Updated the vts attestation tests for strongbox implementations which (7d9bc46f) · Commits · e / os / android_hardware_interfaces

security/keymint/aidl/android/hardware/security/keymint/KeyCreationResult.aidl

+4 −2

Original line number	Diff line number	Diff line
		@@ -61,13 +61,15 @@ parcelable KeyCreationResult {
		* the non-attestation case, whether the key can self-sign.
		*
		* 1. Asymmetric key attestation with factory key. If Tag::ATTESTATION_CHALLENGE is provided
		* and the `attestationKey` parameter on the generate/import call is null, the returned
		* and the `attestationKey` parameter on the generate/import call is null, and if the
		* KeyMint implementation supports factory-provisioned attestation keys, the returned
		* certificate chain must contain an attestation certificate signed with a factory-
		* provisioned attestation key, and the full certificate chain for that factory-provisioned
		* attestation key. Tag::ATTESTATION_APPLICATION_ID must also be provided when the
		* ATTESTATION_CHALLENGE is provided, otherwise ATTESTATION_APPLICATION_ID_MISSING will be
		* returned. KeyMint implementations are not required to support factory-provisioned
		* attestation keys.
		* attestation keys. If the KeyMint implementation does not support factory-provisioned
		* keys, it must return ATTESTATION_KEYS_NOT_PROVISIONED.
		*
		* 2. Asymmetric key attestation with caller-provided key. If Tag::ATTESTATION_CHALLENGE is
		* provided and the `attestationKey` parameter on the generate/import call is non-null and

security/keymint/aidl/vts/functional/KeyMintAidlTestBase.cpp

+24 −0

Original line number	Diff line number	Diff line
		@@ -312,6 +312,30 @@ ErrorCode KeyMintAidlTestBase::GenerateKey(const AuthorizationSet& key_desc,
		return GenerateKey(key_desc, attest_key, &key_blob_, &key_characteristics_, &cert_chain_);
		}

		ErrorCode KeyMintAidlTestBase::GenerateKeyWithSelfSignedAttestKey(
		const AuthorizationSet& attest_key_desc, const AuthorizationSet& key_desc,
		vector<uint8_t>* key_blob, vector<KeyCharacteristics>* key_characteristics,
		vector<Certificate>* cert_chain) {
		AttestationKey attest_key;
		vector<Certificate> attest_cert_chain;
		vector<KeyCharacteristics> attest_key_characteristics;
		// Generate a key with self signed attestation.
		auto error = GenerateKey(attest_key_desc, std::nullopt, &attest_key.keyBlob,
		&attest_key_characteristics, &attest_cert_chain);
		if (error != ErrorCode::OK) {
		return error;
		}

		attest_key.issuerSubjectName = make_name_from_str("Android Keystore Key");
		// Generate a key, by passing the above self signed attestation key as attest key.
		error = GenerateKey(key_desc, attest_key, key_blob, key_characteristics, cert_chain);
		if (error == ErrorCode::OK) {
		// Append the attest_cert_chain to the attested cert_chain to yield a valid cert chain.
		cert_chain->push_back(attest_cert_chain[0]);
		}
		return error;
		}

		ErrorCode KeyMintAidlTestBase::ImportKey(const AuthorizationSet& key_desc, KeyFormat format,
		const string& key_material, vector<uint8_t>* key_blob,
		vector<KeyCharacteristics>* key_characteristics) {

security/keymint/aidl/vts/functional/KeyMintAidlTestBase.h

+15 −0

Original line number	Diff line number	Diff line
		@@ -96,6 +96,21 @@ class KeyMintAidlTestBase : public ::testing::TestWithParam<string> {
		ErrorCode GenerateKey(const AuthorizationSet& key_desc,
		const optional<AttestationKey>& attest_key = std::nullopt);

		// Generate key for implementations which do not support factory attestation.
		ErrorCode GenerateKeyWithSelfSignedAttestKey(const AuthorizationSet& attest_key_desc,
		const AuthorizationSet& key_desc,
		vector<uint8_t>* key_blob,
		vector<KeyCharacteristics>* key_characteristics,
		vector<Certificate>* cert_chain);

