Loading security/keymint/aidl/vts/functional/AttestKeyTest.cpp +76 −61 Original line number Diff line number Diff line Loading @@ -219,8 +219,7 @@ TEST_P(AttestKeyTest, RsaAttestedAttestKeys) { AttestationKey attest_key; vector<KeyCharacteristics> attest_key_characteristics; vector<Certificate> attest_key_cert_chain; ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder() auto result = GenerateKey(AuthorizationSetBuilder() .RsaKey(2048, 65537) .AttestKey() .AttestationChallenge(challenge) Loading @@ -230,7 +229,12 @@ TEST_P(AttestKeyTest, RsaAttestedAttestKeys) { .Authorization(TAG_NO_AUTH_REQUIRED) .SetDefaultValidity(), {} /* attestation signing key */, &attest_key.keyBlob, &attest_key_characteristics, &attest_key_cert_chain)); &attest_key_characteristics, &attest_key_cert_chain); // Strongbox may not support factory provisioned attestation key. if (SecLevel() == SecurityLevel::STRONGBOX) { if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) return; } ASSERT_EQ(ErrorCode::OK, result); EXPECT_GT(attest_key_cert_chain.size(), 1); verify_subject_and_serial(attest_key_cert_chain[0], serial_int, subject, false); Loading Loading @@ -319,8 +323,7 @@ TEST_P(AttestKeyTest, RsaAttestKeyChaining) { attest_key_opt = attest_key; } EXPECT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder() auto result = GenerateKey(AuthorizationSetBuilder() .RsaKey(2048, 65537) .AttestKey() .AttestationChallenge("foo") Loading @@ -330,7 +333,12 @@ TEST_P(AttestKeyTest, RsaAttestKeyChaining) { .Authorization(TAG_CERTIFICATE_SUBJECT, subject_der) .SetDefaultValidity(), attest_key_opt, &key_blob_list[i], &attested_key_characteristics, &cert_chain_list[i])); &cert_chain_list[i]); // Strongbox may not support factory provisioned attestation key. if (SecLevel() == SecurityLevel::STRONGBOX) { if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) return; } ASSERT_EQ(ErrorCode::OK, result); AuthorizationSet hw_enforced = HwEnforcedAuthorizations(attested_key_characteristics); AuthorizationSet sw_enforced = SwEnforcedAuthorizations(attested_key_characteristics); Loading Loading @@ -392,8 +400,7 @@ TEST_P(AttestKeyTest, EcAttestKeyChaining) { attest_key_opt = attest_key; } EXPECT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder() auto result = GenerateKey(AuthorizationSetBuilder() .EcdsaKey(EcCurve::P_256) .AttestKey() .AttestationChallenge("foo") Loading @@ -403,7 +410,12 @@ TEST_P(AttestKeyTest, EcAttestKeyChaining) { .Authorization(TAG_NO_AUTH_REQUIRED) .SetDefaultValidity(), attest_key_opt, &key_blob_list[i], &attested_key_characteristics, &cert_chain_list[i])); &cert_chain_list[i]); // Strongbox may not support factory provisioned attestation key. if (SecLevel() == SecurityLevel::STRONGBOX) { if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) return; } ASSERT_EQ(ErrorCode::OK, result); AuthorizationSet hw_enforced = HwEnforcedAuthorizations(attested_key_characteristics); AuthorizationSet sw_enforced = SwEnforcedAuthorizations(attested_key_characteristics); Loading Loading @@ -484,10 +496,9 @@ TEST_P(AttestKeyTest, AlternateAttestKeyChaining) { attest_key.keyBlob = key_blob_list[i - 1]; attest_key_opt = attest_key; } ErrorCode result; if ((i & 0x1) == 1) { EXPECT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder() result = GenerateKey(AuthorizationSetBuilder() .EcdsaKey(EcCurve::P_256) .AttestKey() .AttestationChallenge("foo") Loading @@ -497,10 +508,9 @@ TEST_P(AttestKeyTest, AlternateAttestKeyChaining) { .Authorization(TAG_NO_AUTH_REQUIRED) .SetDefaultValidity(), attest_key_opt, &key_blob_list[i], &attested_key_characteristics, &cert_chain_list[i])); &cert_chain_list[i]); } else { EXPECT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder() result = GenerateKey(AuthorizationSetBuilder() .RsaKey(2048, 65537) .AttestKey() .AttestationChallenge("foo") Loading @@ -510,8 +520,13 @@ TEST_P(AttestKeyTest, AlternateAttestKeyChaining) { .Authorization(TAG_NO_AUTH_REQUIRED) .SetDefaultValidity(), attest_key_opt, &key_blob_list[i], &attested_key_characteristics, &cert_chain_list[i])); &cert_chain_list[i]); } // Strongbox may not support factory provisioned attestation key. if (SecLevel() == SecurityLevel::STRONGBOX) { if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) return; } ASSERT_EQ(ErrorCode::OK, result); AuthorizationSet hw_enforced = HwEnforcedAuthorizations(attested_key_characteristics); AuthorizationSet sw_enforced = SwEnforcedAuthorizations(attested_key_characteristics); Loading security/keymint/aidl/vts/functional/KeyMintAidlTestBase.cpp +8 −0 Original line number Diff line number Diff line Loading @@ -1228,6 +1228,14 @@ vector<EcCurve> KeyMintAidlTestBase::InvalidCurves() { } } vector<uint64_t> KeyMintAidlTestBase::ValidExponents() { if (SecLevel() == SecurityLevel::STRONGBOX) { return {65537}; } else { return {3, 65537}; } } vector<Digest> KeyMintAidlTestBase::ValidDigests(bool withNone, bool withMD5) { switch (SecLevel()) { case SecurityLevel::SOFTWARE: Loading security/keymint/aidl/vts/functional/KeyMintAidlTestBase.h +9 −2 Original line number Diff line number Diff line Loading @@ -253,7 +253,10 @@ class KeyMintAidlTestBase : public ::testing::TestWithParam<string> { .SetDefaultValidity(); tagModifier(&rsaBuilder); errorCode = GenerateKey(rsaBuilder, &rsaKeyData.blob, &rsaKeyData.characteristics); if (!(SecLevel() == SecurityLevel::STRONGBOX && ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED == errorCode)) { EXPECT_EQ(expectedReturn, errorCode); } /* ECDSA */ KeyData ecdsaKeyData; Loading @@ -265,7 +268,10 @@ class KeyMintAidlTestBase : public ::testing::TestWithParam<string> { .SetDefaultValidity(); tagModifier(&ecdsaBuilder); errorCode = GenerateKey(ecdsaBuilder, &ecdsaKeyData.blob, &ecdsaKeyData.characteristics); if (!(SecLevel() == SecurityLevel::STRONGBOX && ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED == errorCode)) { EXPECT_EQ(expectedReturn, errorCode); } return {aesKeyData, hmacKeyData, rsaKeyData, ecdsaKeyData}; } bool IsSecure() const { return securityLevel_ != SecurityLevel::SOFTWARE; } Loading @@ -282,6 +288,7 @@ class KeyMintAidlTestBase : public ::testing::TestWithParam<string> { vector<EcCurve> InvalidCurves(); vector<Digest> ValidDigests(bool withNone, bool withMD5); vector<uint64_t> ValidExponents(); static vector<string> build_params() { auto params = ::android::getAidlHalInstanceNames(IKeyMintDevice::descriptor); Loading security/keymint/aidl/vts/functional/KeyMintTest.cpp +126 −77 Original line number Diff line number Diff line Loading @@ -1036,8 +1036,7 @@ TEST_P(NewKeyGenerationTest, RsaWithAttestation) { for (auto key_size : ValidKeySizes(Algorithm::RSA)) { vector<uint8_t> key_blob; vector<KeyCharacteristics> key_characteristics; ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder() auto result = GenerateKey(AuthorizationSetBuilder() .RsaSigningKey(key_size, 65537) .Digest(Digest::NONE) .Padding(PaddingMode::NONE) Loading @@ -1047,7 +1046,11 @@ TEST_P(NewKeyGenerationTest, RsaWithAttestation) { .Authorization(TAG_CERTIFICATE_SERIAL, serial_blob) .Authorization(TAG_CERTIFICATE_SUBJECT, subject_der) .SetDefaultValidity(), &key_blob, &key_characteristics)); &key_blob, &key_characteristics); // Strongbox may not support factory provisioned attestation key. if (SecLevel() == SecurityLevel::STRONGBOX) { if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) return; } ASSERT_GT(key_blob.size(), 0U); CheckBaseParams(key_characteristics); Loading Loading @@ -1169,8 +1172,7 @@ TEST_P(NewKeyGenerationTest, RsaEncryptionWithAttestation) { vector<uint8_t> key_blob; vector<KeyCharacteristics> key_characteristics; ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder() auto result = GenerateKey(AuthorizationSetBuilder() .RsaEncryptionKey(key_size, 65537) .Padding(PaddingMode::NONE) .AttestationChallenge(challenge) Loading @@ -1179,7 +1181,12 @@ TEST_P(NewKeyGenerationTest, RsaEncryptionWithAttestation) { .Authorization(TAG_CERTIFICATE_SERIAL, serial_blob) .Authorization(TAG_CERTIFICATE_SUBJECT, subject_der) .SetDefaultValidity(), &key_blob, &key_characteristics)); &key_blob, &key_characteristics); // Strongbox may not support factory provisioned attestation key. if (SecLevel() == SecurityLevel::STRONGBOX) { if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) return; } ASSERT_EQ(ErrorCode::OK, result); ASSERT_GT(key_blob.size(), 