, 0x33, 0x24, 0x3C, 0x2E, 0xDE, 0x88, 0xAD, 0xB2, 0x5B, 0x9F,
98 0x44, 0xEA, 0xD1, 0x9F, 0xC7, 0x9F, 0x02, 0x5E, 0x31, 0x61, 0xB3, 0xD6, 0xE2, 0xE1, 0xBC, 0xFB,
99 0x1C, 0xDB, 0xBD, 0xB2, 0x9A, 0xE5, 0xEF, 0xDA, 0xCD, 0x29, 0xA5, 0x45, 0xCC, 0x67, 0x01, 0x8B,
100 0x1C, 0x1D, 0x0E, 0x8F, 0x73, 0x69, 0x4D, 0x4D, 0xF6, 0x9D, 0xA6, 0x6C, 0x9A, 0x1C, 0xF4, 0x5C,
101 0xE4, 0x83, 0x9A, 0x77, 0x12, 0x01, 0xBD, 0xCE, 0x66, 0x3A, 0x4B, 0x3D, 0x6E, 0xE0, 0x6E, 0x82,
102 0x98, 0xDE, 0x74, 0x11, 0x47, 0xEC, 0x7A, 0x3A, 0xA9, 0xD8, 0x48, 0x00, 0x26, 0x64, 0x47, 0x7B,
103 0xAE, 0x55, 0x9D, 0x29, 0x22, 0xB4, 0xB3, 0xB9, 0xB1, 0x64, 0xEA, 0x3B, 0x5A, 0xD3, 0x3F, 0x8D,
104 0x0F, 0x14, 0x7E, 0x4E, 0xB8, 0x1B, 0x06, 0xFC, 0xB1, 0x7E, 0xCD, 0xB9, 0x1A, 0x4E, 0xA1, 0x02,
105 0x81, 0x81, 0x00, 0xF9, 0xDE, 0xEE, 0xED, 0x13, 0x2F, 0xBB, 0xE7, 0xE2, 0xB3, 0x2D, 0x98, 0xD2,
106 0xE8, 0x25, 0x07, 0x5A, 0x1E, 0x51, 0x0A, 0xC8, 0xAD, 0x50, 0x4B, 0x80, 0xC6, 0x22, 0xF5, 0x9B,
107 0x08, 0xE6, 0x3D, 0x01, 0xC6, 0x3E, 0xC8, 0xD2, 0x54, 0x9F, 0x91, 0x77, 0x95, 0xCD, 0xCA, 0xC7,
108 0xE7, 0x47, 0x94, 0xA9, 0x5F, 0x4E, 0xBE, 0x31, 0x3D, 0xB4, 0xAF, 0x43, 0x0F, 0xDC, 0x8D, 0x9C,
109 0x1E, 0x52, 0x7B, 0x72, 0x21, 0x34, 0xB3, 0x96, 0x7C, 0x9C, 0xB8, 0x51, 0x65, 0x60, 0xAC, 0x3D,
110 0x11, 0x32, 0xB8, 0xD6, 0x34, 0x35, 0x66, 0xD0, 0x30, 0xB9, 0xE9, 0x67, 0x2C, 0x87, 0x73, 0x43,
111 0x9C, 0x12, 0x16, 0x7D, 0x4A, 0xD9, 0xA3, 0x4C, 0x24, 0x64, 0x6A, 0x32, 0x8E, 0xC3, 0xD8, 0x00,
112 0x90, 0x5C, 0x4D, 0x65, 0x01, 0x53, 0x8A, 0xD0, 0x87, 0xCE, 0x96, 0xEF, 0xFA, 0x73, 0x03, 0xF1,
113 0xDC, 0x1B, 0x9B, 0x02, 0x81, 0x81, 0x00, 0xEA, 0xB3, 0x69, 0x00, 0x11, 0x0E, 0x50, 0xAA, 0xD3,
114 0x22, 0x51, 0x78, 0x9D, 0xFF, 0x05, 0x62, 0xBC, 0x9A, 0x67, 0x86, 0xE1, 0xC5, 0x02, 0x2D, 0x14,
115 0x11, 0x29, 0x30, 0xE7, 0x90, 0x5D, 0x72, 0x6F, 0xC5, 0x62, 0xEB, 0xD4, 0xB0, 0x3F, 0x3D, 0xDC,
116 0xB9, 0xFC, 0x2B, 0x5C, 0xBD, 0x9E, 0x71, 0x81, 0x5C, 0xC5, 0xFE, 0xDF, 0x69, 0x73, 0x12, 0x66,
117 0x92, 0x06, 0xD4, 0xD5, 0x8F, 0xDF, 0x14, 0x2E, 0x9C, 0xD0, 0x4C, 0xC2, 0x4D, 0x31, 0x2E, 0x47,
118 0xA5, 0xDC, 0x8A, 0x83, 0x7B, 0xE8, 0xA5, 0xC3, 0x03, 0x98, 0xD8, 0xBF, 0xF4, 0x7D, 0x6E, 0x87,
119 0x55, 0xE4, 0x0F, 0x15, 0x10, 0xC8, 0x76, 0x4F, 0xAD, 0x1D, 0x1C, 0x95, 0x41, 0x9D, 0x88, 0xEC,
120 0x8C, 0xDA, 0xBA, 0x90, 0x7F, 0x8D, 0xD9, 0x8B, 0x47, 0x6C, 0x0C, 0xFF, 0xBA, 0x73, 0x00, 0x20,
121 0x1F, 0xF7, 0x7E, 0x5F, 0xF4, 0xEC, 0xD1, 0x02, 0x81, 0x80, 0x16, 0xB7, 0x43, 0xB5, 0x5D, 0xD7,
122 0x2B, 0x18, 0x0B, 0xAE, 0x0A, 0x69, 0x28, 0x53, 0x5E, 0x7A, 0x6A, 0xA0, 0xF2, 0xF1, 0x2E, 0x09,
123 0x43, 0x91, 0x79, 0xA5, 0x89, 0xAC, 0x16, 0x6A, 0x1A, 0xB4, 0x55, 0x22, 0xF6, 0xB6, 0x3F, 0x18,
124 0xDE, 0x60, 0xD5, 0x24, 0x53, 0x4F, 0x2A, 0x19, 0x46, 0x92, 0xA7, 0x4B, 0x38, 0xD7, 0x65, 0x96,
125 0x9C, 0x84, 0x8A, 0x6E, 0x38, 0xB8, 0xCF, 0x06, 0x9A, 0xAD, 0x0A, 0x55, 0x26, 0x7B, 0x65, 0x24,
126 0xF3, 0x02, 0x76, 0xB3, 0xE6, 0xB4, 0x01, 0xE1, 0x3C, 0x61, 0x3D, 0x68, 0x05, 0xAA, 0xD1, 0x26,
127 0x7C, 0xE0, 0x51, 0x36, 0xE5, 0x21, 0x7F, 0x76, 0x02, 0xD6, 0xF4, 0x91, 0x07, 0x74, 0x27, 0x09,
128 0xEF, 0xEF, 0x0F, 0xA5, 0x96, 0xFC, 0x5E, 0x20, 0xC1, 0xA3, 0x6F, 0x99, 0x4D, 0x45, 0x03, 0x6C,
129 0x35, 0x45, 0xD7, 0x8F, 0x47, 0x41, 0x86, 0x8D, 0x62, 0x1D, 0x02, 0x81, 0x81, 0x00, 0xC3, 0x93,
130 0x85, 0xA7, 0xFC, 0x8E, 0x85, 0x42, 0x14, 0x76, 0xC0, 0x95, 0x56, 0x73, 0xB0, 0xB5, 0x3A, 0x9D,
131 0x20, 0x30, 0x11, 0xEA, 0xED, 0x89, 0x4A, 0xF3, 0x91, 0xF3, 0xA2, 0xC3, 0x76, 0x5B, 0x6A, 0x30,
132 0x7D, 0xE2, 0x2F, 0x76, 0x3E, 0xFC, 0xF9, 0xF6, 0x31, 0xE0, 0xA0, 0x83, 0x92, 0x88, 0xDB, 0x57,
133 0xC7, 0xD6, 0x3F, 0xAD, 0xCB, 0xAA, 0x45, 0xB6, 0xE1, 0xE2, 0x71, 0xA4, 0x56, 0x2C, 0xA7, 0x3B,
134 0x1D, 0x89, 0x19, 0x50, 0xE1, 0xEE, 0xC2, 0xDD, 0xC0, 0x0D, 0xDC, 0xCB, 0x60, 0x6E, 0xE1, 0x37,
135 0x1A, 0x23, 0x64, 0xB2, 0x03, 0xE4, 0x1A, 0xFA, 0xC3, 0xF4, 0x9D, 0x85, 0x42, 0xC6, 0xF4, 0x56,
136 0x39, 0xB0, 0x1B, 0xE0, 0x75, 0xBA, 0x28, 0x04, 0xA8, 0x30, 0x57, 0x41, 0x33, 0x9F, 0x58, 0xA4,
137 0xC7, 0xB1, 0x7D, 0x58, 0x8D, 0x84, 0x49, 0x40, 0xDA, 0x28, 0x81, 0x25, 0xC4, 0x41, 0x02, 0x81,
138 0x80, 0x13, 0x20, 0x65, 0xD5, 0x96, 0x98, 0x8D, 0x16, 0x73, 0xA1, 0x31, 0x73, 0x79, 0xBA, 0xEC,
139 0xB0, 0xD9, 0x0C, 0xF6, 0xEF, 0x2F, 0xC2, 0xE7, 0x96, 0x9B, 0xA1, 0x2D, 0xE9, 0xFB, 0x45, 0xB9,
