
Commit 28fa7893 authored by Treehugger Robot, committed by Automerger Merge Worker

Merge "Whenever `generateKey` fails updated AttestKeyTests to abort instead of...

Merge "Whenever `generateKey` fails updated AttestKeyTests to abort instead of continuing the execution of the test." into main am: 1452142a

Original change: https://android-review.googlesource.com/c/platform/hardware/interfaces/+/2676503



Change-Id: Iad19012de44faabe1c51c6a74cccb39881e2eb42
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
parents a3af2c89 1452142a
+33 −22
@@ -156,7 +156,7 @@ TEST_P(AttestKeyTest, AllRsaSizes) {
        vector<uint8_t> attested_key_blob;
        vector<KeyCharacteristics> attested_key_characteristics;
        vector<Certificate> attested_key_cert_chain;
        EXPECT_EQ(ErrorCode::OK,
        ASSERT_EQ(ErrorCode::OK,
                  GenerateKey(AuthorizationSetBuilder()
                                      .RsaSigningKey(2048, 65537)
                                      .Authorization(TAG_NO_AUTH_REQUIRED)
@@ -167,9 +167,11 @@ TEST_P(AttestKeyTest, AllRsaSizes) {
                              &attested_key_cert_chain));
        KeyBlobDeleter attested_deleter(keymint_, attested_key_blob);

        ASSERT_GT(attested_key_cert_chain.size(), 0);

        AuthorizationSet hw_enforced = HwEnforcedAuthorizations(attested_key_characteristics);
        AuthorizationSet sw_enforced = SwEnforcedAuthorizations(attested_key_characteristics);
        EXPECT_TRUE(verify_attestation_record(AidlVersion(), "foo", "bar", sw_enforced, hw_enforced,
        ASSERT_TRUE(verify_attestation_record(AidlVersion(), "foo", "bar", sw_enforced, hw_enforced,
                                              SecLevel(),
                                              attested_key_cert_chain[0].encodedCertificate));

@@ -186,7 +188,7 @@ TEST_P(AttestKeyTest, AllRsaSizes) {
         */
        attested_key_characteristics.resize(0);
        attested_key_cert_chain.resize(0);
        EXPECT_EQ(ErrorCode::OK,
        ASSERT_EQ(ErrorCode::OK,
                  GenerateKey(AuthorizationSetBuilder()
                                      .RsaEncryptionKey(2048, 65537)
                                      .Digest(Digest::NONE)
@@ -199,9 +201,11 @@ TEST_P(AttestKeyTest, AllRsaSizes) {
                              &attested_key_cert_chain));
        KeyBlobDeleter attested_deleter2(keymint_, attested_key_blob);

        ASSERT_GT(attested_key_cert_chain.size(), 0);

        hw_enforced = HwEnforcedAuthorizations(attested_key_characteristics);
        sw_enforced = SwEnforcedAuthorizations(attested_key_characteristics);
        EXPECT_TRUE(verify_attestation_record(AidlVersion(), "foo2", "bar2", sw_enforced,
        ASSERT_TRUE(verify_attestation_record(AidlVersion(), "foo2", "bar2", sw_enforced,
                                              hw_enforced, SecLevel(),
                                              attested_key_cert_chain[0].encodedCertificate));

@@ -219,7 +223,7 @@ TEST_P(AttestKeyTest, AllRsaSizes) {
        attested_key_characteristics.resize(0);
        attested_key_cert_chain.resize(0);
        uint64_t timestamp = 1619621648000;
        EXPECT_EQ(ErrorCode::OK,
        ASSERT_EQ(ErrorCode::OK,
                  GenerateKey(AuthorizationSetBuilder()
                                      .EcdsaSigningKey(EcCurve::P_256)
                                      .Authorization(TAG_NO_AUTH_REQUIRED)
@@ -231,6 +235,8 @@ TEST_P(AttestKeyTest, AllRsaSizes) {
                              &attested_key_cert_chain));
        KeyBlobDeleter attested_deleter3(keymint_, attested_key_blob);

        ASSERT_GT(attested_key_cert_chain.size(), 0);

        // The returned key characteristics will include CREATION_DATETIME (checked below)
        // in SecurityLevel::KEYSTORE; this will be stripped out in the CheckCharacteristics()
        // call below, to match what getKeyCharacteristics() returns (which doesn't include
@@ -246,7 +252,7 @@ TEST_P(AttestKeyTest, AllRsaSizes) {
        EXPECT_TRUE(sw_enforced.Contains(TAG_CREATION_DATETIME, timestamp))
                << "expected CREATION_TIMESTAMP in sw_enforced:" << sw_enforced
                << " not in hw_enforced:" << hw_enforced;
        EXPECT_TRUE(verify_attestation_record(AidlVersion(), "foo", "bar", sw_enforced, hw_enforced,
        ASSERT_TRUE(verify_attestation_record(AidlVersion(), "foo", "bar", sw_enforced, hw_enforced,
                                              SecLevel(),
                                              attested_key_cert_chain[0].encodedCertificate));

@@ -336,7 +342,7 @@ TEST_P(AttestKeyTest, RsaAttestedAttestKeys) {

    AuthorizationSet hw_enforced = HwEnforcedAuthorizations(attest_key_characteristics);
    AuthorizationSet sw_enforced = SwEnforcedAuthorizations(attest_key_characteristics);
    EXPECT_TRUE(verify_attestation_record(AidlVersion(), challenge, app_id,  //
    ASSERT_TRUE(verify_attestation_record(AidlVersion(), challenge, app_id,  //
                                          sw_enforced, hw_enforced, SecLevel(),
                                          attest_key_cert_chain[0].encodedCertificate));

@@ -354,7 +360,7 @@ TEST_P(AttestKeyTest, RsaAttestedAttestKeys) {
    uint64_t serial_int2 = 255;
    vector<uint8_t> serial_blob2(build_serial_blob(serial_int2));

    EXPECT_EQ(ErrorCode::OK,
    ASSERT_EQ(ErrorCode::OK,
              GenerateKey(AuthorizationSetBuilder()
                                  .RsaSigningKey(2048, 65537)
                                  .Authorization(TAG_NO_AUTH_REQUIRED)
@@ -367,9 +373,11 @@ TEST_P(AttestKeyTest, RsaAttestedAttestKeys) {
                          &attested_key_cert_chain));
    KeyBlobDeleter attested_deleter(keymint_, attested_key_blob);

    ASSERT_GT(attested_key_cert_chain.size(), 0);

    AuthorizationSet hw_enforced2 = HwEnforcedAuthorizations(attested_key_characteristics);
    AuthorizationSet sw_enforced2 = SwEnforcedAuthorizations(attested_key_characteristics);
    EXPECT_TRUE(verify_attestation_record(AidlVersion(), "foo", "bar", sw_enforced2, hw_enforced2,
    ASSERT_TRUE(verify_attestation_record(AidlVersion(), "foo", "bar", sw_enforced2, hw_enforced2,
                                          SecLevel(),
                                          attested_key_cert_chain[0].encodedCertificate));

@@ -437,7 +445,7 @@ TEST_P(AttestKeyTest, RsaAttestKeyChaining) {
        AuthorizationSet hw_enforced = HwEnforcedAuthorizations(attested_key_characteristics);
        AuthorizationSet sw_enforced = SwEnforcedAuthorizations(attested_key_characteristics);
        ASSERT_GT(cert_chain_list[i].size(), 0);
        EXPECT_TRUE(verify_attestation_record(AidlVersion(), "foo", "bar", sw_enforced, hw_enforced,
        ASSERT_TRUE(verify_attestation_record(AidlVersion(), "foo", "bar", sw_enforced, hw_enforced,
                                              SecLevel(),
                                              cert_chain_list[i][0].encodedCertificate));

@@ -512,7 +520,7 @@ TEST_P(AttestKeyTest, EcAttestKeyChaining) {
        AuthorizationSet hw_enforced = HwEnforcedAuthorizations(attested_key_characteristics);
        AuthorizationSet sw_enforced = SwEnforcedAuthorizations(attested_key_characteristics);
        ASSERT_GT(cert_chain_list[i].size(), 0);
        EXPECT_TRUE(verify_attestation_record(AidlVersion(), "foo", "bar", sw_enforced, hw_enforced,
        ASSERT_TRUE(verify_attestation_record(AidlVersion(), "foo", "bar", sw_enforced, hw_enforced,
                                              SecLevel(),
                                              cert_chain_list[i][0].encodedCertificate));

@@ -628,7 +636,7 @@ TEST_P(AttestKeyTest, AlternateAttestKeyChaining) {
        AuthorizationSet hw_enforced = HwEnforcedAuthorizations(attested_key_characteristics);
        AuthorizationSet sw_enforced = SwEnforcedAuthorizations(attested_key_characteristics);
        ASSERT_GT(cert_chain_list[i].size(), 0);
        EXPECT_TRUE(verify_attestation_record(AidlVersion(), "foo", "bar", sw_enforced, hw_enforced,
        ASSERT_TRUE(verify_attestation_record(AidlVersion(), "foo", "bar", sw_enforced, hw_enforced,
                                              SecLevel(),
                                              cert_chain_list[i][0].encodedCertificate));

@@ -678,7 +686,7 @@ TEST_P(AttestKeyTest, MissingChallenge) {
        vector<uint8_t> attested_key_blob;
        vector<KeyCharacteristics> attested_key_characteristics;
        vector<Certificate> attested_key_cert_chain;
        EXPECT_EQ(ErrorCode::ATTESTATION_CHALLENGE_MISSING,
        ASSERT_EQ(ErrorCode::ATTESTATION_CHALLENGE_MISSING,
                  GenerateKey(AuthorizationSetBuilder()
                                      .RsaSigningKey(2048, 65537)
                                      .Authorization(TAG_NO_AUTH_REQUIRED)
@@ -687,7 +695,7 @@ TEST_P(AttestKeyTest, MissingChallenge) {
                              attest_key, &attested_key_blob, &attested_key_characteristics,
                              &attested_key_cert_chain));

        EXPECT_EQ(ErrorCode::ATTESTATION_CHALLENGE_MISSING,
        ASSERT_EQ(ErrorCode::ATTESTATION_CHALLENGE_MISSING,
                  GenerateKey(AuthorizationSetBuilder()
                                      .EcdsaSigningKey(EcCurve::P_256)
                                      .Authorization(TAG_NO_AUTH_REQUIRED)
@@ -725,7 +733,7 @@ TEST_P(AttestKeyTest, AllEcCurves) {
        vector<uint8_t> attested_key_blob;
        vector<KeyCharacteristics> attested_key_characteristics;
        vector<Certificate> attested_key_cert_chain;
        EXPECT_EQ(ErrorCode::OK,
        ASSERT_EQ(ErrorCode::OK,
                  GenerateKey(AuthorizationSetBuilder()
                                      .RsaSigningKey(2048, 65537)
                                      .Authorization(TAG_NO_AUTH_REQUIRED)
@@ -740,7 +748,7 @@ TEST_P(AttestKeyTest, AllEcCurves) {

        AuthorizationSet hw_enforced = HwEnforcedAuthorizations(attested_key_characteristics);
        AuthorizationSet sw_enforced = SwEnforcedAuthorizations(attested_key_characteristics);
        EXPECT_TRUE(verify_attestation_record(AidlVersion(), "foo", "bar", sw_enforced, hw_enforced,
        ASSERT_TRUE(verify_attestation_record(AidlVersion(), "foo", "bar", sw_enforced, hw_enforced,
                                              SecLevel(),
                                              attested_key_cert_chain[0].encodedCertificate));

@@ -756,7 +764,7 @@ TEST_P(AttestKeyTest, AllEcCurves) {
        /*
         * Use attestation key to sign EC key
         */
        EXPECT_EQ(ErrorCode::OK,
        ASSERT_EQ(ErrorCode::OK,
                  GenerateKey(AuthorizationSetBuilder()
                                      .EcdsaSigningKey(EcCurve::P_256)
                                      .Authorization(TAG_NO_AUTH_REQUIRED)
@@ -771,7 +779,7 @@ TEST_P(AttestKeyTest, AllEcCurves) {

        hw_enforced = HwEnforcedAuthorizations(attested_key_characteristics);
        sw_enforced = SwEnforcedAuthorizations(attested_key_characteristics);
        EXPECT_TRUE(verify_attestation_record(AidlVersion(), "foo", "bar", sw_enforced, hw_enforced,
        ASSERT_TRUE(verify_attestation_record(AidlVersion(), "foo", "bar", sw_enforced, hw_enforced,
                                              SecLevel(),
                                              attested_key_cert_chain[0].encodedCertificate));

@@ -809,7 +817,7 @@ TEST_P(AttestKeyTest, AttestWithNonAttestKey) {
    vector<uint8_t> attested_key_blob;
    vector<KeyCharacteristics> attested_key_characteristics;
    vector<Certificate> attested_key_cert_chain;
    EXPECT_EQ(ErrorCode::INCOMPATIBLE_PURPOSE,
    ASSERT_EQ(ErrorCode::INCOMPATIBLE_PURPOSE,
              GenerateKey(AuthorizationSetBuilder()
                                  .EcdsaSigningKey(EcCurve::P_256)
                                  .Authorization(TAG_NO_AUTH_REQUIRED)
@@ -872,6 +880,7 @@ TEST_P(AttestKeyTest, EcdsaAttestationID) {
        }

        ASSERT_EQ(result, ErrorCode::OK);
        ASSERT_GT(attested_key_cert_chain.size(), 0);
        KeyBlobDeleter attested_deleter(keymint_, attested_key_blob);

        AuthorizationSet hw_enforced = HwEnforcedAuthorizations(attested_key_characteristics);
@@ -882,7 +891,7 @@ TEST_P(AttestKeyTest, EcdsaAttestationID) {
        // attestation extension should contain them, so make sure the extra tag is added.
        hw_enforced.push_back(tag);

        EXPECT_TRUE(verify_attestation_record(AidlVersion(), "challenge", "foo", sw_enforced,
        ASSERT_TRUE(verify_attestation_record(AidlVersion(), "challenge", "foo", sw_enforced,
                                              hw_enforced, SecLevel(),
                                              attested_key_cert_chain[0].encodedCertificate));
    }
@@ -998,6 +1007,7 @@ TEST_P(AttestKeyTest, SecondIMEIAttestationIDSuccess) {
    }

    ASSERT_EQ(result, ErrorCode::OK);
    ASSERT_GT(attested_key_cert_chain.size(), 0);
    KeyBlobDeleter attested_deleter(keymint_, attested_key_blob);

    AuthorizationSet hw_enforced = HwEnforcedAuthorizations(attested_key_characteristics);
@@ -1010,7 +1020,7 @@ TEST_P(AttestKeyTest, SecondIMEIAttestationIDSuccess) {
    KeyParameter imei_tag = Authorization(TAG_ATTESTATION_ID_SECOND_IMEI, imei_blob);
    hw_enforced.push_back(imei_tag);

    EXPECT_TRUE(verify_attestation_record(AidlVersion(), "challenge", "foo", sw_enforced,
    ASSERT_TRUE(verify_attestation_record(AidlVersion(), "challenge", "foo", sw_enforced,
                                          hw_enforced, SecLevel(),
                                          attested_key_cert_chain[0].encodedCertificate));
}
@@ -1069,6 +1079,7 @@ TEST_P(AttestKeyTest, MultipleIMEIAttestationIDSuccess) {
    }

    ASSERT_EQ(result, ErrorCode::OK);
    ASSERT_GT(attested_key_cert_chain.size(), 0);
    KeyBlobDeleter attested_deleter(keymint_, attested_key_blob);

    AuthorizationSet hw_enforced = HwEnforcedAuthorizations(attested_key_characteristics);
@@ -1084,7 +1095,7 @@ TEST_P(AttestKeyTest, MultipleIMEIAttestationIDSuccess) {
    KeyParameter sec_imei_tag = Authorization(TAG_ATTESTATION_ID_SECOND_IMEI, sec_imei_blob);
    hw_enforced.push_back(sec_imei_tag);

    EXPECT_TRUE(verify_attestation_record(AidlVersion(), "challenge", "foo", sw_enforced,
    ASSERT_TRUE(verify_attestation_record(AidlVersion(), "challenge", "foo", sw_enforced,
                                          hw_enforced, SecLevel(),
                                          attested_key_cert_chain[0].encodedCertificate));
}
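Review bot: In the EcdsaAttestationID hunk the new `ASSERT_GT(attested_key_cert_chain.size(), 0);` is placed between `ASSERT_EQ(result, ErrorCode::OK);` and the `KeyBlobDeleter attested_deleter(...)` declaration, so a run where key generation succeeds but the certificate chain comes back empty returns from the test body before the deleter object exists. Assuming KeyBlobDeleter releases the blob in its destructor (its definition is not visible here), the key that was just generated would then never be deleted on the device under test. The AllRsaSizes and RsaAttestedAttestKeys hunks in this same change use the other order, with the deleter declared first, and I would match that here: `KeyBlobDeleter attested_deleter(keymint_, attested_key_blob);` followed by `ASSERT_GT(attested_key_cert_chain.size(), 0);`. The SecondIMEIAttestationIDSuccess and MultipleIMEIAttestationIDSuccess hunks have the same ordering and need the same swap.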