Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_security / e79fe80acff1b0b9c7f63032191923f5b0aaec6b / . / keystore2 / test_utils / key_generations.rs
blob: 0ffc32afd1c37c243ea1b36ebacaec11f481ef59 [file] [log] [blame]
Rajesh Nyamagoud901386c2022-03-21 20:35:18 +0000[diff] [blame]1// Copyright 2022, The Android Open Source Project
2//
3// Licensed under the Apache License, Version 2.0 (the "License");
4// you may not use this file except in compliance with the License.
5// You may obtain a copy of the License at
6//
7// http://www.apache.org/licenses/LICENSE-2.0
8//
9// Unless required by applicable law or agreed to in writing, software
10// distributed under the License is distributed on an "AS IS" BASIS,
11// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12// See the License for the specific language governing permissions and
13// limitations under the License.
14
15//! This module implements test utils to generate various types of keys.
16
Rajesh Nyamagoudb881d512021-12-10 00:33:15 +0000[diff] [blame]17use anyhow::Result;
Rajesh Nyamagoud6a823492023-04-07 02:47:27 +0000[diff] [blame]18use core::ops::Range;
Rajesh Nyamagoud75dfa0c2023-05-11 00:31:40 +0000[diff] [blame]19use nix::unistd::getuid;
Rajesh Nyamagoud6a823492023-04-07 02:47:27 +0000[diff] [blame]20use std::collections::HashSet;
21use std::fmt::Write;
22
Rajesh Nyamagoud75dfa0c2023-05-11 00:31:40 +0000[diff] [blame]23use binder::ThreadState;
24
Rajesh Nyamagoud901386c2022-03-21 20:35:18 +0000[diff] [blame]25use android_hardware_security_keymint::aidl::android::hardware::security::keymint::{
Rajesh Nyamagoud11912ea2021-12-20 20:37:20 +0000[diff] [blame]26 Algorithm::Algorithm, BlockMode::BlockMode, Digest::Digest, EcCurve::EcCurve,
Rajesh Nyamagoudc946cc42022-04-12 22:49:11 +0000[diff] [blame]27 ErrorCode::ErrorCode, HardwareAuthenticatorType::HardwareAuthenticatorType,
28 KeyOrigin::KeyOrigin, KeyParameter::KeyParameter, KeyParameterValue::KeyParameterValue,
Rajesh Nyamagoud5f6db2f2023-06-01 17:22:32 +0000[diff] [blame]29 KeyPurpose::KeyPurpose, PaddingMode::PaddingMode, SecurityLevel::SecurityLevel, Tag::Tag,
Rajesh Nyamagoud901386c2022-03-21 20:35:18 +0000[diff] [blame]30};
31use android_system_keystore2::aidl::android::system::keystore2::{
Rajesh Nyamagoud75dfa0c2023-05-11 00:31:40 +0000[diff] [blame]32 AuthenticatorSpec::AuthenticatorSpec, Authorization::Authorization,
33 CreateOperationResponse::CreateOperationResponse, Domain::Domain,
Rajesh Nyamagoudc946cc42022-04-12 22:49:11 +0000[diff] [blame]34 IKeystoreSecurityLevel::IKeystoreSecurityLevel, KeyDescriptor::KeyDescriptor,
35 KeyMetadata::KeyMetadata, ResponseCode::ResponseCode,
Rajesh Nyamagoud901386c2022-03-21 20:35:18 +0000[diff] [blame]36};
37
38use crate::authorizations::AuthSetBuilder;
Rajesh Nyamagoudb881d512021-12-10 00:33:15 +0000[diff] [blame]39use android_system_keystore2::binder::{ExceptionCode, Result as BinderResult};
Rajesh Nyamagoud901386c2022-03-21 20:35:18 +0000[diff] [blame]40
Rajesh Nyamagoud5f6db2f2023-06-01 17:22:32 +0000[diff] [blame]41use crate::ffi_test_utils::{
42 get_os_patchlevel, get_os_version, get_value_from_attest_record, get_vendor_patchlevel,
43 validate_certchain,
44};
Rajesh Nyamagoud75dfa0c2023-05-11 00:31:40 +0000[diff] [blame]45
Rajesh Nyamagoudb881d512021-12-10 00:33:15 +0000[diff] [blame]46/// Shell namespace.
47pub const SELINUX_SHELL_NAMESPACE: i64 = 1;
Rajesh Nyamagouddc6fb232021-12-08 21:27:15 +0000[diff] [blame]48/// Vold namespace.
49pub const SELINUX_VOLD_NAMESPACE: i64 = 100;
Rajesh Nyamagoud901386c2022-03-21 20:35:18 +0000[diff] [blame]50
Rajesh Nyamagoudfa7c0f12021-12-02 17:15:48 +0000[diff] [blame]51/// SU context.
52pub const TARGET_SU_CTX: &str = "u:r:su:s0";
53
54/// Vold context
55pub const TARGET_VOLD_CTX: &str = "u:r:vold:s0";
56
Rajesh Nyamagoudd0213ef2023-05-04 00:29:55 +0000[diff] [blame]57/// Allowed tags in generated/imported key authorizations.
58/// See hardware/interfaces/security/keymint/aidl/android/hardware/security/keymint/Tag.aidl for the
59/// list feature tags.
60/// Note: This list need to be updated whenever a new Tag is introduced and is expected to be added
61/// in key authorizations.
62pub const ALLOWED_TAGS_IN_KEY_AUTHS: &[Tag] = &[
63 Tag::ACTIVE_DATETIME,
64 Tag::ALGORITHM,
65 Tag::ALLOW_WHILE_ON_BODY,
66 Tag::AUTH_TIMEOUT,
67 Tag::BLOCK_MODE,
68 Tag::BOOTLOADER_ONLY,
69 Tag::BOOT_PATCHLEVEL,
70 Tag::CALLER_NONCE,
71 Tag::CREATION_DATETIME,
72 Tag::DIGEST,
73 Tag::EARLY_BOOT_ONLY,
74 Tag::EC_CURVE,
75 Tag::IDENTITY_CREDENTIAL_KEY,
76 Tag::INCLUDE_UNIQUE_ID,
77 Tag::KEY_SIZE,
78 Tag::MAX_BOOT_LEVEL,
79 Tag::MAX_USES_PER_BOOT,
80 Tag::MIN_MAC_LENGTH,
81 Tag::NO_AUTH_REQUIRED,
82 Tag::ORIGIN,
83 Tag::ORIGINATION_EXPIRE_DATETIME,
84 Tag::OS_PATCHLEVEL,
85 Tag::OS_VERSION,
86 Tag::PADDING,
87 Tag::PURPOSE,
88 Tag::ROLLBACK_RESISTANCE,
89 Tag::RSA_OAEP_MGF_DIGEST,
90 Tag::RSA_PUBLIC_EXPONENT,
91 Tag::STORAGE_KEY,
92 Tag::TRUSTED_CONFIRMATION_REQUIRED,
93 Tag::TRUSTED_USER_PRESENCE_REQUIRED,
94 Tag::UNLOCKED_DEVICE_REQUIRED,
95 Tag::USAGE_COUNT_LIMIT,
96 Tag::USAGE_EXPIRE_DATETIME,
97 Tag::USER_AUTH_TYPE,
98 Tag::USER_ID,
99 Tag::USER_SECURE_ID,
100 Tag::VENDOR_PATCHLEVEL,
101];
102
Rajesh Nyamagoud11912ea2021-12-20 20:37:20 +0000[diff] [blame]103/// Key parameters to generate a key.
104pub struct KeyParams {
105 /// Key Size.
106 pub key_size: i32,
107 /// Key Purposes.
108 pub purpose: Vec<KeyPurpose>,
109 /// Padding Mode.
110 pub padding: Option<PaddingMode>,
111 /// Digest.
112 pub digest: Option<Digest>,
113 /// MFG Digest.
114 pub mgf_digest: Option<Digest>,
115 /// Block Mode.
116 pub block_mode: Option<BlockMode>,
117 /// Attestation challenge.
118 pub att_challenge: Option<Vec<u8>>,
Rajesh Nyamagoud11912ea2021-12-20 20:37:20 +0000[diff] [blame]119}
120
Rajesh Nyamagoudb8402b62022-04-08 01:05:47 +0000[diff] [blame]121/// DER-encoded PKCS#8 format RSA key. Generated using:
122/// openssl genrsa 2048 | openssl pkcs8 -topk8 -nocrypt -outform der | hexdump -e '30/1 "%02X" "\n"'
123pub static RSA_2048_KEY: &[u8] = &[
124 0x30, 0x82, 0x04, 0xBD, 0x02, 0x01, 0x00, 0x30, 0x0D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7,
125 0x0D, 0x01, 0x01, 0x01, 0x05, 0x00, 0x04, 0x82, 0x04, 0xA7, 0x30, 0x82, 0x04, 0xA3, 0x02, 0x01,
126 0x00, 0x02, 0x82, 0x01, 0x01, 0x00, 0xE5, 0x14, 0xE3, 0xC2, 0x43, 0xF3, 0x0F, 0xCC, 0x22, 0x73,
127 0x9C, 0x84, 0xCC, 0x1B, 0x6C, 0x97, 0x4B, 0xC9, 0xDF, 0x1F, 0xE2, 0xB8, 0x80, 0x85, 0xF9, 0x27,
128 0xAB, 0x97, 0x94, 0x58, 0x4B, 0xC9, 0x40, 0x94, 0x5A, 0xB4, 0xD4, 0xF8, 0xD0, 0x36, 0xC4, 0x86,
129 0x17, 0x7D, 0xA2, 0x48, 0x6D, 0x40, 0xF0, 0xB9, 0x61, 0x4F, 0xCE, 0x65, 0x80, 0x88, 0x81, 0x59,
130 0x95, 0x11, 0x24, 0xF4, 0x36, 0xB7, 0xB7, 0x37, 0x44, 0xF4, 0x6C, 0x1C, 0xEB, 0x04, 0x19, 0x78,
131 0xB2, 0x29, 0x4D, 0x21, 0x44, 0x16, 0x57, 0x58, 0x6D, 0x7D, 0x56, 0xB5, 0x99, 0xDD, 0xD2, 0xAD,
132 0x02, 0x9A, 0x72, 0x16, 0x67, 0xD6, 0x00, 0x9F, 0x69, 0xE0, 0x25, 0xEE, 0x7C, 0x86, 0x54, 0x27,
133 0x4B, 0x50, 0xEF, 0x60, 0x52, 0x60, 0x82, 0xAA, 0x09, 0x15, 0x72, 0xD2, 0xEB, 0x01, 0x52, 0x04,
134 0x39, 0x60, 0xBC, 0x5E, 0x95, 0x07, 0xC8, 0xC2, 0x3A, 0x3A, 0xE2, 0xA4, 0x99, 0x6B, 0x27, 0xE3,
135 0xA3, 0x55, 0x69, 0xC4, 0xB3, 0x2D, 0x19, 0xC4, 0x34, 0x76, 0xFC, 0x27, 0xDA, 0x22, 0xB2, 0x62,
136 0x69, 0x25, 0xDE, 0x0D, 0xE7, 0x54, 0x3C, 0xBB, 0x61, 0xD2, 0x20, 0xDA, 0x7B, 0x6E, 0x63, 0xBD,
137 0x9A, 0x4B, 0xCD, 0x75, 0xC6, 0xA1, 0x5E, 0x1C, 0x3E, 0xD5, 0x63, 0x59, 0x22, 0x7E, 0xE0, 0x6C,
138 0x98, 0x25, 0x63, 0x97, 0x56, 0xDF, 0x71, 0xF5, 0x4C, 0x78, 0xE9, 0xE1, 0xD5, 0xFC, 0xF8, 0x5A,
139 0x5B, 0xF6, 0x1D, 0xFA, 0x5A, 0x99, 0x4C, 0x99, 0x19, 0x21, 0x1D, 0xF5, 0x24, 0x07, 0xEF, 0x8A,