140 0xD0, 0x30, 0xE2, 0xBD, 0x30, 0x4F, 0xB6, 0xFE, 0x24, 0x02, 0xCF, 0x8D, 0x51, 0x48, 0x45, 0xD9,
141 0xF7, 0x20, 0x53, 0x1C, 0x0B, 0xA9, 0x7E, 0xC2, 0xA2, 0x65, 0xCC, 0x3E, 0x0E, 0x0D, 0xF1, 0x62,
142 0xDD, 0x5F, 0xBC, 0x55, 0x9B, 0x58, 0x26, 0x40, 0x6A, 0xEE, 0x02, 0x55, 0x36, 0xE9, 0xBA, 0x82,
143 0x5A, 0xFD, 0x3C, 0xDF, 0xA6, 0x26, 0x32, 0x81, 0xA9, 0x5E, 0x46, 0xBE, 0xBA, 0xDC, 0xD3, 0x2A,
144 0x3A, 0x3B, 0xC1, 0x4E, 0xF7, 0x1A, 0xDC, 0x4B, 0xAF, 0x67, 0x1B, 0x3A, 0x83, 0x0D, 0x04, 0xDE,
145 0x27, 0x47, 0xFC, 0xE6, 0x39, 0x89, 0x7B, 0x66, 0xF9, 0x50, 0x4D, 0xF1, 0xAC, 0x20, 0x43, 0x7E,
146 0xEE,
147];
148
149/// DER-encoded PKCS#8 format EC key. Generated using:
150/// openssl ecparam -name prime256v1 -genkey | openssl pkcs8 -topk8 -nocrypt -outform der | hexdump -e '30/1 "%02X" "\n"'
151pub static EC_P_256_KEY: &[u8] = &[
152 0x30, 0x81, 0x87, 0x02, 0x01, 0x00, 0x30, 0x13, 0x06, 0x07, 0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x02,
153 0x01, 0x06, 0x08, 0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x03, 0x01, 0x07, 0x04, 0x6D, 0x30, 0x6B, 0x02,
154 0x01, 0x01, 0x04, 0x20, 0xB9, 0x1D, 0xAF, 0x50, 0xFD, 0xD8, 0x6A, 0x40, 0xAB, 0x2C, 0xCB, 0x54,
155 0x4E, 0xED, 0xF1, 0x64, 0xBC, 0x30, 0x25, 0xFB, 0xC4, 0x69, 0x00, 0x34, 0x1A, 0x82, 0xA3, 0x72,
156 0x5D, 0xC7, 0xA9, 0x85, 0xA1, 0x44, 0x03, 0x42, 0x00, 0x04, 0xE8, 0x53, 0x0A, 0xF2, 0xD3, 0x68,
157 0x40, 0x48, 0x8C, 0xB4, 0x2F, 0x11, 0x34, 0xD7, 0xF4, 0x4A, 0x5C, 0x33, 0xFF, 0xF6, 0x2B, 0xF7,
158 0x98, 0x0F, 0x02, 0xA5, 0xD7, 0x4F, 0xF9, 0xDE, 0x60, 0x9C, 0x6E, 0xB0, 0x45, 0xDA, 0x3F, 0xF4,
159 0x34, 0x23, 0x9B, 0x4C, 0x3A, 0x09, 0x9C, 0x5E, 0x5D, 0x37, 0x96, 0xAC, 0x4A, 0xE7, 0x65, 0x2B,
160 0xD6, 0x84, 0x98, 0xEA, 0x96, 0x91, 0xFB, 0x78, 0xED, 0x86,
161];
162
Rajesh Nyamagoudc946cc42022-04-12 22:49:11 +0000[diff] [blame]163/// DER-encoded PKCS#8 format RSA key -
164/// Size: 2048
165/// Public Exponent: 65537
166/// Purpose: WRAP_KEY, ENCRYPT, DECRYPT
167/// Encryption scheme: RSAES-PKCS1-v1_5
168/// Digest: SHA_2_256
169/// Padding: RSA_OAEP
170/// This sample wrapping_key is taken from KeyMint tests
171/// (see hardware/interfaces/security/keymint/aidl/vts/functional/KeyMintTest.cpp).
172/// Similarly more test keys can be generated with below command -
173/// openssl genrsa 2048 | openssl pkcs8 -topk8 -nocrypt -outform der | hexdump -e '30/1 "%02X" "\n"'
174pub static WRAPPING_KEY: &[u8] = &[
175 0x30, 0x82, 0x04, 0xbe, 0x02, 0x01, 0x00, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7,
176 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x04, 0x82, 0x04, 0xa8, 0x30, 0x82, 0x04, 0xa4, 0x02, 0x01,
177 0x00, 0x02, 0x82, 0x01, 0x01, 0x00, 0xae, 0xc3, 0x67, 0x93, 0x1d, 0x89, 0x00, 0xce, 0x56, 0xb0,
178 0x06, 0x7f, 0x7d, 0x70, 0xe1, 0xfc, 0x65, 0x3f, 0x3f, 0x34, 0xd1, 0x94, 0xc1, 0xfe, 0xd5, 0x00,
179 0x18, 0xfb, 0x43, 0xdb, 0x93, 0x7b, 0x06, 0xe6, 0x73, 0xa8, 0x37, 0x31, 0x3d, 0x56, 0xb1, 0xc7,
180 0x25, 0x15, 0x0a, 0x3f, 0xef, 0x86, 0xac, 0xbd, 0xdc, 0x41, 0xbb, 0x75, 0x9c, 0x28, 0x54, 0xea,
181 0xe3, 0x2d, 0x35, 0x84, 0x1e, 0xfb, 0x5c, 0x18, 0xd8, 0x2b, 0xc9, 0x0a, 0x1c, 0xb5, 0xc1, 0xd5,
182 0x5a, 0xdf, 0x24, 0x5b, 0x02, 0x91, 0x1f, 0x0b, 0x7c, 0xda, 0x88, 0xc4, 0x21, 0xff, 0x0e, 0xba,
183 0xfe, 0x7c, 0x0d, 0x23, 0xbe, 0x31, 0x2d, 0x7b, 0xd5, 0x92, 0x1f, 0xfa, 0xea, 0x13, 0x47, 0xc1,
184 0x57, 0x40, 0x6f, 0xef, 0x71, 0x8f, 0x68, 0x26, 0x43, 0xe4, 0xe5, 0xd3, 0x3c, 0x67, 0x03, 0xd6,
185 0x1c, 0x0c, 0xf7, 0xac, 0x0b, 0xf4, 0x64, 0x5c, 0x11, 0xf5, 0xc1, 0x37, 0x4c, 0x38, 0x86, 0x42,
186 0x74, 0x11, 0xc4, 0x49, 0x79, 0x67, 0x92, 0xe0, 0xbe, 0xf7, 0x5d, 0xec, 0x85, 0x8a, 0x21, 0x23,
187 0xc3, 0x67, 0x53, 0xe0, 0x2a, 0x95, 0xa9, 0x6d, 0x7c, 0x45, 0x4b, 0x50, 0x4d, 0xe3, 0x85, 0xa6,
188 0x42, 0xe0, 0xdf, 0xc3, 0xe6, 0x0a, 0xc3, 0xa7, 0xee, 0x49, 0x91, 0xd0, 0xd4, 0x8b, 0x01, 0x72,
189 0xa9, 0x5f, 0x95, 0x36, 0xf0, 0x2b, 0xa1, 0x3c, 0xec, 0xcc, 0xb9, 0x2b, 0x72, 0x7d, 0xb5, 0xc2,
190 0x7e, 0x5b, 0x2f, 0x5c, 0xec, 0x09, 0x60, 0x0b, 0x28, 0x6a, 0xf5, 0xcf, 0x14, 0xc4, 0x20, 0x24,
191 0xc6, 0x1d, 0xdf, 0xe7, 0x1c, 0x2a, 0x8d, 0x74, 0x58, 0xf1, 0x85, 0x23, 0x4c, 0xb0, 0x0e, 0x01,
192 0xd2, 0x82, 0xf1, 0x0f, 0x8f, 0xc6, 0x72, 0x1d, 0x2a, 0xed, 0x3f, 0x48, 0x33, 0xcc, 0xa2, 0xbd,
193 0x8f, 0xa6, 0x28, 0x21, 0xdd, 0x55, 0x02, 0x03, 0x01, 0x00, 0x01, 0x02, 0x82, 0x01, 0x00, 0x43,
