
Commit acb264c7 authored by David Drysdale's avatar David Drysdale Committed by Automerger Merge Worker

Merge "KeyMint VTS: use GTEST_SKIP for optional fn" am: c8520ad8 am:...

Merge "KeyMint VTS: use GTEST_SKIP for optional fn" am: c8520ad8 am: dfce78b0 am: 61180078 am: 4ceb5911 am: f76f2618

Original change: https://android-review.googlesource.com/c/platform/hardware/interfaces/+/1853955

Change-Id: Id3b3d344e9648c7c4d884f82dafe68927df1c602
parents 0e50f5a3 f76f2618
+18 −6
@@ -64,7 +64,9 @@ class DeviceUniqueAttestationTest : public KeyMintAidlTestBase {
 * attestation.
 */
TEST_P(DeviceUniqueAttestationTest, RsaNonStrongBoxUnimplemented) {
    if (SecLevel() == SecurityLevel::STRONGBOX) return;
    if (SecLevel() == SecurityLevel::STRONGBOX) {
        GTEST_SKIP() << "Test not applicable to StrongBox device";
    }

    vector<uint8_t> key_blob;
    vector<KeyCharacteristics> key_characteristics;
@@ -91,7 +93,9 @@ TEST_P(DeviceUniqueAttestationTest, RsaNonStrongBoxUnimplemented) {
 * attestation.
 */
TEST_P(DeviceUniqueAttestationTest, EcdsaNonStrongBoxUnimplemented) {
    if (SecLevel() == SecurityLevel::STRONGBOX) return;
    if (SecLevel() == SecurityLevel::STRONGBOX) {
        GTEST_SKIP() << "Test not applicable to StrongBox device";
    }

    vector<uint8_t> key_blob;
    vector<KeyCharacteristics> key_characteristics;
@@ -117,7 +121,9 @@ TEST_P(DeviceUniqueAttestationTest, EcdsaNonStrongBoxUnimplemented) {
 * attestation correctly, if implemented.
 */
TEST_P(DeviceUniqueAttestationTest, RsaDeviceUniqueAttestation) {
    if (SecLevel() != SecurityLevel::STRONGBOX) return;
    if (SecLevel() != SecurityLevel::STRONGBOX) {
        GTEST_SKIP() << "Test not applicable to non-StrongBox device";
    }

    vector<uint8_t> key_blob;
    vector<KeyCharacteristics> key_characteristics;
@@ -174,7 +180,9 @@ TEST_P(DeviceUniqueAttestationTest, RsaDeviceUniqueAttestation) {
 * attestation correctly, if implemented.
 */
TEST_P(DeviceUniqueAttestationTest, EcdsaDeviceUniqueAttestation) {
    if (SecLevel() != SecurityLevel::STRONGBOX) return;
    if (SecLevel() != SecurityLevel::STRONGBOX) {
        GTEST_SKIP() << "Test not applicable to non-StrongBox device";
    }

    vector<uint8_t> key_blob;
    vector<KeyCharacteristics> key_characteristics;
@@ -226,7 +234,9 @@ TEST_P(DeviceUniqueAttestationTest, EcdsaDeviceUniqueAttestation) {
 * local device.
 */
TEST_P(DeviceUniqueAttestationTest, EcdsaDeviceUniqueAttestationID) {
    if (SecLevel() != SecurityLevel::STRONGBOX) return;
    if (SecLevel() != SecurityLevel::STRONGBOX) {
        GTEST_SKIP() << "Test not applicable to non-StrongBox device";
    }

    // Collection of valid attestation ID tags.
    auto attestation_id_tags = AuthorizationSetBuilder();
@@ -292,7 +302,9 @@ TEST_P(DeviceUniqueAttestationTest, EcdsaDeviceUniqueAttestationID) {
 * don't match the local device.
 */
TEST_P(DeviceUniqueAttestationTest, EcdsaDeviceUniqueAttestationMismatchID) {
    if (SecLevel() != SecurityLevel::STRONGBOX) return;
    if (SecLevel() != SecurityLevel::STRONGBOX) {
        GTEST_SKIP() << "Test not applicable to non-StrongBox device";
    }

    // Collection of invalid attestation ID tags.
    auto attestation_id_tags =
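Review bot: The skip text added in all six hunks of this file says "StrongBox device" or "non-StrongBox device", but the guard tests `SecLevel()`, which appears to be the security level of the KeyMint instance this parameterized run targets rather than a property of the whole device. On hardware that exposes more than one instance, a report line such as `Test not applicable to non-StrongBox device` can be misread as the device having no StrongBox at all. Wording along the lines of `GTEST_SKIP() << "Test only applies to StrongBox KeyMint instances";` (and the mirror text for the two `NonStrongBoxUnimplemented` tests) would keep skip triage unambiguous; the same phrasing recurs in the StrongBox skips of the second file. Each test body continues past the end of its hunk.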
+112 −79
@@ -1840,7 +1840,9 @@ TEST_P(NewKeyGenerationTest, EcdsaInvalidSize) {
 * INVALID_ARGUMENT.
 */
TEST_P(NewKeyGenerationTest, EcdsaMismatchKeySize) {
    if (SecLevel() == SecurityLevel::STRONGBOX) return;
    if (SecLevel() == SecurityLevel::STRONGBOX) {
        GTEST_SKIP() << "Test not applicable to StrongBox device";
    }

    auto result = GenerateKey(AuthorizationSetBuilder()
                                      .Authorization(TAG_ALGORITHM, Algorithm::EC)
@@ -2067,7 +2069,9 @@ TEST_P(NewKeyGenerationTest, HmacCheckMinMacLengths) {
 * Verifies that keymint rejects HMAC key generation with multiple specified digest algorithms.
 */
TEST_P(NewKeyGenerationTest, HmacMultipleDigests) {
    if (SecLevel() == SecurityLevel::STRONGBOX) return;
    if (SecLevel() == SecurityLevel::STRONGBOX) {
        GTEST_SKIP() << "Test not applicable to StrongBox device";
    }

    ASSERT_EQ(ErrorCode::UNSUPPORTED_DIGEST,
              GenerateKey(AuthorizationSetBuilder()
@@ -2291,7 +2295,9 @@ TEST_P(SigningOperationsTest, RsaPaddingNoneDoesNotAllowOther) {
 * presented.
 */
TEST_P(SigningOperationsTest, NoUserConfirmation) {
    if (SecLevel() == SecurityLevel::STRONGBOX) return;
    if (SecLevel() == SecurityLevel::STRONGBOX) {
        GTEST_SKIP() << "Test not applicable to StrongBox device";
    }
    ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
                                                 .RsaSigningKey(1024, 65537)
                                                 .Digest(Digest::NONE)
@@ -2381,7 +2387,9 @@ TEST_P(SigningOperationsTest, RsaPkcs1NoDigestTooLong) {
 * for a 1024-bit key.
 */
TEST_P(SigningOperationsTest, RsaPssSha512TooSmallKey) {
    if (SecLevel() == SecurityLevel::STRONGBOX) return;
    if (SecLevel() == SecurityLevel::STRONGBOX) {
        GTEST_SKIP() << "Test not applicable to StrongBox device";
    }
    ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
                                                 .RsaSigningKey(1024, 65537)
                                                 .Digest(Digest::SHA_2_512)
@@ -3200,7 +3208,9 @@ TEST_P(ImportKeyTest, EcdsaP256SEC1Success) {
 * Verifies that importing and using an ECDSA P-521 key pair works correctly.
 */
TEST_P(ImportKeyTest, Ecdsa521Success) {
    if (SecLevel() == SecurityLevel::STRONGBOX) return;
    if (SecLevel() == SecurityLevel::STRONGBOX) {
        GTEST_SKIP() << "Test not applicable to StrongBox device";
    }
    ASSERT_EQ(ErrorCode::OK, ImportKey(AuthorizationSetBuilder()
                                               .Authorization(TAG_NO_AUTH_REQUIRED)
                                               .EcdsaSigningKey(EcCurve::P_521)
@@ -3909,7 +3919,9 @@ TEST_P(EncryptionOperationsTest, RsaOaepInvalidPadding) {
 * with a different digest than was used to encrypt.
 */
TEST_P(EncryptionOperationsTest, RsaOaepDecryptWithWrongDigest) {
    if (SecLevel() == SecurityLevel::STRONGBOX) return;
    if (SecLevel() == SecurityLevel::STRONGBOX) {
        GTEST_SKIP() << "Test not applicable to StrongBox device";
    }

    ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
                                                 .Authorization(TAG_NO_AUTH_REQUIRED)
@@ -5823,7 +5835,9 @@ typedef KeyMintAidlTestBase MaxOperationsTest;
 * Verifies that the max uses per boot tag works correctly with AES keys.
 */
TEST_P(MaxOperationsTest, TestLimitAes) {
    if (SecLevel() == SecurityLevel::STRONGBOX) return;
    if (SecLevel() == SecurityLevel::STRONGBOX) {
        GTEST_SKIP() << "Test not applicable to StrongBox device";
    }

    ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
                                                 .Authorization(TAG_NO_AUTH_REQUIRED)
@@ -5850,7 +5864,9 @@ TEST_P(MaxOperationsTest, TestLimitAes) {
 * Verifies that the max uses per boot tag works correctly with RSA keys.
 */
TEST_P(MaxOperationsTest, TestLimitRsa) {
    if (SecLevel() == SecurityLevel::STRONGBOX) return;
    if (SecLevel() == SecurityLevel::STRONGBOX) {
        GTEST_SKIP() << "Test not applicable to StrongBox device";
    }

    ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
                                                 .Authorization(TAG_NO_AUTH_REQUIRED)
@@ -5881,7 +5897,9 @@ typedef KeyMintAidlTestBase UsageCountLimitTest;
 * Verifies that the usage count limit tag = 1 works correctly with AES keys.
 */
TEST_P(UsageCountLimitTest, TestSingleUseAes) {
    if (SecLevel() == SecurityLevel::STRONGBOX) return;
    if (SecLevel() == SecurityLevel::STRONGBOX) {
        GTEST_SKIP() << "Test not applicable to StrongBox device";
    }

    ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
                                                 .Authorization(TAG_NO_AUTH_REQUIRED)
@@ -5925,7 +5943,9 @@ TEST_P(UsageCountLimitTest, TestSingleUseAes) {
 * Verifies that the usage count limit tag > 1 works correctly with AES keys.
 */
TEST_P(UsageCountLimitTest, TestLimitedUseAes) {
    if (SecLevel() == SecurityLevel::STRONGBOX) return;
    if (SecLevel() == SecurityLevel::STRONGBOX) {
        GTEST_SKIP() << "Test not applicable to StrongBox device";
    }

    ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
                                                 .Authorization(TAG_NO_AUTH_REQUIRED)
@@ -5970,7 +5990,9 @@ TEST_P(UsageCountLimitTest, TestLimitedUseAes) {
 * Verifies that the usage count limit tag = 1 works correctly with RSA keys.
 */
TEST_P(UsageCountLimitTest, TestSingleUseRsa) {
    if (SecLevel() == SecurityLevel::STRONGBOX) return;
    if (SecLevel() == SecurityLevel::STRONGBOX) {
        GTEST_SKIP() << "Test not applicable to StrongBox device";
    }

    ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
                                                 .Authorization(TAG_NO_AUTH_REQUIRED)
@@ -6014,7 +6036,9 @@ TEST_P(UsageCountLimitTest, TestSingleUseRsa) {
 * Verifies that the usage count limit tag > 1 works correctly with RSA keys.
 */
TEST_P(UsageCountLimitTest, TestLimitUseRsa) {
    if (SecLevel() == SecurityLevel::STRONGBOX) return;
    if (SecLevel() == SecurityLevel::STRONGBOX) {
        GTEST_SKIP() << "Test not applicable to StrongBox device";
    }

    ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
                                                 .Authorization(TAG_NO_AUTH_REQUIRED)
@@ -6061,7 +6085,9 @@ TEST_P(UsageCountLimitTest, TestLimitUseRsa) {
 * in hardware.
 */
TEST_P(UsageCountLimitTest, TestSingleUseKeyAndRollbackResistance) {
    if (SecLevel() == SecurityLevel::STRONGBOX) return;
    if (SecLevel() == SecurityLevel::STRONGBOX) {
        GTEST_SKIP() << "Test not applicable to StrongBox device";
    }

    auto error = GenerateKey(AuthorizationSetBuilder()
                                     .RsaSigningKey(2048, 65537)
@@ -6070,10 +6096,12 @@ TEST_P(UsageCountLimitTest, TestSingleUseKeyAndRollbackResistance) {
                                     .Authorization(TAG_NO_AUTH_REQUIRED)
                                     .Authorization(TAG_ROLLBACK_RESISTANCE)
                                     .SetDefaultValidity());
    ASSERT_TRUE(error == ErrorCode::ROLLBACK_RESISTANCE_UNAVAILABLE || error == ErrorCode::OK);
    if (error == ErrorCode::ROLLBACK_RESISTANCE_UNAVAILABLE) {
        GTEST_SKIP() << "Rollback resistance not supported";
    }

    if (error == ErrorCode::OK) {
    // Rollback resistance is supported by KeyMint, verify it is enforced in hardware.
    ASSERT_EQ(ErrorCode::OK, error);
    AuthorizationSet hardwareEnforced(SecLevelAuthorizations());
    ASSERT_TRUE(hardwareEnforced.Contains(TAG_ROLLBACK_RESISTANCE));
    ASSERT_EQ(ErrorCode::OK, DeleteKey());
@@ -6102,7 +6130,6 @@ TEST_P(UsageCountLimitTest, TestSingleUseKeyAndRollbackResistance) {
    // must be invalidated from secure storage (such as RPMB partition).
    EXPECT_EQ(ErrorCode::INVALID_KEY_BLOB, Begin(KeyPurpose::SIGN, params));
}
}

INSTANTIATE_KEYMINT_AIDL_TEST(UsageCountLimitTest);

@@ -6178,10 +6205,12 @@ TEST_P(KeyDeletionTest, DeleteKey) {
                                     .Authorization(TAG_NO_AUTH_REQUIRED)
                                     .Authorization(TAG_ROLLBACK_RESISTANCE)
                                     .SetDefaultValidity());
    ASSERT_TRUE(error == ErrorCode::ROLLBACK_RESISTANCE_UNAVAILABLE || error == ErrorCode::OK);
    if (error == ErrorCode::ROLLBACK_RESISTANCE_UNAVAILABLE) {
        GTEST_SKIP() << "Rollback resistance not supported";
    }

    // Delete must work if rollback protection is implemented
    if (error == ErrorCode::OK) {
    ASSERT_EQ(ErrorCode::OK, error);
    AuthorizationSet hardwareEnforced(SecLevelAuthorizations());
    ASSERT_TRUE(hardwareEnforced.Contains(TAG_ROLLBACK_RESISTANCE));

@@ -6196,7 +6225,6 @@ TEST_P(KeyDeletionTest, DeleteKey) {
    AbortIfNeeded();
    key_blob_ = AidlBuf();
}
}

/**
 * KeyDeletionTest.DeleteInvalidKey
@@ -6212,10 +6240,12 @@ TEST_P(KeyDeletionTest, DeleteInvalidKey) {
                                     .Authorization(TAG_NO_AUTH_REQUIRED)
                                     .Authorization(TAG_ROLLBACK_RESISTANCE)
                                     .SetDefaultValidity());
    ASSERT_TRUE(error == ErrorCode::ROLLBACK_RESISTANCE_UNAVAILABLE || error == ErrorCode::OK);
    if (error == ErrorCode::ROLLBACK_RESISTANCE_UNAVAILABLE) {
        GTEST_SKIP() << "Rollback resistance not supported";
    }

    // Delete must work if rollback protection is implemented
    if (error == ErrorCode::OK) {
    ASSERT_EQ(ErrorCode::OK, error);
    AuthorizationSet enforced(SecLevelAuthorizations());
    ASSERT_TRUE(enforced.Contains(TAG_ROLLBACK_RESISTANCE));

@@ -6227,7 +6257,6 @@ TEST_P(KeyDeletionTest, DeleteInvalidKey) {

    ASSERT_EQ(ErrorCode::OK, DeleteKey());
}
}

/**
 * KeyDeletionTest.DeleteAllKeys
@@ -6241,7 +6270,10 @@ TEST_P(KeyDeletionTest, DeleteInvalidKey) {
 * credentials stored in Keystore/Keymint.
 */
TEST_P(KeyDeletionTest, DeleteAllKeys) {
    if (!arm_deleteAllKeys) return;
    if (!arm_deleteAllKeys) {
        GTEST_SKIP() << "Option --arm_deleteAllKeys not set";
        return;
    }
    auto error = GenerateKey(AuthorizationSetBuilder()
                                     .RsaSigningKey(2048, 65537)
                                     .Digest(Digest::NONE)
@@ -6249,10 +6281,12 @@ TEST_P(KeyDeletionTest, DeleteAllKeys) {
                                     .Authorization(TAG_NO_AUTH_REQUIRED)
                                     .Authorization(TAG_ROLLBACK_RESISTANCE)
                                     .SetDefaultValidity());
    ASSERT_TRUE(error == ErrorCode::ROLLBACK_RESISTANCE_UNAVAILABLE || error == ErrorCode::OK);
    if (error == ErrorCode::ROLLBACK_RESISTANCE_UNAVAILABLE) {
        GTEST_SKIP() << "Rollback resistance not supported";
    }

    // Delete must work if rollback protection is implemented
    if (error == ErrorCode::OK) {
    ASSERT_EQ(ErrorCode::OK, error);
    AuthorizationSet hardwareEnforced(SecLevelAuthorizations());
    ASSERT_TRUE(hardwareEnforced.Contains(TAG_ROLLBACK_RESISTANCE));

@@ -6268,7 +6302,6 @@ TEST_P(KeyDeletionTest, DeleteAllKeys) {
    AbortIfNeeded();
    key_blob_ = AidlBuf();
}
}

INSTANTIATE_KEYMINT_AIDL_TEST(KeyDeletionTest);
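Review bot: In the `DeleteAllKeys` hunk the new guard keeps a `return;` after `GTEST_SKIP() << "Option --arm_deleteAllKeys not set";`, which is dead code: `GTEST_SKIP()` already returns from the test body, and every other skip added in this commit relies on that. Dropping the line makes the guard match the rest of the change, i.e. `if (!arm_deleteAllKeys) {`, `GTEST_SKIP() << "Option --arm_deleteAllKeys not set";`, `}`. Since the comment above the test refers to credentials stored in Keystore/Keymint, a one-line comment on the guard such as `// Destructive test: runs only when explicitly armed on the command line.` would keep the reason for the opt-in next to the check. The test body continues beyond this hunk.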