140 0xC9, 0x9F, 0xE7, 0x3F, 0xBB, 0x46, 0x1A, 0x16, 0x96, 0xC6, 0xD6, 0x12, 0x7E, 0xDA, 0xCB, 0xEB,
141 0x2F, 0x1D, 0x3B, 0x31, 0xCC, 0x55, 0x63, 0xA2, 0x6F, 0x8A, 0xDE, 0x35, 0x52, 0x40, 0x04, 0xBF,
142 0xE0, 0x82, 0x32, 0xE1, 0x6D, 0x8B, 0x02, 0x03, 0x01, 0x00, 0x01, 0x02, 0x82, 0x01, 0x00, 0x2D,
143 0x1F, 0x71, 0x41, 0x79, 0xBA, 0xED, 0xD8, 0xAA, 0xCC, 0x94, 0xFE, 0xFF, 0x69, 0x43, 0x79, 0x85,
144 0xBF, 0x2C, 0xC9, 0x0E, 0x12, 0x83, 0x96, 0x60, 0x1E, 0x75, 0x49, 0x35, 0x3A, 0x33, 0x2B, 0x60,
145 0x22, 0x18, 0xBF, 0xD7, 0xD7, 0x6E, 0xC3, 0xEA, 0xEF, 0xF2, 0xBE, 0x97, 0x71, 0xA6, 0xBB, 0x8C,
146 0xEF, 0x27, 0x00, 0xDE, 0x49, 0xD6, 0x08, 0x8D, 0x5A, 0x04, 0xE7, 0xCC, 0x9C, 0xA2, 0x0E, 0x8B,
147 0xF3, 0x42, 0x0C, 0xD7, 0x22, 0xD7, 0x14, 0x06, 0xA4, 0x64, 0x8B, 0x88, 0x1A, 0xCE, 0x5B, 0x8C,
148 0x36, 0xE9, 0xD2, 0x2F, 0x7B, 0x33, 0xE4, 0xA2, 0xB3, 0xDB, 0x78, 0x6A, 0x92, 0x89, 0x3F, 0x78,
149 0xFD, 0xED, 0x8F, 0xEE, 0x48, 0xCC, 0x94, 0x75, 0x0D, 0x0C, 0x63, 0xD3, 0xD2, 0xE8, 0x47, 0x04,
150 0x55, 0xD3, 0xD6, 0x3A, 0xB8, 0xDA, 0xFB, 0x76, 0x99, 0x48, 0x68, 0x0A, 0x92, 0xA2, 0xCD, 0xF7,
151 0x45, 0x8B, 0x50, 0xFE, 0xF9, 0x1A, 0x33, 0x24, 0x3C, 0x2E, 0xDE, 0x88, 0xAD, 0xB2, 0x5B, 0x9F,
152 0x44, 0xEA, 0xD1, 0x9F, 0xC7, 0x9F, 0x02, 0x5E, 0x31, 0x61, 0xB3, 0xD6, 0xE2, 0xE1, 0xBC, 0xFB,
153 0x1C, 0xDB, 0xBD, 0xB2, 0x9A, 0xE5, 0xEF, 0xDA, 0xCD, 0x29, 0xA5, 0x45, 0xCC, 0x67, 0x01, 0x8B,
154 0x1C, 0x1D, 0x0E, 0x8F, 0x73, 0x69, 0x4D, 0x4D, 0xF6, 0x9D, 0xA6, 0x6C, 0x9A, 0x1C, 0xF4, 0x5C,
155 0xE4, 0x83, 0x9A, 0x77, 0x12, 0x01, 0xBD, 0xCE, 0x66, 0x3A, 0x4B, 0x3D, 0x6E, 0xE0, 0x6E, 0x82,
156 0x98, 0xDE, 0x74, 0x11, 0x47, 0xEC, 0x7A, 0x3A, 0xA9, 0xD8, 0x48, 0x00, 0x26, 0x64, 0x47, 0x7B,
157 0xAE, 0x55, 0x9D, 0x29, 0x22, 0xB4, 0xB3, 0xB9, 0xB1, 0x64, 0xEA, 0x3B, 0x5A, 0xD3, 0x3F, 0x8D,
158 0x0F, 0x14, 0x7E, 0x4E, 0xB8, 0x1B, 0x06, 0xFC, 0xB1, 0x7E, 0xCD, 0xB9, 0x1A, 0x4E, 0xA1, 0x02,
159 0x81, 0x81, 0x00, 0xF9, 0xDE, 0xEE, 0xED, 0x13, 0x2F, 0xBB, 0xE7, 0xE2, 0xB3, 0x2D, 0x98, 0xD2,
160 0xE8, 0x25, 0x07, 0x5A, 0x1E, 0x51, 0x0A, 0xC8, 0xAD, 0x50, 0x4B, 0x80, 0xC6, 0x22, 0xF5, 0x9B,
161 0x08, 0xE6, 0x3D, 0x01, 0xC6, 0x3E, 0xC8, 0xD2, 0x54, 0x9F, 0x91, 0x77, 0x95, 0xCD, 0xCA, 0xC7,
162 0xE7, 0x47, 0x94, 0xA9, 0x5F, 0x4E, 0xBE, 0x31, 0x3D, 0xB4, 0xAF, 0x43, 0x0F, 0xDC, 0x8D, 0x9C,
163 0x1E, 0x52, 0x7B, 0x72, 0x21, 0x34, 0xB3, 0x96, 0x7C, 0x9C, 0xB8, 0x51, 0x65, 0x60, 0xAC, 0x3D,
164 0x11, 0x32, 0xB8, 0xD6, 0x34, 0x35, 0x66, 0xD0, 0x30, 0xB9, 0xE9, 0x67, 0x2C, 0x87, 0x73, 0x43,
165 0x9C, 0x12, 0x16, 0x7D, 0x4A, 0xD9, 0xA3, 0x4C, 0x24, 0x64, 0x6A, 0x32, 0x8E, 0xC3, 0xD8, 0x00,
166 0x90, 0x5C, 0x4D, 0x65, 0x01, 0x53, 0x8A, 0xD0, 0x87, 0xCE, 0x96, 0xEF, 0xFA, 0x73, 0x03, 0xF1,
167 0xDC, 0x1B, 0x9B, 0x02, 0x81, 0x81, 0x00, 0xEA, 0xB3, 0x69, 0x00, 0x11, 0x0E, 0x50, 0xAA, 0xD3,
168 0x22, 0x51, 0x78, 0x9D, 0xFF, 0x05, 0x62, 0xBC, 0x9A, 0x67, 0x86, 0xE1, 0xC5, 0x02, 0x2D, 0x14,
169 0x11, 0x29, 0x30, 0xE7, 0x90, 0x5D, 0x72, 0x6F, 0xC5, 0x62, 0xEB, 0xD4, 0xB0, 0x3F, 0x3D, 0xDC,
170 0xB9, 0xFC, 0x2B, 0x5C, 0xBD, 0x9E, 0x71, 0x81, 0x5C, 0xC5, 0xFE, 0xDF, 0x69, 0x73, 0x12, 0x66,
171 0x92, 0x06, 0xD4, 0xD5, 0x8F, 0xDF, 0x14, 0x2E, 0x9C, 0xD0, 0x4C, 0xC2, 0x4D, 0x31, 0x2E, 0x47,
172 0xA5, 0xDC, 0x8A, 0x83, 0x7B, 0xE8, 0xA5, 0xC3, 0x03, 0x98, 0xD8, 0xBF, 0xF4, 0x7D, 0x6E, 0x87,
173 0x55, 0xE4, 0x0F, 0x15, 0x10, 0xC8, 0x76, 0x4F, 0xAD, 0x1D, 0x1C, 0x95, 0x41, 0x9D, 0x88, 0xEC,
174 0x8C, 0xDA, 0xBA, 0x90, 0x7F, 0x8D, 0xD9, 0x8B, 0x47, 0x6C, 0x0C, 0xFF, 0xBA, 0x73, 0x00, 0x20,
175 0x1F, 0xF7, 0x7E, 0x5F, 0xF4, 0xEC, 0xD1, 0x02, 0x81, 0x80, 0x16, 0xB7, 0x43, 0xB5, 0x5D, 0xD7,
176 0x2B, 0x18, 0x0B, 0xAE, 0x0A, 0x69, 0x28, 0x53, 0x5E, 0x7A, 0x6A, 0xA0, 0xF2, 0xF1, 0x2E, 0x09,
177 0x43, 0x91, 0x79, 0xA5, 0x89, 0xAC, 0x16, 0x6A, 0x1A, 0xB4, 0x55, 0x22, 0xF6, 0xB6, 0x3F, 0x18,
178 0xDE, 0x60, 0xD5, 0x24, 0x53, 0x4F, 0x2A, 0x19, 0x46, 0x92, 0xA7, 0x4B, 0x38, 0xD7, 0x65, 0x96,
179 0x9C, 0x84, 0x8A, 0x6E, 0x38, 0xB8, 0xCF, 0x06, 0x9A, 0xAD, 0x0A, 0x55, 0x26, 0x7B, 0x65, 0x24,
180 0xF3, 0x02, 0x76, 0xB3, 0xE6, 0xB4, 0x01, 0xE1, 0x3C, 0x61, 0x3D, 0x68, 0x05, 0xAA, 0xD1, 0x26,
181 0x7C, 0xE0, 0x51, 0x36, 0xE5, 0x21, 0x7F, 0x76, 0x02, 0xD6, 0xF4, 0x91, 0x07, 0x74, 0x27, 0x09,
182 0xEF, 0xEF, 0x0F, 0xA5, 0x96, 0xFC, 0x5E, 0x20, 0xC1, 0xA3, 0x6F, 0x99, 0x4D, 0x45, 0x03, 0x6C,
183 0x35, 0x45, 0xD7, 0x8F, 0x47, 0x41, 0x86, 0x8D, 0x62, 0x1D, 0x02, 0x81, 0x81, 0x00, 0xC3, 0x93,
184 0x85, 0xA7, 0xFC, 0x8E, 0x85, 0x42, 0x14, 0x76, 0xC0, 0x95, 0x56, 0x73, 0xB0, 0xB5, 0x3A, 0x9D,
185 0x20, 0x30, 0x11, 0xEA, 0xED, 0x89, 0x4A, 0xF3, 0x91, 0xF3, 0xA2, 0xC3, 0x76, 0x5B, 0x6A, 0x30,
186 0x7D, 0xE2, 0x2F, 0x76, 0x3E, 0xFC, 0xF9, 0xF6, 0x31, 0xE0, 0xA0, 0x83, 0x92, 0x88, 0xDB, 0x57,
187 0xC7, 0xD6, 0x3F, 0xAD, 0xCB, 0xAA, 0x45, 0xB6, 0xE1, 0xE2, 0x71, 0xA4, 0x56, 0x2C, 0xA7, 0x3B,
188 0x1D, 0x89, 0x19, 0x50, 0xE1, 0xEE, 0xC2, 0xDD, 0xC0, 0x0D, 0xDC, 0xCB, 0x60, 0x6E, 0xE1, 0x37,
189 0x1A, 0x23, 0x64, 0xB2, 0x03, 0xE4, 0x1A, 0xFA, 0xC3, 0xF4, 0x9D, 0x85, 0x42, 0xC6, 0xF4, 0x56,
190 0x39, 0xB0, 0x1B, 0xE0, 0x75, 0xBA, 0x28, 0x04, 0xA8, 0x30, 0x57, 0x41, 0x33, 0x9F, 0x58, 0xA4,
191 0xC7, 0xB1, 0x7D, 0x58, 0x8D, 0x84, 0x49, 0x40, 0xDA, 0x28, 0x81, 0x25, 0xC4, 0x41, 0x02, 0x81,
192 0x80, 0x13, 0x20, 0x65, 0xD5, 0x96, 0x98, 0x8D, 0x16, 0x73, 0xA1, 0x31, 0x73, 0x79, 0xBA, 0xEC,
193 0xB0, 0xD9, 0x0C, 0xF6, 0xEF, 0x2F, 0xC2, 0xE7, 0x96, 0x9B, 0xA1, 0x2D, 0xE9, 0xFB, 0x45, 0xB9,
194 0xD0, 0x30, 0xE2, 0xBD, 0x30, 0x4F, 0xB6, 0xFE, 0x24, 0x02, 0xCF, 0x8D, 0x51, 0x48, 0x45, 0xD9,
195 0xF7, 0x20, 0x53, 0x1C, 0x0B, 0xA9, 0x7E, 0xC2, 0xA2, 0x65, 0xCC, 0x3E, 0x0E, 0x0D, 0xF1, 0x62,
196 0xDD, 0x5F, 0xBC, 0x55, 0x9B, 0x58, 0x26, 0x40, 0x6A, 0xEE, 0x02, 0x55, 0x36, 0xE9, 0xBA, 0x82,
197 0x5A, 0xFD, 0x3C, 0xDF, 0xA6, 0x26, 0x32, 0x81, 0xA9, 0x5E, 0x46, 0xBE, 0xBA, 0xDC, 0xD3, 0x2A,
198 0x3A, 0x3B, 0xC1, 0x4E, 0xF7, 0x1A, 0xDC, 0x4B, 0xAF, 0x67, 0x1B, 0x3A, 0x83, 0x0D, 0x04, 0xDE,
199 0x27, 0x47, 0xFC, 0xE6, 0x39, 0x89, 0x7B, 0x66, 0xF9, 0x50, 0x4D, 0xF1, 0xAC, 0x20, 0x43, 0x7E,
200 0xEE,
201];
202
203/// DER-encoded PKCS#8 format EC key. Generated using:
204/// openssl ecparam -name prime256v1 -genkey | openssl pkcs8 -topk8 -nocrypt -outform der | hexdump -e '30/1 "%02X" "\n"'
205pub static EC_P_256_KEY: &[u8] = &[
206 0x30, 0x81, 0x87, 0x02, 0x01, 0x00, 0x30, 0x13, 0x06, 0x07, 0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x02,
207 0x01, 0x06, 0x08, 0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x03, 0x01, 0x07, 0x04, 0x6D, 0x30, 0x6B, 0x02,
208 0x01, 0x01, 0x04, 0x20, 0xB9, 0x1D, 0xAF, 0x50, 0xFD, 0xD8, 0x6A, 0x40, 0xAB, 0x2C, 0xCB, 0x54,
209 0x4E, 0xED, 0xF1, 0x64, 0xBC, 0x30, 0x25, 0xFB, 0xC4, 0x69, 0x00, 0x34, 0x1A, 0x82, 0xA3, 0x72,
210 0x5D, 0xC7, 0xA9, 0x85, 0xA1, 0x44, 0x03, 0x42, 0x00, 0x04, 0xE8, 0x53, 0x0A, 0xF2, 0xD3, 0x68,
211 0x40, 0x48, 0x8C, 0xB4, 0x2F, 0x11, 0x34, 0xD7, 0xF4, 0x4A, 0x5C, 0x33, 0xFF, 0xF6, 0x2B, 0xF7,
212 0x98, 0x0F, 0x02, 0xA5, 0xD7, 0x4F, 0xF9, 0xDE, 0x60, 0x9C, 0x6E, 0xB0, 0x45, 0xDA, 0x3F, 0xF4,
213 0x34, 0x23, 0x9B, 0x4C, 0x3A, 0x09, 0x9C, 0x5E, 0x5D, 0x37, 0x96, 0xAC, 0x4A, 0xE7, 0x65, 0x2B,
214 0xD6, 0x84, 0x98, 0xEA, 0x96, 0x91, 0xFB, 0x78, 0xED, 0x86,
215];
216
Rajesh Nyamagoudc946cc42022-04-12 22:49:11 +0000[diff] [blame]217/// DER-encoded PKCS#8 format RSA key -
218/// Size: 2048
219/// Public Exponent: 65537
220/// Purpose: WRAP_KEY, ENCRYPT, DECRYPT
221/// Encryption scheme: RSAES-PKCS1-v1_5
222/// Digest: SHA_2_256
223/// Padding: RSA_OAEP
224/// This sample wrapping_key is taken from KeyMint tests
225/// (see hardware/interfaces/security/keymint/aidl/vts/functional/KeyMintTest.cpp).
