Merge "More KeyMint VTS testcases" am: 3368b3c6b0 am: f8991afa01 am: f15bc0f935 am: 7df1d7d4f7 (2b75f141) · Commits · e / os / android_hardware_interfaces

security/keymint/aidl/android/hardware/security/keymint/IKeyMintDevice.aidl

+1 −2

Original line number	Original line	Diff line number	Diff line
	@@ -275,8 +275,7 @@ interface IKeyMintDevice {
	*		*
	* o Tag::RSA_PUBLIC_EXPONENT specifies the RSA public exponent value. If omitted, generateKey		* o Tag::RSA_PUBLIC_EXPONENT specifies the RSA public exponent value. If omitted, generateKey
	* must return ErrorCode::INVALID_ARGUMENT. The values 3 and 65537 must be supported. It is		* must return ErrorCode::INVALID_ARGUMENT. The values 3 and 65537 must be supported. It is
	* recommended to support all prime values up to 2^64. If provided with a non-prime value,		* recommended to support all prime values up to 2^64.
	* generateKey must return ErrorCode::INVALID_ARGUMENT.
	*		*
	* The following parameters are not necessary to generate a usable RSA key, but generateKey must		* The following parameters are not necessary to generate a usable RSA key, but generateKey must
	* not return an error if they are omitted:		* not return an error if they are omitted:

security/keymint/aidl/vts/functional/AttestKeyTest.cpp

+56 −1

Original line number	Original line	Diff line number	Diff line
	@@ -124,16 +124,18 @@ TEST_P(AttestKeyTest, AllRsaSizes) {
	EXPECT_EQ(attested_key_cert_chain.size(), 2);		EXPECT_EQ(attested_key_cert_chain.size(), 2);

	/*		/*
	* Use attestation key to sign EC key		* Use attestation key to sign EC key. Specify a CREATION_DATETIME for this one.
	*/		*/
	attested_key_characteristics.resize(0);		attested_key_characteristics.resize(0);
	attested_key_cert_chain.resize(0);		attested_key_cert_chain.resize(0);
			uint64_t timestamp = 1619621648000;
	EXPECT_EQ(ErrorCode::OK,		EXPECT_EQ(ErrorCode::OK,
	GenerateKey(AuthorizationSetBuilder()		GenerateKey(AuthorizationSetBuilder()
	.EcdsaSigningKey(EcCurve::P_256)		.EcdsaSigningKey(EcCurve::P_256)
	.Authorization(TAG_NO_AUTH_REQUIRED)		.Authorization(TAG_NO_AUTH_REQUIRED)
	.AttestationChallenge("foo")		.AttestationChallenge("foo")
	.AttestationApplicationId("bar")		.AttestationApplicationId("bar")
			.Authorization(TAG_CREATION_DATETIME, timestamp)
	.SetDefaultValidity(),		.SetDefaultValidity(),
	attest_key, &attested_key_blob, &attested_key_characteristics,		attest_key, &attested_key_blob, &attested_key_characteristics,
	&attested_key_cert_chain));		&attested_key_cert_chain));
	@@ -143,6 +145,12 @@ TEST_P(AttestKeyTest, AllRsaSizes) {

	hw_enforced = HwEnforcedAuthorizations(attested_key_characteristics);		hw_enforced = HwEnforcedAuthorizations(attested_key_characteristics);
	sw_enforced = SwEnforcedAuthorizations(attested_key_characteristics);		sw_enforced = SwEnforcedAuthorizations(attested_key_characteristics);
			// The client-specified CREATION_DATETIME should be in sw_enforced.
			// Its presence will also trigger verify_attestation_record() to check that it
			// is in the attestation extension with a matching value.
			EXPECT_TRUE(sw_enforced.Contains(TAG_CREATION_DATETIME, timestamp))
			<< "expected CREATION_TIMESTAMP in sw_enforced:" << sw_enforced
			<< " not in hw_enforced:" << hw_enforced;
	EXPECT_TRUE(verify_attestation_record("foo", "bar", sw_enforced, hw_enforced, SecLevel(),		EXPECT_TRUE(verify_attestation_record("foo", "bar", sw_enforced, hw_enforced, SecLevel(),
	attested_key_cert_chain[0].encodedCertificate));		attested_key_cert_chain[0].encodedCertificate));

	@@ -479,6 +487,53 @@ TEST_P(AttestKeyTest, AlternateAttestKeyChaining) {
	}		}
	}		}

			TEST_P(AttestKeyTest, MissingChallenge) {
			for (auto size : ValidKeySizes(Algorithm::RSA)) {
			/*
			* Create attestation key.
			*/
			AttestationKey attest_key;
			vector<KeyCharacteristics> attest_key_characteristics;
			vector<Certificate> attest_key_cert_chain;
			ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
			.RsaSigningKey(size, 65537)
			.AttestKey()
			.SetDefaultValidity(),
			{} /* attestation signing key */, &attest_key.keyBlob,
			&attest_key_characteristics, &attest_key_cert_chain));

			EXPECT_EQ(attest_key_cert_chain.size(), 1);
			EXPECT_TRUE(IsSelfSigned(attest_key_cert_chain)) << "Failed on size " << size;