194 0x14, 0x47, 0xb6, 0x25, 0x19, 0x08, 0x11, 0x2b, 0x1e, 0xe7, 0x6f, 0x99, 0xf3, 0x71, 0x1a, 0x52,
195 0xb6, 0x63, 0x09, 0x60, 0x04, 0x6c, 0x2d, 0xe7, 0x0d, 0xe1, 0x88, 0xd8, 0x33, 0xf8, 0xb8, 0xb9,
196 0x1e, 0x4d, 0x78, 0x5c, 0xae, 0xee, 0xaf, 0x4f, 0x0f, 0x74, 0x41, 0x4e, 0x2c, 0xda, 0x40, 0x64,
197 0x1f, 0x7f, 0xe2, 0x4f, 0x14, 0xc6, 0x7a, 0x88, 0x95, 0x9b, 0xdb, 0x27, 0x76, 0x6d, 0xf9, 0xe7,
198 0x10, 0xb6, 0x30, 0xa0, 0x3a, 0xdc, 0x68, 0x3b, 0x5d, 0x2c, 0x43, 0x08, 0x0e, 0x52, 0xbe, 0xe7,
199 0x1e, 0x9e, 0xae, 0xb6, 0xde, 0x29, 0x7a, 0x5f, 0xea, 0x10, 0x72, 0x07, 0x0d, 0x18, 0x1c, 0x82,
200 0x2b, 0xcc, 0xff, 0x08, 0x7d, 0x63, 0xc9, 0x40, 0xba, 0x8a, 0x45, 0xf6, 0x70, 0xfe, 0xb2, 0x9f,
201 0xb4, 0x48, 0x4d, 0x1c, 0x95, 0xe6, 0xd2, 0x57, 0x9b, 0xa0, 0x2a, 0xae, 0x0a, 0x00, 0x90, 0x0c,
202 0x3e, 0xbf, 0x49, 0x0e, 0x3d, 0x2c, 0xd7, 0xee, 0x8d, 0x0e, 0x20, 0xc5, 0x36, 0xe4, 0xdc, 0x5a,
203 0x50, 0x97, 0x27, 0x28, 0x88, 0xcd, 0xdd, 0x7e, 0x91, 0xf2, 0x28, 0xb1, 0xc4, 0xd7, 0x47, 0x4c,
204 0x55, 0xb8, 0xfc, 0xd6, 0x18, 0xc4, 0xa9, 0x57, 0xbb, 0xdd, 0xd5, 0xad, 0x74, 0x07, 0xcc, 0x31,
205 0x2d, 0x8d, 0x98, 0xa5, 0xca, 0xf7, 0xe0, 0x8f, 0x4a, 0x0d, 0x6b, 0x45, 0xbb, 0x41, 0xc6, 0x52,
206 0x65, 0x9d, 0x5a, 0x5b, 0xa0, 0x5b, 0x66, 0x37, 0x37, 0xa8, 0x69, 0x62, 0x81, 0x86, 0x5b, 0xa2,
207 0x0f, 0xbd, 0xd7, 0xf8, 0x51, 0xe6, 0xc5, 0x6e, 0x8c, 0xbe, 0x0d, 0xdb, 0xbf, 0x24, 0xdc, 0x03,
208 0xb2, 0xd2, 0xcb, 0x4c, 0x3d, 0x54, 0x0f, 0xb0, 0xaf, 0x52, 0xe0, 0x34, 0xa2, 0xd0, 0x66, 0x98,
209 0xb1, 0x28, 0xe5, 0xf1, 0x01, 0xe3, 0xb5, 0x1a, 0x34, 0xf8, 0xd8, 0xb4, 0xf8, 0x61, 0x81, 0x02,
210 0x81, 0x81, 0x00, 0xde, 0x39, 0x2e, 0x18, 0xd6, 0x82, 0xc8, 0x29, 0x26, 0x6c, 0xc3, 0x45, 0x4e,
211 0x1d, 0x61, 0x66, 0x24, 0x2f, 0x32, 0xd9, 0xa1, 0xd1, 0x05, 0x77, 0x75, 0x3e, 0x90, 0x4e, 0xa7,
212 0xd0, 0x8b, 0xff, 0x84, 0x1b, 0xe5, 0xba, 0xc8, 0x2a, 0x16, 0x4c, 0x59, 0x70, 0x00, 0x70, 0x47,
213 0xb8, 0xc5, 0x17, 0xdb, 0x8f, 0x8f, 0x84, 0xe3, 0x7b, 0xd5, 0x98, 0x85, 0x61, 0xbd, 0xf5, 0x03,
214 0xd4, 0xdc, 0x2b, 0xdb, 0x38, 0xf8, 0x85, 0x43, 0x4a, 0xe4, 0x2c, 0x35, 0x5f, 0x72, 0x5c, 0x9a,
215 0x60, 0xf9, 0x1f, 0x07, 0x88, 0xe1, 0xf1, 0xa9, 0x72, 0x23, 0xb5, 0x24, 0xb5, 0x35, 0x7f, 0xdf,
216 0x72, 0xe2, 0xf6, 0x96, 0xba, 0xb7, 0xd7, 0x8e, 0x32, 0xbf, 0x92, 0xba, 0x8e, 0x18, 0x64, 0xea,
217 0xb1, 0x22, 0x9e, 0x91, 0x34, 0x61, 0x30, 0x74, 0x8a, 0x6e, 0x3c, 0x12, 0x4f, 0x91, 0x49, 0xd7,
218 0x1c, 0x74, 0x35, 0x02, 0x81, 0x81, 0x00, 0xc9, 0x53, 0x87, 0xc0, 0xf9, 0xd3, 0x5f, 0x13, 0x7b,
219 0x57, 0xd0, 0xd6, 0x5c, 0x39, 0x7c, 0x5e, 0x21, 0xcc, 0x25, 0x1e, 0x47, 0x00, 0x8e, 0xd6, 0x2a,
220 0x54, 0x24, 0x09, 0xc8, 0xb6, 0xb6, 0xac, 0x7f, 0x89, 0x67, 0xb3, 0x86, 0x3c, 0xa6, 0x45, 0xfc,
221 0xce, 0x49, 0x58, 0x2a, 0x9a, 0xa1, 0x73, 0x49, 0xdb, 0x6c, 0x4a, 0x95, 0xaf, 0xfd, 0xae, 0x0d,
222 0xae, 0x61, 0x2e, 0x1a, 0xfa, 0xc9, 0x9e, 0xd3, 0x9a, 0x2d, 0x93, 0x4c, 0x88, 0x04, 0x40, 0xae,
223 0xd8, 0x83, 0x2f, 0x98, 0x43, 0x16, 0x3a, 0x47, 0xf2, 0x7f, 0x39, 0x21, 0x99, 0xdc, 0x12, 0x02,
224 0xf9, 0xa0, 0xf9, 0xbd, 0x08, 0x30, 0x80, 0x07, 0xcb, 0x1e, 0x4e, 0x7f, 0x58, 0x30, 0x93, 0x66,
225 0xa7, 0xde, 0x25, 0xf7, 0xc3, 0xc9, 0xb8, 0x80, 0x67, 0x7c, 0x06, 0x8e, 0x1b, 0xe9, 0x36, 0xe8,
226 0x12, 0x88, 0x81, 0x52, 0x52, 0xa8, 0xa1, 0x02, 0x81, 0x80, 0x57, 0xff, 0x8c, 0xa1, 0x89, 0x50,
227 0x80, 0xb2, 0xca, 0xe4, 0x86, 0xef, 0x0a, 0xdf, 0xd7, 0x91, 0xfb, 0x02, 0x35, 0xc0, 0xb8, 0xb3,
228 0x6c, 0xd6, 0xc1, 0x36, 0xe5, 0x2e, 0x40, 0x85, 0xf4, 0xea, 0x5a, 0x06, 0x32, 0x12, 0xa4, 0xf1,
229 0x05, 0xa3, 0x76, 0x47, 0x43, 0xe5, 0x32, 0x81, 0x98, 0x8a, 0xba, 0x07, 0x3f, 0x6e, 0x00, 0x27,
230 0x29, 0x8e, 0x1c, 0x43, 0x78, 0x55, 0x6e, 0x0e, 0xfc, 0xa0, 0xe1, 0x4e, 0xce, 0x1a, 0xf7, 0x6a,
231 0xd0, 0xb0, 0x30, 0xf2, 0x7a, 0xf6, 0xf0, 0xab, 0x35, 0xfb, 0x73, 0xa0, 0x60, 0xd8, 0xb1, 0xa0,
232 0xe1, 0x42, 0xfa, 0x26, 0x47, 0xe9, 0x3b, 0x32, 0xe3, 0x6d, 0x82, 0x82, 0xae, 0x0a, 0x4d, 0xe5,
233 0x0a, 0xb7, 0xaf, 0xe8, 0x55, 0x00, 0xa1, 0x6f, 0x43, 0xa6, 0x47, 0x19, 0xd6, 0xe2, 0xb9, 0x43,
234 0x98, 0x23, 0x71, 0x9c, 0xd0, 0x8b, 0xcd, 0x03, 0x17, 0x81, 0x02, 0x81, 0x81, 0x00, 0xba, 0x73,
235 0xb0, 0xbb, 0x28, 0xe3, 0xf8, 0x1e, 0x9b, 0xd1, 0xc5, 0x68, 0x71, 0x3b, 0x10, 0x12, 0x41, 0xac,
236 0xc6, 0x07, 0x97, 0x6c, 0x4d, 0xdc, 0xcc, 0x90, 0xe6, 0x5b, 0x65, 0x56, 0xca, 0x31, 0x51, 0x60,
