diff options
author | Rajesh Nyamagoud <nyamagoud@google.com> | 2023-05-11 00:31:40 +0000 |
---|---|---|
committer | Rajesh Nyamagoud <nyamagoud@google.com> | 2023-10-09 21:10:00 +0000 |
commit | 75dfa0c2ec8c93cc5b064838401fef32a07147ab (patch) | |
tree | c2ee5c30676ba43f9aa0269e21964623081230d8 /keystore2/tests | |
parent | 3363996eafe6f49817a6f7bed409e37c735021bb (diff) | |
download | security-75dfa0c2ec8c93cc5b064838401fef32a07147ab.tar.gz |
Adding tests using tags ACTIVE_DATETIME, ORIGINATION_EXPIRE_DATETIME,
USAGE_EXPIRE_DATETIME.
1. Tests will generate a key with current date and time set to
active-datetime and verify the key characteristics. Test will use
this key to create a sign operation successfully.
2. Test will generate a key with future date set to active-datetime and
verify the key characteristics. Test will fail with error code
`KEY_NOT_YET_VALID` while creating an operation using generated key.
3. Tests will generate a key with future date and time set to
origination-expire-datetime and verify the key characteristics. Test
will use this key to create a sign operation successfully.
4. Test will generate a key with current date and time set to
origination-expire-datetime and verify the key characteristics. Test
will fail with error code `KEY_EXPIRED` while creating an operation
using generated key.
5. Tests will generate a key with future date and time set to
usage-expire-datetime and verify the key characteristics. Test
will use this key to successfully verify the signature created using
this key.
6. Tests will generate a key with current date and time set to
usage-expire-datetime and verify the key characteristics. Test
will fail with error code `KEY_EXPIRED` while verifying the signature
created using this key.
7. Test will generate a AES key with future date and time set to
usage-expire-datetime and verify the key characteristics. Test
will perform encrypt and decrypt operations using this generated key
successfully.
8. Test will generate a AES key with current date and time set to
usage-expire-datetime and verify the key characteristics. Test
will fail with error code `KEY_EXPIRED` while creating Decrypt
operation using generated key.
Bug: 279721870
Test: atest keystore2_client_tests
Change-Id: I8a0865a6256a6da133e95d0ee8250ba67359a2a2
Diffstat (limited to 'keystore2/tests')
-rw-r--r-- | keystore2/tests/keystore2_client_authorizations_tests.rs | 322 | ||||
-rw-r--r-- | keystore2/tests/keystore2_client_tests.rs | 1 |
2 files changed, 323 insertions, 0 deletions
diff --git a/keystore2/tests/keystore2_client_authorizations_tests.rs b/keystore2/tests/keystore2_client_authorizations_tests.rs new file mode 100644 index 00000000..e518a1c7 --- /dev/null +++ b/keystore2/tests/keystore2_client_authorizations_tests.rs @@ -0,0 +1,322 @@ +// Copyright 2023, The Android Open Source Project +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +use std::time::SystemTime; + +use android_hardware_security_keymint::aidl::android::hardware::security::keymint::{ + Algorithm::Algorithm, BlockMode::BlockMode, Digest::Digest, EcCurve::EcCurve, + ErrorCode::ErrorCode, KeyPurpose::KeyPurpose, PaddingMode::PaddingMode, + SecurityLevel::SecurityLevel, +}; + +use keystore2_test_utils::{ + authorizations, get_keystore_service, key_generations, key_generations::Error, +}; + +use crate::keystore2_client_test_utils::{ + delete_app_key, perform_sample_hmac_sign_verify_op, perform_sample_sym_key_decrypt_op, + perform_sample_sym_key_encrypt_op, SAMPLE_PLAIN_TEXT, +}; + +/// Generate a key with `ACTIVE_DATETIME` set to current time. Test should successfully generate +/// a key and verify the key characteristics. Test should be able to create a sign operation using +/// the generated key successfully. +#[test] +fn keystore2_gen_key_auth_active_datetime_test_success() { + let keystore2 = get_keystore_service(); + let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap(); + + let duration_since_epoch = SystemTime::now().duration_since(SystemTime::UNIX_EPOCH).unwrap(); + let active_datetime = duration_since_epoch.as_millis(); + let gen_params = authorizations::AuthSetBuilder::new() + .no_auth_required() + .algorithm(Algorithm::EC) + .purpose(KeyPurpose::SIGN) + .purpose(KeyPurpose::VERIFY) + .digest(Digest::SHA_2_256) + .ec_curve(EcCurve::P_256) + .attestation_challenge(b"foo".to_vec()) + .active_date_time(active_datetime.try_into().unwrap()); + + let alias = "ks_test_auth_tags_test"; + let result = key_generations::create_key_and_operation( + &sec_level, + &gen_params, + &authorizations::AuthSetBuilder::new().purpose(KeyPurpose::SIGN).digest(Digest::SHA_2_256), + alias, + ); + + assert!(result.is_ok()); + delete_app_key(&keystore2, alias).unwrap(); +} + +/// Generate a key with `ACTIVE_DATETIME` set to future date and time. Test should successfully +/// generate a key and verify the key characteristics. Try to create a sign operation +/// using the generated key, test should fail to create an operation with error code +/// `KEY_NOT_YET_VALID`. +#[test] +fn keystore2_gen_key_auth_future_active_datetime_test_op_fail() { + let keystore2 = get_keystore_service(); + let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap(); + + let duration_since_epoch = SystemTime::now().duration_since(SystemTime::UNIX_EPOCH).unwrap(); + let future_active_datetime = duration_since_epoch.as_millis() + (24 * 60 * 60 * 1000); + let gen_params = authorizations::AuthSetBuilder::new() + .no_auth_required() + .algorithm(Algorithm::EC) + .purpose(KeyPurpose::SIGN) + .purpose(KeyPurpose::VERIFY) + .digest(Digest::SHA_2_256) + .ec_curve(EcCurve::P_256) + .attestation_challenge(b"foo".to_vec()) + .active_date_time(future_active_datetime.try_into().unwrap()); + + let alias = "ks_test_auth_tags_test"; + let result = key_generations::map_ks_error(key_generations::create_key_and_operation( + &sec_level, + &gen_params, + &authorizations::AuthSetBuilder::new().purpose(KeyPurpose::SIGN).digest(Digest::SHA_2_256), + alias, + )); + assert!(result.is_err()); + assert_eq!(Error::Km(ErrorCode::KEY_NOT_YET_VALID), result.unwrap_err()); + delete_app_key(&keystore2, alias).unwrap(); +} + +/// Generate a key with `ORIGINATION_EXPIRE_DATETIME` set to future date and time. Test should +/// successfully generate a key and verify the key characteristics. Test should be able to create +/// sign operation using the generated key successfully. +#[test] +fn keystore2_gen_key_auth_future_origination_expire_datetime_test_success() { + let keystore2 = get_keystore_service(); + let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap(); + + let duration_since_epoch = SystemTime::now().duration_since(SystemTime::UNIX_EPOCH).unwrap(); + let origination_expire_datetime = duration_since_epoch.as_millis() + (24 * 60 * 60 * 1000); + let gen_params = authorizations::AuthSetBuilder::new() + .no_auth_required() + .algorithm(Algorithm::EC) + .purpose(KeyPurpose::SIGN) + .purpose(KeyPurpose::VERIFY) + .digest(Digest::SHA_2_256) + .ec_curve(EcCurve::P_256) + .attestation_challenge(b"foo".to_vec()) + .origination_expire_date_time(origination_expire_datetime.try_into().unwrap()); + + let alias = "ks_test_auth_tags_test"; + let result = key_generations::create_key_and_operation( + &sec_level, + &gen_params, + &authorizations::AuthSetBuilder::new().purpose(KeyPurpose::SIGN).digest(Digest::SHA_2_256), + alias, + ); + assert!