			/*
			* Use attestation key to sign RSA / ECDSA key but forget to provide a challenge
			*/
			attest_key.issuerSubjectName = make_name_from_str("Android Keystore Key");
			vector<uint8_t> attested_key_blob;
			vector<KeyCharacteristics> attested_key_characteristics;
			vector<Certificate> attested_key_cert_chain;
			EXPECT_EQ(ErrorCode::INVALID_ARGUMENT,
			GenerateKey(AuthorizationSetBuilder()
			.RsaSigningKey(2048, 65537)
			.Authorization(TAG_NO_AUTH_REQUIRED)
			.AttestationApplicationId("bar")
			.SetDefaultValidity(),
			attest_key, &attested_key_blob, &attested_key_characteristics,
			&attested_key_cert_chain));

			EXPECT_EQ(ErrorCode::INVALID_ARGUMENT,
			GenerateKey(AuthorizationSetBuilder()
			.EcdsaSigningKey(EcCurve::P_256)
			.Authorization(TAG_NO_AUTH_REQUIRED)
			.AttestationApplicationId("bar")
			.SetDefaultValidity(),
			attest_key, &attested_key_blob, &attested_key_characteristics,
			&attested_key_cert_chain));

			CheckedDeleteKey(&attest_key.keyBlob);
			}
			}

	TEST_P(AttestKeyTest, AllEcCurves) {		TEST_P(AttestKeyTest, AllEcCurves) {
	for (auto curve : ValidCurves()) {		for (auto curve : ValidCurves()) {
	/*		/*

security/keymint/aidl/vts/functional/KeyMintAidlTestBase.cpp

+21 −3

Original line number	Original line	Diff line number	Diff line
	@@ -167,6 +167,7 @@ void KeyMintAidlTestBase::InitializeKeyMint(std::shared_ptr<IKeyMintDevice> keyM
	securityLevel_ = info.securityLevel;		securityLevel_ = info.securityLevel;
	name_.assign(info.keyMintName.begin(), info.keyMintName.end());		name_.assign(info.keyMintName.begin(), info.keyMintName.end());
	author_.assign(info.keyMintAuthorName.begin(), info.keyMintAuthorName.end());		author_.assign(info.keyMintAuthorName.begin(), info.keyMintAuthorName.end());
			timestamp_token_required_ = info.timestampTokenRequired;

	os_version_ = getOsVersion();		os_version_ = getOsVersion();
	os_patch_level_ = getOsPatchlevel();		os_patch_level_ = getOsPatchlevel();
	@@ -273,7 +274,8 @@ ErrorCode KeyMintAidlTestBase::ImportKey(const AuthorizationSet& key_desc, KeyFo
	ErrorCode KeyMintAidlTestBase::ImportWrappedKey(string wrapped_key, string wrapping_key,		ErrorCode KeyMintAidlTestBase::ImportWrappedKey(string wrapped_key, string wrapping_key,
	const AuthorizationSet& wrapping_key_desc,		const AuthorizationSet& wrapping_key_desc,
	string masking_key,		string masking_key,
	const AuthorizationSet& unwrapping_params) {		const AuthorizationSet& unwrapping_params,
			int64_t password_sid, int64_t biometric_sid) {
	EXPECT_EQ(ErrorCode::OK, ImportKey(wrapping_key_desc, KeyFormat::PKCS8, wrapping_key));		EXPECT_EQ(ErrorCode::OK, ImportKey(wrapping_key_desc, KeyFormat::PKCS8, wrapping_key));

	key_characteristics_.clear();		key_characteristics_.clear();
	@@ -282,8 +284,7 @@ ErrorCode KeyMintAidlTestBase::ImportWrappedKey(string wrapped_key, string wrapp
	Status result = keymint_->importWrappedKey(		Status result = keymint_->importWrappedKey(
	vector<uint8_t>(wrapped_key.begin(), wrapped_key.end()), key_blob_,		vector<uint8_t>(wrapped_key.begin(), wrapped_key.end()), key_blob_,
	vector<uint8_t>(masking_key.begin(), masking_key.end()),		vector<uint8_t>(masking_key.begin(), masking_key.end()),
	unwrapping_params.vector_data(), 0 /* passwordSid /, 0 / biometricSid */,		unwrapping_params.vector_data(), password_sid, biometric_sid, &creationResult);
	&creationResult);

	if (result.isOk()) {		if (result.isOk()) {
	EXPECT_PRED2(KeyCharacteristicsBasicallyValid, SecLevel(),		EXPECT_PRED2(KeyCharacteristicsBasicallyValid, SecLevel(),
	@@ -332,6 +333,11 @@ ErrorCode KeyMintAidlTestBase::DeleteAllKeys() {
	return GetReturnErrorCode(result);		return GetReturnErrorCode(result);
	}		}