237 0x58, 0xf9, 0x2b, 0x6e, 0x09, 0xf3, 0xb1, 0x60, 0xff, 0x0e, 0x37, 0x4e, 0xc4, 0x0d, 0x78, 0xae,
238 0x4d, 0x49, 0x79, 0xfd, 0xe6, 0xac, 0x06, 0xa1, 0xa4, 0x00, 0xc6, 0x1d, 0xd3, 0x12, 0x54, 0x18,
239 0x6a, 0xf3, 0x0b, 0x22, 0xc1, 0x05, 0x82, 0xa8, 0xa4, 0x3e, 0x34, 0xfe, 0x94, 0x9c, 0x5f, 0x3b,
240 0x97, 0x55, 0xba, 0xe7, 0xba, 0xa7, 0xb7, 0xb7, 0xa6, 0xbd, 0x03, 0xb3, 0x8c, 0xef, 0x55, 0xc8,
241 0x68, 0x85, 0xfc, 0x6c, 0x19, 0x78, 0xb9, 0xce, 0xe7, 0xef, 0x33, 0xda, 0x50, 0x7c, 0x9d, 0xf6,
242 0xb9, 0x27, 0x7c, 0xff, 0x1e, 0x6a, 0xaa, 0x5d, 0x57, 0xac, 0xa5, 0x28, 0x46, 0x61, 0x02, 0x81,
243 0x81, 0x00, 0xc9, 0x31, 0x61, 0x7c, 0x77, 0x82, 0x9d, 0xfb, 0x12, 0x70, 0x50, 0x2b, 0xe9, 0x19,
244 0x5c, 0x8f, 0x28, 0x30, 0x88, 0x5f, 0x57, 0xdb, 0xa8, 0x69, 0x53, 0x68, 0x11, 0xe6, 0x86, 0x42,
245 0x36, 0xd0, 0xc4, 0x73, 0x6a, 0x00, 0x08, 0xa1, 0x45, 0xaf, 0x36, 0xb8, 0x35, 0x7a, 0x7c, 0x3d,
246 0x13, 0x99, 0x66, 0xd0, 0x4c, 0x4e, 0x00, 0x93, 0x4e, 0xa1, 0xae, 0xde, 0x3b, 0xb6, 0xb8, 0xec,
247 0x84, 0x1d, 0xc9, 0x5e, 0x3f, 0x57, 0x97, 0x51, 0xe2, 0xbf, 0xdf, 0xe2, 0x7a, 0xe7, 0x78, 0x98,
248 0x3f, 0x95, 0x93, 0x56, 0x21, 0x07, 0x23, 0x28, 0x7b, 0x0a, 0xff, 0xcc, 0x9f, 0x72, 0x70, 0x44,
249 0xd4, 0x8c, 0x37, 0x3f, 0x1b, 0xab, 0xde, 0x07, 0x24, 0xfa, 0x17, 0xa4, 0xfd, 0x4d, 0xa0, 0x90,
250 0x2c, 0x7c, 0x9b, 0x9b, 0xf2, 0x7b, 0xa6, 0x1b, 0xe6, 0xad, 0x02, 0xdf, 0xdd, 0xda, 0x8f, 0x4e,
251 0x68, 0x22,
252];
253
254/// WrappedKeyData as ASN.1 DER-encoded data corresponding to the `SecureKeyWrapper` schema
255/// specified in IKeyMintDevice.aidl. Wrapped key parameters are -
256/// Algorithm: AES
257/// Key size: 256
258/// Block mode: ECB
259/// Padding mode: PKCS7
260/// This sample wrapped_key is taken from KeyMint tests (see KeyMintTest.cpp).
261pub static WRAPPED_KEY: &[u8] = &[
262 0x30, 0x82, 0x01, 0x79, 0x02, 0x01, 0x00, 0x04, 0x82, 0x01, 0x00, 0x93, 0x4b, 0xf9, 0x4e, 0x2a,
263 0xa2, 0x8a, 0x3f, 0x83, 0xc9, 0xf7, 0x92, 0x97, 0x25, 0x02, 0x62, 0xfb, 0xe3, 0x27, 0x6b, 0x5a,
264 0x1c, 0x91, 0x15, 0x9b, 0xbf, 0xa3, 0xef, 0x89, 0x57, 0xaa, 0xc8, 0x4b, 0x59, 0xb3, 0x0b, 0x45,
265 0x5a, 0x79, 0xc2, 0x97, 0x34, 0x80, 0x82, 0x3d, 0x8b, 0x38, 0x63, 0xc3, 0xde, 0xef, 0x4a, 0x8e,
266 0x24, 0x35, 0x90, 0x26, 0x8d, 0x80, 0xe1, 0x87, 0x51, 0xa0, 0xe1, 0x30, 0xf6, 0x7c, 0xe6, 0xa1,
267 0xac, 0xe9, 0xf7, 0x9b, 0x95, 0xe0, 0x97, 0x47, 0x4f, 0xeb, 0xc9, 0x81, 0x19, 0x5b, 0x1d, 0x13,
268 0xa6, 0x90, 0x86, 0xc0, 0x86, 0x3f, 0x66, 0xa7, 0xb7, 0xfd, 0xb4, 0x87, 0x92, 0x22, 0x7b, 0x1a,
269 0xc5, 0xe2, 0x48, 0x9f, 0xeb, 0xdf, 0x08, 0x7a, 0xb5, 0x48, 0x64, 0x83, 0x03, 0x3a, 0x6f, 0x00,
270 0x1c, 0xa5, 0xd1, 0xec, 0x1e, 0x27, 0xf5, 0xc3, 0x0f, 0x4c, 0xec, 0x26, 0x42, 0x07, 0x4a, 0x39,
271 0xae, 0x68, 0xae, 0xe5, 0x52, 0xe1, 0x96, 0x62, 0x7a, 0x8e, 0x3d, 0x86, 0x7e, 0x67, 0xa8, 0xc0,
272 0x1b, 0x11, 0xe7, 0x5f, 0x13, 0xcc, 0xa0, 0xa9, 0x7a, 0xb6, 0x68, 0xb5, 0x0c, 0xda, 0x07, 0xa8,
273 0xec, 0xb7, 0xcd, 0x8e, 0x3d, 0xd7, 0x00, 0x9c, 0x96, 0x36, 0x53, 0x4f, 0x6f, 0x23, 0x9c, 0xff,
274 0xe1, 0xfc, 0x8d, 0xaa, 0x46, 0x6f, 0x78, 0xb6, 0x76, 0xc7, 0x11, 0x9e, 0xfb, 0x96, 0xbc, 0xe4,
275 0xe6, 0x9c, 0xa2, 0xa2, 0x5d, 0x0b, 0x34, 0xed, 0x9c, 0x3f, 0xf9, 0x99, 0xb8, 0x01, 0x59, 0x7d,
276 0x52, 0x20, 0xe3, 0x07, 0xea, 0xa5, 0xbe, 0xe5, 0x07, 0xfb, 0x94, 0xd1, 0xfa, 0x69, 0xf9, 0xe5,
277 0x19, 0xb2, 0xde, 0x31, 0x5b, 0xac, 0x92, 0xc3, 0x6f, 0x2e, 0xa1, 0xfa, 0x1d, 0xf4, 0x47, 0x8c,
278 0x0d, 0xde, 0xde, 0xae, 0x8c, 0x70, 0xe0, 0x23, 0x3c, 0xd0, 0x98, 0x04, 0x0c, 0xd7, 0x96, 0xb0,
279 0x2c, 0x37, 0x0f, 0x1f, 0xa4, 0xcc, 0x01, 0x24, 0xf1, 0x30, 0x2e, 0x02, 0x01, 0x03, 0x30, 0x29,
280 0xa1, 0x08, 0x31, 0x06, 0x02, 0x01, 0x00, 0x02, 0x01, 0x01, 0xa2, 0x03, 0x02, 0x01, 0x20, 0xa3,
281 0x04, 0x02, 0x02, 0x01, 0x00, 0xa4, 0x05, 0x31, 0x03, 0x02, 0x01, 0x01, 0xa6, 0x05, 0x31, 0x03,
282 0x02, 0x01, 0x40, 0xbf, 0x83, 0x77, 0x02, 0x05, 0x00, 0x04, 0x20, 0xcc, 0xd5, 0x40, 0x85, 0x5f,
283 0x83, 0x3a, 0x5e, 0x14, 0x80, 0xbf, 0xd2, 0xd3, 0x6f, 0xaf, 0x3a, 0xee, 0xe1, 0x5d, 0xf5, 0xbe,
284 0xab, 0xe2, 0x69, 0x1b, 0xc8, 0x2d, 0xde, 0x2a, 0x7a, 0xa9, 0x10, 0x04, 0x10, 0x64, 0xc9, 0xf6,
285 0x89, 0xc6, 0x0f, 0xf6, 0x22, 0x3a, 0xb6, 0xe6, 0x99, 0x9e, 0x0e, 0xb6, 0xe5,
286];
287
Rajesh Nyamagoudb881d512021-12-10 00:33:15 +0000[diff] [blame]288/// To map Keystore errors.