0U); AuthorizationSet auths; Loading Loading @@ -1281,15 +1288,19 @@ TEST_P(NewKeyGenerationTest, RsaWithAttestationMissAppId) { vector<uint8_t> key_blob; vector<KeyCharacteristics> key_characteristics; ASSERT_EQ(ErrorCode::ATTESTATION_APPLICATION_ID_MISSING, GenerateKey(AuthorizationSetBuilder() auto result = GenerateKey(AuthorizationSetBuilder() .RsaSigningKey(2048, 65537) .Digest(Digest::NONE) .Padding(PaddingMode::NONE) .AttestationChallenge(challenge) .Authorization(TAG_NO_AUTH_REQUIRED) .SetDefaultValidity(), &key_blob, &key_characteristics)); &key_blob, &key_characteristics); // Strongbox may not support factory provisioned attestation key. if (SecLevel() == SecurityLevel::STRONGBOX) { if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) return; } ASSERT_EQ(ErrorCode::ATTESTATION_APPLICATION_ID_MISSING, result); } /* Loading Loading @@ -1399,8 +1410,7 @@ TEST_P(NewKeyGenerationTest, LimitedUsageRsaWithAttestation) { for (auto key_size : ValidKeySizes(Algorithm::RSA)) { vector<uint8_t> key_blob; vector<KeyCharacteristics> key_characteristics; ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder() auto result = GenerateKey(AuthorizationSetBuilder() .RsaSigningKey(key_size, 65537) .Digest(Digest::NONE) .Padding(PaddingMode::NONE) Loading @@ -1411,7 +1421,12 @@ TEST_P(NewKeyGenerationTest, LimitedUsageRsaWithAttestation) { .Authorization(TAG_CERTIFICATE_SERIAL, serial_blob) .Authorization(TAG_CERTIFICATE_SUBJECT, subject_der) .SetDefaultValidity(), &key_blob, &key_characteristics)); &key_blob, &key_characteristics); // Strongbox may not support factory provisioned attestation key. if (SecLevel() == SecurityLevel::STRONGBOX) { if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) return; } ASSERT_EQ(ErrorCode::OK, result); ASSERT_GT(key_blob.size(), 0U); CheckBaseParams(key_characteristics); Loading Loading @@ -1601,8 +1616,7 @@ TEST_P(NewKeyGenerationTest, EcdsaAttestation) { for (auto curve : ValidCurves()) { vector<uint8_t> key_blob; vector<KeyCharacteristics> key_characteristics; ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder() auto result = GenerateKey(AuthorizationSetBuilder() .Authorization(TAG_NO_AUTH_REQUIRED) .EcdsaSigningKey(curve) .Digest(Digest::NONE) Loading @@ -1611,7 +1625,12 @@ TEST_P(NewKeyGenerationTest, EcdsaAttestation) { .Authorization(TAG_CERTIFICATE_SERIAL, serial_blob) .Authorization(TAG_CERTIFICATE_SUBJECT, subject_der) .SetDefaultValidity(), &key_blob, &key_characteristics)); &key_blob, &key_characteristics); // Strongbox may not support factory provisioned attestation key. if (SecLevel() == SecurityLevel::STRONGBOX) { if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) return; } ASSERT_EQ(ErrorCode::OK, result); ASSERT_GT(key_blob.size(), 0U); CheckBaseParams(key_characteristics); CheckCharacteristics(key_blob, key_characteristics); Loading Loading @@ -1745,6 +1764,10 @@ TEST_P(NewKeyGenerationTest, EcdsaAttestationTags) { // Tag not required to be supported by all KeyMint implementations. continue; } // Strongbox may not support factory provisioned attestation key. if (SecLevel() == SecurityLevel::STRONGBOX) { if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) return; } ASSERT_EQ(result, ErrorCode::OK); ASSERT_GT(key_blob.size(), 0U); Loading Loading @@ -1840,6 +1863,10 @@ TEST_P(NewKeyGenerationTest, EcdsaAttestationIdTags) { AuthorizationSetBuilder builder = base_builder; builder.push_back(tag); auto result = GenerateKey(builder, &key_blob, &key_characteristics); // Strongbox may not support factory provisioned attestation key. if (SecLevel() == SecurityLevel::STRONGBOX) { if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) return; } if (result == ErrorCode::CANNOT_ATTEST_IDS) { // Device ID attestation is optional; KeyMint may not support it at all. continue; Loading Loading @@ -1997,6 +2024,10 @@ TEST_P(NewKeyGenerationTest, EcdsaAttestationTagNoApplicationId) { .Authorization(TAG_CERTIFICATE_SUBJECT, subject_der) .SetDefaultValidity(), &key_blob, &key_characteristics); // Strongbox may not support factory provisioned attestation key. if (SecLevel() == SecurityLevel::STRONGBOX) { if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) return; } ASSERT_EQ(result, ErrorCode::OK); ASSERT_GT(key_blob.size(), 0U); Loading Loading @@ -2076,13 +2107,17 @@ TEST_P(NewKeyGenerationTest, EcdsaAttestationRequireAppId) { vector<uint8_t> key_blob; vector<KeyCharacteristics> key_characteristics; ASSERT_EQ(ErrorCode::ATTESTATION_APPLICATION_ID_MISSING, GenerateKey(AuthorizationSetBuilder() auto result = GenerateKey(AuthorizationSetBuilder() .EcdsaSigningKey(EcCurve::P_256) .Digest(Digest::NONE) .AttestationChallenge(challenge) .SetDefaultValidity(), &key_blob, &key_characteristics)); &key_blob, &key_characteristics); // Strongbox may not support factory provisioned attestation key. if (SecLevel() == SecurityLevel::STRONGBOX) { if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) return; } ASSERT_EQ(ErrorCode::ATTESTATION_APPLICATION_ID_MISSING, result); } /* Loading Loading @@ -2139,14 +2174,19 @@ TEST_P(NewKeyGenerationTest, AttestationApplicationIDLengthProperlyEncoded) { const string app_id(length, 'a'); vector<uint8_t> key_blob; vector<KeyCharacteristics> key_characteristics; ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder() auto result = GenerateKey(AuthorizationSetBuilder() .Authorization(TAG_NO_AUTH_REQUIRED) .EcdsaSigningKey(EcCurve::P_256) .Digest(Digest::NONE) .AttestationChallenge(challenge) .AttestationApplicationId(app_id) .SetDefaultValidity(), &key_blob, &key_characteristics)); &key_blob, &key_characteristics); // Strongbox may not support factory provisioned attestation key. if (SecLevel() == SecurityLevel::STRONGBOX) { if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) return; } ASSERT_EQ(ErrorCode::OK, result); ASSERT_GT(key_blob.size(), 0U); CheckBaseParams(key_characteristics); CheckCharacteristics(key_blob, key_characteristics); Loading Loading @@ -4646,7 +4686,7 @@ typedef KeyMintAidlTestBase EncryptionOperationsTest; * Verifies that raw RSA decryption works. */ TEST_P(EncryptionOperationsTest, RsaNoPaddingSuccess) { for (uint64_t exponent : {3, 65537}) { for (uint64_t exponent : ValidExponents()) { ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder() .Authorization(TAG_NO_AUTH_REQUIRED) .RsaEncryptionKey(2048, exponent) Loading Loading @@ -7209,7 +7249,7 @@ TEST_P(ClearOperationsTest, TooManyOperations) { size_t i; for (i = 0; i < max_operations; i++) { result = Begin(KeyPurpose::ENCRYPT, key_blob_, params, &out_params, op_handles[i]); result = Begin(KeyPurpose::DECRYPT, key_blob_, params, &out_params, op_handles[i]); if (ErrorCode::OK != result) { break; } Loading @@ -7217,12 +7257,12 @@ TEST_P(ClearOperationsTest, TooManyOperations) { EXPECT_EQ(ErrorCode::TOO_MANY_OPERATIONS, result); // Try again just in case there's a weird overflow bug EXPECT_EQ(ErrorCode::TOO_MANY_OPERATIONS, Begin(KeyPurpose::ENCRYPT, key_blob_, params, &out_params)); Begin(KeyPurpose::DECRYPT, key_blob_, params, &out_params)); for (size_t j = 0; j < i; j++) { EXPECT_EQ(ErrorCode::OK, Abort(op_handles[j])) << "Aboort failed for i = " << j << std::endl; } EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::ENCRYPT, key_blob_, params, &out_params)); EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::DECRYPT, key_blob_, params, &out_params)); AbortIfNeeded(); } Loading Loading @@ -7611,15 +7651,24 @@ TEST_P(EarlyBootKeyTest, CreateAttestedEarlyBootKey) { }); for (const auto& keyData : {aesKeyData, hmacKeyData, rsaKeyData, ecdsaKeyData}) { // Strongbox may not support factory attestation. Key creation might fail with // ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED if (SecLevel() == SecurityLevel::STRONGBOX && keyData.blob.size() == 0U) { continue; } ASSERT_GT(keyData.blob.size(), 0U); AuthorizationSet crypto_params = SecLevelAuthorizations(keyData.characteristics); EXPECT_TRUE(crypto_params.Contains(TAG_EARLY_BOOT_ONLY)) << crypto_params; } CheckedDeleteKey(&aesKeyData.blob); CheckedDeleteKey(&hmacKeyData.blob); if (rsaKeyData.blob.size() != 0U) { CheckedDeleteKey(&rsaKeyData.blob); } if (ecdsaKeyData.blob.size() != 0U) { CheckedDeleteKey(&ecdsaKeyData.blob); } } /* * EarlyBootKeyTest.UseEarlyBootKeyFailure Loading Loading
