Merge "Allow RKP-only devices to pass keymint VTS" into main (fae563ac) · Commits · e / os / android_hardware_interfaces

security/keymint/aidl/vts/functional/AttestKeyTest.cpp

+76 −85

Original line number	Original line	Diff line number	Diff line
	@@ -20,6 +20,7 @@
	#include <cutils/log.h>		#include <cutils/log.h>
	#include <cutils/properties.h>		#include <cutils/properties.h>

			#include <keymint_support/authorization_set.h>
	#include <keymint_support/key_param_output.h>		#include <keymint_support/key_param_output.h>
	#include <keymint_support/openssl_utils.h>		#include <keymint_support/openssl_utils.h>

	@@ -93,7 +94,7 @@ string get_imei(int slot) {
	class AttestKeyTest : public KeyMintAidlTestBase {		class AttestKeyTest : public KeyMintAidlTestBase {
	public:		public:
	void SetUp() override {		void SetUp() override {
	skipAttestKeyTest();		skipAttestKeyTestIfNeeded();
	KeyMintAidlTestBase::SetUp();		KeyMintAidlTestBase::SetUp();
	}		}
	};		};
	@@ -273,7 +274,7 @@ TEST_P(AttestKeyTest, RsaAttestKeyMultiPurposeFail) {
	/*		/*
	* AttestKeyTest.RsaAttestedAttestKeys		* AttestKeyTest.RsaAttestedAttestKeys
	*		*
	* This test creates an RSA attestation key signed by factory keys, and varifies it can be		* This test creates an RSA attestation key signed by factory keys, and verifies it can be
	* used to sign other RSA and EC keys.		* used to sign other RSA and EC keys.
	*/		*/
	TEST_P(AttestKeyTest, RsaAttestedAttestKeys) {		TEST_P(AttestKeyTest, RsaAttestedAttestKeys) {
	@@ -305,9 +306,8 @@ TEST_P(AttestKeyTest, RsaAttestedAttestKeys) {
	.SetDefaultValidity(),		.SetDefaultValidity(),
	{} /* attestation signing key */, &attest_key.keyBlob,		{} /* attestation signing key */, &attest_key.keyBlob,
	&attest_key_characteristics, &attest_key_cert_chain);		&attest_key_characteristics, &attest_key_cert_chain);
	// Strongbox may not support factory provisioned attestation key.		if (isRkpOnly() && result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) {
	if (SecLevel() == SecurityLevel::STRONGBOX) {		GTEST_SKIP() << "RKP-only devices do not have a factory key";
	if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) return;
	}		}
	ASSERT_EQ(ErrorCode::OK, result);		ASSERT_EQ(ErrorCode::OK, result);
	KeyBlobDeleter attest_deleter(keymint_, attest_key.keyBlob);		KeyBlobDeleter attest_deleter(keymint_, attest_key.keyBlob);
	@@ -400,30 +400,32 @@ TEST_P(AttestKeyTest, RsaAttestKeyChaining) {
	attest_key_opt = attest_key;		attest_key_opt = attest_key;
	}		}

	auto result = GenerateAttestKey(AuthorizationSetBuilder()		AuthorizationSetBuilder auth_set_builder =
			AuthorizationSetBuilder()
	.RsaKey(2048, 65537)		.RsaKey(2048, 65537)
	.AttestKey()		.AttestKey()
	.AttestationChallenge("foo")
	.AttestationApplicationId("bar")		.AttestationApplicationId("bar")
	.Authorization(TAG_NO_AUTH_REQUIRED)		.Authorization(TAG_NO_AUTH_REQUIRED)
	.Authorization(TAG_CERTIFICATE_SERIAL, serial_blob)		.Authorization(TAG_CERTIFICATE_SERIAL, serial_blob)
	.Authorization(TAG_CERTIFICATE_SUBJECT, subject_der)		.Authorization(TAG_CERTIFICATE_SUBJECT, subject_der)
	.SetDefaultValidity(),		.SetDefaultValidity();
	attest_key_opt, &key_blob_list[i],		// In RKP-only systems, the first key cannot be attested due to lack of batch key
	&attested_key_characteristics, &cert_chain_list[i]);		if (!isRkpOnly() \|\| i > 0) {
	// Strongbox may not support factory provisioned attestation key.		auth_set_builder.AttestationChallenge("foo");
	if (SecLevel() == SecurityLevel::STRONGBOX) {
	if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) return;
	}		}
			auto result = GenerateAttestKey(auth_set_builder, attest_key_opt, &key_blob_list[i],
			&attested_key_characteristics, &cert_chain_list[i]);
	ASSERT_EQ(ErrorCode::OK, result);		ASSERT_EQ(ErrorCode::OK, result);
	deleters.push_back(KeyBlobDeleter(keymint_, key_blob_list[i]));		deleters.push_back(KeyBlobDeleter(keymint_, key_blob_list[i]));

