Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_security / a42dee61cefd6083648face2d7fb56ffba0f60dd / . / keystore2 / test_utils / key_generations.rs
blob: 0a1ffb1ff4659ff275c14951dd0a306ac72638d6 [file] [log] [blame]
Rajesh Nyamagoud901386c2022-03-21 20:35:18 +0000[diff] [blame]1// Copyright 2022, The Android Open Source Project
2//
3// Licensed under the Apache License, Version 2.0 (the "License");
4// you may not use this file except in compliance with the License.
5// You may obtain a copy of the License at
6//
7// http://www.apache.org/licenses/LICENSE-2.0
8//
9// Unless required by applicable law or agreed to in writing, software
10// distributed under the License is distributed on an "AS IS" BASIS,
11// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12// See the License for the specific language governing permissions and
13// limitations under the License.
14
15//! This module implements test utils to generate various types of keys.
16
Rajesh Nyamagoudb881d512021-12-10 00:33:15 +0000[diff] [blame]17use anyhow::Result;
18
Rajesh Nyamagoud6a823492023-04-07 02:47:27 +0000[diff] [blame]19use core::ops::Range;
20use std::collections::HashSet;
21use std::fmt::Write;
22
Rajesh Nyamagoud901386c2022-03-21 20:35:18 +0000[diff] [blame]23use android_hardware_security_keymint::aidl::android::hardware::security::keymint::{
Rajesh Nyamagoud11912ea2021-12-20 20:37:20 +0000[diff] [blame]24 Algorithm::Algorithm, BlockMode::BlockMode, Digest::Digest, EcCurve::EcCurve,
Rajesh Nyamagoudc946cc42022-04-12 22:49:11 +0000[diff] [blame]25 ErrorCode::ErrorCode, HardwareAuthenticatorType::HardwareAuthenticatorType,
26 KeyOrigin::KeyOrigin, KeyParameter::KeyParameter, KeyParameterValue::KeyParameterValue,
27 KeyPurpose::KeyPurpose, PaddingMode::PaddingMode, Tag::Tag,
Rajesh Nyamagoud901386c2022-03-21 20:35:18 +0000[diff] [blame]28};
29use android_system_keystore2::aidl::android::system::keystore2::{
Rajesh Nyamagoudc946cc42022-04-12 22:49:11 +0000[diff] [blame]30 AuthenticatorSpec::AuthenticatorSpec, Authorization::Authorization, Domain::Domain,
31 IKeystoreSecurityLevel::IKeystoreSecurityLevel, KeyDescriptor::KeyDescriptor,
32 KeyMetadata::KeyMetadata, ResponseCode::ResponseCode,
Rajesh Nyamagoud901386c2022-03-21 20:35:18 +0000[diff] [blame]33};
34
35use crate::authorizations::AuthSetBuilder;
Rajesh Nyamagoudb881d512021-12-10 00:33:15 +0000[diff] [blame]36use android_system_keystore2::binder::{ExceptionCode, Result as BinderResult};
Rajesh Nyamagoud901386c2022-03-21 20:35:18 +0000[diff] [blame]37
Rajesh Nyamagoudb881d512021-12-10 00:33:15 +0000[diff] [blame]38/// Shell namespace.
39pub const SELINUX_SHELL_NAMESPACE: i64 = 1;
Rajesh Nyamagouddc6fb232021-12-08 21:27:15 +0000[diff] [blame]40/// Vold namespace.
41pub const SELINUX_VOLD_NAMESPACE: i64 = 100;
Rajesh Nyamagoud901386c2022-03-21 20:35:18 +0000[diff] [blame]42
Rajesh Nyamagoudfa7c0f12021-12-02 17:15:48 +0000[diff] [blame]43/// SU context.
44pub const TARGET_SU_CTX: &str = "u:r:su:s0";
45
46/// Vold context
47pub const TARGET_VOLD_CTX: &str = "u:r:vold:s0";
48
Rajesh Nyamagoud11912ea2021-12-20 20:37:20 +0000[diff] [blame]49/// Key parameters to generate a key.
50pub struct KeyParams {
51 /// Key Size.
52 pub key_size: i32,
53 /// Key Purposes.
54 pub purpose: Vec<KeyPurpose>,
55 /// Padding Mode.
56 pub padding: Option<PaddingMode>,
57 /// Digest.
58 pub digest: Option<Digest>,
59 /// MFG Digest.
60 pub mgf_digest: Option<Digest>,
61 /// Block Mode.
62 pub block_mode: Option<BlockMode>,
63 /// Attestation challenge.
64 pub att_challenge: Option<Vec<u8>>,
Rajesh Nyamagoud11912ea2021-12-20 20:37:20 +0000[diff] [blame]65}
66
Rajesh Nyamagoudb8402b62022-04-08 01:05:47 +0000[diff] [blame]67/// DER-encoded PKCS#8 format RSA key. Generated using:
68/// openssl genrsa 2048 | openssl pkcs8 -topk8 -nocrypt -outform der | hexdump -e '30/1 "%02X" "\n"'
69pub static RSA_2048_KEY: &[u8] = &[
70 0x30, 0x82, 0x04, 0xBD, 0x02, 0x01, 0x00, 0x30, 0x0D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7,
71 0x0D, 0x01, 0x01, 0x01, 0x05, 0x00, 0x04, 0x82, 0x04, 0xA7, 0x30, 0x82, 0x04, 0xA3, 0x02, 0x01,
72 0x00, 0x02, 0x82, 0x01, 0x01, 0x00, 0xE5, 0x14, 0xE3, 0xC2, 0x43, 0xF3, 0x0F, 0xCC, 0x22, 0x73,
73 0x9C, 0x84, 0xCC, 0x1B, 0x6C, 0x97, 0x4B, 0xC9, 0xDF, 0x1F, 0xE2, 0xB8, 0x80, 0x85, 0xF9, 0x27,
74 0xAB, 0x97, 0x94, 0x58, 0x4B, 0xC9, 0x40, 0x94, 0x5A, 0xB4, 0xD4, 0xF8, 0xD0, 0x36, 0xC4, 0x86,
75 0x17, 0x7D, 0xA2, 0x48, 0x6D, 0x40, 0xF0, 0xB9, 0x61, 0x4F, 0xCE, 0x65, 0x80, 0x88, 0x81, 0x59,
76 0x95, 0x11, 0x24, 0xF4, 0x36, 0xB7, 0xB7, 0x37, 0x44, 0xF4, 0x6C, 0x1C, 0xEB, 0x04, 0x19, 0x78,
77 0xB2, 0x29, 0x4D, 0x21, 0x44, 0x16, 0x57, 0x58, 0x6D, 0x7D, 0x56, 0xB5, 0x99, 0xDD, 0xD2, 0xAD,
78 0x02, 0x9A, 0x72, 0x16, 0x67, 0xD6, 0x00, 0x9F, 0x69, 0xE0, 0x25, 0xEE, 0x7C, 0x86, 0x54, 0x27,
79 0x4B, 0x50, 0xEF, 0x60, 0x52, 0x60, 0x82, 0xAA, 0x09, 0x15, 0x72, 0xD2, 0xEB, 0x01, 0x52, 0x04,
80 0x39, 0x60, 0xBC, 0x5E, 0x95, 0x07, 0xC8, 0xC2, 0x3A, 0x3A, 0xE2, 0xA4, 0x99, 0x6B, 0x27, 0xE3,
81 0xA3, 0x55, 0x69, 0xC4, 0xB3, 0x2D, 0x19, 0xC4, 0x34, 0x76, 0xFC, 0x27, 0xDA, 0x22, 0xB2, 0x62,
82 0x69, 0x25, 0xDE, 0x0D, 0xE7, 0x54, 0x3C, 0xBB, 0x61, 0xD2, 0x20, 0xDA, 0x7B, 0x6E, 0x63, 0xBD,
83 0x9A, 0x4B, 0xCD, 0x75, 0xC6, 0xA1, 0x5E, 0x1C, 0x3E, 0xD5, 0x63, 0x59, 0x22, 0x7E, 0xE0, 0x6C,
84 0x98, 0x25, 0x63, 0x97, 0x56, 0xDF, 0x71, 0xF5, 0x4C, 0x78, 0xE9, 0xE1, 0xD5, 0xFC, 0xF8, 0x5A,
85 0x5B, 0xF6, 0x1D, 0xFA, 0x5A, 0x99, 0x4C, 0x99, 0x19, 0x21, 0x1D, 0xF5, 0x24, 0x07, 0xEF, 0x8A,
86 0xC9, 0x9F, 0xE7, 0x3F, 0xBB, 0x46, 0x1A, 0x16, 0x96, 0xC6, 0xD6, 0x12, 0x7E, 0xDA, 0xCB, 0xEB,
87 0x2F, 0x1D, 0x3B, 0x31, 0xCC, 0x55, 0x63, 0xA2, 0x6F, 0x8A, 0xDE, 0x35, 0x52, 0x40, 0x04, 0xBF,
88 0xE0, 0x82, 0x32, 0xE1, 0x6D, 0x8B, 0x02, 0x03, 0x01, 0x00, 0x01, 0x02, 0x82, 0x01, 0x00, 0x2D,
89 0x1F, 0x71, 0x41, 0x79, 0xBA, 0xED, 0xD8, 0xAA, 0xCC, 0x94, 0xFE, 0xFF, 0x69, 0x43, 0x79, 0x85,
90 0xBF, 0x2C, 0xC9, 0x0E, 0x12, 0x83, 0x96, 0x60, 0x1E, 0x75, 0x49, 0x35, 0x3A, 0x33, 0x2B, 0x60,
91 0x22, 0x18, 0xBF, 0xD7, 0xD7, 0x6E, 0xC3, 0xEA, 0xEF, 0xF2, 0xBE, 0x97, 0x71, 0xA6, 0xBB, 0x8C,
92 0xEF, 0x27, 0x00, 0xDE, 0x49, 0xD6, 0x08, 0x8D, 0x5A, 0x04, 0xE7, 0xCC, 0x9C, 0xA2, 0x0E, 0x8B,
93 0xF3, 0x42, 0x0C, 0xD7, 0x22, 0xD7, 0x14, 0x06, 0xA4, 0x64, 0x8B, 0x88, 0x1A, 0xCE, 0x5B, 0x8C,
94 0x36, 0xE9, 0xD2, 0x2F, 0x7B, 0x33, 0xE4, 0xA2, 0xB3, 0xDB, 0x78, 0x6A, 0x92, 0x89, 0x3F, 0x78,
95 0xFD, 0xED, 0x8F, 0xEE, 0x48, 0xCC, 0x94, 0x75, 0x0D, 0x0C, 0x63, 0xD3, 0xD2, 0xE8, 0x47, 0x04,
96 0x55, 0xD3, 0xD6, 0x3A, 0xB8, 0xDA, 0xFB, 0x76, 0x99, 0x48, 0x68, 0x0A, 0x92, 0xA2, 0xCD, 0xF7,