		ErrorCode GenerateKeyWithSelfSignedAttestKey(const AuthorizationSet& attest_key_desc,
		const AuthorizationSet& key_desc,
		vector<uint8_t>* key_blob,
		vector<KeyCharacteristics>* key_characteristics) {
		return GenerateKeyWithSelfSignedAttestKey(attest_key_desc, key_desc, key_blob,
		key_characteristics, &cert_chain_);
		}

		ErrorCode ImportKey(const AuthorizationSet& key_desc, KeyFormat format,
		const string& key_material, vector<uint8_t>* key_blob,
		vector<KeyCharacteristics>* key_characteristics);

security/keymint/aidl/vts/functional/KeyMintTest.cpp

+203 −100

Original line number	Diff line number	Diff line
		@@ -1067,7 +1067,7 @@ TEST_P(NewKeyGenerationTest, RsaWithAttestation) {
		for (auto key_size : ValidKeySizes(Algorithm::RSA)) {
		vector<uint8_t> key_blob;
		vector<KeyCharacteristics> key_characteristics;
		auto result = GenerateKey(AuthorizationSetBuilder()
		auto builder = AuthorizationSetBuilder()
		.RsaSigningKey(key_size, 65537)
		.Digest(Digest::NONE)
		.Padding(PaddingMode::NONE)
		@@ -1076,13 +1076,21 @@ TEST_P(NewKeyGenerationTest, RsaWithAttestation) {
		.Authorization(TAG_NO_AUTH_REQUIRED)
		.Authorization(TAG_CERTIFICATE_SERIAL, serial_blob)
		.Authorization(TAG_CERTIFICATE_SUBJECT, subject_der)
		.SetDefaultValidity(),
		&key_blob, &key_characteristics);
		.SetDefaultValidity();

		auto result = GenerateKey(builder, &key_blob, &key_characteristics);
		// Strongbox may not support factory provisioned attestation key.
		if (SecLevel() == SecurityLevel::STRONGBOX) {
		if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) return;
		if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) {
		result = GenerateKeyWithSelfSignedAttestKey(
		AuthorizationSetBuilder()
		.RsaKey(key_size, 65537)
		.AttestKey()
		.SetDefaultValidity(), /* attest key params */
		builder, &key_blob, &key_characteristics);
		}

		}
		ASSERT_EQ(ErrorCode::OK, result);
		ASSERT_GT(key_blob.size(), 0U);
		CheckBaseParams(key_characteristics);
		CheckCharacteristics(key_blob, key_characteristics);
		@@ -1203,7 +1211,7 @@ TEST_P(NewKeyGenerationTest, RsaEncryptionWithAttestation) {

		vector<uint8_t> key_blob;
		vector<KeyCharacteristics> key_characteristics;
		auto result = GenerateKey(AuthorizationSetBuilder()
		auto builder = AuthorizationSetBuilder()
		.RsaEncryptionKey(key_size, 65537)
		.Padding(PaddingMode::NONE)
		.AttestationChallenge(challenge)
		@@ -1211,11 +1219,19 @@ TEST_P(NewKeyGenerationTest, RsaEncryptionWithAttestation) {
		.Authorization(TAG_NO_AUTH_REQUIRED)
		.Authorization(TAG_CERTIFICATE_SERIAL, serial_blob)
		.Authorization(TAG_CERTIFICATE_SUBJECT, subject_der)
		.SetDefaultValidity(),
		&key_blob, &key_characteristics);
		.SetDefaultValidity();

		auto result = GenerateKey(builder, &key_blob, &key_characteristics);
		// Strongbox may not support factory provisioned attestation key.
		if (SecLevel() == SecurityLevel::STRONGBOX) {
		if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) return;
		if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) {
		result = GenerateKeyWithSelfSignedAttestKey(
		AuthorizationSetBuilder()
		.RsaKey(key_size, 65537)
		.AttestKey()
		.SetDefaultValidity(), /* attest key params */
		builder, &key_blob, &key_characteristics);
		}
		}
		ASSERT_EQ(ErrorCode::OK, result);

