1 // Copyright 2022, The Android Open Source Project
2 //
3 // Licensed under the Apache License, Version 2.0 (the "License");
4 // you may not use this file except in compliance with the License.
5 // You may obtain a copy of the License at
6 //
7 // http://www.apache.org/licenses/LICENSE-2.0
8 //
9 // Unless required by applicable law or agreed to in writing, software
10 // distributed under the License is distributed on an "AS IS" BASIS,
11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 // See the License for the specific language governing permissions and
13 // limitations under the License.
14
15 use crate::keystore2_client_test_utils::{
16 encrypt_secure_key, encrypt_transport_key, get_vsr_api_level,
17 perform_sample_asym_sign_verify_op, perform_sample_hmac_sign_verify_op,
18 perform_sample_sym_key_decrypt_op, perform_sample_sym_key_encrypt_op, SAMPLE_PLAIN_TEXT,
19 };
20 use android_hardware_security_keymint::aidl::android::hardware::security::keymint::{
21 Algorithm::Algorithm, BlockMode::BlockMode, Digest::Digest, EcCurve::EcCurve,
22 ErrorCode::ErrorCode, HardwareAuthenticatorType::HardwareAuthenticatorType,
23 KeyPurpose::KeyPurpose, PaddingMode::PaddingMode,
24 };
25 use android_system_keystore2::aidl::android::system::keystore2::{
26 AuthenticatorSpec::AuthenticatorSpec, Domain::Domain,
27 IKeystoreSecurityLevel::IKeystoreSecurityLevel, KeyDescriptor::KeyDescriptor,
28 KeyMetadata::KeyMetadata, ResponseCode::ResponseCode,
29 };
30 use keystore2_test_utils::ffi_test_utils::{
31 create_wrapped_key, create_wrapped_key_additional_auth_data,
32 };
33 use keystore2_test_utils::{authorizations, key_generations, key_generations::Error, SecLevel};
34 use nix::unistd::getuid;
35 use openssl::rand::rand_bytes;
36 use openssl::x509::X509;
37
import_rsa_sign_key_and_perform_sample_operation( sl: &SecLevel, domain: Domain, nspace: i64, alias: Option<String>, import_params: authorizations::AuthSetBuilder, )38 pub fn import_rsa_sign_key_and_perform_sample_operation(
39 sl: &SecLevel,
40 domain: Domain,
41 nspace: i64,
42 alias: Option<String>,
43 import_params: authorizations::AuthSetBuilder,
44 ) {
45 let key_metadata =
46 key_generations::import_rsa_2048_key(sl, domain, nspace, alias, import_params).unwrap();
47
48 perform_sample_asym_sign_verify_op(
49 &sl.binder,
50 &key_metadata,
51 Some(PaddingMode::RSA_PSS),
52 Some(Digest::SHA_2_256),
53 );
54 }
55
perform_sym_key_encrypt_decrypt_op( sec_level: &binder::Strong<dyn IKeystoreSecurityLevel>, key_metadata: &KeyMetadata, )56 fn perform_sym_key_encrypt_decrypt_op(
57 sec_level: &binder::Strong<dyn IKeystoreSecurityLevel>,
58 key_metadata: &KeyMetadata,
59 ) {
60 let cipher_text = perform_sample_sym_key_encrypt_op(
61 sec_level,
62 PaddingMode::PKCS7,
63 BlockMode::ECB,
64 &mut None,
65 None,
66 &key_metadata.key,
67 )
68 .unwrap();
69
70 assert!(cipher_text.is_some());
71
72 let plain_text = perform_sample_sym_key_decrypt_op(
73 sec_level,
74 &cipher_text.unwrap(),
75 PaddingMode::PKCS7,
76 BlockMode::ECB,
77 &mut None,
78 None,
79 &key_metadata.key,
80 )
81 .unwrap();
82
83 assert!(plain_text.is_some());
84 assert_eq!(plain_text.unwrap(), SAMPLE_PLAIN_TEXT.to_vec());
85 }
86
build_secure_key_wrapper( sl: &SecLevel, secure_key: &[u8], transport_key: &[u8], nonce: &[u8], aad: &[u8], wrapping_key_metadata: &KeyMetadata, ) -> Result<Vec<u8>, Error>87 fn build_secure_key_wrapper(
88 sl: &SecLevel,
89 secure_key: &[u8],
90 transport_key: &[u8],
91 nonce: &[u8],
92 aad: &[u8],
93 wrapping_key_metadata: &KeyMetadata,
94 ) -> Result<Vec<u8>, Error> {
95 // Encrypt secure key with transport key.
