Fixed vts tests cases which do not support factory attestation. am: 7e1dd8a3a3 (abfb309c) · Commits · e / os / android_hardware_interfaces

security/keymint/aidl/vts/functional/AttestKeyTest.cpp

+76 −61

Original line number	Diff line number	Diff line
		@@ -289,8 +289,7 @@ TEST_P(AttestKeyTest, RsaAttestedAttestKeys) {
		AttestationKey attest_key;
		vector<KeyCharacteristics> attest_key_characteristics;
		vector<Certificate> attest_key_cert_chain;
		ASSERT_EQ(ErrorCode::OK,
		GenerateAttestKey(AuthorizationSetBuilder()
		auto result = GenerateAttestKey(AuthorizationSetBuilder()
		.RsaKey(2048, 65537)
		.AttestKey()
		.AttestationChallenge(challenge)
		@@ -300,7 +299,12 @@ TEST_P(AttestKeyTest, RsaAttestedAttestKeys) {
		.Authorization(TAG_NO_AUTH_REQUIRED)
		.SetDefaultValidity(),
		{} /* attestation signing key */, &attest_key.keyBlob,
		&attest_key_characteristics, &attest_key_cert_chain));
		&attest_key_characteristics, &attest_key_cert_chain);
		// Strongbox may not support factory provisioned attestation key.
		if (SecLevel() == SecurityLevel::STRONGBOX) {
		if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) return;
		}
		ASSERT_EQ(ErrorCode::OK, result);

		EXPECT_GT(attest_key_cert_chain.size(), 1);
		verify_subject_and_serial(attest_key_cert_chain[0], serial_int, subject, false);
		@@ -388,8 +392,7 @@ TEST_P(AttestKeyTest, RsaAttestKeyChaining) {
		attest_key_opt = attest_key;
		}

		EXPECT_EQ(ErrorCode::OK,
		GenerateAttestKey(AuthorizationSetBuilder()
		auto result = GenerateAttestKey(AuthorizationSetBuilder()
		.RsaKey(2048, 65537)
		.AttestKey()
		.AttestationChallenge("foo")
		@@ -399,7 +402,12 @@ TEST_P(AttestKeyTest, RsaAttestKeyChaining) {
		.Authorization(TAG_CERTIFICATE_SUBJECT, subject_der)
		.SetDefaultValidity(),
		attest_key_opt, &key_blob_list[i],
		&attested_key_characteristics, &cert_chain_list[i]));
		&attested_key_characteristics, &cert_chain_list[i]);
		// Strongbox may not support factory provisioned attestation key.
		if (SecLevel() == SecurityLevel::STRONGBOX) {
		if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) return;
		}
		ASSERT_EQ(ErrorCode::OK, result);

		AuthorizationSet hw_enforced = HwEnforcedAuthorizations(attested_key_characteristics);
		AuthorizationSet sw_enforced = SwEnforcedAuthorizations(attested_key_characteristics);
		@@ -460,8 +468,7 @@ TEST_P(AttestKeyTest, EcAttestKeyChaining) {
		attest_key_opt = attest_key;
		}

		EXPECT_EQ(ErrorCode::OK,
		GenerateAttestKey(AuthorizationSetBuilder()
		auto result = GenerateAttestKey(AuthorizationSetBuilder()
		.EcdsaKey(EcCurve::P_256)
		.AttestKey()
		.AttestationChallenge("foo")
		@@ -471,7 +478,12 @@ TEST_P(AttestKeyTest, EcAttestKeyChaining) {
		.Authorization(TAG_NO_AUTH_REQUIRED)
		.SetDefaultValidity(),
		attest_key_opt, &key_blob_list[i],
		&attested_key_characteristics, &cert_chain_list[i]));
		&attested_key_characteristics, &cert_chain_list[i]);
		// Strongbox may not support factory provisioned attestation key.
		if (SecLevel() == SecurityLevel::STRONGBOX) {
		if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) return;
		}
		ASSERT_EQ(ErrorCode::OK, result);

		AuthorizationSet hw_enforced = HwEnforcedAuthorizations(attested_key_characteristics);
		AuthorizationSet sw_enforced = SwEnforcedAuthorizations(attested_key_characteristics);
		@@ -533,10 +545,9 @@ TEST_P(AttestKeyTest, AlternateAttestKeyChaining) {
		attest_key.keyBlob = key_blob_list[i - 1];
		attest_key_opt = attest_key;
		}