289#[derive(thiserror::Error, Debug, Eq, PartialEq)]
290pub enum Error {
291 /// Keystore2 error code
292 #[error("ResponseCode {0:?}")]
293 Rc(ResponseCode),
294 /// Keymint error code
295 #[error("ErrorCode {0:?}")]
296 Km(ErrorCode),
297 /// Exception
298 #[error("Binder exception {0:?}")]
299 Binder(ExceptionCode),
Rajesh Nyamagoud4d483372022-02-09 01:38:23 +0000[diff] [blame]300 /// This is returned if the C implementation of extractSubjectFromCertificate failed.
301 #[error("Failed to validate certificate chain.")]
302 ValidateCertChainFailed,
Rajesh Nyamagoudc946cc42022-04-12 22:49:11 +0000[diff] [blame]303 /// Error code to indicate error in ASN.1 DER-encoded data creation.
304 #[error("Failed to create and encode ASN.1 data.")]
305 DerEncodeFailed,
Rajesh Nyamagoud28abde62023-04-01 01:32:32 +0000[diff] [blame]306 /// Error code to indicate error while using keystore-engine API.
307 #[error("Failed to perform crypto op using keystore-engine APIs.")]
308 Keystore2EngineOpFailed,
Rajesh Nyamagoudb881d512021-12-10 00:33:15 +0000[diff] [blame]309}
310
311/// Keystore2 error mapping.
312pub fn map_ks_error<T>(r: BinderResult<T>) -> Result<T, Error> {
313 r.map_err(|s| {
314 match s.exception_code() {
315 ExceptionCode::SERVICE_SPECIFIC => {
316 match s.service_specific_error() {
317 se if se < 0 => {
318 // Negative service specific errors are KM error codes.
319 Error::Km(ErrorCode(se))
320 }
321 se => {
322 // Positive service specific errors are KS response codes.
323 Error::Rc(ResponseCode(se))
324 }
325 }
326 }
327 // We create `Error::Binder` to preserve the exception code
328 // for logging.
329 e_code => Error::Binder(e_code),
330 }
331 })
332}
333
334/// Generate EC Key using given security level and domain with below key parameters and
335/// optionally allow the generated key to be attested with factory provisioned attest key using
336/// given challenge and application id -
Rajesh Nyamagoud901386c2022-03-21 20:35:18 +0000[diff] [blame]337/// Purposes: SIGN and VERIFY
338/// Digest: SHA_2_256
339/// Curve: P_256
Rajesh Nyamagoudb881d512021-12-10 00:33:15 +0000[diff] [blame]340pub fn generate_ec_p256_signing_key(
Rajesh Nyamagoud901386c2022-03-21 20:35:18 +0000[diff] [blame]341 sec_level: &binder::Strong<dyn IKeystoreSecurityLevel>,
Rajesh Nyamagoudb881d512021-12-10 00:33:15 +0000[diff] [blame]342 domain: Domain,
343 nspace: i64,
344 alias: Option<String>,
345 att_challenge: Option<&[u8]>,
Rajesh Nyamagoud901386c2022-03-21 20:35:18 +0000[diff] [blame]346) -> binder::Result<KeyMetadata> {
Rajesh Nyamagoudb881d512021-12-10 00:33:15 +0000[diff] [blame]347 let mut key_attest = false;
348 let mut gen_params = AuthSetBuilder::new()
Rajesh Nyamagoudc7d064d2022-08-20 01:45:17 +0000[diff] [blame]349 .no_auth_required()
Rajesh Nyamagoud901386c2022-03-21 20:35:18 +0000[diff] [blame]350 .algorithm(Algorithm::EC)
351 .purpose(KeyPurpose::SIGN)
352 .purpose(KeyPurpose::VERIFY)
353 .digest(Digest::SHA_2_256)
Rajesh Nyamagoudb881d512021-12-10 00:33:15 +0000[diff] [blame]354 .ec_curve(EcCurve::P_256);
355
356 if let Some(challenge) = att_challenge {
357 key_attest = true;
358 gen_params = gen_params.clone().attestation_challenge(challenge.to_vec());
359 }
360
Rajesh Nyamagoud901386c2022-03-21 20:35:18 +0000[diff] [blame]361 match sec_level.generateKey(
Rajesh Nyamagoudb881d512021-12-10 00:33:15 +0000[diff] [blame]362 &KeyDescriptor { domain, nspace, alias, blob: None },
Rajesh Nyamagoud901386c2022-03-21 20:35:18 +0000[diff] [blame]363 None,
364 &gen_params,
365 0,
366 b"entropy",
367 ) {
368 Ok(key_metadata) => {
369 assert!(key_metadata.certificate.is_some());
Rajesh Nyamagoudb881d512021-12-10 00:33:15 +0000[diff] [blame]370 if key_attest {
371 assert!(key_metadata.certificateChain.is_some());
372 }
373 if domain == Domain::BLOB {
374 assert!(key_metadata.key.blob.is_some());
375 }
Rajesh Nyamagoud901386c2022-03-21 20:35:18 +0000[diff] [blame]376
377 Ok(key_metadata)
378 }
379 Err(e) => Err(e),
380 }
381}
Rajesh Nyamagouda7766452021-12-13 21:44:19 +0000[diff] [blame]382
383/// Generate EC signing key.
Rajesh Nyamagoudc7d064d2022-08-20 01:45:17 +0000[diff] [blame]384pub fn generate_ec_key(
385 sec_level: &binder::Strong<dyn IKeystoreSecurityLevel>,
Rajesh Nyamagouda7766452021-12-13 21:44:19 +0000[diff] [blame]386 domain: Domain,
387 nspace: i64,
388 alias: Option<String>,
389 ec_curve: EcCurve,
390 digest: Digest,
391) -> binder::Result<KeyMetadata> {
392 let gen_params = AuthSetBuilder::new()
393 .no_auth_required()
394 .algorithm(Algorithm::EC)
395 .purpose(KeyPurpose::SIGN)
396 .purpose(KeyPurpose::VERIFY)
397 .digest(digest)
398 .ec_curve(ec_curve);
399
400 let key_metadata = sec_level.generateKey(
401 &KeyDescriptor { domain, nspace, alias, blob: None },
402 None,
403 &gen_params,
404 0,
405 b"entropy",
406 )?;
407
408 // Must have a public key.
409 assert!(key_metadata.certificate.is_some());
410
411 // Should not have an attestation record.
412 assert!(key_metadata.certificateChain.is_none());
413
414 if domain == Domain::BLOB {
415 assert!(key_metadata.key.blob.is_some());
416 } else {
417 assert!(key_metadata.key.blob.is_none());
418 }
419 Ok(key_metadata)
420}
Rajesh Nyamagoud11912ea2021-12-20 20:37:20 +0000[diff] [blame]421
422/// Generate a RSA key with the given key parameters, alias, domain and namespace.
423pub fn generate_rsa_key(
424 sec_level: &binder::Strong<dyn IKeystoreSecurityLevel>,
425 domain: Domain,
426 nspace: i64,
427 alias: Option<String>,
428 key_params: &KeyParams,
429 attest_key: Option<&KeyDescriptor>,
430) -> binder::Result<KeyMetadata> {
431 let mut gen_params = AuthSetBuilder::new()
432 .no_auth_required()
433 .algorithm(Algorithm::RSA)
434 .rsa_public_exponent(65537)
435 .key_size(key_params.key_size);
436
437 for purpose in &key_params.purpose {
438 gen_params = gen_params.purpose(*purpose);
439 }
440 if let Some(value) = key_params.digest {
441 gen_params = gen_params.digest(value)
442 }
443 if let Some(value) = key_params.padding {
444 gen_params = gen_params.padding_mode(value);
445 }
446 if let Some(value) = key_params.mgf_digest {
447 gen_params = gen_params.mgf_digest(value);
448 }
449 if let Some(value) = key_params.block_mode {
450 gen_params = gen_params.block_mode(value)
451 }
452 if let Some(value) = &key_params.att_challenge {
453 gen_params = gen_params.attestation_challenge(value.to_vec())
454 }
Rajesh Nyamagoud11912ea2021-12-20 20:37:20 +0000[diff] [blame]455
456 let key_metadata = sec_level.generateKey(
457 &KeyDescriptor { domain, nspace, alias, blob: None },
458 attest_key,
459 &gen_params,
460 0,
461 b"entropy",
462 )?;
463
464 // Must have a public key.
