diff options
| author | Treehugger Robot <treehugger-gerrit@google.com> | 2022-02-16 16:56:12 +0000 |
|---|---|---|
| committer | Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com> | 2022-02-16 16:56:12 +0000 |
| commit | 999b0e3efc9dfc391abc1d4782c5f21f117fa059 (patch) | |
| tree | fd90bdcc56fa58bb194bfe068ea2815991a7c33c /security/keymint/aidl/vts/functional/KeyMintTest.cpp | |
| parent | 24b8a977f7847a0da6f6f2a3ae77773968a9651d (diff) | |
| parent | 07c1601d5f7c683a16e8ffb8a041b7e2b2d31f05 (diff) | |
Merge "Fixed vts tests cases which do not support factory attestation. Test: Run keymint Vts tests." am: 0f7d419136 am: c1603e8ef5 am: 07c1601d5f
Original change: https://android-review.googlesource.com/c/platform/hardware/interfaces/+/1972595
Change-Id: I27812795afb51c66ebacc735b1986bd508c71cc4
Diffstat (limited to 'security/keymint/aidl/vts/functional/KeyMintTest.cpp')
| -rw-r--r-- | security/keymint/aidl/vts/functional/KeyMintTest.cpp | 197 |
1 files changed, 123 insertions, 74 deletions
diff --git a/security/keymint/aidl/vts/functional/KeyMintTest.cpp b/security/keymint/aidl/vts/functional/KeyMintTest.cpp index 7357ac7425..6263c0a09c 100644 --- a/security/keymint/aidl/vts/functional/KeyMintTest.cpp +++ b/security/keymint/aidl/vts/functional/KeyMintTest.cpp @@ -1036,18 +1036,21 @@ TEST_P(NewKeyGenerationTest, RsaWithAttestation) { for (auto key_size : ValidKeySizes(Algorithm::RSA)) { vector<uint8_t> key_blob; vector<KeyCharacteristics> key_characteristics; - ASSERT_EQ(ErrorCode::OK, - GenerateKey(AuthorizationSetBuilder() - .RsaSigningKey(key_size, 65537) - .Digest(Digest::NONE) - .Padding(PaddingMode::NONE) - .AttestationChallenge(challenge) - .AttestationApplicationId(app_id) - .Authorization(TAG_NO_AUTH_REQUIRED) - .Authorization(TAG_CERTIFICATE_SERIAL, serial_blob) - .Authorization(TAG_CERTIFICATE_SUBJECT, subject_der) - .SetDefaultValidity(), - &key_blob, &key_characteristics)); + auto result = GenerateKey(AuthorizationSetBuilder() + .RsaSigningKey(key_size, 65537) + .Digest(Digest::NONE) + .Padding(PaddingMode::NONE) + .AttestationChallenge(challenge) + .AttestationApplicationId(app_id) + .Authorization(TAG_NO_AUTH_REQUIRED) + .Authorization(TAG_CERTIFICATE_SERIAL, serial_blob) + .Authorization(TAG_CERTIFICATE_SUBJECT, subject_der) + .SetDefaultValidity(), + &key_blob, &key_characteristics); + // Strongbox may not support factory provisioned attestation key. + if (SecLevel() == SecurityLevel::STRONGBOX) { + if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) return; + } ASSERT_GT(key_blob.size(), 0U); CheckBaseParams(key_characteristics); @@ -1169,17 +1172,21 @@ TEST_P(NewKeyGenerationTest, RsaEncryptionWithAttestation) { vector<uint8_t> key_blob; vector<KeyCharacteristics> key_characteristics; - ASSERT_EQ(ErrorCode::OK, - GenerateKey(AuthorizationSetBuilder() - .RsaEncryptionKey(key_size, 65537) - .Padding(PaddingMode::NONE) - .AttestationChallenge(challenge) - .AttestationApplicationId(app_id) - .Authorization(TAG_NO_AUTH_REQUIRED) - .Authorization(TAG_CERTIFICATE_SERIAL, serial_blob) - .Authorization(TAG_CERTIFICATE_SUBJECT, subject_der) - .SetDefaultValidity(), - &key_blob, &key_characteristics)); + auto result = GenerateKey(AuthorizationSetBuilder() + .RsaEncryptionKey(key_size, 65537) + .Padding(PaddingMode::NONE) + .AttestationChallenge(challenge) + .AttestationApplicationId(app_id) + .Authorization(TAG_NO_AUTH_REQUIRED) + .Authorization(TAG_CERTIFICATE_SERIAL, serial_blob) + .Authorization(TAG_CERTIFICATE_SUBJECT, subject_der) + .SetDefaultValidity(), + &key_blob, &key_characteristics); + // Strongbox may not support factory provisioned attestation key. + if (SecLevel() == SecurityLevel::STRONGBOX) { + if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) return; + } + ASSERT_EQ(ErrorCode::OK, result); ASSERT_GT(key_blob.size(), 0U); AuthorizationSet auths; @@ -1281,15 +1288,19 @@ TEST_P(NewKeyGenerationTest, RsaWithAttestationMissAppId) { vector<uint8_t> key_blob; vector<KeyCharacteristics> key_characteristics; - ASSERT_EQ(ErrorCode::ATTESTATION_APPLICATION_ID_MISSING, - GenerateKey(AuthorizationSetBuilder() - .RsaSigningKey(2048, 