97 0x45, 0x8B, 0x50, 0xFE, 0xF9, 0x1A, 0x33, 0x24, 0x3C, 0x2E, 0xDE, 0x88, 0xAD, 0xB2, 0x5B, 0x9F,
98 0x44, 0xEA, 0xD1, 0x9F, 0xC7, 0x9F, 0x02, 0x5E, 0x31, 0x61, 0xB3, 0xD6, 0xE2, 0xE1, 0xBC, 0xFB,
99 0x1C, 0xDB, 0xBD, 0xB2, 0x9A, 0xE5, 0xEF, 0xDA, 0xCD, 0x29, 0xA5, 0x45, 0xCC, 0x67, 0x01, 0x8B,
100 0x1C, 0x1D, 0x0E, 0x8F, 0x73, 0x69, 0x4D, 0x4D, 0xF6, 0x9D, 0xA6, 0x6C, 0x9A, 0x1C, 0xF4, 0x5C,
101 0xE4, 0x83, 0x9A, 0x77, 0x12, 0x01, 0xBD, 0xCE, 0x66, 0x3A, 0x4B, 0x3D, 0x6E, 0xE0, 0x6E, 0x82,
102 0x98, 0xDE, 0x74, 0x11, 0x47, 0xEC, 0x7A, 0x3A, 0xA9, 0xD8, 0x48, 0x00, 0x26, 0x64, 0x47, 0x7B,
103 0xAE, 0x55, 0x9D, 0x29, 0x22, 0xB4, 0xB3, 0xB9, 0xB1, 0x64, 0xEA, 0x3B, 0x5A, 0xD3, 0x3F, 0x8D,
104 0x0F, 0x14, 0x7E, 0x4E, 0xB8, 0x1B, 0x06, 0xFC, 0xB1, 0x7E, 0xCD, 0xB9, 0x1A, 0x4E, 0xA1, 0x02,
105 0x81, 0x81, 0x00, 0xF9, 0xDE, 0xEE, 0xED, 0x13, 0x2F, 0xBB, 0xE7, 0xE2, 0xB3, 0x2D, 0x98, 0xD2,
106 0xE8, 0x25, 0x07, 0x5A, 0x1E, 0x51, 0x0A, 0xC8, 0xAD, 0x50, 0x4B, 0x80, 0xC6, 0x22, 0xF5, 0x9B,
107 0x08, 0xE6, 0x3D, 0x01, 0xC6, 0x3E, 0xC8, 0xD2, 0x54, 0x9F, 0x91, 0x77, 0x95, 0xCD, 0xCA, 0xC7,
108 0xE7, 0x47, 0x94, 0xA9, 0x5F, 0x4E, 0xBE, 0x31, 0x3D, 0xB4, 0xAF, 0x43, 0x0F, 0xDC, 0x8D, 0x9C,
109 0x1E, 0x52, 0x7B, 0x72, 0x21, 0x34, 0xB3, 0x96, 0x7C, 0x9C, 0xB8, 0x51, 0x65, 0x60, 0xAC, 0x3D,
110 0x11, 0x32, 0xB8, 0xD6, 0x34, 0x35, 0x66, 0xD0, 0x30, 0xB9, 0xE9, 0x67, 0x2C, 0x87, 0x73, 0x43,
111 0x9C, 0x12, 0x16, 0x7D, 0x4A, 0xD9, 0xA3, 0x4C, 0x24, 0x64, 0x6A, 0x32, 0x8E, 0xC3, 0xD8, 0x00,
112 0x90, 0x5C, 0x4D, 0x65, 0x01, 0x53, 0x8A, 0xD0, 0x87, 0xCE, 0x96, 0xEF, 0xFA, 0x73, 0x03, 0xF1,
113 0xDC, 0x1B, 0x9B, 0x02, 0x81, 0x81, 0x00, 0xEA, 0xB3, 0x69, 0x00, 0x11, 0x0E, 0x50, 0xAA, 0xD3,
114 0x22, 0x51, 0x78, 0x9D, 0xFF, 0x05, 0x62, 0xBC, 0x9A, 0x67, 0x86, 0xE1, 0xC5, 0x02, 0x2D, 0x14,
115 0x11, 0x29, 0x30, 0xE7, 0x90, 0x5D, 0x72, 0x6F, 0xC5, 0x62, 0xEB, 0xD4, 0xB0, 0x3F, 0x3D, 0xDC,
116 0xB9, 0xFC, 0x2B, 0x5C, 0xBD, 0x9E, 0x71, 0x81, 0x5C, 0xC5, 0xFE, 0xDF, 0x69, 0x73, 0x12, 0x66,
117 0x92, 0x06, 0xD4, 0xD5, 0x8F, 0xDF, 0x14, 0x2E, 0x9C, 0xD0, 0x4C, 0xC2, 0x4D, 0x31, 0x2E, 0x47,
118 0xA5, 0xDC, 0x8A, 0x83, 0x7B, 0xE8, 0xA5, 0xC3, 0x03, 0x98, 0xD8, 0xBF, 0xF4, 0x7D, 0x6E, 0x87,
119 0x55, 0xE4, 0x0F, 0x15, 0x10, 0xC8, 0x76, 0x4F, 0xAD, 0x1D, 0x1C, 0x95, 0x41, 0x9D, 0x88, 0xEC,
120 0x8C, 0xDA, 0xBA, 0x90, 0x7F, 0x8D, 0xD9, 0x8B, 0x47, 0x6C, 0x0C, 0xFF, 0xBA, 0x73, 0x00, 0x20,
121 0x1F, 0xF7, 0x7E, 0x5F, 0xF4, 0xEC, 0xD1, 0x02, 0x81, 0x80, 0x16, 0xB7, 0x43, 0xB5, 0x5D, 0xD7,
122 0x2B, 0x18, 0x0B, 0xAE, 0x0A, 0x69, 0x28, 0x53, 0x5E, 0x7A, 0x6A, 0xA0, 0xF2, 0xF1, 0x2E, 0x09,
123 0x43, 0x91, 0x79, 0xA5, 0x89, 0xAC, 0x16, 0x6A, 0x1A, 0xB4, 0x55, 0x22, 0xF6, 0xB6, 0x3F, 0x18,
124 0xDE, 0x60, 0xD5, 0x24, 0x53, 0x4F, 0x2A, 0x19, 0x46, 0x92, 0xA7, 0x4B, 0x38, 0xD7, 0x65, 0x96,
125 0x9C, 0x84, 0x8A, 0x6E, 0x38, 0xB8, 0xCF, 0x06, 0x9A, 0xAD, 0x0A, 0x55, 0x26, 0x7B, 0x65, 0x24,
126 0xF3, 0x02, 0x76, 0xB3, 0xE6, 0xB4, 0x01, 0xE1, 0x3C, 0x61, 0x3D, 0x68, 0x05, 0xAA, 0xD1, 0x26,
127 0x7C, 0xE0, 0x51, 0x36, 0xE5, 0x21, 0x7F, 0x76, 0x02, 0xD6, 0xF4, 0x91, 0x07, 0x74, 0x27, 0x09,
128 0xEF, 0xEF, 0x0F, 0xA5, 0x96, 0xFC, 0x5E, 0x20, 0xC1, 0xA3, 0x6F, 0x99, 0x4D, 0x45, 0x03, 0x6C,
129 0x35, 0x45, 0xD7, 0x8F, 0x47, 0x41, 0x86, 0x8D, 0x62, 0x1D, 0x02, 0x81, 0x81, 0x00, 0xC3, 0x93,
130 0x85, 0xA7, 0xFC, 0x8E, 0x85, 0x42, 0x14, 0x76, 0xC0, 0x95, 0x56, 0x73, 0xB0, 0xB5, 0x3A, 0x9D,
131 0x20, 0x30, 0x11, 0xEA, 0xED, 0x89, 0x4A, 0xF3, 0x91, 0xF3, 0xA2, 0xC3, 0x76, 0x5B, 0x6A, 0x30,
132 0x7D, 0xE2, 0x2F, 0x76, 0x3E, 0xFC, 0xF9, 0xF6, 0x31, 0xE0, 0xA0, 0x83, 0x92, 0x88, 0xDB, 0x57,
133 0xC7, 0xD6, 0x3F, 0xAD, 0xCB, 0xAA, 0x45, 0xB6, 0xE1, 0xE2, 0x71, 0xA4, 0x56, 0x2C, 0xA7, 0x3B,
134 0x1D, 0x89, 0x19, 0x50, 0xE1, 0xEE, 0xC2, 0xDD, 0xC0, 0x0D, 0xDC, 0xCB, 0x60, 0x6E, 0xE1, 0x37,
135 0x1A, 0x23, 0x64, 0xB2, 0x03, 0xE4, 0x1A, 0xFA, 0xC3, 0xF4, 0x9D, 0x85, 0x42, 0xC6, 0xF4, 0x56,
136 0x39, 0xB0, 0x1B, 0xE0, 0x75, 0xBA, 0x28, 0x04, 0xA8, 0x30, 0x57, 0x41, 0x33, 0x9F, 0x58, 0xA4,
137 0xC7, 0xB1, 0x7D, 0x58, 0x8D, 0x84, 0x49, 0x40, 0xDA, 0x28, 0x81, 0x25, 0xC4, 0x41, 0x02, 0x81,
138 0x80, 0x13, 0x20, 0x65, 0xD5, 0x96, 0x98, 0x8D, 0x16, 0x73, 0xA1, 0x31, 0x73, 0x79, 0xBA, 0xEC,
139 0xB0, 0xD9, 0x0C, 0xF6, 0xEF, 0x2F, 0xC2, 0xE7, 0x96, 0x9B, 0xA1, 0x2D, 0xE9, 0xFB, 0x45, 0xB9,
140 0xD0, 0x30, 0xE2, 0xBD, 0x30, 0x4F, 0xB6, 0xFE, 0x24, 0x02, 0xCF, 0x8D, 0x51, 0x48, 0x45, 0xD9,
141 0xF7, 0x20, 0x53, 0x1C, 0x0B, 0xA9, 0x7E, 0xC2, 0xA2, 0x65, 0xCC, 0x3E, 0x0E, 0x0D, 0xF1, 0x62,
142 0xDD, 0x5F, 0xBC, 0x55, 0x9B, 0x58, 0x26, 0x40, 0x6A, 0xEE, 0x02, 0x55, 0x36, 0xE9, 0xBA, 0x82,
143 0x5A, 0xFD, 0x3C, 0xDF, 0xA6, 0x26, 0x32, 0x81, 0xA9, 0x5E, 0x46, 0xBE, 0xBA, 0xDC, 0xD3, 0x2A,
144 0x3A, 0x3B, 0xC1, 0x4E, 0xF7, 0x1A, 0xDC, 0x4B, 0xAF, 0x67, 0x1B, 0x3A, 0x83, 0x0D, 0x04, 0xDE,
145 0x27, 0x47, 0xFC, 0xE6, 0x39, 0x89, 0x7B, 0x66, 0xF9, 0x50, 0x4D, 0xF1, 0xAC, 0x20, 0x43, 0x7E,
146 0xEE,
147];
148
149/// DER-encoded PKCS#8 format EC key. Generated using:
150/// openssl ecparam -name prime256v1 -genkey | openssl pkcs8 -topk8 -nocrypt -outform der | hexdump -e '30/1 "%02X" "\n"'
151pub static EC_P_256_KEY: &[u8] = &[
152 0x30, 0x81, 0x87, 0x02, 0x01, 0x00, 0x30, 0x13, 0x06, 0x07, 0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x02,
153 0x01, 0x06, 0x08, 0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x03, 0x01, 0x07, 0x04, 0x6D, 0x30, 0x6B, 0x02,
154 0x01, 0x01, 0x04, 0x20, 0xB9, 0x1D, 0xAF, 0x50, 0xFD, 0xD8, 0x6A, 0x40, 0xAB, 0x2C, 0xCB, 0x54,
155 0x4E, 0xED, 0xF1, 0x64, 0xBC, 0x30, 0x25, 0xFB, 0xC4, 0x69, 0x00, 0x34, 0x1A, 0x82, 0xA3, 0x72,
156 0x5D, 0xC7, 0xA9, 0x85, 0xA1, 0x44, 0x03, 0x42, 0x00, 0x04, 0xE8, 0x53, 0x0A, 0xF2, 0xD3, 0x68,
157 0x40, 0x48, 0x8C, 0xB4, 0x2F, 0x11, 0x34, 0xD7, 0xF4, 0x4A, 0x5C, 0x33, 0xFF, 0xF6, 0x2B, 0xF7,
158 0x98, 0x0F, 0x02, 0xA5, 0xD7, 0x4F, 0xF9, 0xDE, 0x60, 0x9C, 0x6E, 0xB0, 0x45, 0xDA, 0x3F, 0xF4,
159 0x34, 0x23, 0x9B, 0x4C, 0x3A, 0x09, 0x9C, 0x5E, 0x5D, 0x37, 0x96, 0xAC, 0x4A, 0xE7, 0x65, 0x2B,
160 0xD6, 0x84, 0x98, 0xEA, 0x96, 0x91, 0xFB, 0x78, 0xED, 0x86,
161];
162
Rajesh Nyamagoudc946cc42022-04-12 22:49:11 +0000[diff] [blame]163/// DER-encoded PKCS#8 format RSA key -
164/// Size: 2048
165/// Public Exponent: 65537
166/// Purpose: WRAP_KEY, ENCRYPT, DECRYPT
167/// Encryption scheme: RSAES-PKCS1-v1_5
168/// Digest: SHA_2_256
169/// Padding: RSA_OAEP
170/// This sample wrapping_key is taken from KeyMint tests
171/// (see hardware/interfaces/security/keymint/aidl/vts/functional/KeyMintTest.cpp).