		ErrorCode result;
		if ((i & 0x1) == 1) {
		EXPECT_EQ(ErrorCode::OK,
		GenerateAttestKey(AuthorizationSetBuilder()
		result = GenerateAttestKey(AuthorizationSetBuilder()
		.EcdsaKey(EcCurve::P_256)
		.AttestKey()
		.AttestationChallenge("foo")
		@@ -546,10 +557,9 @@ TEST_P(AttestKeyTest, AlternateAttestKeyChaining) {
		.Authorization(TAG_NO_AUTH_REQUIRED)
		.SetDefaultValidity(),
		attest_key_opt, &key_blob_list[i],
		&attested_key_characteristics, &cert_chain_list[i]));
		&attested_key_characteristics, &cert_chain_list[i]);
		} else {
		EXPECT_EQ(ErrorCode::OK,
		GenerateAttestKey(AuthorizationSetBuilder()
		result = GenerateAttestKey(AuthorizationSetBuilder()
		.RsaKey(2048, 65537)
		.AttestKey()
		.AttestationChallenge("foo")
		@@ -559,8 +569,13 @@ TEST_P(AttestKeyTest, AlternateAttestKeyChaining) {
		.Authorization(TAG_NO_AUTH_REQUIRED)
		.SetDefaultValidity(),
		attest_key_opt, &key_blob_list[i],
		&attested_key_characteristics, &cert_chain_list[i]));
		&attested_key_characteristics, &cert_chain_list[i]);
		}
		// Strongbox may not support factory provisioned attestation key.
		if (SecLevel() == SecurityLevel::STRONGBOX) {
		if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) return;
		}
		ASSERT_EQ(ErrorCode::OK, result);

		AuthorizationSet hw_enforced = HwEnforcedAuthorizations(attested_key_characteristics);
		AuthorizationSet sw_enforced = SwEnforcedAuthorizations(attested_key_characteristics);

security/keymint/aidl/vts/functional/KeyMintAidlTestBase.cpp

+8 −0

Original line number	Diff line number	Diff line
		@@ -1146,6 +1146,14 @@ vector<EcCurve> KeyMintAidlTestBase::InvalidCurves() {
		}
		}

		vector<uint64_t> KeyMintAidlTestBase::ValidExponents() {
		if (SecLevel() == SecurityLevel::STRONGBOX) {
		return {65537};
		} else {
		return {3, 65537};
		}
		}

		vector<Digest> KeyMintAidlTestBase::ValidDigests(bool withNone, bool withMD5) {
		switch (SecLevel()) {
		case SecurityLevel::SOFTWARE:

security/keymint/aidl/vts/functional/KeyMintAidlTestBase.h

+9 −2

Original line number	Diff line number	Diff line
		@@ -250,7 +250,10 @@ class KeyMintAidlTestBase : public ::testing::TestWithParam<string> {
		.SetDefaultValidity();
		tagModifier(&rsaBuilder);
		errorCode = GenerateKey(rsaBuilder, &rsaKeyData.blob, &rsaKeyData.characteristics);
		if (!(SecLevel() == SecurityLevel::STRONGBOX &&
		ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED == errorCode)) {
		EXPECT_EQ(expectedReturn, errorCode);
		}

		/* ECDSA */
		KeyData ecdsaKeyData;
		@@ -262,7 +265,10 @@ class KeyMintAidlTestBase : public ::testing::TestWithParam<string> {
		.SetDefaultValidity();
		tagModifier(&ecdsaBuilder);
		errorCode = GenerateKey(ecdsaBuilder, &ecdsaKeyData.blob, &ecdsaKeyData.characteristics);
		if (!(SecLevel() == SecurityLevel::STRONGBOX &&
		ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED == errorCode)) {
		EXPECT_EQ(expectedReturn, errorCode);
		}
		return {aesKeyData, hmacKeyData, rsaKeyData, ecdsaKeyData};
		}
		bool IsSecure() const { return securityLevel_ != SecurityLevel::SOFTWARE; }
		@@ -279,6 +285,7 @@ class KeyMintAidlTestBase : public ::testing::TestWithParam<string> {
		vector<EcCurve> InvalidCurves();

