authorScott Lobdell <slobdell@google.com>2022-01-30 02:48:00 +0000
committerScott Lobdell <slobdell@google.com>2022-01-30 03:00:47 +0000
commita028272dee9220e6810cbdcfb2328c34f8afe4c2 (patch)
tree67574a4494f5fccdb37925294b32d5b62642fa4d /security/keymint/aidl/vts/functional/AttestKeyTest.cpp
parentc8ad7b85d490d5c925d708f36f4dd74a64e591be (diff)
parent8338316c8344ab2707b6572e34e42e5fca9f9ee9 (diff)
Merge TP1A.220107.002
Change-Id: I655d5412ccd734059dfb19075bb9abc810396975
Diffstat (limited to 'security/keymint/aidl/vts/functional/AttestKeyTest.cpp')
-rw-r--r--security/keymint/aidl/vts/functional/AttestKeyTest.cpp73
1 files changed, 59 insertions, 14 deletions
diff --git a/security/keymint/aidl/vts/functional/AttestKeyTest.cpp b/security/keymint/aidl/vts/functional/AttestKeyTest.cpp
index 73c382092e..727c6b72cd 100644
--- a/security/keymint/aidl/vts/functional/AttestKeyTest.cpp
+++ b/security/keymint/aidl/vts/functional/AttestKeyTest.cpp
@@ -81,7 +81,8 @@ TEST_P(AttestKeyTest, AllRsaSizes) {
AuthorizationSet hw_enforced = HwEnforcedAuthorizations(attested_key_characteristics);
AuthorizationSet sw_enforced = SwEnforcedAuthorizations(attested_key_characteristics);
- EXPECT_TRUE(verify_attestation_record("foo", "bar", sw_enforced, hw_enforced, SecLevel(),
+ EXPECT_TRUE(verify_attestation_record(AidlVersion(), "foo", "bar", sw_enforced, hw_enforced,
+ SecLevel(),
attested_key_cert_chain[0].encodedCertificate));
// Attestation by itself is not valid (last entry is not self-signed).
@@ -113,7 +114,8 @@ TEST_P(AttestKeyTest, AllRsaSizes) {
hw_enforced = HwEnforcedAuthorizations(attested_key_characteristics);
sw_enforced = SwEnforcedAuthorizations(attested_key_characteristics);
- EXPECT_TRUE(verify_attestation_record("foo2", "bar2", sw_enforced, hw_enforced, SecLevel(),
+ EXPECT_TRUE(verify_attestation_record(AidlVersion(), "foo2", "bar2", sw_enforced,
+ hw_enforced, SecLevel(),
attested_key_cert_chain[0].encodedCertificate));
// Attestation by itself is not valid (last entry is not self-signed).
@@ -154,12 +156,13 @@ TEST_P(AttestKeyTest, AllRsaSizes) {
sw_enforced = SwEnforcedAuthorizations(attested_key_characteristics);
// The client-specified CREATION_DATETIME should be in sw_enforced.
- // Its presence will also trigger verify_attestation_record() to check that it
- // is in the attestation extension with a matching value.
+ // Its presence will also trigger verify_attestation_record() to check that
+ // it is in the attestation extension with a matching value.
EXPECT_TRUE(sw_enforced.Contains(TAG_CREATION_DATETIME, timestamp))
<< "expected CREATION_TIMESTAMP in sw_enforced:" << sw_enforced
<< " not in hw_enforced:" << hw_enforced;
- EXPECT_TRUE(verify_attestation_record("foo", "bar", sw_enforced, hw_enforced, SecLevel(),
+ EXPECT_TRUE(verify_attestation_record(AidlVersion(), "foo", "bar", sw_enforced, hw_enforced,
+ SecLevel(),
attested_key_cert_chain[0].encodedCertificate));
// Attestation by itself is not valid (last entry is not self-signed).
@@ -175,6 +178,24 @@ TEST_P(AttestKeyTest, AllRsaSizes) {
}
/*
+ * AttestKeyTest.RsaAttestKeyMultiPurposeFail
+ *
+ * This test attempts to create an RSA attestation key that also allows signing.
+ */
+TEST_P(AttestKeyTest, RsaAttestKeyMultiPurposeFail) {
+ vector<uint8_t> attest_key_blob;
+ vector<KeyCharacteristics> attest_key_characteristics;
+ vector<Certificate> attest_key_cert_chain;
+ ASSERT_EQ(ErrorCode::INCOMPATIBLE_PURPOSE,
+ GenerateKey(AuthorizationSetBuilder()
+ .RsaSigningKey(2048, 65537)
+ .AttestKey()
+ .SetDefaultValidity(),
+ {} /* attestation signing key */, &attest_key_blob,
+ &attest_key_characteristics, &attest_key_cert_chain));
+}
+
+/*
* AttestKeyTest.RsaAttestedAttestKeys
*
* This test creates an RSA attestation key signed by factory keys, and varifies it can be
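Review bot: RsaAttestKeyMultiPurposeFail, and EcAttestKeyMultiPurposeFail in the later hunk, run unconditionally. The rest of this commit threads `AidlVersion()` into the attestation checks, which suggests behaviour may differ between interface versions. If older implementations were not required to reject ATTEST_KEY combined with another purpose, the tests need a guard keyed on `AidlVersion()` that calls `GTEST_SKIP()` below the first version that enforces the rule. The header comment also says only that the test "attempts to create" the key, so I would add a line such as ` * Generation must fail with INCOMPATIBLE_PURPOSE: a key that can both attest and sign arbitrary data could be used to forge attestation certificates.` Finally, if an implementation wrongly succeeds, `ASSERT_EQ` aborts and `attest_key_blob` is never deleted, so a `CheckedDeleteKey(&attest_key_blob);` on that path would keep a failing run from leaking the key.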
@@ -217,7 +238,7 @@ TEST_P(AttestKeyTest, RsaAttestedAttestKeys) {
AuthorizationSet hw_enforced = HwEnforcedAuthorizations(attest_key_characteristics);
AuthorizationSet sw_enforced = SwEnforcedAuthorizations(attest_key_characteristics);
- EXPECT_TRUE(verify_attestation_record(challenge, app_id, //
+ EXPECT_TRUE(verify_attestation_record(AidlVersion(), challenge, app_id, //
sw_enforced, hw_enforced, SecLevel(),
attest_key_cert_chain[0].encodedCertificate));
@@ -252,7 +273,8 @@ TEST_P(AttestKeyTest, RsaAttestedAttestKeys) {
AuthorizationSet hw_enforced2 = HwEnforcedAuthorizations(attested_key_characteristics);
AuthorizationSet sw_enforced2 = SwEnforcedAuthorizations(attested_key_characteristics);
- EXPECT_TRUE(verify_attestation_record("foo", "bar", sw_enforced2, hw_enforced2, SecLevel(),
+ EXPECT_TRUE(verify_attestation_record(AidlVersion(), "foo", "bar", sw_enforced2, hw_enforced2,
+ SecLevel(),
attested_key_cert_chain[0].encodedCertificate));
// Attestation by itself is not valid (last entry is not self-signed).
@@ -313,7 +335,8 @@ TEST_P(AttestKeyTest, RsaAttestKeyChaining) {
AuthorizationSet hw_enforced = HwEnforcedAuthorizations(attested_key_characteristics);
AuthorizationSet sw_enforced = SwEnforcedAuthorizations(attested_key_characteristics);
ASSERT_GT(cert_chain_list[i].size(), 0);
- EXPECT_TRUE(verify_attestation_record("foo", "bar", sw_enforced, hw_enforced, SecLevel(),
+ EXPECT_TRUE(verify_attestation_record(AidlVersion(), "foo", "bar", sw_enforced, hw_enforced,
+ SecLevel(),
cert_chain_list[i][0].encodedCertificate));
if (i > 0) {
@@ -385,7 +408,8 @@ TEST_P(AttestKeyTest, EcAttestKeyChaining) {
AuthorizationSet hw_enforced = HwEnforcedAuthorizations(attested_key_characteristics);
AuthorizationSet sw_enforced = SwEnforcedAuthorizations(attested_key_characteristics);
ASSERT_GT(cert_chain_list[i].size(), 0);
- EXPECT_TRUE(verify_attestation_record("foo", "bar", sw_enforced, hw_enforced, SecLevel(),
+ EXPECT_TRUE(verify_attestation_record(AidlVersion(), "foo", "bar", sw_enforced, hw_enforced,
+ SecLevel(),
cert_chain_list[i][0].encodedCertificate));
if (i > 0) {
@@ -412,6 +436,24 @@ TEST_P(AttestKeyTest, EcAttestKeyChaining) {
}
/*
+ * AttestKeyTest.EcAttestKeyMultiPurposeFail
+ *
+ * This test attempts to create an EC attestation key that also allows signing.
+ */
+TEST_P(AttestKeyTest, EcAttestKeyMultiPurposeFail) {
+ vector<uint8_t> attest_key_blob;
+ vector<KeyCharacteristics> attest_key_characteristics;
+ vector<Certificate> attest_key_cert_chain;
+ ASSERT_EQ(ErrorCode::INCOMPATIBLE_PURPOSE,
+ GenerateKey(AuthorizationSetBuilder()
+ .EcdsaSigningKey(EcCurve::P_256)
+ .AttestKey()
+ .SetDefaultValidity(),
+ {} /* attestation signing key */, &attest_key_blob,
+ &attest_key_characteristics, &attest_key_cert_chain));
+}
+
+/*
* AttestKeyTest.AlternateAttestKeyChaining
*
* This test creates a chain of multiple attest keys, in the order Ec - RSA - Ec - RSA ....
@@ -474,7 +516,8 @@ TEST_P(AttestKeyTest, AlternateAttestKeyChaining) {
AuthorizationSet hw_enforced = HwEnforcedAuthorizations(attested_key_characteristics);
AuthorizationSet sw_enforced = SwEnforcedAuthorizations(attested_key_characteristics);
ASSERT_GT(cert_chain_list[i].size(), 0);
- EXPECT_TRUE(verify_attestation_record("foo", "bar", sw_enforced, hw_enforced, SecLevel(),
+ EXPECT_TRUE(verify_attestation_record(AidlVersion(), "foo", "bar", sw_enforced, hw_enforced,
+ SecLevel(),
cert_chain_list[i][0].encodedCertificate));
if (i > 0) {
@@ -588,7 +631,8 @@ TEST_P(AttestKeyTest, AllEcCurves) {
AuthorizationSet hw_enforced = HwEnforcedAuthorizations(attested_key_characteristics);
AuthorizationSet sw_enforced = SwEnforcedAuthorizations(attested_key_characteristics);
- EXPECT_TRUE(verify_attestation_record("foo", "bar", sw_enforced, hw_enforced, SecLevel(),
+ EXPECT_TRUE(verify_attestation_record(AidlVersion(), "foo", "bar", sw_enforced, hw_enforced,
+ SecLevel(),
attested_key_cert_chain[0].encodedCertificate));
// Attestation by itself is not valid (last entry is not self-signed).
@@ -619,7 +663,8 @@ TEST_P(AttestKeyTest, AllEcCurves) {
hw_enforced = HwEnforcedAuthorizations(attested_key_characteristics);
sw_enforced = SwEnforcedAuthorizations(attested_key_characteristics);
- EXPECT_TRUE(verify_attestation_record("foo", "bar", sw_enforced, hw_enforced, SecLevel(),
+ EXPECT_TRUE(verify_attestation_record(AidlVersion(), "foo", "bar", sw_enforced, hw_enforced,
+ SecLevel(),
attested_key_cert_chain[0].encodedCertificate));
// Attestation by itself is not valid (last entry is not self-signed).
@@ -724,8 +769,8 @@ TEST_P(AttestKeyTest, EcdsaAttestationID) {
// attestation extension should contain them, so make sure the extra tag is added.
hw_enforced.push_back(tag);
- EXPECT_TRUE(verify_attestation_record("challenge", "foo", sw_enforced, hw_enforced,
- SecLevel(),
+ EXPECT_TRUE(verify_attestation_record(AidlVersion(), "challenge", "foo", sw_enforced,
+ hw_enforced, SecLevel(),
attested_key_cert_chain[0].encodedCertificate));
}
CheckedDeleteKey(&attest_key.keyBlob);