			if (!isRkpOnly() \|\| i > 0) {
	AuthorizationSet hw_enforced = HwEnforcedAuthorizations(attested_key_characteristics);		AuthorizationSet hw_enforced = HwEnforcedAuthorizations(attested_key_characteristics);
	AuthorizationSet sw_enforced = SwEnforcedAuthorizations(attested_key_characteristics);		AuthorizationSet sw_enforced = SwEnforcedAuthorizations(attested_key_characteristics);
	ASSERT_GT(cert_chain_list[i].size(), 0);		ASSERT_GT(cert_chain_list[i].size(), 0);
	ASSERT_TRUE(verify_attestation_record(AidlVersion(), "foo", "bar", sw_enforced, hw_enforced,		ASSERT_TRUE(verify_attestation_record(AidlVersion(), "foo", "bar", sw_enforced,
	SecLevel(),		hw_enforced, SecLevel(),
	cert_chain_list[i][0].encodedCertificate));		cert_chain_list[i][0].encodedCertificate));
			}

	if (i > 0) {		if (i > 0) {
	/*		/*
	@@ -439,7 +441,7 @@ TEST_P(AttestKeyTest, RsaAttestKeyChaining) {
	}		}

	EXPECT_TRUE(ChainSignaturesAreValid(cert_chain_list[i]));		EXPECT_TRUE(ChainSignaturesAreValid(cert_chain_list[i]));
	EXPECT_GT(cert_chain_list[i].size(), i + 1);		EXPECT_GT(cert_chain_list[i].size(), i + (isRkpOnly() ? 0 : 1));
	verify_subject_and_serial(cert_chain_list[i][0], serial_int, subject, false);		verify_subject_and_serial(cert_chain_list[i][0], serial_int, subject, false);
	}		}
	}		}
	@@ -475,36 +477,34 @@ TEST_P(AttestKeyTest, EcAttestKeyChaining) {
	attest_key_opt = attest_key;		attest_key_opt = attest_key;
	}		}

	auto result = GenerateAttestKey(AuthorizationSetBuilder()		AuthorizationSetBuilder auth_set_builder =
			AuthorizationSetBuilder()
	.EcdsaKey(EcCurve::P_256)		.EcdsaKey(EcCurve::P_256)
	.AttestKey()		.AttestKey()
	.AttestationChallenge("foo")
	.AttestationApplicationId("bar")		.AttestationApplicationId("bar")
	.Authorization(TAG_CERTIFICATE_SERIAL, serial_blob)		.Authorization(TAG_CERTIFICATE_SERIAL, serial_blob)
	.Authorization(TAG_CERTIFICATE_SUBJECT, subject_der)		.Authorization(TAG_CERTIFICATE_SUBJECT, subject_der)
	.Authorization(TAG_NO_AUTH_REQUIRED)		.Authorization(TAG_NO_AUTH_REQUIRED)
	.SetDefaultValidity(),		.SetDefaultValidity();
	attest_key_opt, &key_blob_list[i],		// In RKP-only systems, the first key cannot be attested due to lack of batch key
	&attested_key_characteristics, &cert_chain_list[i]);		if (!isRkpOnly() \|\| i > 0) {
	// Strongbox may not support factory provisioned attestation key.		auth_set_builder.AttestationChallenge("foo");
	if (SecLevel() == SecurityLevel::STRONGBOX) {
	if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) return;
	}		}
			auto result = GenerateAttestKey(auth_set_builder, attest_key_opt, &key_blob_list[i],
			&attested_key_characteristics, &cert_chain_list[i]);
	ASSERT_EQ(ErrorCode::OK, result);		ASSERT_EQ(ErrorCode::OK, result);
	deleters.push_back(KeyBlobDeleter(keymint_, key_blob_list[i]));		deleters.push_back(KeyBlobDeleter(keymint_, key_blob_list[i]));

