Merge "Fixed vts tests cases which do not support factory attestation. Test:... (0f7d4191) · Commits · e / os / android_hardware_interfaces

security/keymint/aidl/vts/functional/AttestKeyTest.cpp

+76 −61

Original line number	Diff line number	Diff line
		@@ -219,8 +219,7 @@ TEST_P(AttestKeyTest, RsaAttestedAttestKeys) {
		AttestationKey attest_key;
		vector<KeyCharacteristics> attest_key_characteristics;
		vector<Certificate> attest_key_cert_chain;
		ASSERT_EQ(ErrorCode::OK,
		GenerateKey(AuthorizationSetBuilder()
		auto result = GenerateKey(AuthorizationSetBuilder()
		.RsaKey(2048, 65537)
		.AttestKey()
		.AttestationChallenge(challenge)
		@@ -230,7 +229,12 @@ TEST_P(AttestKeyTest, RsaAttestedAttestKeys) {
		.Authorization(TAG_NO_AUTH_REQUIRED)
		.SetDefaultValidity(),
		{} /* attestation signing key */, &attest_key.keyBlob,
		&attest_key_characteristics, &attest_key_cert_chain));
		&attest_key_characteristics, &attest_key_cert_chain);
		// Strongbox may not support factory provisioned attestation key.
		if (SecLevel() == SecurityLevel::STRONGBOX) {
		if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) return;
		}
		ASSERT_EQ(ErrorCode::OK, result);

		EXPECT_GT(attest_key_cert_chain.size(), 1);
		verify_subject_and_serial(attest_key_cert_chain[0], serial_int, subject, false);
		@@ -319,8 +323,7 @@ TEST_P(AttestKeyTest, RsaAttestKeyChaining) {
		attest_key_opt = attest_key;
		}

		EXPECT_EQ(ErrorCode::OK,
		GenerateKey(AuthorizationSetBuilder()
		auto result = GenerateKey(AuthorizationSetBuilder()
		.RsaKey(2048, 65537)
		.AttestKey()
		.AttestationChallenge("foo")
		@@ -330,7 +333,12 @@ TEST_P(AttestKeyTest, RsaAttestKeyChaining) {
		.Authorization(TAG_CERTIFICATE_SUBJECT, subject_der)
		.SetDefaultValidity(),
		attest_key_opt, &key_blob_list[i], &attested_key_characteristics,
		&cert_chain_list[i]));
		&cert_chain_list[i]);
		// Strongbox may not support factory provisioned attestation key.
		if (SecLevel() == SecurityLevel::STRONGBOX) {
		if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) return;
		}
		ASSERT_EQ(ErrorCode::OK, result);

		AuthorizationSet hw_enforced = HwEnforcedAuthorizations(attested_key_characteristics);
		AuthorizationSet sw_enforced = SwEnforcedAuthorizations(attested_key_characteristics);
		@@ -392,8 +400,7 @@ TEST_P(AttestKeyTest, EcAttestKeyChaining) {
		attest_key_opt = attest_key;
		}

		EXPECT_EQ(ErrorCode::OK,
		GenerateKey(AuthorizationSetBuilder()
		auto result = GenerateKey(AuthorizationSetBuilder()
		.EcdsaKey(EcCurve::P_256)
		.AttestKey()
		.AttestationChallenge("foo")
		@@ -403,7 +410,12 @@ TEST_P(AttestKeyTest, EcAttestKeyChaining) {
		.Authorization(TAG_NO_AUTH_REQUIRED)
		.SetDefaultValidity(),
		attest_key_opt, &key_blob_list[i], &attested_key_characteristics,
		&cert_chain_list[i]));
		&cert_chain_list[i]);
		// Strongbox may not support factory provisioned attestation key.
		if (SecLevel() == SecurityLevel::STRONGBOX) {
		if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) return;
		}
		ASSERT_EQ(ErrorCode::OK, result);

		AuthorizationSet hw_enforced = HwEnforcedAuthorizations(attested_key_characteristics);
		AuthorizationSet sw_enforced = SwEnforcedAuthorizations(attested_key_characteristics);
		@@ -484,10 +496,9 @@ TEST_P(AttestKeyTest, AlternateAttestKeyChaining) {
		attest_key.keyBlob = key_blob_list[i - 1];
		attest_key_opt = attest_key;
		}

