Merge "More KeyMint VTS testcases" (3368b3c6) · Commits · e / os / android_hardware_interfaces

security/keymint/aidl/android/hardware/security/keymint/IKeyMintDevice.aidl

+1 −2

Original line number	Diff line number	Diff line
		@@ -275,8 +275,7 @@ interface IKeyMintDevice {
		*
		* o Tag::RSA_PUBLIC_EXPONENT specifies the RSA public exponent value. If omitted, generateKey
		* must return ErrorCode::INVALID_ARGUMENT. The values 3 and 65537 must be supported. It is
		* recommended to support all prime values up to 2^64. If provided with a non-prime value,
		* generateKey must return ErrorCode::INVALID_ARGUMENT.
		* recommended to support all prime values up to 2^64.
		*
		* The following parameters are not necessary to generate a usable RSA key, but generateKey must
		* not return an error if they are omitted:

security/keymint/aidl/vts/functional/AttestKeyTest.cpp

+56 −1

Original line number	Diff line number	Diff line
		@@ -124,16 +124,18 @@ TEST_P(AttestKeyTest, AllRsaSizes) {
		EXPECT_EQ(attested_key_cert_chain.size(), 2);

		/*
		* Use attestation key to sign EC key
		* Use attestation key to sign EC key. Specify a CREATION_DATETIME for this one.
		*/
		attested_key_characteristics.resize(0);
		attested_key_cert_chain.resize(0);
		uint64_t timestamp = 1619621648000;
		EXPECT_EQ(ErrorCode::OK,
		GenerateKey(AuthorizationSetBuilder()
		.EcdsaSigningKey(EcCurve::P_256)
		.Authorization(TAG_NO_AUTH_REQUIRED)
		.AttestationChallenge("foo")
		.AttestationApplicationId("bar")
		.Authorization(TAG_CREATION_DATETIME, timestamp)
		.SetDefaultValidity(),
		attest_key, &attested_key_blob, &attested_key_characteristics,
		&attested_key_cert_chain));
		@@ -143,6 +145,12 @@ TEST_P(AttestKeyTest, AllRsaSizes) {

		hw_enforced = HwEnforcedAuthorizations(attested_key_characteristics);
		sw_enforced = SwEnforcedAuthorizations(attested_key_characteristics);
		// The client-specified CREATION_DATETIME should be in sw_enforced.
		// Its presence will also trigger verify_attestation_record() to check that it
		// is in the attestation extension with a matching value.
		EXPECT_TRUE(sw_enforced.Contains(TAG_CREATION_DATETIME, timestamp))
		<< "expected CREATION_TIMESTAMP in sw_enforced:" << sw_enforced
		<< " not in hw_enforced:" << hw_enforced;
		EXPECT_TRUE(verify_attestation_record("foo", "bar", sw_enforced, hw_enforced, SecLevel(),
		attested_key_cert_chain[0].encodedCertificate));

		@@ -479,6 +487,53 @@ TEST_P(AttestKeyTest, AlternateAttestKeyChaining) {
		}
		}

		TEST_P(AttestKeyTest, MissingChallenge) {
		for (auto size : ValidKeySizes(Algorithm::RSA)) {
		/*
		* Create attestation key.
		*/
		AttestationKey attest_key;
		vector<KeyCharacteristics> attest_key_characteristics;
		vector<Certificate> attest_key_cert_chain;
		ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
		.RsaSigningKey(size, 65537)
		.AttestKey()
		.SetDefaultValidity(),
		{} /* attestation signing key */, &attest_key.keyBlob,
		&attest_key_characteristics, &attest_key_cert_chain));

		EXPECT_EQ(attest_key_cert_chain.size(), 1);
		EXPECT_TRUE(IsSelfSigned(attest_key_cert_chain)) << "Failed on size " << size;

		/*
		* Use attestation key to sign RSA / ECDSA key but forget to provide a challenge
		*/
		attest_key.issuerSubjectName = make_name_from_str("Android Keystore Key");
		vector<uint8_t> attested_key_blob;
		vector<KeyCharacteristics> attested_key_characteristics;
		vector<Certificate> attested_key_cert_chain;
		EXPECT_EQ(ErrorCode::INVALID_ARGUMENT,
		GenerateKey(AuthorizationSetBuilder()
		.RsaSigningKey(2048, 65537)
		.Authorization(TAG_NO_AUTH_REQUIRED)
		.AttestationApplicationId("bar")
		.SetDefaultValidity(),
		attest_key, &attested_key_blob, &attested_key_characteristics,
		&attested_key_cert_chain));

		EXPECT_EQ(ErrorCode::INVALID_ARGUMENT,
		GenerateKey(AuthorizationSetBuilder()
		.EcdsaSigningKey(EcCurve::P_256)
		.Authorization(TAG_NO_AUTH_REQUIRED)
		.AttestationApplicationId("bar")
		.SetDefaultValidity(),
		attest_key, &attested_key_blob, &attested_key_characteristics,
		&attested_key_cert_chain));