172/// Similarly more test keys can be generated with below command -
173/// openssl genrsa 2048 | openssl pkcs8 -topk8 -nocrypt -outform der | hexdump -e '30/1 "%02X" "\n"'
174pub static WRAPPING_KEY: &[u8] = &[
175 0x30, 0x82, 0x04, 0xbe, 0x02, 0x01, 0x00, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7,
176 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x04, 0x82, 0x04, 0xa8, 0x30, 0x82, 0x04, 0xa4, 0x02, 0x01,
177 0x00, 0x02, 0x82, 0x01, 0x01, 0x00, 0xae, 0xc3, 0x67, 0x93, 0x1d, 0x89, 0x00, 0xce, 0x56, 0xb0,
178 0x06, 0x7f, 0x7d, 0x70, 0xe1, 0xfc, 0x65, 0x3f, 0x3f, 0x34, 0xd1, 0x94, 0xc1, 0xfe, 0xd5, 0x00,
179 0x18, 0xfb, 0x43, 0xdb, 0x93, 0x7b, 0x06, 0xe6, 0x73, 0xa8, 0x37, 0x31, 0x3d, 0x56, 0xb1, 0xc7,
180 0x25, 0x15, 0x0a, 0x3f, 0xef, 0x86, 0xac, 0xbd, 0xdc, 0x41, 0xbb, 0x75, 0x9c, 0x28, 0x54, 0xea,
181 0xe3, 0x2d, 0x35, 0x84, 0x1e, 0xfb, 0x5c, 0x18, 0xd8, 0x2b, 0xc9, 0x0a, 0x1c, 0xb5, 0xc1, 0xd5,
182 0x5a, 0xdf, 0x24, 0x5b, 0x02, 0x91, 0x1f, 0x0b, 0x7c, 0xda, 0x88, 0xc4, 0x21, 0xff, 0x0e, 0xba,
183 0xfe, 0x7c, 0x0d, 0x23, 0xbe, 0x31, 0x2d, 0x7b, 0xd5, 0x92, 0x1f, 0xfa, 0xea, 0x13, 0x47, 0xc1,
184 0x57, 0x40, 0x6f, 0xef, 0x71, 0x8f, 0x68, 0x26, 0x43, 0xe4, 0xe5, 0xd3, 0x3c, 0x67, 0x03, 0xd6,
185 0x1c, 0x0c, 0xf7, 0xac, 0x0b, 0xf4, 0x64, 0x5c, 0x11, 0xf5, 0xc1, 0x37, 0x4c, 0x38, 0x86, 0x42,
186 0x74, 0x11, 0xc4, 0x49, 0x79, 0x67, 0x92, 0xe0, 0xbe, 0xf7, 0x5d, 0xec, 0x85, 0x8a, 0x21, 0x23,
187 0xc3, 0x67, 0x53, 0xe0, 0x2a, 0x95, 0xa9, 0x6d, 0x7c, 0x45, 0x4b, 0x50, 0x4d, 0xe3, 0x85, 0xa6,
188 0x42, 0xe0, 0xdf, 0xc3, 0xe6, 0x0a, 0xc3, 0xa7, 0xee, 0x49, 0x91, 0xd0, 0xd4, 0x8b, 0x01, 0x72,
189 0xa9, 0x5f, 0x95, 0x36, 0xf0, 0x2b, 0xa1, 0x3c, 0xec, 0xcc, 0xb9, 0x2b, 0x72, 0x7d, 0xb5, 0xc2,
190 0x7e, 0x5b, 0x2f, 0x5c, 0xec, 0x09, 0x60, 0x0b, 0x28, 0x6a, 0xf5, 0xcf, 0x14, 0xc4, 0x20, 0x24,
191 0xc6, 0x1d, 0xdf, 0xe7, 0x1c, 0x2a, 0x8d, 0x74, 0x58, 0xf1, 0x85, 0x23, 0x4c, 0xb0, 0x0e, 0x01,
192 0xd2, 0x82, 0xf1, 0x0f, 0x8f, 0xc6, 0x72, 0x1d, 0x2a, 0xed, 0x3f, 0x48, 0x33, 0xcc, 0xa2, 0xbd,
193 0x8f, 0xa6, 0x28, 0x21, 0xdd, 0x55, 0x02, 0x03, 0x01, 0x00, 0x01, 0x02, 0x82, 0x01, 0x00, 0x43,
194 0x14, 0x47, 0xb6, 0x25, 0x19, 0x08, 0x11, 0x2b, 0x1e, 0xe7, 0x6f, 0x99, 0xf3, 0x71, 0x1a, 0x52,
195 0xb6, 0x63, 0x09, 0x60, 0x04, 0x6c, 0x2d, 0xe7, 0x0d, 0xe1, 0x88, 0xd8, 0x33, 0xf8, 0xb8, 0xb9,
196 0x1e, 0x4d, 0x78, 0x5c, 0xae, 0xee, 0xaf, 0x4f, 0x0f, 0x74, 0x41, 0x4e, 0x2c, 0xda, 0x40, 0x64,
197 0x1f, 0x7f, 0xe2, 0x4f, 0x14, 0xc6, 0x7a, 0x88, 0x95, 0x9b, 0xdb, 0x27, 0x76, 0x6d, 0xf9, 0xe7,
198 0x10, 0xb6, 0x30, 0xa0, 0x3a, 0xdc, 0x68, 0x3b, 0x5d, 0x2c, 0x43, 0x08, 0x0e, 0x52, 0xbe, 0xe7,
199 0x1e, 0x9e, 0xae, 0xb6, 0xde, 0x29, 0x7a, 0x5f, 0xea, 0x10, 0x72, 0x07, 0x0d, 0x18, 0x1c, 0x82,
200 0x2b, 0xcc, 0xff, 0x08, 0x7d, 0x63, 0xc9, 0x40, 0xba, 0x8a, 0x45, 0xf6, 0x70, 0xfe, 0xb2, 0x9f,
201 0xb4, 0x48, 0x4d, 0x1c, 0x95, 0xe6, 0xd2, 0x57, 0x9b, 0xa0, 0x2a, 0xae, 0x0a, 0x00, 0x90, 0x0c,
202 0x3e, 0xbf, 0x49, 0x0e, 0x3d, 0x2c, 0xd7, 0xee, 0x8d, 0x0e, 0x20, 0xc5, 0x36, 0xe4, 0xdc, 0x5a,
203 0x50, 0x97, 0x27, 0x28, 0x88, 0xcd, 0xdd, 0x7e, 0x91, 0xf2, 0x28, 0xb1, 0xc4, 0xd7, 0x47, 0x4c,
204 0x55, 0xb8, 0xfc, 0xd6, 0x18, 0xc4, 0xa9, 0x57, 0xbb, 0xdd, 0xd5, 0xad, 0x74, 0x07, 0xcc, 0x31,
205 0x2d, 0x8d, 0x98, 0xa5, 0xca, 0xf7, 0xe0, 0x8f, 0x4a, 0x0d, 0x6b, 0x45, 0xbb, 0x41, 0xc6, 0x52,
206 0x65, 0x9d, 0x5a, 0x5b, 0xa0, 0x5b, 0x66, 0x37, 0x37, 0xa8, 0x69, 0x62, 0x81, 0x86, 0x5b, 0xa2,
207 0x0f, 0xbd, 0xd7, 0xf8, 0x51, 0xe6, 0xc5, 0x6e, 0x8c, 0xbe, 0x0d, 0xdb, 0xbf, 0x24, 0xdc, 0x03,
208 0xb2, 0xd2, 0xcb, 0x4c, 0x3d, 0x54, 0x0f, 0xb0, 0xaf, 0x52, 0xe0, 0x34, 0xa2, 0xd0, 0x66, 0x98,
209 0xb1, 0x28, 0xe5, 0xf1, 0x01, 0xe3, 0xb5, 0x1a, 0x34, 0xf8, 0xd8, 0xb4, 0xf8, 0x61, 0x81, 0x02,
210 0x81, 0x81, 0x00, 0xde, 0x39, 0x2e, 0x18, 0xd6, 0x82, 0xc8, 0x29, 0x26, 0x6c, 0xc3, 0x45, 0x4e,
211 0x1d, 0x61, 0x66, 0x24, 0x2f, 0x32, 0xd9, 0xa1, 0xd1, 0x05, 0x77, 0x75, 0x3e, 0x90, 0x4e, 0xa7,
212 0xd0, 0x8b, 0xff, 0x84, 0x1b, 0xe5, 0xba, 0xc8, 0x2a, 0x16, 0x4c, 0x59, 0x70, 0x00, 0x70, 0x47,
213 0xb8, 0xc5, 0x17, 0xdb, 0x8f, 0x8f, 0x84, 0xe3, 0x7b, 0xd5, 0x98, 0x85, 0x61, 0xbd, 0xf5, 0x03,