96 let transport_key_alias = format!("ks_transport_key_aes_256_key_test_{}", getuid());
97 let transport_key_metadata =
98 key_generations::import_transport_key(sl, Some(transport_key_alias), transport_key)
99 .unwrap();
100 let encrypted_secure_key = encrypt_secure_key(
101 &sl.binder,
102 secure_key,
103 aad,
104 nonce.to_vec(),
105 128,
106 &transport_key_metadata.key,
107 )
108 .unwrap();
109
110 // Extract GCM-tag and encrypted secure key data.
111 let encrypted_secure_key = encrypted_secure_key.unwrap();
112 let gcm_tag: Vec<u8> =
113 encrypted_secure_key[secure_key.len()..(encrypted_secure_key.len())].to_vec();
114 let encrypted_secure_key: Vec<u8> = encrypted_secure_key[0..secure_key.len()].to_vec();
115
116 // Get wrapping key puplic part and encrypt the transport key.
117 let cert_bytes = wrapping_key_metadata.certificate.as_ref().unwrap();
118 let cert = X509::from_der(cert_bytes.as_ref()).unwrap();
119 let public_key = cert.public_key().unwrap();
120 let encrypted_transport_key = encrypt_transport_key(transport_key, &public_key).unwrap();
121
122 // Create `SecureKeyWrapper` ASN.1 DER-encoded data.
123 create_wrapped_key(&encrypted_secure_key, &encrypted_transport_key, nonce, &gcm_tag)
124 }
125
126 /// Import RSA key and verify imported key parameters. Try to create an operation using the
127 /// imported key. Test should be able to create an operation successfully.
128 #[test]
keystore2_rsa_import_key_success()129 fn keystore2_rsa_import_key_success() {
130 let sl = SecLevel::tee();
131
132 let alias = format!("ks_rsa_key_test_import_1_{}{}", getuid(), 2048);
133
134 let import_params = authorizations::AuthSetBuilder::new()
135 .no_auth_required()
136 .algorithm(Algorithm::RSA)
137 .digest(Digest::SHA_2_256)
138 .purpose(KeyPurpose::SIGN)
139 .purpose(KeyPurpose::VERIFY)
140 .padding_mode(PaddingMode::RSA_PSS)
141 .key_size(2048)
142 .rsa_public_exponent(65537)
143 .cert_not_before(0)
144 .cert_not_after(253402300799000);
145
146 import_rsa_sign_key_and_perform_sample_operation(
147 &sl,
148 Domain::APP,
149 -1,
150 Some(alias),
151 import_params,
152 );
153 }
154
155 /// Import RSA key without providing key-size and public exponent in import key parameters list.
156 /// Let Key-size and public-exponent to be determined from the imported key material. Verify
157 /// imported key parameters. Try to create an operation using the imported key. Test should be
158 /// able to create an operation successfully.
159 #[test]
keystore2_rsa_import_key_determine_key_size_and_pub_exponent()160 fn keystore2_rsa_import_key_determine_key_size_and_pub_exponent() {
161 let sl = SecLevel::tee();
162
163 let alias = format!("ks_rsa_key_test_import_2_{}{}", getuid(), 2048);
164
165 // key-size and public-exponent shouldn't be specified in import key parameters list.
