Merge "KeyMint VTS: cope with ATTEST_KEY +/- SIGN" into android12-tests-dev (bbecb456) · Commits · e / os / android_hardware_interfaces

security/keymint/aidl/vts/functional/AttestKeyTest.cpp

+117 −86

Original line number	Diff line number	Diff line
		@@ -16,6 +16,7 @@

		#define LOG_TAG "keymint_1_attest_key_test"
		#include <cutils/log.h>
		#include <cutils/properties.h>

		#include <keymint_support/key_param_output.h>
		#include <keymint_support/openssl_utils.h>
		@@ -33,7 +34,33 @@ bool IsSelfSigned(const vector<Certificate>& chain) {

		} // namespace

		using AttestKeyTest = KeyMintAidlTestBase;
		class AttestKeyTest : public KeyMintAidlTestBase {
		protected:
		ErrorCode GenerateAttestKey(const AuthorizationSet& key_desc,
		const optional<AttestationKey>& attest_key,
		vector<uint8_t>* key_blob,
		vector<KeyCharacteristics>* key_characteristics,
		vector<Certificate>* cert_chain) {
		// The original specification for KeyMint v1 required ATTEST_KEY not be combined
		// with any other key purpose, but the original VTS tests incorrectly did exactly that.
		// This means that a device that launched prior to Android T (API level 33) may
		// accept or even require KeyPurpose::SIGN too.
		if (property_get_int32("ro.board.first_api_level", 0) < 33) {
		AuthorizationSet key_desc_plus_sign = key_desc;
		key_desc_plus_sign.push_back(TAG_PURPOSE, KeyPurpose::SIGN);

		auto result = GenerateKey(key_desc_plus_sign, attest_key, key_blob, key_characteristics,
		cert_chain);
		if (result == ErrorCode::OK) {
		return result;
		}
		// If the key generation failed, it may be because the device is (correctly)
		// rejecting the combination of ATTEST_KEY+SIGN. Fall through to try again with
		// just ATTEST_KEY.
		}
		return GenerateKey(key_desc, attest_key, key_blob, key_characteristics, cert_chain);
		}
		};

		/*
		* AttestKeyTest.AllRsaSizes
		@@ -49,8 +76,9 @@ TEST_P(AttestKeyTest, AllRsaSizes) {
		AttestationKey attest_key;
		vector<KeyCharacteristics> attest_key_characteristics;
		vector<Certificate> attest_key_cert_chain;
		ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
		.RsaSigningKey(size, 65537)
		ASSERT_EQ(ErrorCode::OK,
		GenerateAttestKey(AuthorizationSetBuilder()
		.RsaKey(size, 65537)
		.AttestKey()
		.SetDefaultValidity(),
		{} /* attestation signing key */, &attest_key.keyBlob,
		@@ -199,8 +227,8 @@ TEST_P(AttestKeyTest, RsaAttestedAttestKeys) {
		vector<KeyCharacteristics> attest_key_characteristics;
		vector<Certificate> attest_key_cert_chain;
		ASSERT_EQ(ErrorCode::OK,
		GenerateKey(AuthorizationSetBuilder()
		.RsaSigningKey(2048, 65537)
		GenerateAttestKey(AuthorizationSetBuilder()
		.RsaKey(2048, 65537)
		.AttestKey()
		.AttestationChallenge(challenge)
		.AttestationApplicationId(app_id)
		@@ -298,8 +326,8 @@ TEST_P(AttestKeyTest, RsaAttestKeyChaining) {
		}

		EXPECT_EQ(ErrorCode::OK,
		GenerateKey(AuthorizationSetBuilder()
		.RsaSigningKey(2048, 65537)
		GenerateAttestKey(AuthorizationSetBuilder()
		.RsaKey(2048, 65537)
		.AttestKey()
		.AttestationChallenge("foo")
		.AttestationApplicationId("bar")
		@@ -307,8 +335,8 @@ TEST_P(AttestKeyTest, RsaAttestKeyChaining) {
		.Authorization(TAG_CERTIFICATE_SERIAL, serial_blob)
		.Authorization(TAG_CERTIFICATE_SUBJECT, subject_der)
		.SetDefaultValidity(),
		attest_key_opt, &key_blob_list[i], &attested_key_characteristics,
		&cert_chain_list[i]));
		attest_key_opt, &key_blob_list[i],
		&attested_key_characteristics, &cert_chain_list[i]));

		AuthorizationSet hw_enforced = HwEnforcedAuthorizations(attested_key_characteristics);
		AuthorizationSet sw_enforced = SwEnforcedAuthorizations(attested_key_characteristics);
		@@ -369,8 +397,8 @@ TEST_P(AttestKeyTest, EcAttestKeyChaining) {
		}

		EXPECT_EQ(ErrorCode::OK,
		GenerateKey(AuthorizationSetBuilder()
		.EcdsaSigningKey(EcCurve::P_256)
		GenerateAttestKey(AuthorizationSetBuilder()
		.EcdsaKey(EcCurve::P_256)
		.AttestKey()
		.AttestationChallenge("foo")
		.AttestationApplicationId("bar")
		@@ -378,8 +406,8 @@ TEST_P(AttestKeyTest, EcAttestKeyChaining) {
		.Authorization(TAG_CERTIFICATE_SUBJECT, subject_der)
		.Authorization(TAG_NO_AUTH_REQUIRED)
		.SetDefaultValidity(),
		attest_key_opt, &key_blob_list[i], &attested_key_characteristics,
		&cert_chain_list[i]));
		attest_key_opt, &key_blob_list[i],
		&attested_key_characteristics, &cert_chain_list[i]));

