
Commit 7d0868a1 authored by David Drysdale's avatar David Drysdale Committed by Automerger Merge Worker

Merge "KeyMint VTS: better early boot key tests" am: f3374d42 am: 83b0b9a2 am: 5cbbb6d5

Original change: https://android-review.googlesource.com/c/platform/hardware/interfaces/+/1719303

Change-Id: Ie92e60bf2b842852268b001d311691141adc01ac
parents 0453c361 5cbbb6d5
+39 −30
@@ -16,6 +16,7 @@

#pragma once

#include <functional>
#include <string_view>

#include <aidl/Gtest.h>
@@ -206,50 +207,58 @@ class KeyMintAidlTestBase : public ::testing::TestWithParam<string> {
    template <typename TagType>
    std::tuple<KeyData /* aesKey */, KeyData /* hmacKey */, KeyData /* rsaKey */,
               KeyData /* ecdsaKey */>
    CreateTestKeys(TagType tagToTest, ErrorCode expectedReturn) {
    CreateTestKeys(
            TagType tagToTest, ErrorCode expectedReturn,
            std::function<void(AuthorizationSetBuilder*)> tagModifier =
                    [](AuthorizationSetBuilder*) {}) {
        /* AES */
        KeyData aesKeyData;
        ErrorCode errorCode = GenerateKey(AuthorizationSetBuilder()
        AuthorizationSetBuilder aesBuilder = AuthorizationSetBuilder()
                                                     .AesEncryptionKey(128)
                                                     .Authorization(tagToTest)
                                                     .BlockMode(BlockMode::ECB)
                                                     .Padding(PaddingMode::NONE)
                                                  .Authorization(TAG_NO_AUTH_REQUIRED),
                                          &aesKeyData.blob, &aesKeyData.characteristics);
                                                     .Authorization(TAG_NO_AUTH_REQUIRED);
        tagModifier(&aesBuilder);
        ErrorCode errorCode =
                GenerateKey(aesBuilder, &aesKeyData.blob, &aesKeyData.characteristics);
        EXPECT_EQ(expectedReturn, errorCode);

        /* HMAC */
        KeyData hmacKeyData;
        errorCode = GenerateKey(AuthorizationSetBuilder()
        AuthorizationSetBuilder hmacBuilder = AuthorizationSetBuilder()
                                                      .HmacKey(128)
                                                      .Authorization(tagToTest)
                                                      .Digest(Digest::SHA_2_256)
                                                      .Authorization(TAG_MIN_MAC_LENGTH, 128)
                                        .Authorization(TAG_NO_AUTH_REQUIRED),
                                &hmacKeyData.blob, &hmacKeyData.characteristics);
                                                      .Authorization(TAG_NO_AUTH_REQUIRED);
        tagModifier(&hmacBuilder);
        errorCode = GenerateKey(hmacBuilder, &hmacKeyData.blob, &hmacKeyData.characteristics);
        EXPECT_EQ(expectedReturn, errorCode);

        /* RSA */
        KeyData rsaKeyData;
        errorCode = GenerateKey(AuthorizationSetBuilder()
        AuthorizationSetBuilder rsaBuilder = AuthorizationSetBuilder()
                                                     .RsaSigningKey(2048, 65537)
                                                     .Authorization(tagToTest)
                                                     .Digest(Digest::NONE)
                                                     .Padding(PaddingMode::NONE)
                                                     .Authorization(TAG_NO_AUTH_REQUIRED)
                                        .SetDefaultValidity(),
                                &rsaKeyData.blob, &rsaKeyData.characteristics);
                                                     .SetDefaultValidity();
        tagModifier(&rsaBuilder);
        errorCode = GenerateKey(rsaBuilder, &rsaKeyData.blob, &rsaKeyData.characteristics);
        EXPECT_EQ(expectedReturn, errorCode);

        /* ECDSA */
        KeyData ecdsaKeyData;
        errorCode = GenerateKey(AuthorizationSetBuilder()
        AuthorizationSetBuilder ecdsaBuilder = AuthorizationSetBuilder()
                                                       .EcdsaSigningKey(256)
                                                       .Authorization(tagToTest)
                                                       .Digest(Digest::SHA_2_256)
                                                       .Authorization(TAG_NO_AUTH_REQUIRED)
                                        .SetDefaultValidity(),
                                &ecdsaKeyData.blob, &ecdsaKeyData.characteristics);
                                                       .SetDefaultValidity();
        tagModifier(&ecdsaBuilder);
        errorCode = GenerateKey(ecdsaBuilder, &ecdsaKeyData.blob, &ecdsaKeyData.characteristics);
        EXPECT_EQ(expectedReturn, errorCode);
        return {aesKeyData, hmacKeyData, rsaKeyData, ecdsaKeyData};
    }
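Review bot: The new `tagModifier` parameter of CreateTestKeys has no comment saying when or how often it runs. From this section it is invoked once on each of the four builders (AES, HMAC, RSA, ECDSA) after the fixed tags, including `tagToTest`, are already set, so whatever it adds has to be acceptable for symmetric and asymmetric keys alike, and every key is still expected to return `expectedReturn`. I would add above the template line: `// tagModifier runs once per key type, after the fixed tags are set; it must be valid for the AES, HMAC, RSA and ECDSA builders.` Since the callback is only called and never stored, taking it as `const std::function<void(AuthorizationSetBuilder*)>&` would also avoid copying it on every call.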
+29 −1
@@ -6355,6 +6355,34 @@ TEST_P(EarlyBootKeyTest, CreateEarlyBootKeys) {
    auto [aesKeyData, hmacKeyData, rsaKeyData, ecdsaKeyData] =
            CreateTestKeys(TAG_EARLY_BOOT_ONLY, ErrorCode::OK);

    for (const auto& keyData : {aesKeyData, hmacKeyData, rsaKeyData, ecdsaKeyData}) {
        ASSERT_GT(keyData.blob.size(), 0U);
        AuthorizationSet crypto_params = SecLevelAuthorizations(keyData.characteristics);
        EXPECT_TRUE(crypto_params.Contains(TAG_EARLY_BOOT_ONLY)) << crypto_params;
    }
    CheckedDeleteKey(&aesKeyData.blob);
    CheckedDeleteKey(&hmacKeyData.blob);
    CheckedDeleteKey(&rsaKeyData.blob);
    CheckedDeleteKey(&ecdsaKeyData.blob);
}

/*
 * EarlyBootKeyTest.CreateAttestedEarlyBootKey
 *
 * Verifies that creating an early boot key with attestation succeeds.
 */
TEST_P(EarlyBootKeyTest, CreateAttestedEarlyBootKey) {
    auto [aesKeyData, hmacKeyData, rsaKeyData, ecdsaKeyData] = CreateTestKeys(
            TAG_EARLY_BOOT_ONLY, ErrorCode::OK, [](AuthorizationSetBuilder* builder) {
                builder->AttestationChallenge("challenge");
                builder->AttestationApplicationId("app_id");
            });

    for (const auto& keyData : {aesKeyData, hmacKeyData, rsaKeyData, ecdsaKeyData}) {
        ASSERT_GT(keyData.blob.size(), 0U);
        AuthorizationSet crypto_params = SecLevelAuthorizations(keyData.characteristics);
        EXPECT_TRUE(crypto_params.Contains(TAG_EARLY_BOOT_ONLY)) << crypto_params;
    }
    CheckedDeleteKey(&aesKeyData.blob);
    CheckedDeleteKey(&hmacKeyData.blob);
    CheckedDeleteKey(&rsaKeyData.blob);
@@ -6362,7 +6390,7 @@ TEST_P(EarlyBootKeyTest, CreateEarlyBootKeys) {
}

/*
 * EarlyBootKeyTest.UsetEarlyBootKeyFailure
 * EarlyBootKeyTest.UseEarlyBootKeyFailure
 *
 * Verifies that using early boot keys at a later stage fails.
 */
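Review bot: CreateAttestedEarlyBootKey asserts exactly what CreateEarlyBootKeys asserts (a non-empty blob and TAG_EARLY_BOOT_ONLY in the characteristics) and never looks at any attestation output, so an implementation that accepts the challenge and application id but produces no attestation for an early-boot key would still pass. CreateTestKeys returns only the blob and characteristics, so as written the test cannot see a certificate chain; if the fixture exposes one, checking it for the RSA and ECDSA keys would make the test match its name. Until then the test's header comment should say so, e.g. `* Only checks that generation succeeds; the attestation itself is not examined.` Separately, `ASSERT_GT` inside the loop returns from the test body on failure before the `CheckedDeleteKey` calls run, so the generated keys are then not deleted; this is presumably harmless, but the pattern is copied from the test above.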