diff options
| author | Treehugger Robot <treehugger-gerrit@google.com> | 2022-02-16 16:10:06 +0000 |
|---|---|---|
| committer | Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com> | 2022-02-16 16:10:06 +0000 |
| commit | c1603e8ef5d9e1d7dcbe4c19744893c60ce54f4f (patch) | |
| tree | ba548a1a4c6996399d17b6b7ed0efebfb0a38a03 /security/keymint/aidl/vts/functional/KeyMintTest.cpp | |
| parent | 5e547de67dc3cbbbd28572c8a892de90ff52893e (diff) | |
| parent | 0f7d41913658132823980112d6f704b6489396d2 (diff) | |
Merge "Fixed vts tests cases which do not support factory attestation. Test: Run keymint Vts tests." am: 0f7d419136
Original change: https://android-review.googlesource.com/c/platform/hardware/interfaces/+/1972595
Change-Id: Idd3b8dc691be5d50136af7001adb077b759ba217
Diffstat (limited to 'security/keymint/aidl/vts/functional/KeyMintTest.cpp')
| -rw-r--r-- | security/keymint/aidl/vts/functional/KeyMintTest.cpp | 203 |
1 files changed, 126 insertions, 77 deletions
diff --git a/security/keymint/aidl/vts/functional/KeyMintTest.cpp b/security/keymint/aidl/vts/functional/KeyMintTest.cpp index 62f22bb67b..4a32c2f37b 100644 --- a/security/keymint/aidl/vts/functional/KeyMintTest.cpp +++ b/security/keymint/aidl/vts/functional/KeyMintTest.cpp @@ -1036,18 +1036,21 @@ TEST_P(NewKeyGenerationTest, RsaWithAttestation) { for (auto key_size : ValidKeySizes(Algorithm::RSA)) { vector<uint8_t> key_blob; vector<KeyCharacteristics> key_characteristics; - ASSERT_EQ(ErrorCode::OK, - GenerateKey(AuthorizationSetBuilder() - .RsaSigningKey(key_size, 65537) - .Digest(Digest::NONE) - .Padding(PaddingMode::NONE) - .AttestationChallenge(challenge) - .AttestationApplicationId(app_id) - .Authorization(TAG_NO_AUTH_REQUIRED) - .Authorization(TAG_CERTIFICATE_SERIAL, serial_blob) - .Authorization(TAG_CERTIFICATE_SUBJECT, subject_der) - .SetDefaultValidity(), - &key_blob, &key_characteristics)); + auto result = GenerateKey(AuthorizationSetBuilder() + .RsaSigningKey(key_size, 65537) + .Digest(Digest::NONE) + .Padding(PaddingMode::NONE) + .AttestationChallenge(challenge) + .AttestationApplicationId(app_id) + .Authorization(TAG_NO_AUTH_REQUIRED) + .Authorization(TAG_CERTIFICATE_SERIAL, serial_blob) + .Authorization(TAG_CERTIFICATE_SUBJECT, subject_der) + .SetDefaultValidity(), + &key_blob, &key_characteristics); + // Strongbox may not support factory provisioned attestation key. + if (SecLevel() == SecurityLevel::STRONGBOX) { + if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) return; + } ASSERT_GT(key_blob.size(), 0U); CheckBaseParams(key_characteristics); @@ -1169,17 +1172,21 @@ TEST_P(NewKeyGenerationTest, RsaEncryptionWithAttestation) { vector<uint8_t> key_blob; vector<KeyCharacteristics> key_characteristics; - ASSERT_EQ(ErrorCode::OK, - GenerateKey(AuthorizationSetBuilder() - .RsaEncryptionKey(key_size, 65537) - .Padding(PaddingMode::NONE) - .AttestationChallenge(challenge) - .AttestationApplicationId(app_id) - .Authorization(TAG_NO_AUTH_REQUIRED) - .Authorization(TAG_CERTIFICATE_SERIAL, serial_blob) - .Authorization(TAG_CERTIFICATE_SUBJECT, subject_der) - .SetDefaultValidity(), - &key_blob, &key_characteristics)); + auto result = GenerateKey(AuthorizationSetBuilder() + .RsaEncryptionKey(key_size, 