			if (!isRkpOnly() \|\| i > 0) {
	AuthorizationSet hw_enforced = HwEnforcedAuthorizations(attested_key_characteristics);		AuthorizationSet hw_enforced = HwEnforcedAuthorizations(attested_key_characteristics);
	AuthorizationSet sw_enforced = SwEnforcedAuthorizations(attested_key_characteristics);		AuthorizationSet sw_enforced = SwEnforcedAuthorizations(attested_key_characteristics);
	ASSERT_GT(cert_chain_list[i].size(), 0);		ASSERT_GT(cert_chain_list[i].size(), 0);
	ASSERT_TRUE(verify_attestation_record(AidlVersion(), "foo", "bar", sw_enforced, hw_enforced,		ASSERT_TRUE(verify_attestation_record(AidlVersion(), "foo", "bar", sw_enforced,
	SecLevel(),		hw_enforced, SecLevel(),
	cert_chain_list[i][0].encodedCertificate));		cert_chain_list[i][0].encodedCertificate));
			}

	if (i > 0) {		if (i > 0) {
	/*
	* The first key is attestated with factory chain, but all the rest of the keys are
	* not supposed to be returned in attestation certificate chains.
	*/
	EXPECT_FALSE(ChainSignaturesAreValid(cert_chain_list[i]));		EXPECT_FALSE(ChainSignaturesAreValid(cert_chain_list[i]));

	// Appending the attest_key chain to the attested_key_chain should yield a valid chain.		// Appending the attest_key chain to the attested_key_chain should yield a valid chain.
	@@ -514,7 +514,7 @@ TEST_P(AttestKeyTest, EcAttestKeyChaining) {
	}		}

	EXPECT_TRUE(ChainSignaturesAreValid(cert_chain_list[i]));		EXPECT_TRUE(ChainSignaturesAreValid(cert_chain_list[i]));
	EXPECT_GT(cert_chain_list[i].size(), i + 1);		EXPECT_GT(cert_chain_list[i].size(), i + (isRkpOnly() ? 0 : 1));
	verify_subject_and_serial(cert_chain_list[i][0], serial_int, subject, false);		verify_subject_and_serial(cert_chain_list[i][0], serial_int, subject, false);
	}		}
	}		}
	@@ -576,45 +576,36 @@ TEST_P(AttestKeyTest, AlternateAttestKeyChaining) {
	attest_key.keyBlob = key_blob_list[i - 1];		attest_key.keyBlob = key_blob_list[i - 1];
	attest_key_opt = attest_key;		attest_key_opt = attest_key;
	}		}
	ErrorCode result;		AuthorizationSetBuilder auth_set_builder =
	if ((i & 0x1) == 1) {		AuthorizationSetBuilder()
	result = GenerateAttestKey(AuthorizationSetBuilder()
	.EcdsaKey(EcCurve::P_256)
	.AttestKey()
	.AttestationChallenge("foo")
	.AttestationApplicationId("bar")
	.Authorization(TAG_CERTIFICATE_SERIAL, serial_blob)
	.Authorization(TAG_CERTIFICATE_SUBJECT, subject_der)
	.Authorization(TAG_NO_AUTH_REQUIRED)
	.SetDefaultValidity(),
	attest_key_opt, &key_blob_list[i],
	&attested_key_characteristics, &cert_chain_list[i]);
	} else {
	result = GenerateAttestKey(AuthorizationSetBuilder()
	.RsaKey(2048, 65537)
	.AttestKey()		.AttestKey()
	.AttestationChallenge("foo")
	.AttestationApplicationId("bar")		.AttestationApplicationId("bar")
	.Authorization(TAG_CERTIFICATE_SERIAL, serial_blob)		.Authorization(TAG_CERTIFICATE_SERIAL, serial_blob)
	.Authorization(TAG_CERTIFICATE_SUBJECT, subject_der)		.Authorization(TAG_CERTIFICATE_SUBJECT, subject_der)
	.Authorization(TAG_NO_AUTH_REQUIRED)		.Authorization(TAG_NO_AUTH_REQUIRED)
	.SetDefaultValidity(),		.SetDefaultValidity();
	attest_key_opt, &key_blob_list[i],		// In RKP-only systems, the first key cannot be attested due to lack of batch key
	&attested_key_characteristics, &cert_chain_list[i]);		if (!isRkpOnly() \|\| i > 0) {
			auth_set_builder.AttestationChallenge("foo");
	}		}
	// Strongbox may not support factory provisioned attestation key.		if ((i & 0x1) == 1) {
	if (SecLevel() == SecurityLevel::STRONGBOX) {		auth_set_builder.EcdsaKey(EcCurve::P_256);
	if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) return;		} else {
			auth_set_builder.RsaKey(2048, 65537);
	}		}
			ErrorCode result = GenerateAttestKey(auth_set_builder, attest_key_opt, &key_blob_list[i],
			&attested_key_characteristics, &cert_chain_list[i]);
	ASSERT_EQ(ErrorCode::OK, result);		ASSERT_EQ(ErrorCode::OK, result);
	deleters.push_back(KeyBlobDeleter(keymint_, key_blob_list[i]));		deleters.push_back(KeyBlobDeleter(keymint_, key_blob_list[i]));

