• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 // Copyright 2022, The Android Open Source Project
2 //
3 // Licensed under the Apache License, Version 2.0 (the "License");
4 // you may not use this file except in compliance with the License.
5 // You may obtain a copy of the License at
6 //
7 //     http://www.apache.org/licenses/LICENSE-2.0
8 //
9 // Unless required by applicable law or agreed to in writing, software
10 // distributed under the License is distributed on an "AS IS" BASIS,
11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 // See the License for the specific language governing permissions and
13 // limitations under the License.
14 
15 //! This module implements test utils to generate various types of keys.
16 
17 use android_hardware_security_keymint::aidl::android::hardware::security::keymint::{
18     Algorithm::Algorithm, Digest::Digest, EcCurve::EcCurve, KeyPurpose::KeyPurpose,
19 };
20 use android_system_keystore2::aidl::android::system::keystore2::{
21     Domain::Domain, IKeystoreSecurityLevel::IKeystoreSecurityLevel, KeyDescriptor::KeyDescriptor,
22     KeyMetadata::KeyMetadata,
23 };
24 
25 use crate::authorizations::AuthSetBuilder;
26 
27 const SELINUX_SHELL_NAMESPACE: i64 = 1;
28 
29 /// Generate attested EC Key blob using given security level with below key parameters -
30 ///     Purposes: SIGN and VERIFY
31 ///     Digest: SHA_2_256
32 ///     Curve: P_256
generate_ec_p256_signing_key_with_attestation( sec_level: &binder::Strong<dyn IKeystoreSecurityLevel>, ) -> binder::Result<KeyMetadata>33 pub fn generate_ec_p256_signing_key_with_attestation(
34     sec_level: &binder::Strong<dyn IKeystoreSecurityLevel>,
35 ) -> binder::Result<KeyMetadata> {
36     let att_challenge: &[u8] = b"foo";
37     let att_app_id: &[u8] = b"bar";
38     let gen_params = AuthSetBuilder::new()
39         .algorithm(Algorithm::EC)
40         .purpose(KeyPurpose::SIGN)
41         .purpose(KeyPurpose::VERIFY)
42         .digest(Digest::SHA_2_256)
43         .ec_curve(EcCurve::P_256)
44         .attestation_challenge(att_challenge.to_vec())
45         .attestation_app_id(att_app_id.to_vec());
46 
47     match sec_level.generateKey(
48         &KeyDescriptor {
49             domain: Domain::BLOB,
50             nspace: SELINUX_SHELL_NAMESPACE,
51             alias: None,
52             blob: None,
53         },
54         None,
55         &gen_params,
56         0,
57         b"entropy",
58     ) {
59         Ok(key_metadata) => {
60             assert!(key_metadata.certificate.is_some());
61             assert!(key_metadata.certificateChain.is_some());
62             assert!(key_metadata.key.blob.is_some());
63 
64             Ok(key_metadata)
65         }
66         Err(e) => Err(e),
67     }
68 }
69