		ErrorCode result;
		if ((i & 0x1) == 1) {
		EXPECT_EQ(ErrorCode::OK,
		GenerateKey(AuthorizationSetBuilder()
		result = GenerateKey(AuthorizationSetBuilder()
		.EcdsaKey(EcCurve::P_256)
		.AttestKey()
		.AttestationChallenge("foo")
		@@ -497,10 +508,9 @@ TEST_P(AttestKeyTest, AlternateAttestKeyChaining) {
		.Authorization(TAG_NO_AUTH_REQUIRED)
		.SetDefaultValidity(),
		attest_key_opt, &key_blob_list[i], &attested_key_characteristics,
		&cert_chain_list[i]));
		&cert_chain_list[i]);
		} else {
		EXPECT_EQ(ErrorCode::OK,
		GenerateKey(AuthorizationSetBuilder()
		result = GenerateKey(AuthorizationSetBuilder()
		.RsaKey(2048, 65537)
		.AttestKey()
		.AttestationChallenge("foo")
		@@ -510,8 +520,13 @@ TEST_P(AttestKeyTest, AlternateAttestKeyChaining) {
		.Authorization(TAG_NO_AUTH_REQUIRED)
		.SetDefaultValidity(),
		attest_key_opt, &key_blob_list[i], &attested_key_characteristics,
		&cert_chain_list[i]));
		&cert_chain_list[i]);
		}
		// Strongbox may not support factory provisioned attestation key.
		if (SecLevel() == SecurityLevel::STRONGBOX) {
		if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) return;
		}
		ASSERT_EQ(ErrorCode::OK, result);

		AuthorizationSet hw_enforced = HwEnforcedAuthorizations(attested_key_characteristics);
		AuthorizationSet sw_enforced = SwEnforcedAuthorizations(attested_key_characteristics);

security/keymint/aidl/vts/functional/KeyMintAidlTestBase.cpp

+8 −0

Original line number	Diff line number	Diff line
		@@ -1228,6 +1228,14 @@ vector<EcCurve> KeyMintAidlTestBase::InvalidCurves() {
		}
		}

		vector<uint64_t> KeyMintAidlTestBase::ValidExponents() {
		if (SecLevel() == SecurityLevel::STRONGBOX) {
		return {65537};
		} else {
		return {3, 65537};
		}
		}

		vector<Digest> KeyMintAidlTestBase::ValidDigests(bool withNone, bool withMD5) {
		switch (SecLevel()) {
		case SecurityLevel::SOFTWARE:

security/keymint/aidl/vts/functional/KeyMintAidlTestBase.h

+9 −2

Original line number	Diff line number	Diff line
		@@ -253,7 +253,10 @@ class KeyMintAidlTestBase : public ::testing::TestWithParam<string> {
		.SetDefaultValidity();
		tagModifier(&rsaBuilder);
		errorCode = GenerateKey(rsaBuilder, &rsaKeyData.blob, &rsaKeyData.characteristics);
		if (!(SecLevel() == SecurityLevel::STRONGBOX &&
		ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED == errorCode)) {
		EXPECT_EQ(expectedReturn, errorCode);
		}

		/* ECDSA */
		KeyData ecdsaKeyData;
		@@ -265,7 +268,10 @@ class KeyMintAidlTestBase : public ::testing::TestWithParam<string> {
		.SetDefaultValidity();
		tagModifier(&ecdsaBuilder);
		errorCode = GenerateKey(ecdsaBuilder, &ecdsaKeyData.blob, &ecdsaKeyData.characteristics);
		if (!(SecLevel() == SecurityLevel::STRONGBOX &&
		ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED == errorCode)) {
		EXPECT_EQ(expectedReturn, errorCode);
		}
		return {aesKeyData, hmacKeyData, rsaKeyData, ecdsaKeyData};
		}
		bool IsSecure() const { return securityLevel_ != SecurityLevel::SOFTWARE; }
		@@ -282,6 +288,7 @@ class KeyMintAidlTestBase : public ::testing::TestWithParam<string> {
		vector<EcCurve> InvalidCurves();

		vector<Digest> ValidDigests(bool withNone, bool withMD5);
		vector<uint64_t> ValidExponents();

		static vector<string> build_params() {
		auto params = ::android::getAidlHalInstanceNames(IKeyMintDevice::descriptor);