			if (!isRkpOnly() \|\| i > 0) {
	AuthorizationSet hw_enforced = HwEnforcedAuthorizations(attested_key_characteristics);		AuthorizationSet hw_enforced = HwEnforcedAuthorizations(attested_key_characteristics);
	AuthorizationSet sw_enforced = SwEnforcedAuthorizations(attested_key_characteristics);		AuthorizationSet sw_enforced = SwEnforcedAuthorizations(attested_key_characteristics);
	ASSERT_GT(cert_chain_list[i].size(), 0);		ASSERT_GT(cert_chain_list[i].size(), 0);
	ASSERT_TRUE(verify_attestation_record(AidlVersion(), "foo", "bar", sw_enforced, hw_enforced,		ASSERT_TRUE(verify_attestation_record(AidlVersion(), "foo", "bar", sw_enforced,
	SecLevel(),		hw_enforced, SecLevel(),
	cert_chain_list[i][0].encodedCertificate));		cert_chain_list[i][0].encodedCertificate));
			}

	if (i > 0) {		if (i > 0) {
	/*		/*
	@@ -630,7 +621,7 @@ TEST_P(AttestKeyTest, AlternateAttestKeyChaining) {
	}		}

	EXPECT_TRUE(ChainSignaturesAreValid(cert_chain_list[i]));		EXPECT_TRUE(ChainSignaturesAreValid(cert_chain_list[i]));
	EXPECT_GT(cert_chain_list[i].size(), i + 1);		EXPECT_GT(cert_chain_list[i].size(), i + (isRkpOnly() ? 0 : 1));
	verify_subject_and_serial(cert_chain_list[i][0], serial_int, subject, false);		verify_subject_and_serial(cert_chain_list[i][0], serial_int, subject, false);
	}		}
	}		}

security/keymint/aidl/vts/functional/AuthTest.cpp

+1 −12

Original line number	Original line	Diff line number	Diff line
	@@ -455,18 +455,7 @@ TEST_P(AuthTest, TimeoutAuthenticationMultiSid) {
	.Authorization(TAG_AUTH_TIMEOUT, timeout_secs);		.Authorization(TAG_AUTH_TIMEOUT, timeout_secs);
	vector<uint8_t> keyblob;		vector<uint8_t> keyblob;
	vector<KeyCharacteristics> key_characteristics;		vector<KeyCharacteristics> key_characteristics;
	vector<Certificate> cert_chain;		auto result = GenerateKey(builder, &keyblob, &key_characteristics);
	auto result = GenerateKey(builder, std::nullopt, &keyblob, &key_characteristics, &cert_chain);
	if (SecLevel() == SecurityLevel::STRONGBOX) {
	if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) {
	result = GenerateKeyWithSelfSignedAttestKey(AuthorizationSetBuilder()
	.EcdsaKey(EcCurve::P_256)
	.AttestKey()
	.SetDefaultValidity(),
	builder, &keyblob, &key_characteristics,
	&cert_chain);
	}
	}
	ASSERT_EQ(ErrorCode::OK, result);		ASSERT_EQ(ErrorCode::OK, result);