65537) + .Padding(PaddingMode::NONE) + .AttestationChallenge(challenge) + .AttestationApplicationId(app_id) + .Authorization(TAG_NO_AUTH_REQUIRED) + .Authorization(TAG_CERTIFICATE_SERIAL, serial_blob) + .Authorization(TAG_CERTIFICATE_SUBJECT, subject_der) + .SetDefaultValidity(), + &key_blob, &key_characteristics); + // Strongbox may not support factory provisioned attestation key. + if (SecLevel() == SecurityLevel::STRONGBOX) { + if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) return; + } + ASSERT_EQ(ErrorCode::OK, result); ASSERT_GT(key_blob.size(), 0U); AuthorizationSet auths; @@ -1281,15 +1288,19 @@ TEST_P(NewKeyGenerationTest, RsaWithAttestationMissAppId) { vector<uint8_t> key_blob; vector<KeyCharacteristics> key_characteristics; - ASSERT_EQ(ErrorCode::ATTESTATION_APPLICATION_ID_MISSING, - GenerateKey(AuthorizationSetBuilder() - .RsaSigningKey(2048, 65537) - .Digest(Digest::NONE) - .Padding(PaddingMode::NONE) - .AttestationChallenge(challenge) - .Authorization(TAG_NO_AUTH_REQUIRED) - .SetDefaultValidity(), - &key_blob, &key_characteristics)); + auto result = GenerateKey(AuthorizationSetBuilder() + .RsaSigningKey(2048, 65537) + .Digest(Digest::NONE) + .Padding(PaddingMode::NONE) + .AttestationChallenge(challenge) + .Authorization(TAG_NO_AUTH_REQUIRED) + .SetDefaultValidity(), + &key_blob, &key_characteristics); + // Strongbox may not support factory provisioned attestation key. + if (SecLevel() == SecurityLevel::STRONGBOX) { + if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) return; + } + ASSERT_EQ(ErrorCode::ATTESTATION_APPLICATION_ID_MISSING, result); } /* @@ -1399,19 +1410,23 @@ TEST_P(NewKeyGenerationTest, LimitedUsageRsaWithAttestation) { for (auto key_size : ValidKeySizes(Algorithm::RSA)) { vector<uint8_t> key_blob; vector<KeyCharacteristics> key_characteristics; - ASSERT_EQ(ErrorCode::OK, - GenerateKey(AuthorizationSetBuilder() - .RsaSigningKey(key_size, 65537) - .Digest(Digest::NONE) - .Padding(PaddingMode::NONE) - .AttestationChallenge(challenge) - .AttestationApplicationId(app_id) - .Authorization(TAG_NO_AUTH_REQUIRED) - .Authorization(TAG_USAGE_COUNT_LIMIT, 1) - .Authorization(TAG_CERTIFICATE_SERIAL, serial_blob) - .Authorization(TAG_CERTIFICATE_SUBJECT, subject_der) - .SetDefaultValidity(), - &key_blob, &key_characteristics)); + auto result = GenerateKey(AuthorizationSetBuilder() + .RsaSigningKey(key_size, 65537) + .Digest(Digest::NONE) + .Padding(PaddingMode::NONE) + .AttestationChallenge(challenge) + .AttestationApplicationId(app_id) + .Authorization(TAG_NO_AUTH_REQUIRED) + .Authorization(TAG_USAGE_COUNT_LIMIT, 1) + .Authorization(TAG_CERTIFICATE_SERIAL, serial_blob) + .Authorization(TAG_CERTIFICATE_SUBJECT, subject_der) + .SetDefaultValidity(), + &key_blob, &key_characteristics); + // Strongbox may not support factory provisioned attestation key. + if (SecLevel() == SecurityLevel::STRONGBOX) { + if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) return; + } + ASSERT_EQ(ErrorCode::OK, result); ASSERT_GT(key_blob.size(), 0U); CheckBaseParams(key_characteristics); @@ -1601,17 +1616,21 @@ TEST_P(NewKeyGenerationTest, EcdsaAttestation) { for (auto curve : ValidCurves()) { vector<uint8_t> key_blob; vector<KeyCharacteristics> key_characteristics; - ASSERT_EQ(ErrorCode::OK, - GenerateKey(AuthorizationSetBuilder() - .Authorization(TAG_NO_AUTH_REQUIRED) - .EcdsaSigningKey(curve) - .Digest(Digest::NONE) - .AttestationChallenge(challenge) - .AttestationApplicationId(app_id) - .Authorization(TAG_CERTIFICATE_SERIAL, serial_blob) - .Authorization(TAG_CERTIFICATE_SUBJECT, subject_der) - .SetDefaultValidity(), - &key_blob, &key_characteristics)); + auto