authorRajesh Nyamagoud <nyamagoud@google.com>2021-12-10 00:33:15 +0000
committerRajesh Nyamagoud <nyamagoud@google.com>2022-05-13 22:30:16 +0000
commitb881d5189ce78a13922ecddad598886f2806be80 (patch)
tree9db12d2240604d265ffc75900b2b96f3e36dd631 /keystore2/test_utils
parent45689e569c97c777b31a3fc30a14563133733977 (diff)
Adding test to create BACKEND_BUSY error
Creates multiple child procs, each of which creates operations; the parent proc waits for the status of all child proc operations and expects one or more operations to fail with a backend busy error. Bug: 194359114 Test: atest keystore2_client_test Change-Id: I52f95a7cfd031d80c88bfc2ca478a26572f40150
Diffstat (limited to 'keystore2/test_utils')
-rw-r--r--keystore2/test_utils/authorizations.rs10
-rw-r--r--keystore2/test_utils/key_generations.rs93
2 files changed, 84 insertions, 19 deletions
diff --git a/keystore2/test_utils/authorizations.rs b/keystore2/test_utils/authorizations.rs
index 4fbe1241..d5a7b7b1 100644
--- a/keystore2/test_utils/authorizations.rs
+++ b/keystore2/test_utils/authorizations.rs
@@ -22,6 +22,7 @@ use android_hardware_security_keymint::aidl::android::hardware::security::keymin
};
/// Helper struct to create set of Authorizations.
+#[derive(Debug, Clone, Eq, Hash, Ord, PartialEq, PartialOrd)]
pub struct AuthSetBuilder(Vec<KeyParameter>);
impl Default for AuthSetBuilder {
@@ -77,6 +78,15 @@ impl AuthSetBuilder {
});
self
}
+
+ /// Add No_auth_required.
+ pub fn no_auth_required(mut self) -> Self {
+ self.0.push(KeyParameter {
+ tag: Tag::NO_AUTH_REQUIRED,
+ value: KeyParameterValue::BoolValue(true),
+ });
+ self
+ }
}
impl Deref for AuthSetBuilder {
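Review bot: The doc comment on `no_auth_required` only restates the tag name, which hides the security-relevant effect from a reader of the test helpers. `Tag::NO_AUTH_REQUIRED` marks the key as usable without user authentication, so the comment should say that, for example `/// Adds Tag::NO_AUTH_REQUIRED, so the generated key can be used without user authentication.` The surrounding `impl AuthSetBuilder` block starts outside this hunk, so it is not visible whether sibling methods document their tags the same way.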
diff --git a/keystore2/test_utils/key_generations.rs b/keystore2/test_utils/key_generations.rs
index f49aa9ff..d917fa1d 100644
--- a/keystore2/test_utils/key_generations.rs
+++ b/keystore2/test_utils/key_generations.rs
@@ -14,43 +14,94 @@
//! This module implements test utils to generate various types of keys.
+use anyhow::Result;
+
use android_hardware_security_keymint::aidl::android::hardware::security::keymint::{
- Algorithm::Algorithm, Digest::Digest, EcCurve::EcCurve, KeyPurpose::KeyPurpose,
+ Algorithm::Algorithm, Digest::Digest, EcCurve::EcCurve, ErrorCode::ErrorCode,
+ KeyPurpose::KeyPurpose,
};
use android_system_keystore2::aidl::android::system::keystore2::{
Domain::Domain, IKeystoreSecurityLevel::IKeystoreSecurityLevel, KeyDescriptor::KeyDescriptor,
- KeyMetadata::KeyMetadata,
+ KeyMetadata::KeyMetadata, ResponseCode::ResponseCode,
};
use crate::authorizations::AuthSetBuilder;
+use android_system_keystore2::binder::{ExceptionCode, Result as BinderResult};
+
+/// Shell namespace.
+pub const SELINUX_SHELL_NAMESPACE: i64 = 1;
-const SELINUX_SHELL_NAMESPACE: i64 = 1;
+/// To map Keystore errors.
+#[derive(thiserror::Error, Debug, Eq, PartialEq)]
+pub enum Error {
+ /// Keystore2 error code
+ #[error("ResponseCode {0:?}")]
+ Rc(ResponseCode),
+ /// Keymint error code
+ #[error("ErrorCode {0:?}")]
+ Km(ErrorCode),
+ /// Exception
+ #[error("Binder exception {0:?}")]
+ Binder(ExceptionCode),
+}
+
+/// Keystore2 error mapping.
+pub fn map_ks_error<T>(r: BinderResult<T>) -> Result<T, Error> {
+ r.map_err(|s| {
+ match s.exception_code() {
+ ExceptionCode::SERVICE_SPECIFIC => {
+ match s.service_specific_error() {
+ se if se < 0 => {
+ // Negative service specific errors are KM error codes.
+ Error::Km(ErrorCode(se))
+ }
+ se => {
+ // Positive service specific errors are KS response codes.
+ Error::Rc(ResponseCode(se))
+ }
+ }
+ }
+ // We create `Error::Binder` to preserve the exception code
+ // for logging.
+ e_code => Error::Binder(e_code),
+ }
+ })
+}
-/// Generate attested EC Key blob using given security level with below key parameters -
+/// Generate EC Key using given security level and domain with below key parameters and
+/// optionally allow the generated key to be attested with factory provisioned attest key using
+/// given challenge and application id -
/// Purposes: SIGN and VERIFY
/// Digest: SHA_2_256
/// Curve: P_256
-pub fn generate_ec_p256_signing_key_with_attestation(
+pub fn generate_ec_p256_signing_key(
sec_level: &binder::Strong<dyn IKeystoreSecurityLevel>,
+ domain: Domain,
+ nspace: i64,
+ alias: Option<String>,
+ att_challenge: Option<&[u8]>,
+ att_app_id: Option<&[u8]>,
) -> binder::Result<KeyMetadata> {
- let att_challenge: &[u8] = b"foo";
- let att_app_id: &[u8] = b"bar";
- let gen_params = AuthSetBuilder::new()
+ let mut key_attest = false;
+ let mut gen_params = AuthSetBuilder::new()
.algorithm(Algorithm::EC)
.purpose(KeyPurpose::SIGN)
.purpose(KeyPurpose::VERIFY)
.digest(Digest::SHA_2_256)
- .ec_curve(EcCurve::P_256)
- .attestation_challenge(att_challenge.to_vec())
- .attestation_app_id(att_app_id.to_vec());
+ .ec_curve(EcCurve::P_256);
+
+ if let Some(challenge) = att_challenge {
+ key_attest = true;
+ gen_params = gen_params.clone().attestation_challenge(challenge.to_vec());
+ }
+
+ if let Some(app_id) = att_app_id {
+ key_attest = true;
+ gen_params = gen_params.clone().attestation_app_id(app_id.to_vec());
+ }
match sec_level.generateKey(
- &KeyDescriptor {
- domain: Domain::BLOB,
- nspace: SELINUX_SHELL_NAMESPACE,
- alias: None,
- blob: None,
- },
+ &KeyDescriptor { domain, nspace, alias, blob: None },
None,
&gen_params,
0,
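Review bot: `key_attest` is set to true in both the `att_challenge` and the `att_app_id` branch, so a caller that passes only an application id is treated as having requested attestation. If a certificate chain is only produced when a challenge is supplied (this looks like the KeyMint behaviour, but confirm against the HAL documentation), the flag should follow the challenge alone, `let key_attest = att_challenge.is_some();`, and the `key_attest = true;` line in the app-id branch can be dropped. The `.clone()` before each builder call also looks unnecessary, since the builder method visible in authorizations.rs takes `self` by value: `gen_params = gen_params.attestation_challenge(challenge.to_vec());`. The body of `generate_ec_p256_signing_key` continues past the end of this hunk; the assertions that consume the flag are in the following hunk.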
@@ -58,8 +109,12 @@ pub fn generate_ec_p256_signing_key_with_attestation(
) {
Ok(key_metadata) => {
assert!(key_metadata.certificate.is_some());
- assert!(key_metadata.certificateChain.is_some());
- assert!(key_metadata.key.blob.is_some());
+ if key_attest {
+ assert!(key_metadata.certificateChain.is_some());
+ }
+ if domain == Domain::BLOB {
+ assert!(key_metadata.key.blob.is_some());
+ }
Ok(key_metadata)
}