166 let import_params = authorizations::AuthSetBuilder::new()
167 .no_auth_required()
168 .algorithm(Algorithm::RSA)
169 .digest(Digest::SHA_2_256)
170 .purpose(KeyPurpose::SIGN)
171 .purpose(KeyPurpose::VERIFY)
172 .padding_mode(PaddingMode::RSA_PSS)
173 .cert_not_before(0)
174 .cert_not_after(253402300799000);
175
176 import_rsa_sign_key_and_perform_sample_operation(
177 &sl,
178 Domain::APP,
179 -1,
180 Some(alias),
181 import_params,
182 );
183 }
184
185 /// Try to import RSA key with wrong key size as import-key-parameter. Test should fail to import
186 /// a key with `IMPORT_PARAMETER_MISMATCH` error code.
187 #[test]
keystore2_rsa_import_key_fails_with_keysize_param_mismatch_error()188 fn keystore2_rsa_import_key_fails_with_keysize_param_mismatch_error() {
189 let sl = SecLevel::tee();
190
191 let alias = format!("ks_rsa_key_test_import_3_{}{}", getuid(), 2048);
192
193 let import_params = authorizations::AuthSetBuilder::new()
194 .no_auth_required()
195 .algorithm(Algorithm::RSA)
196 .digest(Digest::SHA_2_256)
197 .purpose(KeyPurpose::SIGN)
198 .purpose(KeyPurpose::VERIFY)
199 .padding_mode(PaddingMode::RSA_PSS)
200 .key_size(1024) // Wrong key size is specified, (actual key-size is 2048).
201 .rsa_public_exponent(65537)
202 .cert_not_before(0)
203 .cert_not_after(253402300799000);
204
205 let result = key_generations::map_ks_error(sl.binder.importKey(
206 &KeyDescriptor { domain: Domain::APP, nspace: -1, alias: Some(alias), blob: None },
207 None,
208 &import_params,
209 0,
210 key_generations::RSA_2048_KEY,
211 ));
212
213 assert!(result.is_err());
214 assert_eq!(Error::Km(ErrorCode::IMPORT_PARAMETER_MISMATCH), result.unwrap_err());
215 }
216
217 /// Try to import RSA key with wrong public-exponent as import-key-parameter.
218 /// Test should fail to import a key with `IMPORT_PARAMETER_MISMATCH` error code.
219 #[test]
keystore2_rsa_import_key_fails_with_public_exponent_param_mismatch_error()220 fn keystore2_rsa_import_key_fails_with_public_exponent_param_mismatch_error() {
221 let sl = SecLevel::tee();
222
223 let alias = format!("ks_rsa_key_test_import_4_{}{}", getuid(), 2048);
224
225 let import_params = authorizations::AuthSetBuilder::new()
226 .no_auth_required()
227 .algorithm(Algorithm::RSA)
228 .digest(Digest::SHA_2_256)
229 .purpose(KeyPurpose::SIGN)
230 .purpose(KeyPurpose::VERIFY)
231 .padding_mode(PaddingMode::RSA_PSS)
232 .key_size(2048)
233 .rsa_public_exponent(3) // This doesn't match the key.
234 .cert_not_before(0)
235 .cert_not_after(253402300799000);
236
237 let result = key_generations::map_ks_error(sl.binder.importKey(
238 &KeyDescriptor { domain: Domain::APP, nspace: -1, alias: Some(alias), blob: None },
239 None,
240 &import_params,
241 0,
242 key_generations::RSA_2048_KEY,
243 ));
244
245 assert!(result.is_err());
246 assert_eq!(Error::Km(ErrorCode::IMPORT_PARAMETER_MISMATCH), result.unwrap_err());
247 }
248
249 /// Try to import a key with multiple purposes. Test should fail to import a key with
250 /// `INCOMPATIBLE_PURPOSE` error code. If the backend is `keymaster` or KeyMint-version-1 then
251 /// `importKey` shall be successful.