		vector<Digest> ValidDigests(bool withNone, bool withMD5);
		vector<uint64_t> ValidExponents();

		static vector<string> build_params() {
		auto params = ::android::getAidlHalInstanceNames(IKeyMintDevice::descriptor);

security/keymint/aidl/vts/functional/KeyMintTest.cpp

+122 −77

Original line number	Diff line number	Diff line
		@@ -902,8 +902,7 @@ TEST_P(NewKeyGenerationTest, RsaWithAttestation) {
		for (auto key_size : ValidKeySizes(Algorithm::RSA)) {
		vector<uint8_t> key_blob;
		vector<KeyCharacteristics> key_characteristics;
		ASSERT_EQ(ErrorCode::OK,
		GenerateKey(AuthorizationSetBuilder()
		auto result = GenerateKey(AuthorizationSetBuilder()
		.RsaSigningKey(key_size, 65537)
		.Digest(Digest::NONE)
		.Padding(PaddingMode::NONE)
		@@ -913,7 +912,11 @@ TEST_P(NewKeyGenerationTest, RsaWithAttestation) {
		.Authorization(TAG_CERTIFICATE_SERIAL, serial_blob)
		.Authorization(TAG_CERTIFICATE_SUBJECT, subject_der)
		.SetDefaultValidity(),
		&key_blob, &key_characteristics));
		&key_blob, &key_characteristics);
		// Strongbox may not support factory provisioned attestation key.
		if (SecLevel() == SecurityLevel::STRONGBOX) {
		if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) return;
		}

		ASSERT_GT(key_blob.size(), 0U);
		CheckBaseParams(key_characteristics);
		@@ -1035,8 +1038,7 @@ TEST_P(NewKeyGenerationTest, RsaEncryptionWithAttestation) {

		vector<uint8_t> key_blob;
		vector<KeyCharacteristics> key_characteristics;
		ASSERT_EQ(ErrorCode::OK,
		GenerateKey(AuthorizationSetBuilder()
		auto result = GenerateKey(AuthorizationSetBuilder()
		.RsaEncryptionKey(key_size, 65537)
		.Padding(PaddingMode::NONE)
		.AttestationChallenge(challenge)
		@@ -1045,7 +1047,12 @@ TEST_P(NewKeyGenerationTest, RsaEncryptionWithAttestation) {
		.Authorization(TAG_CERTIFICATE_SERIAL, serial_blob)
		.Authorization(TAG_CERTIFICATE_SUBJECT, subject_der)
		.SetDefaultValidity(),
		&key_blob, &key_characteristics));
		&key_blob, &key_characteristics);
		// Strongbox may not support factory provisioned attestation key.
		if (SecLevel() == SecurityLevel::STRONGBOX) {
		if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) return;
		}
		ASSERT_EQ(ErrorCode::OK, result);

		ASSERT_GT(key_blob.size(), 0U);
		AuthorizationSet auths;
		@@ -1147,15 +1154,19 @@ TEST_P(NewKeyGenerationTest, RsaWithAttestationMissAppId) {
		vector<uint8_t> key_blob;
		vector<KeyCharacteristics> key_characteristics;

		ASSERT_EQ(ErrorCode::ATTESTATION_APPLICATION_ID_MISSING,
		GenerateKey(AuthorizationSetBuilder()
		auto result = GenerateKey(AuthorizationSetBuilder()
		.RsaSigningKey(2048, 65537)
		.Digest(Digest::NONE)
		.Padding(PaddingMode::NONE)
		.AttestationChallenge(challenge)
		.Authorization(TAG_NO_AUTH_REQUIRED)
		.SetDefaultValidity(),
		&key_blob, &key_characteristics));
		&key_blob, &key_characteristics);
		// Strongbox may not support factory provisioned attestation key.
		if (SecLevel() == SecurityLevel::STRONGBOX) {
		if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) return;
		}
		ASSERT_EQ(ErrorCode::ATTESTATION_APPLICATION_ID_MISSING, result);
		}

