authorRajesh Nyamagoud <nyamagoud@google.com>2022-01-08 00:37:13 +0000
committerRajesh Nyamagoud <nyamagoud@google.com>2022-07-22 18:58:41 +0000
commit4740993bf18a1320860d95588786ede7d51c0f22 (patch)
treedbb69537ce4385d3af4c81b0c108a75255c31c3c /keystore2/test_utils
parent11912eaf788418ea6b0ef735c5f6c40fdda8f755 (diff)
Adding tests using AES algorithm.
- Generate AES keys with block modes [ECB, CBC] and padding modes [NONE, PKCS7].
  Should be able to create operations successfully with these generated keys.
- Generate AES keys with block modes [CTR, GCM] and padding modes [NONE, PKCS7].
  Should be able to create operations successfully with padding mode NONE.
  With PKCS7 padding mode, creation of an operation should fail with
  incompatible padding mode.
- Try to generate a key and create an operation with invalid inputs; it
  should fail with proper error codes.
  - with unsupported key size
  - with GCM block mode without providing min-mac-length
  - with multiple block modes
  - with multiple padding modes
  - with incompatible padding modes
  - with incompatible block modes
  - with missing mac-length
  - with invalid mac-length
  - with unsupported mac-length
- With AES-CBC-PKCS7 key without `CALLER_NONCE` authorization, try to set a
  nonce while creating an operation.

Bug: 194359114
Test: atest keystore2_client_test
Change-Id: Ibf1b8460317b4c99d9060d5889c8b3778a80ca5b
Diffstat (limited to 'keystore2/test_utils')
-rw-r--r--keystore2/test_utils/authorizations.rs19
-rw-r--r--keystore2/test_utils/key_generations.rs43
2 files changed, 62 insertions, 0 deletions
diff --git a/keystore2/test_utils/authorizations.rs b/keystore2/test_utils/authorizations.rs
index 5876c091..c2f0279e 100644
--- a/keystore2/test_utils/authorizations.rs
+++ b/keystore2/test_utils/authorizations.rs
@@ -142,6 +142,25 @@ impl AuthSetBuilder {
});
self
}
+
+ /// Add nonce.
+ pub fn nonce(mut self, b: Vec<u8>) -> Self {
+ self.0.push(KeyParameter { tag: Tag::NONCE, value: KeyParameterValue::Blob(b) });
+ self
+ }
+
+ /// Add MAC length.
+ pub fn mac_length(mut self, l: i32) -> Self {
+ self.0.push(KeyParameter { tag: Tag::MAC_LENGTH, value: KeyParameterValue::Integer(l) });
+ self
+ }
+
+ /// Add min MAC length.
+ pub fn min_mac_length(mut self, l: i32) -> Self {
+ self.0
+ .push(KeyParameter { tag: Tag::MIN_MAC_LENGTH, value: KeyParameterValue::Integer(l) });
+ self
+ }
}
impl Deref for AuthSetBuilder {
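Review bot: The doc comments on `mac_length` and `min_mac_length` do not state the unit, and the parameter name `l` is easy to misread as `1`. KeyMint takes both tags in bits, so a test that passes a byte count would exercise a different error path than the one it means to check. I would rename the parameter to `len_bits` or at least write `/// Add MAC length (requested tag/MAC size for an operation), in bits.` and `/// Add minimum MAC length the key will accept, in bits.`. For `nonce`, the comment could say that this is a caller-supplied operation nonce and that keys without `CALLER_NONCE` are expected to reject it, which is the case the commit message's last test relies on. The `impl AuthSetBuilder` block starts outside this hunk.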
diff --git a/keystore2/test_utils/key_generations.rs b/keystore2/test_utils/key_generations.rs
index 36986ecf..047df284 100644
--- a/keystore2/test_utils/key_generations.rs
+++ b/keystore2/test_utils/key_generations.rs
@@ -253,3 +253,46 @@ pub fn generate_rsa_key(
Ok(key_metadata)
}
+
+/// Generate AES key.
+pub fn generate_aes_key(
+ sec_level: &binder::Strong<dyn IKeystoreSecurityLevel>,
+ size: i32,
+ alias: &str,
+ padding_mode: &PaddingMode,
+ block_mode: &BlockMode,
+ min_mac_len: Option<i32>,
+) -> binder::Result<KeyMetadata> {
+ let mut gen_params = AuthSetBuilder::new()
+ .no_auth_required()
+ .algorithm(Algorithm::AES)
+ .purpose(KeyPurpose::ENCRYPT)
+ .purpose(KeyPurpose::DECRYPT)
+ .key_size(size)
+ .padding_mode(*padding_mode)
+ .block_mode(*block_mode);
+
+ if let Some(val) = min_mac_len {
+ gen_params = gen_params.min_mac_length(val);
+ }
+
+ let key_metadata = sec_level.generateKey(
+ &KeyDescriptor {
+ domain: Domain::APP,
+ nspace: -1,
+ alias: Some(alias.to_string()),
+ blob: None,
+ },
+ None,
+ &gen_params,
+ 0,
+ b"entropy",
+ )?;
+
+ // Should not have public certificate.
+ assert!(key_metadata.certificate.is_none());
+
+ // Should not have an attestation record.
+ assert!(key_metadata.certificateChain.is_none());
+ Ok(key_metadata)
+}
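Review bot: The `/// Generate AES key.` comment leaves out the contract that the negative tests depend on. `size` is the key size in bits, and `min_mac_len` is also in bits and has to be `Some(..)` for GCM; going by the commit message, `None` there is expected to produce the missing-min-MAC-length error rather than a key. The key is also created with `no_auth_required` for both ENCRYPT and DECRYPT under `Domain::APP` with `nspace: -1`. I would spell that out in the doc comment and add an `# Errors` line saying the `binder::Result` carries the `generateKey` failure unchanged so callers can match on the error code, while the two `assert!`s panic instead of returning. As a smaller style point, `padding_mode` and `block_mode` are dereferenced with `*` straight away, so the types look `Copy` and could be taken by value: `padding_mode: PaddingMode, block_mode: BlockMode`.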