214 0xd4, 0xdc, 0x2b, 0xdb, 0x38, 0xf8, 0x85, 0x43, 0x4a, 0xe4, 0x2c, 0x35, 0x5f, 0x72, 0x5c, 0x9a,
215 0x60, 0xf9, 0x1f, 0x07, 0x88, 0xe1, 0xf1, 0xa9, 0x72, 0x23, 0xb5, 0x24, 0xb5, 0x35, 0x7f, 0xdf,
216 0x72, 0xe2, 0xf6, 0x96, 0xba, 0xb7, 0xd7, 0x8e, 0x32, 0xbf, 0x92, 0xba, 0x8e, 0x18, 0x64, 0xea,
217 0xb1, 0x22, 0x9e, 0x91, 0x34, 0x61, 0x30, 0x74, 0x8a, 0x6e, 0x3c, 0x12, 0x4f, 0x91, 0x49, 0xd7,
218 0x1c, 0x74, 0x35, 0x02, 0x81, 0x81, 0x00, 0xc9, 0x53, 0x87, 0xc0, 0xf9, 0xd3, 0x5f, 0x13, 0x7b,
219 0x57, 0xd0, 0xd6, 0x5c, 0x39, 0x7c, 0x5e, 0x21, 0xcc, 0x25, 0x1e, 0x47, 0x00, 0x8e, 0xd6, 0x2a,
220 0x54, 0x24, 0x09, 0xc8, 0xb6, 0xb6, 0xac, 0x7f, 0x89, 0x67, 0xb3, 0x86, 0x3c, 0xa6, 0x45, 0xfc,
221 0xce, 0x49, 0x58, 0x2a, 0x9a, 0xa1, 0x73, 0x49, 0xdb, 0x6c, 0x4a, 0x95, 0xaf, 0xfd, 0xae, 0x0d,
222 0xae, 0x61, 0x2e, 0x1a, 0xfa, 0xc9, 0x9e, 0xd3, 0x9a, 0x2d, 0x93, 0x4c, 0x88, 0x04, 0x40, 0xae,
223 0xd8, 0x83, 0x2f, 0x98, 0x43, 0x16, 0x3a, 0x47, 0xf2, 0x7f, 0x39, 0x21, 0x99, 0xdc, 0x12, 0x02,
224 0xf9, 0xa0, 0xf9, 0xbd, 0x08, 0x30, 0x80, 0x07, 0xcb, 0x1e, 0x4e, 0x7f, 0x58, 0x30, 0x93, 0x66,
225 0xa7, 0xde, 0x25, 0xf7, 0xc3, 0xc9, 0xb8, 0x80, 0x67, 0x7c, 0x06, 0x8e, 0x1b, 0xe9, 0x36, 0xe8,
226 0x12, 0x88, 0x81, 0x52, 0x52, 0xa8, 0xa1, 0x02, 0x81, 0x80, 0x57, 0xff, 0x8c, 0xa1, 0x89, 0x50,
227 0x80, 0xb2, 0xca, 0xe4, 0x86, 0xef, 0x0a, 0xdf, 0xd7, 0x91, 0xfb, 0x02, 0x35, 0xc0, 0xb8, 0xb3,
228 0x6c, 0xd6, 0xc1, 0x36, 0xe5, 0x2e, 0x40, 0x85, 0xf4, 0xea, 0x5a, 0x06, 0x32, 0x12, 0xa4, 0xf1,
229 0x05, 0xa3, 0x76, 0x47, 0x43, 0xe5, 0x32, 0x81, 0x98, 0x8a, 0xba, 0x07, 0x3f, 0x6e, 0x00, 0x27,
230 0x29, 0x8e, 0x1c, 0x43, 0x78, 0x55, 0x6e, 0x0e, 0xfc, 0xa0, 0xe1, 0x4e, 0xce, 0x1a, 0xf7, 0x6a,
231 0xd0, 0xb0, 0x30, 0xf2, 0x7a, 0xf6, 0xf0, 0xab, 0x35, 0xfb, 0x73, 0xa0, 0x60, 0xd8, 0xb1, 0xa0,
232 0xe1, 0x42, 0xfa, 0x26, 0x47, 0xe9, 0x3b, 0x32, 0xe3, 0x6d, 0x82, 0x82, 0xae, 0x0a, 0x4d, 0xe5,
233 0x0a, 0xb7, 0xaf, 0xe8, 0x55, 0x00, 0xa1, 0x6f, 0x43, 0xa6, 0x47, 0x19, 0xd6, 0xe2, 0xb9, 0x43,
234 0x98, 0x23, 0x71, 0x9c, 0xd0, 0x8b, 0xcd, 0x03, 0x17, 0x81, 0x02, 0x81, 0x81, 0x00, 0xba, 0x73,
235 0xb0, 0xbb, 0x28, 0xe3, 0xf8, 0x1e, 0x9b, 0xd1, 0xc5, 0x68, 0x71, 0x3b, 0x10, 0x12, 0x41, 0xac,
236 0xc6, 0x07, 0x97, 0x6c, 0x4d, 0xdc, 0xcc, 0x90, 0xe6, 0x5b, 0x65, 0x56, 0xca, 0x31, 0x51, 0x60,
237 0x58, 0xf9, 0x2b, 0x6e, 0x09, 0xf3, 0xb1, 0x60, 0xff, 0x0e, 0x37, 0x4e, 0xc4, 0x0d, 0x78, 0xae,
238 0x4d, 0x49, 0x79, 0xfd, 0xe6, 0xac, 0x06, 0xa1, 0xa4, 0x00, 0xc6, 0x1d, 0xd3, 0x12, 0x54, 0x18,
239 0x6a, 0xf3, 0x0b, 0x22, 0xc1, 0x05, 0x82, 0xa8, 0xa4, 0x3e, 0x34, 0xfe, 0x94, 0x9c, 0x5f, 0x3b,
240 0x97, 0x55, 0xba, 0xe7, 0xba, 0xa7, 0xb7, 0xb7, 0xa6, 0xbd, 0x03, 0xb3, 0x8c, 0xef, 0x55, 0xc8,
241 0x68, 0x85, 0xfc, 0x6c, 0x19, 0x78, 0xb9, 0xce, 0xe7, 0xef, 0x33, 0xda, 0x50, 0x7c, 0x9d, 0xf6,
242 0xb9, 0x27, 0x7c, 0xff, 0x1e, 0x6a, 0xaa, 0x5d, 0x57, 0xac, 0xa5, 0x28, 0x46, 0x61, 0x02, 0x81,
243 0x81, 0x00, 0xc9, 0x31, 0x61, 0x7c, 0x77, 0x82, 0x9d, 0xfb, 0x12, 0x70, 0x50, 0x2b, 0xe9, 0x19,
244 0x5c, 0x8f, 0x28, 0x30, 0x88, 0x5f, 0x57, 0xdb, 0xa8, 0x69, 0x53, 0x68, 0x11, 0xe6, 0x86, 0x42,
245 0x36, 0xd0, 0xc4, 0x73, 0x6a, 0x00, 0x08, 0xa1, 0x45, 0xaf, 0x36, 0xb8, 0x35, 0x7a, 0x7c, 0x3d,
246 0x13, 0x99, 0x66, 0xd0, 0x4c, 0x4e, 0x00, 0x93, 0x4e, 0xa1, 0xae, 0xde, 0x3b, 0xb6, 0xb8, 0xec,
247 0x84, 0x1d, 0xc9, 0x5e, 0x3f, 0x57, 0x97, 0x51, 0xe2, 0xbf, 0xdf, 0xe2, 0x7a, 0xe7, 0x78, 0x98,
248 0x3f, 0x95, 0x93, 0x56, 0x21, 0x07, 0x23, 0x28, 0x7b, 0x0a, 0xff, 0xcc, 0x9f, 0x72, 0x70, 0x44,
249 0xd4, 0x8c, 0x37, 0x3f, 0x1b, 0xab, 0xde, 0x07, 0x24, 0xfa, 0x17, 0xa4, 0xfd, 0x4d, 0xa0, 0x90,
250 0x2c, 0x7c, 0x9b, 0x9b, 0xf2, 0x7b, 0xa6, 0x1b, 0xe6, 0xad, 0x02, 0xdf, 0xdd, 0xda, 0x8f, 0x4e,
251 0x68, 0x22,
252];
253
254/// WrappedKeyData as ASN.1 DER-encoded data corresponding to the `SecureKeyWrapper` schema
255/// specified in IKeyMintDevice.aidl. Wrapped key parameters are -
256/// Algorithm: AES
257/// Key size: 256
258/// Block mode: ECB
259/// Padding mode: PKCS7
260/// This sample wrapped_key is taken from KeyMint tests (see KeyMintTest.cpp).
