1 // Copyright 2022, The Android Open Source Project
2 //
3 // Licensed under the Apache License, Version 2.0 (the "License");
4 // you may not use this file except in compliance with the License.
5 // You may obtain a copy of the License at
6 //
7 // http://www.apache.org/licenses/LICENSE-2.0
8 //
9 // Unless required by applicable law or agreed to in writing, software
10 // distributed under the License is distributed on an "AS IS" BASIS,
11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 // See the License for the specific language governing permissions and
13 // limitations under the License.
14
15 use android_hardware_security_keymint::aidl::android::hardware::security::keymint::ErrorCode::ErrorCode;
16 use android_system_keystore2::aidl::android::system::keystore2::{
17 Domain::Domain, KeyDescriptor::KeyDescriptor, ResponseCode::ResponseCode,
18 };
19 use keystore2_test_utils::{
20 get_keystore_service, key_generations, key_generations::Error, SecLevel,
21 };
22 use nix::unistd::getuid;
23
24 /// Generate a key and delete it using keystore2 service `deleteKey` API. Test should successfully
25 /// delete the generated key.
26 #[test]
keystore2_delete_key_success()27 fn keystore2_delete_key_success() {
28 let sl = SecLevel::tee();
29 let alias = "delete_key_success_key";
30
31 let key_metadata = key_generations::generate_ec_p256_signing_key(
32 &sl,
33 Domain::APP,
34 -1,
35 Some(alias.to_string()),
36 None,
37 )
38 .unwrap();
39
40 sl.keystore2.deleteKey(&key_metadata.key).expect("Failed to delete a key.");
41
42 // Check wehther deleted key is removed from keystore.
43 let result = key_generations::map_ks_error(sl.keystore2.getKeyEntry(&key_metadata.key));
44 assert!(result.is_err());
45 assert_eq!(Error::Rc(ResponseCode::KEY_NOT_FOUND), result.unwrap_err());
46 }
47
48 /// Try to delete non-existing key with domain other than BLOB using keystore2 service `deleteKey`
49 /// API. Test should fail with an error code `KEY_NOT_FOUND`.
50 #[test]
keystore2_delete_key_fail()51 fn keystore2_delete_key_fail() {
52 let test_alias = "delete_key_failure_key";
53 let keystore2 = get_keystore_service();
54
55 let result = key_generations::map_ks_error(keystore2.deleteKey(&KeyDescriptor {
56 domain: Domain::SELINUX,
57 nspace: key_generations::SELINUX_SHELL_NAMESPACE,
58 alias: Some(test_alias.to_string()),
59 blob: None,
60 }));
61 assert!(result.is_err());
62 assert_eq!(Error::Rc(ResponseCode::KEY_NOT_FOUND), result.unwrap_err());
63 }
64
65 /// Generate a key with `Domain::BLOB`. Try to delete a key with `Domain::BLOB` using keystore2
66 /// service `deleteKey` API. Test should fail to delete a key with domain BLOB with an error code
67 /// `INVALID_ARGUMENT`.
68 #[test]
keystore2_delete_key_with_blob_domain_fail()69 fn keystore2_delete_key_with_blob_domain_fail() {
70 let sl = SecLevel::tee();
71 let alias = "delete_key_blob_fail_key";
72
73 let key_metadata = key_generations::generate_ec_p256_signing_key(
74 &sl,
75 Domain::BLOB,
76 key_generations::SELINUX_SHELL_NAMESPACE,
77 Some(alias.to_string()),
78 None,
79 )
80 .unwrap();
81
82 let result = key_generations::map_ks_error(sl.keystore2.deleteKey(&key_metadata.key));
83 assert!(result.is_err());
84 assert_eq!(Error::Rc(ResponseCode::INVALID_ARGUMENT), result.unwrap_err());
85 }
86
87 /// Generate a key with `Domain::BLOB`. Delete generated key with `Domain::BLOB` using underlying
88 /// security level `deleteKey` API. Test should delete the key successfully.
89 #[test]
keystore2_delete_key_blob_success()90 fn keystore2_delete_key_blob_success() {
91 let sl = SecLevel::tee();
92 let alias = "delete_key_blob_success_key";
93
94 let key_metadata = key_generations::generate_ec_p256_signing_key(
95 &sl,
96 Domain::BLOB,
97 key_generations::SELINUX_SHELL_NAMESPACE,
98 Some(alias.to_string()),
99 None,
100 )
101 .unwrap();
102
103 let result = sl.delete_key(&key_metadata.key);
104 assert!(result.is_ok());
105 }
106
107 /// Try to delete a key with `Domain::BLOB` without providing key-blob. Test should fail to delete a
108 /// key with error code `INVALID_ARGUMENT`.
109 #[test]
keystore2_delete_key_fails_with_missing_key_blob()110 fn keystore2_delete_key_fails_with_missing_key_blob() {
111 let sl = SecLevel::tee();
112
113 let result = key_generations::map_ks_error(sl.delete_key(&KeyDescriptor {
114 domain: Domain::BLOB,
115 nspace: key_generations::SELINUX_SHELL_NAMESPACE,
116 alias: None,
117 blob: None,
118 }));
119 assert!(result.is_err());
120 assert_eq!(Error::Km(ErrorCode::INVALID_ARGUMENT), result.unwrap_err());
121 }
122
123 /// Try to delete a key with domain other than `Domain::BLOB` using underlying security-level
124 /// `deleteKey` API. Test should fail to delete a key-blob from underlying security-level backend
125 /// with error code `INVALID_ARGUMENT`.
126 #[test]
keystore2_delete_key_blob_fail()127 fn keystore2_delete_key_blob_fail() {
128 let sl = SecLevel::tee();
129 let alias = format!("ks_delete_keyblob_test_key_{}", getuid());
130
131 let key_metadata =
132 key_generations::generate_ec_p256_signing_key(&sl, Domain::APP, -1, Some(alias), None)
133 .unwrap();
134
135 let result = key_generations::map_ks_error(sl.delete_key(&key_metadata.key));
136 assert!(result.is_err());
137 assert_eq!(Error::Km(ErrorCode::INVALID_ARGUMENT), result.unwrap_err());
138 }
139