226/// Similarly more test keys can be generated with below command -
227/// openssl genrsa 2048 | openssl pkcs8 -topk8 -nocrypt -outform der | hexdump -e '30/1 "%02X" "\n"'
228pub static WRAPPING_KEY: &[u8] = &[
229 0x30, 0x82, 0x04, 0xbe, 0x02, 0x01, 0x00, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7,
230 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x04, 0x82, 0x04, 0xa8, 0x30, 0x82, 0x04, 0xa4, 0x02, 0x01,
231 0x00, 0x02, 0x82, 0x01, 0x01, 0x00, 0xae, 0xc3, 0x67, 0x93, 0x1d, 0x89, 0x00, 0xce, 0x56, 0xb0,
232 0x06, 0x7f, 0x7d, 0x70, 0xe1, 0xfc, 0x65, 0x3f, 0x3f, 0x34, 0xd1, 0x94, 0xc1, 0xfe, 0xd5, 0x00,
233 0x18, 0xfb, 0x43, 0xdb, 0x93, 0x7b, 0x06, 0xe6, 0x73, 0xa8, 0x37, 0x31, 0x3d, 0x56, 0xb1, 0xc7,
234 0x25, 0x15, 0x0a, 0x3f, 0xef, 0x86, 0xac, 0xbd, 0xdc, 0x41, 0xbb, 0x75, 0x9c, 0x28, 0x54, 0xea,
235 0xe3, 0x2d, 0x35, 0x84, 0x1e, 0xfb, 0x5c, 0x18, 0xd8, 0x2b, 0xc9, 0x0a, 0x1c, 0xb5, 0xc1, 0xd5,
236 0x5a, 0xdf, 0x24, 0x5b, 0x02, 0x91, 0x1f, 0x0b, 0x7c, 0xda, 0x88, 0xc4, 0x21, 0xff, 0x0e, 0xba,
237 0xfe, 0x7c, 0x0d, 0x23, 0xbe, 0x31, 0x2d, 0x7b, 0xd5, 0x92, 0x1f, 0xfa, 0xea, 0x13, 0x47, 0xc1,
238 0x57, 0x40, 0x6f, 0xef, 0x71, 0x8f, 0x68, 0x26, 0x43, 0xe4, 0xe5, 0xd3, 0x3c, 0x67, 0x03, 0xd6,
239 0x1c, 0x0c, 0xf7, 0xac, 0x0b, 0xf4, 0x64, 0x5c, 0x11, 0xf5, 0xc1, 0x37, 0x4c, 0x38, 0x86, 0x42,
240 0x74, 0x11, 0xc4, 0x49, 0x79, 0x67, 0x92, 0xe0, 0xbe, 0xf7, 0x5d, 0xec, 0x85, 0x8a, 0x21, 0x23,
241 0xc3, 0x67, 0x53, 0xe0, 0x2a, 0x95, 0xa9, 0x6d, 0x7c, 0x45, 0x4b, 0x50, 0x4d, 0xe3, 0x85, 0xa6,
242 0x42, 0xe0, 0xdf, 0xc3, 0xe6, 0x0a, 0xc3, 0xa7, 0xee, 0x49, 0x91, 0xd0, 0xd4, 0x8b, 0x01, 0x72,
243 0xa9, 0x5f, 0x95, 0x36, 0xf0, 0x2b, 0xa1, 0x3c, 0xec, 0xcc, 0xb9, 0x2b, 0x72, 0x7d, 0xb5, 0xc2,
244 0x7e, 0x5b, 0x2f, 0x5c, 0xec, 0x09, 0x60, 0x0b, 0x28, 0x6a, 0xf5, 0xcf, 0x14, 0xc4, 0x20, 0x24,
245 0xc6, 0x1d, 0xdf, 0xe7, 0x1c, 0x2a, 0x8d, 0x74, 0x58, 0xf1, 0x85, 0x23, 0x4c, 0xb0, 0x0e, 0x01,
246 0xd2, 0x82, 0xf1, 0x0f, 0x8f, 0xc6, 0x72, 0x1d, 0x2a, 0xed, 0x3f, 0x48, 0x33, 0xcc, 0xa2, 0xbd,
247 0x8f, 0xa6, 0x28, 0x21, 0xdd, 0x55, 0x02, 0x03, 0x01, 0x00, 0x01, 0x02, 0x82, 0x01, 0x00, 0x43,
248 0x14, 0x47, 0xb6, 0x25, 0x19, 0x08, 0x11, 0x2b, 0x1e, 0xe7, 0x6f, 0x99, 0xf3, 0x71, 0x1a, 0x52,
249 0xb6, 0x63, 0x09, 0x60, 0x04, 0x6c, 0x2d, 0xe7, 0x0d, 0xe1, 0x88, 0xd8, 0x33, 0xf8, 0xb8, 0xb9,
250 0x1e, 0x4d, 0x78, 0x5c, 0xae, 0xee, 0xaf, 0x4f, 0x0f, 0x74, 0x41, 0x4e, 0x2c, 0xda, 0x40, 0x64,
251 0x1f, 0x7f, 0xe2, 0x4f, 0x14, 0xc6, 0x7a, 0x88, 0x95, 0x9b, 0xdb, 0x27, 0x76, 0x6d, 0xf9, 0xe7,
252 0x10, 0xb6, 0x30, 0xa0, 0x3a, 0xdc, 0x68, 0x3b, 0x5d, 0x2c, 0x43, 0x08, 0x0e, 0x52, 0xbe, 0xe7,
253 0x1e, 0x9e, 0xae, 0xb6, 0xde, 0x29, 0x7a, 0x5f, 0xea, 0x10, 0x72, 0x07, 0x0d, 0x18, 0x1c, 0x82,
254 0x2b, 0xcc, 0xff, 0x08, 0x7d, 0x63, 0xc9, 0x40, 0xba, 0x8a, 0x45, 0xf6, 0x70, 0xfe, 0xb2, 0x9f,
255 0xb4, 0x48, 0x4d, 0x1c, 0x95, 0xe6, 0xd2, 0x57, 0x9b, 0xa0, 0x2a, 0xae, 0x0a, 0x00, 0x90, 0x0c,
256 0x3e, 0xbf, 0x49, 0x0e, 0x3d, 0x2c, 0xd7, 0xee, 0x8d, 0x0e, 0x20, 0xc5, 0x36, 0xe4, 0xdc, 0x5a,
257 0x50, 0x97, 0x27, 0x28, 0x88, 0xcd, 0xdd, 0x7e, 0x91, 0xf2, 0x28, 0xb1, 0xc4, 0xd7, 0x47, 0x4c,
258 0x55, 0xb8, 0xfc, 0xd6, 0x18, 0xc4, 0xa9, 0x57, 0xbb, 0xdd, 0xd5, 0xad, 0x74, 0x07, 0xcc, 0x31,
259 0x2d, 0x8d, 0x98, 0xa5, 0xca, 0xf7, 0xe0, 0x8f, 0x4a, 0x0d, 0x6b, 0x45, 0xbb, 0x41, 0xc6, 0x52,
260 0x65, 0x9d, 0x5a, 0x5b, 0xa0, 0x5b, 0x66, 0x37, 0x37, 0xa8, 0x69, 0x62, 0x81, 0x86, 0x5b, 0xa2,
261 0x0f, 0xbd, 0xd7, 0xf8, 0x51, 0xe6, 0xc5, 0x6e, 0x8c, 0xbe, 0x0d, 0xdb, 0xbf, 0x24, 0xdc, 0x03,
262 0xb2, 0xd2, 0xcb, 0x4c, 0x3d, 0x54, 0x0f, 0xb0, 0xaf, 0x52, 0xe0, 0x34, 0xa2, 0xd0, 0x66, 0x98,
263 0xb1, 0x28, 0xe5, 0xf1, 0x01, 0xe3, 0xb5, 0x1a, 0x34, 0xf8, 0xd8, 0xb4, 0xf8, 0x61, 0x81, 0x02,
264 0x81, 0x81, 0x00, 0xde, 0x39, 0x2e, 0x18, 0xd6, 0x82, 0xc8, 0x29, 0x26, 0x6c, 0xc3, 0x45, 0x4e,
265 0x1d, 0x61, 0x66, 0x24, 0x2f, 0x32, 0xd9, 0xa1, 0xd1, 0x05, 0x77, 0x75, 0x3e, 0x90, 0x4e, 0xa7,
266 0xd0, 0x8b, 0xff, 0x84, 0x1b, 0xe5, 0xba, 0xc8, 0x2a, 0x16, 0x4c, 0x59, 0x70, 0x00, 0x70, 0x47,
267 0xb8, 0xc5, 0x17, 0xdb, 0x8f, 0x8f, 0x84, 0xe3, 0x7b, 0xd5, 0x98, 0x85, 0x61, 0xbd, 0xf5, 0x03,
268 0xd4, 0xdc, 0x2b, 0xdb, 0x38, 0xf8, 0x85, 0x43, 0x4a, 0xe4, 0x2c, 0x35, 0x5f, 0x72, 0x5c, 0x9a,
269 0x60, 0xf9, 0x1f, 0x07, 0x88, 0xe1, 0xf1, 0xa9, 0x72, 0x23, 0xb5, 0x24, 0xb5, 0x35, 0x7f, 0xdf,
270 0x72, 0xe2, 0xf6, 0x96, 0xba, 0xb7, 0xd7, 0x8e, 0x32, 0xbf, 0x92, 0xba, 0x8e, 0x18, 0x64, 0xea,
271 0xb1, 0x22, 0x9e, 0x91, 0x34, 0x61, 0x30, 0x74, 0x8a, 0x6e, 0x3c, 0x12, 0x4f, 0x91, 0x49, 0xd7,
272 0x1c, 0x74, 0x35, 0x02, 0x81, 0x81, 0x00, 0xc9, 0x53, 0x87, 0xc0, 0xf9, 0xd3, 0x5f, 0x13, 0x7b,
273 0x57, 0xd0, 0xd6, 0x5c, 0x39, 0x7c, 0x5e, 0x21, 0xcc, 0x25, 0x1e, 0x47, 0x00, 0x8e, 0xd6, 0x2a,
274 0x54, 0x24, 0x09, 0xc8, 0xb6, 0xb6, 0xac, 0x7f, 0x89, 0x67, 0xb3, 0x86, 0x3c, 0xa6, 0x45, 0xfc,
275 0xce, 0x49, 0x58, 0x2a, 0x9a, 0xa1, 0x73, 0x49, 0xdb, 0x6c, 0x4a, 0x95, 0xaf, 0xfd, 0xae, 0x0d,
276 0xae, 0x61, 0x2e, 0x1a, 0xfa, 0xc9, 0x9e, 0xd3, 0x9a, 0x2d, 0x93, 0x4c, 0x88, 0x04, 0x40, 0xae,
277 0xd8, 0x83, 0x2f, 0x98, 0x43, 0x16, 0x3a, 0x47, 0xf2, 0x7f, 0x39, 0x21, 0x99, 0xdc, 0x12, 0x02,
278 0xf9, 0xa0, 0xf9, 0xbd, 0x08, 0x30, 0x80, 0x07, 0xcb, 0x1e, 0x4e, 0x7f, 0x58, 0x30, 0x93, 0x66,
279 0xa7, 0xde, 0x25, 0xf7, 0xc3, 0xc9, 0xb8, 0x80, 0x67, 0x7c, 0x06, 0x8e, 0x1b, 0xe9, 0x36, 0xe8,
280 0x12, 0x88, 0x81, 0x52, 0x52, 0xa8, 0xa1, 0x02, 0x81, 0x80, 0x57, 0xff, 0x8c, 0xa1, 0x89, 0x50,
281 0x80, 0xb2, 0xca, 0xe4, 0x86, 0xef, 0x0a, 0xdf, 0xd7, 0x91, 0xfb, 0x02, 0x35, 0xc0, 0xb8, 0xb3,
282 0x6c, 0xd6, 0xc1, 0x36, 0xe5, 0x2e, 0x40, 0x85, 0xf4, 0xea, 0x5a, 0x06, 0x32, 0x12, 0xa4, 0xf1,
283 0x05, 0xa3, 0x76, 0x47, 0x43, 0xe5, 0x32, 0x81, 0x98, 0x8a, 0xba, 0x07, 0x3f, 0x6e, 0x00, 0x27,
284 0x29, 0x8e, 0x1c, 0x43, 0x78, 0x55, 0x6e, 0x0e, 0xfc, 0xa0, 0xe1, 0x4e, 0xce, 0x1a, 0xf7, 0x6a,
285 0xd0, 0xb0, 0x30, 0xf2, 0x7a, 0xf6, 0xf0, 0xab, 0x35, 0xfb, 0x73, 0xa0, 0x60, 0xd8, 0xb1, 0xa0,
286 0xe1, 0x42, 0xfa, 0x26, 0x47, 0xe9, 0x3b, 0x32, 0xe3, 0x6d, 0x82, 0x82, 0xae, 0x0a, 0x4d, 0xe5,
287 0x0a, 0xb7, 0xaf, 0xe8, 0x55, 0x00, 0xa1, 0x6f, 0x43, 0xa6, 0x47, 0x19, 0xd6, 0xe2, 0xb9, 0x43,
288 0x98, 0x23, 0x71, 0x9c, 0xd0, 0x8b, 0xcd, 0x03, 0x17, 0x81, 0x02, 0x81, 0x81, 0x00, 0xba, 0x73,
289 0xb0, 0xbb, 0x28, 0xe3, 0xf8, 0x1e, 0x9b, 0xd1, 0xc5, 0x68, 0x71, 0x3b, 0x10, 0x12, 0x41, 0xac,
290 0xc6, 0x07, 0x97, 0x6c, 0x4d, 0xdc, 0xcc, 0x90, 0xe6, 0x5b, 0x65, 0x56, 0xca, 0x31, 0x51, 0x60,
291 0x58, 0xf9, 0x2b, 0x6e, 0x09, 0xf3, 0xb1, 0x60, 0xff, 0x0e, 0x37, 0x4e, 0xc4, 0x0d, 0x78, 0xae,
292 0x4d, 0x49, 0x79, 0xfd, 0xe6, 0xac, 0x06, 0xa1, 0xa4, 0x00, 0xc6, 0x1d, 0xd3, 0x12, 0x54, 0x18,
