Create authorizations and key_generations test modules -

- authorizations: helper struct to create set of key authorizations - key_generations: helper methods to generate various keys. Test: N/A Change-Id: I23250838b7b6d8ad59f5ef8682861a07e856299f
author: Rajesh Nyamagoud <nyamagoud@google.com> 2022-03-21 20:35:18 +0000
committer: Rajesh Nyamagoud <nyamagoud@google.com> 2022-03-25 19:51:23 +0000
commit: 901386c2c44a34688563ab8328311186e0695d03 (patch)
tree: 15d3684a676c49e45f8be88db1b5b0d7eff08188 /keystore2/test_utils
parent: b174ed0494c13b4adb6bdd634f4bec512878a025 (diff)
download: security-901386c2c44a34688563ab8328311186e0695d03.tar.gz
3 files changed, 167 insertions, 0 deletions
diff --git a/keystore2/test_utils/authorizations.rs b/keystore2/test_utils/authorizations.rs
new file mode 100644
index 00000000..4fbe1241
--- /dev/null
+++ b/keystore2/test_utils/authorizations.rs
@@ -0,0 +1,88 @@
+// Copyright 2022, The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+//! This module implements test utils to create Autherizations.
+
+use std::ops::Deref;
+
+use android_hardware_security_keymint::aidl::android::hardware::security::keymint::{
+    Algorithm::Algorithm, Digest::Digest, EcCurve::EcCurve, KeyParameter::KeyParameter,
+    KeyParameterValue::KeyParameterValue, KeyPurpose::KeyPurpose, Tag::Tag,
+};
+
+/// Helper struct to create set of Authorizations.
+pub struct AuthSetBuilder(Vec<KeyParameter>);
+
+impl Default for AuthSetBuilder {
+    fn default() -> Self {
+        Self::new()
+    }
+}
+
+impl AuthSetBuilder {
+    /// Creates new Authorizations list.
+    pub fn new() -> Self {
+        Self(Vec::new())
+    }
+
+    /// Add Purpose.
+    pub fn purpose(mut self, p: KeyPurpose) -> Self {
+        self.0.push(KeyParameter { tag: Tag::PURPOSE, value: KeyParameterValue::KeyPurpose(p) });
+        self
+    }
+
+    /// Add Digest.
+    pub fn digest(mut self, d: Digest) -> Self {
+        self.0.push(KeyParameter { tag: Tag::DIGEST, value: KeyParameterValue::Digest(d) });
+        self
+    }
+
+    /// Add Algorithm.
+    pub fn algorithm(mut self, a: Algorithm) -> Self {
+        self.0.push(KeyParameter { tag: Tag::ALGORITHM, value: KeyParameterValue::Algorithm(a) });
+        self
+    }
+
+    /// Add EC-Curve.
+    pub fn ec_curve(mut self, e: EcCurve) -> Self {
+        self.0.push(KeyParameter { tag: Tag::EC_CURVE, value: KeyParameterValue::EcCurve(e) });
+        self
+    }
+
+    /// Add Attestation-Challenge.
+    pub fn attestation_challenge(mut self, b: Vec<u8>) -> Self {
+        self.0.push(KeyParameter {
+            tag: Tag::ATTESTATION_CHALLENGE,
+            value: KeyParameterValue::Blob(b),
+        });
+        self
+    }
+
+    /// Add Attestation-ID.
+    pub fn attestation_app_id(mut self, b: Vec<u8>) -> Self {
+        self.0.push(KeyParameter {
+            tag: Tag::ATTESTATION_APPLICATION_ID,
+            value: KeyParameterValue::Blob(b),
+        });
+        self
+    }
+}
+
+impl Deref for AuthSetBuilder {
+    type Target = Vec<KeyParameter>;
+
+    fn deref(&self) -> &Self::Target {
+        &self.0
+    }
+}
diff --git a/keystore2/test_utils/key_generations.rs b/keystore2/test_utils/key_generations.rs
new file mode 100644
index 00000000..f49aa9ff
--- /dev/null
+++ b/keystore2/test_utils/key_generations.rs
@@ -0,0 +1,68 @@
+// Copyright 2022, The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+//! This module implements test utils to generate various types of keys.
+
+use android_hardware_security_keymint::aidl::android::hardware::security::keymint::{
+    Algorithm::Algorithm, Digest::Digest, EcCurve::EcCurve, KeyPurpose::KeyPurpose,
+};
+use android_system_keystore2::aidl::android::system::keystore2::{
+    Domain::Domain, IKeystoreSecurityLevel::IKeystoreSecurityLevel, KeyDescriptor::KeyDescriptor,
+    KeyMetadata::KeyMetadata,
+};
+
+use crate::authorizations::AuthSetBuilder;
+
+const SELINUX_SHELL_NAMESPACE: i64 = 1;
+
+/// Generate attested EC Key blob using given security level with below key parameters -
+///     Purposes: SIGN and VERIFY
+///     Digest: SHA_2_256
+///     Curve: P_256
+pub fn generate_ec_p256_signing_key_with_attestation(
+    sec_level: &binder::Strong<dyn IKeystoreSecurityLevel>,
+) -> binder::Result<KeyMetadata> {
+    let att_challenge: &[u8] = b"foo";
+    let att_app_id: &[u8] = b"bar";
+    let gen_params = AuthSetBuilder::new()
+        .algorithm(Algorithm::EC)
+        .purpose(KeyPurpose::SIGN)
+        .purpose(KeyPurpose::VERIFY)
+        .digest(Digest::SHA_2_256)
+        .ec_curve(EcCurve::P_256)
+        .attestation_challenge(att_challenge.to_vec())
+        .attestation_app_id(att_app_id.to_vec());
+
+    match sec_level.generateKey(
+        &KeyDescriptor {
+            domain: Domain::BLOB,
+            nspace: SELINUX_SHELL_NAMESPACE,
+            alias: None,
+            blob: None,
+        },
+        None,
+        &gen_params,
+        0,
+        b"entropy",
+    ) {
+        Ok(key_metadata) => {
+            assert!(key_metadata.certificate.is_some());
+            assert!(key_metadata.certificateChain.is_some());
+            assert!(key_metadata.key.blob.is_some());
+
+            Ok(key_metadata)
+        }
+        Err(e) => Err(e),
+    }
+}
diff --git a/keystore2/test_utils/lib.rs b/keystore2/test_utils/lib.rs
index a355544b..c63bfacc 100644
--- a/keystore2/test_utils/lib.rs
+++ b/keystore2/test_utils/lib.rs
@@ -19,8 +19,14 @@ use std::io::ErrorKind;
 use std::path::{Path, PathBuf};
 use std::{env::temp_dir, ops::Deref};
 