65537) - .Digest(Digest::NONE) - .Padding(PaddingMode::NONE) - .AttestationChallenge(challenge) - .Authorization(TAG_NO_AUTH_REQUIRED) - .SetDefaultValidity(), - &key_blob, &key_characteristics)); + auto result = GenerateKey(AuthorizationSetBuilder() + .RsaSigningKey(2048, 65537) + .Digest(Digest::NONE) + .Padding(PaddingMode::NONE) + .AttestationChallenge(challenge) + .Authorization(TAG_NO_AUTH_REQUIRED) + .SetDefaultValidity(), + &key_blob, &key_characteristics); + // Strongbox may not support factory provisioned attestation key. + if (SecLevel() == SecurityLevel::STRONGBOX) { + if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) return; + } + ASSERT_EQ(ErrorCode::ATTESTATION_APPLICATION_ID_MISSING, result); } /* @@ -1399,19 +1410,23 @@ TEST_P(NewKeyGenerationTest, LimitedUsageRsaWithAttestation) { for (auto key_size : ValidKeySizes(Algorithm::RSA)) { vector<uint8_t> key_blob; vector<KeyCharacteristics> key_characteristics; - ASSERT_EQ(ErrorCode::OK, - GenerateKey(AuthorizationSetBuilder() - .RsaSigningKey(key_size, 65537) - .Digest(Digest::NONE) - .Padding(PaddingMode::NONE) - .AttestationChallenge(challenge) - .AttestationApplicationId(app_id) - .Authorization(TAG_NO_AUTH_REQUIRED) - .Authorization(TAG_USAGE_COUNT_LIMIT, 1) - .Authorization(TAG_CERTIFICATE_SERIAL, serial_blob) - .Authorization(TAG_CERTIFICATE_SUBJECT, subject_der) - .SetDefaultValidity(), - &key_blob, &key_characteristics)); + auto result = GenerateKey(AuthorizationSetBuilder() + .RsaSigningKey(key_size, 65537) + .Digest(Digest::NONE) + .Padding(PaddingMode::NONE) + .AttestationChallenge(challenge) + .AttestationApplicationId(app_id) + .Authorization(TAG_NO_AUTH_REQUIRED) + .Authorization(TAG_USAGE_COUNT_LIMIT, 1) + .Authorization(TAG_CERTIFICATE_SERIAL, serial_blob) + .Authorization(TAG_CERTIFICATE_SUBJECT, subject_der) + .SetDefaultValidity(), + &key_blob, &key_characteristics); + // Strongbox may not support factory provisioned attestation key. + if (SecLevel() == SecurityLevel::STRONGBOX) { + if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) return; + } + ASSERT_EQ(ErrorCode::OK, result); ASSERT_GT(key_blob.size(), 0U); CheckBaseParams(key_characteristics); @@ -1601,17 +1616,21 @@ TEST_P(NewKeyGenerationTest, EcdsaAttestation) { for (auto curve : ValidCurves()) { vector<uint8_t> key_blob; vector<KeyCharacteristics> key_characteristics; - ASSERT_EQ(ErrorCode::OK, - GenerateKey(AuthorizationSetBuilder() - .Authorization(TAG_NO_AUTH_REQUIRED) - .EcdsaSigningKey(curve) - .Digest(Digest::NONE) - .AttestationChallenge(challenge) - .AttestationApplicationId(app_id) - .Authorization(TAG_CERTIFICATE_SERIAL, serial_blob) - .Authorization(TAG_CERTIFICATE_SUBJECT, subject_der) - .SetDefaultValidity(), - &key_blob, &key_characteristics)); + auto result = GenerateKey(AuthorizationSetBuilder() + .Authorization(TAG_NO_AUTH_REQUIRED) + .EcdsaSigningKey(curve) + .Digest(Digest::NONE) + .AttestationChallenge(challenge) + .AttestationApplicationId(app_id) + .Authorization(TAG_CERTIFICATE_SERIAL, serial_blob) + .Authorization(TAG_CERTIFICATE_SUBJECT, subject_der) + .SetDefaultValidity(), + &key_blob, &key_characteristics); + // Strongbox may not support factory provisioned attestation key. + if (SecLevel() == SecurityLevel::STRONGBOX) { + if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) return; + } + ASSERT_EQ(ErrorCode::OK, result); ASSERT_GT(key_blob.size(), 0U); CheckBaseParams(key_characteristics); CheckCharacteristics(key_blob, key_characteristics); @@ -1745,6 +1764,10 @@ TEST_P(NewKeyGenerationTest, EcdsaAttestationTags) { // Tag not required to be supported by all KeyMint implementations. continue; } + // Strongbox may not support factory provisioned attestation key. + if (SecLevel() == SecurityLevel::STRONGBOX) { + if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) return; + } ASSERT_EQ(result, ErrorCode::OK); ASSERT_GT(key_blob.size(), 0U); @@ -1840,6 +1863,10 @@ TEST_P(NewKeyGenerationTest, EcdsaAttestationIdTags) { AuthorizationSetBuilder builder = base_builder; builder.push_back(tag); auto result = GenerateKey(builder, &key_blob, &key_characteristics); + // Strongbox may not support factory provisioned attestation key. + if (SecLevel() == SecurityLevel::STRONGBOX) { + if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) return; + } if (result == ErrorCode::CANNOT_ATTEST_IDS) { // Device ID attestation is optional; KeyMint may not support it at all. continue; @@ -1997,6 +2024,10 @@ TEST_P(NewKeyGenerationTest, EcdsaAttestationTagNoApplicationId) { .Authorization(TAG_CERTIFICATE_SUBJECT, subject_der) .SetDefaultValidity(), &key_blob, &key_characteristics); + // Strongbox may not support factory provisioned attestation key. + if (SecLevel() == SecurityLevel::STRONGBOX) { + if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) return; + } ASSERT_EQ(result, ErrorCode::OK); ASSERT_GT(key_blob.size(), 0U); @@ -2076,13 +2107,17 @@ TEST_P(NewKeyGenerationTest, EcdsaAttestationRequireAppId) { vector<uint8_t> key_blob; vector<KeyCharacteristics> key_characteristics; - ASSERT_EQ(ErrorCode::ATTESTATION_APPLICATION_ID_MISSING, - GenerateKey(AuthorizationSetBuilder() - .EcdsaSigningKey(EcCurve::P_256) - .Digest(Digest::NONE) - .AttestationChallenge(challenge) - .SetDefaultValidity(), - &key_blob, &key_characteristics)); + auto result = GenerateKey(AuthorizationSetBuilder() + .EcdsaSigningKey(EcCurve::P_256) + .Digest(Digest::NONE) + .AttestationChallenge(challenge) + .SetDefaultValidity(), + &key_blob, &key_characteristics); + // Strongbox may not support factory provisioned attestation key. + if (SecLevel() == SecurityLevel::STRONGBOX) { + if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) return; + } + ASSERT_EQ(ErrorCode::ATTESTATION_APPLICATION_ID_MISSING, result); } /* @@ -2139,14 +2174,19 @@ TEST_P(NewKeyGenerationTest, AttestationApplicationIDLengthProperlyEncoded) { const string app_id(length, 'a'); vector<uint8_t> key_blob; vector<KeyCharacteristics> key_characteristics; - ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder() - .Authorization(TAG_NO_AUTH_REQUIRED) - .EcdsaSigningKey(EcCurve::P_256) - .Digest(Digest::NONE) - .AttestationChallenge(challenge) - .AttestationApplicationId(app_id) - .SetDefaultValidity(), - &key_blob, &key_characteristics)); + auto result = GenerateKey(AuthorizationSetBuilder() + .Authorization(TAG_NO_AUTH_REQUIRED) + .EcdsaSigningKey(EcCurve::P_256) + .Digest(Digest::NONE) + .AttestationChallenge(challenge) + .AttestationApplicationId(app_id) + .SetDefaultValidity(), + &key_blob, &key_characteristics); + // Strongbox may not support factory provisioned attestation key. + if (SecLevel() == SecurityLevel::STRONGBOX) { + if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) return; + } + ASSERT_EQ(ErrorCode::OK, result); ASSERT_GT(key_blob.size(), 0U); CheckBaseParams(key_characteristics); CheckCharacteristics(key_blob, key_characteristics); @@ -4646,7 +4686,7 @@ typedef KeyMintAidlTestBase EncryptionOperationsTest; * Verifies that raw RSA decryption works. */ TEST_P(EncryptionOperationsTest, RsaNoPaddingSuccess) { - for (uint64_t exponent : {3, 65537}) { + for (uint64_t exponent : ValidExponents()) { ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder() .Authorization(TAG_NO_AUTH_REQUIRED) .RsaEncryptionKey(2048, exponent) @@ -7654,14 +7694,23 @@ TEST_P(EarlyBootKeyTest, CreateAttestedEarlyBootKey) { }); for (const auto& keyData : {aesKeyData, hmacKeyData, rsaKeyData, ecdsaKeyData}) { + // Strongbox may not support factory attestation. Key creation might fail with + // ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED + if (SecLevel() == SecurityLevel::STRONGBOX && keyData.blob.size() == 0U) { + continue; + } ASSERT_GT(keyData.blob.size(), 0U); AuthorizationSet crypto_params = SecLevelAuthorizations(keyData.characteristics); EXPECT_TRUE(crypto_params.Contains(TAG_EARLY_BOOT_ONLY)) << crypto_params; } CheckedDeleteKey(&aesKeyData.blob); CheckedDeleteKey(&hmacKeyData.blob); - CheckedDeleteKey(&rsaKeyData.blob); - CheckedDeleteKey(&ecdsaKeyData.blob); + if (rsaKeyData.blob.size() != 0U) { + CheckedDeleteKey(&rsaKeyData.blob); + } + if (ecdsaKeyData.blob.size() != 0U) { + CheckedDeleteKey(&ecdsaKeyData.blob); + } } /* |