result = GenerateKey(AuthorizationSetBuilder() + .Authorization(TAG_NO_AUTH_REQUIRED) + .EcdsaSigningKey(curve) + .Digest(Digest::NONE) + .AttestationChallenge(challenge) + .AttestationApplicationId(app_id) + .Authorization(TAG_CERTIFICATE_SERIAL, serial_blob) + .Authorization(TAG_CERTIFICATE_SUBJECT, subject_der) + .SetDefaultValidity(), + &key_blob, &key_characteristics); + // Strongbox may not support factory provisioned attestation key. + if (SecLevel() == SecurityLevel::STRONGBOX) { + if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) return; + } + ASSERT_EQ(ErrorCode::OK, result); ASSERT_GT(key_blob.size(), 0U); CheckBaseParams(key_characteristics); CheckCharacteristics(key_blob, key_characteristics); @@ -1745,6 +1764,10 @@ TEST_P(NewKeyGenerationTest, EcdsaAttestationTags) { // Tag not required to be supported by all KeyMint implementations. continue; } + // Strongbox may not support factory provisioned attestation key. + if (SecLevel() == SecurityLevel::STRONGBOX) { + if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) return; + } ASSERT_EQ(result, ErrorCode::OK); ASSERT_GT(key_blob.size(), 0U); @@ -1840,6 +1863,10 @@ TEST_P(NewKeyGenerationTest, EcdsaAttestationIdTags) { AuthorizationSetBuilder builder = base_builder; builder.push_back(tag); auto result = GenerateKey(builder, &key_blob, &key_characteristics); + // Strongbox may not support factory provisioned attestation key. + if (SecLevel() == SecurityLevel::STRONGBOX) { + if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) return; + } if (result == ErrorCode::CANNOT_ATTEST_IDS) { // Device ID attestation is optional; KeyMint may not support it at all. continue; @@ -1997,6 +2024,10 @@ TEST_P(NewKeyGenerationTest, EcdsaAttestationTagNoApplicationId) { .Authorization(TAG_CERTIFICATE_SUBJECT, subject_der) .SetDefaultValidity(), &key_blob, &key_characteristics); + // Strongbox may not support factory provisioned attestation key. + if (SecLevel() == SecurityLevel::STRONGBOX) { + if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) return; + } ASSERT_EQ(result, ErrorCode::OK); ASSERT_GT(key_blob.size(), 0U); @@ -2076,13 +2107,17 @@ TEST_P(NewKeyGenerationTest, EcdsaAttestationRequireAppId) { vector<uint8_t> key_blob; vector<KeyCharacteristics> key_characteristics; - ASSERT_EQ(ErrorCode::ATTESTATION_APPLICATION_ID_MISSING, - GenerateKey(AuthorizationSetBuilder() - .EcdsaSigningKey(EcCurve::P_256) - .Digest(Digest::NONE) - .AttestationChallenge(challenge) - .SetDefaultValidity(), - &key_blob, &key_characteristics)); + auto result = GenerateKey(AuthorizationSetBuilder() + .EcdsaSigningKey(EcCurve::P_256) + .Digest(Digest::NONE) + .AttestationChallenge(challenge) + .SetDefaultValidity(), + &key_blob, &key_characteristics); + // Strongbox may not support factory provisioned attestation key. + if (SecLevel() == SecurityLevel::STRONGBOX) { + if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) return; + } + ASSERT_EQ(ErrorCode::ATTESTATION_APPLICATION_ID_MISSING, result); } /* @@ -2139,14 +2174,19 @@ TEST_P(NewKeyGenerationTest, AttestationApplicationIDLengthProperlyEncoded) { const string app_id(length, 