+use android_system_keystore2::aidl::android::system::keystore2::IKeystoreService::IKeystoreService;
+
+pub mod authorizations;
+pub mod key_generations;
 pub mod run_as;
 
+static KS2_SERVICE_NAME: &str = "android.system.keystore2.IKeystoreService/default";
+
 /// Represents the lifecycle of a temporary directory for testing.
 #[derive(Debug)]
 pub struct TempDir {
@@ -104,3 +110,8 @@ impl Deref for PathBuilder {
         &self.0
     }
 }
+
+/// Get Keystore2 service.
+pub fn get_keystore_service() -> binder::Strong<dyn IKeystoreService> {
+    binder::get_interface(KS2_SERVICE_NAME).unwrap()
+}
author	Rajesh Nyamagoud <nyamagoud@google.com>	2022-03-21 20:35:18 +0000
committer	Rajesh Nyamagoud <nyamagoud@google.com>	2022-03-25 19:51:23 +0000
commit	901386c2c44a34688563ab8328311186e0695d03 (patch)
tree	15d3684a676c49e45f8be88db1b5b0d7eff08188 /keystore2/test_utils
parent	b174ed0494c13b4adb6bdd634f4bec512878a025 (diff)
download	security-901386c2c44a34688563ab8328311186e0695d03.tar.gz