Adding tests using tags ACTIVE_DATETIME, ORIGINATION_EXPIRE_DATETIME,

USAGE_EXPIRE_DATETIME.

1. Tests will generate a key with current date and time set to
   active-datetime and verify the key characteristics. Test will use
   this key to create a sign operation successfully.

2. Test will generate a key with future date set to active-datetime and
   verify the key characteristics. Test will fail with error code
   `KEY_NOT_YET_VALID` while creating an operation using generated key.

3. Tests will generate a key with future date and time set to
   origination-expire-datetime and verify the key characteristics. Test
   will use this key to create a sign operation successfully.

4. Test will generate a key with current date and time set to
   origination-expire-datetime and verify the key characteristics. Test
   will fail with error code `KEY_EXPIRED` while creating an operation
   using generated key.

5. Tests will generate a key with future date and time set to
   usage-expire-datetime and verify the key characteristics. Test
   will use this key to successfully verify the signature created using
   this key.

6. Tests will generate a key with current date and time set to
   usage-expire-datetime and verify the key characteristics. Test
   will fail with error code `KEY_EXPIRED` while verifying the signature
   created using this key.

7. Test will generate a AES key with future date and time set to
   usage-expire-datetime and verify the key characteristics. Test
   will perform encrypt and decrypt operations using this generated key
   successfully.

8. Test will generate a AES key with current date and time set to
   usage-expire-datetime and verify the key characteristics. Test
   will fail with error code `KEY_EXPIRED` while creating Decrypt
   operation using generated key.

Bug: 279721870
Test: atest keystore2_client_tests
Change-Id: I8a0865a6256a6da133e95d0ee8250ba67359a2a2