252 #[test]
keystore2_rsa_import_key_with_multipurpose_fails_incompt_purpose_error()253 fn keystore2_rsa_import_key_with_multipurpose_fails_incompt_purpose_error() {
254 let sl = SecLevel::tee();
255
256 let alias = format!("ks_rsa_key_test_import_5_{}{}", getuid(), 2048);
257
258 let import_params = authorizations::AuthSetBuilder::new()
259 .no_auth_required()
260 .algorithm(Algorithm::RSA)
261 .digest(Digest::SHA_2_256)
262 .purpose(KeyPurpose::SIGN)
263 .purpose(KeyPurpose::ATTEST_KEY)
264 .padding_mode(PaddingMode::RSA_PSS)
265 .key_size(2048)
266 .rsa_public_exponent(65537)
267 .cert_not_before(0)
268 .cert_not_after(253402300799000);
269
270 let result = key_generations::map_ks_error(sl.binder.importKey(
271 &KeyDescriptor { domain: Domain::APP, nspace: -1, alias: Some(alias), blob: None },
272 None,
273 &import_params,
274 0,
275 key_generations::RSA_2048_KEY,
276 ));
277
278 if sl.is_keymint() {
279 if sl.get_keymint_version() >= 2 {
280 // The KeyMint v1 spec required that KeyPurpose::ATTEST_KEY not be combined
281 // with other key purposes. However, this was not checked at the time
282 // so we can only be strict about checking this for implementations of KeyMint
283 // version 2 and above.
284 assert!(result.is_err());
285 assert_eq!(Error::Km(ErrorCode::INCOMPATIBLE_PURPOSE), result.unwrap_err());
286 }
287 } else {
288 assert!(result.is_ok());
289 }
290 }
291
292 /// Import EC key and verify imported key parameters. Let ec-curve to be determined from the
293 /// imported key material. Try to create an operation using the imported key. Test should be
294 /// able to create an operation successfully.
295 #[test]
keystore2_import_ec_key_success()296 fn keystore2_import_ec_key_success() {
297 let sl = SecLevel::tee();
298
299 let alias = format!("ks_ec_key_test_import_1_{}{}", getuid(), 256);
300
301 if get_vsr_api_level() < 35 {
302 // The KeyMint spec was previously not clear as to whether EC_CURVE was optional on import
303 // of EC keys. However, this was not checked at the time so we can only be strict about
304 // checking this for implementations at VSR-V or later.
305 println!("Skipping EC_CURVE on import only strict >= VSR-V");
306 return;
307 }
308 // Don't specify ec-curve.
309 let import_params = authorizations::AuthSetBuilder::new()
310 .no_auth_required()
311 .algorithm(Algorithm::EC)
312 .digest(Digest::SHA_2_256)
313 .purpose(KeyPurpose::SIGN)
314 .purpose(KeyPurpose::VERIFY)
315 .cert_not_before(0)
316 .cert_not_after(253402300799000);
317
318 let key_metadata =
319 key_generations::import_ec_p_256_key(&sl, Domain::APP, -1, Some(alias), import_params)
320 .expect("Failed to import EC key.");
321
322 perform_sample_asym_sign_verify_op(&sl.binder, &key_metadata, None, Some(Digest::SHA_2_256));
323 }
324
325 /// Try to import EC key with wrong ec-curve as import-key-parameter. Test should fail to import a
326 /// key with `IMPORT_PARAMETER_MISMATCH` error code.
327 #[test]
keystore2_ec_import_key_fails_with_mismatch_curve_error()328 fn keystore2_ec_import_key_fails_with_mismatch_curve_error() {
329 let sl = SecLevel::tee();
330
331 let alias = format!("ks_ec_key_test_import_1_{}{}", getuid(), 256);
332
333 let import_params = authorizations::AuthSetBuilder::new()
334 .no_auth_required()
335 .algorithm(Algorithm::EC)
336 .digest(Digest::SHA_2_256)
337 .ec_curve(EcCurve::P_224) // It doesn't match with key material.