security/keymint/aidl/vts/functional/AttestKeyTest.cpp +76 −61 Original line number Diff line number Diff line Loading @@ -219,8 +219,7 @@ TEST_P(AttestKeyTest, RsaAttestedAttestKeys) { AttestationKey attest_key; vector<KeyCharacteristics> attest_key_characteristics; vector<Certificate> attest_key_cert_chain; ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder() auto result = GenerateKey(AuthorizationSetBuilder() .RsaKey(2048, 65537) .AttestKey() .AttestationChallenge(challenge) Loading @@ -230,7 +229,12 @@ TEST_P(AttestKeyTest, RsaAttestedAttestKeys) { .Authorization(TAG_NO_AUTH_REQUIRED) .SetDefaultValidity(), {} /* attestation signing key */, &attest_key.keyBlob, &attest_key_characteristics, &attest_key_cert_chain)); &attest_key_characteristics, &attest_key_cert_chain); // Strongbox may not support factory provisioned attestation key. if (SecLevel() == SecurityLevel::STRONGBOX) { if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) return; } ASSERT_EQ(ErrorCode::OK, result); EXPECT_GT(attest_key_cert_chain.size(), 1); verify_subject_and_serial(attest_key_cert_chain[0], serial_int, subject, false); Loading Loading @@ -319,8 +323,7 @@ TEST_P(AttestKeyTest, RsaAttestKeyChaining) { attest_key_opt = attest_key; } EXPECT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder() auto result = GenerateKey(AuthorizationSetBuilder() .RsaKey(2048, 65537) .AttestKey() .AttestationChallenge("foo") Loading @@ -330,7 +333,12 @@ TEST_P(AttestKeyTest, RsaAttestKeyChaining) { .Authorization(TAG_CERTIFICATE_SUBJECT, subject_der) .SetDefaultValidity(), attest_key_opt, &key_blob_list[i], &attested_key_characteristics, &cert_chain_list[i])); &cert_chain_list[i]); // Strongbox may not support factory provisioned attestation key. if (SecLevel() == SecurityLevel::STRONGBOX) { if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) return; } ASSERT_EQ(ErrorCode::OK, result); AuthorizationSet hw_enforced = HwEnforcedAuthorizations(attested_key_characteristics); AuthorizationSet sw_enforced = SwEnforcedAuthorizations(attested_key_characteristics); Loading Loading @@ -392,8 +400,7 @@ TEST_P(AttestKeyTest, EcAttestKeyChaining) { attest_key_opt = attest_key; } EXPECT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder() auto result = GenerateKey(AuthorizationSetBuilder() .EcdsaKey(EcCurve::P_256) .AttestKey() .AttestationChallenge("foo") Loading @@ -403,7 +410,12 @@ TEST_P(AttestKeyTest, EcAttestKeyChaining) { .Authorization(TAG_NO_AUTH_REQUIRED) .SetDefaultValidity(), attest_key_opt, &key_blob_list[i], &attested_key_characteristics, &cert_chain_list[i])); &cert_chain_list[i]); // Strongbox may not support factory provisioned attestation key. if (SecLevel() == SecurityLevel::STRONGBOX) { if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) return; } ASSERT_EQ(ErrorCode::OK, result); AuthorizationSet hw_enforced = HwEnforcedAuthorizations(attested_key_characteristics); AuthorizationSet sw_enforced = SwEnforcedAuthorizations(attested_key_characteristics); Loading Loading @@ -484,10 +496,9 @@ TEST_P(AttestKeyTest, AlternateAttestKeyChaining) { attest_key.keyBlob = key_blob_list[i - 1]; attest_key_opt = attest_key; } ErrorCode result; if ((i & 0x1) == 1) { EXPECT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder() result = GenerateKey(AuthorizationSetBuilder() .EcdsaKey(EcCurve::P_256) .AttestKey() .AttestationChallenge("foo") Loading @@ -497,10 +508,9 @@ TEST_P(AttestKeyTest, AlternateAttestKeyChaining) { .Authorization(TAG_NO_AUTH_REQUIRED) .SetDefaultValidity(), attest_key_opt, &key_blob_list[i], &attested_key_characteristics, &cert_chain_list[i])); &cert_chain_list[i]); } else { EXPECT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder() result = GenerateKey(AuthorizationSetBuilder() .RsaKey(2048, 65537) .AttestKey() .AttestationChallenge("foo") Loading @@ -510,8 +520,13 @@ TEST_P(AttestKeyTest, AlternateAttestKeyChaining) { .Authorization(TAG_NO_AUTH_REQUIRED) .SetDefaultValidity(), attest_key_opt, &key_blob_list[i], &attested_key_characteristics, &cert_chain_list[i])); &cert_chain_list[i]); } // Strongbox may not support factory provisioned attestation key. if (SecLevel() == SecurityLevel::STRONGBOX) { if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) return; } ASSERT_EQ(ErrorCode::OK, result); AuthorizationSet hw_enforced = HwEnforcedAuthorizations(attested_key_characteristics); AuthorizationSet sw_enforced = SwEnforcedAuthorizations(attested_key_characteristics); Loading