2 files changed, 323 insertions, 0 deletions

diff --git a/keystore2/tests/keystore2_client_authorizations_tests.rs b/keystore2/tests/keystore2_client_authorizations_tests.rs
new file mode 100644
index 00000000..e518a1c7
--- /dev/null
+++ b/keystore2/tests/keystore2_client_authorizations_tests.rs
@@ -0,0 +1,322 @@
+// Copyright 2023, The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+use std::time::SystemTime;
+
+use android_hardware_security_keymint::aidl::android::hardware::security::keymint::{
+    Algorithm::Algorithm, BlockMode::BlockMode, Digest::Digest, EcCurve::EcCurve,
+    ErrorCode::ErrorCode, KeyPurpose::KeyPurpose, PaddingMode::PaddingMode,
+    SecurityLevel::SecurityLevel,
+};
+
+use keystore2_test_utils::{
+    authorizations, get_keystore_service, key_generations, key_generations::Error,
+};
+
+use crate::keystore2_client_test_utils::{
+    delete_app_key, perform_sample_hmac_sign_verify_op, perform_sample_sym_key_decrypt_op,
+    perform_sample_sym_key_encrypt_op, SAMPLE_PLAIN_TEXT,
+};
+
+/// Generate a key with `ACTIVE_DATETIME` set to current time. Test should successfully generate
+/// a key and verify the key characteristics. Test should be able to create a sign operation using
+/// the generated key successfully.
+#[test]
+fn keystore2_gen_key_auth_active_datetime_test_success() {
+    let keystore2 = get_keystore_service();
+    let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+
+    let duration_since_epoch = SystemTime::now().duration_since(SystemTime::UNIX_EPOCH).unwrap();
+    let active_datetime = duration_since_epoch.as_millis();
+    let gen_params = authorizations::AuthSetBuilder::new()
+        .no_auth_required()
+        .algorithm(Algorithm::EC)
+        .purpose(KeyPurpose::SIGN)
+        .purpose(KeyPurpose::VERIFY)
+        .digest(Digest::SHA_2_256)
+        .ec_curve(EcCurve::P_256)
+        .attestation_challenge(b"foo".to_vec())
+        .active_date_time(active_datetime.try_into().unwrap());
+
+    let alias = "ks_test_auth_tags_test";
+    let result = key_generations::create_key_and_operation(
+        &sec_level,
+        &gen_params,
+        &authorizations::AuthSetBuilder::new().purpose(KeyPurpose::SIGN).digest(Digest::SHA_2_256),
+        alias,
+    );
+
+    assert!(result.is_ok());
+    delete_app_key(&keystore2, alias).unwrap();
+}
+
+/// Generate a key with `ACTIVE_DATETIME` set to future date and time. Test should successfully
+/// generate a key and verify the key characteristics. Try to create a sign operation
+/// using the generated key, test should fail to create an operation with error code
+/// `KEY_NOT_YET_VALID`.
+#[test]
+fn keystore2_gen_key_auth_future_active_datetime_test_op_fail() {
+    let keystore2 = get_keystore_service();
+    let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+
+    let duration_since_epoch = SystemTime::now().duration_since(SystemTime::UNIX_EPOCH).unwrap();
+    let future_active_datetime = duration_since_epoch.as_millis() + (24 * 60 * 60 * 1000);
+    let gen_params = authorizations::AuthSetBuilder::new()
+        .no_auth_required()
+        .algorithm(Algorithm::EC)
+        .purpose(KeyPurpose::SIGN)
+        .purpose(KeyPurpose::VERIFY)
+        .digest(Digest::SHA_2_256)
+        .ec_curve(EcCurve::P_256)
+        .attestation_challenge(b"foo".to_vec())
+        .active_date_time(future_active_datetime.try_into().unwrap());
+
+    let alias = "ks_test_auth_tags_test";
+    let result = key_generations::map_ks_error(key_generations::create_key_and_operation(
+        &sec_level,
+        &gen_params,
+        &authorizations::AuthSetBuilder::new().purpose(KeyPurpose::SIGN).digest(Digest::SHA_2_256),
+        alias,
+    ));
+    assert!(result.is_err());
+    assert_eq!(Error::Km(ErrorCode::KEY_NOT_YET_VALID), result.unwrap_err());
+    delete_app_key(&keystore2, alias).unwrap();
+}
+
+/// Generate a key with `ORIGINATION_EXPIRE_DATETIME` set to future date and time. Test should
+/// successfully generate a key and verify the key characteristics. Test should be able to create
+/// sign operation using the generated key successfully.
+#[test]
+fn keystore2_gen_key_auth_future_origination_expire_datetime_test_success() {
+    let keystore2 = get_keystore_service();
+    let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+
+    let duration_since_epoch = SystemTime::now().duration_since(SystemTime::UNIX_EPOCH).unwrap();
+    let origination_expire_datetime = duration_since_epoch.as_millis() + (24 * 60 * 60 * 1000);
+    let gen_params = authorizations::AuthSetBuilder::new()
+        .no_auth_required()
+        .algorithm(Algorithm::EC)
+        .purpose(KeyPurpose::SIGN)