		AuthorizationSet hw_enforced = HwEnforcedAuthorizations(attested_key_characteristics);
		AuthorizationSet sw_enforced = SwEnforcedAuthorizations(attested_key_characteristics);
		@@ -443,8 +471,8 @@ TEST_P(AttestKeyTest, AlternateAttestKeyChaining) {

		if ((i & 0x1) == 1) {
		EXPECT_EQ(ErrorCode::OK,
		GenerateKey(AuthorizationSetBuilder()
		.EcdsaSigningKey(EcCurve::P_256)
		GenerateAttestKey(AuthorizationSetBuilder()
		.EcdsaKey(EcCurve::P_256)
		.AttestKey()
		.AttestationChallenge("foo")
		.AttestationApplicationId("bar")
		@@ -452,12 +480,12 @@ TEST_P(AttestKeyTest, AlternateAttestKeyChaining) {
		.Authorization(TAG_CERTIFICATE_SUBJECT, subject_der)
		.Authorization(TAG_NO_AUTH_REQUIRED)
		.SetDefaultValidity(),
		attest_key_opt, &key_blob_list[i], &attested_key_characteristics,
		&cert_chain_list[i]));
		attest_key_opt, &key_blob_list[i],
		&attested_key_characteristics, &cert_chain_list[i]));
		} else {
		EXPECT_EQ(ErrorCode::OK,
		GenerateKey(AuthorizationSetBuilder()
		.RsaSigningKey(2048, 65537)
		GenerateAttestKey(AuthorizationSetBuilder()
		.RsaKey(2048, 65537)
		.AttestKey()
		.AttestationChallenge("foo")
		.AttestationApplicationId("bar")
		@@ -465,8 +493,8 @@ TEST_P(AttestKeyTest, AlternateAttestKeyChaining) {
		.Authorization(TAG_CERTIFICATE_SUBJECT, subject_der)
		.Authorization(TAG_NO_AUTH_REQUIRED)
		.SetDefaultValidity(),
		attest_key_opt, &key_blob_list[i], &attested_key_characteristics,
		&cert_chain_list[i]));
		attest_key_opt, &key_blob_list[i],
		&attested_key_characteristics, &cert_chain_list[i]));
		}

		AuthorizationSet hw_enforced = HwEnforcedAuthorizations(attested_key_characteristics);
		@@ -505,8 +533,9 @@ TEST_P(AttestKeyTest, MissingChallenge) {
		AttestationKey attest_key;
		vector<KeyCharacteristics> attest_key_characteristics;
		vector<Certificate> attest_key_cert_chain;
		ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
		.RsaSigningKey(size, 65537)
		ASSERT_EQ(ErrorCode::OK,
		GenerateAttestKey(AuthorizationSetBuilder()
		.RsaKey(size, 65537)
		.AttestKey()
		.SetDefaultValidity(),
		{} /* attestation signing key */, &attest_key.keyBlob,
		@@ -552,10 +581,10 @@ TEST_P(AttestKeyTest, AllEcCurves) {
		AttestationKey attest_key;
		vector<KeyCharacteristics> attest_key_characteristics;
		vector<Certificate> attest_key_cert_chain;
		ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
		.EcdsaSigningKey(curve)
		.AttestKey()
		.SetDefaultValidity(),
		ASSERT_EQ(
		ErrorCode::OK,
		GenerateAttestKey(
		AuthorizationSetBuilder().EcdsaKey(curve).AttestKey().SetDefaultValidity(),
		{} /* attestation signing key */, &attest_key.keyBlob,
		&attest_key_characteristics, &attest_key_cert_chain));

		@@ -667,8 +696,9 @@ TEST_P(AttestKeyTest, EcdsaAttestationID) {
		AttestationKey attest_key;
		vector<KeyCharacteristics> attest_key_characteristics;
		vector<Certificate> attest_key_cert_chain;
		ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
		.EcdsaSigningKey(EcCurve::P_256)
		ASSERT_EQ(ErrorCode::OK,
		GenerateAttestKey(AuthorizationSetBuilder()
		.EcdsaKey(EcCurve::P_256)
		.AttestKey()
		.SetDefaultValidity(),
		{} /* attestation signing key */, &attest_key.keyBlob,
		@@ -731,8 +761,9 @@ TEST_P(AttestKeyTest, EcdsaAttestationMismatchID) {
		AttestationKey attest_key;
		vector<KeyCharacteristics> attest_key_characteristics;
		vector<Certificate> attest_key_cert_chain;
		ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
		.EcdsaSigningKey(EcCurve::P_256)
		ASSERT_EQ(ErrorCode::OK,
		GenerateAttestKey(AuthorizationSetBuilder()
		.EcdsaKey(EcCurve::P_256)
		.AttestKey()
		.SetDefaultValidity(),
		{} /* attestation signing key */, &attest_key.keyBlob,