	// Verify first user to get a HAT that should work.		// Verify first user to get a HAT that should work.

security/keymint/aidl/vts/functional/BootloaderStateTest.cpp

+0 −12

Original line number	Original line	Diff line number	Diff line
	@@ -54,18 +54,6 @@ class BootloaderStateTest : public KeyMintAidlTestBase {
	.Digest(Digest::NONE)		.Digest(Digest::NONE)
	.SetDefaultValidity();		.SetDefaultValidity();
	auto result = GenerateKey(keyDesc, &key_blob, &key_characteristics);		auto result = GenerateKey(keyDesc, &key_blob, &key_characteristics);
	// If factory provisioned attestation key is not supported by Strongbox,
	// then create a key with self-signed attestation and use it as the
	// attestation key instead.
	if (SecLevel() == SecurityLevel::STRONGBOX &&
	result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) {
	result = GenerateKeyWithSelfSignedAttestKey(
	AuthorizationSetBuilder()
	.EcdsaKey(EcCurve::P_256)
	.AttestKey()
	.SetDefaultValidity(), /* attest key params */
	keyDesc, &key_blob, &key_characteristics);
	}
	ASSERT_EQ(ErrorCode::OK, result);		ASSERT_EQ(ErrorCode::OK, result);

	// Parse attested AVB values.		// Parse attested AVB values.

security/keymint/aidl/vts/functional/DeviceUniqueAttestationTest.cpp

+31 −27

Original line number	Original line	Diff line number	Diff line
	@@ -73,7 +73,8 @@ TEST_P(DeviceUniqueAttestationTest, RsaNonStrongBoxUnimplemented) {
	vector<KeyCharacteristics> key_characteristics;		vector<KeyCharacteristics> key_characteristics;

	// Check RSA implementation		// Check RSA implementation
	auto result = GenerateKey(AuthorizationSetBuilder()		auto result =
			GenerateKey(AuthorizationSetBuilder()
	.Authorization(TAG_NO_AUTH_REQUIRED)		.Authorization(TAG_NO_AUTH_REQUIRED)
	.RsaSigningKey(2048, 65537)		.RsaSigningKey(2048, 65537)
	.Digest(Digest::SHA_2_256)		.Digest(Digest::SHA_2_256)
	@@ -84,9 +85,10 @@ TEST_P(DeviceUniqueAttestationTest, RsaNonStrongBoxUnimplemented) {
	.AttestationChallenge("challenge")		.AttestationChallenge("challenge")
	.AttestationApplicationId("foo")		.AttestationApplicationId("foo")
	.Authorization(TAG_DEVICE_UNIQUE_ATTESTATION),		.Authorization(TAG_DEVICE_UNIQUE_ATTESTATION),
	&key_blob, &key_characteristics);		/attest_key=/std::nullopt, &key_blob, &key_characteristics, &cert_chain_);

	ASSERT_TRUE(result == ErrorCode::INVALID_ARGUMENT \|\| result == ErrorCode::UNSUPPORTED_TAG);		ASSERT_TRUE(result == ErrorCode::INVALID_ARGUMENT \|\| result == ErrorCode::UNSUPPORTED_TAG)
			<< "Result: " << result;
	}		}

	/*		/*
	@@ -104,7 +106,8 @@ TEST_P(DeviceUniqueAttestationTest, EcdsaNonStrongBoxUnimplemented) {
	vector<KeyCharacteristics> key_characteristics;		vector<KeyCharacteristics> key_characteristics;

