Merge "KeyMint VTS: re-order auth failure arms" into main am: 2ef3749cba (e865448a) · Commits · e / os / android_hardware_interfaces

security/keymint/aidl/vts/functional/AuthTest.cpp

+11 −8

Original line number	Diff line number	Diff line
		@@ -350,14 +350,14 @@ TEST_P(AuthTest, TimeoutAuthentication) {

		// Wait for long enough that the hardware auth token expires.
		sleep(timeout_secs + 1);
		if (!timestamp_token_required_) {
		// KeyMint implementation has its own clock, and can immediately detect timeout.
		EXPECT_EQ(ErrorCode::KEY_USER_NOT_AUTHENTICATED,
		Begin(KeyPurpose::ENCRYPT, keyblob, params, &out_params, hat));
		} else {
		// KeyMint implementation has no clock, so only detects timeout via timestamp token provided
		// on update()/finish().
		ASSERT_EQ(ErrorCode::OK, Begin(KeyPurpose::ENCRYPT, keyblob, params, &out_params, hat));

		auto begin_result = Begin(KeyPurpose::ENCRYPT, keyblob, params, &out_params, hat);
		if (begin_result == ErrorCode::OK) {
		// If begin() succeeds despite the out-of-date HAT, that must mean that the KeyMint
		// device doesn't have its own clock. In that case, it only detects timeout via a
		// timestamp token provided on update()/finish()
		ASSERT_TRUE(timestamp_token_required_);

		secureclock::TimeStampToken time_token;
		EXPECT_EQ(ErrorCode::OK,
		GetReturnErrorCode(clock_->generateTimeStamp(challenge_, &time_token)));
		@@ -365,6 +365,9 @@ TEST_P(AuthTest, TimeoutAuthentication) {
		string output;
		EXPECT_EQ(ErrorCode::KEY_USER_NOT_AUTHENTICATED,
		Finish(message, {} /* signature */, &output, hat, time_token));
		} else {
		// The KeyMint implementation may have its own clock that can immediately detect timeout.
		ASSERT_EQ(ErrorCode::KEY_USER_NOT_AUTHENTICATED, begin_result);
		}
		}