293 0x6a, 0xf3, 0x0b, 0x22, 0xc1, 0x05, 0x82, 0xa8, 0xa4, 0x3e, 0x34, 0xfe, 0x94, 0x9c, 0x5f, 0x3b,
294 0x97, 0x55, 0xba, 0xe7, 0xba, 0xa7, 0xb7, 0xb7, 0xa6, 0xbd, 0x03, 0xb3, 0x8c, 0xef, 0x55, 0xc8,
295 0x68, 0x85, 0xfc, 0x6c, 0x19, 0x78, 0xb9, 0xce, 0xe7, 0xef, 0x33, 0xda, 0x50, 0x7c, 0x9d, 0xf6,
296 0xb9, 0x27, 0x7c, 0xff, 0x1e, 0x6a, 0xaa, 0x5d, 0x57, 0xac, 0xa5, 0x28, 0x46, 0x61, 0x02, 0x81,
297 0x81, 0x00, 0xc9, 0x31, 0x61, 0x7c, 0x77, 0x82, 0x9d, 0xfb, 0x12, 0x70, 0x50, 0x2b, 0xe9, 0x19,
298 0x5c, 0x8f, 0x28, 0x30, 0x88, 0x5f, 0x57, 0xdb, 0xa8, 0x69, 0x53, 0x68, 0x11, 0xe6, 0x86, 0x42,
299 0x36, 0xd0, 0xc4, 0x73, 0x6a, 0x00, 0x08, 0xa1, 0x45, 0xaf, 0x36, 0xb8, 0x35, 0x7a, 0x7c, 0x3d,
300 0x13, 0x99, 0x66, 0xd0, 0x4c, 0x4e, 0x00, 0x93, 0x4e, 0xa1, 0xae, 0xde, 0x3b, 0xb6, 0xb8, 0xec,
301 0x84, 0x1d, 0xc9, 0x5e, 0x3f, 0x57, 0x97, 0x51, 0xe2, 0xbf, 0xdf, 0xe2, 0x7a, 0xe7, 0x78, 0x98,
302 0x3f, 0x95, 0x93, 0x56, 0x21, 0x07, 0x23, 0x28, 0x7b, 0x0a, 0xff, 0xcc, 0x9f, 0x72, 0x70, 0x44,
303 0xd4, 0x8c, 0x37, 0x3f, 0x1b, 0xab, 0xde, 0x07, 0x24, 0xfa, 0x17, 0xa4, 0xfd, 0x4d, 0xa0, 0x90,
304 0x2c, 0x7c, 0x9b, 0x9b, 0xf2, 0x7b, 0xa6, 0x1b, 0xe6, 0xad, 0x02, 0xdf, 0xdd, 0xda, 0x8f, 0x4e,
305 0x68, 0x22,
306];
307
308/// WrappedKeyData as ASN.1 DER-encoded data corresponding to the `SecureKeyWrapper` schema
309/// specified in IKeyMintDevice.aidl. Wrapped key parameters are -
310/// Algorithm: AES
311/// Key size: 256
312/// Block mode: ECB
313/// Padding mode: PKCS7
314/// This sample wrapped_key is taken from KeyMint tests (see KeyMintTest.cpp).
315pub static WRAPPED_KEY: &[u8] = &[
316 0x30, 0x82, 0x01, 0x79, 0x02, 0x01, 0x00, 0x04, 0x82, 0x01, 0x00, 0x93, 0x4b, 0xf9, 0x4e, 0x2a,
317 0xa2, 0x8a, 0x3f, 0x83, 0xc9, 0xf7, 0x92, 0x97, 0x25, 0x02, 0x62, 0xfb, 0xe3, 0x27, 0x6b, 0x5a,
318 0x1c, 0x91, 0x15, 0x9b, 0xbf, 0xa3, 0xef, 0x89, 0x57, 0xaa, 0xc8, 0x4b, 0x59, 0xb3, 0x0b, 0x45,
319 0x5a, 0x79, 0xc2, 0x97, 0x34, 0x80, 0x82, 0x3d, 0x8b, 0x38, 0x63, 0xc3, 0xde, 0xef, 0x4a, 0x8e,
320 0x24, 0x35, 0x90, 0x26, 0x8d, 0x80, 0xe1, 0x87, 0x51, 0xa0, 0xe1, 0x30, 0xf6, 0x7c, 0xe6, 0xa1,
321 0xac, 0xe9, 0xf7, 0x9b, 0x95, 0xe0, 0x97, 0x47, 0x4f, 0xeb, 0xc9, 0x81, 0x19, 0x5b, 0x1d, 0x13,
322 0xa6, 0x90, 0x86, 0xc0, 0x86, 0x3f, 0x66, 0xa7, 0xb7, 0xfd, 0xb4, 0x87, 0x92, 0x22, 0x7b, 0x1a,
323 0xc5, 0xe2, 0x48, 0x9f, 0xeb, 0xdf, 0x08, 0x7a, 0xb5, 0x48, 0x64, 0x83, 0x03, 0x3a, 0x6f, 0x00,
324 0x1c, 0xa5, 0xd1, 0xec, 0x1e, 0x27, 0xf5, 0xc3, 0x0f, 0x4c, 0xec, 0x26, 0x42, 0x07, 0x4a, 0x39,
325 0xae, 0x68, 0xae, 0xe5, 0x52, 0xe1, 0x96, 0x62, 0x7a, 0x8e, 0x3d, 0x86, 0x7e, 0x67, 0xa8, 0xc0,
326 0x1b, 0x11, 0xe7, 0x5f, 0x13, 0xcc, 0xa0, 0xa9, 0x7a, 0xb6, 0x68, 0xb5, 0x0c, 0xda, 0x07, 0xa8,
327 0xec, 0xb7, 0xcd, 0x8e, 0x3d, 0xd7, 0x00, 0x9c, 0x96, 0x36, 0x53, 0x4f, 0x6f, 0x23, 0x9c, 0xff,
328 0xe1, 0xfc, 0x8d, 0xaa, 0x46, 0x6f, 0x78, 0xb6, 0x76, 0xc7, 0x11, 0x9e, 0xfb, 0x96, 0xbc, 0xe4,
329 0xe6, 0x9c, 0xa2, 0xa2, 0x5d, 0x0b, 0x34, 0xed, 0x9c, 0x3f, 0xf9, 0x99, 0xb8, 0x01, 0x59, 0x7d,
330 0x52, 0x20, 0xe3, 0x07, 0xea, 0xa5, 0xbe, 0xe5, 0x07, 0xfb, 0x94, 0xd1, 0xfa, 0x69, 0xf9, 0xe5,
331 0x19, 0xb2, 0xde, 0x31, 0x5b, 0xac, 0x92, 0xc3, 0x6f, 0x2e, 0xa1, 0xfa, 0x1d, 0xf4, 0x47, 0x8c,
332 0x0d, 0xde, 0xde, 0xae, 0x8c, 0x70, 0xe0, 0x23, 0x3c, 0xd0, 0x98, 0x04, 0x0c, 0xd7, 0x96, 0xb0,
333 0x2c, 0x37, 0x0f, 0x1f, 0xa4, 0xcc, 0x01, 0x24, 0xf1, 0x30, 0x2e, 0x02, 0x01, 0x03, 0x30, 0x29,
334 0xa1, 0x08, 0x31, 0x06, 0x02, 0x01, 0x00, 0x02, 0x01, 0x01, 0xa2, 0x03, 0x02, 0x01, 0x20, 0xa3,
335 0x04, 0x02, 0x02, 0x01, 0x00, 0xa4, 0x05, 0x31, 0x03, 0x02, 0x01, 0x01, 0xa6, 0x05, 0x31, 0x03,
336 0x02, 0x01, 0x40, 0xbf, 0x83, 0x77, 0x02, 0x05, 0x00, 0x04, 0x20, 0xcc, 0xd5, 0x40, 0x85, 0x5f,
337 0x83, 0x3a, 0x5e, 0x14, 0x80, 0xbf, 0xd2, 0xd3, 0x6f, 0xaf, 0x3a, 0xee, 0xe1, 0x5d, 0xf5, 0xbe,
338 0xab, 0xe2, 0x69, 0x1b, 0xc8, 0x2d, 0xde, 0x2a, 0x7a, 0xa9, 0x10, 0x04, 0x10, 0x64, 0xc9, 0xf6,
339 0x89, 0xc6, 0x0f, 0xf6, 0x22, 0x3a, 0xb6, 0xe6, 0x99, 0x9e, 0x0e, 0xb6, 0xe5,
340];
341
Rajesh Nyamagoudb881d512021-12-10 00:33:15 +0000[diff] [blame]342/// To map Keystore errors.
343#[derive(thiserror::Error, Debug, Eq, PartialEq)]
344pub enum Error {
345 /// Keystore2 error code
346 #[error("ResponseCode {0:?}")]
347 Rc(ResponseCode),
348 /// Keymint error code
349 #[error("ErrorCode {0:?}")]
350 Km(ErrorCode),
351 /// Exception
352 #[error("Binder exception {0:?}")]
353 Binder(ExceptionCode),
Rajesh Nyamagoud4d483372022-02-09 01:38:23 +0000[diff] [blame]354 /// This is returned if the C implementation of extractSubjectFromCertificate failed.
355 #[error("Failed to validate certificate chain.")]
356 ValidateCertChainFailed,
Rajesh Nyamagoudc946cc42022-04-12 22:49:11 +0000[diff] [blame]357 /// Error code to indicate error in ASN.1 DER-encoded data creation.
358 #[error("Failed to create and encode ASN.1 data.")]
359 DerEncodeFailed,
Rajesh Nyamagoud28abde62023-04-01 01:32:32 +0000[diff] [blame]360 /// Error code to indicate error while using keystore-engine API.
361 #[error("Failed to perform crypto op using keystore-engine APIs.")]
362 Keystore2EngineOpFailed,
Rajesh Nyamagouda42dee62022-04-22 21:15:55 +0000[diff] [blame]363 /// Error code to indicate error in attestation-id validation.
364 #[error("Failed to validate attestation-id.")]
365 ValidateAttestIdFailed,
366 /// Error code to indicate error in getting value from attest record.
367 #[error("Failed to get value from attest record.")]
368 AttestRecordGetValueFailed,
Rajesh Nyamagoudb881d512021-12-10 00:33:15 +0000[diff] [blame]369}
370
371/// Keystore2 error mapping.
372pub fn map_ks_error<T>(r: BinderResult<T>) -> Result<T, Error> {
373 r.map_err(|s| {
374 match s.exception_code() {
375 ExceptionCode::SERVICE_SPECIFIC => {
376 match s.service_specific_error() {
377 se if se < 0 => {
378 // Negative service specific errors are KM error codes.
379 Error::Km(ErrorCode(se))
380 }
381 se => {
382 // Positive service specific errors are KS response codes.
383 Error::Rc(ResponseCode(se))
384 }
385 }
386 }
387 // We create `Error::Binder` to preserve the exception code
388 // for logging.
389 e_code => Error::Binder(e_code),
390 }
391 })
392}
393
Rajesh Nyamagoud5f6db2f2023-06-01 17:22:32 +0000[diff] [blame]394/// Indicate whether the default device is KeyMint (rather than Keymaster).
395pub fn has_default_keymint() -> bool {
396 binder::is_declared("android.hardware.security.keymint.IKeyMintDevice/default")
397 .expect("Could not check for declared keymint interface")
398}
399
Rajesh Nyamagoudd0213ef2023-05-04 00:29:55 +0000[diff] [blame]400/// Verify that given key param is listed in given authorizations list.