	// Check Ecdsa implementation		// Check Ecdsa implementation
	auto result = GenerateKey(AuthorizationSetBuilder()		auto result =
			GenerateKey(AuthorizationSetBuilder()
	.Authorization(TAG_NO_AUTH_REQUIRED)		.Authorization(TAG_NO_AUTH_REQUIRED)
	.EcdsaSigningKey(EcCurve::P_256)		.EcdsaSigningKey(EcCurve::P_256)
	.Digest(Digest::SHA_2_256)		.Digest(Digest::SHA_2_256)
	@@ -114,9 +117,10 @@ TEST_P(DeviceUniqueAttestationTest, EcdsaNonStrongBoxUnimplemented) {
	.AttestationChallenge("challenge")		.AttestationChallenge("challenge")
	.AttestationApplicationId("foo")		.AttestationApplicationId("foo")
	.Authorization(TAG_DEVICE_UNIQUE_ATTESTATION),		.Authorization(TAG_DEVICE_UNIQUE_ATTESTATION),
	&key_blob, &key_characteristics);		/attest_key=/std::nullopt, &key_blob, &key_characteristics, &cert_chain_);

	ASSERT_TRUE(result == ErrorCode::INVALID_ARGUMENT \|\| result == ErrorCode::UNSUPPORTED_TAG);		ASSERT_TRUE(result == ErrorCode::INVALID_ARGUMENT \|\| result == ErrorCode::UNSUPPORTED_TAG)
			<< "Result: " << result;
	}		}

	/*		/*

security/keymint/aidl/vts/functional/KeyMintAidlTestBase.cpp

+46 −31

Original line number	Original line	Diff line number	Diff line
	@@ -20,6 +20,10 @@
	#include <fstream>		#include <fstream>
	#include <unordered_set>		#include <unordered_set>
	#include <vector>		#include <vector>
			#include "aidl/android/hardware/security/keymint/AttestationKey.h"
			#include "aidl/android/hardware/security/keymint/ErrorCode.h"
			#include "keymint_support/authorization_set.h"
			#include "keymint_support/keymint_tags.h"

	#include <android-base/logging.h>		#include <android-base/logging.h>
	#include <android/binder_manager.h>		#include <android/binder_manager.h>
	@@ -245,6 +249,13 @@ bool KeyMintAidlTestBase::isSecondImeiIdAttestationRequired() {
	return AidlVersion() >= 3 && property_get_int32("ro.vendor.api_level", 0) > __ANDROID_API_T__;		return AidlVersion() >= 3 && property_get_int32("ro.vendor.api_level", 0) > __ANDROID_API_T__;
	}		}

			bool KeyMintAidlTestBase::isRkpOnly() {
			if (SecLevel() == SecurityLevel::STRONGBOX) {
			return property_get_bool("remote_provisioning.strongbox.rkp_only", false);
			}
			return property_get_bool("remote_provisioning.tee.rkp_only", false);
			}

	bool KeyMintAidlTestBase::Curve25519Supported() {		bool KeyMintAidlTestBase::Curve25519Supported() {
	// Strongbox never supports curve 25519.		// Strongbox never supports curve 25519.
	if (SecLevel() == SecurityLevel::STRONGBOX) {		if (SecLevel() == SecurityLevel::STRONGBOX) {
	@@ -295,6 +306,40 @@ void KeyMintAidlTestBase::SetUp() {
	}		}
	}		}

			ErrorCode KeyMintAidlTestBase::GenerateKey(const AuthorizationSet& key_desc) {
			return GenerateKey(key_desc, &key_blob_, &key_characteristics_);
			}

			ErrorCode KeyMintAidlTestBase::GenerateKey(const AuthorizationSet& key_desc,
			vector<uint8_t>* key_blob,
			vector<KeyCharacteristics>* key_characteristics) {
			std::optional<AttestationKey> attest_key = std::nullopt;
			vector<Certificate> attest_cert_chain;
			// If an attestation is requested, but the system is RKP-only, we need to supply an explicit
			// attestation key. Else the result is a key without an attestation.
			if (isRkpOnly() && key_desc.Contains(TAG_ATTESTATION_CHALLENGE)) {
			skipAttestKeyTestIfNeeded();
			AuthorizationSet attest_key_desc =
			AuthorizationSetBuilder().EcdsaKey(EcCurve::P_256).AttestKey().SetDefaultValidity();
			attest_key.emplace();
			vector<KeyCharacteristics> attest_key_characteristics;
			auto error = GenerateAttestKey(attest_key_desc, std::nullopt, &attest_key.value().keyBlob,
			&attest_key_characteristics, &attest_cert_chain);
			EXPECT_EQ(error, ErrorCode::OK);
			EXPECT_EQ(attest_cert_chain.size(), 1);
			attest_key.value().issuerSubjectName = make_name_from_str("Android Keystore Key");
			}