		@@ -1319,17 +1335,25 @@ TEST_P(NewKeyGenerationTest, RsaWithAttestationMissAppId) {
		vector<uint8_t> key_blob;
		vector<KeyCharacteristics> key_characteristics;

		auto result = GenerateKey(AuthorizationSetBuilder()
		auto builder = AuthorizationSetBuilder()
		.RsaSigningKey(2048, 65537)
		.Digest(Digest::NONE)
		.Padding(PaddingMode::NONE)
		.AttestationChallenge(challenge)
		.Authorization(TAG_NO_AUTH_REQUIRED)
		.SetDefaultValidity(),
		&key_blob, &key_characteristics);
		.SetDefaultValidity();

		auto result = GenerateKey(builder, &key_blob, &key_characteristics);
		// Strongbox may not support factory provisioned attestation key.
		if (SecLevel() == SecurityLevel::STRONGBOX) {
		if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) return;
		if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) {
		result = GenerateKeyWithSelfSignedAttestKey(
		AuthorizationSetBuilder()
		.RsaKey(2048, 65537)
		.AttestKey()
		.SetDefaultValidity(), /* attest key params */
		builder, &key_blob, &key_characteristics);
		}
		}
		ASSERT_EQ(ErrorCode::ATTESTATION_APPLICATION_ID_MISSING, result);
		}
		@@ -1441,7 +1465,7 @@ TEST_P(NewKeyGenerationTest, LimitedUsageRsaWithAttestation) {
		for (auto key_size : ValidKeySizes(Algorithm::RSA)) {
		vector<uint8_t> key_blob;
		vector<KeyCharacteristics> key_characteristics;
		auto result = GenerateKey(AuthorizationSetBuilder()
		auto builder = AuthorizationSetBuilder()
		.RsaSigningKey(key_size, 65537)
		.Digest(Digest::NONE)
		.Padding(PaddingMode::NONE)
		@@ -1451,11 +1475,19 @@ TEST_P(NewKeyGenerationTest, LimitedUsageRsaWithAttestation) {
		.Authorization(TAG_USAGE_COUNT_LIMIT, 1)
		.Authorization(TAG_CERTIFICATE_SERIAL, serial_blob)
		.Authorization(TAG_CERTIFICATE_SUBJECT, subject_der)
		.SetDefaultValidity(),
		&key_blob, &key_characteristics);
		.SetDefaultValidity();

		auto result = GenerateKey(builder, &key_blob, &key_characteristics);
		// Strongbox may not support factory provisioned attestation key.
		if (SecLevel() == SecurityLevel::STRONGBOX) {
		if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) return;
		if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) {
		result = GenerateKeyWithSelfSignedAttestKey(
		AuthorizationSetBuilder()
		.RsaKey(key_size, 65537)
		.AttestKey()
		.SetDefaultValidity(), /* attest key params */
		builder, &key_blob, &key_characteristics);
		}
		}
		ASSERT_EQ(ErrorCode::OK, result);

		@@ -1676,7 +1708,7 @@ TEST_P(NewKeyGenerationTest, EcdsaAttestation) {
		for (auto curve : ValidCurves()) {
		vector<uint8_t> key_blob;
		vector<KeyCharacteristics> key_characteristics;
		auto result = GenerateKey(AuthorizationSetBuilder()
		auto builder = AuthorizationSetBuilder()
		.Authorization(TAG_NO_AUTH_REQUIRED)
		.EcdsaSigningKey(curve)
		.Digest(Digest::NONE)
		@@ -1684,11 +1716,19 @@ TEST_P(NewKeyGenerationTest, EcdsaAttestation) {
		.AttestationApplicationId(app_id)
		.Authorization(TAG_CERTIFICATE_SERIAL, serial_blob)
		.Authorization(TAG_CERTIFICATE_SUBJECT, subject_der)
		.SetDefaultValidity(),
		&key_blob, &key_characteristics);
		.SetDefaultValidity();

