
Commit 140062e6 authored by Treehugger Robot's avatar Treehugger Robot Committed by Automerger Merge Worker

Merge "KeyMint: Test generation of asymmetric keys fails with missing...

Merge "KeyMint: Test generation of asymmetric keys fails with missing parameters" am: 72358dab am: 9a7ab7c6

Original change: https://android-review.googlesource.com/c/platform/hardware/interfaces/+/1895034

Change-Id: Ia2fea157f4e7ba678aa101518d803fc2b45832d8
parents 747d2520 9a7ab7c6
+6 −0
@@ -80,6 +80,7 @@ TEST_P(DeviceUniqueAttestationTest, RsaNonStrongBoxUnimplemented) {
                                      .Padding(PaddingMode::RSA_PKCS1_1_5_SIGN)
                                      .Authorization(TAG_INCLUDE_UNIQUE_ID)
                                      .Authorization(TAG_CREATION_DATETIME, 1619621648000)
                                      .SetDefaultValidity()
                                      .AttestationChallenge("challenge")
                                      .AttestationApplicationId("foo")
                                      .Authorization(TAG_DEVICE_UNIQUE_ATTESTATION),
@@ -109,6 +110,7 @@ TEST_P(DeviceUniqueAttestationTest, EcdsaNonStrongBoxUnimplemented) {
                                      .Digest(Digest::SHA_2_256)
                                      .Authorization(TAG_INCLUDE_UNIQUE_ID)
                                      .Authorization(TAG_CREATION_DATETIME, 1619621648000)
                                      .SetDefaultValidity()
                                      .AttestationChallenge("challenge")
                                      .AttestationApplicationId("foo")
                                      .Authorization(TAG_DEVICE_UNIQUE_ATTESTATION),
@@ -139,6 +141,7 @@ TEST_P(DeviceUniqueAttestationTest, RsaDeviceUniqueAttestation) {
                                      .Padding(PaddingMode::RSA_PKCS1_1_5_SIGN)
                                      .Authorization(TAG_INCLUDE_UNIQUE_ID)
                                      .Authorization(TAG_CREATION_DATETIME, 1619621648000)
                                      .SetDefaultValidity()
                                      .AttestationChallenge("challenge")
                                      .AttestationApplicationId("foo")
                                      .Authorization(TAG_DEVICE_UNIQUE_ATTESTATION),
@@ -197,6 +200,7 @@ TEST_P(DeviceUniqueAttestationTest, EcdsaDeviceUniqueAttestation) {
                                      .Digest(Digest::SHA_2_256)
                                      .Authorization(TAG_INCLUDE_UNIQUE_ID)
                                      .Authorization(TAG_CREATION_DATETIME, 1619621648000)
                                      .SetDefaultValidity()
                                      .AttestationChallenge("challenge")
                                      .AttestationApplicationId("foo")
                                      .Authorization(TAG_DEVICE_UNIQUE_ATTESTATION),
@@ -264,6 +268,7 @@ TEST_P(DeviceUniqueAttestationTest, EcdsaDeviceUniqueAttestationID) {
                        .Digest(Digest::SHA_2_256)
                        .Authorization(TAG_INCLUDE_UNIQUE_ID)
                        .Authorization(TAG_CREATION_DATETIME, 1619621648000)
                        .SetDefaultValidity()
                        .AttestationChallenge("challenge")
                        .AttestationApplicationId("foo")
                        .Authorization(TAG_DEVICE_UNIQUE_ATTESTATION);
@@ -336,6 +341,7 @@ TEST_P(DeviceUniqueAttestationTest, EcdsaDeviceUniqueAttestationMismatchID) {
                        .Digest(Digest::SHA_2_256)
                        .Authorization(TAG_INCLUDE_UNIQUE_ID)
                        .Authorization(TAG_CREATION_DATETIME, 1619621648000)
                        .SetDefaultValidity()
                        .AttestationChallenge("challenge")
                        .AttestationApplicationId("foo")
                        .Authorization(TAG_DEVICE_UNIQUE_ATTESTATION);
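Review bot: The same builder call is added by hand to six near-identical AuthorizationSetBuilder chains, which is how a newly required parameter ends up missing from one test later; this assumes `.SetDefaultValidity()` is the added line in each hunk, since the +/- markers did not survive on this page. A small file-local helper returning the shared part of the chain (unique-ID tag, creation time, validity, challenge, application ID, device-unique attestation tag) would leave only key type, digest and padding in each test. Every test body starts and ends outside its hunk, so whether the chains differ elsewhere is not visible here.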
+60 −0
@@ -1017,6 +1017,37 @@ TEST_P(NewKeyGenerationTest, Rsa) {
    }
}

/*
 * NewKeyGenerationTest.RsaWithMissingValidity
 *
 * Verifies that keymint returns an error while generating asymmetric key
 * without providing NOT_BEFORE and NOT_AFTER parameters.
 */
TEST_P(NewKeyGenerationTest, RsaWithMissingValidity) {
    // Per RFC 5280 4.1.2.5, an undefined expiration (not-after) field should be set to
    // GeneralizedTime 999912312359559, which is 253402300799000 ms from Jan 1, 1970.
    constexpr uint64_t kUndefinedExpirationDateTime = 253402300799000;

    vector<uint8_t> key_blob;
    vector<KeyCharacteristics> key_characteristics;
    ASSERT_EQ(ErrorCode::MISSING_NOT_BEFORE,
              GenerateKey(AuthorizationSetBuilder()
                                  .RsaSigningKey(2048, 65537)
                                  .Digest(Digest::NONE)
                                  .Padding(PaddingMode::NONE)
                                  .Authorization(TAG_CERTIFICATE_NOT_AFTER,
                                                 kUndefinedExpirationDateTime),
                          &key_blob, &key_characteristics));

    ASSERT_EQ(ErrorCode::MISSING_NOT_AFTER,
              GenerateKey(AuthorizationSetBuilder()
                                  .RsaSigningKey(2048, 65537)
                                  .Digest(Digest::NONE)
                                  .Padding(PaddingMode::NONE)
                                  .Authorization(TAG_CERTIFICATE_NOT_BEFORE, 0),
                          &key_blob, &key_characteristics));
}

/*
 * NewKeyGenerationTest.RsaWithAttestation
 *
@@ -1597,6 +1628,35 @@ TEST_P(NewKeyGenerationTest, EcdsaCurve25519MultiPurposeFail) {
    ASSERT_EQ(result, ErrorCode::INCOMPATIBLE_PURPOSE);
}

/*
 * NewKeyGenerationTest.EcdsaWithMissingValidity
 *
 * Verifies that keymint returns an error while generating asymmetric key
 * without providing NOT_BEFORE and NOT_AFTER parameters.
 */
TEST_P(NewKeyGenerationTest, EcdsaWithMissingValidity) {
    // Per RFC 5280 4.1.2.5, an undefined expiration (not-after) field should be set to
    // GeneralizedTime 999912312359559, which is 253402300799000 ms from Jan 1, 1970.
    constexpr uint64_t kUndefinedExpirationDateTime = 253402300799000;

    vector<uint8_t> key_blob;
    vector<KeyCharacteristics> key_characteristics;
    ASSERT_EQ(ErrorCode::MISSING_NOT_BEFORE,
              GenerateKey(AuthorizationSetBuilder()
                                  .EcdsaSigningKey(EcCurve::P_256)
                                  .Digest(Digest::NONE)
                                  .Authorization(TAG_CERTIFICATE_NOT_AFTER,
                                                 kUndefinedExpirationDateTime),
                          &key_blob, &key_characteristics));

    ASSERT_EQ(ErrorCode::MISSING_NOT_AFTER,
              GenerateKey(AuthorizationSetBuilder()
                                  .EcdsaSigningKey(EcCurve::P_256)
                                  .Digest(Digest::NONE)
                                  .Authorization(TAG_CERTIFICATE_NOT_BEFORE, 0),
                          &key_blob, &key_characteristics));
}

/*
 * NewKeyGenerationTest.EcdsaAttestation
 *
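Review bot: The header comments on RsaWithMissingValidity and EcdsaWithMissingValidity say the key is generated "without providing NOT_BEFORE and NOT_AFTER", but each ASSERT_EQ omits only one of the two tags, so the case where both are absent is never exercised. Either reword the comment to `without providing one of the NOT_BEFORE / NOT_AFTER parameters` or add a third GenerateKey call with neither tag, since that is the input an implementation that silently defaults certificate validity would most plausibly accept. The RFC 5280 value in the inline comment also looks mistyped: section 4.1.2.5 gives `99991231235959Z`, not `999912312359559`. Both tests pass a local `key_blob`, so if a non-conforming implementation returns OK the assertion aborts the test with that key never deleted, unless fixture teardown covers it, which is not visible here.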