security/keymint/aidl/vts/functional/KeyMintTest.cpp

+126 −77

Original line number	Diff line number	Diff line
		@@ -1036,8 +1036,7 @@ TEST_P(NewKeyGenerationTest, RsaWithAttestation) {
		for (auto key_size : ValidKeySizes(Algorithm::RSA)) {
		vector<uint8_t> key_blob;
		vector<KeyCharacteristics> key_characteristics;
		ASSERT_EQ(ErrorCode::OK,
		GenerateKey(AuthorizationSetBuilder()
		auto result = GenerateKey(AuthorizationSetBuilder()
		.RsaSigningKey(key_size, 65537)
		.Digest(Digest::NONE)
		.Padding(PaddingMode::NONE)
		@@ -1047,7 +1046,11 @@ TEST_P(NewKeyGenerationTest, RsaWithAttestation) {
		.Authorization(TAG_CERTIFICATE_SERIAL, serial_blob)
		.Authorization(TAG_CERTIFICATE_SUBJECT, subject_der)
		.SetDefaultValidity(),
		&key_blob, &key_characteristics));
		&key_blob, &key_characteristics);
		// Strongbox may not support factory provisioned attestation key.
		if (SecLevel() == SecurityLevel::STRONGBOX) {
		if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) return;
		}

		ASSERT_GT(key_blob.size(), 0U);
		CheckBaseParams(key_characteristics);
		@@ -1169,8 +1172,7 @@ TEST_P(NewKeyGenerationTest, RsaEncryptionWithAttestation) {

		vector<uint8_t> key_blob;
		vector<KeyCharacteristics> key_characteristics;
		ASSERT_EQ(ErrorCode::OK,
		GenerateKey(AuthorizationSetBuilder()
		auto result = GenerateKey(AuthorizationSetBuilder()
		.RsaEncryptionKey(key_size, 65537)
		.Padding(PaddingMode::NONE)
		.AttestationChallenge(challenge)
		@@ -1179,7 +1181,12 @@ TEST_P(NewKeyGenerationTest, RsaEncryptionWithAttestation) {
		.Authorization(TAG_CERTIFICATE_SERIAL, serial_blob)
		.Authorization(TAG_CERTIFICATE_SUBJECT, subject_der)
		.SetDefaultValidity(),
		&key_blob, &key_characteristics));
		&key_blob, &key_characteristics);
		// Strongbox may not support factory provisioned attestation key.
		if (SecLevel() == SecurityLevel::STRONGBOX) {
		if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) return;
		}
		ASSERT_EQ(ErrorCode::OK, result);

		ASSERT_GT(key_blob.size(), 0U);
		AuthorizationSet auths;
		@@ -1281,15 +1288,19 @@ TEST_P(NewKeyGenerationTest, RsaWithAttestationMissAppId) {
		vector<uint8_t> key_blob;
		vector<KeyCharacteristics> key_characteristics;

		ASSERT_EQ(ErrorCode::ATTESTATION_APPLICATION_ID_MISSING,
		GenerateKey(AuthorizationSetBuilder()
		auto result = GenerateKey(AuthorizationSetBuilder()
		.RsaSigningKey(2048, 65537)
		.Digest(Digest::NONE)
		.Padding(PaddingMode::NONE)
		.AttestationChallenge(challenge)
		.Authorization(TAG_NO_AUTH_REQUIRED)
		.SetDefaultValidity(),
		&key_blob, &key_characteristics));
		&key_blob, &key_characteristics);
		// Strongbox may not support factory provisioned attestation key.
		if (SecLevel() == SecurityLevel::STRONGBOX) {
		if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) return;
		}
		ASSERT_EQ(ErrorCode::ATTESTATION_APPLICATION_ID_MISSING, result);
		}

		/*
		@@ -1399,8 +1410,7 @@ TEST_P(NewKeyGenerationTest, LimitedUsageRsaWithAttestation) {
		for (auto key_size : ValidKeySizes(Algorithm::RSA)) {
		vector<uint8_t> key_blob;
		vector<KeyCharacteristics> key_characteristics;
		ASSERT_EQ(ErrorCode::OK,
		GenerateKey(AuthorizationSetBuilder()
		auto result = GenerateKey(AuthorizationSetBuilder()
		.RsaSigningKey(key_size, 65537)
		.Digest(Digest::NONE)
		.Padding(PaddingMode::NONE)
		@@ -1411,7 +1421,12 @@ TEST_P(NewKeyGenerationTest, LimitedUsageRsaWithAttestation) {
		.Authorization(TAG_CERTIFICATE_SERIAL, serial_blob)
		.Authorization(TAG_CERTIFICATE_SUBJECT, subject_der)
		.SetDefaultValidity(),
		&key_blob, &key_characteristics));
		&key_blob, &key_characteristics);
		// Strongbox may not support factory provisioned attestation key.
		if (SecLevel() == SecurityLevel::STRONGBOX) {
		if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) return;
		}
		ASSERT_EQ(ErrorCode::OK, result);