465 assert!(key_metadata.certificate.is_some());
466
David Drysdale38f2ca32023-01-10 13:10:51 +0000[diff] [blame]467 if attest_key.is_none() && key_params.att_challenge.is_some() {
Rajesh Nyamagoud11912ea2021-12-20 20:37:20 +0000[diff] [blame]468 // Should have an attestation record.
469 assert!(key_metadata.certificateChain.is_some());
470 } else {
471 // Should not have an attestation record.
472 assert!(key_metadata.certificateChain.is_none());
473 }
474
475 assert!(
476 (domain == Domain::BLOB && key_metadata.key.blob.is_some())
477 || key_metadata.key.blob.is_none()
478 );
479
480 Ok(key_metadata)
481}
Rajesh Nyamagoud47409932022-01-08 00:37:13 +0000[diff] [blame]482
Rajesh Nyamagoudc3523ba2022-08-05 17:38:25 +0000[diff] [blame]483/// Generate AES/3DES key.
484pub fn generate_sym_key(
Rajesh Nyamagoud47409932022-01-08 00:37:13 +0000[diff] [blame]485 sec_level: &binder::Strong<dyn IKeystoreSecurityLevel>,
Rajesh Nyamagoudc3523ba2022-08-05 17:38:25 +0000[diff] [blame]486 algorithm: Algorithm,
Rajesh Nyamagoud47409932022-01-08 00:37:13 +0000[diff] [blame]487 size: i32,
488 alias: &str,
489 padding_mode: &PaddingMode,
490 block_mode: &BlockMode,
491 min_mac_len: Option<i32>,
492) -> binder::Result<KeyMetadata> {
493 let mut gen_params = AuthSetBuilder::new()
494 .no_auth_required()
Rajesh Nyamagoudc3523ba2022-08-05 17:38:25 +0000[diff] [blame]495 .algorithm(algorithm)
Rajesh Nyamagoud47409932022-01-08 00:37:13 +0000[diff] [blame]496 .purpose(KeyPurpose::ENCRYPT)
497 .purpose(KeyPurpose::DECRYPT)
498 .key_size(size)
499 .padding_mode(*padding_mode)
500 .block_mode(*block_mode);
501
502 if let Some(val) = min_mac_len {
503 gen_params = gen_params.min_mac_length(val);
504 }
505
506 let key_metadata = sec_level.generateKey(
507 &KeyDescriptor {
508 domain: Domain::APP,
509 nspace: -1,
510 alias: Some(alias.to_string()),
511 blob: None,
512 },
513 None,
514 &gen_params,
515 0,
516 b"entropy",
517 )?;
518
519 // Should not have public certificate.
520 assert!(key_metadata.certificate.is_none());
521
522 // Should not have an attestation record.
523 assert!(key_metadata.certificateChain.is_none());
524 Ok(key_metadata)
525}
Rajesh Nyamagoud4c6193c2022-02-03 01:15:34 +0000[diff] [blame]526
527/// Generate HMAC key.
528pub fn generate_hmac_key(
529 sec_level: &binder::Strong<dyn IKeystoreSecurityLevel>,
530 alias: &str,
531 key_size: i32,
532 min_mac_len: i32,
533 digest: Digest,
534) -> binder::Result<KeyMetadata> {
535 let gen_params = AuthSetBuilder::new()
536 .no_auth_required()
537 .algorithm(Algorithm::HMAC)
538 .purpose(KeyPurpose::SIGN)
539 .purpose(KeyPurpose::VERIFY)
540 .key_size(key_size)
541 .min_mac_length(min_mac_len)
542 .digest(digest);
543
544 let key_metadata = sec_level.generateKey(
545 &KeyDescriptor {
546 domain: Domain::APP,
547 nspace: -1,
548 alias: Some(alias.to_string()),
549 blob: None,
550 },
551 None,
552 &gen_params,
553 0,
554 b"entropy",
555 )?;
556
557 // Should not have public certificate.
558 assert!(key_metadata.certificate.is_none());
559
560 // Should not have an attestation record.
561 assert!(key_metadata.certificateChain.is_none());
562
563 Ok(key_metadata)
564}
Rajesh Nyamagoud4d483372022-02-09 01:38:23 +0000[diff] [blame]565
566/// Generate RSA or EC attestation keys using below parameters -
567/// Purpose: ATTEST_KEY
568/// Digest: Digest::SHA_2_256
569/// Padding: PaddingMode::RSA_PKCS1_1_5_SIGN
570/// RSA-Key-Size: 2048
571/// EC-Curve: EcCurve::P_256
572pub fn generate_attestation_key(
573 sec_level: &binder::Strong<dyn IKeystoreSecurityLevel>,
574 algorithm: Algorithm,
575 att_challenge: &[u8],
Rajesh Nyamagoud4d483372022-02-09 01:38:23 +0000[diff] [blame]576) -> binder::Result<KeyMetadata> {
577 assert!(algorithm == Algorithm::RSA || algorithm == Algorithm::EC);
578
579 if algorithm == Algorithm::RSA {
580 let alias = "ks_rsa_attest_test_key";
581 let metadata = generate_rsa_key(
582 sec_level,
583 Domain::APP,
584 -1,
585 Some(alias.to_string()),
586 &KeyParams {
587 key_size: 2048,
588 purpose: vec![KeyPurpose::ATTEST_KEY],
589 padding: Some(PaddingMode::RSA_PKCS1_1_5_SIGN),
590 digest: Some(Digest::SHA_2_256),
591 mgf_digest: None,
592 block_mode: None,
593 att_challenge: Some(att_challenge.to_vec()),
Rajesh Nyamagoud4d483372022-02-09 01:38:23 +0000[diff] [blame]594 },
595 None,
596 )
597 .unwrap();
598 Ok(metadata)
599 } else {
600 let metadata = generate_ec_attestation_key(
601 sec_level,
602 att_challenge,
Rajesh Nyamagoud4d483372022-02-09 01:38:23 +0000[diff] [blame]603 Digest::SHA_2_256,
604 EcCurve::P_256,
605 )
606 .unwrap();
607
608 Ok(metadata)
609 }
610}
611
612/// Generate EC attestation key with the given
613/// curve, attestation-challenge and attestation-app-id.
614pub fn generate_ec_attestation_key(
615 sec_level: &binder::Strong<dyn IKeystoreSecurityLevel>,
616 att_challenge: &[u8],
Rajesh Nyamagoud4d483372022-02-09 01:38:23 +0000[diff] [blame]617 digest: Digest,
618 ec_curve: EcCurve,
619) -> binder::Result<KeyMetadata> {
620 let alias = "ks_attest_ec_test_key";
621 let gen_params = AuthSetBuilder::new()
622 .no_auth_required()
623 .algorithm(Algorithm::EC)
624 .purpose(KeyPurpose::ATTEST_KEY)
625 .ec_curve(ec_curve)
626 .digest(digest)
David Drysdale38f2ca32023-01-10 13:10:51 +0000[diff] [blame]627 .attestation_challenge(att_challenge.to_vec());
Rajesh Nyamagoud4d483372022-02-09 01:38:23 +0000[diff] [blame]628
629 let attestation_key_metadata = sec_level.generateKey(
630 &KeyDescriptor {
631 domain: Domain::APP,
632 nspace: -1,
633 alias: Some(alias.to_string()),
634 blob: None,
635 },
636 None,
637 &gen_params,
638 0,
639 b"entropy",
640 )?;
641
642 // Should have public certificate.
643 assert!(attestation_key_metadata.certificate.is_some());
644 // Should have an attestation record.
645 assert!(attestation_key_metadata.certificateChain.is_some());
646
647 Ok(attestation_key_metadata)
648}
649
650/// Generate EC-P-256 key and attest it with given attestation key.
651pub fn generate_ec_256_attested_key(
652 sec_level: &binder::Strong<dyn IKeystoreSecurityLevel>,
653 alias: Option<String>,
654 att_challenge: &[u8],
Rajesh Nyamagoud4d483372022-02-09 01:38:23 +0000[diff] [blame]655 attest_key: &KeyDescriptor,
656) -> binder::Result<KeyMetadata> {
657 let ec_gen_params = AuthSetBuilder::new()
658 .no_auth_required()
659 .algorithm(Algorithm::EC)
660 .purpose(KeyPurpose::SIGN)
661 .purpose(KeyPurpose::VERIFY)
662 .digest(Digest::SHA_2_256)
663 .ec_curve(EcCurve::P_256)
David Drysdale38f2ca32023-01-10 13:10:51 +0000[diff] [blame]664 .attestation_challenge(att_challenge.to_vec());
Rajesh Nyamagoud4d483372022-02-09 01:38:23 +0000[diff] [blame]665
666 let ec_key_metadata = sec_level
667 .generateKey(
668 &KeyDescriptor { domain: Domain::APP, nspace: -1, alias, blob: None },
669 Some(attest_key),
670 &ec_gen_params,
671 0,
672 b"entropy",
673 )
674 .unwrap();
675
676 // Should have public certificate.
