1 // Copyright 2022, The Android Open Source Project
2 //
3 // Licensed under the Apache License, Version 2.0 (the "License");
4 // you may not use this file except in compliance with the License.
5 // You may obtain a copy of the License at
6 //
7 // http://www.apache.org/licenses/LICENSE-2.0
8 //
9 // Unless required by applicable law or agreed to in writing, software
10 // distributed under the License is distributed on an "AS IS" BASIS,
11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 // See the License for the specific language governing permissions and
13 // limitations under the License.
14
15 use nix::unistd::getuid;
16
17 use android_hardware_security_keymint::aidl::android::hardware::security::keymint::{
18 ErrorCode::ErrorCode, SecurityLevel::SecurityLevel,
19 };
20 use android_system_keystore2::aidl::android::system::keystore2::{
21 Domain::Domain, KeyDescriptor::KeyDescriptor, ResponseCode::ResponseCode,
22 };
23
24 use keystore2_test_utils::{get_keystore_service, key_generations, key_generations::Error};
25
26 /// Generate a key and delete it using keystore2 service `deleteKey` API. Test should successfully
27 /// delete the generated key.
28 #[test]
keystore2_delete_key_success()29 fn keystore2_delete_key_success() {
30 let keystore2 = get_keystore_service();
31 let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
32 let alias = "delete_key_success_key";
33
34 let key_metadata = key_generations::generate_ec_p256_signing_key(
35 &sec_level,
36 Domain::APP,
37 -1,
38 Some(alias.to_string()),
39 None,
40 )
41 .unwrap();
42
43 keystore2.deleteKey(&key_metadata.key).expect("Failed to delete a key.");
44
45 // Check wehther deleted key is removed from keystore.
46 let result = key_generations::map_ks_error(keystore2.getKeyEntry(&key_metadata.key));
47 assert!(result.is_err());
48 assert_eq!(Error::Rc(ResponseCode::KEY_NOT_FOUND), result.unwrap_err());
49 }
50
51 /// Try to delete non-existing key with domain other than BLOB using keystore2 service `deleteKey`
52 /// API. Test should fail with an error code `KEY_NOT_FOUND`.
53 #[test]
keystore2_delete_key_fail()54 fn keystore2_delete_key_fail() {
55 let test_alias = "delete_key_failure_key";
56 let keystore2 = get_keystore_service();
57
58 let result = key_generations::map_ks_error(keystore2.deleteKey(&KeyDescriptor {
59 domain: Domain::SELINUX,
60 nspace: key_generations::SELINUX_SHELL_NAMESPACE,
61 alias: Some(test_alias.to_string()),
62 blob: None,
63 }));
64 assert!(result.is_err());
65 assert_eq!(Error::Rc(ResponseCode::KEY_NOT_FOUND), result.unwrap_err());
66 }
67
68 /// Generate a key with `Domain::BLOB`. Try to delete a key with `Domain::BLOB` using keystore2
69 /// service `deleteKey` API. Test should fail to delete a key with domain BLOB with an error code
70 /// `INVALID_ARGUMENT`.
71 #[test]
keystore2_delete_key_with_blob_domain_fail()72 fn keystore2_delete_key_with_blob_domain_fail() {
73 let keystore2 = get_keystore_service();
74 let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
75 let alias = "delete_key_blob_fail_key";
76
77 let key_metadata = key_generations::generate_ec_p256_signing_key(
78 &sec_level,
79 Domain::BLOB,
80 key_generations::SELINUX_SHELL_NAMESPACE,
81 Some(alias.to_string()),
82 None,
83 )
84 .unwrap();
85
86 let result = key_generations::map_ks_error(keystore2.deleteKey(&key_metadata.key));
87 assert!(result.is_err());
88 assert_eq!(Error::Rc(ResponseCode::INVALID_ARGUMENT), result.unwrap_err());
89 }
90
91 /// Generate a key with `Domain::BLOB`. Delete generated key with `Domain::BLOB` using underlying
92 /// security level `deleteKey` API. Test should delete the key successfully.
93 #[test]
keystore2_delete_key_blob_success()94 fn keystore2_delete_key_blob_success() {
95 let keystore2 = get_keystore_service();
96 let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
97 let alias = "delete_key_blob_success_key";
98
99 let key_metadata = key_generations::generate_ec_p256_signing_key(
100 &sec_level,
101 Domain::BLOB,
102 key_generations::SELINUX_SHELL_NAMESPACE,
103 Some(alias.to_string()),
104 None,
105 )
106 .unwrap();
107
108 let result = sec_level.deleteKey(&key_metadata.key);
109 assert!(result.is_ok());
110 }
111
112 /// Try to delete a key with `Domain::BLOB` without providing key-blob. Test should fail to delete a
113 /// key with error code `INVALID_ARGUMENT`.
114 #[test]
keystore2_delete_key_fails_with_missing_key_blob()115 fn keystore2_delete_key_fails_with_missing_key_blob() {
116 let keystore2 = get_keystore_service();
117 let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
118
119 let result = key_generations::map_ks_error(sec_level.deleteKey(&KeyDescriptor {
120 domain: Domain::BLOB,
121 nspace: key_generations::SELINUX_SHELL_NAMESPACE,
122 alias: None,
123 blob: None,
124 }));
125 assert!(result.is_err());
126 assert_eq!(Error::Km(ErrorCode::INVALID_ARGUMENT), result.unwrap_err());
127 }
128
129 /// Try to delete a key with domain other than `Domain::BLOB` using underlying security-level
130 /// `deleteKey` API. Test should fail to delete a key-blob from underlying security-level backend
131 /// with error code `INVALID_ARGUMENT`.
132 #[test]
keystore2_delete_key_blob_fail()133 fn keystore2_delete_key_blob_fail() {
134 let keystore2 = get_keystore_service();
135 let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
136 let alias = format!("ks_delete_keyblob_test_key_{}", getuid());
137
138 let key_metadata = key_generations::generate_ec_p256_signing_key(
139 &sec_level,
140 Domain::APP,
141 -1,
142 Some(alias),
143 None,
144 )
145 .unwrap();
146
147 let result = key_generations::map_ks_error(sec_level.deleteKey(&key_metadata.key));
148 assert!(result.is_err());
149 assert_eq!(Error::Km(ErrorCode::INVALID_ARGUMENT), result.unwrap_err());
150 }
151