Merge "KeyMint VTS: cope with ATTEST_KEY +/- SIGN" into tm-dev am: df427391cd (5801bae2) · Commits · e / os / android_hardware_interfaces

security/keymint/aidl/vts/functional/AttestKeyTest.cpp

+112 −81

Original line number	Diff line number	Diff line
		@@ -16,6 +16,7 @@

		#define LOG_TAG "keymint_1_attest_key_test"
		#include <cutils/log.h>
		#include <cutils/properties.h>

		#include <keymint_support/key_param_output.h>
		#include <keymint_support/openssl_utils.h>
		@@ -33,7 +34,33 @@ bool IsSelfSigned(const vector<Certificate>& chain) {

		} // namespace

		using AttestKeyTest = KeyMintAidlTestBase;
		class AttestKeyTest : public KeyMintAidlTestBase {
		protected:
		ErrorCode GenerateAttestKey(const AuthorizationSet& key_desc,
		const optional<AttestationKey>& attest_key,
		vector<uint8_t>* key_blob,
		vector<KeyCharacteristics>* key_characteristics,
		vector<Certificate>* cert_chain) {
		// The original specification for KeyMint v1 required ATTEST_KEY not be combined
		// with any other key purpose, but the original VTS tests incorrectly did exactly that.
		// This means that a device that launched prior to Android T (API level 33) may
		// accept or even require KeyPurpose::SIGN too.
		if (property_get_int32("ro.board.first_api_level", 0) < 33) {
		AuthorizationSet key_desc_plus_sign = key_desc;
		key_desc_plus_sign.push_back(TAG_PURPOSE, KeyPurpose::SIGN);

		auto result = GenerateKey(key_desc_plus_sign, attest_key, key_blob, key_characteristics,
		cert_chain);
		if (result == ErrorCode::OK) {
		return result;
		}
		// If the key generation failed, it may be because the device is (correctly)
		// rejecting the combination of ATTEST_KEY+SIGN. Fall through to try again with
		// just ATTEST_KEY.
		}
		return GenerateKey(key_desc, attest_key, key_blob, key_characteristics, cert_chain);
		}
		};

		/*
		* AttestKeyTest.AllRsaSizes
		@@ -49,7 +76,8 @@ TEST_P(AttestKeyTest, AllRsaSizes) {
		AttestationKey attest_key;
		vector<KeyCharacteristics> attest_key_characteristics;
		vector<Certificate> attest_key_cert_chain;
		ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
		ASSERT_EQ(ErrorCode::OK,
		GenerateAttestKey(AuthorizationSetBuilder()
		.RsaKey(size, 65537)
		.AttestKey()
		.SetDefaultValidity(),
		@@ -227,7 +255,7 @@ TEST_P(AttestKeyTest, RsaAttestedAttestKeys) {
		AttestationKey attest_key;
		vector<KeyCharacteristics> attest_key_characteristics;
		vector<Certificate> attest_key_cert_chain;
		auto result = GenerateKey(AuthorizationSetBuilder()
		auto result = GenerateAttestKey(AuthorizationSetBuilder()
		.RsaKey(2048, 65537)
		.AttestKey()
		.AttestationChallenge(challenge)
		@@ -331,7 +359,7 @@ TEST_P(AttestKeyTest, RsaAttestKeyChaining) {
		attest_key_opt = attest_key;
		}

		auto result = GenerateKey(AuthorizationSetBuilder()
		auto result = GenerateAttestKey(AuthorizationSetBuilder()
		.RsaKey(2048, 65537)
		.AttestKey()
		.AttestationChallenge("foo")
		@@ -340,8 +368,8 @@ TEST_P(AttestKeyTest, RsaAttestKeyChaining) {
		.Authorization(TAG_CERTIFICATE_SERIAL, serial_blob)
		.Authorization(TAG_CERTIFICATE_SUBJECT, subject_der)
		.SetDefaultValidity(),
		attest_key_opt, &key_blob_list[i], &attested_key_characteristics,
		&cert_chain_list[i]);
		attest_key_opt, &key_blob_list[i],
		&attested_key_characteristics, &cert_chain_list[i]);
		// Strongbox may not support factory provisioned attestation key.
		if (SecLevel() == SecurityLevel::STRONGBOX) {
		if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) return;
		@@ -408,7 +436,7 @@ TEST_P(AttestKeyTest, EcAttestKeyChaining) {
		attest_key_opt = attest_key;
		}