261pub static WRAPPED_KEY: &[u8] = &[
262 0x30, 0x82, 0x01, 0x79, 0x02, 0x01, 0x00, 0x04, 0x82, 0x01, 0x00, 0x93, 0x4b, 0xf9, 0x4e, 0x2a,
263 0xa2, 0x8a, 0x3f, 0x83, 0xc9, 0xf7, 0x92, 0x97, 0x25, 0x02, 0x62, 0xfb, 0xe3, 0x27, 0x6b, 0x5a,
264 0x1c, 0x91, 0x15, 0x9b, 0xbf, 0xa3, 0xef, 0x89, 0x57, 0xaa, 0xc8, 0x4b, 0x59, 0xb3, 0x0b, 0x45,
265 0x5a, 0x79, 0xc2, 0x97, 0x34, 0x80, 0x82, 0x3d, 0x8b, 0x38, 0x63, 0xc3, 0xde, 0xef, 0x4a, 0x8e,
266 0x24, 0x35, 0x90, 0x26, 0x8d, 0x80, 0xe1, 0x87, 0x51, 0xa0, 0xe1, 0x30, 0xf6, 0x7c, 0xe6, 0xa1,
267 0xac, 0xe9, 0xf7, 0x9b, 0x95, 0xe0, 0x97, 0x47, 0x4f, 0xeb, 0xc9, 0x81, 0x19, 0x5b, 0x1d, 0x13,
268 0xa6, 0x90, 0x86, 0xc0, 0x86, 0x3f, 0x66, 0xa7, 0xb7, 0xfd, 0xb4, 0x87, 0x92, 0x22, 0x7b, 0x1a,
269 0xc5, 0xe2, 0x48, 0x9f, 0xeb, 0xdf, 0x08, 0x7a, 0xb5, 0x48, 0x64, 0x83, 0x03, 0x3a, 0x6f, 0x00,
270 0x1c, 0xa5, 0xd1, 0xec, 0x1e, 0x27, 0xf5, 0xc3, 0x0f, 0x4c, 0xec, 0x26, 0x42, 0x07, 0x4a, 0x39,
271 0xae, 0x68, 0xae, 0xe5, 0x52, 0xe1, 0x96, 0x62, 0x7a, 0x8e, 0x3d, 0x86, 0x7e, 0x67, 0xa8, 0xc0,
272 0x1b, 0x11, 0xe7, 0x5f, 0x13, 0xcc, 0xa0, 0xa9, 0x7a, 0xb6, 0x68, 0xb5, 0x0c, 0xda, 0x07, 0xa8,
273 0xec, 0xb7, 0xcd, 0x8e, 0x3d, 0xd7, 0x00, 0x9c, 0x96, 0x36, 0x53, 0x4f, 0x6f, 0x23, 0x9c, 0xff,
274 0xe1, 0xfc, 0x8d, 0xaa, 0x46, 0x6f, 0x78, 0xb6, 0x76, 0xc7, 0x11, 0x9e, 0xfb, 0x96, 0xbc, 0xe4,
275 0xe6, 0x9c, 0xa2, 0xa2, 0x5d, 0x0b, 0x34, 0xed, 0x9c, 0x3f, 0xf9, 0x99, 0xb8, 0x01, 0x59, 0x7d,
276 0x52, 0x20, 0xe3, 0x07, 0xea, 0xa5, 0xbe, 0xe5, 0x07, 0xfb, 0x94, 0xd1, 0xfa, 0x69, 0xf9, 0xe5,
277 0x19, 0xb2, 0xde, 0x31, 0x5b, 0xac, 0x92, 0xc3, 0x6f, 0x2e, 0xa1, 0xfa, 0x1d, 0xf4, 0x47, 0x8c,
278 0x0d, 0xde, 0xde, 0xae, 0x8c, 0x70, 0xe0, 0x23, 0x3c, 0xd0, 0x98, 0x04, 0x0c, 0xd7, 0x96, 0xb0,
279 0x2c, 0x37, 0x0f, 0x1f, 0xa4, 0xcc, 0x01, 0x24, 0xf1, 0x30, 0x2e, 0x02, 0x01, 0x03, 0x30, 0x29,
280 0xa1, 0x08, 0x31, 0x06, 0x02, 0x01, 0x00, 0x02, 0x01, 0x01, 0xa2, 0x03, 0x02, 0x01, 0x20, 0xa3,
281 0x04, 0x02, 0x02, 0x01, 0x00, 0xa4, 0x05, 0x31, 0x03, 0x02, 0x01, 0x01, 0xa6, 0x05, 0x31, 0x03,
282 0x02, 0x01, 0x40, 0xbf, 0x83, 0x77, 0x02, 0x05, 0x00, 0x04, 0x20, 0xcc, 0xd5, 0x40, 0x85, 0x5f,
283 0x83, 0x3a, 0x5e, 0x14, 0x80, 0xbf, 0xd2, 0xd3, 0x6f, 0xaf, 0x3a, 0xee, 0xe1, 0x5d, 0xf5, 0xbe,
284 0xab, 0xe2, 0x69, 0x1b, 0xc8, 0x2d, 0xde, 0x2a, 0x7a, 0xa9, 0x10, 0x04, 0x10, 0x64, 0xc9, 0xf6,
285 0x89, 0xc6, 0x0f, 0xf6, 0x22, 0x3a, 0xb6, 0xe6, 0x99, 0x9e, 0x0e, 0xb6, 0xe5,
286];
287
Rajesh Nyamagoudb881d512021-12-10 00:33:15 +0000[diff] [blame]288/// To map Keystore errors.
289#[derive(thiserror::Error, Debug, Eq, PartialEq)]
290pub enum Error {
291 /// Keystore2 error code
292 #[error("ResponseCode {0:?}")]
293 Rc(ResponseCode),
294 /// Keymint error code
295 #[error("ErrorCode {0:?}")]
296 Km(ErrorCode),
297 /// Exception
298 #[error("Binder exception {0:?}")]
299 Binder(ExceptionCode),
Rajesh Nyamagoud4d483372022-02-09 01:38:23 +0000[diff] [blame]300 /// This is returned if the C implementation of extractSubjectFromCertificate failed.
301 #[error("Failed to validate certificate chain.")]
302 ValidateCertChainFailed,
Rajesh Nyamagoudc946cc42022-04-12 22:49:11 +0000[diff] [blame]303 /// Error code to indicate error in ASN.1 DER-encoded data creation.
304 #[error("Failed to create and encode ASN.1 data.")]
305 DerEncodeFailed,
Rajesh Nyamagoud28abde62023-04-01 01:32:32 +0000[diff] [blame]306 /// Error code to indicate error while using keystore-engine API.
307 #[error("Failed to perform crypto op using keystore-engine APIs.")]
308 Keystore2EngineOpFailed,
Rajesh Nyamagouda42dee62022-04-22 21:15:55 +0000[diff] [blame^]309 /// Error code to indicate error in attestation-id validation.
310 #[error("Failed to validate attestation-id.")]
311 ValidateAttestIdFailed,
312 /// Error code to indicate error in getting value from attest record.
313 #[error("Failed to get value from attest record.")]
314 AttestRecordGetValueFailed,
Rajesh Nyamagoudb881d512021-12-10 00:33:15 +0000[diff] [blame]315}
316
317/// Keystore2 error mapping.
318pub fn map_ks_error<T>(r: BinderResult<T>) -> Result<T, Error> {
319 r.map_err(|s| {
320 match s.exception_code() {
321 ExceptionCode::SERVICE_SPECIFIC => {
322 match s.service_specific_error() {
323 se if se < 0 => {
324 // Negative service specific errors are KM error codes.
325 Error::Km(ErrorCode(se))
326 }
327 se => {
328 // Positive service specific errors are KS response codes.
329 Error::Rc(ResponseCode(se))
330 }
331 }
332 }
333 // We create `Error::Binder` to preserve the exception code
334 // for logging.
335 e_code => Error::Binder(e_code),
336 }
337 })
338}
339
340/// Generate EC Key using given security level and domain with below key parameters and
341/// optionally allow the generated key to be attested with factory provisioned attest key using
342/// given challenge and application id -
Rajesh Nyamagoud901386c2022-03-21 20:35:18 +0000[diff] [blame]343/// Purposes: SIGN and VERIFY
344/// Digest: SHA_2_256
345/// Curve: P_256
Rajesh Nyamagoudb881d512021-12-10 00:33:15 +0000[diff] [blame]346pub fn generate_ec_p256_signing_key(
Rajesh Nyamagoud901386c2022-03-21 20:35:18 +0000[diff] [blame]347 sec_level: &binder::Strong<dyn IKeystoreSecurityLevel>,
Rajesh Nyamagoudb881d512021-12-10 00:33:15 +0000[diff] [blame]348 domain: Domain,
349 nspace: i64,
350 alias: Option<String>,
351 att_challenge: Option<&[u8]>,
Rajesh Nyamagoud901386c2022-03-21 20:35:18 +0000[diff] [blame]352) -> binder::Result<KeyMetadata> {
Rajesh Nyamagoudb881d512021-12-10 00:33:15 +0000[diff] [blame]353 let mut key_attest = false;
354 let mut gen_params = AuthSetBuilder::new()
Rajesh Nyamagoudc7d064d2022-08-20 01:45:17 +0000[diff] [blame]355 .no_auth_required()
Rajesh Nyamagoud901386c2022-03-21 20:35:18 +0000[diff] [blame]356 .algorithm(Algorithm::EC)
357 .purpose(KeyPurpose::SIGN)
358 .purpose(KeyPurpose::VERIFY)
359 .digest(Digest::SHA_2_256)
Rajesh Nyamagoudb881d512021-12-10 00:33:15 +0000[diff] [blame]360 .ec_curve(EcCurve::P_256);
361
362 if let Some(challenge) = att_challenge {
363 key_attest = true;
364 gen_params = gen_params.clone().attestation_challenge(challenge.to_vec());
365 }
366
Rajesh Nyamagoud901386c2022-03-21 20:35:18 +0000[diff] [blame]367 match sec_level.generateKey(
Rajesh Nyamagoudb881d512021-12-10 00:33:15 +0000[diff] [blame]368 &KeyDescriptor { domain, nspace, alias, blob: None },
Rajesh Nyamagoud901386c2022-03-21 20:35:18 +0000[diff] [blame]369 None,
370 &gen_params,
371 0,
372 b"entropy",
373 ) {
374 Ok(key_metadata) => {
375 assert!(key_metadata.certificate.is_some());
Rajesh Nyamagoudb881d512021-12-10 00:33:15 +0000[diff] [blame]376 if key_attest {
377 assert!(key_metadata.certificateChain.is_some());
378 }
379 if domain == Domain::BLOB {
380 assert!(key_metadata.key.blob.is_some());
381 }
Rajesh Nyamagoud901386c2022-03-21 20:35:18 +0000[diff] [blame]382
383 Ok(key_metadata)
384 }
385 Err(e) => Err(e),
386 }
387}
Rajesh Nyamagouda7766452021-12-13 21:44:19 +0000[diff] [blame]388
389/// Generate EC signing key.
Rajesh Nyamagoudc7d064d2022-08-20 01:45:17 +0000[diff] [blame]390pub fn generate_ec_key(
391 sec_level: &binder::Strong<dyn IKeystoreSecurityLevel>,
Rajesh Nyamagouda7766452021-12-13 21:44:19 +0000[diff] [blame]392 domain: Domain,
393 nspace: i64,
394 alias: Option<String>,
395 ec_curve: EcCurve,
396 digest: Digest,
397) -> binder::Result<KeyMetadata> {
398 let gen_params = AuthSetBuilder::new()
399 .no_auth_required()
400 .algorithm(Algorithm::EC)
401 .purpose(KeyPurpose::SIGN)
402 .purpose(KeyPurpose::VERIFY)
403 .digest(digest)
404 .ec_curve(ec_curve);
405
406 let key_metadata = sec_level.generateKey(
407 &KeyDescriptor { domain, nspace, alias, blob: None },
408 None,
409 &gen_params,
410 0,
411 b"entropy",
412 )?;
413
414 // Must have a public key.