677 assert!(ec_key_metadata.certificate.is_some());
678 // Shouldn't have an attestation record.
679 assert!(ec_key_metadata.certificateChain.is_none());
680
681 Ok(ec_key_metadata)
682}
Rajesh Nyamagoudb8402b62022-04-08 01:05:47 +0000[diff] [blame]683
Rajesh Nyamagoudc946cc42022-04-12 22:49:11 +0000[diff] [blame]684/// Verify that given key param is listed in given authorizations list.
685pub fn check_key_param(authorizations: &[Authorization], key_param: KeyParameter) -> bool {
Rajesh Nyamagoudb8402b62022-04-08 01:05:47 +0000[diff] [blame]686 for authrization in authorizations {
687 if authrization.keyParameter == key_param {
688 return true;
689 }
690 }
691
692 false
693}
694
695/// Imports above defined RSA key - `RSA_2048_KEY` and validates imported key parameters.
696pub fn import_rsa_2048_key(
697 sec_level: &binder::Strong<dyn IKeystoreSecurityLevel>,
698 domain: Domain,
699 nspace: i64,
700 alias: Option<String>,
701 import_params: AuthSetBuilder,
702) -> binder::Result<KeyMetadata> {
703 let key_metadata = sec_level
704 .importKey(
705 &KeyDescriptor { domain, nspace, alias, blob: None },
706 None,
707 &import_params,
708 0,
709 RSA_2048_KEY,
710 )
711 .unwrap();
712
713 assert!(key_metadata.certificate.is_some());
714 assert!(key_metadata.certificateChain.is_none());
715
716 assert!(check_key_param(
717 &key_metadata.authorizations,
718 KeyParameter { tag: Tag::ALGORITHM, value: KeyParameterValue::Algorithm(Algorithm::RSA) }
719 ));
720
721 assert!(check_key_param(
722 &key_metadata.authorizations,
723 KeyParameter { tag: Tag::KEY_SIZE, value: KeyParameterValue::Integer(2048) }
724 ));
725
726 assert!(check_key_param(
727 &key_metadata.authorizations,
728 KeyParameter { tag: Tag::DIGEST, value: KeyParameterValue::Digest(Digest::SHA_2_256) }
729 ));
730
731 assert!(check_key_param(
732 &key_metadata.authorizations,
733 KeyParameter {
734 tag: Tag::RSA_PUBLIC_EXPONENT,
735 value: KeyParameterValue::LongInteger(65537)
736 }
737 ));
738
739 assert!(check_key_param(
740 &key_metadata.authorizations,
741 KeyParameter {
742 tag: Tag::PADDING,
743 value: KeyParameterValue::PaddingMode(PaddingMode::RSA_PSS)
744 }
745 ));
746
747 assert!(check_key_param(
748 &key_metadata.authorizations,
749 KeyParameter { tag: Tag::ORIGIN, value: KeyParameterValue::Origin(KeyOrigin::IMPORTED) }
750 ));
751
752 Ok(key_metadata)
753}
754
755/// Imports above defined EC key - `EC_P_256_KEY` and validates imported key parameters.
756pub fn import_ec_p_256_key(
757 sec_level: &binder::Strong<dyn IKeystoreSecurityLevel>,
758 domain: Domain,
759 nspace: i64,
760 alias: Option<String>,
761 import_params: AuthSetBuilder,
762) -> binder::Result<KeyMetadata> {
763 let key_metadata = sec_level
764 .importKey(
765 &KeyDescriptor { domain, nspace, alias, blob: None },
766 None,
767 &import_params,
768 0,
769 EC_P_256_KEY,
770 )
771 .unwrap();
772
773 assert!(key_metadata.certificate.is_some());
774 assert!(key_metadata.certificateChain.is_none());
775
776 assert!(check_key_param(
777 &key_metadata.authorizations,
778 KeyParameter { tag: Tag::ALGORITHM, value: KeyParameterValue::Algorithm(Algorithm::EC) }
779 ));
780
781 assert!(check_key_param(
782 &key_metadata.authorizations,
783 KeyParameter { tag: Tag::EC_CURVE, value: KeyParameterValue::EcCurve(EcCurve::P_256) }
784 ));
785
786 assert!(check_key_param(
787 &key_metadata.authorizations,
788 KeyParameter { tag: Tag::DIGEST, value: KeyParameterValue::Digest(Digest::SHA_2_256) }
789 ));
790 assert!(check_key_param(
791 &key_metadata.authorizations,
792 KeyParameter { tag: Tag::ORIGIN, value: KeyParameterValue::Origin(KeyOrigin::IMPORTED) }
793 ));
794
795 Ok(key_metadata)
796}
797
798/// Import sample AES key and validate its key parameters.
799pub fn import_aes_key(
800 sec_level: &binder::Strong<dyn IKeystoreSecurityLevel>,
801 domain: Domain,
802 nspace: i64,
803 alias: Option<String>,
804) -> binder::Result<KeyMetadata> {
805 static AES_KEY: &[u8] = &[0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0];
806 let key_size = AES_KEY.len() * 8;
807
808 let import_params = AuthSetBuilder::new()
809 .no_auth_required()
810 .algorithm(Algorithm::AES)
811 .block_mode(BlockMode::ECB)
812 .key_size(key_size.try_into().unwrap())
813 .purpose(KeyPurpose::ENCRYPT)
814 .purpose(KeyPurpose::DECRYPT)
815 .padding_mode(PaddingMode::PKCS7);
816
817 let key_metadata = sec_level.importKey(
818 &KeyDescriptor { domain, nspace, alias, blob: None },
819 None,
820 &import_params,
821 0,
822 AES_KEY,
823 )?;
824
825 assert!(check_key_param(
826 &key_metadata.authorizations,
827 KeyParameter { tag: Tag::ALGORITHM, value: KeyParameterValue::Algorithm(Algorithm::AES) }
828 ));
829 assert!(check_key_param(
830 &key_metadata.authorizations,
831 KeyParameter { tag: Tag::KEY_SIZE, value: KeyParameterValue::Integer(128) }
832 ));
833 assert!(check_key_param(
834 &key_metadata.authorizations,
835 KeyParameter {
836 tag: Tag::PADDING,
837 value: KeyParameterValue::PaddingMode(PaddingMode::PKCS7)
838 }
839 ));
840 assert!(check_key_param(
841 &key_metadata.authorizations,
842 KeyParameter { tag: Tag::BLOCK_MODE, value: KeyParameterValue::BlockMode(BlockMode::ECB) }
843 ));
844 assert!(check_key_param(
845 &key_metadata.authorizations,
846 KeyParameter { tag: Tag::ORIGIN, value: KeyParameterValue::Origin(KeyOrigin::IMPORTED) }
847 ));
848
849 Ok(key_metadata)
850}
851
852/// Import sample 3DES key and validate its key parameters.
853pub fn import_3des_key(
854 sec_level: &binder::Strong<dyn IKeystoreSecurityLevel>,
855 domain: Domain,
856 nspace: i64,
857 alias: Option<String>,
858) -> binder::Result<KeyMetadata> {
859 static TRIPLE_DES_KEY: &[u8] = &[
860 0xa4, 0x9d, 0x75, 0x64, 0x19, 0x9e, 0x97, 0xcb, 0x52, 0x9d, 0x2c, 0x9d, 0x97, 0xbf, 0x2f,
861 0x98, 0xd3, 0x5e, 0xdf, 0x57, 0xba, 0x1f, 0x73, 0x58,
862 ];
863
864 let import_params = AuthSetBuilder::new()
865 .no_auth_required()
866 .algorithm(Algorithm::TRIPLE_DES)
867 .block_mode(BlockMode::ECB)
868 .key_size(168)
869 .purpose(KeyPurpose::ENCRYPT)
870 .purpose(KeyPurpose::DECRYPT)
871 .padding_mode(PaddingMode::PKCS7);
872
873 let key_metadata = sec_level.importKey(
874 &KeyDescriptor { domain, nspace, alias, blob: None },
875 None,
876 &import_params,
877 0,
878 TRIPLE_DES_KEY,
879 )?;
880
881 assert!(check_key_param(
882 &key_metadata.authorizations,
883 KeyParameter {
884 tag: Tag::ALGORITHM,
885 value: KeyParameterValue::Algorithm(Algorithm::TRIPLE_DES)
886 }
887 ));
888 assert!(check_key_param(
889 &key_metadata.authorizations,
890 KeyParameter { tag: Tag::KEY_SIZE, value: KeyParameterValue::Integer(168) }
891 ));
892 assert!(check_key_param(
893 &key_metadata.authorizations,
894 KeyParameter {
895 tag: Tag::PADDING,
896 value: KeyParameterValue::PaddingMode(PaddingMode::PKCS7)
897 }
898 ));
899 assert!(check_key_param(
900 &key_metadata.authorizations,
901 KeyParameter { tag: Tag::BLOCK_MODE, value: KeyParameterValue::BlockMode(BlockMode::ECB) }
902 ));
903 assert!(check_key_param(
904 &key_metadata.authorizations,
905 KeyParameter { tag: Tag::ORIGIN, value: KeyParameterValue::Origin(KeyOrigin::IMPORTED) }
906 ));
907
908 Ok(key_metadata)
909}
910
911/// Import sample HMAC key and validate its key parameters.