		CheckedDeleteKey(&attest_key.keyBlob);
		}
		}

		TEST_P(AttestKeyTest, AllEcCurves) {
		for (auto curve : ValidCurves()) {
		/*

security/keymint/aidl/vts/functional/KeyMintAidlTestBase.cpp

+21 −3

Original line number	Diff line number	Diff line
		@@ -167,6 +167,7 @@ void KeyMintAidlTestBase::InitializeKeyMint(std::shared_ptr<IKeyMintDevice> keyM
		securityLevel_ = info.securityLevel;
		name_.assign(info.keyMintName.begin(), info.keyMintName.end());
		author_.assign(info.keyMintAuthorName.begin(), info.keyMintAuthorName.end());
		timestamp_token_required_ = info.timestampTokenRequired;

		os_version_ = getOsVersion();
		os_patch_level_ = getOsPatchlevel();
		@@ -273,7 +274,8 @@ ErrorCode KeyMintAidlTestBase::ImportKey(const AuthorizationSet& key_desc, KeyFo
		ErrorCode KeyMintAidlTestBase::ImportWrappedKey(string wrapped_key, string wrapping_key,
		const AuthorizationSet& wrapping_key_desc,
		string masking_key,
		const AuthorizationSet& unwrapping_params) {
		const AuthorizationSet& unwrapping_params,
		int64_t password_sid, int64_t biometric_sid) {
		EXPECT_EQ(ErrorCode::OK, ImportKey(wrapping_key_desc, KeyFormat::PKCS8, wrapping_key));

		key_characteristics_.clear();
		@@ -282,8 +284,7 @@ ErrorCode KeyMintAidlTestBase::ImportWrappedKey(string wrapped_key, string wrapp
		Status result = keymint_->importWrappedKey(
		vector<uint8_t>(wrapped_key.begin(), wrapped_key.end()), key_blob_,
		vector<uint8_t>(masking_key.begin(), masking_key.end()),
		unwrapping_params.vector_data(), 0 /* passwordSid /, 0 / biometricSid */,
		&creationResult);
		unwrapping_params.vector_data(), password_sid, biometric_sid, &creationResult);

		if (result.isOk()) {
		EXPECT_PRED2(KeyCharacteristicsBasicallyValid, SecLevel(),
		@@ -332,6 +333,11 @@ ErrorCode KeyMintAidlTestBase::DeleteAllKeys() {
		return GetReturnErrorCode(result);
		}

		ErrorCode KeyMintAidlTestBase::DestroyAttestationIds() {
		Status result = keymint_->destroyAttestationIds();
		return GetReturnErrorCode(result);
		}

		void KeyMintAidlTestBase::CheckedDeleteKey(vector<uint8_t>* key_blob, bool keep_key_blob) {
		ErrorCode result = DeleteKey(key_blob, keep_key_blob);
		EXPECT_TRUE(result == ErrorCode::OK \|\| result == ErrorCode::UNIMPLEMENTED) << result << endl;
		@@ -654,6 +660,18 @@ string KeyMintAidlTestBase::EncryptMessage(const string& message, BlockMode bloc
		return ciphertext;
		}

		string KeyMintAidlTestBase::EncryptMessage(const string& message, BlockMode block_mode,
		PaddingMode padding, uint8_t mac_length_bits) {
		SCOPED_TRACE("EncryptMessage");
		auto params = AuthorizationSetBuilder()
		.BlockMode(block_mode)
		.Padding(padding)
		.Authorization(TAG_MAC_LENGTH, mac_length_bits);
		AuthorizationSet out_params;
		string ciphertext = EncryptMessage(message, params, &out_params);
		return ciphertext;
		}

		string KeyMintAidlTestBase::DecryptMessage(const vector<uint8_t>& key_blob,
		const string& ciphertext,
		const AuthorizationSet& params) {

security/keymint/aidl/vts/functional/KeyMintAidlTestBase.h

+13 −1

Original line number	Diff line number	Diff line
		@@ -95,13 +95,22 @@ class KeyMintAidlTestBase : public ::testing::TestWithParam<string> {

		ErrorCode ImportWrappedKey(string wrapped_key, string wrapping_key,
		const AuthorizationSet& wrapping_key_desc, string masking_key,
		const AuthorizationSet& unwrapping_params);
		const AuthorizationSet& unwrapping_params, int64_t password_sid,
		int64_t biometric_sid);
		ErrorCode ImportWrappedKey(string wrapped_key, string wrapping_key,
		const AuthorizationSet& wrapping_key_desc, string masking_key,
		const AuthorizationSet& unwrapping_params) {
		return ImportWrappedKey(wrapped_key, wrapping_key, wrapping_key_desc, masking_key,
		unwrapping_params, 0 /* password_sid /, 0 / biometric_sid */);
		}

		ErrorCode DeleteKey(vector<uint8_t>* key_blob, bool keep_key_blob = false);
		ErrorCode DeleteKey(bool keep_key_blob = false);

		ErrorCode DeleteAllKeys();

		ErrorCode DestroyAttestationIds();

		void CheckedDeleteKey(vector<uint8_t>* key_blob, bool keep_key_blob = false);
		void CheckedDeleteKey();

		@@ -166,6 +175,8 @@ class KeyMintAidlTestBase : public ::testing::TestWithParam<string> {
		const vector<uint8_t>& iv_in);
		string EncryptMessage(const string& message, BlockMode block_mode, PaddingMode padding,
		uint8_t mac_length_bits, const vector<uint8_t>& iv_in);
		string EncryptMessage(const string& message, BlockMode block_mode, PaddingMode padding,
		uint8_t mac_length_bits);

		string DecryptMessage(const vector<uint8_t>& key_blob, const string& ciphertext,
		const AuthorizationSet& params);
		@@ -268,6 +279,7 @@ class KeyMintAidlTestBase : public ::testing::TestWithParam<string> {
		uint32_t os_version_;
		uint32_t os_patch_level_;
		uint32_t vendor_patch_level_;
		bool timestamp_token_required_;

		SecurityLevel securityLevel_;
		string name_;

security/keymint/aidl/vts/functional/KeyMintTest.cpp

+1005 −197

File changed.

Preview size limit exceeded, changes collapsed.