diff options
author | Rajesh Nyamagoud <nyamagoud@google.com> | 2022-01-08 00:37:13 +0000 |
---|---|---|
committer | Rajesh Nyamagoud <nyamagoud@google.com> | 2022-07-22 18:58:41 +0000 |
commit | 4740993bf18a1320860d95588786ede7d51c0f22 (patch) | |
tree | dbb69537ce4385d3af4c81b0c108a75255c31c3c /keystore2/test_utils | |
parent | 11912eaf788418ea6b0ef735c5f6c40fdda8f755 (diff) | |
download | security-4740993bf18a1320860d95588786ede7d51c0f22.tar.gz |
Adding tests using AES algorithm.
- Generate AES keys with block modes [ECB, CBC] and padding modes [NONE,
PKCS7]. Should be able to create operations successfully with these
generated keys.
- Generate AES keys with block modes [CTR, GCM] and padding modes [NONE,
PKCS7]. Should be able to create operations successfully with padding
mode NONE. With PKCS7 padding mode creation of an operation should
fail with incompatible padding mode.
- Try to generate a key and create an operation with invalid inputs, it
should fail with proper error codes.
- with unsupported key size
- with GCM block mode without providing min-mac-length
- with multiple block modes
- with multiple padding modes
- with incompatible padding modes
- with incompatible block modes
- with missing mac-length
- with invalid mac-length
- with unsupported mac-length
- With AES-CBC-PKCS7 key without `CALLER_NONCE` authorization, Try to
set nonce while creating an operation.
Bug: 194359114
Test: atest keystore2_client_test
Change-Id: Ibf1b8460317b4c99d9060d5889c8b3778a80ca5b
Diffstat (limited to 'keystore2/test_utils')
-rw-r--r-- | keystore2/test_utils/authorizations.rs | 19 | ||||
-rw-r--r-- | keystore2/test_utils/key_generations.rs | 43 |
2 files changed, 62 insertions, 0 deletions
diff --git a/keystore2/test_utils/authorizations.rs b/keystore2/test_utils/authorizations.rs index 5876c091..c2f0279e 100644 --- a/keystore2/test_utils/authorizations.rs +++ b/keystore2/test_utils/authorizations.rs @@ -142,6 +142,25 @@ impl AuthSetBuilder { }); self } + + /// Add nonce. + pub fn nonce(mut self, b: Vec<u8>) -> Self { + self.0.push(KeyParameter { tag: Tag::NONCE, value: KeyParameterValue::Blob(b) }); + self + } + + /// Add MAC length. + pub fn mac_length(mut self, l: i32) -> Self { + self.0.push(KeyParameter { tag: Tag::MAC_LENGTH, value: KeyParameterValue::Integer(l) }); + self + } + + /// Add min MAC length. + pub fn min_mac_length(mut self, l: i32) -> Self { + self.0 + .push(KeyParameter { tag: Tag::MIN_MAC_LENGTH, value: KeyParameterValue::Integer(l) }); + self + } } impl Deref for AuthSetBuilder { diff --git a/keystore2/test_utils/key_generations.rs b/keystore2/test_utils/key_generations.rs index 36986ecf..047df284 100644 --- a/keystore2/test_utils/key_generations.rs +++ b/keystore2/test_utils/key_generations.rs @@ -253,3 +253,46 @@ pub fn generate_rsa_key( Ok(key_metadata) } + +/// Generate AES key. +pub fn generate_aes_key( + sec_level: &binder::Strong<dyn IKeystoreSecurityLevel>, + size: i32, + alias: &str, + padding_mode: &PaddingMode, + block_mode: &BlockMode, + min_mac_len: Option<i32>, +) -> binder::Result<KeyMetadata> { + let mut gen_params = AuthSetBuilder::new() + .no_auth_required() + .algorithm(Algorithm::AES) + .purpose(KeyPurpose::ENCRYPT) + .purpose(KeyPurpose::DECRYPT) + .key_size(size) + .padding_mode(*padding_mode) + .block_mode(*block_mode); + + if let Some(val) = min_mac_len { + gen_params = gen_params.min_mac_length(val); + } + + let key_metadata = sec_level.generateKey( + &KeyDescriptor { + domain: Domain::APP, + nspace: -1, + alias: Some(alias.to_string()), + blob: None, + }, + None, + &gen_params, + 0, + b"entropy", + )?; + + // Should not have public certificate. + assert!(key_metadata.certificate.is_none()); + + // Should not have an attestation record. + assert!(key_metadata.certificateChain.is_none()); + Ok(key_metadata) +} |