author | Scott Lobdell <slobdell@google.com> | 2022-01-30 02:48:00 +0000 |
---|---|---|
committer | Scott Lobdell <slobdell@google.com> | 2022-01-30 03:00:47 +0000 |
commit | a028272dee9220e6810cbdcfb2328c34f8afe4c2 (patch) | |
tree | 67574a4494f5fccdb37925294b32d5b62642fa4d /security/keymint/aidl/vts/functional/KeyMintTest.cpp | |
parent | c8ad7b85d490d5c925d708f36f4dd74a64e591be (diff) | |
parent | 8338316c8344ab2707b6572e34e42e5fca9f9ee9 (diff) |
Merge TP1A.220107.002
Change-Id: I655d5412ccd734059dfb19075bb9abc810396975
Diffstat (limited to 'security/keymint/aidl/vts/functional/KeyMintTest.cpp')
-rw-r--r-- | security/keymint/aidl/vts/functional/KeyMintTest.cpp | 73 |
1 files changed, 57 insertions, 16 deletions
diff --git a/security/keymint/aidl/vts/functional/KeyMintTest.cpp b/security/keymint/aidl/vts/functional/KeyMintTest.cpp
index d8b19dcf4f..dd3719bc7d 100644
--- a/security/keymint/aidl/vts/functional/KeyMintTest.cpp
+++ b/security/keymint/aidl/vts/functional/KeyMintTest.cpp
@@ -942,7 +942,7 @@ TEST_P(NewKeyGenerationTest, RsaWithAttestation) {
 AuthorizationSet hw_enforced = HwEnforcedAuthorizations(key_characteristics);
 AuthorizationSet sw_enforced = SwEnforcedAuthorizations(key_characteristics);
- EXPECT_TRUE(verify_attestation_record(challenge, app_id, //
+ EXPECT_TRUE(verify_attestation_record(AidlVersion(), challenge, app_id, //
 sw_enforced, hw_enforced, SecLevel(), cert_chain_[0].encodedCertificate));
@@ -1093,7 +1093,7 @@ TEST_P(NewKeyGenerationTest, RsaEncryptionWithAttestation) {
 AuthorizationSet hw_enforced = HwEnforcedAuthorizations(key_characteristics);
 AuthorizationSet sw_enforced = SwEnforcedAuthorizations(key_characteristics);
- EXPECT_TRUE(verify_attestation_record(challenge, app_id, //
+ EXPECT_TRUE(verify_attestation_record(AidlVersion(), challenge, app_id, //
 sw_enforced, hw_enforced, SecLevel(), cert_chain_[0].encodedCertificate));
@@ -1315,7 +1315,7 @@ TEST_P(NewKeyGenerationTest, LimitedUsageRsaWithAttestation) {
 AuthorizationSet hw_enforced = HwEnforcedAuthorizations(key_characteristics);
 AuthorizationSet sw_enforced = SwEnforcedAuthorizations(key_characteristics);
- EXPECT_TRUE(verify_attestation_record(challenge, app_id, //
+ EXPECT_TRUE(verify_attestation_record(AidlVersion(), challenge, app_id, //
 sw_enforced, hw_enforced, SecLevel(), cert_chain_[0].encodedCertificate));
@@ -1444,7 +1444,7 @@ TEST_P(NewKeyGenerationTest, EcdsaAttestation) {
 AuthorizationSet hw_enforced = HwEnforcedAuthorizations(key_characteristics);
 AuthorizationSet sw_enforced = SwEnforcedAuthorizations(key_characteristics);
- EXPECT_TRUE(verify_attestation_record(challenge, app_id, //
+ EXPECT_TRUE(verify_attestation_record(AidlVersion(), challenge, app_id, //
 sw_enforced, hw_enforced, SecLevel(), cert_chain_[0].encodedCertificate));
@@ -1523,8 +1523,9 @@ TEST_P(NewKeyGenerationTest, EcdsaAttestationTags) {
 // Verifying the attestation record will check for the specific tag because
 // it's included in the authorizations.
- EXPECT_TRUE(verify_attestation_record(challenge, app_id, sw_enforced, hw_enforced,
- SecLevel(), cert_chain_[0].encodedCertificate));
+ EXPECT_TRUE(verify_attestation_record(AidlVersion(), challenge, app_id, sw_enforced,
+ hw_enforced, SecLevel(),
+ cert_chain_[0].encodedCertificate));
 CheckedDeleteKey(&key_blob);
 }
@@ -1621,8 +1622,9 @@ TEST_P(NewKeyGenerationTest, EcdsaAttestationIdTags) {
 // Verifying the attestation record will check for the specific tag because
 // it's included in the authorizations.
- EXPECT_TRUE(verify_attestation_record(challenge, app_id, sw_enforced, hw_enforced,
- SecLevel(), cert_chain_[0].encodedCertificate));
+ EXPECT_TRUE(verify_attestation_record(AidlVersion(), challenge, app_id, sw_enforced,
+ hw_enforced, SecLevel(),
+ cert_chain_[0].encodedCertificate));
 CheckedDeleteKey(&key_blob);
 }
@@ -1668,9 +1670,9 @@ TEST_P(NewKeyGenerationTest, EcdsaAttestationUniqueId) {
 AuthorizationSet sw_enforced = SwEnforcedAuthorizations(key_characteristics_);
 // Check that the unique ID field in the extension is non-empty.
- EXPECT_TRUE(verify_attestation_record(challenge, app_id, sw_enforced, hw_enforced,
- SecLevel(), cert_chain_[0].encodedCertificate,
- unique_id));
+ EXPECT_TRUE(verify_attestation_record(AidlVersion(), challenge, app_id, sw_enforced,
+ hw_enforced, SecLevel(),
+ cert_chain_[0].encodedCertificate, unique_id));
 EXPECT_GT(unique_id->size(), 0);
 CheckedDeleteKey();
 };
@@ -1765,8 +1767,9 @@ TEST_P(NewKeyGenerationTest, EcdsaAttestationTagNoApplicationId) {
 AuthorizationSet hw_enforced = HwEnforcedAuthorizations(key_characteristics);
 AuthorizationSet sw_enforced = SwEnforcedAuthorizations(key_characteristics);
- EXPECT_TRUE(verify_attestation_record(challenge, attest_app_id, sw_enforced, hw_enforced,
- SecLevel(), cert_chain_[0].encodedCertificate));
+ EXPECT_TRUE(verify_attestation_record(AidlVersion(), challenge, attest_app_id, sw_enforced,
+ hw_enforced, SecLevel(),
+ cert_chain_[0].encodedCertificate));
 // Check that the app id is not in the cert.
 string app_id = "clientid";
@@ -1919,7 +1922,7 @@ TEST_P(NewKeyGenerationTest, AttestationApplicationIDLengthProperlyEncoded) {
 AuthorizationSet hw_enforced = HwEnforcedAuthorizations(key_characteristics);
 AuthorizationSet sw_enforced = SwEnforcedAuthorizations(key_characteristics);
- EXPECT_TRUE(verify_attestation_record(challenge, app_id, //
+ EXPECT_TRUE(verify_attestation_record(AidlVersion(), challenge, app_id, //
 sw_enforced, hw_enforced, SecLevel(), cert_chain_[0].encodedCertificate));
@@ -3352,6 +3355,26 @@ TEST_P(ImportKeyTest, RsaPublicExponentMismatch) {
 }
 /*
+ * ImportKeyTest.RsaAttestMultiPurposeFail
+ *
+ * Verifies that importing an RSA key pair with purpose ATTEST_KEY+SIGN fails.
+ */
+TEST_P(ImportKeyTest, RsaAttestMultiPurposeFail) {
+ uint32_t key_size = 2048;
+ string key = rsa_2048_key;
+
+ ASSERT_EQ(ErrorCode::INCOMPATIBLE_PURPOSE,
+ ImportKey(AuthorizationSetBuilder()
+ .Authorization(TAG_NO_AUTH_REQUIRED)
+ .RsaSigningKey(key_size, 65537)
+ .AttestKey()
+ .Digest(Digest::SHA_2_256)
+ .Padding(PaddingMode::RSA_PSS)
+ .SetDefaultValidity(),
+ KeyFormat::PKCS8, key));
+}
+
+/*
 * ImportKeyTest.EcdsaSuccess
 *
 * Verifies that importing and using an ECDSA P-256 key pair works correctly.
@@ -3470,6 +3493,22 @@ TEST_P(ImportKeyTest, EcdsaCurveMismatch) {
 }
 /*
+ * ImportKeyTest.EcdsaAttestMultiPurposeFail
+ *
+ * Verifies that importing and using an ECDSA P-256 key pair with purpose ATTEST_KEY+SIGN fails.
+ */
+TEST_P(ImportKeyTest, EcdsaAttestMultiPurposeFail) {
+ ASSERT_EQ(ErrorCode::INCOMPATIBLE_PURPOSE,
+ ImportKey(AuthorizationSetBuilder()
+ .Authorization(TAG_NO_AUTH_REQUIRED)
+ .EcdsaSigningKey(EcCurve::P_256)
+ .AttestKey()
+ .Digest(Digest::SHA_2_256)
+ .SetDefaultValidity(),
+ KeyFormat::PKCS8, ec_256_key));
+}
+
+/*
 * ImportKeyTest.AesSuccess
 *
 * Verifies that importing and using an AES key works.
@@ -6661,7 +6700,7 @@ INSTANTIATE_KEYMINT_AIDL_TEST(TransportLimitTest);
 typedef KeyMintAidlTestBase KeyAgreementTest;
-int CurveToOpenSslCurveName(EcCurve curve) {
+static int EcdhCurveToOpenSslCurveName(EcCurve curve) {
 switch (curve) {
 case EcCurve::P_224:
 return NID_secp224r1;
@@ -6671,6 +6710,8 @@ int CurveToOpenSslCurveName(EcCurve curve) {
 return NID_secp384r1;
 case EcCurve::P_521:
 return NID_secp521r1;
+ case EcCurve::CURVE_25519:
+ return NID_X25519;
 }
 }
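Review bot: `RsaAttestMultiPurposeFail` expects `ErrorCode::INCOMPATIBLE_PURPOSE` unconditionally, with no check of the HAL version under test, even though this same commit starts threading `AidlVersion()` into `verify_attestation_record` for version-dependent checks. If implementations of an earlier KeyMint version that accepted ATTEST_KEY combined with SIGN are still expected to pass this suite, the test needs a guard at the top such as `if (AidlVersion() < N) GTEST_SKIP() << "ATTEST_KEY single-purpose not enforced before vN";` (N is a placeholder for whichever version made the rule strict); the same applies to `EcdsaAttestMultiPurposeFail` in the next hunk. The header comment would also be more useful if it stated why the combination must be rejected: presumably a key that both certifies other keys and signs caller-supplied data could produce signatures that are later mistaken for attestations.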
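Review bot: The header comment of `EcdsaAttestMultiPurposeFail` says "importing and using", but the test body only calls `ImportKey` and never uses the key; the wording looks carried over from `ImportKeyTest.EcdsaSuccess`. Suggested text: `Verifies that importing an ECDSA P-256 key pair with purpose ATTEST_KEY+SIGN fails.`, which also matches the comment on the RSA variant.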
@@ -6692,7 +6733,7 @@ TEST_P(KeyAgreementTest, Ecdh) {
 for (auto localCurve : ValidCurves()) {
 // Generate EC key locally (with access to private key material)
 auto ecKey = EC_KEY_Ptr(EC_KEY_new());
- int curveName = CurveToOpenSslCurveName(localCurve);
+ int curveName = EcdhCurveToOpenSslCurveName(localCurve);
 auto group = EC_GROUP_Ptr(EC_GROUP_new_by_curve_name(curveName));
 ASSERT_NE(group, nullptr);
 ASSERT_EQ(EC_KEY_set_group(ecKey.get(), group.get()), 1); |
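Review bot: `EC_GROUP_new_by_curve_name(curveName)` will be handed `NID_X25519` whenever `ValidCurves()` yields `EcCurve::CURVE_25519`, because the renamed helper maps that curve in the previous hunk. X25519 is not available as an `EC_GROUP` in OpenSSL/BoringSSL, so the call returns null and `ASSERT_NE(group, nullptr)` aborts the test instead of exercising key agreement for the remaining curves. `ValidCurves()` is not visible here, so this path may be unreachable today; if it is reachable, the loop should skip Curve25519 or give it a separate `EVP_PKEY`-based path, e.g. `if (localCurve == EcCurve::CURVE_25519) continue;  // X25519 handled separately`. The loop body continues outside the hunk.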