415 assert!(key_metadata.certificate.is_some());
416
417 // Should not have an attestation record.
418 assert!(key_metadata.certificateChain.is_none());
419
420 if domain == Domain::BLOB {
421 assert!(key_metadata.key.blob.is_some());
422 } else {
423 assert!(key_metadata.key.blob.is_none());
424 }
425 Ok(key_metadata)
426}
Rajesh Nyamagoud11912ea2021-12-20 20:37:20 +0000[diff] [blame]427
428/// Generate a RSA key with the given key parameters, alias, domain and namespace.
429pub fn generate_rsa_key(
430 sec_level: &binder::Strong<dyn IKeystoreSecurityLevel>,
431 domain: Domain,
432 nspace: i64,
433 alias: Option<String>,
434 key_params: &KeyParams,
435 attest_key: Option<&KeyDescriptor>,
436) -> binder::Result<KeyMetadata> {
437 let mut gen_params = AuthSetBuilder::new()
438 .no_auth_required()
439 .algorithm(Algorithm::RSA)
440 .rsa_public_exponent(65537)
441 .key_size(key_params.key_size);
442
443 for purpose in &key_params.purpose {
444 gen_params = gen_params.purpose(*purpose);
445 }
446 if let Some(value) = key_params.digest {
447 gen_params = gen_params.digest(value)
448 }
449 if let Some(value) = key_params.padding {
450 gen_params = gen_params.padding_mode(value);
451 }
452 if let Some(value) = key_params.mgf_digest {
453 gen_params = gen_params.mgf_digest(value);
454 }
455 if let Some(value) = key_params.block_mode {
456 gen_params = gen_params.block_mode(value)
457 }
458 if let Some(value) = &key_params.att_challenge {
459 gen_params = gen_params.attestation_challenge(value.to_vec())
460 }
Rajesh Nyamagoud11912ea2021-12-20 20:37:20 +0000[diff] [blame]461
462 let key_metadata = sec_level.generateKey(
463 &KeyDescriptor { domain, nspace, alias, blob: None },
464 attest_key,
465 &gen_params,
466 0,
467 b"entropy",
468 )?;
469
470 // Must have a public key.
471 assert!(key_metadata.certificate.is_some());
472
David Drysdale38f2ca32023-01-10 13:10:51 +0000[diff] [blame]473 if attest_key.is_none() && key_params.att_challenge.is_some() {
Rajesh Nyamagoud11912ea2021-12-20 20:37:20 +0000[diff] [blame]474 // Should have an attestation record.
475 assert!(key_metadata.certificateChain.is_some());
476 } else {
477 // Should not have an attestation record.
478 assert!(key_metadata.certificateChain.is_none());
479 }
480
481 assert!(
482 (domain == Domain::BLOB && key_metadata.key.blob.is_some())
483 || key_metadata.key.blob.is_none()
484 );
485
486 Ok(key_metadata)
487}
Rajesh Nyamagoud47409932022-01-08 00:37:13 +0000[diff] [blame]488
Rajesh Nyamagoudc3523ba2022-08-05 17:38:25 +0000[diff] [blame]489/// Generate AES/3DES key.
490pub fn generate_sym_key(
Rajesh Nyamagoud47409932022-01-08 00:37:13 +0000[diff] [blame]491 sec_level: &binder::Strong<dyn IKeystoreSecurityLevel>,
Rajesh Nyamagoudc3523ba2022-08-05 17:38:25 +0000[diff] [blame]492 algorithm: Algorithm,
Rajesh Nyamagoud47409932022-01-08 00:37:13 +0000[diff] [blame]493 size: i32,
494 alias: &str,
495 padding_mode: &PaddingMode,
496 block_mode: &BlockMode,
497 min_mac_len: Option<i32>,
498) -> binder::Result<KeyMetadata> {
499 let mut gen_params = AuthSetBuilder::new()
500 .no_auth_required()
Rajesh Nyamagoudc3523ba2022-08-05 17:38:25 +0000[diff] [blame]501 .algorithm(algorithm)
Rajesh Nyamagoud47409932022-01-08 00:37:13 +0000[diff] [blame]502 .purpose(KeyPurpose::ENCRYPT)
503 .purpose(KeyPurpose::DECRYPT)
504 .key_size(size)
505 .padding_mode(*padding_mode)
506 .block_mode(*block_mode);
507
508 if let Some(val) = min_mac_len {
509 gen_params = gen_params.min_mac_length(val);
510 }
511
512 let key_metadata = sec_level.generateKey(
513 &KeyDescriptor {
514 domain: Domain::APP,
515 nspace: -1,
516 alias: Some(alias.to_string()),
517 blob: None,
518 },
519 None,
520 &gen_params,
521 0,
522 b"entropy",
523 )?;
524
525 // Should not have public certificate.
526 assert!(key_metadata.certificate.is_none());
527
528 // Should not have an attestation record.
529 assert!(key_metadata.certificateChain.is_none());
530 Ok(key_metadata)
531}
Rajesh Nyamagoud4c6193c2022-02-03 01:15:34 +0000[diff] [blame]532
533/// Generate HMAC key.
534pub fn generate_hmac_key(
535 sec_level: &binder::Strong<dyn IKeystoreSecurityLevel>,
536 alias: &str,
537 key_size: i32,
538 min_mac_len: i32,
539 digest: Digest,
540) -> binder::Result<KeyMetadata> {
541 let gen_params = AuthSetBuilder::new()
542 .no_auth_required()
543 .algorithm(Algorithm::HMAC)
544 .purpose(KeyPurpose::SIGN)
545 .purpose(KeyPurpose::VERIFY)
546 .key_size(key_size)
547 .min_mac_length(min_mac_len)
548 .digest(digest);
549
550 let key_metadata = sec_level.generateKey(
551 &KeyDescriptor {
552 domain: Domain::APP,
553 nspace: -1,
554 alias: Some(alias.to_string()),
555 blob: None,
556 },
557 None,
558 &gen_params,
559 0,
560 b"entropy",
561 )?;
562
563 // Should not have public certificate.
564 assert!(key_metadata.certificate.is_none());
565
566 // Should not have an attestation record.
567 assert!(key_metadata.certificateChain.is_none());
568
569 Ok(key_metadata)
570}
Rajesh Nyamagoud4d483372022-02-09 01:38:23 +0000[diff] [blame]571
572/// Generate RSA or EC attestation keys using below parameters -
573/// Purpose: ATTEST_KEY
574/// Digest: Digest::SHA_2_256
575/// Padding: PaddingMode::RSA_PKCS1_1_5_SIGN
576/// RSA-Key-Size: 2048
577/// EC-Curve: EcCurve::P_256
578pub fn generate_attestation_key(
579 sec_level: &binder::Strong<dyn IKeystoreSecurityLevel>,
580 algorithm: Algorithm,
581 att_challenge: &[u8],
Rajesh Nyamagoud4d483372022-02-09 01:38:23 +0000[diff] [blame]582) -> binder::Result<KeyMetadata> {
583 assert!(algorithm == Algorithm::RSA || algorithm == Algorithm::EC);
584
585 if algorithm == Algorithm::RSA {
586 let alias = "ks_rsa_attest_test_key";
587 let metadata = generate_rsa_key(
588 sec_level,
589 Domain::APP,
590 -1,
591 Some(alias.to_string()),
592 &KeyParams {
593 key_size: 2048,
594 purpose: vec![KeyPurpose::ATTEST_KEY],
595 padding: Some(PaddingMode::RSA_PKCS1_1_5_SIGN),
596 digest: Some(Digest::SHA_2_256),
597 mgf_digest: None,
598 block_mode: None,
599 att_challenge: Some(att_challenge.to_vec()),
Rajesh Nyamagoud4d483372022-02-09 01:38:23 +0000[diff] [blame]600 },
601 None,
602 )
603 .unwrap();
604 Ok(metadata)
605 } else {
606 let metadata = generate_ec_attestation_key(
607 sec_level,
608 att_challenge,
Rajesh Nyamagoud4d483372022-02-09 01:38:23 +0000[diff] [blame]609 Digest::SHA_2_256,
610 EcCurve::P_256,
611 )
612 .unwrap();
613
614 Ok(metadata)
615 }
616}
617
618/// Generate EC attestation key with the given
619/// curve, attestation-challenge and attestation-app-id.
620pub fn generate_ec_attestation_key(
621 sec_level: &binder::Strong<dyn IKeystoreSecurityLevel>,
622 att_challenge: &[u8],
Rajesh Nyamagoud4d483372022-02-09 01:38:23 +0000[diff] [blame]623 digest: Digest,
624 ec_curve: EcCurve,
625) -> binder::Result<KeyMetadata> {
626 let alias = "ks_attest_ec_test_key";
627 let gen_params = AuthSetBuilder::new()
628 .no_auth_required()
629 .algorithm(Algorithm::EC)
630 .purpose(KeyPurpose::ATTEST_KEY)
631 .ec_curve(ec_curve)
632 .digest(digest)
David Drysdale38f2ca32023-01-10 13:10:51 +0000[diff] [blame]633 .attestation_challenge(att_challenge.to_vec());
Rajesh Nyamagoud4d483372022-02-09 01:38:23 +0000[diff] [blame]634
635 let attestation_key_metadata = sec_level.generateKey(
636 &KeyDescriptor {
637 domain: Domain::APP,
638 nspace: -1,
639 alias: Some(alias.to_string()),
640 blob: None,
641 },
642 None,
643 &gen_params,
644 0,
645 b"entropy",
646 )?;
647
648 // Should have public certificate.
649 assert!(attestation_key_metadata.certificate.is_some());
650 // Should have an attestation record.
651 assert!(attestation_key_metadata.certificateChain.is_some());
652
653 Ok(attestation_key_metadata)
654}
655
656/// Generate EC-P-256 key and attest it with given attestation key.
