Allow extra error code in device ID attestation am: 94042a987c am: 7a46f5c9aa am: 6d11e19f39 (47df38dc) · Commits · e / os / android_hardware_interfaces

security/keymint/aidl/vts/functional/AttestKeyTest.cpp

+1 −8

Original line number	Original line	Diff line number	Diff line
	@@ -961,10 +961,7 @@ TEST_P(AttestKeyTest, EcdsaAttestationMismatchID) {
	vector<Certificate> attested_key_cert_chain;		vector<Certificate> attested_key_cert_chain;
	auto result = GenerateKey(builder, attest_key, &attested_key_blob,		auto result = GenerateKey(builder, attest_key, &attested_key_blob,
	&attested_key_characteristics, &attested_key_cert_chain);		&attested_key_characteristics, &attested_key_cert_chain);
			device_id_attestation_check_acceptable_error(invalid_tag.tag, result);
	ASSERT_TRUE(result == ErrorCode::CANNOT_ATTEST_IDS \|\| result == ErrorCode::INVALID_TAG)
	<< "result = " << result;
	device_id_attestation_vsr_check(result);
	}		}
	CheckedDeleteKey(&attest_key.keyBlob);		CheckedDeleteKey(&attest_key.keyBlob);
	}		}
	@@ -1026,8 +1023,6 @@ TEST_P(AttestKeyTest, SecondIMEIAttestationIDSuccess) {

	ASSERT_EQ(result, ErrorCode::OK);		ASSERT_EQ(result, ErrorCode::OK);

	device_id_attestation_vsr_check(result);

	CheckedDeleteKey(&attested_key_blob);		CheckedDeleteKey(&attested_key_blob);

	AuthorizationSet hw_enforced = HwEnforcedAuthorizations(attested_key_characteristics);		AuthorizationSet hw_enforced = HwEnforcedAuthorizations(attested_key_characteristics);
	@@ -1107,8 +1102,6 @@ TEST_P(AttestKeyTest, MultipleIMEIAttestationIDSuccess) {

	ASSERT_EQ(result, ErrorCode::OK);		ASSERT_EQ(result, ErrorCode::OK);

	device_id_attestation_vsr_check(result);

	CheckedDeleteKey(&attested_key_blob);		CheckedDeleteKey(&attested_key_blob);

	AuthorizationSet hw_enforced = HwEnforcedAuthorizations(attested_key_characteristics);		AuthorizationSet hw_enforced = HwEnforcedAuthorizations(attested_key_characteristics);

security/keymint/aidl/vts/functional/DeviceUniqueAttestationTest.cpp

+2 −2

Original line number	Original line	Diff line number	Diff line
	@@ -374,8 +374,8 @@ TEST_P(DeviceUniqueAttestationTest, EcdsaDeviceUniqueAttestationMismatchID) {
	// Add the tag that doesn't match the local device's real ID.		// Add the tag that doesn't match the local device's real ID.
	builder.push_back(invalid_tag);		builder.push_back(invalid_tag);
	auto result = GenerateKey(builder, &key_blob, &key_characteristics);		auto result = GenerateKey(builder, &key_blob, &key_characteristics);
	ASSERT_TRUE(result == ErrorCode::CANNOT_ATTEST_IDS \|\| result == ErrorCode::INVALID_TAG);
	device_id_attestation_vsr_check(result);		device_id_attestation_check_acceptable_error(invalid_tag.tag, result);
	}		}
	}		}

security/keymint/aidl/vts/functional/KeyMintAidlTestBase.cpp

+21 −3

Original line number	Original line	Diff line number	Diff line
	@@ -2153,14 +2153,32 @@ void p256_pub_key(const vector<uint8_t>& coseKeyData, EVP_PKEY_Ptr* signingKey)
	*signingKey = std::move(pubKey);		*signingKey = std::move(pubKey);
	}		}

	void device_id_attestation_vsr_check(const ErrorCode& result) {		// Check the error code from an attempt to perform device ID attestation with an invalid value.
	if (get_vsr_api_level() > __ANDROID_API_T__) {		void device_id_attestation_check_acceptable_error(Tag tag, const ErrorCode& result) {
	ASSERT_FALSE(result == ErrorCode::INVALID_TAG)		// Standard/default error code for ID mismatch.
			if (result == ErrorCode::CANNOT_ATTEST_IDS) {
			return;
			}

			// Depending on the situation, other error codes may be acceptable. First, allow older
			// implementations to use INVALID_TAG.
			if (result == ErrorCode::INVALID_TAG) {
			ASSERT_FALSE(get_vsr_api_level() > __ANDROID_API_T__)
	<< "It is a specification violation for INVALID_TAG to be returned due to ID "		<< "It is a specification violation for INVALID_TAG to be returned due to ID "
	<< "mismatch in a Device ID Attestation call. INVALID_TAG is only intended to "		<< "mismatch in a Device ID Attestation call. INVALID_TAG is only intended to "
	<< "be used for a case where updateAad() is called after update(). As of "		<< "be used for a case where updateAad() is called after update(). As of "
	<< "VSR-14, this is now enforced as an error.";		<< "VSR-14, this is now enforced as an error.";
	}		}

			// If the device is not a phone, it will not have IMEI/MEID values available. Allow
			// ATTESTATION_IDS_NOT_PROVISIONED in this case.
			if (result == ErrorCode::ATTESTATION_IDS_NOT_PROVISIONED) {
			ASSERT_TRUE((tag == TAG_ATTESTATION_ID_IMEI \|\| tag == TAG_ATTESTATION_ID_MEID \|\|
			tag == TAG_ATTESTATION_ID_SECOND_IMEI))
			<< "incorrect error code on attestation ID mismatch";
			}
			ADD_FAILURE() << "Error code " << result
			<< " returned on attestation ID mismatch, should be CANNOT_ATTEST_IDS";
	}		}

	// Check whether the given named feature is available.		// Check whether the given named feature is available.

security/keymint/aidl/vts/functional/KeyMintAidlTestBase.h

+1 −1

Original line number	Original line	Diff line number	Diff line
	@@ -421,7 +421,7 @@ vector<uint8_t> make_name_from_str(const string& name);
	void check_maced_pubkey(const MacedPublicKey& macedPubKey, bool testMode,		void check_maced_pubkey(const MacedPublicKey& macedPubKey, bool testMode,
	vector<uint8_t>* payload_value);		vector<uint8_t>* payload_value);
	void p256_pub_key(const vector<uint8_t>& coseKeyData, EVP_PKEY_Ptr* signingKey);		void p256_pub_key(const vector<uint8_t>& coseKeyData, EVP_PKEY_Ptr* signingKey);
	void device_id_attestation_vsr_check(const ErrorCode& result);		void device_id_attestation_check_acceptable_error(Tag tag, const ErrorCode& result);
	bool check_feature(const std::string& name);		bool check_feature(const std::string& name);

	AuthorizationSet HwEnforcedAuthorizations(const vector<KeyCharacteristics>& key_characteristics);		AuthorizationSet HwEnforcedAuthorizations(const vector<KeyCharacteristics>& key_characteristics);