
Commit 94042a98 authored by David Drysdale's avatar David Drysdale

Allow extra error code in device ID attestation

Generalize the existing helper function to allow more variants.

Remove a couple of pointless invocations of the existing helper.

Bug: 286733800
Test: VtsAidlKeyMintTargetTest
(cherry picked from https://android-review.googlesource.com/q/commit:f42238c99ffe0df2e51cec84a96ed859a878b2b0)
Merged-In: Ic01c53cbe79f55c2d403a66acbfd04029395c287
Change-Id: Ic01c53cbe79f55c2d403a66acbfd04029395c287
parent 5e896c98
+1 −8
@@ -961,10 +961,7 @@ TEST_P(AttestKeyTest, EcdsaAttestationMismatchID) {
        vector<Certificate> attested_key_cert_chain;
        auto result = GenerateKey(builder, attest_key, &attested_key_blob,
                                  &attested_key_characteristics, &attested_key_cert_chain);

        ASSERT_TRUE(result == ErrorCode::CANNOT_ATTEST_IDS || result == ErrorCode::INVALID_TAG)
                << "result = " << result;
        device_id_attestation_vsr_check(result);
        device_id_attestation_check_acceptable_error(invalid_tag.tag, result);
    }
    CheckedDeleteKey(&attest_key.keyBlob);
}
@@ -1026,8 +1023,6 @@ TEST_P(AttestKeyTest, SecondIMEIAttestationIDSuccess) {

    ASSERT_EQ(result, ErrorCode::OK);

    device_id_attestation_vsr_check(result);

    CheckedDeleteKey(&attested_key_blob);

    AuthorizationSet hw_enforced = HwEnforcedAuthorizations(attested_key_characteristics);
@@ -1107,8 +1102,6 @@ TEST_P(AttestKeyTest, MultipleIMEIAttestationIDSuccess) {

    ASSERT_EQ(result, ErrorCode::OK);

    device_id_attestation_vsr_check(result);

    CheckedDeleteKey(&attested_key_blob);

    AuthorizationSet hw_enforced = HwEnforcedAuthorizations(attested_key_characteristics);
+2 −2
@@ -374,8 +374,8 @@ TEST_P(DeviceUniqueAttestationTest, EcdsaDeviceUniqueAttestationMismatchID) {
        // Add the tag that doesn't match the local device's real ID.
        builder.push_back(invalid_tag);
        auto result = GenerateKey(builder, &key_blob, &key_characteristics);
        ASSERT_TRUE(result == ErrorCode::CANNOT_ATTEST_IDS || result == ErrorCode::INVALID_TAG);
        device_id_attestation_vsr_check(result);

        device_id_attestation_check_acceptable_error(invalid_tag.tag, result);
    }
}

+21 −3
@@ -2153,14 +2153,32 @@ void p256_pub_key(const vector<uint8_t>& coseKeyData, EVP_PKEY_Ptr* signingKey)
    *signingKey = std::move(pubKey);
}

void device_id_attestation_vsr_check(const ErrorCode& result) {
    if (get_vsr_api_level() > __ANDROID_API_T__) {
        ASSERT_FALSE(result == ErrorCode::INVALID_TAG)
// Check the error code from an attempt to perform device ID attestation with an invalid value.
void device_id_attestation_check_acceptable_error(Tag tag, const ErrorCode& result) {
    // Standard/default error code for ID mismatch.
    if (result == ErrorCode::CANNOT_ATTEST_IDS) {
        return;
    }

    // Depending on the situation, other error codes may be acceptable.  First, allow older
    // implementations to use INVALID_TAG.
    if (result == ErrorCode::INVALID_TAG) {
        ASSERT_FALSE(get_vsr_api_level() > __ANDROID_API_T__)
                << "It is a specification violation for INVALID_TAG to be returned due to ID "
                << "mismatch in a Device ID Attestation call. INVALID_TAG is only intended to "
                << "be used for a case where updateAad() is called after update(). As of "
                << "VSR-14, this is now enforced as an error.";
    }

    // If the device is not a phone, it will not have IMEI/MEID values available.  Allow
    // ATTESTATION_IDS_NOT_PROVISIONED in this case.
    if (result == ErrorCode::ATTESTATION_IDS_NOT_PROVISIONED) {
        ASSERT_TRUE((tag == TAG_ATTESTATION_ID_IMEI || tag == TAG_ATTESTATION_ID_MEID ||
                     tag == TAG_ATTESTATION_ID_SECOND_IMEI))
                << "incorrect error code on attestation ID mismatch";
    }
    ADD_FAILURE() << "Error code " << result
                  << " returned on attestation ID mismatch, should be CANNOT_ATTEST_IDS";
}

// Check whether the given named feature is available.
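Review bot: In `device_id_attestation_check_acceptable_error` the `INVALID_TAG` and `ATTESTATION_IDS_NOT_PROVISIONED` branches have no `return;` after their assertion, so a result that satisfies the assertion still falls through to the final `ADD_FAILURE()`. As the new lines read on this page, only `CANNOT_ATTEST_IDS` can pass, which defeats the purpose of allowing the extra codes. Add `return;` as the last statement of both branches, or chain the cases with `else if` and move `ADD_FAILURE()` into the final `else`. Separately, the comment limits `ATTESTATION_IDS_NOT_PROVISIONED` to devices that are not phones, but the code checks only the tag, so a telephony device with unprovisioned IMEI/MEID would also be accepted once the fall-through is fixed. If that is not intended, gate the branch on a telephony feature check as well, for example through the `check_feature()` helper declared next to this function.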
+1 −1
@@ -421,7 +421,7 @@ vector<uint8_t> make_name_from_str(const string& name);
void check_maced_pubkey(const MacedPublicKey& macedPubKey, bool testMode,
                        vector<uint8_t>* payload_value);
void p256_pub_key(const vector<uint8_t>& coseKeyData, EVP_PKEY_Ptr* signingKey);
void device_id_attestation_vsr_check(const ErrorCode& result);
void device_id_attestation_check_acceptable_error(Tag tag, const ErrorCode& result);
bool check_feature(const std::string& name);

AuthorizationSet HwEnforcedAuthorizations(const vector<KeyCharacteristics>& key_characteristics);