'a'); vector<uint8_t> key_blob; vector<KeyCharacteristics> key_characteristics; - ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder() - .Authorization(TAG_NO_AUTH_REQUIRED) - .EcdsaSigningKey(EcCurve::P_256) - .Digest(Digest::NONE) - .AttestationChallenge(challenge) - .AttestationApplicationId(app_id) - .SetDefaultValidity(), - &key_blob, &key_characteristics)); + auto result = GenerateKey(AuthorizationSetBuilder() + .Authorization(TAG_NO_AUTH_REQUIRED) + .EcdsaSigningKey(EcCurve::P_256) + .Digest(Digest::NONE) + .AttestationChallenge(challenge) + .AttestationApplicationId(app_id) + .SetDefaultValidity(), + &key_blob, &key_characteristics); + // Strongbox may not support factory provisioned attestation key. + if (SecLevel() == SecurityLevel::STRONGBOX) { + if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) return; + } + ASSERT_EQ(ErrorCode::OK, result); ASSERT_GT(key_blob.size(), 0U); CheckBaseParams(key_characteristics); CheckCharacteristics(key_blob, key_characteristics); @@ -4646,7 +4686,7 @@ typedef KeyMintAidlTestBase EncryptionOperationsTest; * Verifies that raw RSA decryption works. */ TEST_P(EncryptionOperationsTest, RsaNoPaddingSuccess) { - for (uint64_t exponent : {3, 65537}) { + for (uint64_t exponent : ValidExponents()) { ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder() .Authorization(TAG_NO_AUTH_REQUIRED) .RsaEncryptionKey(2048, exponent) @@ -7209,7 +7249,7 @@ TEST_P(ClearOperationsTest, TooManyOperations) { size_t i; for (i = 0; i < max_operations; i++) { - result = Begin(KeyPurpose::ENCRYPT, key_blob_, params, &out_params, op_handles[i]); + result = Begin(KeyPurpose::DECRYPT, key_blob_, params, &out_params, op_handles[i]); if (ErrorCode::OK != result) { break; } @@ -7217,12 +7257,12 @@ TEST_P(ClearOperationsTest, TooManyOperations) { EXPECT_EQ(ErrorCode::TOO_MANY_OPERATIONS, result); // Try again just in case there's a weird overflow bug EXPECT_EQ(ErrorCode::TOO_MANY_OPERATIONS, - Begin(KeyPurpose::ENCRYPT, key_blob_, params, &out_params)); + Begin(KeyPurpose::DECRYPT, key_blob_, params, &out_params)); for (size_t j = 0; j < i; j++) { EXPECT_EQ(ErrorCode::OK, Abort(op_handles[j])) << "Aboort failed for i = " << j << std::endl; } - EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::ENCRYPT, key_blob_, params, &out_params)); + EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::DECRYPT, key_blob_, params, &out_params)); AbortIfNeeded(); } @@ -7611,14 +7651,23 @@ TEST_P(EarlyBootKeyTest, CreateAttestedEarlyBootKey) { }); for (const auto& keyData : {aesKeyData, hmacKeyData, rsaKeyData, ecdsaKeyData}) { + // Strongbox may not support factory attestation. Key creation might fail with + // ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED + if (SecLevel() == SecurityLevel::STRONGBOX && keyData.blob.size() == 0U) { + continue; + } ASSERT_GT(keyData.blob.size(), 0U); AuthorizationSet crypto_params = SecLevelAuthorizations(keyData.characteristics); EXPECT_TRUE(crypto_params.Contains(TAG_EARLY_BOOT_ONLY)) << crypto_params; } CheckedDeleteKey(&aesKeyData.blob); CheckedDeleteKey(&hmacKeyData.blob); - CheckedDeleteKey(&rsaKeyData.blob); - CheckedDeleteKey(&ecdsaKeyData.blob); + if (rsaKeyData.blob.size() != 0U) { + CheckedDeleteKey(&rsaKeyData.blob); + } + if (ecdsaKeyData.blob.size() != 0U) { + CheckedDeleteKey(&ecdsaKeyData.blob); + } } /* |