		ASSERT_GT(key_blob.size(), 0U);
		CheckBaseParams(key_characteristics);
		@@ -1601,8 +1616,7 @@ TEST_P(NewKeyGenerationTest, EcdsaAttestation) {
		for (auto curve : ValidCurves()) {
		vector<uint8_t> key_blob;
		vector<KeyCharacteristics> key_characteristics;
		ASSERT_EQ(ErrorCode::OK,
		GenerateKey(AuthorizationSetBuilder()
		auto result = GenerateKey(AuthorizationSetBuilder()
		.Authorization(TAG_NO_AUTH_REQUIRED)
		.EcdsaSigningKey(curve)
		.Digest(Digest::NONE)
		@@ -1611,7 +1625,12 @@ TEST_P(NewKeyGenerationTest, EcdsaAttestation) {
		.Authorization(TAG_CERTIFICATE_SERIAL, serial_blob)
		.Authorization(TAG_CERTIFICATE_SUBJECT, subject_der)
		.SetDefaultValidity(),
		&key_blob, &key_characteristics));
		&key_blob, &key_characteristics);
		// Strongbox may not support factory provisioned attestation key.
		if (SecLevel() == SecurityLevel::STRONGBOX) {
		if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) return;
		}
		ASSERT_EQ(ErrorCode::OK, result);
		ASSERT_GT(key_blob.size(), 0U);
		CheckBaseParams(key_characteristics);
		CheckCharacteristics(key_blob, key_characteristics);
		@@ -1745,6 +1764,10 @@ TEST_P(NewKeyGenerationTest, EcdsaAttestationTags) {
		// Tag not required to be supported by all KeyMint implementations.
		continue;
		}
		// Strongbox may not support factory provisioned attestation key.
		if (SecLevel() == SecurityLevel::STRONGBOX) {
		if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) return;
		}
		ASSERT_EQ(result, ErrorCode::OK);
		ASSERT_GT(key_blob.size(), 0U);

		@@ -1840,6 +1863,10 @@ TEST_P(NewKeyGenerationTest, EcdsaAttestationIdTags) {
		AuthorizationSetBuilder builder = base_builder;
		builder.push_back(tag);
		auto result = GenerateKey(builder, &key_blob, &key_characteristics);
		// Strongbox may not support factory provisioned attestation key.
		if (SecLevel() == SecurityLevel::STRONGBOX) {
		if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) return;
		}
		if (result == ErrorCode::CANNOT_ATTEST_IDS) {
		// Device ID attestation is optional; KeyMint may not support it at all.
		continue;
		@@ -1997,6 +2024,10 @@ TEST_P(NewKeyGenerationTest, EcdsaAttestationTagNoApplicationId) {
		.Authorization(TAG_CERTIFICATE_SUBJECT, subject_der)
		.SetDefaultValidity(),
		&key_blob, &key_characteristics);
		// Strongbox may not support factory provisioned attestation key.
		if (SecLevel() == SecurityLevel::STRONGBOX) {
		if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) return;
		}
		ASSERT_EQ(result, ErrorCode::OK);
		ASSERT_GT(key_blob.size(), 0U);

		@@ -2076,13 +2107,17 @@ TEST_P(NewKeyGenerationTest, EcdsaAttestationRequireAppId) {
		vector<uint8_t> key_blob;
		vector<KeyCharacteristics> key_characteristics;

		ASSERT_EQ(ErrorCode::ATTESTATION_APPLICATION_ID_MISSING,
		GenerateKey(AuthorizationSetBuilder()
		auto result = GenerateKey(AuthorizationSetBuilder()
		.EcdsaSigningKey(EcCurve::P_256)
		.Digest(Digest::NONE)
		.AttestationChallenge(challenge)
		.SetDefaultValidity(),
		&key_blob, &key_characteristics));
		&key_blob, &key_characteristics);
		// Strongbox may not support factory provisioned attestation key.
		if (SecLevel() == SecurityLevel::STRONGBOX) {
		if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) return;
		}
		ASSERT_EQ(ErrorCode::ATTESTATION_APPLICATION_ID_MISSING, result);
		}