(result.is_ok()); + delete_app_key(&keystore2, alias).unwrap(); +} + +/// Generate a key with `ORIGINATION_EXPIRE_DATETIME` set to current date and time. Test should +/// successfully generate a key and verify the key characteristics. Try to create a sign operation +/// using the generated key, test should fail to create an operation with error code +/// `KEY_EXPIRED`. +#[test] +fn keystore2_gen_key_auth_origination_expire_datetime_test_op_fail() { + let keystore2 = get_keystore_service(); + let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap(); + + let duration_since_epoch = SystemTime::now().duration_since(SystemTime::UNIX_EPOCH).unwrap(); + let origination_expire_datetime = duration_since_epoch.as_millis(); + let gen_params = authorizations::AuthSetBuilder::new() + .no_auth_required() + .algorithm(Algorithm::EC) + .purpose(KeyPurpose::SIGN) + .purpose(KeyPurpose::VERIFY) + .digest(Digest::SHA_2_256) + .ec_curve(EcCurve::P_256) + .attestation_challenge(b"foo".to_vec()) + .origination_expire_date_time(origination_expire_datetime.try_into().unwrap()); + + let alias = "ks_test_auth_tags_test"; + let result = key_generations::map_ks_error(key_generations::create_key_and_operation( + &sec_level, + &gen_params, + &authorizations::AuthSetBuilder::new().purpose(KeyPurpose::SIGN).digest(Digest::SHA_2_256), + alias, + )); + assert!(result.is_err()); + assert_eq!(Error::Km(ErrorCode::KEY_EXPIRED), result.unwrap_err()); + delete_app_key(&keystore2, alias).unwrap(); +} + +/// Generate a HMAC key with `USAGE_EXPIRE_DATETIME` set to future date and time. Test should +/// successfully generate a key and verify the key characteristics. Test should be able to create +/// sign and verify operations using the generated key successfully. +#[test] +fn keystore2_gen_key_auth_future_usage_expire_datetime_hmac_verify_op_success() { + let keystore2 = get_keystore_service(); + let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap(); + + let duration_since_epoch = SystemTime::now().duration_since(SystemTime::UNIX_EPOCH).unwrap(); + let usage_expire_datetime = duration_since_epoch.as_millis() + (24 * 60 * 60 * 1000); + let gen_params = authorizations::AuthSetBuilder::new() + .no_auth_required() + .algorithm(Algorithm::HMAC) + .purpose(KeyPurpose::SIGN) + .purpose(KeyPurpose::VERIFY) + .key_size(128) + .min_mac_length(256) + .digest(Digest::SHA_2_256) + .usage_expire_date_time(usage_expire_datetime.try_into().unwrap()); + + let alias = "ks_test_auth_tags_hmac_verify_success"; + let key_metadata = key_generations::generate_key(&sec_level, &gen_params, alias).unwrap(); + + perform_sample_hmac_sign_verify_op(&sec_level, &key_metadata.key); + delete_app_key(&keystore2, alias).unwrap(); +} + +/// Generate a key with `USAGE_EXPIRE_DATETIME` set to current date and time. Test should +/// successfully generate a key and verify the key characteristics. Test should be able to create +/// sign operation successfully and fail while performing verify operation with error code +/// `KEY_EXPIRED`. +#[test] +fn keystore2_gen_key_auth_usage_expire_datetime_hmac_verify_op_fail() { + let keystore2 = get_keystore_service(); + let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap(); + + let duration_since_epoch = SystemTime::now().duration_since(SystemTime::UNIX_EPOCH).unwrap(); + let usage_expire_datetime = duration_since_epoch.as_millis(); + let gen_params = authorizations::AuthSetBuilder::new() + .no_auth_required() + .algorithm(Algorithm::HMAC) + .purpose(KeyPurpose::SIGN) + .purpose(KeyPurpose::VERIFY) + .key_size(128) + .min_mac_length(256) + .digest(Digest::SHA_2_256) + .usage_expire_date_time(usage_expire_datetime.try_into().unwrap()); + + let alias = "ks_test_auth_tags_hamc_verify_fail"; + let key_metadata = key_generations::generate_key(&sec_level, &gen_params, alias).unwrap(); + + let result = key_generations::map_ks_error( + sec_level.createOperation( + &key_metadata.key, + &authorizations::AuthSetBuilder::new() + .purpose(KeyPurpose::VERIFY) + .digest(Digest::SHA_2_256), + false, + ), + ); + assert!(result.is_err()); + assert_eq!