338 .purpose(KeyPurpose::SIGN)
339 .purpose(KeyPurpose::VERIFY)
340 .cert_not_before(0)
341 .cert_not_after(253402300799000);
342
343 let result = key_generations::map_ks_error(sl.binder.importKey(
344 &KeyDescriptor { domain: Domain::APP, nspace: -1, alias: Some(alias), blob: None },
345 None,
346 &import_params,
347 0,
348 key_generations::EC_P_256_KEY,
349 ));
350 assert!(result.is_err());
351 assert_eq!(Error::Km(ErrorCode::IMPORT_PARAMETER_MISMATCH), result.unwrap_err());
352 }
353
354 /// Import AES key and verify key parameters. Try to create an operation using the imported key.
355 /// Test should be able to create an operation successfully.
356 #[test]
keystore2_import_aes_key_success()357 fn keystore2_import_aes_key_success() {
358 let sl = SecLevel::tee();
359
360 let alias = format!("ks_aes_key_test_import_1_{}{}", getuid(), 256);
361 let key_metadata = key_generations::import_aes_key(&sl, Domain::APP, -1, Some(alias))
362 .expect("Failed to import AES key.");
363
364 perform_sym_key_encrypt_decrypt_op(&sl.binder, &key_metadata);
365 }
366
367 /// Import 3DES key and verify key parameters. Try to create an operation using the imported key.
368 /// Test should be able to create an operation successfully.
369 #[test]
keystore2_import_3des_key_success()370 fn keystore2_import_3des_key_success() {
371 let sl = SecLevel::tee();
372
373 let alias = format!("ks_3des_key_test_import_1_{}{}", getuid(), 168);
374
375 let key_metadata = key_generations::import_3des_key(&sl, Domain::APP, -1, Some(alias))
376 .expect("Failed to import 3DES key.");
377
378 perform_sym_key_encrypt_decrypt_op(&sl.binder, &key_metadata);
379 }
380
381 /// Import HMAC key and verify key parameters. Try to create an operation using the imported key.
382 /// Test should be able to create an operation successfully.
383 #[test]
keystore2_import_hmac_key_success()384 fn keystore2_import_hmac_key_success() {
385 let sl = SecLevel::tee();
386
387 let alias = format!("ks_hmac_key_test_import_1_{}", getuid());
388
389 let key_metadata = key_generations::import_hmac_key(&sl, Domain::APP, -1, Some(alias))
390 .expect("Failed to import HMAC key.");
391
392 perform_sample_hmac_sign_verify_op(&sl.binder, &key_metadata.key);
393 }
394
395 /// This test creates a wrapped key data and imports it. Validates the imported wrapped key.
396 /// 1. Create a wrapped key material to import, as ASN.1 DER-encoded data corresponding to the
397 /// `SecureKeyWrapper` schema defined in IKeyMintDevice.aidl.
398 /// 2. Import wrapped key and use it for crypto operations.
399 /// Test should successfully import the wrapped key and perform crypto operations.
400 #[test]
keystore2_create_wrapped_key_and_import_wrapped_key_success()401 fn keystore2_create_wrapped_key_and_import_wrapped_key_success() {
402 let sl = SecLevel::tee();
403
404 let mut secure_key = [0; 32];
405 rand_bytes(&mut secure_key).unwrap();
406
407 let mut transport_key = [0; 32];
408 rand_bytes(&mut transport_key).unwrap();
409
410 let mut nonce = [0; 12];
411 rand_bytes(&mut nonce).unwrap();
412
413 // Import wrapping key.
414 let wrapping_key_alias = format!("ks_wrapping_key_test_import_2_{}_2048", getuid());
415 let wrapping_key_metadata = key_generations::import_wrapping_key(
416 &sl,
417 key_generations::RSA_2048_KEY,
418 Some(wrapping_key_alias),
419 )
420 .unwrap();
421
422 // Create the DER-encoded representation of `KeyDescription` schema defined in
423 // `IKeyMintDevice.aidl` and use it as additional authenticated data.
424 let aad = create_wrapped_key_additional_auth_data().unwrap();
425
426 // Build ASN.1 DER-encoded wrapped key material as described in `SecureKeyWrapper` schema.
427 let wrapped_key_data = build_secure_key_wrapper(
428 &sl,
429 &secure_key,
430 &transport_key,
431 &nonce,
432 &aad,
433 &wrapping_key_metadata,
434 )
435 .unwrap();
436
437 // Unwrap the key. Import wrapped key.
