
Commit 4ae0b0d4 authored by Android Build Coastguard Worker

Snap for 7546365 from 17ae17af to sc-v2-release

Change-Id: I1a3cba3fc1fc95724f0744bb313c64c592667111
parents a2fa4a42 17ae17af
+13 −3
@@ -831,11 +831,21 @@ enum Tag {
    /**
     * DEVICE_UNIQUE_ATTESTATION is an argument to IKeyMintDevice::attested key generation/import
     * operations.  It indicates that attestation using a device-unique key is requested, rather
     * than a batch key.  When a device-unique key is used, the returned chain should contain two
     * certificates:
     * than a batch key. When a device-unique key is used, the returned chain contains two or
     * three certificates.
     *
     * In case the chain contains two certificates, they should be:
     *    * The attestation certificate, containing the attestation extension, as described in
            KeyCreationResult.aidl.
     *      KeyCreationResult.aidl.
     *    * A self-signed root certificate, signed by the device-unique key.
     *
     * In case the chain contains three certificates, they should be:
     *    * The attestation certificate, containing the attestation extension, as described in
     *      KeyCreationResult.aidl, signed by the device-unique key.
     *    * An intermediate certificate, containing the public portion of the device-unique key.
     *    * A self-signed root certificate, signed by a dedicated key, certifying the
     *      intermediate.
     *
     * No additional chained certificates are provided. Only SecurityLevel::STRONGBOX
     * IKeyMintDevices may support device-unique attestations.  SecurityLevel::TRUSTED_ENVIRONMENT
     * IKeyMintDevices must return ErrorCode::INVALID_ARGUMENT if they receive
+9 −4
@@ -40,11 +40,16 @@ class DeviceUniqueAttestationTest : public KeyMintAidlTestBase {

        AuthorizationSet crypto_params = SecLevelAuthorizations(key_characteristics);

        // The device-unique attestation chain should contain exactly two certificates:
        // The device-unique attestation chain should contain exactly three certificates:
        // * The leaf with the attestation extension.
        // * A self-signed root, signed using the device-unique key.
        ASSERT_EQ(cert_chain_.size(), 2);
        EXPECT_TRUE(ChainSignaturesAreValid(cert_chain_));
        // * An intermediate, signing the leaf using the device-unique key.
        // * A self-signed root, signed using some authority's key, certifying
        //   the device-unique key.
        const size_t chain_length = cert_chain_.size();
        ASSERT_TRUE(chain_length == 2 || chain_length == 3);
        // TODO(b/191361618): Once StrongBox implementations use a correctly-issued
        // certificate chain, do not skip issuers matching.
        EXPECT_TRUE(ChainSignaturesAreValid(cert_chain_, /* strict_issuer_check= */ false));

        AuthorizationSet sw_enforced = SwEnforcedAuthorizations(key_characteristics);
        EXPECT_TRUE(verify_attestation_record("challenge", "foo", sw_enforced, hw_enforced,
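Review bot: The rewritten comment `// The device-unique attestation chain should contain exactly three certificates:` contradicts the assertion `ASSERT_TRUE(chain_length == 2 || chain_length == 3);` added a few lines below, which still accepts a two-certificate chain; suggest `// The device-unique attestation chain should contain two or three certificates:` so the bullet list and the check agree. Passing `/* strict_issuer_check= */ false` also drops the issuer/subject linkage check for every chain shape, although the TODO describes the relaxation as a workaround for StrongBox chains that are not yet correctly issued; if the mismatch only affects one shape, gating the flag on `chain_length` (for example `/* strict_issuer_check= */ chain_length == 2`, if the two-certificate chains are correctly issued) would keep the stricter check wherever it can pass. The enclosing test body starts and ends outside the hunk.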
+3 −2
@@ -1493,7 +1493,8 @@ AuthorizationSet SwEnforcedAuthorizations(const vector<KeyCharacteristics>& key_
    return authList;
}

AssertionResult ChainSignaturesAreValid(const vector<Certificate>& chain) {
AssertionResult ChainSignaturesAreValid(const vector<Certificate>& chain,
                                        bool strict_issuer_check) {
    std::stringstream cert_data;

    for (size_t i = 0; i < chain.size(); ++i) {
@@ -1520,7 +1521,7 @@ AssertionResult ChainSignaturesAreValid(const vector<Certificate>& chain) {

        string cert_issuer = x509NameToStr(X509_get_issuer_name(key_cert.get()));
        string signer_subj = x509NameToStr(X509_get_subject_name(signing_cert.get()));
        if (cert_issuer != signer_subj) {
        if (cert_issuer != signer_subj && strict_issuer_check) {
            return AssertionFailure() << "Cert " << i << " has wrong issuer.\n"
                                      << " Signer subject is " << signer_subj
                                      << " Issuer subject is " << cert_issuer << endl
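Review bot: With `strict_issuer_check` false, the mismatch branch `if (cert_issuer != signer_subj && strict_issuer_check)` accepts the chain silently, so a run whose issuer linkage is broken produces the same output as a clean one and the TODO-tracked relaxation leaves no trace in the test log; consider emitting the issuer/subject mismatch as a diagnostic message before continuing, so the gap remains visible while it is tolerated. As a point of style, testing the flag first, `if (strict_issuer_check && cert_issuer != signer_subj)`, reads as "only when strict" and skips the string comparison when the check is off. The body of ChainSignaturesAreValid continues past both ends of this hunk.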
+2 −1
@@ -349,7 +349,8 @@ void p256_pub_key(const vector<uint8_t>& coseKeyData, EVP_PKEY_Ptr* signingKey);

AuthorizationSet HwEnforcedAuthorizations(const vector<KeyCharacteristics>& key_characteristics);
AuthorizationSet SwEnforcedAuthorizations(const vector<KeyCharacteristics>& key_characteristics);
::testing::AssertionResult ChainSignaturesAreValid(const vector<Certificate>& chain);
::testing::AssertionResult ChainSignaturesAreValid(const vector<Certificate>& chain,
                                                   bool strict_issuer_check = true);

#define INSTANTIATE_KEYMINT_AIDL_TEST(name)                                          \
    INSTANTIATE_TEST_SUITE_P(PerInstance, name,                                      \
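Review bot: The new `strict_issuer_check` parameter of `ChainSignaturesAreValid` carries no documentation, so a caller cannot tell from the header which part of the validation the flag relaxes; suggest a comment above the declaration such as `// Checks that every certificate in |chain| is signed by its successor. With strict_issuer_check=false, a mismatch between a certificate's issuer name and the signer's subject name is tolerated; the signature check itself is still performed.` The last sentence reflects the .cpp change in this commit, where only the issuer-name comparison is gated by the flag — confirm it stays that way if the implementation evolves. The `= true` default keeps existing callers on the strict path, which is the right direction for a relaxation.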
+4 −6
@@ -1487,9 +1487,8 @@ TEST_P(NewKeyGenerationTest, EcdsaAttestationTags) {
            tag.tag == TAG_ROLLBACK_RESISTANCE) {
            continue;
        }
        if (result == ErrorCode::UNSUPPORTED_TAG &&
            (tag.tag == TAG_ALLOW_WHILE_ON_BODY || tag.tag == TAG_TRUSTED_USER_PRESENCE_REQUIRED)) {
            // Optional tag not supported by this KeyMint implementation.
        if (result == ErrorCode::UNSUPPORTED_TAG && tag.tag == TAG_TRUSTED_USER_PRESENCE_REQUIRED) {
            // Tag not required to be supported by all KeyMint implementations.
            continue;
        }
        ASSERT_EQ(result, ErrorCode::OK);
@@ -1501,9 +1500,8 @@ TEST_P(NewKeyGenerationTest, EcdsaAttestationTags) {

        AuthorizationSet hw_enforced = HwEnforcedAuthorizations(key_characteristics);
        AuthorizationSet sw_enforced = SwEnforcedAuthorizations(key_characteristics);
        if (tag.tag != TAG_ATTESTATION_APPLICATION_ID) {
            // Expect to find most of the extra tags in the key characteristics
            // of the generated key (but not for ATTESTATION_APPLICATION_ID).
        // Some tags are optional, so don't require them to be in the enforcements.
        if (tag.tag != TAG_ATTESTATION_APPLICATION_ID && tag.tag != TAG_ALLOW_WHILE_ON_BODY) {
            EXPECT_TRUE(hw_enforced.Contains(tag.tag) || sw_enforced.Contains(tag.tag))
                    << tag << " not in hw:" << hw_enforced << " nor sw:" << sw_enforced;
        }
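Review bot: The new comment `// Some tags are optional, so don't require them to be in the enforcements.` explains only the `TAG_ALLOW_WHILE_ON_BODY` exclusion, while the condition on the next line also excludes `TAG_ATTESTATION_APPLICATION_ID`, whose reason was stated separately in the comment this hunk removes; suggest `// ATTESTATION_APPLICATION_ID is not expected in the key characteristics, and ALLOW_WHILE_ON_BODY is optional, so require neither in the enforcements.` Note that after the first hunk of this file, generation with `TAG_ALLOW_WHILE_ON_BODY` must now return `ErrorCode::OK`, yet this hunk no longer requires the tag to appear in either enforcement list, so an implementation that accepts the tag without recording it would pass; if that is intended, the comment should say so. The enclosing TEST_P body starts and ends outside both hunks.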