401pub fn check_key_param(authorizations: &[Authorization], key_param: &KeyParameter) -> bool {
402 authorizations.iter().any(|auth| &auth.keyParameter == key_param)
403}
404
Rajesh Nyamagoud75dfa0c2023-05-11 00:31:40 +0000[diff] [blame]405/// Verify the given key authorizations with the expected authorizations.
406pub fn check_key_authorizations(
407 authorizations: &[Authorization],
408 expected_params: &[KeyParameter],
409 expected_key_origin: KeyOrigin,
410) {
Rajesh Nyamagoudd0213ef2023-05-04 00:29:55 +0000[diff] [blame]411 // Make sure key authorizations contains only `ALLOWED_TAGS_IN_KEY_AUTHS`
412 authorizations.iter().all(|auth| {
413 assert!(
414 ALLOWED_TAGS_IN_KEY_AUTHS.contains(&auth.keyParameter.tag),
415 "key authorization is not allowed: {:#?}",
416 auth.keyParameter
417 );
418 true
419 });
420
421 //Check allowed-expected-key-parameters are present in given key authorizations list.
422 expected_params.iter().all(|key_param| {
423 if ALLOWED_TAGS_IN_KEY_AUTHS.contains(&key_param.tag) {
424 assert!(
425 check_key_param(authorizations, key_param),
426 "Key parameter not found: {:#?}",
427 key_param
428 );
429 }
430 true
431 });
Rajesh Nyamagoud75dfa0c2023-05-11 00:31:40 +0000[diff] [blame]432
433 check_common_auths(authorizations, expected_key_origin);
434}
435
436/// Verify common key authorizations.
437fn check_common_auths(authorizations: &[Authorization], expected_key_origin: KeyOrigin) {
438 assert!(check_key_param(
439 authorizations,
440 &KeyParameter {
441 tag: Tag::OS_VERSION,
442 value: KeyParameterValue::Integer(get_os_version().try_into().unwrap())
443 }
444 ));
445 assert!(check_key_param(
446 authorizations,
447 &KeyParameter {
448 tag: Tag::OS_PATCHLEVEL,
449 value: KeyParameterValue::Integer(get_os_patchlevel().try_into().unwrap())
450 }
451 ));
452
453 // Access denied for finding vendor-patch-level ("ro.vendor.build.security_patch") property
454 // in a test running with `untrusted_app` context. Keeping this check to verify
455 // vendor-patch-level in tests running with `su` context.
456 if getuid().is_root() {
457 assert!(check_key_param(
458 authorizations,
459 &KeyParameter {
460 tag: Tag::VENDOR_PATCHLEVEL,
461 value: KeyParameterValue::Integer(get_vendor_patchlevel().try_into().unwrap())
462 }
463 ));
464 }
465 assert!(check_key_param(
466 authorizations,
467 &KeyParameter { tag: Tag::ORIGIN, value: KeyParameterValue::Origin(expected_key_origin) }
468 ));
469 assert!(check_key_param(
470 authorizations,
471 &KeyParameter {
472 tag: Tag::USER_ID,
473 value: KeyParameterValue::Integer(
474 rustutils::users::multiuser_get_user_id(ThreadState::get_calling_uid())
475 .try_into()
476 .unwrap()
477 )
478 }
479 ));
Rajesh Nyamagoud5f6db2f2023-06-01 17:22:32 +0000[diff] [blame]480
481 if has_default_keymint() {
482 assert!(authorizations
483 .iter()
484 .map(|auth| &auth.keyParameter)
485 .any(|key_param| key_param.tag == Tag::CREATION_DATETIME));
486 }
Rajesh Nyamagoudd0213ef2023-05-04 00:29:55 +0000[diff] [blame]487}
488
Rajesh Nyamagoudf436a932023-05-12 01:16:07 +0000[diff] [blame]489/// Get the key `Authorization` for the given auth `Tag`.
490pub fn get_key_auth(authorizations: &[Authorization], tag: Tag) -> Option<&Authorization> {
491 let auths: Vec<&Authorization> =
492 authorizations.iter().filter(|auth| auth.keyParameter.tag == tag).collect();
493
494 if !auths.is_empty() {
495 Some(auths[0])
496 } else {
497 None
498 }
499}
500
Rajesh Nyamagoudb881d512021-12-10 00:33:15 +0000[diff] [blame]501/// Generate EC Key using given security level and domain with below key parameters and
502/// optionally allow the generated key to be attested with factory provisioned attest key using
503/// given challenge and application id -
Rajesh Nyamagoud901386c2022-03-21 20:35:18 +0000[diff] [blame]504/// Purposes: SIGN and VERIFY
505/// Digest: SHA_2_256
506/// Curve: P_256
Rajesh Nyamagoudb881d512021-12-10 00:33:15 +0000[diff] [blame]507pub fn generate_ec_p256_signing_key(
Rajesh Nyamagoud901386c2022-03-21 20:35:18 +0000[diff] [blame]508 sec_level: &binder::Strong<dyn IKeystoreSecurityLevel>,
Rajesh Nyamagoudb881d512021-12-10 00:33:15 +0000[diff] [blame]509 domain: Domain,
510 nspace: i64,
511 alias: Option<String>,
512 att_challenge: Option<&[u8]>,
Rajesh Nyamagoud901386c2022-03-21 20:35:18 +0000[diff] [blame]513) -> binder::Result<KeyMetadata> {
Rajesh Nyamagoudb881d512021-12-10 00:33:15 +0000[diff] [blame]514 let mut key_attest = false;
515 let mut gen_params = AuthSetBuilder::new()
Rajesh Nyamagoudc7d064d2022-08-20 01:45:17 +0000[diff] [blame]516 .no_auth_required()
Rajesh Nyamagoud901386c2022-03-21 20:35:18 +0000[diff] [blame]517 .algorithm(Algorithm::EC)
518 .purpose(KeyPurpose::SIGN)
519 .purpose(KeyPurpose::VERIFY)
520 .digest(Digest::SHA_2_256)
Rajesh Nyamagoudb881d512021-12-10 00:33:15 +0000[diff] [blame]521 .ec_curve(EcCurve::P_256);
522
523 if let Some(challenge) = att_challenge {
524 key_attest = true;
525 gen_params = gen_params.clone().attestation_challenge(challenge.to_vec());
526 }
527
Rajesh Nyamagoud901386c2022-03-21 20:35:18 +0000[diff] [blame]528 match sec_level.generateKey(
Rajesh Nyamagoudb881d512021-12-10 00:33:15 +0000[diff] [blame]529 &KeyDescriptor { domain, nspace, alias, blob: None },
Rajesh Nyamagoud901386c2022-03-21 20:35:18 +0000[diff] [blame]530 None,
531 &gen_params,
532 0,
533 b"entropy",
534 ) {
535 Ok(key_metadata) => {
536 assert!(key_metadata.certificate.is_some());
Rajesh Nyamagoudb881d512021-12-10 00:33:15 +0000[diff] [blame]537 if key_attest {
538 assert!(key_metadata.certificateChain.is_some());
539 }
540 if domain == Domain::BLOB {
541 assert!(key_metadata.key.blob.is_some());
542 }
Rajesh Nyamagoud901386c2022-03-21 20:35:18 +0000[diff] [blame]543
Rajesh Nyamagoud75dfa0c2023-05-11 00:31:40 +0000[diff] [blame]544 check_key_authorizations(
545 &key_metadata.authorizations,
546 &gen_params,
547 KeyOrigin::GENERATED,
548 );
Rajesh Nyamagoud901386c2022-03-21 20:35:18 +0000[diff] [blame]549 Ok(key_metadata)
550 }
551 Err(e) => Err(e),
552 }
553}
Rajesh Nyamagouda7766452021-12-13 21:44:19 +0000[diff] [blame]554
555/// Generate EC signing key.
Rajesh Nyamagoudc7d064d2022-08-20 01:45:17 +0000[diff] [blame]556pub fn generate_ec_key(
557 sec_level: &binder::Strong<dyn IKeystoreSecurityLevel>,
Rajesh Nyamagouda7766452021-12-13 21:44:19 +0000[diff] [blame]558 domain: Domain,
559 nspace: i64,
560 alias: Option<String>,
561 ec_curve: EcCurve,
562 digest: Digest,
563) -> binder::Result<KeyMetadata> {
564 let gen_params = AuthSetBuilder::new()
565 .no_auth_required()
566 .algorithm(Algorithm::EC)
567 .purpose(KeyPurpose::SIGN)
568 .purpose(KeyPurpose::VERIFY)
569 .digest(digest)
570 .ec_curve(ec_curve);
571
572 let key_metadata = sec_level.generateKey(
573 &KeyDescriptor { domain, nspace, alias, blob: None },
574 None,
575 &gen_params,
576 0,
577 b"entropy",
578 )?;
579
580 // Must have a public key.
581 assert!(key_metadata.certificate.is_some());
582
583 // Should not have an attestation record.
584 assert!(key_metadata.certificateChain.is_none());
585
586 if domain == Domain::BLOB {
587 assert!(key_metadata.key.blob.is_some());
588 } else {
589 assert!(key_metadata.key.blob.is_none());
590 }
Rajesh Nyamagoud75dfa0c2023-05-11 00:31:40 +0000[diff] [blame]591 check_key_authorizations(&key_metadata.authorizations, &gen_params, KeyOrigin::GENERATED);
Rajesh Nyamagouda7766452021-12-13 21:44:19 +0000[diff] [blame]592 Ok(key_metadata)
593}
Rajesh Nyamagoud11912ea2021-12-20 20:37:20 +0000[diff] [blame]594
595/// Generate a RSA key with the given key parameters, alias, domain and namespace.
596pub fn generate_rsa_key(
597 sec_level: &binder::Strong<dyn IKeystoreSecurityLevel>,
598 domain: Domain,
599 nspace: i64,
600 alias: Option<String>,
601 key_params: &KeyParams,
602 attest_key: Option<&KeyDescriptor>,
603) -> binder::Result<KeyMetadata> {
604 let mut gen_params = AuthSetBuilder::new()
605 .no_auth_required()
606 .algorithm(Algorithm::RSA)
607 .rsa_public_exponent(65537)
608 .key_size(key_params.key_size);
609
610 for purpose in &key_params.purpose {
611 gen_params = gen_params.purpose(*purpose);
612 }
613 if let Some(value) = key_params.digest {
614 gen_params = gen_params.digest(value)
615 }
616 if let Some(value) = key_params.padding {
617 gen_params = gen_params.padding_mode(value);
618 }
619 if let Some(value) = key_params.mgf_digest {
620 gen_params = gen_params.mgf_digest(value);
621 }
622 if let Some(value) = key_params.block_mode {
623 gen_params = gen_params.block_mode(value)
624 }
625 if let Some(value) = &key_params.att_challenge {
626 gen_params = gen_params.attestation_challenge(value.to_vec())
627 }
Rajesh Nyamagoud11912ea2021-12-20 20:37:20 +0000[diff] [blame]628
629 let key_metadata = sec_level.generateKey(
630 &KeyDescriptor { domain, nspace, alias, blob: None },
631 attest_key,
632 &gen_params,
633 0,
634 b"entropy",
635 )?;
636
637 // Must have a public key.
638 assert!(key_metadata.certificate.is_some());
639
David Drysdale38f2ca32023-01-10 13:10:51 +0000[diff] [blame]640 if attest_key.is_none() && key_params.att_challenge.is_some() {
Rajesh Nyamagoud11912ea2021-12-20 20:37:20 +0000[diff] [blame]641 // Should have an attestation record.
642 assert!(key_metadata.certificateChain.is_some());
643 } else {
644 // Should not have an attestation record.
645 assert!(key_metadata.certificateChain.is_none());
646 }
647
648 assert!(
649 (domain == Domain::BLOB && key_metadata.key.blob.is_some())
650 || key_metadata.key.blob.is_none()
651 );
652
Rajesh Nyamagoud75dfa0c2023-05-11 00:31:40 +0000[diff] [blame]653 check_key_authorizations(&key_metadata.authorizations, &gen_params, KeyOrigin::GENERATED);
Rajesh Nyamagoudd0213ef2023-05-04 00:29:55 +0000[diff] [blame]654 // If `RSA_OAEP_MGF_DIGEST` tag is not mentioned explicitly while generating/importing a key,
655 // then make sure `RSA_OAEP_MGF_DIGEST` tag with default value (SHA1) must not be included in
656 // key authorization list.
657 if key_params.mgf_digest.is_none() {
658 assert!(!check_key_param(
659 &key_metadata.authorizations,
660 &KeyParameter {
661 tag: Tag::RSA_OAEP_MGF_DIGEST,
662 value: KeyParameterValue::Digest(Digest::SHA1)
663 }
664 ));
665 }
Rajesh Nyamagoud11912ea2021-12-20 20:37:20 +0000[diff] [blame]666 Ok(key_metadata)
667}
Rajesh Nyamagoud47409932022-01-08 00:37:13 +0000[diff] [blame]668
Rajesh Nyamagoudc3523ba2022-08-05 17:38:25 +0000[diff] [blame]669/// Generate AES/3DES key.
