author | Selene Huang <seleneh@google.com> | 2021-04-20 19:20:11 -0700 |
---|---|---|
committer | Selene Huang <seleneh@google.com> | 2021-04-22 15:18:32 -0700 |
commit | 6e46f1467c3f691b20e736832d6e10f31747fb3f (patch) | |
tree | 529291813843176c604232ff56ac8535f1efdee3 /security/keymint/aidl/vts/functional/KeyMintTest.cpp | |
parent | de2b8f248e8df09793e6505cab67f41a318d45e5 (diff) |
Added VTS tests for certificate subject and serial for various
algorithms and for self-signed or non-self-signed certificates.
Test: atest VtsAidlKeyMintTargetTest
Change-Id: I4e9d8db7be500f165c3a9f240ea2dfe00c2a70d1
Diffstat (limited to 'security/keymint/aidl/vts/functional/KeyMintTest.cpp')
-rw-r--r-- | security/keymint/aidl/vts/functional/KeyMintTest.cpp | 180 |
1 files changed, 125 insertions, 55 deletions
diff --git a/security/keymint/aidl/vts/functional/KeyMintTest.cpp b/security/keymint/aidl/vts/functional/KeyMintTest.cpp index 09cdab1a48..aa008f8a87 100644 --- a/security/keymint/aidl/vts/functional/KeyMintTest.cpp +++ b/security/keymint/aidl/vts/functional/KeyMintTest.cpp @@ -362,18 +362,27 @@ TEST_P(NewKeyGenerationTest, RsaWithAttestation) { auto challenge = "hello"; auto app_id = "foo"; + auto subject = "cert subj 2"; + vector<uint8_t> subject_der(make_name_from_str(subject)); + + uint64_t serial_int = 66; + vector<uint8_t> serial_blob(build_serial_blob(serial_int)); + for (auto key_size : ValidKeySizes(Algorithm::RSA)) { vector<uint8_t> key_blob; vector<KeyCharacteristics> key_characteristics; - ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder() - .RsaSigningKey(key_size, 65537) - .Digest(Digest::NONE) - .Padding(PaddingMode::NONE) - .AttestationChallenge(challenge) - .AttestationApplicationId(app_id) - .Authorization(TAG_NO_AUTH_REQUIRED) - .SetDefaultValidity(), - &key_blob, &key_characteristics)); + ASSERT_EQ(ErrorCode::OK, + GenerateKey(AuthorizationSetBuilder() + .RsaSigningKey(key_size, 65537) + .Digest(Digest::NONE) + .Padding(PaddingMode::NONE) + .AttestationChallenge(challenge) + .AttestationApplicationId(app_id) + .Authorization(TAG_NO_AUTH_REQUIRED) + .Authorization(TAG_CERTIFICATE_SERIAL, serial_blob) + .Authorization(TAG_CERTIFICATE_SUBJECT, subject_der) + .SetDefaultValidity(), + &key_blob, &key_characteristics)); ASSERT_GT(key_blob.size(), 0U); CheckBaseParams(key_characteristics); @@ -385,6 +394,7 @@ TEST_P(NewKeyGenerationTest, RsaWithAttestation) { << "Key size " << key_size << "missing"; EXPECT_TRUE(crypto_params.Contains(TAG_RSA_PUBLIC_EXPONENT, 65537U)); + verify_subject_and_serial(cert_chain_[0], serial_int, subject, false); EXPECT_TRUE(ChainSignaturesAreValid(cert_chain_)); ASSERT_GT(cert_chain_.size(), 0); 
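Review bot: `verify_subject_and_serial(cert_chain_[0], ...)` is added above `ASSERT_GT(cert_chain_.size(), 0);` in the second hunk of RsaWithAttestation, so an empty certificate chain is indexed before the size assertion can fail the test cleanly. For a conformance test that means undefined behaviour or a crashed test binary instead of a reported failure, assuming `cert_chain_` is a standard vector. Move the call below the size assertion, as the LimitedUsageRsaWithAttestation and EcdsaAttestation hunks of this commit already do. The same ordering is in RsaEncryptionWithAttestation, RsaWithSelfSign, RsaWithAttestationAppIdIgnored and EcdsaSelfSignAttestation, where the size check is either `ASSERT_GT(cert_chain_.size(), 0);` or `ASSERT_EQ(cert_chain_.size(), 1);`. The test body starts and ends outside the hunk.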
@@ -480,16 +490,25 @@ TEST_P(NewKeyGenerationTest, RsaEncryptionWithAttestation) { auto challenge = "hello"; auto app_id = "foo"; + auto subject = "subj 2"; + vector<uint8_t> subject_der(make_name_from_str(subject)); + + uint64_t serial_int = 111166; + vector<uint8_t> serial_blob(build_serial_blob(serial_int)); + vector<uint8_t> key_blob; vector<KeyCharacteristics> key_characteristics; - ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder() - .RsaEncryptionKey(key_size, 65537) - .Padding(PaddingMode::NONE) - .AttestationChallenge(challenge) - .AttestationApplicationId(app_id) - .Authorization(TAG_NO_AUTH_REQUIRED) - .SetDefaultValidity(), - &key_blob, &key_characteristics)); + ASSERT_EQ(ErrorCode::OK, + GenerateKey(AuthorizationSetBuilder() + .RsaEncryptionKey(key_size, 65537) + .Padding(PaddingMode::NONE) + .AttestationChallenge(challenge) + .AttestationApplicationId(app_id) + .Authorization(TAG_NO_AUTH_REQUIRED) + .Authorization(TAG_CERTIFICATE_SERIAL, serial_blob) + .Authorization(TAG_CERTIFICATE_SUBJECT, subject_der) + .SetDefaultValidity(), + &key_blob, &key_characteristics)); ASSERT_GT(key_blob.size(), 0U); AuthorizationSet auths; @@ -521,6 +540,7 @@ TEST_P(NewKeyGenerationTest, RsaEncryptionWithAttestation) { << "Key size " << key_size << "missing"; EXPECT_TRUE(crypto_params.Contains(TAG_RSA_PUBLIC_EXPONENT, 65537U)); + verify_subject_and_serial(cert_chain_[0], serial_int, subject, false); EXPECT_TRUE(ChainSignaturesAreValid(cert_chain_)); ASSERT_GT(cert_chain_.size(), 0); 
@@ -541,16 +561,25 @@ TEST_P(NewKeyGenerationTest, RsaEncryptionWithAttestation) { * works as expected. */ TEST_P(NewKeyGenerationTest, RsaWithSelfSign) { + auto subject = "cert subj subj subj subj subj subj 22222222222222222222"; + vector<uint8_t> subject_der(make_name_from_str(subject)); + + uint64_t serial_int = 0; + vector<uint8_t> serial_blob(build_serial_blob(serial_int)); + for (auto key_size : ValidKeySizes(Algorithm::RSA)) { vector<uint8_t> key_blob; vector<KeyCharacteristics> key_characteristics; - ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder() - .RsaSigningKey(key_size, 65537) - .Digest(Digest::NONE) - .Padding(PaddingMode::NONE) - .Authorization(TAG_NO_AUTH_REQUIRED) - .SetDefaultValidity(), - &key_blob, &key_characteristics)); + ASSERT_EQ(ErrorCode::OK, + GenerateKey(AuthorizationSetBuilder() + .RsaSigningKey(key_size, 65537) + .Digest(Digest::NONE) + .Padding(PaddingMode::NONE) + .Authorization(TAG_NO_AUTH_REQUIRED) + .Authorization(TAG_CERTIFICATE_SERIAL, serial_blob) + .Authorization(TAG_CERTIFICATE_SUBJECT, subject_der) + .SetDefaultValidity(), + &key_blob, &key_characteristics)); ASSERT_GT(key_blob.size(), 0U); CheckBaseParams(key_characteristics); @@ -562,6 +591,7 @@ TEST_P(NewKeyGenerationTest, RsaWithSelfSign) { << "Key size " << key_size << "missing"; EXPECT_TRUE(crypto_params.Contains(TAG_RSA_PUBLIC_EXPONENT, 65537U)); + verify_subject_and_serial(cert_chain_[0], serial_int, subject, false); EXPECT_TRUE(ChainSignaturesAreValid(cert_chain_)); ASSERT_EQ(cert_chain_.size(), 1); 
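Review bot: `uint64_t serial_int = 0;` at the top of RsaWithSelfSign is a boundary value with no comment saying so, and a later reader may replace it with an ordinary number. RFC 5280 asks issuers for positive serial numbers, so zero is the input an encoder is most likely to reject or rewrite. I would add `// Boundary case: serial 0 is expected to appear unchanged in the certificate.` above the declaration, which matches what the later `verify_subject_and_serial` call appears to check. The same applies to `serial_int = 0xFFFFFFFFFFFFFFFF` in EcdsaAttestation, where the top bit is set and a DER INTEGER needs a leading zero byte to stay non-negative; `// Boundary case: high bit set, DER needs a leading 0x00.` would record that.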
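Review bot: The last argument of `verify_subject_and_serial(cert_chain_[0], serial_int, subject, false);` is `false` in the second hunk, although RsaWithSelfSign expects a self-signed certificate. The helper is defined outside this diff, so this is an inference: if that flag selects a self-signed check (for example issuer equal to subject), neither this test nor EcdsaSelfSignAttestation exercises it, because all seven calls in the commit pass `false`. If so, these two calls should read `verify_subject_and_serial(cert_chain_[0], serial_int, subject, true);`. An inline argument comment naming the parameter would make the intent visible at each call site.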
@@ -599,16 +629,25 @@ TEST_P(NewKeyGenerationTest, RsaWithAttestationAppIdIgnored) { auto key_size = 2048; auto app_id = "foo"; + auto subject = "cert subj 2"; + vector<uint8_t> subject_der(make_name_from_str(subject)); + + uint64_t serial_int = 1; + vector<uint8_t> serial_blob(build_serial_blob(serial_int)); + vector<uint8_t> key_blob; vector<KeyCharacteristics> key_characteristics; - ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder() - .RsaSigningKey(key_size, 65537) - .Digest(Digest::NONE) - .Padding(PaddingMode::NONE) - .AttestationApplicationId(app_id) - .Authorization(TAG_NO_AUTH_REQUIRED) - .SetDefaultValidity(), - &key_blob, &key_characteristics)); + ASSERT_EQ(ErrorCode::OK, + GenerateKey(AuthorizationSetBuilder() + .RsaSigningKey(key_size, 65537) + .Digest(Digest::NONE) + .Padding(PaddingMode::NONE) + .AttestationApplicationId(app_id) + .Authorization(TAG_NO_AUTH_REQUIRED) + .Authorization(TAG_CERTIFICATE_SERIAL, serial_blob) + .Authorization(TAG_CERTIFICATE_SUBJECT, subject_der) + .SetDefaultValidity(), + &key_blob, &key_characteristics)); ASSERT_GT(key_blob.size(), 0U); CheckBaseParams(key_characteristics); @@ -620,6 +659,7 @@ TEST_P(NewKeyGenerationTest, RsaWithAttestationAppIdIgnored) { << "Key size " << key_size << "missing"; EXPECT_TRUE(crypto_params.Contains(TAG_RSA_PUBLIC_EXPONENT, 65537U)); + verify_subject_and_serial(cert_chain_[0], serial_int, subject, false); EXPECT_TRUE(ChainSignaturesAreValid(cert_chain_)); ASSERT_EQ(cert_chain_.size(), 1); 
@@ -676,19 +716,28 @@ TEST_P(NewKeyGenerationTest, LimitedUsageRsaWithAttestation) { auto challenge = "hello"; auto app_id = "foo"; + auto subject = "cert subj 2"; + vector<uint8_t> subject_der(make_name_from_str(subject)); + + uint64_t serial_int = 66; + vector<uint8_t> serial_blob(build_serial_blob(serial_int)); + for (auto key_size : ValidKeySizes(Algorithm::RSA)) { vector<uint8_t> key_blob; vector<KeyCharacteristics> key_characteristics; - ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder() - .RsaSigningKey(key_size, 65537) - .Digest(Digest::NONE) - .Padding(PaddingMode::NONE) - .AttestationChallenge(challenge) - .AttestationApplicationId(app_id) - .Authorization(TAG_NO_AUTH_REQUIRED) - .Authorization(TAG_USAGE_COUNT_LIMIT, 1) - .SetDefaultValidity(), - &key_blob, &key_characteristics)); + ASSERT_EQ(ErrorCode::OK, + GenerateKey(AuthorizationSetBuilder() + .RsaSigningKey(key_size, 65537) + .Digest(Digest::NONE) + .Padding(PaddingMode::NONE) + .AttestationChallenge(challenge) + .AttestationApplicationId(app_id) + .Authorization(TAG_NO_AUTH_REQUIRED) + .Authorization(TAG_USAGE_COUNT_LIMIT, 1) + .Authorization(TAG_CERTIFICATE_SERIAL, serial_blob) + .Authorization(TAG_CERTIFICATE_SUBJECT, subject_der) + .SetDefaultValidity(), + &key_blob, &key_characteristics)); ASSERT_GT(key_blob.size(), 0U); CheckBaseParams(key_characteristics); @@ -711,6 +760,7 @@ TEST_P(NewKeyGenerationTest, LimitedUsageRsaWithAttestation) { // Check the usage count limit tag also appears in the attestation. EXPECT_TRUE(ChainSignaturesAreValid(cert_chain_)); ASSERT_GT(cert_chain_.size(), 0); + verify_subject_and_serial(cert_chain_[0], serial_int, subject, false); AuthorizationSet hw_enforced = HwEnforcedAuthorizations(key_characteristics); AuthorizationSet sw_enforced = SwEnforcedAuthorizations(key_characteristics); 
@@ -794,17 +844,26 @@ TEST_P(NewKeyGenerationTest, EcdsaAttestation) { auto challenge = "hello"; auto app_id = "foo"; + auto subject = "cert subj 2"; + vector<uint8_t> subject_der(make_name_from_str(subject)); + + uint64_t serial_int = 0xFFFFFFFFFFFFFFFF; + vector<uint8_t> serial_blob(build_serial_blob(serial_int)); + for (auto key_size : ValidKeySizes(Algorithm::EC)) { vector<uint8_t> key_blob; vector<KeyCharacteristics> key_characteristics; - ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder() - .Authorization(TAG_NO_AUTH_REQUIRED) - .EcdsaSigningKey(key_size) - .Digest(Digest::NONE) - .AttestationChallenge(challenge) - .AttestationApplicationId(app_id) - .SetDefaultValidity(), - &key_blob, &key_characteristics)); + ASSERT_EQ(ErrorCode::OK, + GenerateKey(AuthorizationSetBuilder() + .Authorization(TAG_NO_AUTH_REQUIRED) + .EcdsaSigningKey(key_size) + .Digest(Digest::NONE) + .AttestationChallenge(challenge) + .AttestationApplicationId(app_id) + .Authorization(TAG_CERTIFICATE_SERIAL, serial_blob) + .Authorization(TAG_CERTIFICATE_SUBJECT, subject_der) + .SetDefaultValidity(), + &key_blob, &key_characteristics)); ASSERT_GT(key_blob.size(), 0U); CheckBaseParams(key_characteristics); @@ -816,6 +875,7 @@ TEST_P(NewKeyGenerationTest, EcdsaAttestation) { EXPECT_TRUE(ChainSignaturesAreValid(cert_chain_)); ASSERT_GT(cert_chain_.size(), 0); + verify_subject_and_serial(cert_chain_[0], serial_int, subject, false); AuthorizationSet hw_enforced = HwEnforcedAuthorizations(key_characteristics); AuthorizationSet sw_enforced = SwEnforcedAuthorizations(key_characteristics); 
@@ -834,14 +894,23 @@ TEST_P(NewKeyGenerationTest, EcdsaAttestation) { * the key will generate a self signed attestation. */ TEST_P(NewKeyGenerationTest, EcdsaSelfSignAttestation) { + auto subject = "cert subj 2"; + vector<uint8_t> subject_der(make_name_from_str(subject)); + + uint64_t serial_int = 0x123456FFF1234; + vector<uint8_t> serial_blob(build_serial_blob(serial_int)); + for (auto key_size : ValidKeySizes(Algorithm::EC)) { vector<uint8_t> key_blob; vector<KeyCharacteristics> key_characteristics; - ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder() - .EcdsaSigningKey(key_size) - .Digest(Digest::NONE) - .SetDefaultValidity(), - &key_blob, &key_characteristics)); + ASSERT_EQ(ErrorCode::OK, + GenerateKey(AuthorizationSetBuilder() + .EcdsaSigningKey(key_size) + .Digest(Digest::NONE) + .Authorization(TAG_CERTIFICATE_SERIAL, serial_blob) + .Authorization(TAG_CERTIFICATE_SUBJECT, subject_der) + .SetDefaultValidity(), + &key_blob, &key_characteristics)); ASSERT_GT(key_blob.size(), 0U); CheckBaseParams(key_characteristics); @@ -852,6 +921,7 @@ TEST_P(NewKeyGenerationTest, EcdsaSelfSignAttestation) { << "Key size " << key_size << "missing"; EXPECT_TRUE(ChainSignaturesAreValid(cert_chain_)); + verify_subject_and_serial(cert_chain_[0], serial_int, subject, false); ASSERT_EQ(cert_chain_.size(), 1); AuthorizationSet hw_enforced = HwEnforcedAuthorizations(key_characteristics); |