		/*
		@@ -1265,8 +1276,7 @@ TEST_P(NewKeyGenerationTest, LimitedUsageRsaWithAttestation) {
		for (auto key_size : ValidKeySizes(Algorithm::RSA)) {
		vector<uint8_t> key_blob;
		vector<KeyCharacteristics> key_characteristics;
		ASSERT_EQ(ErrorCode::OK,
		GenerateKey(AuthorizationSetBuilder()
		auto result = GenerateKey(AuthorizationSetBuilder()
		.RsaSigningKey(key_size, 65537)
		.Digest(Digest::NONE)
		.Padding(PaddingMode::NONE)
		@@ -1277,7 +1287,12 @@ TEST_P(NewKeyGenerationTest, LimitedUsageRsaWithAttestation) {
		.Authorization(TAG_CERTIFICATE_SERIAL, serial_blob)
		.Authorization(TAG_CERTIFICATE_SUBJECT, subject_der)
		.SetDefaultValidity(),
		&key_blob, &key_characteristics));
		&key_blob, &key_characteristics);
		// Strongbox may not support factory provisioned attestation key.
		if (SecLevel() == SecurityLevel::STRONGBOX) {
		if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) return;
		}
		ASSERT_EQ(ErrorCode::OK, result);

		ASSERT_GT(key_blob.size(), 0U);
		CheckBaseParams(key_characteristics);
		@@ -1408,8 +1423,7 @@ TEST_P(NewKeyGenerationTest, EcdsaAttestation) {
		for (auto curve : ValidCurves()) {
		vector<uint8_t> key_blob;
		vector<KeyCharacteristics> key_characteristics;
		ASSERT_EQ(ErrorCode::OK,
		GenerateKey(AuthorizationSetBuilder()
		auto result = GenerateKey(AuthorizationSetBuilder()
		.Authorization(TAG_NO_AUTH_REQUIRED)
		.EcdsaSigningKey(curve)
		.Digest(Digest::NONE)
		@@ -1418,7 +1432,12 @@ TEST_P(NewKeyGenerationTest, EcdsaAttestation) {
		.Authorization(TAG_CERTIFICATE_SERIAL, serial_blob)
		.Authorization(TAG_CERTIFICATE_SUBJECT, subject_der)
		.SetDefaultValidity(),
		&key_blob, &key_characteristics));
		&key_blob, &key_characteristics);
		// Strongbox may not support factory provisioned attestation key.
		if (SecLevel() == SecurityLevel::STRONGBOX) {
		if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) return;
		}
		ASSERT_EQ(ErrorCode::OK, result);
		ASSERT_GT(key_blob.size(), 0U);
		CheckBaseParams(key_characteristics);
		CheckCharacteristics(key_blob, key_characteristics);
		@@ -1495,6 +1514,10 @@ TEST_P(NewKeyGenerationTest, EcdsaAttestationTags) {
		// Tag not required to be supported by all KeyMint implementations.
		continue;
		}
		// Strongbox may not support factory provisioned attestation key.
		if (SecLevel() == SecurityLevel::STRONGBOX) {
		if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) return;
		}
		ASSERT_EQ(result, ErrorCode::OK);
		ASSERT_GT(key_blob.size(), 0U);

		@@ -1677,6 +1700,10 @@ TEST_P(NewKeyGenerationTest, EcdsaAttestationTagNoApplicationId) {
		.Authorization(TAG_CERTIFICATE_SUBJECT, subject_der)
		.SetDefaultValidity(),
		&key_blob, &key_characteristics);
		// Strongbox may not support factory provisioned attestation key.
		if (SecLevel() == SecurityLevel::STRONGBOX) {
		if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) return;
		}
		ASSERT_EQ(result, ErrorCode::OK);
		ASSERT_GT(key_blob.size(), 0U);

		@@ -1755,13 +1782,17 @@ TEST_P(NewKeyGenerationTest, EcdsaAttestationRequireAppId) {
		vector<uint8_t> key_blob;
		vector<KeyCharacteristics> key_characteristics;

		ASSERT_EQ(ErrorCode::ATTESTATION_APPLICATION_ID_MISSING,
		GenerateKey(AuthorizationSetBuilder()
		auto result = GenerateKey(AuthorizationSetBuilder()
		.EcdsaSigningKey(EcCurve::P_256)
		.Digest(Digest::NONE)
		.AttestationChallenge(challenge)
		.SetDefaultValidity(),
		&key_blob, &key_characteristics));
		&key_blob, &key_characteristics);
		// Strongbox may not support factory provisioned attestation key.
		if (SecLevel() == SecurityLevel::STRONGBOX) {
		if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) return;
		}
		ASSERT_EQ(ErrorCode::ATTESTATION_APPLICATION_ID_MISSING, result);
		}