		auto result = GenerateKey(builder, &key_blob, &key_characteristics);
		// Strongbox may not support factory provisioned attestation key.
		if (SecLevel() == SecurityLevel::STRONGBOX) {
		if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) return;
		if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) {
		result = GenerateKeyWithSelfSignedAttestKey(
		AuthorizationSetBuilder()
		.EcdsaKey(curve)
		.AttestKey()
		.SetDefaultValidity(), /* attest key params */
		builder, &key_blob, &key_characteristics);
		}
		}
		ASSERT_EQ(ErrorCode::OK, result);
		ASSERT_GT(key_blob.size(), 0U);
		@@ -1826,7 +1866,14 @@ TEST_P(NewKeyGenerationTest, EcdsaAttestationTags) {
		}
		// Strongbox may not support factory provisioned attestation key.
		if (SecLevel() == SecurityLevel::STRONGBOX) {
		if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) return;
		if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) {
		result = GenerateKeyWithSelfSignedAttestKey(
		AuthorizationSetBuilder()
		.EcdsaKey(EcCurve::P_256)
		.AttestKey()
		.SetDefaultValidity(), /* attest key params */
		builder, &key_blob, &key_characteristics);
		}
		}
		ASSERT_EQ(result, ErrorCode::OK);
		ASSERT_GT(key_blob.size(), 0U);
		@@ -1878,8 +1925,20 @@ TEST_P(NewKeyGenerationTest, EcdsaAttestationTags) {
		.Authorization(TAG_CERTIFICATE_SUBJECT, subject_der)
		.SetDefaultValidity();
		builder.push_back(tag);
		ASSERT_EQ(ErrorCode::CANNOT_ATTEST_IDS,
		GenerateKey(builder, &key_blob, &key_characteristics));

		auto error = GenerateKey(builder, &key_blob, &key_characteristics);
		// Strongbox may not support factory provisioned attestation key.
		if (SecLevel() == SecurityLevel::STRONGBOX) {
		if (error == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) {
		error = GenerateKeyWithSelfSignedAttestKey(
		AuthorizationSetBuilder()
		.EcdsaKey(EcCurve::P_256)
		.AttestKey()
		.SetDefaultValidity(), /* attest key params */
		builder, &key_blob, &key_characteristics);
		}
		}
		ASSERT_EQ(error, ErrorCode::CANNOT_ATTEST_IDS);
		}
		}

		@@ -1984,8 +2043,18 @@ TEST_P(NewKeyGenerationTest, EcdsaAttestationUniqueId) {
		if (reset) {
		builder.Authorization(TAG_RESET_SINCE_ID_ROTATION);
		}

		ASSERT_EQ(ErrorCode::OK, GenerateKey(builder));
		auto result = GenerateKey(builder);
		if (SecLevel() == SecurityLevel::STRONGBOX) {
		if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) {
		result = GenerateKeyWithSelfSignedAttestKey(
		AuthorizationSetBuilder()
		.EcdsaKey(EcCurve::P_256)
		.AttestKey()
		.SetDefaultValidity(), /* attest key params */
		builder, &key_blob_, &key_characteristics_, &cert_chain_);
		}
		}
		ASSERT_EQ(ErrorCode::OK, result);
		ASSERT_GT(key_blob_.size(), 0U);

		EXPECT_TRUE(ChainSignaturesAreValid(cert_chain_));
		@@ -2072,7 +2141,7 @@ TEST_P(NewKeyGenerationTest, EcdsaAttestationTagNoApplicationId) {
		// to confirm that this field never makes it into the attestation extension.
		vector<uint8_t> key_blob;
		vector<KeyCharacteristics> key_characteristics;
		auto result = GenerateKey(AuthorizationSetBuilder()
		auto builder = AuthorizationSetBuilder()
		.Authorization(TAG_NO_AUTH_REQUIRED)
		.EcdsaSigningKey(EcCurve::P_256)
		.Digest(Digest::NONE)
		@@ -2082,11 +2151,19 @@ TEST_P(NewKeyGenerationTest, EcdsaAttestationTagNoApplicationId) {
		.Authorization(TAG_APPLICATION_DATA, "appdata")
		.Authorization(TAG_CERTIFICATE_SERIAL, serial_blob)
		.Authorization(TAG_CERTIFICATE_SUBJECT, subject_der)
		.SetDefaultValidity(),
		&key_blob, &key_characteristics);
		.SetDefaultValidity();

		auto result = GenerateKey(builder, &key_blob, &key_characteristics);
		// Strongbox may not support factory provisioned attestation key.
		if (SecLevel() == SecurityLevel::STRONGBOX) {
		if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) return;
		if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) {
		result = GenerateKeyWithSelfSignedAttestKey(
		AuthorizationSetBuilder()
		.EcdsaKey(EcCurve::P_256)
		.AttestKey()
		.SetDefaultValidity(), /* attest key params */
		builder, &key_blob, &key_characteristics);
		}
		}
		ASSERT_EQ(result, ErrorCode::OK);
		ASSERT_GT(key_blob.size(), 0U);
		@@ -2166,16 +2243,23 @@ TEST_P(NewKeyGenerationTest, EcdsaAttestationRequireAppId) {
		auto challenge = "hello";
		vector<uint8_t> key_blob;
		vector<KeyCharacteristics> key_characteristics;