(Error::Km(ErrorCode::KEY_EXPIRED), result.unwrap_err()); + delete_app_key(&keystore2, alias).unwrap(); +} + +/// Generate AES key with `USAGE_EXPIRE_DATETIME` set to future date and time. Test should +/// successfully generate a key and verify the key characteristics. Test should be able to create +/// Encrypt and Decrypt operations successfully. +#[test] +fn keystore2_gen_key_auth_usage_future_expire_datetime_decrypt_op_success() { + let keystore2 = get_keystore_service(); + let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap(); + + let duration_since_epoch = SystemTime::now().duration_since(SystemTime::UNIX_EPOCH).unwrap(); + let usage_expire_datetime = duration_since_epoch.as_millis() + (24 * 60 * 60 * 1000); + let gen_params = authorizations::AuthSetBuilder::new() + .no_auth_required() + .algorithm(Algorithm::AES) + .purpose(KeyPurpose::ENCRYPT) + .purpose(KeyPurpose::DECRYPT) + .key_size(128) + .padding_mode(PaddingMode::PKCS7) + .block_mode(BlockMode::ECB) + .usage_expire_date_time(usage_expire_datetime.try_into().unwrap()); + + let alias = "ks_test_auth_tags_test"; + let key_metadata = key_generations::generate_key(&sec_level, &gen_params, alias).unwrap(); + let cipher_text = perform_sample_sym_key_encrypt_op( + &sec_level, + PaddingMode::PKCS7, + BlockMode::ECB, + &mut None, + None, + &key_metadata.key, + ) + .unwrap(); + + assert!(cipher_text.is_some()); + + let plain_text = perform_sample_sym_key_decrypt_op( + &sec_level, + &cipher_text.unwrap(), + PaddingMode::PKCS7, + BlockMode::ECB, + &mut None, + None, + &key_metadata.key, + ) + .unwrap(); + assert!(plain_text.is_some()); + assert_eq!(plain_text.unwrap(), SAMPLE_PLAIN_TEXT.to_vec()); + delete_app_key(&keystore2, alias).unwrap(); +} + +/// Generate AES key with `USAGE_EXPIRE_DATETIME` set to current date and time. Test should +/// successfully generate a key and verify the key characteristics. Test should be able to create +/// Encrypt operation successfully and fail while performing decrypt operation with error code +/// `KEY_EXPIRED`. +#[test] +fn keystore2_gen_key_auth_usage_expire_datetime_decrypt_op_fail() { + let keystore2 = get_keystore_service(); + let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap(); + + let duration_since_epoch = SystemTime::now().duration_since(SystemTime::UNIX_EPOCH).unwrap(); + let usage_expire_datetime = duration_since_epoch.as_millis(); + let gen_params = authorizations::AuthSetBuilder::new() + .no_auth_required() + .algorithm(Algorithm::AES) + .purpose(KeyPurpose::ENCRYPT) + .purpose(KeyPurpose::DECRYPT) + .key_size(128) + .padding_mode(PaddingMode::PKCS7) + .block_mode(BlockMode::ECB) + .usage_expire_date_time(usage_expire_datetime.try_into().unwrap()); + + let alias = "ks_test_auth_tags_test"; + let key_metadata = key_generations::generate_key(&sec_level, &gen_params, alias).unwrap(); + let cipher_text = perform_sample_sym_key_encrypt_op( + &sec_level, + PaddingMode::PKCS7, + BlockMode::ECB, + &mut None, + None, + &key_metadata.key, + ) + .unwrap(); + + assert!(cipher_text.is_some()); + + let result = key_generations::map_ks_error(perform_sample_sym_key_decrypt_op( + &sec_level, + &cipher_text.unwrap(), + PaddingMode::PKCS7, + BlockMode::ECB, + &mut None, + None, + &key_metadata.key, + )); + assert!(result.is_err()); + assert_eq!(Error::Km(ErrorCode::KEY_EXPIRED), result.unwrap_err()); + delete_app_key(&keystore2, alias).unwrap(); +} diff --git a/keystore2/tests/keystore2_client_tests.rs b/keystore2/tests/keystore2_client_tests.rs index 3b6a78c3..ac7f19f8 100644 --- a/keystore2/tests/keystore2_client_tests.rs +++ b/keystore2/tests/keystore2_client_tests.rs @@ -15,6 +15,7 @@ pub mod keystore2_client_3des_key_tests; pub mod keystore2_client_aes_key_tests; pub mod keystore2_client_attest_key_tests; +pub mod keystore2_client_authorizations_tests; pub mod keystore2_client_delete_key_tests; pub mod keystore2_client_ec_key_tests; pub mod keystore2_client_grant_key_tests; |