912pub fn import_hmac_key(
913 sec_level: &binder::Strong<dyn IKeystoreSecurityLevel>,
914 domain: Domain,
915 nspace: i64,
916 alias: Option<String>,
917) -> binder::Result<KeyMetadata> {
918 static HMAC_KEY: &[u8] = &[0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0];
919 let key_size = HMAC_KEY.len() * 8;
920
921 let import_params = AuthSetBuilder::new()
922 .no_auth_required()
923 .algorithm(Algorithm::HMAC)
924 .key_size(key_size.try_into().unwrap())
925 .purpose(KeyPurpose::SIGN)
926 .purpose(KeyPurpose::VERIFY)
927 .digest(Digest::SHA_2_256)
928 .min_mac_length(256);
929
930 let key_metadata = sec_level.importKey(
931 &KeyDescriptor { domain, nspace, alias, blob: None },
932 None,
933 &import_params,
934 0,
935 HMAC_KEY,
936 )?;
937
938 assert!(check_key_param(
939 &key_metadata.authorizations,
940 KeyParameter { tag: Tag::ALGORITHM, value: KeyParameterValue::Algorithm(Algorithm::HMAC) }
941 ));
942 assert!(check_key_param(
943 &key_metadata.authorizations,
944 KeyParameter { tag: Tag::KEY_SIZE, value: KeyParameterValue::Integer(128) }
945 ));
946 assert!(check_key_param(
947 &key_metadata.authorizations,
948 KeyParameter { tag: Tag::DIGEST, value: KeyParameterValue::Digest(Digest::SHA_2_256) }
949 ));
950 assert!(check_key_param(
951 &key_metadata.authorizations,
952 KeyParameter { tag: Tag::ORIGIN, value: KeyParameterValue::Origin(KeyOrigin::IMPORTED) }
953 ));
954
955 Ok(key_metadata)
956}
Rajesh Nyamagoudc946cc42022-04-12 22:49:11 +0000[diff] [blame]957
958/// Imports RSA encryption key with WRAP_KEY purpose.
959pub fn import_wrapping_key(
960 sec_level: &binder::Strong<dyn IKeystoreSecurityLevel>,
961 wrapping_key_data: &[u8],
962 wrapping_key_alias: Option<String>,
963) -> binder::Result<KeyMetadata> {
964 let wrapping_key_params = AuthSetBuilder::new()
965 .no_auth_required()
966 .algorithm(Algorithm::RSA)
967 .digest(Digest::SHA_2_256)
968 .purpose(KeyPurpose::ENCRYPT)
969 .purpose(KeyPurpose::DECRYPT)
970 .purpose(KeyPurpose::WRAP_KEY)
971 .padding_mode(PaddingMode::RSA_OAEP)
972 .key_size(2048)
973 .rsa_public_exponent(65537)
974 .cert_not_before(0)
975 .cert_not_after(253402300799000);
976
977 sec_level.importKey(
978 &KeyDescriptor { domain: Domain::APP, nspace: -1, alias: wrapping_key_alias, blob: None },
979 None,
980 &wrapping_key_params,
981 0,
982 wrapping_key_data,
983 )
984}
985
986/// Import wrapped key using given wrapping key.
987pub fn import_wrapped_key(
988 sec_level: &binder::Strong<dyn IKeystoreSecurityLevel>,
989 alias: Option<String>,
990 wrapping_key_metadata: &KeyMetadata,
991 wrapped_key: Option<Vec<u8>>,
992) -> binder::Result<KeyMetadata> {
993 let unwrap_params =
994 AuthSetBuilder::new().digest(Digest::SHA_2_256).padding_mode(PaddingMode::RSA_OAEP);
995
996 let authenticator_spec: &[AuthenticatorSpec] = &[AuthenticatorSpec {
997 authenticatorType: HardwareAuthenticatorType::NONE,
998 authenticatorId: 0,
999 }];
1000
1001 let key_metadata = sec_level.importWrappedKey(
1002 &KeyDescriptor { domain: Domain::APP, nspace: -1, alias, blob: wrapped_key },
1003 &wrapping_key_metadata.key,
1004 None,
1005 &unwrap_params,
1006 authenticator_spec,
1007 )?;
1008
1009 Ok(key_metadata)
1010}
1011
1012/// Import wrapping key and then import wrapped key using wrapping key.
1013pub fn import_wrapping_key_and_wrapped_key(
1014 sec_level: &binder::Strong<dyn IKeystoreSecurityLevel>,
1015 domain: Domain,
1016 nspace: i64,
1017 alias: Option<String>,
1018 wrapping_key_alias: Option<String>,
1019 wrapping_key_params: AuthSetBuilder,
1020) -> binder::Result<KeyMetadata> {
1021 let wrapping_key_metadata = sec_level.importKey(
1022 &KeyDescriptor { domain, nspace, alias: wrapping_key_alias, blob: None },
1023 None,
1024 &wrapping_key_params,
1025 0,
1026 WRAPPING_KEY,
1027 )?;
1028
1029 import_wrapped_key(sec_level, alias, &wrapping_key_metadata, Some(WRAPPED_KEY.to_vec()))
1030}
1031
1032/// Import given key material as AES-256-GCM-NONE transport key.
1033pub fn import_transport_key(
1034 sec_level: &binder::Strong<dyn IKeystoreSecurityLevel>,
1035 transport_key_alias: Option<String>,
1036 transport_key: &[u8],
1037) -> binder::Result<KeyMetadata> {
1038 let transport_key_params = AuthSetBuilder::new()
1039 .no_auth_required()
1040 .algorithm(Algorithm::AES)
1041 .block_mode(BlockMode::GCM)
1042 .padding_mode(PaddingMode::NONE)
1043 .key_size(256)
1044 .caller_nonce()
1045 .min_mac_length(128)
1046 .purpose(KeyPurpose::ENCRYPT)
1047 .purpose(KeyPurpose::DECRYPT);
1048
1049 sec_level.importKey(
1050 &KeyDescriptor { domain: Domain::APP, nspace: -1, alias: transport_key_alias, blob: None },
1051 None,
1052 &transport_key_params,
1053 0,
1054 transport_key,
1055 )
1056}
Rajesh Nyamagoudaf050562022-11-11 01:56:45 +0000[diff] [blame]1057
1058/// Generate EC key with purpose AGREE_KEY.
1059pub fn generate_ec_agree_key(
1060 sec_level: &binder::Strong<dyn IKeystoreSecurityLevel>,
1061 ec_curve: EcCurve,
1062 digest: Digest,
1063 domain: Domain,
1064 nspace: i64,
1065 alias: Option<String>,
1066) -> binder::Result<KeyMetadata> {
1067 let gen_params = AuthSetBuilder::new()
1068 .no_auth_required()
1069 .algorithm(Algorithm::EC)
1070 .purpose(KeyPurpose::AGREE_KEY)
1071 .digest(digest)
1072 .ec_curve(ec_curve);
1073
1074 match sec_level.generateKey(
1075 &KeyDescriptor { domain, nspace, alias, blob: None },
1076 None,
1077 &gen_params,
1078 0,
1079 b"entropy",
1080 ) {
1081 Ok(key_metadata) => {
1082 assert!(key_metadata.certificate.is_some());
1083 if domain == Domain::BLOB {
1084 assert!(key_metadata.key.blob.is_some());
1085 }
1086
1087 Ok(key_metadata)
1088 }
1089 Err(e) => Err(e),
1090 }
1091}
Rajesh Nyamagoud6a823492023-04-07 02:47:27 +0000[diff] [blame]1092
1093/// Helper method to import AES keys `total_count` of times.
1094pub fn import_aes_keys(
1095 sec_level: &binder::Strong<dyn IKeystoreSecurityLevel>,
1096 alias_prefix: String,
1097 total_count: Range<i32>,
1098) -> binder::Result<HashSet<String>> {
1099 let mut imported_key_aliases = HashSet::new();
1100
1101 // Import Total number of keys with given alias prefix.
1102 for count in total_count {
1103 let mut alias = String::new();
1104 write!(alias, "{}_{}", alias_prefix, count).unwrap();
1105 imported_key_aliases.insert(alias.clone());
1106
1107 import_aes_key(sec_level, Domain::APP, -1, Some(alias))?;
1108 }
1109
1110 Ok(imported_key_aliases)
1111}