438 let secured_key_alias = format!("ks_wrapped_aes_key_{}", getuid());
439 let secured_key_metadata = key_generations::import_wrapped_key(
440 &sl,
441 Some(secured_key_alias),
442 &wrapping_key_metadata,
443 Some(wrapped_key_data.to_vec()),
444 )
445 .unwrap();
446
447 perform_sym_key_encrypt_decrypt_op(&sl.binder, &secured_key_metadata);
448 }
449
450 /// Create a wrapped key data with invalid Additional Authenticated Data (AAD) and
451 /// try to import wrapped key.
452 /// 1. Create a wrapped key material with invalid AAD to import, as ASN.1 DER-encoded
453 /// data corresponding to the `SecureKeyWrapper` schema defined in IKeyMintDevice.aidl.
454 /// 2. Import wrapped key and use it for crypto operations.
455 /// Test should fail to import the wrapped key with error code `VERIFICATION_FAILED`.
456 #[test]
keystore2_create_wrapped_key_with_invalid_aad_and_import_wrapped_key_fail()457 fn keystore2_create_wrapped_key_with_invalid_aad_and_import_wrapped_key_fail() {
458 let sl = SecLevel::tee();
459
460 let mut secure_key = [0; 32];
461 rand_bytes(&mut secure_key).unwrap();
462
463 let mut transport_key = [0; 32];
464 rand_bytes(&mut transport_key).unwrap();
465
466 let mut nonce = [0; 12];
467 rand_bytes(&mut nonce).unwrap();
468
469 // Import wrapping key.
470 let wrapping_key_alias = format!("ks_wrapping_key_test_import_2_{}_2048", getuid());
471 let wrapping_key_metadata = key_generations::import_wrapping_key(
472 &sl,
473 key_generations::RSA_2048_KEY,
474 Some(wrapping_key_alias),
475 )
476 .unwrap();
477
478 // Use invalid value as the additional authenticated data.
479 let aad = b"foo";
480
481 // Build ASN.1 DER-encoded wrapped key material as described in `SecureKeyWrapper` schema.
482 let wrapped_key_data = build_secure_key_wrapper(
483 &sl,
484 &secure_key,
485 &transport_key,
486 &nonce,
487 aad,
488 &wrapping_key_metadata,
489 )
490 .unwrap();
491
492 // Unwrap the key. Import wrapped key.
493 let secured_key_alias = format!("ks_wrapped_aes_key_{}", getuid());
494 let result = key_generations::map_ks_error(key_generations::import_wrapped_key(
495 &sl,
496 Some(secured_key_alias),
497 &wrapping_key_metadata,
498 Some(wrapped_key_data.to_vec()),
499 ));
500
501 assert!(result.is_err());
502 assert_eq!(Error::Km(ErrorCode::VERIFICATION_FAILED), result.unwrap_err());
503 }
504
505 /// Import wrapped AES key and use it for crypto operations. Test should import wrapped key and
506 /// perform crypto operations successfully.
507 #[test]
keystore2_import_wrapped_key_success()508 fn keystore2_import_wrapped_key_success() {
509 let sl = SecLevel::tee();
510
511 let alias = format!("ks_wrapped_key_test_import_1_{}_256", getuid());
512 let wrapping_key_alias = format!("ks_wrapping_key_test_import_1_{}_2048", getuid());
513
514 let wrapping_key_params = authorizations::AuthSetBuilder::new()
515 .no_auth_required()
516 .algorithm(Algorithm::RSA)
517 .digest(Digest::SHA_2_256)
518 .purpose(KeyPurpose::ENCRYPT)
519 .purpose(KeyPurpose::DECRYPT)
520 .purpose(KeyPurpose::WRAP_KEY)
521 .padding_mode(PaddingMode::RSA_OAEP)
522 .key_size(2048)
523 .rsa_public_exponent(65537)
524 .cert_not_before(0)
525 .cert_not_after(253402300799000);
526
527 let key_metadata = key_generations::import_wrapping_key_and_wrapped_key(
528 &sl,
529 Domain::APP,
530 -1,
531 Some(alias),
532 Some(wrapping_key_alias),
533 wrapping_key_params,
534 )
535 .expect("Failed to import wrapped key.");
536
537 // Try to perform operations using wrapped key.
