
Commit ac47d937 authored by David Drysdale's avatar David Drysdale Committed by Automerger Merge Worker

Merge "Allow extra error code in device ID attestation" am: 1d7447e5 am:...

Merge "Allow extra error code in device ID attestation" am: 1d7447e5 am: 013030d9 am: 36a30021 am: 5f7d0654 am: 0e7e98d5

Original change: https://android-review.googlesource.com/c/platform/hardware/interfaces/+/2627969



Change-Id: I1efc35638c1b39edb99ce147a8e1b05fa1f0d5bc
Signed-off-by: default avatarAutomerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
parents aa1f8755 0e7e98d5
+1 −8
@@ -950,10 +950,7 @@ TEST_P(AttestKeyTest, EcdsaAttestationMismatchID) {
        vector<Certificate> attested_key_cert_chain;
        auto result = GenerateKey(builder, attest_key, &attested_key_blob,
                                  &attested_key_characteristics, &attested_key_cert_chain);

        ASSERT_TRUE(result == ErrorCode::CANNOT_ATTEST_IDS || result == ErrorCode::INVALID_TAG)
                << "result = " << result;
        device_id_attestation_vsr_check(result);
        device_id_attestation_check_acceptable_error(invalid_tag.tag, result);
    }
}

@@ -1016,8 +1013,6 @@ TEST_P(AttestKeyTest, SecondIMEIAttestationIDSuccess) {
    ASSERT_EQ(result, ErrorCode::OK);
    KeyBlobDeleter attested_deleter(keymint_, attested_key_blob);

    device_id_attestation_vsr_check(result);

    AuthorizationSet hw_enforced = HwEnforcedAuthorizations(attested_key_characteristics);
    AuthorizationSet sw_enforced = SwEnforcedAuthorizations(attested_key_characteristics);

@@ -1095,8 +1090,6 @@ TEST_P(AttestKeyTest, MultipleIMEIAttestationIDSuccess) {
    ASSERT_EQ(result, ErrorCode::OK);
    KeyBlobDeleter attested_deleter(keymint_, attested_key_blob);

    device_id_attestation_vsr_check(result);

    AuthorizationSet hw_enforced = HwEnforcedAuthorizations(attested_key_characteristics);
    AuthorizationSet sw_enforced = SwEnforcedAuthorizations(attested_key_characteristics);
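Review bot: In the first hunk (`EcdsaAttestationMismatchID`) a failure is now raised inside `device_id_attestation_check_acceptable_error`, so gtest reports the helper's file and line, and the helper's messages do not name the tag being tested. The enclosing block starts outside the hunk, but it appears to iterate over several mismatching ID tags; if it does not already set a trace, add `SCOPED_TRACE(testing::Message() << "tag = " << static_cast<int32_t>(invalid_tag.tag));` before the `GenerateKey` call so a rejected error code can be tied to the attestation ID that produced it. The same applies to the `EcdsaDeviceUniqueAttestationMismatchID` hunk in the device-unique attestation test.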

+2 −2
@@ -374,8 +374,8 @@ TEST_P(DeviceUniqueAttestationTest, EcdsaDeviceUniqueAttestationMismatchID) {
        // Add the tag that doesn't match the local device's real ID.
        builder.push_back(invalid_tag);
        auto result = GenerateKey(builder, &key_blob, &key_characteristics);
        ASSERT_TRUE(result == ErrorCode::CANNOT_ATTEST_IDS || result == ErrorCode::INVALID_TAG);
        device_id_attestation_vsr_check(result);

        device_id_attestation_check_acceptable_error(invalid_tag.tag, result);
    }
}

+21 −3
@@ -2162,14 +2162,32 @@ void p256_pub_key(const vector<uint8_t>& coseKeyData, EVP_PKEY_Ptr* signingKey)
    *signingKey = std::move(pubKey);
}

void device_id_attestation_vsr_check(const ErrorCode& result) {
    if (get_vsr_api_level() > __ANDROID_API_T__) {
        ASSERT_FALSE(result == ErrorCode::INVALID_TAG)
// Check the error code from an attempt to perform device ID attestation with an invalid value.
void device_id_attestation_check_acceptable_error(Tag tag, const ErrorCode& result) {
    // Standard/default error code for ID mismatch.
    if (result == ErrorCode::CANNOT_ATTEST_IDS) {
        return;
    }

    // Depending on the situation, other error codes may be acceptable.  First, allow older
    // implementations to use INVALID_TAG.
    if (result == ErrorCode::INVALID_TAG) {
        ASSERT_FALSE(get_vsr_api_level() > __ANDROID_API_T__)
                << "It is a specification violation for INVALID_TAG to be returned due to ID "
                << "mismatch in a Device ID Attestation call. INVALID_TAG is only intended to "
                << "be used for a case where updateAad() is called after update(). As of "
                << "VSR-14, this is now enforced as an error.";
    }

    // If the device is not a phone, it will not have IMEI/MEID values available.  Allow
    // ATTESTATION_IDS_NOT_PROVISIONED in this case.
    if (result == ErrorCode::ATTESTATION_IDS_NOT_PROVISIONED) {
        ASSERT_TRUE((tag == TAG_ATTESTATION_ID_IMEI || tag == TAG_ATTESTATION_ID_MEID ||
                     tag == TAG_ATTESTATION_ID_SECOND_IMEI))
                << "incorrect error code on attestation ID mismatch";
    }
    ADD_FAILURE() << "Error code " << result
                  << " returned on attestation ID mismatch, should be CANNOT_ATTEST_IDS";
}

// Check whether the given named feature is available.
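Review bot: The `INVALID_TAG` and `ATTESTATION_IDS_NOT_PROVISIONED` branches of `device_id_attestation_check_acceptable_error` do not return after their assertion passes, so control falls through to the final `ADD_FAILURE()` and an error code the comments describe as acceptable is still reported as a failure. Only the `CANNOT_ATTEST_IDS` branch returns early; add `return;` after the `ASSERT_FALSE(...)` statement and after the `ASSERT_TRUE(...)` statement, or chain the three comparisons with `else if` and move `ADD_FAILURE()` into the final `else`. Separately, the comment limits `ATTESTATION_IDS_NOT_PROVISIONED` to devices that are not phones, but the code checks only the tag, so once the fall-through is fixed a phone returning this code for an IMEI/MEID mismatch would also pass. A device-type check, or a comment stating that the relaxation is deliberate, would make the intended strictness of this attestation test explicit.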
+1 −1
@@ -432,7 +432,7 @@ vector<uint8_t> make_name_from_str(const string& name);
void check_maced_pubkey(const MacedPublicKey& macedPubKey, bool testMode,
                        vector<uint8_t>* payload_value);
void p256_pub_key(const vector<uint8_t>& coseKeyData, EVP_PKEY_Ptr* signingKey);
void device_id_attestation_vsr_check(const ErrorCode& result);
void device_id_attestation_check_acceptable_error(Tag tag, const ErrorCode& result);
bool check_feature(const std::string& name);

AuthorizationSet HwEnforcedAuthorizations(const vector<KeyCharacteristics>& key_characteristics);