670pub fn generate_sym_key(
Rajesh Nyamagoud47409932022-01-08 00:37:13 +0000[diff] [blame]671 sec_level: &binder::Strong<dyn IKeystoreSecurityLevel>,
Rajesh Nyamagoudc3523ba2022-08-05 17:38:25 +0000[diff] [blame]672 algorithm: Algorithm,
Rajesh Nyamagoud47409932022-01-08 00:37:13 +0000[diff] [blame]673 size: i32,
674 alias: &str,
675 padding_mode: &PaddingMode,
676 block_mode: &BlockMode,
677 min_mac_len: Option<i32>,
678) -> binder::Result<KeyMetadata> {
679 let mut gen_params = AuthSetBuilder::new()
680 .no_auth_required()
Rajesh Nyamagoudc3523ba2022-08-05 17:38:25 +0000[diff] [blame]681 .algorithm(algorithm)
Rajesh Nyamagoud47409932022-01-08 00:37:13 +0000[diff] [blame]682 .purpose(KeyPurpose::ENCRYPT)
683 .purpose(KeyPurpose::DECRYPT)
684 .key_size(size)
685 .padding_mode(*padding_mode)
686 .block_mode(*block_mode);
687
688 if let Some(val) = min_mac_len {
689 gen_params = gen_params.min_mac_length(val);
690 }
691
692 let key_metadata = sec_level.generateKey(
693 &KeyDescriptor {
694 domain: Domain::APP,
695 nspace: -1,
696 alias: Some(alias.to_string()),
697 blob: None,
698 },
699 None,
700 &gen_params,
701 0,
702 b"entropy",
703 )?;
704
705 // Should not have public certificate.
706 assert!(key_metadata.certificate.is_none());
707
708 // Should not have an attestation record.
709 assert!(key_metadata.certificateChain.is_none());
Rajesh Nyamagoud75dfa0c2023-05-11 00:31:40 +0000[diff] [blame]710 check_key_authorizations(&key_metadata.authorizations, &gen_params, KeyOrigin::GENERATED);
Rajesh Nyamagoud47409932022-01-08 00:37:13 +0000[diff] [blame]711 Ok(key_metadata)
712}
Rajesh Nyamagoud4c6193c2022-02-03 01:15:34 +0000[diff] [blame]713
714/// Generate HMAC key.
715pub fn generate_hmac_key(
716 sec_level: &binder::Strong<dyn IKeystoreSecurityLevel>,
717 alias: &str,
718 key_size: i32,
719 min_mac_len: i32,
720 digest: Digest,
721) -> binder::Result<KeyMetadata> {
722 let gen_params = AuthSetBuilder::new()
723 .no_auth_required()
724 .algorithm(Algorithm::HMAC)
725 .purpose(KeyPurpose::SIGN)
726 .purpose(KeyPurpose::VERIFY)
727 .key_size(key_size)
728 .min_mac_length(min_mac_len)
729 .digest(digest);
730
731 let key_metadata = sec_level.generateKey(
732 &KeyDescriptor {
733 domain: Domain::APP,
734 nspace: -1,
735 alias: Some(alias.to_string()),
736 blob: None,
737 },
738 None,
739 &gen_params,
740 0,
741 b"entropy",
742 )?;
743
744 // Should not have public certificate.
745 assert!(key_metadata.certificate.is_none());
746
747 // Should not have an attestation record.
748 assert!(key_metadata.certificateChain.is_none());
749
Rajesh Nyamagoud75dfa0c2023-05-11 00:31:40 +0000[diff] [blame]750 check_key_authorizations(&key_metadata.authorizations, &gen_params, KeyOrigin::GENERATED);
Rajesh Nyamagoud4c6193c2022-02-03 01:15:34 +0000[diff] [blame]751 Ok(key_metadata)
752}
Rajesh Nyamagoud4d483372022-02-09 01:38:23 +0000[diff] [blame]753
754/// Generate RSA or EC attestation keys using below parameters -
755/// Purpose: ATTEST_KEY
756/// Digest: Digest::SHA_2_256
757/// Padding: PaddingMode::RSA_PKCS1_1_5_SIGN
758/// RSA-Key-Size: 2048
759/// EC-Curve: EcCurve::P_256
760pub fn generate_attestation_key(
761 sec_level: &binder::Strong<dyn IKeystoreSecurityLevel>,
762 algorithm: Algorithm,
763 att_challenge: &[u8],
Rajesh Nyamagoud4d483372022-02-09 01:38:23 +0000[diff] [blame]764) -> binder::Result<KeyMetadata> {
765 assert!(algorithm == Algorithm::RSA || algorithm == Algorithm::EC);
766
767 if algorithm == Algorithm::RSA {
768 let alias = "ks_rsa_attest_test_key";
769 let metadata = generate_rsa_key(
770 sec_level,
771 Domain::APP,
772 -1,
773 Some(alias.to_string()),
774 &KeyParams {
775 key_size: 2048,
776 purpose: vec![KeyPurpose::ATTEST_KEY],
777 padding: Some(PaddingMode::RSA_PKCS1_1_5_SIGN),
778 digest: Some(Digest::SHA_2_256),
779 mgf_digest: None,
780 block_mode: None,
781 att_challenge: Some(att_challenge.to_vec()),
Rajesh Nyamagoud4d483372022-02-09 01:38:23 +0000[diff] [blame]782 },
783 None,
784 )
785 .unwrap();
786 Ok(metadata)
787 } else {
788 let metadata = generate_ec_attestation_key(
789 sec_level,
790 att_challenge,
Rajesh Nyamagoud4d483372022-02-09 01:38:23 +0000[diff] [blame]791 Digest::SHA_2_256,
792 EcCurve::P_256,
793 )
794 .unwrap();
795
796 Ok(metadata)
797 }
798}
799
800/// Generate EC attestation key with the given
801/// curve, attestation-challenge and attestation-app-id.
802pub fn generate_ec_attestation_key(
803 sec_level: &binder::Strong<dyn IKeystoreSecurityLevel>,
804 att_challenge: &[u8],
Rajesh Nyamagoud4d483372022-02-09 01:38:23 +0000[diff] [blame]805 digest: Digest,
806 ec_curve: EcCurve,
807) -> binder::Result<KeyMetadata> {
808 let alias = "ks_attest_ec_test_key";
809 let gen_params = AuthSetBuilder::new()
810 .no_auth_required()
811 .algorithm(Algorithm::EC)
812 .purpose(KeyPurpose::ATTEST_KEY)
813 .ec_curve(ec_curve)
814 .digest(digest)
David Drysdale38f2ca32023-01-10 13:10:51 +0000[diff] [blame]815 .attestation_challenge(att_challenge.to_vec());
Rajesh Nyamagoud4d483372022-02-09 01:38:23 +0000[diff] [blame]816
817 let attestation_key_metadata = sec_level.generateKey(
818 &KeyDescriptor {
819 domain: Domain::APP,
820 nspace: -1,
821 alias: Some(alias.to_string()),
822 blob: None,
823 },
824 None,
825 &gen_params,
826 0,
827 b"entropy",
828 )?;
829
830 // Should have public certificate.
831 assert!(attestation_key_metadata.certificate.is_some());
832 // Should have an attestation record.
833 assert!(attestation_key_metadata.certificateChain.is_some());
834
Rajesh Nyamagoud75dfa0c2023-05-11 00:31:40 +0000[diff] [blame]835 check_key_authorizations(
836 &attestation_key_metadata.authorizations,
837 &gen_params,
838 KeyOrigin::GENERATED,
839 );
Rajesh Nyamagoud4d483372022-02-09 01:38:23 +0000[diff] [blame]840 Ok(attestation_key_metadata)
841}
842
843/// Generate EC-P-256 key and attest it with given attestation key.
844pub fn generate_ec_256_attested_key(
845 sec_level: &binder::Strong<dyn IKeystoreSecurityLevel>,
846 alias: Option<String>,
847 att_challenge: &[u8],
Rajesh Nyamagoud4d483372022-02-09 01:38:23 +0000[diff] [blame]848 attest_key: &KeyDescriptor,
849) -> binder::Result<KeyMetadata> {
850 let ec_gen_params = AuthSetBuilder::new()
851 .no_auth_required()
852 .algorithm(Algorithm::EC)
853 .purpose(KeyPurpose::SIGN)
854 .purpose(KeyPurpose::VERIFY)
855 .digest(Digest::SHA_2_256)
856 .ec_curve(EcCurve::P_256)
David Drysdale38f2ca32023-01-10 13:10:51 +0000[diff] [blame]857 .attestation_challenge(att_challenge.to_vec());
Rajesh Nyamagoud4d483372022-02-09 01:38:23 +0000[diff] [blame]858
859 let ec_key_metadata = sec_level
860 .generateKey(
861 &KeyDescriptor { domain: Domain::APP, nspace: -1, alias, blob: None },
862 Some(attest_key),
863 &ec_gen_params,
864 0,
865 b"entropy",
866 )
867 .unwrap();
868
869 // Should have public certificate.
870 assert!(ec_key_metadata.certificate.is_some());
871 // Shouldn't have an attestation record.
872 assert!(ec_key_metadata.certificateChain.is_none());
873
Rajesh Nyamagoud75dfa0c2023-05-11 00:31:40 +0000[diff] [blame]874 check_key_authorizations(&ec_key_metadata.authorizations, &ec_gen_params, KeyOrigin::GENERATED);
Rajesh Nyamagoud4d483372022-02-09 01:38:23 +0000[diff] [blame]875 Ok(ec_key_metadata)
876}
Rajesh Nyamagoudb8402b62022-04-08 01:05:47 +0000[diff] [blame]877
Rajesh Nyamagoudb8402b62022-04-08 01:05:47 +0000[diff] [blame]878/// Imports above defined RSA key - `RSA_2048_KEY` and validates imported key parameters.
879pub fn import_rsa_2048_key(
880 sec_level: &binder::Strong<dyn IKeystoreSecurityLevel>,
881 domain: Domain,
882 nspace: i64,
883 alias: Option<String>,
884 import_params: AuthSetBuilder,
885) -> binder::Result<KeyMetadata> {
886 let key_metadata = sec_level
887 .importKey(
888 &KeyDescriptor { domain, nspace, alias, blob: None },
889 None,
890 &import_params,
891 0,
892 RSA_2048_KEY,
893 )
894 .unwrap();
895
896 assert!(key_metadata.certificate.is_some());
897 assert!(key_metadata.certificateChain.is_none());
898
Rajesh Nyamagoud75dfa0c2023-05-11 00:31:40 +0000[diff] [blame]899 check_key_authorizations(&key_metadata.authorizations, &import_params, KeyOrigin::IMPORTED);
Rajesh Nyamagoudd0213ef2023-05-04 00:29:55 +0000[diff] [blame]900
901 // Check below auths explicitly, they might not be addd in import parameters.
Rajesh Nyamagoudb8402b62022-04-08 01:05:47 +0000[diff] [blame]902 assert!(check_key_param(
903 &key_metadata.authorizations,
Rajesh Nyamagoudd0213ef2023-05-04 00:29:55 +0000[diff] [blame]904 &KeyParameter { tag: Tag::ALGORITHM, value: KeyParameterValue::Algorithm(Algorithm::RSA) }
Rajesh Nyamagoudb8402b62022-04-08 01:05:47 +0000[diff] [blame]905 ));
906
907 assert!(check_key_param(
908 &key_metadata.authorizations,
Rajesh Nyamagoudd0213ef2023-05-04 00:29:55 +0000[diff] [blame]909 &KeyParameter { tag: Tag::KEY_SIZE, value: KeyParameterValue::Integer(2048) }
Rajesh Nyamagoudb8402b62022-04-08 01:05:47 +0000[diff] [blame]910 ));
911
912 assert!(check_key_param(
913 &key_metadata.authorizations,
Rajesh Nyamagoudd0213ef2023-05-04 00:29:55 +0000[diff] [blame]914 &KeyParameter { tag: Tag::DIGEST, value: KeyParameterValue::Digest(Digest::SHA_2_256) }
Rajesh Nyamagoudb8402b62022-04-08 01:05:47 +0000[diff] [blame]915 ));
916
917 assert!(check_key_param(
918 &key_metadata.authorizations,
Rajesh Nyamagoudd0213ef2023-05-04 00:29:55 +0000[diff] [blame]919 &KeyParameter {
Rajesh Nyamagoudb8402b62022-04-08 01:05:47 +0000[diff] [blame]920 tag: Tag::RSA_PUBLIC_EXPONENT,
921 value: KeyParameterValue::LongInteger(65537)
922 }
923 ));
924
925 assert!(check_key_param(
926 &key_metadata.authorizations,
Rajesh Nyamagoudd0213ef2023-05-04 00:29:55 +0000[diff] [blame]927 &KeyParameter {
Rajesh Nyamagoudb8402b62022-04-08 01:05:47 +0000[diff] [blame]928 tag: Tag::PADDING,
929 value: KeyParameterValue::PaddingMode(PaddingMode::RSA_PSS)
930 }
931 ));
932
933 assert!(check_key_param(
934 &key_metadata.authorizations,
Rajesh Nyamagoudd0213ef2023-05-04 00:29:55 +0000[diff] [blame]935 &KeyParameter { tag: Tag::ORIGIN, value: KeyParameterValue::Origin(KeyOrigin::IMPORTED) }
Rajesh Nyamagoudb8402b62022-04-08 01:05:47 +0000[diff] [blame]936 ));
937
938 Ok(key_metadata)
939}
940
941/// Imports above defined EC key - `EC_P_256_KEY` and validates imported key parameters.