657pub fn generate_ec_256_attested_key(
658 sec_level: &binder::Strong<dyn IKeystoreSecurityLevel>,
659 alias: Option<String>,
660 att_challenge: &[u8],
Rajesh Nyamagoud4d483372022-02-09 01:38:23 +0000[diff] [blame]661 attest_key: &KeyDescriptor,
662) -> binder::Result<KeyMetadata> {
663 let ec_gen_params = AuthSetBuilder::new()
664 .no_auth_required()
665 .algorithm(Algorithm::EC)
666 .purpose(KeyPurpose::SIGN)
667 .purpose(KeyPurpose::VERIFY)
668 .digest(Digest::SHA_2_256)
669 .ec_curve(EcCurve::P_256)
David Drysdale38f2ca32023-01-10 13:10:51 +0000[diff] [blame]670 .attestation_challenge(att_challenge.to_vec());
Rajesh Nyamagoud4d483372022-02-09 01:38:23 +0000[diff] [blame]671
672 let ec_key_metadata = sec_level
673 .generateKey(
674 &KeyDescriptor { domain: Domain::APP, nspace: -1, alias, blob: None },
675 Some(attest_key),
676 &ec_gen_params,
677 0,
678 b"entropy",
679 )
680 .unwrap();
681
682 // Should have public certificate.
683 assert!(ec_key_metadata.certificate.is_some());
684 // Shouldn't have an attestation record.
685 assert!(ec_key_metadata.certificateChain.is_none());
686
687 Ok(ec_key_metadata)
688}
Rajesh Nyamagoudb8402b62022-04-08 01:05:47 +0000[diff] [blame]689
Rajesh Nyamagoudc946cc42022-04-12 22:49:11 +0000[diff] [blame]690/// Verify that given key param is listed in given authorizations list.
691pub fn check_key_param(authorizations: &[Authorization], key_param: KeyParameter) -> bool {
Rajesh Nyamagoudb8402b62022-04-08 01:05:47 +0000[diff] [blame]692 for authrization in authorizations {
693 if authrization.keyParameter == key_param {
694 return true;
695 }
696 }
697
698 false
699}
700
701/// Imports above defined RSA key - `RSA_2048_KEY` and validates imported key parameters.
702pub fn import_rsa_2048_key(
703 sec_level: &binder::Strong<dyn IKeystoreSecurityLevel>,
704 domain: Domain,
705 nspace: i64,
706 alias: Option<String>,
707 import_params: AuthSetBuilder,
708) -> binder::Result<KeyMetadata> {
709 let key_metadata = sec_level
710 .importKey(
711 &KeyDescriptor { domain, nspace, alias, blob: None },
712 None,
713 &import_params,
714 0,
715 RSA_2048_KEY,
716 )
717 .unwrap();
718
719 assert!(key_metadata.certificate.is_some());
720 assert!(key_metadata.certificateChain.is_none());
721
722 assert!(check_key_param(
723 &key_metadata.authorizations,
724 KeyParameter { tag: Tag::ALGORITHM, value: KeyParameterValue::Algorithm(Algorithm::RSA) }
725 ));
726
727 assert!(check_key_param(
728 &key_metadata.authorizations,
729 KeyParameter { tag: Tag::KEY_SIZE, value: KeyParameterValue::Integer(2048) }
730 ));
731
732 assert!(check_key_param(
733 &key_metadata.authorizations,
734 KeyParameter { tag: Tag::DIGEST, value: KeyParameterValue::Digest(Digest::SHA_2_256) }
735 ));
736
737 assert!(check_key_param(
738 &key_metadata.authorizations,
739 KeyParameter {
740 tag: Tag::RSA_PUBLIC_EXPONENT,
741 value: KeyParameterValue::LongInteger(65537)
742 }
743 ));
744
745 assert!(check_key_param(
746 &key_metadata.authorizations,
747 KeyParameter {
748 tag: Tag::PADDING,
749 value: KeyParameterValue::PaddingMode(PaddingMode::RSA_PSS)
750 }
751 ));
752
753 assert!(check_key_param(
754 &key_metadata.authorizations,
755 KeyParameter { tag: Tag::ORIGIN, value: KeyParameterValue::Origin(KeyOrigin::IMPORTED) }
756 ));
757
758 Ok(key_metadata)
759}
760
761/// Imports above defined EC key - `EC_P_256_KEY` and validates imported key parameters.
762pub fn import_ec_p_256_key(
763 sec_level: &binder::Strong<dyn IKeystoreSecurityLevel>,
764 domain: Domain,
765 nspace: i64,
766 alias: Option<String>,
767 import_params: AuthSetBuilder,
768) -> binder::Result<KeyMetadata> {
769 let key_metadata = sec_level
770 .importKey(
771 &KeyDescriptor { domain, nspace, alias, blob: None },
772 None,
773 &import_params,
774 0,
775 EC_P_256_KEY,
776 )
777 .unwrap();
778
779 assert!(key_metadata.certificate.is_some());
780 assert!(key_metadata.certificateChain.is_none());
781
782 assert!(check_key_param(
783 &key_metadata.authorizations,
784 KeyParameter { tag: Tag::ALGORITHM, value: KeyParameterValue::Algorithm(Algorithm::EC) }
785 ));
786
787 assert!(check_key_param(
788 &key_metadata.authorizations,
789 KeyParameter { tag: Tag::EC_CURVE, value: KeyParameterValue::EcCurve(EcCurve::P_256) }
790 ));
791
792 assert!(check_key_param(
793 &key_metadata.authorizations,
794 KeyParameter { tag: Tag::DIGEST, value: KeyParameterValue::Digest(Digest::SHA_2_256) }
795 ));
796 assert!(check_key_param(
797 &key_metadata.authorizations,
798 KeyParameter { tag: Tag::ORIGIN, value: KeyParameterValue::Origin(KeyOrigin::IMPORTED) }
799 ));
800
801 Ok(key_metadata)
802}
803
804/// Import sample AES key and validate its key parameters.
805pub fn import_aes_key(
806 sec_level: &binder::Strong<dyn IKeystoreSecurityLevel>,
807 domain: Domain,
808 nspace: i64,
809 alias: Option<String>,
810) -> binder::Result<KeyMetadata> {
811 static AES_KEY: &[u8] = &[0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0];
812 let key_size = AES_KEY.len() * 8;
813
814 let import_params = AuthSetBuilder::new()
815 .no_auth_required()
816 .algorithm(Algorithm::AES)
817 .block_mode(BlockMode::ECB)
818 .key_size(key_size.try_into().unwrap())
819 .purpose(KeyPurpose::ENCRYPT)
820 .purpose(KeyPurpose::DECRYPT)
821 .padding_mode(PaddingMode::PKCS7);
822
823 let key_metadata = sec_level.importKey(
824 &KeyDescriptor { domain, nspace, alias, blob: None },
825 None,
826 &import_params,
827 0,
828 AES_KEY,
829 )?;
830
831 assert!(check_key_param(
832 &key_metadata.authorizations,
833 KeyParameter { tag: Tag::ALGORITHM, value: KeyParameterValue::Algorithm(Algorithm::AES) }
834 ));
835 assert!(check_key_param(
836 &key_metadata.authorizations,
837 KeyParameter { tag: Tag::KEY_SIZE, value: KeyParameterValue::Integer(128) }
838 ));
839 assert!(check_key_param(
840 &key_metadata.authorizations,
841 KeyParameter {
842 tag: Tag::PADDING,
843 value: KeyParameterValue::PaddingMode(PaddingMode::PKCS7)
844 }
845 ));
846 assert!(check_key_param(
847 &key_metadata.authorizations,
848 KeyParameter { tag: Tag::BLOCK_MODE, value: KeyParameterValue::BlockMode(BlockMode::ECB) }
849 ));
850 assert!(check_key_param(
851 &key_metadata.authorizations,
852 KeyParameter { tag: Tag::ORIGIN, value: KeyParameterValue::Origin(KeyOrigin::IMPORTED) }
853 ));
854
855 Ok(key_metadata)
856}
857
858/// Import sample 3DES key and validate its key parameters.
859pub fn import_3des_key(
860 sec_level: &binder::Strong<dyn IKeystoreSecurityLevel>,
861 domain: Domain,
862 nspace: i64,
863 alias: Option<String>,
864) -> binder::Result<KeyMetadata> {
865 static TRIPLE_DES_KEY: &[u8] = &[
866 0xa4, 0x9d, 0x75, 0x64, 0x19, 0x9e, 0x97, 0xcb, 0x52, 0x9d, 0x2c, 0x9d, 0x97, 0xbf, 0x2f,
867 0x98, 0xd3, 0x5e, 0xdf, 0x57, 0xba, 0x1f, 0x73, 0x58,
868 ];
869
870 let import_params = AuthSetBuilder::new()
871 .no_auth_required()
872 .algorithm(Algorithm::TRIPLE_DES)
873 .block_mode(BlockMode::ECB)
874 .key_size(168)
875 .purpose(KeyPurpose::ENCRYPT)
876 .purpose(KeyPurpose::DECRYPT)
877 .padding_mode(PaddingMode::PKCS7);
878
879 let key_metadata = sec_level.importKey(
880 &KeyDescriptor { domain, nspace, alias, blob: None },
881 None,
882 &import_params,
883 0,
884 TRIPLE_DES_KEY,
885 )?;
886
887 assert!(check_key_param(
888 &key_metadata.authorizations,
889 KeyParameter {
890 tag: Tag::ALGORITHM,
891 value: KeyParameterValue::Algorithm(Algorithm::TRIPLE_DES)
892 }
893 ));
894 assert!(check_key_param(
895 &key_metadata.authorizations,
896 KeyParameter { tag: Tag::KEY_SIZE, value: KeyParameterValue::Integer(168) }
897 ));
898 assert!(check_key_param(
899 &key_metadata.authorizations,
900 KeyParameter {
901 tag: Tag::PADDING,
902 value: KeyParameterValue::PaddingMode(PaddingMode::PKCS7)
903 }
904 ));
905 assert!(check_key_param(
906 &key_metadata.authorizations,
907 KeyParameter { tag: Tag::BLOCK_MODE, value: KeyParameterValue::BlockMode(BlockMode::ECB) }
908 ));
909 assert!(check_key_param(
910 &key_metadata.authorizations,
911 KeyParameter { tag: Tag::ORIGIN, value: KeyParameterValue::Origin(KeyOrigin::IMPORTED) }
912 ));
913
914 Ok(key_metadata)
915}
916
917/// Import sample HMAC key and validate its key parameters.