		auto result = GenerateKey(AuthorizationSetBuilder()
		auto result = GenerateAttestKey(AuthorizationSetBuilder()
		.EcdsaKey(EcCurve::P_256)
		.AttestKey()
		.AttestationChallenge("foo")
		@@ -417,8 +445,8 @@ TEST_P(AttestKeyTest, EcAttestKeyChaining) {
		.Authorization(TAG_CERTIFICATE_SUBJECT, subject_der)
		.Authorization(TAG_NO_AUTH_REQUIRED)
		.SetDefaultValidity(),
		attest_key_opt, &key_blob_list[i], &attested_key_characteristics,
		&cert_chain_list[i]);
		attest_key_opt, &key_blob_list[i],
		&attested_key_characteristics, &cert_chain_list[i]);
		// Strongbox may not support factory provisioned attestation key.
		if (SecLevel() == SecurityLevel::STRONGBOX) {
		if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) return;
		@@ -513,7 +541,7 @@ TEST_P(AttestKeyTest, AlternateAttestKeyChaining) {
		}
		ErrorCode result;
		if ((i & 0x1) == 1) {
		result = GenerateKey(AuthorizationSetBuilder()
		result = GenerateAttestKey(AuthorizationSetBuilder()
		.EcdsaKey(EcCurve::P_256)
		.AttestKey()
		.AttestationChallenge("foo")
		@@ -522,10 +550,10 @@ TEST_P(AttestKeyTest, AlternateAttestKeyChaining) {
		.Authorization(TAG_CERTIFICATE_SUBJECT, subject_der)
		.Authorization(TAG_NO_AUTH_REQUIRED)
		.SetDefaultValidity(),
		attest_key_opt, &key_blob_list[i], &attested_key_characteristics,
		&cert_chain_list[i]);
		attest_key_opt, &key_blob_list[i],
		&attested_key_characteristics, &cert_chain_list[i]);
		} else {
		result = GenerateKey(AuthorizationSetBuilder()
		result = GenerateAttestKey(AuthorizationSetBuilder()
		.RsaKey(2048, 65537)
		.AttestKey()
		.AttestationChallenge("foo")
		@@ -534,8 +562,8 @@ TEST_P(AttestKeyTest, AlternateAttestKeyChaining) {
		.Authorization(TAG_CERTIFICATE_SUBJECT, subject_der)
		.Authorization(TAG_NO_AUTH_REQUIRED)
		.SetDefaultValidity(),
		attest_key_opt, &key_blob_list[i], &attested_key_characteristics,
		&cert_chain_list[i]);
		attest_key_opt, &key_blob_list[i],
		&attested_key_characteristics, &cert_chain_list[i]);
		}
		// Strongbox may not support factory provisioned attestation key.
		if (SecLevel() == SecurityLevel::STRONGBOX) {
		@@ -581,7 +609,8 @@ TEST_P(AttestKeyTest, MissingChallenge) {
		AttestationKey attest_key;
		vector<KeyCharacteristics> attest_key_characteristics;
		vector<Certificate> attest_key_cert_chain;
		ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
		ASSERT_EQ(ErrorCode::OK,
		GenerateAttestKey(AuthorizationSetBuilder()
		.RsaKey(size, 65537)
		.AttestKey()
		.SetDefaultValidity(),
		@@ -630,7 +659,7 @@ TEST_P(AttestKeyTest, AllEcCurves) {
		vector<Certificate> attest_key_cert_chain;
		ASSERT_EQ(
		ErrorCode::OK,
		GenerateKey(
		GenerateAttestKey(
		AuthorizationSetBuilder().EcdsaKey(curve).AttestKey().SetDefaultValidity(),
		{} /* attestation signing key */, &attest_key.keyBlob,
		&attest_key_characteristics, &attest_key_cert_chain));
		@@ -752,7 +781,8 @@ TEST_P(AttestKeyTest, EcdsaAttestationID) {
		AttestationKey attest_key;
		vector<KeyCharacteristics> attest_key_characteristics;
		vector<Certificate> attest_key_cert_chain;
		ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
		ASSERT_EQ(ErrorCode::OK,
		GenerateAttestKey(AuthorizationSetBuilder()
		.EcdsaKey(EcCurve::P_256)
		.AttestKey()
		.SetDefaultValidity(),
		@@ -816,7 +846,8 @@ TEST_P(AttestKeyTest, EcdsaAttestationMismatchID) {
		AttestationKey attest_key;
		vector<KeyCharacteristics> attest_key_characteristics;
		vector<Certificate> attest_key_cert_chain;
		ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
		ASSERT_EQ(ErrorCode::OK,
		GenerateAttestKey(AuthorizationSetBuilder()
		.EcdsaKey(EcCurve::P_256)
		.AttestKey()
		.SetDefaultValidity(),