942pub fn import_ec_p_256_key(
943 sec_level: &binder::Strong<dyn IKeystoreSecurityLevel>,
944 domain: Domain,
945 nspace: i64,
946 alias: Option<String>,
947 import_params: AuthSetBuilder,
948) -> binder::Result<KeyMetadata> {
949 let key_metadata = sec_level
950 .importKey(
951 &KeyDescriptor { domain, nspace, alias, blob: None },
952 None,
953 &import_params,
954 0,
955 EC_P_256_KEY,
956 )
957 .unwrap();
958
959 assert!(key_metadata.certificate.is_some());
960 assert!(key_metadata.certificateChain.is_none());
961
Rajesh Nyamagoud75dfa0c2023-05-11 00:31:40 +0000[diff] [blame]962 check_key_authorizations(&key_metadata.authorizations, &import_params, KeyOrigin::IMPORTED);
Rajesh Nyamagoudd0213ef2023-05-04 00:29:55 +0000[diff] [blame]963
964 // Check below auths explicitly, they might not be addd in import parameters.
Rajesh Nyamagoudb8402b62022-04-08 01:05:47 +0000[diff] [blame]965 assert!(check_key_param(
966 &key_metadata.authorizations,
Rajesh Nyamagoudd0213ef2023-05-04 00:29:55 +0000[diff] [blame]967 &KeyParameter { tag: Tag::ALGORITHM, value: KeyParameterValue::Algorithm(Algorithm::EC) }
Rajesh Nyamagoudb8402b62022-04-08 01:05:47 +0000[diff] [blame]968 ));
969
970 assert!(check_key_param(
971 &key_metadata.authorizations,
Rajesh Nyamagoudd0213ef2023-05-04 00:29:55 +0000[diff] [blame]972 &KeyParameter { tag: Tag::EC_CURVE, value: KeyParameterValue::EcCurve(EcCurve::P_256) }
Rajesh Nyamagoudb8402b62022-04-08 01:05:47 +0000[diff] [blame]973 ));
974
975 assert!(check_key_param(
976 &key_metadata.authorizations,
Rajesh Nyamagoudd0213ef2023-05-04 00:29:55 +0000[diff] [blame]977 &KeyParameter { tag: Tag::DIGEST, value: KeyParameterValue::Digest(Digest::SHA_2_256) }
Rajesh Nyamagoudb8402b62022-04-08 01:05:47 +0000[diff] [blame]978 ));
979 assert!(check_key_param(
980 &key_metadata.authorizations,
Rajesh Nyamagoudd0213ef2023-05-04 00:29:55 +0000[diff] [blame]981 &KeyParameter { tag: Tag::ORIGIN, value: KeyParameterValue::Origin(KeyOrigin::IMPORTED) }
Rajesh Nyamagoudb8402b62022-04-08 01:05:47 +0000[diff] [blame]982 ));
983
984 Ok(key_metadata)
985}
986
987/// Import sample AES key and validate its key parameters.
988pub fn import_aes_key(
989 sec_level: &binder::Strong<dyn IKeystoreSecurityLevel>,
990 domain: Domain,
991 nspace: i64,
992 alias: Option<String>,
993) -> binder::Result<KeyMetadata> {
994 static AES_KEY: &[u8] = &[0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0];
995 let key_size = AES_KEY.len() * 8;
996
997 let import_params = AuthSetBuilder::new()
998 .no_auth_required()
999 .algorithm(Algorithm::AES)
1000 .block_mode(BlockMode::ECB)
1001 .key_size(key_size.try_into().unwrap())
1002 .purpose(KeyPurpose::ENCRYPT)
1003 .purpose(KeyPurpose::DECRYPT)
1004 .padding_mode(PaddingMode::PKCS7);
1005
1006 let key_metadata = sec_level.importKey(
1007 &KeyDescriptor { domain, nspace, alias, blob: None },
1008 None,
1009 &import_params,
1010 0,
1011 AES_KEY,
1012 )?;
1013
Rajesh Nyamagoud75dfa0c2023-05-11 00:31:40 +0000[diff] [blame]1014 check_key_authorizations(&key_metadata.authorizations, &import_params, KeyOrigin::IMPORTED);
Rajesh Nyamagoudd0213ef2023-05-04 00:29:55 +0000[diff] [blame]1015
1016 // Check below auths explicitly, they might not be addd in import parameters.
Rajesh Nyamagoudb8402b62022-04-08 01:05:47 +0000[diff] [blame]1017 assert!(check_key_param(
1018 &key_metadata.authorizations,
Rajesh Nyamagoudd0213ef2023-05-04 00:29:55 +0000[diff] [blame]1019 &KeyParameter { tag: Tag::ALGORITHM, value: KeyParameterValue::Algorithm(Algorithm::AES) }
Rajesh Nyamagoudb8402b62022-04-08 01:05:47 +0000[diff] [blame]1020 ));
1021 assert!(check_key_param(
1022 &key_metadata.authorizations,
Rajesh Nyamagoudd0213ef2023-05-04 00:29:55 +0000[diff] [blame]1023 &KeyParameter { tag: Tag::KEY_SIZE, value: KeyParameterValue::Integer(128) }
Rajesh Nyamagoudb8402b62022-04-08 01:05:47 +0000[diff] [blame]1024 ));
1025 assert!(check_key_param(
1026 &key_metadata.authorizations,
Rajesh Nyamagoudd0213ef2023-05-04 00:29:55 +0000[diff] [blame]1027 &KeyParameter {
Rajesh Nyamagoudb8402b62022-04-08 01:05:47 +0000[diff] [blame]1028 tag: Tag::PADDING,
1029 value: KeyParameterValue::PaddingMode(PaddingMode::PKCS7)
1030 }
1031 ));
1032 assert!(check_key_param(
1033 &key_metadata.authorizations,
Rajesh Nyamagoudd0213ef2023-05-04 00:29:55 +0000[diff] [blame]1034 &KeyParameter { tag: Tag::BLOCK_MODE, value: KeyParameterValue::BlockMode(BlockMode::ECB) }
Rajesh Nyamagoudb8402b62022-04-08 01:05:47 +0000[diff] [blame]1035 ));
1036 assert!(check_key_param(
1037 &key_metadata.authorizations,
Rajesh Nyamagoudd0213ef2023-05-04 00:29:55 +0000[diff] [blame]1038 &KeyParameter { tag: Tag::ORIGIN, value: KeyParameterValue::Origin(KeyOrigin::IMPORTED) }
Rajesh Nyamagoudb8402b62022-04-08 01:05:47 +0000[diff] [blame]1039 ));
1040
1041 Ok(key_metadata)
1042}
1043
1044/// Import sample 3DES key and validate its key parameters.
1045pub fn import_3des_key(
1046 sec_level: &binder::Strong<dyn IKeystoreSecurityLevel>,
1047 domain: Domain,
1048 nspace: i64,
1049 alias: Option<String>,
1050) -> binder::Result<KeyMetadata> {
1051 static TRIPLE_DES_KEY: &[u8] = &[
1052 0xa4, 0x9d, 0x75, 0x64, 0x19, 0x9e, 0x97, 0xcb, 0x52, 0x9d, 0x2c, 0x9d, 0x97, 0xbf, 0x2f,
1053 0x98, 0xd3, 0x5e, 0xdf, 0x57, 0xba, 0x1f, 0x73, 0x58,
1054 ];
1055
1056 let import_params = AuthSetBuilder::new()
1057 .no_auth_required()
1058 .algorithm(Algorithm::TRIPLE_DES)
1059 .block_mode(BlockMode::ECB)
1060 .key_size(168)
1061 .purpose(KeyPurpose::ENCRYPT)
1062 .purpose(KeyPurpose::DECRYPT)
1063 .padding_mode(PaddingMode::PKCS7);
1064
1065 let key_metadata = sec_level.importKey(
1066 &KeyDescriptor { domain, nspace, alias, blob: None },
1067 None,
1068 &import_params,
1069 0,
1070 TRIPLE_DES_KEY,
1071 )?;
1072
Rajesh Nyamagoud75dfa0c2023-05-11 00:31:40 +0000[diff] [blame]1073 check_key_authorizations(&key_metadata.authorizations, &import_params, KeyOrigin::IMPORTED);
Rajesh Nyamagoudd0213ef2023-05-04 00:29:55 +0000[diff] [blame]1074
1075 // Check below auths explicitly, they might not be addd in import parameters.
Rajesh Nyamagoudb8402b62022-04-08 01:05:47 +0000[diff] [blame]1076 assert!(check_key_param(
1077 &key_metadata.authorizations,
Rajesh Nyamagoudd0213ef2023-05-04 00:29:55 +0000[diff] [blame]1078 &KeyParameter {
Rajesh Nyamagoudb8402b62022-04-08 01:05:47 +0000[diff] [blame]1079 tag: Tag::ALGORITHM,
1080 value: KeyParameterValue::Algorithm(Algorithm::TRIPLE_DES)
1081 }
1082 ));
1083 assert!(check_key_param(
1084 &key_metadata.authorizations,
Rajesh Nyamagoudd0213ef2023-05-04 00:29:55 +0000[diff] [blame]1085 &KeyParameter { tag: Tag::KEY_SIZE, value: KeyParameterValue::Integer(168) }
Rajesh Nyamagoudb8402b62022-04-08 01:05:47 +0000[diff] [blame]1086 ));
1087 assert!(check_key_param(
1088 &key_metadata.authorizations,
Rajesh Nyamagoudd0213ef2023-05-04 00:29:55 +0000[diff] [blame]1089 &KeyParameter {
Rajesh Nyamagoudb8402b62022-04-08 01:05:47 +0000[diff] [blame]1090 tag: Tag::PADDING,
1091 value: KeyParameterValue::PaddingMode(PaddingMode::PKCS7)
1092 }
1093 ));
1094 assert!(check_key_param(
1095 &key_metadata.authorizations,
Rajesh Nyamagoudd0213ef2023-05-04 00:29:55 +0000[diff] [blame]1096 &KeyParameter { tag: Tag::BLOCK_MODE, value: KeyParameterValue::BlockMode(BlockMode::ECB) }
Rajesh Nyamagoudb8402b62022-04-08 01:05:47 +0000[diff] [blame]1097 ));
1098 assert!(check_key_param(
1099 &key_metadata.authorizations,
Rajesh Nyamagoudd0213ef2023-05-04 00:29:55 +0000[diff] [blame]1100 &KeyParameter { tag: Tag::ORIGIN, value: KeyParameterValue::Origin(KeyOrigin::IMPORTED) }
Rajesh Nyamagoudb8402b62022-04-08 01:05:47 +0000[diff] [blame]1101 ));
1102
1103 Ok(key_metadata)
1104}
1105
1106/// Import sample HMAC key and validate its key parameters.
1107pub fn import_hmac_key(
1108 sec_level: &binder::Strong<dyn IKeystoreSecurityLevel>,
1109 domain: Domain,
1110 nspace: i64,
1111 alias: Option<String>,
1112) -> binder::Result<KeyMetadata> {
1113 static HMAC_KEY: &[u8] = &[0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0];
1114 let key_size = HMAC_KEY.len() * 8;
1115
1116 let import_params = AuthSetBuilder::new()
1117 .no_auth_required()
1118 .algorithm(Algorithm::HMAC)
1119 .key_size(key_size.try_into().unwrap())
1120 .purpose(KeyPurpose::SIGN)
1121 .purpose(KeyPurpose::VERIFY)
1122 .digest(Digest::SHA_2_256)
1123 .min_mac_length(256);
1124
1125 let key_metadata = sec_level.importKey(
1126 &KeyDescriptor { domain, nspace, alias, blob: None },
1127 None,
1128 &import_params,
1129 0,
1130 HMAC_KEY,
1131 )?;
1132
Rajesh Nyamagoud75dfa0c2023-05-11 00:31:40 +0000[diff] [blame]1133 check_key_authorizations(&key_metadata.authorizations, &import_params, KeyOrigin::IMPORTED);
Rajesh Nyamagoudd0213ef2023-05-04 00:29:55 +0000[diff] [blame]1134
1135 // Check below auths explicitly, they might not be addd in import parameters.
Rajesh Nyamagoudb8402b62022-04-08 01:05:47 +0000[diff] [blame]1136 assert!(check_key_param(
1137 &key_metadata.authorizations,
Rajesh Nyamagoudd0213ef2023-05-04 00:29:55 +0000[diff] [blame]1138 &KeyParameter { tag: Tag::ALGORITHM, value: KeyParameterValue::Algorithm(Algorithm::HMAC) }
Rajesh Nyamagoudb8402b62022-04-08 01:05:47 +0000[diff] [blame]1139 ));
1140 assert!(check_key_param(
1141 &key_metadata.authorizations,
Rajesh Nyamagoudd0213ef2023-05-04 00:29:55 +0000[diff] [blame]1142 &KeyParameter { tag: Tag::KEY_SIZE, value: KeyParameterValue::Integer(128) }
Rajesh Nyamagoudb8402b62022-04-08 01:05:47 +0000[diff] [blame]1143 ));
1144 assert!(check_key_param(
1145 &key_metadata.authorizations,
Rajesh Nyamagoudd0213ef2023-05-04 00:29:55 +0000[diff] [blame]1146 &KeyParameter { tag: Tag::DIGEST, value: KeyParameterValue::Digest(Digest::SHA_2_256) }
Rajesh Nyamagoudb8402b62022-04-08 01:05:47 +0000[diff] [blame]1147 ));
1148 assert!(check_key_param(
1149 &key_metadata.authorizations,
Rajesh Nyamagoudd0213ef2023-05-04 00:29:55 +0000[diff] [blame]1150 &KeyParameter { tag: Tag::ORIGIN, value: KeyParameterValue::Origin(KeyOrigin::IMPORTED) }
Rajesh Nyamagoudb8402b62022-04-08 01:05:47 +0000[diff] [blame]1151 ));
1152
1153 Ok(key_metadata)
1154}
Rajesh Nyamagoudc946cc42022-04-12 22:49:11 +0000[diff] [blame]1155
1156/// Imports RSA encryption key with WRAP_KEY purpose.