538 perform_sym_key_encrypt_decrypt_op(&sl.binder, &key_metadata);
539 }
540
541 /// Import wrapping-key without specifying KeyPurpose::WRAP_KEY in import key parameters. Try to
542 /// use this as wrapping-key for importing wrapped-key. Test should fail with an error code
543 /// `INCOMPATIBLE_PURPOSE` to import wrapped-key using a wrapping-key which doesn't possess
544 /// `WRAP_KEY` purpose.
545 #[test]
keystore2_import_wrapped_key_fails_with_wrong_purpose()546 fn keystore2_import_wrapped_key_fails_with_wrong_purpose() {
547 let sl = SecLevel::tee();
548
549 let wrapping_key_alias = format!("ks_wrapping_key_test_import_2_{}_2048", getuid());
550 let alias = format!("ks_wrapped_key_test_import_2_{}_256", getuid());
551
552 // In this KeyPurpose::WRAP_KEY is missing.
553 let wrapping_key_params = authorizations::AuthSetBuilder::new()
554 .no_auth_required()
555 .algorithm(Algorithm::RSA)
556 .digest(Digest::SHA_2_256)
557 .purpose(KeyPurpose::SIGN)
558 .purpose(KeyPurpose::VERIFY)
559 .padding_mode(PaddingMode::RSA_OAEP)
560 .key_size(2048)
561 .rsa_public_exponent(65537)
562 .cert_not_before(0)
563 .cert_not_after(253402300799000);
564
565 let result =
566 key_generations::map_ks_error(key_generations::import_wrapping_key_and_wrapped_key(
567 &sl,
568 Domain::APP,
569 -1,
570 Some(alias),
571 Some(wrapping_key_alias),
572 wrapping_key_params,
573 ));
574
575 assert!(result.is_err());
576 assert_eq!(Error::Km(ErrorCode::INCOMPATIBLE_PURPOSE), result.unwrap_err());
577 }
578
579 /// Try to import wrapped key whose wrapping key is missing in Android Keystore.
580 /// Test should fail to import wrapped key with `ResponseCode::KEY_NOT_FOUND`.
581 #[test]
keystore2_import_wrapped_key_fails_with_missing_wrapping_key()582 fn keystore2_import_wrapped_key_fails_with_missing_wrapping_key() {
583 let sl = SecLevel::tee();
584
585 let unwrap_params = authorizations::AuthSetBuilder::new()
586 .digest(Digest::SHA_2_256)
587 .padding_mode(PaddingMode::RSA_OAEP);
588
589 let authenticator_spec: &[AuthenticatorSpec] = &[AuthenticatorSpec {
590 authenticatorType: HardwareAuthenticatorType::NONE,
591 authenticatorId: 0,
592 }];
593
594 let alias = format!("ks_wrapped_key_test_import_3_{}_256", getuid());
595
596 // Wrapping key with this alias doesn't exist.
597 let wrapping_key_alias = format!("ks_wrapping_key_not_exist_{}_2048", getuid());
598
599 let result = key_generations::map_ks_error(sl.binder.importWrappedKey(
600 &KeyDescriptor {
601 domain: Domain::APP,
602 nspace: -1,
603 alias: Some(alias),
604 blob: Some(key_generations::WRAPPED_KEY.to_vec()),
605 },
606 &KeyDescriptor {
607 domain: Domain::APP,
608 nspace: -1,
609 alias: Some(wrapping_key_alias),
610 blob: None,
611 },
612 None,
613 &unwrap_params,
614 authenticator_spec,
615 ));
616
617 assert!(result.is_err());
618 assert_eq!(Error::Rc(ResponseCode::KEY_NOT_FOUND), result.unwrap_err());
619 }
620