		/*
		@@ -2139,14 +2174,19 @@ TEST_P(NewKeyGenerationTest, AttestationApplicationIDLengthProperlyEncoded) {
		const string app_id(length, 'a');
		vector<uint8_t> key_blob;
		vector<KeyCharacteristics> key_characteristics;
		ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
		auto result = GenerateKey(AuthorizationSetBuilder()
		.Authorization(TAG_NO_AUTH_REQUIRED)
		.EcdsaSigningKey(EcCurve::P_256)
		.Digest(Digest::NONE)
		.AttestationChallenge(challenge)
		.AttestationApplicationId(app_id)
		.SetDefaultValidity(),
		&key_blob, &key_characteristics));
		&key_blob, &key_characteristics);
		// Strongbox may not support factory provisioned attestation key.
		if (SecLevel() == SecurityLevel::STRONGBOX) {
		if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) return;
		}
		ASSERT_EQ(ErrorCode::OK, result);
		ASSERT_GT(key_blob.size(), 0U);
		CheckBaseParams(key_characteristics);
		CheckCharacteristics(key_blob, key_characteristics);
		@@ -4646,7 +4686,7 @@ typedef KeyMintAidlTestBase EncryptionOperationsTest;
		* Verifies that raw RSA decryption works.
		*/
		TEST_P(EncryptionOperationsTest, RsaNoPaddingSuccess) {
		for (uint64_t exponent : {3, 65537}) {
		for (uint64_t exponent : ValidExponents()) {
		ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
		.Authorization(TAG_NO_AUTH_REQUIRED)
		.RsaEncryptionKey(2048, exponent)
		@@ -7209,7 +7249,7 @@ TEST_P(ClearOperationsTest, TooManyOperations) {
		size_t i;

		for (i = 0; i < max_operations; i++) {
		result = Begin(KeyPurpose::ENCRYPT, key_blob_, params, &out_params, op_handles[i]);
		result = Begin(KeyPurpose::DECRYPT, key_blob_, params, &out_params, op_handles[i]);
		if (ErrorCode::OK != result) {
		break;
		}
		@@ -7217,12 +7257,12 @@ TEST_P(ClearOperationsTest, TooManyOperations) {
		EXPECT_EQ(ErrorCode::TOO_MANY_OPERATIONS, result);
		// Try again just in case there's a weird overflow bug
		EXPECT_EQ(ErrorCode::TOO_MANY_OPERATIONS,
		Begin(KeyPurpose::ENCRYPT, key_blob_, params, &out_params));
		Begin(KeyPurpose::DECRYPT, key_blob_, params, &out_params));
		for (size_t j = 0; j < i; j++) {
		EXPECT_EQ(ErrorCode::OK, Abort(op_handles[j]))
		<< "Aboort failed for i = " << j << std::endl;
		}
		EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::ENCRYPT, key_blob_, params, &out_params));
		EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::DECRYPT, key_blob_, params, &out_params));
		AbortIfNeeded();
		}

		@@ -7611,15 +7651,24 @@ TEST_P(EarlyBootKeyTest, CreateAttestedEarlyBootKey) {
		});

		for (const auto& keyData : {aesKeyData, hmacKeyData, rsaKeyData, ecdsaKeyData}) {
		// Strongbox may not support factory attestation. Key creation might fail with
		// ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED
		if (SecLevel() == SecurityLevel::STRONGBOX && keyData.blob.size() == 0U) {
		continue;
		}
		ASSERT_GT(keyData.blob.size(), 0U);
		AuthorizationSet crypto_params = SecLevelAuthorizations(keyData.characteristics);
		EXPECT_TRUE(crypto_params.Contains(TAG_EARLY_BOOT_ONLY)) << crypto_params;
		}
		CheckedDeleteKey(&aesKeyData.blob);
		CheckedDeleteKey(&hmacKeyData.blob);
		if (rsaKeyData.blob.size() != 0U) {
		CheckedDeleteKey(&rsaKeyData.blob);
		}
		if (ecdsaKeyData.blob.size() != 0U) {
		CheckedDeleteKey(&ecdsaKeyData.blob);
		}
		}

		/*
		* EarlyBootKeyTest.UseEarlyBootKeyFailure