+        .purpose(KeyPurpose::VERIFY)
+        .digest(Digest::SHA_2_256)
+        .ec_curve(EcCurve::P_256)
+        .attestation_challenge(b"foo".to_vec())
+        .origination_expire_date_time(origination_expire_datetime.try_into().unwrap());
+
+    let alias = "ks_test_auth_tags_test";
+    let result = key_generations::create_key_and_operation(
+        &sec_level,
+        &gen_params,
+        &authorizations::AuthSetBuilder::new().purpose(KeyPurpose::SIGN).digest(Digest::SHA_2_256),
+        alias,
+    );
+    assert!(result.is_ok());
+    delete_app_key(&keystore2, alias).unwrap();
+}
+
+/// Generate a key with `ORIGINATION_EXPIRE_DATETIME` set to current date and time. Test should
+/// successfully generate a key and verify the key characteristics. Try to create a sign operation
+/// using the generated key, test should fail to create an operation with error code
+/// `KEY_EXPIRED`.
+#[test]
+fn keystore2_gen_key_auth_origination_expire_datetime_test_op_fail() {
+    let keystore2 = get_keystore_service();
+    let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+
+    let duration_since_epoch = SystemTime::now().duration_since(SystemTime::UNIX_EPOCH).unwrap();
+    let origination_expire_datetime = duration_since_epoch.as_millis();
+    let gen_params = authorizations::AuthSetBuilder::new()
+        .no_auth_required()
+        .algorithm(Algorithm::EC)
+        .purpose(KeyPurpose::SIGN)
+        .purpose(KeyPurpose::VERIFY)
+        .digest(Digest::SHA_2_256)
+        .ec_curve(EcCurve::P_256)
+        .attestation_challenge(b"foo".to_vec())
+        .origination_expire_date_time(origination_expire_datetime.try_into().unwrap());
+
+    let alias = "ks_test_auth_tags_test";
+    let result = key_generations::map_ks_error(key_generations::create_key_and_operation(
+        &sec_level,
+        &gen_params,
+        &authorizations::AuthSetBuilder::new().purpose(KeyPurpose::SIGN).digest(Digest::SHA_2_256),
+        alias,
+    ));
+    assert!(result.is_err());
+    assert_eq!(Error::Km(ErrorCode::KEY_EXPIRED), result.unwrap_err());
+    delete_app_key(&keystore2, alias).unwrap();
+}
+
+/// Generate a HMAC key with `USAGE_EXPIRE_DATETIME` set to future date and time. Test should
+/// successfully generate a key and verify the key characteristics. Test should be able to create
+/// sign and verify operations using the generated key successfully.
+#[test]
+fn keystore2_gen_key_auth_future_usage_expire_datetime_hmac_verify_op_success() {
+    let keystore2 = get_keystore_service();
+    let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+
+    let duration_since_epoch = SystemTime::now().duration_since(SystemTime::UNIX_EPOCH).unwrap();
+    let usage_expire_datetime = duration_since_epoch.as_millis() + (24 * 60 * 60 * 1000);
+    let gen_params = authorizations::AuthSetBuilder::new()
+        .no_auth_required()
+        .algorithm(Algorithm::HMAC)
+        .purpose(KeyPurpose::SIGN)
+        .purpose(KeyPurpose::VERIFY)
+        .key_size(128)
+        .min_mac_length(256)
+        .digest(Digest::SHA_2_256)
+        .usage_expire_date_time(usage_expire_datetime.try_into().unwrap());
+
+    let alias = "ks_test_auth_tags_hmac_verify_success";
+    let key_metadata = key_generations::generate_key(&sec_level, &gen_params, alias).unwrap();
+
+    perform_sample_hmac_sign_verify_op(&sec_level, &key_metadata.key);
+    delete_app_key(&keystore2, alias).unwrap();
+}
+
+/// Generate a key with `USAGE_EXPIRE_DATETIME` set to current date and time. Test should
+/// successfully generate a key and verify the key characteristics. Test should be able to create
+/// sign operation successfully and fail while performing verify operation with error code
+/// `KEY_EXPIRED`.
+#[test]
+fn keystore2_gen_key_auth_usage_expire_datetime_hmac_verify_op_fail() {
+    let keystore2 = get_keystore_service();
+    let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+
+    let duration_since_epoch = SystemTime::now().duration_since(SystemTime::UNIX_EPOCH).unwrap();
+    let usage_expire_datetime = duration_since_epoch.as_millis();
+    let gen_params = authorizations::AuthSetBuilder::new()
+        .no_auth_required()
+        .algorithm(Algorithm::HMAC)
+        .purpose(KeyPurpose::SIGN)
+        .purpose(KeyPurpose::VERIFY)
+        .key_size(128)
+        .min_mac_length(256)
+        .digest(Digest::SHA_2_256)
+        .usage_expire_date_time(usage_expire_datetime.try_into().unwrap());
+
+    let alias = "ks_test_auth_tags_hamc_verify_fail";
+    let key_metadata = key_generations::generate_key(&sec_level, &gen_params, alias).unwrap();
+