security/keymint/aidl/vts/functional/KeyMintAidlTestBase.cpp +8 −0 Original line number Diff line number Diff line Loading @@ -1228,6 +1228,14 @@ vector<EcCurve> KeyMintAidlTestBase::InvalidCurves() { } } vector<uint64_t> KeyMintAidlTestBase::ValidExponents() { if (SecLevel() == SecurityLevel::STRONGBOX) { return {65537}; } else { return {3, 65537}; } } vector<Digest> KeyMintAidlTestBase::ValidDigests(bool withNone, bool withMD5) { switch (SecLevel()) { case SecurityLevel::SOFTWARE: Loading
security/keymint/aidl/vts/functional/KeyMintAidlTestBase.h +9 −2 Original line number Diff line number Diff line Loading @@ -253,7 +253,10 @@ class KeyMintAidlTestBase : public ::testing::TestWithParam<string> { .SetDefaultValidity(); tagModifier(&rsaBuilder); errorCode = GenerateKey(rsaBuilder, &rsaKeyData.blob, &rsaKeyData.characteristics); if (!(SecLevel() == SecurityLevel::STRONGBOX && ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED == errorCode)) { EXPECT_EQ(expectedReturn, errorCode); } /* ECDSA */ KeyData ecdsaKeyData; Loading @@ -265,7 +268,10 @@ class KeyMintAidlTestBase : public ::testing::TestWithParam<string> { .SetDefaultValidity(); tagModifier(&ecdsaBuilder); errorCode = GenerateKey(ecdsaBuilder, &ecdsaKeyData.blob, &ecdsaKeyData.characteristics); if (!(SecLevel() == SecurityLevel::STRONGBOX && ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED == errorCode)) { EXPECT_EQ(expectedReturn, errorCode); } return {aesKeyData, hmacKeyData, rsaKeyData, ecdsaKeyData}; } bool IsSecure() const { return securityLevel_ != SecurityLevel::SOFTWARE; } Loading @@ -282,6 +288,7 @@ class KeyMintAidlTestBase : public ::testing::TestWithParam<string> { vector<EcCurve> InvalidCurves(); vector<Digest> ValidDigests(bool withNone, bool withMD5); vector<uint64_t> ValidExponents(); static vector<string> build_params() { auto params = ::android::getAidlHalInstanceNames(IKeyMintDevice::descriptor); Loading
security/keymint/aidl/vts/functional/KeyMintTest.cpp +126 −77 Original line number Diff line number Diff line Loading @@ -1036,8 +1036,7 @@ TEST_P(NewKeyGenerationTest, RsaWithAttestation) { for (auto key_size : ValidKeySizes(Algorithm::RSA)) { vector<uint8_t> key_blob; vector<KeyCharacteristics> key_characteristics; ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder() auto result = GenerateKey(AuthorizationSetBuilder() .RsaSigningKey(key_size, 65537) .Digest(Digest::NONE) .Padding(PaddingMode::NONE) Loading @@ -1047,7 +1046,11 @@ TEST_P(NewKeyGenerationTest, RsaWithAttestation) { .Authorization(TAG_CERTIFICATE_SERIAL, serial_blob) .Authorization(TAG_CERTIFICATE_SUBJECT, subject_der) .SetDefaultValidity(), &key_blob, &key_characteristics)); &key_blob, &key_characteristics); // Strongbox may not support factory provisioned attestation key. if (SecLevel() == SecurityLevel::STRONGBOX) { if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) return; } ASSERT_GT(key_blob.size(), 0U); CheckBaseParams(key_characteristics); Loading Loading @@ -1169,8 +1172,7 @@ TEST_P(NewKeyGenerationTest, RsaEncryptionWithAttestation) { vector<uint8_t> key_blob; vector<KeyCharacteristics> key_characteristics; ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder() auto result = GenerateKey(AuthorizationSetBuilder() .RsaEncryptionKey(key_size, 65537) .Padding(PaddingMode::NONE) .AttestationChallenge(challenge) Loading @@ -1179,7 +1181,12 @@ TEST_P(NewKeyGenerationTest, RsaEncryptionWithAttestation) { .Authorization(TAG_CERTIFICATE_SERIAL, serial_blob) .Authorization(TAG_CERTIFICATE_SUBJECT, subject_der) .SetDefaultValidity(), &key_blob, &key_characteristics)); &key_blob, &key_characteristics); // Strongbox may not support factory provisioned attestation key. if (SecLevel() == SecurityLevel::STRONGBOX) { if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) return; } ASSERT_EQ(ErrorCode::OK, result); ASSERT_GT(key_blob.size(), 