		/*
		@@ -1818,14 +1849,19 @@ TEST_P(NewKeyGenerationTest, AttestationApplicationIDLengthProperlyEncoded) {
		const string app_id(length, 'a');
		vector<uint8_t> key_blob;
		vector<KeyCharacteristics> key_characteristics;
		ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
		auto result = GenerateKey(AuthorizationSetBuilder()
		.Authorization(TAG_NO_AUTH_REQUIRED)
		.EcdsaSigningKey(EcCurve::P_256)
		.Digest(Digest::NONE)
		.AttestationChallenge(challenge)
		.AttestationApplicationId(app_id)
		.SetDefaultValidity(),
		&key_blob, &key_characteristics));
		&key_blob, &key_characteristics);
		// Strongbox may not support factory provisioned attestation key.
		if (SecLevel() == SecurityLevel::STRONGBOX) {
		if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) return;
		}
		ASSERT_EQ(ErrorCode::OK, result);
		ASSERT_GT(key_blob.size(), 0U);
		CheckBaseParams(key_characteristics);
		CheckCharacteristics(key_blob, key_characteristics);
		@@ -3856,7 +3892,7 @@ typedef KeyMintAidlTestBase EncryptionOperationsTest;
		* Verifies that raw RSA decryption works.
		*/
		TEST_P(EncryptionOperationsTest, RsaNoPaddingSuccess) {
		for (uint64_t exponent : {3, 65537}) {
		for (uint64_t exponent : ValidExponents()) {
		ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
		.Authorization(TAG_NO_AUTH_REQUIRED)
		.RsaEncryptionKey(2048, exponent)
		@@ -6356,7 +6392,7 @@ TEST_P(ClearOperationsTest, TooManyOperations) {
		size_t i;

		for (i = 0; i < max_operations; i++) {
		result = Begin(KeyPurpose::ENCRYPT, key_blob_, params, &out_params, op_handles[i]);
		result = Begin(KeyPurpose::DECRYPT, key_blob_, params, &out_params, op_handles[i]);
		if (ErrorCode::OK != result) {
		break;
		}
		@@ -6364,12 +6400,12 @@ TEST_P(ClearOperationsTest, TooManyOperations) {
		EXPECT_EQ(ErrorCode::TOO_MANY_OPERATIONS, result);
		// Try again just in case there's a weird overflow bug
		EXPECT_EQ(ErrorCode::TOO_MANY_OPERATIONS,
		Begin(KeyPurpose::ENCRYPT, key_blob_, params, &out_params));
		Begin(KeyPurpose::DECRYPT, key_blob_, params, &out_params));
		for (size_t j = 0; j < i; j++) {
		EXPECT_EQ(ErrorCode::OK, Abort(op_handles[j]))
		<< "Aboort failed for i = " << j << std::endl;
		}
		EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::ENCRYPT, key_blob_, params, &out_params));
		EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::DECRYPT, key_blob_, params, &out_params));
		AbortIfNeeded();
		}

		@@ -6580,15 +6616,24 @@ TEST_P(EarlyBootKeyTest, CreateAttestedEarlyBootKey) {
		});

		for (const auto& keyData : {aesKeyData, hmacKeyData, rsaKeyData, ecdsaKeyData}) {
		// Strongbox may not support factory attestation. Key creation might fail with
		// ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED
		if (SecLevel() == SecurityLevel::STRONGBOX && keyData.blob.size() == 0U) {
		continue;
		}
		ASSERT_GT(keyData.blob.size(), 0U);
		AuthorizationSet crypto_params = SecLevelAuthorizations(keyData.characteristics);
		EXPECT_TRUE(crypto_params.Contains(TAG_EARLY_BOOT_ONLY)) << crypto_params;
		}
		CheckedDeleteKey(&aesKeyData.blob);
		CheckedDeleteKey(&hmacKeyData.blob);
		if (rsaKeyData.blob.size() != 0U) {
		CheckedDeleteKey(&rsaKeyData.blob);
		}
		if (ecdsaKeyData.blob.size() != 0U) {
		CheckedDeleteKey(&ecdsaKeyData.blob);
		}
		}

		/*
		* EarlyBootKeyTest.UseEarlyBootKeyFailure