+    let result = key_generations::map_ks_error(
+        sec_level.createOperation(
+            &key_metadata.key,
+            &authorizations::AuthSetBuilder::new()
+                .purpose(KeyPurpose::VERIFY)
+                .digest(Digest::SHA_2_256),
+            false,
+        ),
+    );
+    assert!(result.is_err());
+    assert_eq!(Error::Km(ErrorCode::KEY_EXPIRED), result.unwrap_err());
+    delete_app_key(&keystore2, alias).unwrap();
+}
+
+/// Generate AES key with `USAGE_EXPIRE_DATETIME` set to future date and time. Test should
+/// successfully generate a key and verify the key characteristics. Test should be able to create
+/// Encrypt and Decrypt operations successfully.
+#[test]
+fn keystore2_gen_key_auth_usage_future_expire_datetime_decrypt_op_success() {
+    let keystore2 = get_keystore_service();
+    let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+
+    let duration_since_epoch = SystemTime::now().duration_since(SystemTime::UNIX_EPOCH).unwrap();
+    let usage_expire_datetime = duration_since_epoch.as_millis() + (24 * 60 * 60 * 1000);
+    let gen_params = authorizations::AuthSetBuilder::new()
+        .no_auth_required()
+        .algorithm(Algorithm::AES)
+        .purpose(KeyPurpose::ENCRYPT)
+        .purpose(KeyPurpose::DECRYPT)
+        .key_size(128)
+        .padding_mode(PaddingMode::PKCS7)
+        .block_mode(BlockMode::ECB)
+        .usage_expire_date_time(usage_expire_datetime.try_into().unwrap());
+
+    let alias = "ks_test_auth_tags_test";
+    let key_metadata = key_generations::generate_key(&sec_level, &gen_params, alias).unwrap();
+    let cipher_text = perform_sample_sym_key_encrypt_op(
+        &sec_level,
+        PaddingMode::PKCS7,
+        BlockMode::ECB,
+        &mut None,
+        None,
+        &key_metadata.key,
+    )
+    .unwrap();
+
+    assert!(cipher_text.is_some());
+
+    let plain_text = perform_sample_sym_key_decrypt_op(
+        &sec_level,
+        &cipher_text.unwrap(),
+        PaddingMode::PKCS7,
+        BlockMode::ECB,
+        &mut None,
+        None,
+        &key_metadata.key,
+    )
+    .unwrap();
+    assert!(plain_text.is_some());
+    assert_eq!(plain_text.unwrap(), SAMPLE_PLAIN_TEXT.to_vec());
+    delete_app_key(&keystore2, alias).unwrap();
+}
+
+/// Generate AES key with `USAGE_EXPIRE_DATETIME` set to current date and time. Test should
+/// successfully generate a key and verify the key characteristics. Test should be able to create
+/// Encrypt operation successfully and fail while performing decrypt operation with error code
+/// `KEY_EXPIRED`.
+#[test]
+fn keystore2_gen_key_auth_usage_expire_datetime_decrypt_op_fail() {
+    let keystore2 = get_keystore_service();
+    let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+
+    let duration_since_epoch = SystemTime::now().duration_since(SystemTime::UNIX_EPOCH).unwrap();
+    let usage_expire_datetime = duration_since_epoch.as_millis();
+    let gen_params = authorizations::AuthSetBuilder::new()
+        .no_auth_required()
+        .algorithm(Algorithm::AES)
+        .purpose(KeyPurpose::ENCRYPT)
+        .purpose(KeyPurpose::DECRYPT)
+        .key_size(128)
+        .padding_mode(PaddingMode::PKCS7)
+        .block_mode(BlockMode::ECB)
+        .usage_expire_date_time(usage_expire_datetime.try_into().unwrap());
+
+    let alias = "ks_test_auth_tags_test";
+    let key_metadata = key_generations::generate_key(&sec_level, &gen_params, alias).unwrap();
+    let cipher_text = perform_sample_sym_key_encrypt_op(
+        &sec_level,
+        PaddingMode::PKCS7,
+        BlockMode::ECB,
+        &mut None,
+        None,
+        &key_metadata.key,
+    )
+    .unwrap();
+
+    assert!(cipher_text.is_some());
+
+    let result = key_generations::map_ks_error(perform_sample_sym_key_decrypt_op(
+        &sec_level,
+        &cipher_text.unwrap(),
+        PaddingMode::PKCS7,
+        BlockMode::ECB,
+        &mut None,
+        None,
+        &key_metadata.key,
+    ));
+    assert!(result.is_err());
+    assert_eq!(Error::Km(ErrorCode::KEY_EXPIRED), result.unwrap_err());
+    delete_app_key(&keystore2, alias).unwrap();
+}
diff --git a/keystore2/tests/keystore2_client_tests.rs b/keystore2/tests/keystore2_client_tests.rs
index 3b6a78c3..ac7f19f8 100644
--- a/keystore2/tests/keystore2_client_tests.rs
+++ b/keystore2/tests/keystore2_client_tests.rs
@@ -15,6 +15,7 @@
 pub mod keystore2_client_3des_key_tests;
 pub mod keystore2_client_aes_key_tests;
 pub mod keystore2_client_attest_key_tests;
+pub mod keystore2_client_authorizations_tests;
 pub mod keystore2_client_delete_key_tests;
 pub mod keystore2_client_ec_key_tests;
 pub mod keystore2_client_grant_key_tests;