		auto result = GenerateKey(AuthorizationSetBuilder()
		auto builder = AuthorizationSetBuilder()
		.EcdsaSigningKey(EcCurve::P_256)
		.Digest(Digest::NONE)
		.AttestationChallenge(challenge)
		.SetDefaultValidity(),
		&key_blob, &key_characteristics);
		.SetDefaultValidity();

		auto result = GenerateKey(builder, &key_blob, &key_characteristics);
		// Strongbox may not support factory provisioned attestation key.
		if (SecLevel() == SecurityLevel::STRONGBOX) {
		if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) return;
		if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) {
		result = GenerateKeyWithSelfSignedAttestKey(
		AuthorizationSetBuilder()
		.EcdsaKey(EcCurve::P_256)
		.AttestKey()
		.SetDefaultValidity(), /* attest key params */
		builder, &key_blob, &key_characteristics);
		}
		}
		ASSERT_EQ(ErrorCode::ATTESTATION_APPLICATION_ID_MISSING, result);
		}
		@@ -2234,17 +2318,25 @@ TEST_P(NewKeyGenerationTest, AttestationApplicationIDLengthProperlyEncoded) {
		const string app_id(length, 'a');
		vector<uint8_t> key_blob;
		vector<KeyCharacteristics> key_characteristics;
		auto result = GenerateKey(AuthorizationSetBuilder()
		auto builder = AuthorizationSetBuilder()
		.Authorization(TAG_NO_AUTH_REQUIRED)
		.EcdsaSigningKey(EcCurve::P_256)
		.Digest(Digest::NONE)
		.AttestationChallenge(challenge)
		.AttestationApplicationId(app_id)
		.SetDefaultValidity(),
		&key_blob, &key_characteristics);
		.SetDefaultValidity();

		auto result = GenerateKey(builder, &key_blob, &key_characteristics);
		// Strongbox may not support factory provisioned attestation key.
		if (SecLevel() == SecurityLevel::STRONGBOX) {
		if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) return;
		if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) {
		result = GenerateKeyWithSelfSignedAttestKey(
		AuthorizationSetBuilder()
		.EcdsaKey(EcCurve::P_256)
		.AttestKey()
		.SetDefaultValidity(), /* attest key params */
		builder, &key_blob, &key_characteristics);
		}
		}
		ASSERT_EQ(ErrorCode::OK, result);
		ASSERT_GT(key_blob.size(), 0U);
		@@ -7370,15 +7462,26 @@ class KeyAgreementTest : public KeyMintAidlTestBase {

		void GenerateKeyMintEcKey(EcCurve curve, EVP_PKEY_Ptr* kmPubKey) {
		vector<uint8_t> challenge = {0x41, 0x42};
		ErrorCode result =
		GenerateKey(AuthorizationSetBuilder()
		auto builder = AuthorizationSetBuilder()
		.Authorization(TAG_NO_AUTH_REQUIRED)
		.Authorization(TAG_EC_CURVE, curve)
		.Authorization(TAG_PURPOSE, KeyPurpose::AGREE_KEY)
		.Authorization(TAG_ALGORITHM, Algorithm::EC)
		.Authorization(TAG_ATTESTATION_APPLICATION_ID, {0x61, 0x62})
		.Authorization(TAG_ATTESTATION_CHALLENGE, challenge)
		.SetDefaultValidity());
		.SetDefaultValidity();
		ErrorCode result = GenerateKey(builder);

		if (SecLevel() == SecurityLevel::STRONGBOX) {
		if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) {
		result = GenerateKeyWithSelfSignedAttestKey(
		AuthorizationSetBuilder()
		.EcdsaKey(EcCurve::P_256)
		.AttestKey()
		.SetDefaultValidity(), /* attest key params */
		builder, &key_blob_, &key_characteristics_, &cert_chain_);
		}
		}
		ASSERT_EQ(ErrorCode::OK, result) << "Failed to generate key";
		ASSERT_GT(cert_chain_.size(), 0);
		X509_Ptr kmKeyCert(parse_cert_blob(cert_chain_[0].encodedCertificate));