			ErrorCode error =
			GenerateKey(key_desc, attest_key, key_blob, key_characteristics, &cert_chain_);

			if (error == ErrorCode::OK && attest_cert_chain.size() > 0) {
			cert_chain_.push_back(attest_cert_chain[0]);
			}

			return error;
			}

	ErrorCode KeyMintAidlTestBase::GenerateKey(const AuthorizationSet& key_desc,		ErrorCode KeyMintAidlTestBase::GenerateKey(const AuthorizationSet& key_desc,
	const optional<AttestationKey>& attest_key,		const optional<AttestationKey>& attest_key,
	vector<uint8_t>* key_blob,		vector<uint8_t>* key_blob,
	@@ -335,36 +380,6 @@ ErrorCode KeyMintAidlTestBase::GenerateKey(const AuthorizationSet& key_desc,
	return GetReturnErrorCode(result);		return GetReturnErrorCode(result);
	}		}

	ErrorCode KeyMintAidlTestBase::GenerateKey(const AuthorizationSet& key_desc,
	const optional<AttestationKey>& attest_key) {
	return GenerateKey(key_desc, attest_key, &key_blob_, &key_characteristics_, &cert_chain_);
	}

	ErrorCode KeyMintAidlTestBase::GenerateKeyWithSelfSignedAttestKey(
	const AuthorizationSet& attest_key_desc, const AuthorizationSet& key_desc,
	vector<uint8_t>* key_blob, vector<KeyCharacteristics>* key_characteristics,
	vector<Certificate>* cert_chain) {
	skipAttestKeyTest();
	AttestationKey attest_key;
	vector<Certificate> attest_cert_chain;
	vector<KeyCharacteristics> attest_key_characteristics;
	// Generate a key with self signed attestation.
	auto error = GenerateAttestKey(attest_key_desc, std::nullopt, &attest_key.keyBlob,
	&attest_key_characteristics, &attest_cert_chain);
	if (error != ErrorCode::OK) {
	return error;
	}

	attest_key.issuerSubjectName = make_name_from_str("Android Keystore Key");
	// Generate a key, by passing the above self signed attestation key as attest key.
	error = GenerateKey(key_desc, attest_key, key_blob, key_characteristics, cert_chain);
	if (error == ErrorCode::OK) {
	// Append the attest_cert_chain to the attested cert_chain to yield a valid cert chain.
	cert_chain->push_back(attest_cert_chain[0]);
	}
	return error;
	}

	ErrorCode KeyMintAidlTestBase::ImportKey(const AuthorizationSet& key_desc, KeyFormat format,		ErrorCode KeyMintAidlTestBase::ImportKey(const AuthorizationSet& key_desc, KeyFormat format,
	const string& key_material, vector<uint8_t>* key_blob,		const string& key_material, vector<uint8_t>* key_blob,
	vector<KeyCharacteristics>* key_characteristics) {		vector<KeyCharacteristics>* key_characteristics) {
	@@ -1663,7 +1678,7 @@ bool KeyMintAidlTestBase::shouldSkipAttestKeyTest(void) const {

	// Skip a test that involves use of the ATTEST_KEY feature in specific configurations		// Skip a test that involves use of the ATTEST_KEY feature in specific configurations
	// where ATTEST_KEY is not supported (for either StrongBox or TEE).		// where ATTEST_KEY is not supported (for either StrongBox or TEE).
	void KeyMintAidlTestBase::skipAttestKeyTest(void) const {		void KeyMintAidlTestBase::skipAttestKeyTestIfNeeded() const {
	if (shouldSkipAttestKeyTest()) {		if (shouldSkipAttestKeyTest()) {
	GTEST_SKIP() << "Test using ATTEST_KEY is not applicable on waivered device";		GTEST_SKIP() << "Test using ATTEST_KEY is not applicable on waivered device";
	}		}