0U); AuthorizationSet auths; Loading Loading @@ -1281,15 +1288,19 @@ TEST_P(NewKeyGenerationTest, RsaWithAttestationMissAppId) { vector<uint8_t> key_blob; vector<KeyCharacteristics> key_characteristics; ASSERT_EQ(ErrorCode::ATTESTATION_APPLICATION_ID_MISSING, GenerateKey(AuthorizationSetBuilder() auto result = GenerateKey(AuthorizationSetBuilder() .RsaSigningKey(2048, 65537) .Digest(Digest::NONE) .Padding(PaddingMode::NONE) .AttestationChallenge(challenge) .Authorization(TAG_NO_AUTH_REQUIRED) .SetDefaultValidity(), &key_blob, &key_characteristics)); &key_blob, &key_characteristics); // Strongbox may not support factory provisioned attestation key. if (SecLevel() == SecurityLevel::STRONGBOX) { if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) return; } ASSERT_EQ(ErrorCode::ATTESTATION_APPLICATION_ID_MISSING, result); } /* Loading Loading @@ -1399,8 +1410,7 @@ TEST_P(NewKeyGenerationTest, LimitedUsageRsaWithAttestation) { for (auto key_size : ValidKeySizes(Algorithm::RSA)) { vector<uint8_t> key_blob; vector<KeyCharacteristics> key_characteristics; ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder() auto result = GenerateKey(AuthorizationSetBuilder() .RsaSigningKey(key_size, 65537) .Digest(Digest::NONE) .Padding(PaddingMode::NONE) Loading @@ -1411,7 +1421,12 @@ TEST_P(NewKeyGenerationTest, LimitedUsageRsaWithAttestation) { .Authorization(TAG_CERTIFICATE_SERIAL, serial_blob) .Authorization(TAG_CERTIFICATE_SUBJECT, subject_der) .SetDefaultValidity(), &key_blob, &key_characteristics)); &key_blob, &key_characteristics); // Strongbox may not support factory provisioned attestation key. if (SecLevel() == SecurityLevel::STRONGBOX) { if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) return; } ASSERT_EQ(ErrorCode::OK, result); ASSERT_GT(key_blob.size(), 0U); CheckBaseParams(key_characteristics); Loading Loading @@ -1601,8 +1616,7 @@ TEST_P(NewKeyGenerationTest, EcdsaAttestation) { for (auto curve : ValidCurves()) { vector<uint8_t> key_blob; vector<KeyCharacteristics> key_characteristics; ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder() auto result = GenerateKey(AuthorizationSetBuilder() .Authorization(TAG_NO_AUTH_REQUIRED) .EcdsaSigningKey(curve) .Digest(Digest::NONE) Loading @@ -1611,7 +1625,12 @@ TEST_P(NewKeyGenerationTest, EcdsaAttestation) { .Authorization(TAG_CERTIFICATE_SERIAL, serial_blob) .Authorization(TAG_CERTIFICATE_SUBJECT, subject_der) .SetDefaultValidity(), &key_blob, &key_characteristics)); &key_blob, &key_characteristics); // Strongbox may not support factory provisioned attestation key. if (SecLevel() == SecurityLevel::STRONGBOX) { if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) return; } ASSERT_EQ(ErrorCode::OK, result); ASSERT_GT(key_blob.size(), 0U); CheckBaseParams(key_characteristics); CheckCharacteristics(key_blob, key_characteristics); Loading Loading @@ -1745,6 +1764,10 @@ TEST_P(NewKeyGenerationTest, EcdsaAttestationTags) { // Tag not required to be supported by all KeyMint implementations. continue; } // Strongbox may not support factory provisioned attestation key. if (SecLevel() == SecurityLevel::STRONGBOX) { if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) return; } ASSERT_EQ(result, ErrorCode::OK); ASSERT_GT(key_blob.size(), 0U); Loading Loading @@ -1840,6 +1863,10 @@ TEST_P(NewKeyGenerationTest, EcdsaAttestationIdTags) { AuthorizationSetBuilder builder = base_builder; builder.push_back(tag); auto result = GenerateKey(builder, &key_blob, &key_characteristics); // Strongbox may not support factory provisioned attestation key. if (SecLevel() == SecurityLevel::STRONGBOX) { if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) return; } if (result == ErrorCode::CANNOT_ATTEST_IDS) { // Device ID attestation is optional; KeyMint may not support it at all. continue; Loading Loading @@ -1997,6 +2024,10 @@ TEST_P(NewKeyGenerationTest, EcdsaAttestationTagNoApplicationId) { .Authorization(TAG_CERTIFICATE_SUBJECT, subject_der) .SetDefaultValidity(), &key_blob, &key_characteristics); // Strongbox may not support factory provisioned attestation key. if (SecLevel() == SecurityLevel::STRONGBOX) { if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) return; } ASSERT_EQ(result, ErrorCode::OK); ASSERT_GT(key_blob.size(), 0U); Loading Loading @@ -2076,13 +2107,17 @@ TEST_P(NewKeyGenerationTest, EcdsaAttestationRequireAppId) { vector<uint8_t> key_blob; vector<KeyCharacteristics> key_characteristics; ASSERT_EQ(ErrorCode::ATTESTATION_APPLICATION_ID_MISSING, GenerateKey(AuthorizationSetBuilder() auto result = GenerateKey(AuthorizationSetBuilder() .EcdsaSigningKey(EcCurve::P_256) .Digest(Digest::NONE) .AttestationChallenge(challenge) .SetDefaultValidity(), &key_blob, &key_characteristics)); &key_blob, &key_characteristics); // Strongbox may not support factory provisioned attestation key. if (SecLevel() == SecurityLevel::STRONGBOX) { if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) return; } ASSERT_EQ(ErrorCode::ATTESTATION_APPLICATION_ID_MISSING, result); } /* Loading Loading @@ -2139,14 +2174,19 @@ TEST_P(NewKeyGenerationTest, AttestationApplicationIDLengthProperlyEncoded) { const string app_id(length, 'a'); vector<uint8_t> key_blob; vector<KeyCharacteristics> key_characteristics; ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder() auto result = GenerateKey(AuthorizationSetBuilder() .Authorization(TAG_NO_AUTH_REQUIRED) .EcdsaSigningKey(EcCurve::P_256) .Digest(Digest::NONE) .AttestationChallenge(challenge) .AttestationApplicationId(app_id) .SetDefaultValidity(), &key_blob, &key_characteristics)); &key_blob, &key_characteristics); // Strongbox may not support factory provisioned attestation key. if (SecLevel() == SecurityLevel::STRONGBOX) { if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) return; } ASSERT_EQ(ErrorCode::OK, result); ASSERT_GT(key_blob.size(), 0U); CheckBaseParams(key_characteristics); CheckCharacteristics(key_blob, key_characteristics); Loading Loading @@ -4646,7 +4686,7 @@ typedef KeyMintAidlTestBase EncryptionOperationsTest; * Verifies that raw RSA decryption works. */ TEST_P(EncryptionOperationsTest, RsaNoPaddingSuccess) { for (uint64_t exponent : {3, 65537}) { for (uint64_t exponent : ValidExponents()) { ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder() .Authorization(TAG_NO_AUTH_REQUIRED) .RsaEncryptionKey(2048, exponent) Loading Loading @@ -7209,7 +7249,7 @@ TEST_P(ClearOperationsTest, TooManyOperations) { size_t i; for (i = 0; i < max_operations; i++) { result = Begin(KeyPurpose::ENCRYPT, key_blob_, params, &out_params, op_handles[i]); result = Begin(KeyPurpose::DECRYPT, key_blob_, params, &out_params, op_handles[i]); if (ErrorCode::OK != result) { break; } Loading @@ -7217,12 +7257,12 @@ TEST_P(ClearOperationsTest, TooManyOperations) { EXPECT_EQ(ErrorCode::TOO_MANY_OPERATIONS, result); // Try again just in case there's a weird overflow bug EXPECT_EQ(ErrorCode::TOO_MANY_OPERATIONS, Begin(KeyPurpose::ENCRYPT, key_blob_, params, &out_params)); Begin(KeyPurpose::DECRYPT, key_blob_, params, &out_params)); for (size_t j = 0; j < i; j++) { EXPECT_EQ(ErrorCode::OK, Abort(op_handles[j])) << "Aboort failed for i = " << j << std::endl; } EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::ENCRYPT, key_blob_, params, &out_params)); EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::DECRYPT, key_blob_, params, &out_params)); AbortIfNeeded(); } Loading Loading @@ -7611,15 +7651,24 @@ TEST_P(EarlyBootKeyTest, CreateAttestedEarlyBootKey) { }); for (const auto& keyData : {aesKeyData, hmacKeyData, rsaKeyData, ecdsaKeyData}) { // Strongbox may not support factory attestation. Key creation might fail with // ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED if (SecLevel() == SecurityLevel::STRONGBOX && keyData.blob.size() == 0U) { continue; } ASSERT_GT(keyData.blob.size(), 0U); AuthorizationSet crypto_params = SecLevelAuthorizations(keyData.characteristics); EXPECT_TRUE(crypto_params.Contains(TAG_EARLY_BOOT_ONLY)) << crypto_params; } CheckedDeleteKey(&aesKeyData.blob); CheckedDeleteKey(&hmacKeyData.blob); if (rsaKeyData.blob.size() != 0U) { CheckedDeleteKey(&rsaKeyData.blob); } if (ecdsaKeyData.blob.size() != 0U) { CheckedDeleteKey(&ecdsaKeyData.blob); } } /* * EarlyBootKeyTest.UseEarlyBootKeyFailure Loading
