keystore2/test_utils/ffi_test_utils.rs - platform/system/security - Git at Google

 // Copyright 2022, The Android Open Source Project
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
 // You may obtain a copy of the License at
 //
 //     http://www.apache.org/licenses/LICENSE-2.0
 //
 // Unless required by applicable law or agreed to in writing, software
 // distributed under the License is distributed on an "AS IS" BASIS,
 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 // See the License for the specific language governing permissions and
 // limitations under the License.

 //! This module implements helper methods to access the functionalities implemented in CPP.

 use crate::key_generations::Error;
 use android_hardware_security_keymint::aidl::android::hardware::security::keymint::Tag::Tag;

 #[cxx::bridge]
 mod ffi {
     struct CxxResult {
         data: Vec<u8>,
         error: i32,
     }

     unsafe extern "C++" {
         include!("ffi_test_utils.hpp");
         fn validateCertChain(cert_buf: Vec<u8>, cert_len: u32, strict_issuer_check: bool) -> bool;
         fn createWrappedKey(
             encrypted_secure_key: Vec<u8>,
             encrypted_transport_key: Vec<u8>,
             iv: Vec<u8>,
             tag: Vec<u8>,
         ) -> CxxResult;
         fn buildAsn1DerEncodedWrappedKeyDescription() -> CxxResult;
         fn performCryptoOpUsingKeystoreEngine(grant_id: i64) -> bool;
         fn getValueFromAttestRecord(cert_buf: Vec<u8>, tag: i32) -> CxxResult;
     }
 }

 /// Validate given certificate chain.
 pub fn validate_certchain(cert_buf: &[u8]) -> Result<bool, Error> {
     if ffi::validateCertChain(cert_buf.to_vec(), cert_buf.len().try_into().unwrap(), true) {
         return Ok(true);
     }

     Err(Error::ValidateCertChainFailed)
 }

 /// Collect the result from CxxResult into a Rust supported structure.
 fn get_result(result: ffi::CxxResult) -> Result<Vec<u8>, Error> {
     if result.error == 0 && !result.data.is_empty() {
         Ok(result.data)
     } else {
         Err(Error::DerEncodeFailed)
     }
 }

 /// Creates wrapped key material to import in ASN.1 DER-encoded data corresponding to
 /// `SecureKeyWrapper`. See `IKeyMintDevice.aidl` for documentation of the `SecureKeyWrapper`
 /// schema.
 pub fn create_wrapped_key(
     encrypted_secure_key: &[u8],
     encrypted_transport_key: &[u8],
     iv: &[u8],
     tag: &[u8],
 ) -> Result<Vec<u8>, Error> {
     get_result(ffi::createWrappedKey(
         encrypted_secure_key.to_vec(),
         encrypted_transport_key.to_vec(),
         iv.to_vec(),
         tag.to_vec(),
     ))
 }

 /// Creates ASN.1 DER-encoded data corresponding to `KeyDescription` schema.
 /// See `IKeyMintDevice.aidl` for documentation of the `KeyDescription` schema.
 /// Below mentioned key parameters are used -
 ///     Algorithm: AES-256
 ///     Padding: PKCS7
 ///     Blockmode: ECB
 ///     Purpose: Encrypt, Decrypt
 pub fn create_wrapped_key_additional_auth_data() -> Result<Vec<u8>, Error> {
     get_result(ffi::buildAsn1DerEncodedWrappedKeyDescription())
 }

 /// Performs crypto operation using Keystore-Engine APIs.
 pub fn perform_crypto_op_using_keystore_engine(grant_id: i64) -> Result<bool, Error> {
     if ffi::performCryptoOpUsingKeystoreEngine(grant_id) {
         return Ok(true);
     }

     Err(Error::Keystore2EngineOpFailed)
 }

 /// Get the value of the given `Tag` from attestation record.
 pub fn get_value_from_attest_record(cert_buf: &[u8], tag: Tag) -> Result<Vec<u8>, Error> {
     let result = ffi::getValueFromAttestRecord(cert_buf.to_vec(), tag.0);
     if result.error == 0 && !result.data.is_empty() {
         return Ok(result.data);
     }
     Err(Error::AttestRecordGetValueFailed)
 }
	// Copyright 2022, The Android Open Source Project
	//
	// Licensed under the Apache License, Version 2.0 (the "License");
	// you may not use this file except in compliance with the License.
	// You may obtain a copy of the License at
	//
	// http://www.apache.org/licenses/LICENSE-2.0
	//
	// Unless required by applicable law or agreed to in writing, software
	// distributed under the License is distributed on an "AS IS" BASIS,
	// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	// See the License for the specific language governing permissions and
	// limitations under the License.

