Removed `libkeymint_vts_test_utils` and its dependent libs from static
libs list and added only `libkeymint_vts_test_utils` in shared libs
list.
Test: m libkeystore2_test_utils; atest keystore2_client_tests; atest keystore2_test_utils_test;
atest keystore2_test
Bug: 194359114
Change-Id: Iab4b8c174af81a8c64a9f44fcd634d54f78773da
These will soon be required by a lint.
Some functions were incorrectly marked as safe which were not actually
safe, so I've fixed those too.
Bug: 290018030
Test: m rust
Change-Id: I38df6a8162d430617f123ab1aace38b741458fce
Changes made in keystore2-client-tests to verify the key characteristics
of generated and imported keys.
Bug: 279721870
Test: atest keystore2_client_tests
Change-Id: I30c1fb2bdb1d69d321d356453d895db73347acde
- Generate RSA/EC attested keys with attestation of the device's
identifiers. Test should succeed in generating an attested key with
attestation of device identifier. Test might fail on devices which
don't support device id attestation with error response code
`CANNOT_ATTEST_IDS` or `INVALID_TAG`.
- Try to generate an attested key with attestation of invalid device's
identifiers. Test should fail with error response `CANNOT_ATTEST_IDS`
- Test to make sure `CANNOT_ATTEST_IDS` error code is returned while
trying to generate a key on a device which doesn't support
`FEATURE_DEVICE_ID_ATTESTATION`.
Bug: 194359114
Test: atest keystore2_client_test
Change-Id: Ib57c58d3ea89279eb69db342c3343b8d99ddc639
1. Generate RSA key and grant it to a user. In user context load the
key using `EVP_PKEY_from_keystore` and perform sign and verify
operations.
[keystore2_perofrm_crypto_op_using_keystore2_engine_rsa_key_success]
2. Generate EC key and grant it to a user. In user context load the
key using `EVP_PKEY_from_keystore` and perform sign and verify
operations.
[keystore2_perofrm_crypto_op_using_keystore2_engine_ec_key_success]
3. Generate RSA key and grant it to a user. Re-encode the certificate
as PEM and update the certificate using `updateSubcomponents`.
In user context load the key using `EVP_PKEY_from_keystore` and
perform sign and verify operations.
Bug: 201343811
Test: atest keystore2_client_tests
Change-Id: I7dafd598f4198e11103cd11695b2f67636f24755
1. Try to list large number of aliases such that aliases list would
exceed the binder transaction size limit. Test should successfully
list the aliases using `listEntriesBatched` API.
2. Import keys from multiple processes having same user context. Try to
list the aliases in all the processes with and without providing
`startingPastAlias`. Test should list aliases using
`listEntriesBatched` in all the processes using any of the alias as
`startingPastAlias` and match with expected list of aliases. Test
should also list all the aliases without providing
`startingPastAlias`.
3. Try to list aliases with empty keystore using `listEntriesBatched`
API. Test should successfully query the Keystore for aliases and
verify that keystore is empty.
4. Test to list aliases using domain as SELINUX using
`listEntriesBatched` API.
5. Import multiple number of keys in an app context and try to list the
aliases using imported keys aliases as `startingPastAlias` and verify
the retrieved list of aliases matches the expected list of aliases
in all the cases.
6. Try to list the key entries with domain SELINUX from user context
where user doesn't possess `GET_INFO` permission for specified
namespace. Test should fail to list key entries with error response
code `PERMISSION_DENIED`.
7. Try to list key entries with domain BLOB. Test should fail with error
response code `INVALID_ARGUMENT`.
8. Try to get the total number of keystore entries with domain SELINUX
from user context where user doesn't possess `GET_INFO` permission
for specified namespace. Test should fail to get the count with
error response code `PERMISSION_DENIED`.
9. Try to get the count of total number of entries in keystore with
domain BLOB. Test should fail with error response code
`INVALID_ARGUMENT`.
Bug: 194359114
Test: atest keystore2_client_test
Change-Id: I7dd52230cd602a1ae33e3f9f2a22d2dd2c447df7
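
A toy model of the cursor-style paging that the `listEntriesBatched` tests above exercise, added here as an illustration and not taken from keystore2 or its tests. `list_batched`, `list_all`, `sample_store`, the 64-byte `MAX_REPLY_BYTES` budget and the alias names are constructed, and sorted, strictly-after-cursor ordering is an assumption of the model.

```rust
// Added illustration: toy in-memory model, not keystore2 code.
// All names and the size budget below are hypothetical/constructed.
use std::collections::BTreeSet;

/// Constructed stand-in for the binder transaction size limit.
const MAX_REPLY_BYTES: usize = 64;

/// Constructed sample data: n aliases of 15 bytes each.
fn sample_store(n: usize) -> BTreeSet<String> {
    (0..n).map(|i| format!("test_alias_{:04}", i)).collect()
}

/// One "call": aliases strictly after the cursor, in sorted order,
/// truncated so the reply stays within MAX_REPLY_BYTES.
fn list_batched(store: &BTreeSet<String>, starting_past_alias: Option<&str>) -> Vec<String> {
    let mut used = 0;
    let mut out = Vec::new();
    for alias in store {
        if starting_past_alias.map_or(false, |cursor| alias.as_str() <= cursor) {
            continue;
        }
        // Always return at least one entry so the caller makes progress.
        if !out.is_empty() && used + alias.len() > MAX_REPLY_BYTES {
            break;
        }
        used += alias.len();
        out.push(alias.clone());
    }
    out
}

/// Client loop: repeat with the last alias received as the cursor until
/// an empty batch comes back. Returns all aliases and the number of calls.
fn list_all(store: &BTreeSet<String>) -> (Vec<String>, usize) {
    let mut all: Vec<String> = Vec::new();
    let mut calls = 0;
    loop {
        let batch = list_batched(store, all.last().map(|s| s.as_str()));
        calls += 1;
        if batch.is_empty() {
            return (all, calls);
        }
        all.extend(batch);
    }
}

fn main() {
    let (all, calls) = list_all(&sample_store(10));
    println!("{} aliases in {} calls", all.len(), calls);
}
```

In this model a cursor that is not itself a stored alias still works, because the comparison is on ordering rather than membership.
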
1. Verify that key agreement works with curves `P_224, P_256, P_384 and
P_521`. Test should generate KeyMint EC key with purpose `AGREE_KEY`
and OpenSSL EC key with same curve as KeyMint key. Perform local ECDH
between these two keys and verify that derived secrets are the same.
2. Verify that key agreement works with CURVE_25519 curve.
Test should generate KeyMint EC-CURVE_25519 key with purpose
`AGREE_KEY` and OpenSSL EC key with same curve as KeyMint key.
Perform local ECDH between these two keys and verify that derived
secrets are the same.
3. Verify that key agreement doesn't work when EC keys are using
different curves. Generate a KeyMint EC key using P_256 curve and
OpenSSL EC key using CURVE_25519. Try to perform a local ECDH between
these keys and operation should fail with `INVALID_ARGUMENT` error
code.
Bug: 194359114
Test: atest keystore2_client_test
Change-Id: I3da7af09908d6828ad617c833469bbd786b09e8f
- Don't specify a BlockMode for RSA operations.
- Don't set ATTESTATION_APPLICATION_ID from the client; keystore will
fill this in itself whenever an ATTESTATION_CHALLENGE is present.
- Rename `has_trusty_keymint` to `has_default_keymint`, as it has
nothing to do with Trusty.
- Allow wider ranges of error codes.
Bug: 197891150
Test: keystore2_client_tests
Change-Id: I17d4eff724c554cbd89dfcc0a4e3ec7beb4e08db
- Build ASN.1 DER-encoded wrapped key material `SecureKeyWrapper`.
Import the wrapped key material. Test should create DER-encoded
wrapped key material and import the secure key successfully.
Imported key should be used to perform crypto operation successfully.
- Build ASN.1 DER-encoded wrapped key material `SecureKeyWrapper` with
invalid AAD. Try to import the wrapped key material. Test should
create DER-encoded wrapped key material. Test should fail to import
the secure key with error code `VERIFICATION_FAILED`.
- Import wrapped AES key and use it for crypto operations. Test should
import wrapped key and use it for performing crypto operations
successfully.
- Import a key without WRAP_KEY purpose and try to use it as wrapping
key while importing wrapped key. Test should fail to import wrapped
key with an error code `INCOMPATIBLE_PURPOSE`.
- Try to import wrapped key using non-existing wrapping key in Android
keystore. Test should fail to import wrapped key with an error code
`KEY_NOT_FOUND`.
Bug: 194359114
Test: atest keystore2_client_test
Change-Id: Ic9ed03b6f945bd41c4873f97a84c1658c284e918
- Test to import an RSA key and validate imported key parameters.
Perform an operation using imported key. Test should be able to
import the key and complete the operation successfully.
- Test to import an RSA key without specifying key size and public
exponent. Determine key-size and public exponent from key material.
Validate imported key parameters. Perform an operation using imported
key. Test should be able to import the key and complete the operation
successfully.
- Test to import an RSA key with incorrect key-size as import key
parameter. Test should fail to import a key with an error code
`IMPORT_PARAMETER_MISMATCH`.
- Test to import an RSA key with incorrect public exponent as import key
parameter. Test should fail to import a key with an error code
`IMPORT_PARAMETER_MISMATCH`.
- Test to import an RSA key with multiple purposes [SIGN and ATTEST_KEY]
as import key parameters. Test should fail to import a key with an
error code `INCOMPATIBLE_PURPOSE`.
- Test to import an EC key without specifying curve. Determine ec-curve
from key material. Validate imported key parameters. Perform an
operation using imported key. Test should be able to import the key
and complete the operation successfully.
- Test to import an EC key with incorrect ec-curve as import key
parameter. Test should fail to import a key with an error code
`IMPORT_PARAMETER_MISMATCH`.
- Test to import AES, 3DES and HMAC keys. Validate imported keys
parameters. Perform operations using imported keys. Test should
be able to import the key and complete the operation successfully.
Bug: 194359114
Test: atest keystore2_client_test
Change-Id: Ib90c05b93929b8b0e1d4cb9542f5b8493a116c39
- Generate EC/RSA attestation keys and use it for signing RSA and EC
keys. Test should be able to use the attest keys for signing the
generated keys successfully.
- Generate EC-CURVE_25519 attestation key and use it for signing RSA
key. Test should be able to generate RSA key with EC-CURVE_25519 key
as attestation key.
- Generate an asymmetric key which doesn't possess ATTEST_KEY purpose.
Use this key for attesting asymmetric key. It should fail to generate
key with incompatible purpose error.
- Generate a symmetric key. Try to use this symmetric key as attestation
key while generating asymmetric key. It should fail to generate a key
with system error.
- Try to generate symmetric key with valid attestation key,
attestation-challenge and attestation-app-id. Test should generate a
key without attestation record.
- Try to generate RSA/EC attestation keys with multiple purpose. Test
should fail to generate keys with incompatible purpose error code.
- Generate an attestation key and try to use it for signing a key
without providing attestation challenge. Test should fail with missing
attestation challenge error.
Note: These tests are executed on devices where
`android.hardware.keystore.app_attest_key` feature is enabled, otherwise
tests are skipped.
Bug: 194359114
Test: atest keystore2_client_test
Change-Id: I4228dc5fe5e207995472c3425d5f2696ef95249f
Added macros to generate test code for RSA and EC keys use cases.
Test cases are split to run them in distinct test cases to avoid
timeout issues. Limiting RSA and EC each test cases to generate only
one key and perform an operation.
Bug: 242356276
Test: atest keystore2_client_tests
Change-Id: I2841734f329afb0005727da26cc5b9ff532b9e73
- Generate HMAC keys with digest modes [SHA1, SHA_2_224, SHA_2_256,
SHA_2_384, SHA_2_512], should be able to create operations using
generated keys successfully.
- Try to generate HMAC keys with key size in the range 0..513. For
invalid key size, key generation should fail with an error code
`UNSUPPORTED_KEY_SIZE`.
- Generate HMAC keys with min-mac-lengths in the range 0..257. For
invalid min-mac-length, key generation should fail with an error
code `UNSUPPORTED_MIN_MAC_LENGTH`.
- Try to generate HMAC key with multiple digest modes, key generation
should fail with an error code `UNSUPPORTED_DIGEST`.
- Try to generate HMAC key without providing digest mode, key
generation should fail with an error code `UNSUPPORTED_DIGEST`.
- Try to generate HMAC key with digest mode `NONE`, key
generation should fail with an error code `UNSUPPORTED_DIGEST`.
- Generate HMAC key with min-mac-length of 128 bits and digests
[SHA1, SHA-2-224], try to create operations with mac-len greater than
digest lengths. Test should fail to create an operation with an error
code `UNSUPPORTED_MAC_LENGTH`.
- Generate HMAC key with min-mac-length of 128 bits and digests
[SHA1, SHA-2-224], try to create operations with mac-len less than
min-mac-length. Test should fail to create an operation with an error
code `INVALID_MAC_LENGTH`.
Bug: 194359114
Test: atest keystore2_client_test
Change-Id: I594c9718b0f6a67f2655faca4bf100abf2ced3a3
- Generate 3DES keys with block modes [ECB, CBC] and padding modes
[NONE, PKCS7]. Should be able to create operations successfully
with these generated keys.
- Try to generate a key and create an operation with invalid inputs, it
should fail with proper error codes
  - with unsupported key size
  - with unsupported padding mode
  - with padding mode NONE and input text whose length isn't a
    multiple of the DES block size
  - with unsupported blockmode
Bug: 194359114
Test: atest keystore2_client_test
Change-Id: Ida98fd2e6f9b7ba84b8beba9ea979d5aeb2240ee
- Generate AES keys with block modes [ECB, CBC] and padding modes [NONE,
PKCS7]. Should be able to create operations successfully with these
generated keys.
- Generate AES keys with block modes [CTR, GCM] and padding modes [NONE,
PKCS7]. Should be able to create operations successfully with padding
mode NONE. With PKCS7 padding mode creation of an operation should
fail with incompatible padding mode.
- Try to generate a key and create an operation with invalid inputs, it
should fail with proper error codes.
  - with unsupported key size
  - with GCM block mode without providing min-mac-length
  - with multiple block modes
  - with multiple padding modes
  - with incompatible padding modes
  - with incompatible block modes
  - with missing mac-length
  - with invalid mac-length
  - with unsupported mac-length
- With AES-CBC-PKCS7 key without `CALLER_NONCE` authorization, Try to
set nonce while creating an operation.
Bug: 194359114
Test: atest keystore2_client_test
Change-Id: Ibf1b8460317b4c99d9060d5889c8b3778a80ca5b
- Generate RSA signing keys with combinations of digest modes [NONE,
MD5, SHA1, SHA_2_224, SHA_2_256, SHA_2_384, SHA_2_512] and padding
modes [NONE, RSA_PKCS1_1_5_SIGN, RSA_PSS]. Should be able to
create operations using these keys except in below cases.
  - when padding mode is RSA_PSS and digest mode is NONE
  - when padding mode is NONE and digest is other than NONE.
- Generate RSA encrypt/decrypt keys with OAEP padding mode, combinations
of digests [MD5, SHA1, SHA_2_224, SHA_2_256, SHA_2_384, SHA_2_512] and
mgf-digests [MD5, SHA1, SHA_2_224, SHA_2_256, SHA_2_384, SHA_2_512].
Should be able to create operations with these generated keys
successfully.
- Generate RSA encrypt/decrypt keys with combinations of padding modes
[NONE, RSA_PKCS1_1_5_ENCRYPT, RSA_OAEP], digests [NONE, MD5, SHA1,
SHA_2_224, SHA_2_256, SHA_2_384, SHA_2_512]. Should be able to create
operations with these generated keys successfully except in below case
  - with padding mode RSA_OAEP and digest mode NONE an error is
    expected.
- Generate RSA encrypt/decrypt keys with padding modes [NONE,
RSA_PKCS1_1_5_ENCRYPT, RSA_OAEP] and without digests. Should be able
to create operations with these generated keys successfully.
- Generate RSA keys without padding modes and digest modes. Creation of
an operation should fail with unsupported padding mode error.
- Tests to validate failure of generating RSA keys with incompatible
purpose, unsupported purpose, unsupported padding mode, unsupported
digest and unsupported key sizes.
Bug: 194359114
Test: atest keystore2_client_test
Change-Id: I16843932cc170d0e820208f558587aacf13b9272
Test 1: Should fail to generate a key with domain not listed
in keystore2::Domain.
Test 2: Should fail to generate an EC key without providing curve.
Test 3: Should fail to generate an EC key with 25519 curve having
sign and agree_key purposes.
Test 4: Generate EC keys with `NONE, MD5, SHA1, SHA-2 224,
SHA-2 256, SHA-2 384 and SHA-2 512` digest modes and P_224,
P_256, P_384, P_521 ec curves combinations. Should be able
to create operations with these keys successfully for all
digest modes except NONE and MD5.
Test 5: Generate an EC key with curve CURVE_25519 and digest mode NONE.
Should be able to create an operation with digest mode NONE.
Test 6: Generate EC keys with curve CURVE_25519 and digest modes
`MD5, SHA1, SHA-2 224, SHA-2 256, SHA-2 384 and SHA-2 512`
combinations. Creation of an operation should fail with
unsupported digest error.
Test 7: Should fail to create an operation with incompatible digest
mode in key authorizations.
Test 8: Test for key owner validation. Generate a key in one user and
try to use it in another user context where it should fail to
load the key as it doesn't own the key generated by prior user.
Test 9: Generate a key with Domain::BLOB. Verify that key descriptor
holds the key blob. Try to use this key to perform an operation
successfully.
Bug: 194359114
Test: atest keystore2_client_test
Change-Id: I8b923cfdd9dbd50d1ebaab03560e9378ede7cdee
Verify that the clients (for ex: clients with `vold` context) with
`req_forced_op` permission are allowed to create forced (unpruneable)
operations otherwise the creation of forced operation is denied.
Bug: 194359114
Test: atest keystore2_client_test
Change-Id: I73d85ac127274e623095e233368b0211f6738d6e
- Forced operation creation with all slots filled with normal operations
- Forced operation creation with all slots filled with forced operations
Bug: 194359114
Test: atest keystore2_client_test
Change-Id: I493ea1c25d09597c44add430a20b5ca9c983e8d3
Creates multiple child procs and creates operations in it and
parent proc waits for all child procs operations status, expects
one or more operations to fail with backend busy error.
Bug: 194359114
Test: atest keystore2_client_test
Change-Id: I52f95a7cfd031d80c88bfc2ca478a26572f40150
- authorizations: helper struct to create set of key authorizations
- key_generations: helper methods to generate various keys.
Test: N/A
Change-Id: I23250838b7b6d8ad59f5ef8682861a07e856299f
This CL adds run_as_child which starts a child asynchronously and
returns a handle that allows waiting for and communicating with the
child process.
Test: keystore2_test_utils_test
Change-Id: Ibde858f249c94295b5f1c0c0cb29b8a98fb98a3a
The run_as function allows a test with sufficient privileges to run a
closure as a different identity given by a tuple of UID, GID, and SELinux
context. This is infrastructure in preparation for the keystore2 vts
test.
Test: keystore2_test_utils_test
Bug: 182508302
Change-Id: Ic1923028e5bc4ca4b1112e34669d52687450fd14