918pub fn import_hmac_key(
919 sec_level: &binder::Strong<dyn IKeystoreSecurityLevel>,
920 domain: Domain,
921 nspace: i64,
922 alias: Option<String>,
923) -> binder::Result<KeyMetadata> {
924 static HMAC_KEY: &[u8] = &[0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0];
925 let key_size = HMAC_KEY.len() * 8;
926
927 let import_params = AuthSetBuilder::new()
928 .no_auth_required()
929 .algorithm(Algorithm::HMAC)
930 .key_size(key_size.try_into().unwrap())
931 .purpose(KeyPurpose::SIGN)
932 .purpose(KeyPurpose::VERIFY)
933 .digest(Digest::SHA_2_256)
934 .min_mac_length(256);
935
936 let key_metadata = sec_level.importKey(
937 &KeyDescriptor { domain, nspace, alias, blob: None },
938 None,
939 &import_params,
940 0,
941 HMAC_KEY,
942 )?;
943
944 assert!(check_key_param(
945 &key_metadata.authorizations,
946 KeyParameter { tag: Tag::ALGORITHM, value: KeyParameterValue::Algorithm(Algorithm::HMAC) }
947 ));
948 assert!(check_key_param(
949 &key_metadata.authorizations,
950 KeyParameter { tag: Tag::KEY_SIZE, value: KeyParameterValue::Integer(128) }
951 ));
952 assert!(check_key_param(
953 &key_metadata.authorizations,
954 KeyParameter { tag: Tag::DIGEST, value: KeyParameterValue::Digest(Digest::SHA_2_256) }
955 ));
956 assert!(check_key_param(
957 &key_metadata.authorizations,
958 KeyParameter { tag: Tag::ORIGIN, value: KeyParameterValue::Origin(KeyOrigin::IMPORTED) }
959 ));
960
961 Ok(key_metadata)
962}
Rajesh Nyamagoudc946cc42022-04-12 22:49:11 +0000[diff] [blame]963
964/// Imports RSA encryption key with WRAP_KEY purpose.
965pub fn import_wrapping_key(
966 sec_level: &binder::Strong<dyn IKeystoreSecurityLevel>,
967 wrapping_key_data: &[u8],
968 wrapping_key_alias: Option<String>,
969) -> binder::Result<KeyMetadata> {
970 let wrapping_key_params = AuthSetBuilder::new()
971 .no_auth_required()
972 .algorithm(Algorithm::RSA)
973 .digest(Digest::SHA_2_256)
974 .purpose(KeyPurpose::ENCRYPT)
975 .purpose(KeyPurpose::DECRYPT)
976 .purpose(KeyPurpose::WRAP_KEY)
977 .padding_mode(PaddingMode::RSA_OAEP)
978 .key_size(2048)
979 .rsa_public_exponent(65537)
980 .cert_not_before(0)
981 .cert_not_after(253402300799000);
982
983 sec_level.importKey(
984 &KeyDescriptor { domain: Domain::APP, nspace: -1, alias: wrapping_key_alias, blob: None },
985 None,
986 &wrapping_key_params,
987 0,
988 wrapping_key_data,
989 )
990}
991
992/// Import wrapped key using given wrapping key.
993pub fn import_wrapped_key(
994 sec_level: &binder::Strong<dyn IKeystoreSecurityLevel>,
995 alias: Option<String>,
996 wrapping_key_metadata: &KeyMetadata,
997 wrapped_key: Option<Vec<u8>>,
998) -> binder::Result<KeyMetadata> {
999 let unwrap_params =
1000 AuthSetBuilder::new().digest(Digest::SHA_2_256).padding_mode(PaddingMode::RSA_OAEP);
1001
1002 let authenticator_spec: &[AuthenticatorSpec] = &[AuthenticatorSpec {
1003 authenticatorType: HardwareAuthenticatorType::NONE,
1004 authenticatorId: 0,
1005 }];
1006
1007 let key_metadata = sec_level.importWrappedKey(
1008 &KeyDescriptor { domain: Domain::APP, nspace: -1, alias, blob: wrapped_key },
1009 &wrapping_key_metadata.key,
1010 None,
1011 &unwrap_params,
1012 authenticator_spec,
1013 )?;
1014
1015 Ok(key_metadata)
1016}
1017
1018/// Import wrapping key and then import wrapped key using wrapping key.
1019pub fn import_wrapping_key_and_wrapped_key(
1020 sec_level: &binder::Strong<dyn IKeystoreSecurityLevel>,
1021 domain: Domain,
1022 nspace: i64,
1023 alias: Option<String>,
1024 wrapping_key_alias: Option<String>,
1025 wrapping_key_params: AuthSetBuilder,
1026) -> binder::Result<KeyMetadata> {
1027 let wrapping_key_metadata = sec_level.importKey(
1028 &KeyDescriptor { domain, nspace, alias: wrapping_key_alias, blob: None },
1029 None,
1030 &wrapping_key_params,
1031 0,
1032 WRAPPING_KEY,
1033 )?;
1034
1035 import_wrapped_key(sec_level, alias, &wrapping_key_metadata, Some(WRAPPED_KEY.to_vec()))
1036}
1037
1038/// Import given key material as AES-256-GCM-NONE transport key.
1039pub fn import_transport_key(
1040 sec_level: &binder::Strong<dyn IKeystoreSecurityLevel>,
1041 transport_key_alias: Option<String>,
1042 transport_key: &[u8],
1043) -> binder::Result<KeyMetadata> {
1044 let transport_key_params = AuthSetBuilder::new()
1045 .no_auth_required()
1046 .algorithm(Algorithm::AES)
1047 .block_mode(BlockMode::GCM)
1048 .padding_mode(PaddingMode::NONE)
1049 .key_size(256)
1050 .caller_nonce()
1051 .min_mac_length(128)
1052 .purpose(KeyPurpose::ENCRYPT)
1053 .purpose(KeyPurpose::DECRYPT);
1054
1055 sec_level.importKey(
1056 &KeyDescriptor { domain: Domain::APP, nspace: -1, alias: transport_key_alias, blob: None },
1057 None,
1058 &transport_key_params,
1059 0,
1060 transport_key,
1061 )
1062}
Rajesh Nyamagoudaf050562022-11-11 01:56:45 +0000[diff] [blame]1063
1064/// Generate EC key with purpose AGREE_KEY.
1065pub fn generate_ec_agree_key(
1066 sec_level: &binder::Strong<dyn IKeystoreSecurityLevel>,
1067 ec_curve: EcCurve,
1068 digest: Digest,
1069 domain: Domain,
1070 nspace: i64,
1071 alias: Option<String>,
1072) -> binder::Result<KeyMetadata> {
1073 let gen_params = AuthSetBuilder::new()
1074 .no_auth_required()
1075 .algorithm(Algorithm::EC)
1076 .purpose(KeyPurpose::AGREE_KEY)
1077 .digest(digest)
1078 .ec_curve(ec_curve);
1079
1080 match sec_level.generateKey(
1081 &KeyDescriptor { domain, nspace, alias, blob: None },
1082 None,
1083 &gen_params,
1084 0,
1085 b"entropy",
1086 ) {
1087 Ok(key_metadata) => {
1088 assert!(key_metadata.certificate.is_some());
1089 if domain == Domain::BLOB {
1090 assert!(key_metadata.key.blob.is_some());
1091 }
1092
1093 Ok(key_metadata)
1094 }
1095 Err(e) => Err(e),
1096 }
1097}
Rajesh Nyamagoud6a823492023-04-07 02:47:27 +0000[diff] [blame]1098
1099/// Helper method to import AES keys `total_count` of times.
1100pub fn import_aes_keys(
1101 sec_level: &binder::Strong<dyn IKeystoreSecurityLevel>,
1102 alias_prefix: String,
1103 total_count: Range<i32>,
1104) -> binder::Result<HashSet<String>> {
1105 let mut imported_key_aliases = HashSet::new();
1106
1107 // Import Total number of keys with given alias prefix.
1108 for count in total_count {
1109 let mut alias = String::new();
1110 write!(alias, "{}_{}", alias_prefix, count).unwrap();
1111 imported_key_aliases.insert(alias.clone());
1112
1113 import_aes_key(sec_level, Domain::APP, -1, Some(alias))?;
1114 }
1115
1116 Ok(imported_key_aliases)
1117}
Rajesh Nyamagouda42dee62022-04-22 21:15:55 +0000[diff] [blame^]1118
1119/// Generate attested EC-P_256 key with device id attestation.
1120pub fn generate_key_with_attest_id(
1121 sec_level: &binder::Strong<dyn IKeystoreSecurityLevel>,
1122 algorithm: Algorithm,
1123 alias: Option<String>,
1124 att_challenge: &[u8],
1125 attest_key: &KeyDescriptor,
1126 attest_id: Tag,
1127 value: Vec<u8>,
1128) -> binder::Result<KeyMetadata> {
1129 assert!(algorithm == Algorithm::RSA || algorithm == Algorithm::EC);
1130
1131 let mut ec_gen_params;
1132 if algorithm == Algorithm::EC {
1133 ec_gen_params = AuthSetBuilder::new()
1134 .no_auth_required()
1135 .algorithm(Algorithm::EC)
1136 .purpose(KeyPurpose::SIGN)
1137 .purpose(KeyPurpose::VERIFY)
1138 .digest(Digest::SHA_2_256)
1139 .ec_curve(EcCurve::P_256)
1140 .attestation_challenge(att_challenge.to_vec());
1141 } else {
1142 ec_gen_params = AuthSetBuilder::new()
1143 .no_auth_required()
1144 .algorithm(Algorithm::RSA)
1145 .rsa_public_exponent(65537)
1146 .key_size(2048)
1147 .purpose(KeyPurpose::SIGN)
1148 .purpose(KeyPurpose::VERIFY)
1149 .digest(Digest::SHA_2_256)
1150 .padding_mode(PaddingMode::RSA_PKCS1_1_5_SIGN)
1151 .attestation_challenge(att_challenge.to_vec());
1152 }
1153
1154 match attest_id {
1155 Tag::ATTESTATION_ID_BRAND => {
1156 ec_gen_params = ec_gen_params.attestation_device_brand(value);
1157 }
1158 Tag::ATTESTATION_ID_DEVICE => {
1159 ec_gen_params = ec_gen_params.attestation_device_name(value);
1160 }
1161 Tag::ATTESTATION_ID_PRODUCT => {
1162 ec_gen_params = ec_gen_params.attestation_device_product_name(value);
1163 }
1164 Tag::ATTESTATION_ID_SERIAL => {
1165 ec_gen_params = ec_gen_params.attestation_device_serial(value);
1166 }
1167 Tag::ATTESTATION_ID_MANUFACTURER => {
1168 ec_gen_params = ec_gen_params.attestation_device_manufacturer(value);
1169 }
1170 Tag::ATTESTATION_ID_MODEL => {
1171 ec_gen_params = ec_gen_params.attestation_device_model(value);
1172 }
1173 Tag::ATTESTATION_ID_IMEI => {
1174 ec_gen_params = ec_gen_params.attestation_device_imei(value);
1175 }
1176 Tag::ATTESTATION_ID_SECOND_IMEI => {
1177 ec_gen_params = ec_gen_params.attestation_device_second_imei(value);
1178 }
1179 _ => {
1180 panic!("Unknown attestation id");
1181 }
1182 }
1183
1184 sec_level.generateKey(
1185 &KeyDescriptor { domain: Domain::APP, nspace: -1, alias, blob: None },
1186 Some(attest_key),
1187 &ec_gen_params,
1188 0,
1189 b"entropy",
1190 )
1191}