	//! This module implements helper methods to access the functionalities implemented in CPP.

	use crate::key_generations::Error;
	use android_hardware_security_keymint::aidl::android::hardware::security::keymint::Tag::Tag;

	#[cxx::bridge]
	mod ffi {
	struct CxxResult {
	data: Vec<u8>,
	error: i32,
	}

	unsafe extern "C++" {
	include!("ffi_test_utils.hpp");
	fn validateCertChain(cert_buf: Vec<u8>, cert_len: u32, strict_issuer_check: bool) -> bool;
	fn createWrappedKey(
	encrypted_secure_key: Vec<u8>,
	encrypted_transport_key: Vec<u8>,
	iv: Vec<u8>,
	tag: Vec<u8>,
	) -> CxxResult;
	fn buildAsn1DerEncodedWrappedKeyDescription() -> CxxResult;
	fn performCryptoOpUsingKeystoreEngine(grant_id: i64) -> bool;
	fn getValueFromAttestRecord(cert_buf: Vec<u8>, tag: i32) -> CxxResult;
	}
	}

	/// Validate given certificate chain.
	pub fn validate_certchain(cert_buf: &[u8]) -> Result<bool, Error> {
	if ffi::validateCertChain(cert_buf.to_vec(), cert_buf.len().try_into().unwrap(), true) {
	return Ok(true);
	}

	Err(Error::ValidateCertChainFailed)
	}

	/// Collect the result from CxxResult into a Rust supported structure.
	fn get_result(result: ffi::CxxResult) -> Result<Vec<u8>, Error> {
	if result.error == 0 && !result.data.is_empty() {
	Ok(result.data)
	} else {
	Err(Error::DerEncodeFailed)
	}
	}

	/// Creates wrapped key material to import in ASN.1 DER-encoded data corresponding to
	/// `SecureKeyWrapper`. See `IKeyMintDevice.aidl` for documentation of the `SecureKeyWrapper`
	/// schema.
	pub fn create_wrapped_key(
	encrypted_secure_key: &[u8],
	encrypted_transport_key: &[u8],
	iv: &[u8],
	tag: &[u8],
	) -> Result<Vec<u8>, Error> {
	get_result(ffi::createWrappedKey(
	encrypted_secure_key.to_vec(),
	encrypted_transport_key.to_vec(),
	iv.to_vec(),
	tag.to_vec(),
	))
	}

	/// Creates ASN.1 DER-encoded data corresponding to `KeyDescription` schema.
	/// See `IKeyMintDevice.aidl` for documentation of the `KeyDescription` schema.
	/// Below mentioned key parameters are used -
	/// Algorithm: AES-256
	/// Padding: PKCS7
	/// Blockmode: ECB
	/// Purpose: Encrypt, Decrypt
	pub fn create_wrapped_key_additional_auth_data() -> Result<Vec<u8>, Error> {
	get_result(ffi::buildAsn1DerEncodedWrappedKeyDescription())
	}

	/// Performs crypto operation using Keystore-Engine APIs.
	pub fn perform_crypto_op_using_keystore_engine(grant_id: i64) -> Result<bool, Error> {
	if ffi::performCryptoOpUsingKeystoreEngine(grant_id) {
	return Ok(true);
	}

	Err(Error::Keystore2EngineOpFailed)
	}

	/// Get the value of the given `Tag` from attestation record.
	pub fn get_value_from_attest_record(cert_buf: &[u8], tag: Tag) -> Result<Vec<u8>, Error> {
	let result = ffi::getValueFromAttestRecord(cert_buf.to_vec(), tag.0);
	if result.error == 0 && !result.data.is_empty() {
	return Ok(result.data);
	}
	Err(Error::AttestRecordGetValueFailed)
	}