Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 7bbf6298 authored by Shawn Willden's avatar Shawn Willden
Browse files

Correct error code in attest_key docs. 

Also adds a test to verify that implementations return the expected
error code.

Test: VtsAidlKeyMintTargetTest
Change-Id: Ic8e9953a2572eb0cc8fefc363934eaf9b432b5a4
parent 49e5b5ea

security/keymint/aidl/android/hardware/security/keymint/IKeyMintDevice.aidl

+4 −4
Original line number Diff line number Diff line
@@ -321,8 +321,8 @@ interface IKeyMintDevice { 
     *        but `attestationKey` is non-null, the IKeyMintDevice must return

     *        ErrorCode::INVALID_ARGUMENT.  If the provided AttestationKey does not contain a key

     *        blob containing an asymmetric key with KeyPurpose::ATTEST_KEY, the IKeyMintDevice must

     *        return ErrorCode::INVALID_PURPOSE.  If the provided AttestationKey has an empty issuer

     *        subject name, the IKeyMintDevice must return ErrorCode::INVALID_ARGUMENT.

     *        return ErrorCode::INCOMPATIBLE_PURPOSE.  If the provided AttestationKey has an empty

     *        issuer subject name, the IKeyMintDevice must return ErrorCode::INVALID_ARGUMENT.

     *

     * @return The result of key creation.  See KeyCreationResult.aidl.

     */
@@ -360,8 +360,8 @@ interface IKeyMintDevice { 
     *        but `attestationKey` is non-null, the IKeyMintDevice must return

     *        ErrorCode::INVALID_ARGUMENT.  If the provided AttestationKey does not contain a key

     *        blob containing an asymmetric key with KeyPurpose::ATTEST_KEY, the IKeyMintDevice must

     *        return ErrorCode::INVALID_PURPOSE.  If the provided AttestationKey has an empty issuer

     *        subject name, the IKeyMintDevice must return ErrorCode::INVALID_ARGUMENT.

     *        return ErrorCode::INCOMPATIBLE_PURPOSE.  If the provided AttestationKey has an empty

     *        issuer subject name, the IKeyMintDevice must return ErrorCode::INVALID_ARGUMENT.

     *

     * @return The result of key creation.  See KeyCreationResult.aidl.

     */

security/keymint/aidl/vts/functional/AttestKeyTest.cpp

+30 −0
Original line number Diff line number Diff line
@@ -207,6 +207,36 @@ TEST_P(AttestKeyTest, AllEcCurves) { 
    }

}



TEST_P(AttestKeyTest, AttestWithNonAttestKey) {

    // Create non-attestaton key.

    AttestationKey non_attest_key;

    vector<KeyCharacteristics> non_attest_key_characteristics;

    vector<Certificate> non_attest_key_cert_chain;

    ASSERT_EQ(

            ErrorCode::OK,

            GenerateKey(

                    AuthorizationSetBuilder().EcdsaSigningKey(EcCurve::P_256).SetDefaultValidity(),

                    {} /* attestation siging key */, &non_attest_key.keyBlob,

                    &non_attest_key_characteristics, &non_attest_key_cert_chain));



    EXPECT_EQ(non_attest_key_cert_chain.size(), 1);

    EXPECT_TRUE(IsSelfSigned(non_attest_key_cert_chain));



    // Attempt to sign attestation with non-attest key.

    vector<uint8_t> attested_key_blob;

    vector<KeyCharacteristics> attested_key_characteristics;

    vector<Certificate> attested_key_cert_chain;

    EXPECT_EQ(ErrorCode::INCOMPATIBLE_PURPOSE,

              GenerateKey(AuthorizationSetBuilder()

                                  .EcdsaSigningKey(EcCurve::P_256)

                                  .Authorization(TAG_NO_AUTH_REQUIRED)

                                  .AttestationChallenge("foo")

                                  .AttestationApplicationId("bar")

                                  .SetDefaultValidity(),

                          non_attest_key, &attested_key_blob, &attested_key_characteristics,

                          &attested_key_cert_chain));

}



INSTANTIATE_KEYMINT_AIDL_TEST(AttestKeyTest);



}  // namespace aidl::android::hardware::security::keymint::test