1157pub fn import_wrapping_key(
1158 sec_level: &binder::Strong<dyn IKeystoreSecurityLevel>,
1159 wrapping_key_data: &[u8],
1160 wrapping_key_alias: Option<String>,
1161) -> binder::Result<KeyMetadata> {
1162 let wrapping_key_params = AuthSetBuilder::new()
1163 .no_auth_required()
1164 .algorithm(Algorithm::RSA)
1165 .digest(Digest::SHA_2_256)
1166 .purpose(KeyPurpose::ENCRYPT)
1167 .purpose(KeyPurpose::DECRYPT)
1168 .purpose(KeyPurpose::WRAP_KEY)
1169 .padding_mode(PaddingMode::RSA_OAEP)
1170 .key_size(2048)
1171 .rsa_public_exponent(65537)
1172 .cert_not_before(0)
1173 .cert_not_after(253402300799000);
1174
1175 sec_level.importKey(
1176 &KeyDescriptor { domain: Domain::APP, nspace: -1, alias: wrapping_key_alias, blob: None },
1177 None,
1178 &wrapping_key_params,
1179 0,
1180 wrapping_key_data,
1181 )
1182}
1183
1184/// Import wrapped key using given wrapping key.
1185pub fn import_wrapped_key(
1186 sec_level: &binder::Strong<dyn IKeystoreSecurityLevel>,
1187 alias: Option<String>,
1188 wrapping_key_metadata: &KeyMetadata,
1189 wrapped_key: Option<Vec<u8>>,
1190) -> binder::Result<KeyMetadata> {
1191 let unwrap_params =
1192 AuthSetBuilder::new().digest(Digest::SHA_2_256).padding_mode(PaddingMode::RSA_OAEP);
1193
1194 let authenticator_spec: &[AuthenticatorSpec] = &[AuthenticatorSpec {
1195 authenticatorType: HardwareAuthenticatorType::NONE,
1196 authenticatorId: 0,
1197 }];
1198
1199 let key_metadata = sec_level.importWrappedKey(
1200 &KeyDescriptor { domain: Domain::APP, nspace: -1, alias, blob: wrapped_key },
1201 &wrapping_key_metadata.key,
1202 None,
1203 &unwrap_params,
1204 authenticator_spec,
1205 )?;
1206
1207 Ok(key_metadata)
1208}
1209
1210/// Import wrapping key and then import wrapped key using wrapping key.
1211pub fn import_wrapping_key_and_wrapped_key(
1212 sec_level: &binder::Strong<dyn IKeystoreSecurityLevel>,
1213 domain: Domain,
1214 nspace: i64,
1215 alias: Option<String>,
1216 wrapping_key_alias: Option<String>,
1217 wrapping_key_params: AuthSetBuilder,
1218) -> binder::Result<KeyMetadata> {
1219 let wrapping_key_metadata = sec_level.importKey(
1220 &KeyDescriptor { domain, nspace, alias: wrapping_key_alias, blob: None },
1221 None,
1222 &wrapping_key_params,
1223 0,
1224 WRAPPING_KEY,
1225 )?;
1226
1227 import_wrapped_key(sec_level, alias, &wrapping_key_metadata, Some(WRAPPED_KEY.to_vec()))
1228}
1229
1230/// Import given key material as AES-256-GCM-NONE transport key.
1231pub fn import_transport_key(
1232 sec_level: &binder::Strong<dyn IKeystoreSecurityLevel>,
1233 transport_key_alias: Option<String>,
1234 transport_key: &[u8],
1235) -> binder::Result<KeyMetadata> {
1236 let transport_key_params = AuthSetBuilder::new()
1237 .no_auth_required()
1238 .algorithm(Algorithm::AES)
1239 .block_mode(BlockMode::GCM)
1240 .padding_mode(PaddingMode::NONE)
1241 .key_size(256)
1242 .caller_nonce()
1243 .min_mac_length(128)
1244 .purpose(KeyPurpose::ENCRYPT)
1245 .purpose(KeyPurpose::DECRYPT);
1246
1247 sec_level.importKey(
1248 &KeyDescriptor { domain: Domain::APP, nspace: -1, alias: transport_key_alias, blob: None },
1249 None,
1250 &transport_key_params,
1251 0,
1252 transport_key,
1253 )
1254}
Rajesh Nyamagoudaf050562022-11-11 01:56:45 +0000[diff] [blame]1255
1256/// Generate EC key with purpose AGREE_KEY.
1257pub fn generate_ec_agree_key(
1258 sec_level: &binder::Strong<dyn IKeystoreSecurityLevel>,
1259 ec_curve: EcCurve,
1260 digest: Digest,
1261 domain: Domain,
1262 nspace: i64,
1263 alias: Option<String>,
1264) -> binder::Result<KeyMetadata> {
1265 let gen_params = AuthSetBuilder::new()
1266 .no_auth_required()
1267 .algorithm(Algorithm::EC)
1268 .purpose(KeyPurpose::AGREE_KEY)
1269 .digest(digest)
1270 .ec_curve(ec_curve);
1271
1272 match sec_level.generateKey(
1273 &KeyDescriptor { domain, nspace, alias, blob: None },
1274 None,
1275 &gen_params,
1276 0,
1277 b"entropy",
1278 ) {
1279 Ok(key_metadata) => {
1280 assert!(key_metadata.certificate.is_some());
1281 if domain == Domain::BLOB {
1282 assert!(key_metadata.key.blob.is_some());
1283 }
1284
Rajesh Nyamagoud75dfa0c2023-05-11 00:31:40 +0000[diff] [blame]1285 check_key_authorizations(
1286 &key_metadata.authorizations,
1287 &gen_params,
1288 KeyOrigin::GENERATED,
1289 );
Rajesh Nyamagoudaf050562022-11-11 01:56:45 +0000[diff] [blame]1290 Ok(key_metadata)
1291 }
1292 Err(e) => Err(e),
1293 }
1294}
Rajesh Nyamagoud6a823492023-04-07 02:47:27 +0000[diff] [blame]1295
1296/// Helper method to import AES keys `total_count` of times.
1297pub fn import_aes_keys(
1298 sec_level: &binder::Strong<dyn IKeystoreSecurityLevel>,
1299 alias_prefix: String,
1300 total_count: Range<i32>,
1301) -> binder::Result<HashSet<String>> {
1302 let mut imported_key_aliases = HashSet::new();
1303
1304 // Import Total number of keys with given alias prefix.
1305 for count in total_count {
1306 let mut alias = String::new();
1307 write!(alias, "{}_{}", alias_prefix, count).unwrap();
1308 imported_key_aliases.insert(alias.clone());
1309
1310 import_aes_key(sec_level, Domain::APP, -1, Some(alias))?;
1311 }
1312
1313 Ok(imported_key_aliases)
1314}
Rajesh Nyamagouda42dee62022-04-22 21:15:55 +0000[diff] [blame]1315
1316/// Generate attested EC-P_256 key with device id attestation.
1317pub fn generate_key_with_attest_id(
1318 sec_level: &binder::Strong<dyn IKeystoreSecurityLevel>,
1319 algorithm: Algorithm,
1320 alias: Option<String>,
1321 att_challenge: &[u8],
1322 attest_key: &KeyDescriptor,
1323 attest_id: Tag,
1324 value: Vec<u8>,
1325) -> binder::Result<KeyMetadata> {
1326 assert!(algorithm == Algorithm::RSA || algorithm == Algorithm::EC);
1327
1328 let mut ec_gen_params;
1329 if algorithm == Algorithm::EC {
1330 ec_gen_params = AuthSetBuilder::new()
1331 .no_auth_required()
1332 .algorithm(Algorithm::EC)
1333 .purpose(KeyPurpose::SIGN)
1334 .purpose(KeyPurpose::VERIFY)
1335 .digest(Digest::SHA_2_256)
1336 .ec_curve(EcCurve::P_256)
1337 .attestation_challenge(att_challenge.to_vec());
1338 } else {
1339 ec_gen_params = AuthSetBuilder::new()
1340 .no_auth_required()
1341 .algorithm(Algorithm::RSA)
1342 .rsa_public_exponent(65537)
1343 .key_size(2048)
1344 .purpose(KeyPurpose::SIGN)
1345 .purpose(KeyPurpose::VERIFY)
1346 .digest(Digest::SHA_2_256)
1347 .padding_mode(PaddingMode::RSA_PKCS1_1_5_SIGN)
1348 .attestation_challenge(att_challenge.to_vec());
1349 }
1350
1351 match attest_id {
1352 Tag::ATTESTATION_ID_BRAND => {
1353 ec_gen_params = ec_gen_params.attestation_device_brand(value);
1354 }
1355 Tag::ATTESTATION_ID_DEVICE => {
1356 ec_gen_params = ec_gen_params.attestation_device_name(value);
1357 }
1358 Tag::ATTESTATION_ID_PRODUCT => {
1359 ec_gen_params = ec_gen_params.attestation_device_product_name(value);
1360 }
1361 Tag::ATTESTATION_ID_SERIAL => {
1362 ec_gen_params = ec_gen_params.attestation_device_serial(value);
1363 }
1364 Tag::ATTESTATION_ID_MANUFACTURER => {
1365 ec_gen_params = ec_gen_params.attestation_device_manufacturer(value);
1366 }
1367 Tag::ATTESTATION_ID_MODEL => {
1368 ec_gen_params = ec_gen_params.attestation_device_model(value);
1369 }
1370 Tag::ATTESTATION_ID_IMEI => {
1371 ec_gen_params = ec_gen_params.attestation_device_imei(value);
1372 }
1373 Tag::ATTESTATION_ID_SECOND_IMEI => {
1374 ec_gen_params = ec_gen_params.attestation_device_second_imei(value);
1375 }
1376 _ => {
1377 panic!("Unknown attestation id");
1378 }
1379 }
1380
1381 sec_level.generateKey(
1382 &KeyDescriptor { domain: Domain::APP, nspace: -1, alias, blob: None },
1383 Some(attest_key),
1384 &ec_gen_params,
1385 0,
1386 b"entropy",
1387 )
1388}
Rajesh Nyamagoud75dfa0c2023-05-11 00:31:40 +0000[diff] [blame]1389
1390/// Generate Key and validate key characteristics.
1391pub fn generate_key(
1392 sec_level: &binder::Strong<dyn IKeystoreSecurityLevel>,
1393 gen_params: &AuthSetBuilder,
1394 alias: &str,
1395) -> binder::Result<KeyMetadata> {
1396 let key_metadata = sec_level.generateKey(
1397 &KeyDescriptor {
1398 domain: Domain::APP,
1399 nspace: -1,
1400 alias: Some(alias.to_string()),
1401 blob: None,
1402 },
1403 None,
1404 gen_params,
1405 0,
1406 b"entropy",
1407 )?;
1408
1409 if gen_params.iter().any(|kp| {
1410 matches!(
1411 kp.value,
1412 KeyParameterValue::Algorithm(Algorithm::RSA)
1413 | KeyParameterValue::Algorithm(Algorithm::EC)
1414 )
1415 }) {
1416 assert!(key_metadata.certificate.is_some());
1417 if gen_params.iter().any(|kp| kp.tag == Tag::ATTESTATION_CHALLENGE) {
1418 assert!(key_metadata.certificateChain.is_some());
Rajesh Nyamagoud5f6db2f2023-06-01 17:22:32 +0000[diff] [blame]1419 let mut cert_chain: Vec<u8> = Vec::new();
1420 cert_chain.extend(key_metadata.certificate.as_ref().unwrap());
1421 cert_chain.extend(key_metadata.certificateChain.as_ref().unwrap());
1422 validate_certchain(&cert_chain).expect("Error while validating cert chain");
1423 }
1424
1425 if let Some(challenge_param) =
1426 gen_params.iter().find(|kp| kp.tag == Tag::ATTESTATION_CHALLENGE)
1427 {
1428 if let KeyParameterValue::Blob(val) = &challenge_param.value {
1429 let att_challenge = get_value_from_attest_record(
1430 key_metadata.certificate.as_ref().unwrap(),
1431 challenge_param.tag,
1432 key_metadata.keySecurityLevel,
1433 )
1434 .expect("Attestation challenge verification failed.");
1435 assert_eq!(&att_challenge, val);
1436 }
1437
1438 let att_app_id = get_value_from_attest_record(
1439 key_metadata.certificate.as_ref().unwrap(),
1440 Tag::ATTESTATION_APPLICATION_ID,
1441 SecurityLevel::KEYSTORE,
1442 )
1443 .expect("Attestation application id verification failed.");
1444 assert!(!att_app_id.is_empty());
Rajesh Nyamagoud75dfa0c2023-05-11 00:31:40 +0000[diff] [blame]1445 }
1446 }
1447 check_key_authorizations(&key_metadata.authorizations, gen_params, KeyOrigin::GENERATED);
1448
1449 Ok(key_metadata)
1450}
1451
1452/// Generate a key using given authorizations and create an operation using the generated key.
1453pub fn create_key_and_operation(
1454 sec_level: &binder::Strong<dyn IKeystoreSecurityLevel>,
1455 gen_params: &AuthSetBuilder,
1456 op_params: &AuthSetBuilder,
1457 alias: &str,
1458) -> binder::Result<CreateOperationResponse> {
1459 let key_metadata = generate_key(sec_level, gen_params, alias)?;
1460
1461 sec_level.createOperation(&key_metadata.key, op_params, false)
1462}