			ErrorCode KeyMintAidlTestBase::DestroyAttestationIds() {
			Status result = keymint_->destroyAttestationIds();
			return GetReturnErrorCode(result);
			}

	void KeyMintAidlTestBase::CheckedDeleteKey(vector<uint8_t>* key_blob, bool keep_key_blob) {		void KeyMintAidlTestBase::CheckedDeleteKey(vector<uint8_t>* key_blob, bool keep_key_blob) {
	ErrorCode result = DeleteKey(key_blob, keep_key_blob);		ErrorCode result = DeleteKey(key_blob, keep_key_blob);
	EXPECT_TRUE(result == ErrorCode::OK \|\| result == ErrorCode::UNIMPLEMENTED) << result << endl;		EXPECT_TRUE(result == ErrorCode::OK \|\| result == ErrorCode::UNIMPLEMENTED) << result << endl;
	@@ -654,6 +660,18 @@ string KeyMintAidlTestBase::EncryptMessage(const string& message, BlockMode bloc
	return ciphertext;		return ciphertext;
	}		}

			string KeyMintAidlTestBase::EncryptMessage(const string& message, BlockMode block_mode,
			PaddingMode padding, uint8_t mac_length_bits) {
			SCOPED_TRACE("EncryptMessage");
			auto params = AuthorizationSetBuilder()
			.BlockMode(block_mode)
			.Padding(padding)
			.Authorization(TAG_MAC_LENGTH, mac_length_bits);
			AuthorizationSet out_params;
			string ciphertext = EncryptMessage(message, params, &out_params);
			return ciphertext;
			}

	string KeyMintAidlTestBase::DecryptMessage(const vector<uint8_t>& key_blob,		string KeyMintAidlTestBase::DecryptMessage(const vector<uint8_t>& key_blob,
	const string& ciphertext,		const string& ciphertext,
	const AuthorizationSet& params) {		const AuthorizationSet& params) {

security/keymint/aidl/vts/functional/KeyMintAidlTestBase.h

+13 −1

Original line number	Original line	Diff line number	Diff line
	@@ -95,13 +95,22 @@ class KeyMintAidlTestBase : public ::testing::TestWithParam<string> {

	ErrorCode ImportWrappedKey(string wrapped_key, string wrapping_key,		ErrorCode ImportWrappedKey(string wrapped_key, string wrapping_key,
	const AuthorizationSet& wrapping_key_desc, string masking_key,		const AuthorizationSet& wrapping_key_desc, string masking_key,
	const AuthorizationSet& unwrapping_params);		const AuthorizationSet& unwrapping_params, int64_t password_sid,
			int64_t biometric_sid);
			ErrorCode ImportWrappedKey(string wrapped_key, string wrapping_key,
			const AuthorizationSet& wrapping_key_desc, string masking_key,
			const AuthorizationSet& unwrapping_params) {
			return ImportWrappedKey(wrapped_key, wrapping_key, wrapping_key_desc, masking_key,
			unwrapping_params, 0 /* password_sid /, 0 / biometric_sid */);
			}

	ErrorCode DeleteKey(vector<uint8_t>* key_blob, bool keep_key_blob = false);		ErrorCode DeleteKey(vector<uint8_t>* key_blob, bool keep_key_blob = false);
	ErrorCode DeleteKey(bool keep_key_blob = false);		ErrorCode DeleteKey(bool keep_key_blob = false);

	ErrorCode DeleteAllKeys();		ErrorCode DeleteAllKeys();

			ErrorCode DestroyAttestationIds();

	void CheckedDeleteKey(vector<uint8_t>* key_blob, bool keep_key_blob = false);		void CheckedDeleteKey(vector<uint8_t>* key_blob, bool keep_key_blob = false);
	void CheckedDeleteKey();		void CheckedDeleteKey();

	@@ -166,6 +175,8 @@ class KeyMintAidlTestBase : public ::testing::TestWithParam<string> {
	const vector<uint8_t>& iv_in);		const vector<uint8_t>& iv_in);
	string EncryptMessage(const string& message, BlockMode block_mode, PaddingMode padding,		string EncryptMessage(const string& message, BlockMode block_mode, PaddingMode padding,
	uint8_t mac_length_bits, const vector<uint8_t>& iv_in);		uint8_t mac_length_bits, const vector<uint8_t>& iv_in);
			string EncryptMessage(const string& message, BlockMode block_mode, PaddingMode padding,
			uint8_t mac_length_bits);

	string DecryptMessage(const vector<uint8_t>& key_blob, const string& ciphertext,		string DecryptMessage(const vector<uint8_t>& key_blob, const string& ciphertext,
	const AuthorizationSet& params);		const AuthorizationSet& params);
	@@ -268,6 +279,7 @@ class KeyMintAidlTestBase : public ::testing::TestWithParam<string> {
	uint32_t os_version_;		uint32_t os_version_;
	uint32_t os_patch_level_;		uint32_t os_patch_level_;
	uint32_t vendor_patch_level_;		uint32_t vendor_patch_level_;
			bool timestamp_token_required_;

	SecurityLevel securityLevel_;		SecurityLevel securityLevel_;
	string name_;		string name_;

security/keymint/aidl/vts/functional/KeyMintTest.cpp

+1005 −197

File changed.

Preview size limit exceeded, changes collapsed.