Merge "KeyMint vts: Correct the EC curve parameter and some return code" am:... (fdb60f6a) · Commits · e / os / android_hardware_interfaces

security/keymint/aidl/android/hardware/security/keymint/IKeyMintDevice.aidl

+5 −4

Original line number	Diff line number	Diff line
		@@ -318,10 +318,11 @@ interface IKeyMintDevice {
		* @param attestationKey, if provided, specifies the key that must be used to sign the
		* attestation certificate. If `keyParams` does not contain a Tag::ATTESTATION_CHALLENGE
		* but `attestationKey` is non-null, the IKeyMintDevice must return
		* ErrorCode::INVALID_ARGUMENT. If the provided AttestationKey does not contain a key
		* blob containing an asymmetric key with KeyPurpose::ATTEST_KEY, the IKeyMintDevice must
		* return ErrorCode::INCOMPATIBLE_PURPOSE. If the provided AttestationKey has an empty
		* issuer subject name, the IKeyMintDevice must return ErrorCode::INVALID_ARGUMENT.
		* ErrorCode::ATTESTATION_CHALLENGE_MISSING. If the provided AttestationKey does not
		* contain a key blob containing an asymmetric key with KeyPurpose::ATTEST_KEY, the
		* IKeyMintDevice must return ErrorCode::INCOMPATIBLE_PURPOSE. If the provided
		* AttestationKey has an empty issuer subject name, the IKeyMintDevice must return
		* ErrorCode::INVALID_ARGUMENT.
		*
		* If `attestationKey` is null and `keyParams` contains Tag::ATTESTATION_CHALLENGE but
		* the KeyMint implementation does not have factory-provisioned attestation keys, it must

+4 −4

Original line number	Diff line number	Diff line
		@@ -361,7 +361,7 @@ TEST_P(AttestKeyTest, EcAttestKeyChaining) {

		EXPECT_EQ(ErrorCode::OK,
		GenerateKey(AuthorizationSetBuilder()
		.EcdsaSigningKey(224)
		.EcdsaSigningKey(EcCurve::P_256)
		.AttestKey()
		.AttestationChallenge("foo")
		.AttestationApplicationId("bar")
		@@ -435,7 +435,7 @@ TEST_P(AttestKeyTest, AlternateAttestKeyChaining) {
		if ((i & 0x1) == 1) {
		EXPECT_EQ(ErrorCode::OK,
		GenerateKey(AuthorizationSetBuilder()
		.EcdsaSigningKey(224)
		.EcdsaSigningKey(EcCurve::P_256)
		.AttestKey()
		.AttestationChallenge("foo")
		.AttestationApplicationId("bar")
		@@ -513,7 +513,7 @@ TEST_P(AttestKeyTest, MissingChallenge) {
		vector<uint8_t> attested_key_blob;
		vector<KeyCharacteristics> attested_key_characteristics;
		vector<Certificate> attested_key_cert_chain;
		EXPECT_EQ(ErrorCode::INVALID_ARGUMENT,
		EXPECT_EQ(ErrorCode::ATTESTATION_CHALLENGE_MISSING,
		GenerateKey(AuthorizationSetBuilder()
		.RsaSigningKey(2048, 65537)
		.Authorization(TAG_NO_AUTH_REQUIRED)
		@@ -522,7 +522,7 @@ TEST_P(AttestKeyTest, MissingChallenge) {
		attest_key, &attested_key_blob, &attested_key_characteristics,
		&attested_key_cert_chain));

		EXPECT_EQ(ErrorCode::INVALID_ARGUMENT,
		EXPECT_EQ(ErrorCode::ATTESTATION_CHALLENGE_MISSING,
		GenerateKey(AuthorizationSetBuilder()
		.EcdsaSigningKey(EcCurve::P_256)
		.Authorization(TAG_NO_AUTH_REQUIRED)

+4 −4

Original line number	Diff line number	Diff line
		@@ -119,7 +119,7 @@ char nibble2hex[16] = {'0', '1', '2', '3', '4', '5', '6', '7',
		// Attestations don't contain everything in key authorization lists, so we need to filter the key
		// lists to produce the lists that we expect to match the attestations.
		auto kTagsToFilter = {
		Tag::CREATION_DATETIME, //
		Tag::CREATION_DATETIME,
		Tag::EC_CURVE,
		Tag::HARDWARE_TYPE,
		Tag::INCLUDE_UNIQUE_ID,

+5 −5

Original line number	Diff line number	Diff line
		@@ -2261,11 +2261,11 @@ TEST_P(SigningOperationsTest, RsaNonUniqueParams) {
		.Padding(PaddingMode::NONE)
		.Padding(PaddingMode::RSA_PKCS1_1_5_SIGN)));

		ASSERT_EQ(ErrorCode::UNSUPPORTED_DIGEST,
		Begin(KeyPurpose::SIGN, AuthorizationSetBuilder()
		auto result = Begin(KeyPurpose::SIGN, AuthorizationSetBuilder()
		.Digest(Digest::NONE)
		.Digest(Digest::SHA1)
		.Padding(PaddingMode::RSA_PKCS1_1_5_SIGN)));
		.Padding(PaddingMode::RSA_PKCS1_1_5_SIGN));
		ASSERT_TRUE(result == ErrorCode::UNSUPPORTED_DIGEST \|\| result == ErrorCode::INVALID_ARGUMENT);

		ASSERT_EQ(ErrorCode::UNSUPPORTED_DIGEST,
		Begin(KeyPurpose::SIGN,