diff options
Diffstat (limited to 'security/keymint/aidl/vts/functional/AttestKeyTest.cpp')
| -rw-r--r-- | security/keymint/aidl/vts/functional/AttestKeyTest.cpp | 317 |
1 files changed, 215 insertions, 102 deletions
diff --git a/security/keymint/aidl/vts/functional/AttestKeyTest.cpp b/security/keymint/aidl/vts/functional/AttestKeyTest.cpp index 64550eff2d..ca517ac61c 100644 --- a/security/keymint/aidl/vts/functional/AttestKeyTest.cpp +++ b/security/keymint/aidl/vts/functional/AttestKeyTest.cpp @@ -16,6 +16,7 @@ #define LOG_TAG "keymint_1_attest_key_test" #include <cutils/log.h> +#include <cutils/properties.h> #include <keymint_support/key_param_output.h> #include <keymint_support/openssl_utils.h> @@ -33,7 +34,33 @@ bool IsSelfSigned(const vector<Certificate>& chain) { } // namespace -using AttestKeyTest = KeyMintAidlTestBase; +class AttestKeyTest : public KeyMintAidlTestBase { + protected: + ErrorCode GenerateAttestKey(const AuthorizationSet& key_desc, + const optional<AttestationKey>& attest_key, + vector<uint8_t>* key_blob, + vector<KeyCharacteristics>* key_characteristics, + vector<Certificate>* cert_chain) { + // The original specification for KeyMint v1 required ATTEST_KEY not be combined + // with any other key purpose, but the original VTS tests incorrectly did exactly that. + // This means that a device that launched prior to Android T (API level 33) may + // accept or even require KeyPurpose::SIGN too. + if (property_get_int32("ro.board.first_api_level", 0) < 33) { + AuthorizationSet key_desc_plus_sign = key_desc; + key_desc_plus_sign.push_back(TAG_PURPOSE, KeyPurpose::SIGN); + + auto result = GenerateKey(key_desc_plus_sign, attest_key, key_blob, key_characteristics, + cert_chain); + if (result == ErrorCode::OK) { + return result; + } + // If the key generation failed, it may be because the device is (correctly) + // rejecting the combination of ATTEST_KEY+SIGN. Fall through to try again with + // just ATTEST_KEY. + } + return GenerateKey(key_desc, attest_key, key_blob, key_characteristics, cert_chain); + } +}; /* * AttestKeyTest.AllRsaSizes @@ -49,12 +76,13 @@ TEST_P(AttestKeyTest, AllRsaSizes) { AttestationKey attest_key; vector<KeyCharacteristics> attest_key_characteristics; vector<Certificate> attest_key_cert_chain; - ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder() - .RsaKey(size, 65537) - .AttestKey() - .SetDefaultValidity(), - {} /* attestation signing key */, &attest_key.keyBlob, - &attest_key_characteristics, &attest_key_cert_chain)); + ASSERT_EQ(ErrorCode::OK, + GenerateAttestKey(AuthorizationSetBuilder() + .RsaKey(size, 65537) + .AttestKey() + .SetDefaultValidity(), + {} /* attestation signing key */, &attest_key.keyBlob, + &attest_key_characteristics, &attest_key_cert_chain)); ASSERT_GT(attest_key_cert_chain.size(), 0); EXPECT_EQ(attest_key_cert_chain.size(), 1); @@ -81,7 +109,8 @@ TEST_P(AttestKeyTest, AllRsaSizes) { AuthorizationSet hw_enforced = HwEnforcedAuthorizations(attested_key_characteristics); AuthorizationSet sw_enforced = SwEnforcedAuthorizations(attested_key_characteristics); - EXPECT_TRUE(verify_attestation_record("foo", "bar", sw_enforced, hw_enforced, SecLevel(), + EXPECT_TRUE(verify_attestation_record(AidlVersion(), "foo", "bar", sw_enforced, hw_enforced, + SecLevel(), attested_key_cert_chain[0].encodedCertificate)); // Attestation by itself is not valid (last entry is not self-signed). @@ -113,7 +142,8 @@ TEST_P(AttestKeyTest, AllRsaSizes) { hw_enforced = HwEnforcedAuthorizations(attested_key_characteristics); sw_enforced = SwEnforcedAuthorizations(attested_key_characteristics); - EXPECT_TRUE(verify_attestation_record("foo2", "bar2", sw_enforced, hw_enforced, SecLevel(), + EXPECT_TRUE(verify_attestation_record(AidlVersion(), "foo2", "bar2", sw_enforced, + hw_enforced, SecLevel(), attested_key_cert_chain[0].encodedCertificate)); // Attestation by itself is not valid (last entry is not self-signed). @@ -154,12 +184,13 @@ TEST_P(AttestKeyTest, AllRsaSizes) { sw_enforced = SwEnforcedAuthorizations(attested_key_characteristics); // The client-specified CREATION_DATETIME should be in sw_enforced. - // Its presence will also trigger verify_attestation_record() to check that it - // is in the attestation extension with a matching value. + // Its presence will also trigger verify_attestation_record() to check that + // it is in the attestation extension with a matching value. EXPECT_TRUE(sw_enforced.Contains(TAG_CREATION_DATETIME, timestamp)) << "expected CREATION_TIMESTAMP in sw_enforced:" << sw_enforced << " not in hw_enforced:" << hw_enforced; - EXPECT_TRUE(verify_attestation_record("foo", "bar", sw_enforced, hw_enforced, SecLevel(), + EXPECT_TRUE(verify_attestation_record(AidlVersion(), "foo", "bar", sw_enforced, hw_enforced, + SecLevel(), attested_key_cert_chain[0].encodedCertificate)); // Attestation by itself is not valid (last entry is not self-signed). @@ -175,6 +206,32 @@ TEST_P(AttestKeyTest, AllRsaSizes) { } /* + * AttestKeyTest.RsaAttestKeyMultiPurposeFail + * + * This test attempts to create an RSA attestation key that also allows signing. + */ +TEST_P(AttestKeyTest, RsaAttestKeyMultiPurposeFail) { + if (AidlVersion() < 2) { + // The KeyMint v1 spec required that KeyPurpose::ATTEST_KEY not be combined + // with other key purposes. However, this was not checked at the time + // so we can only be strict about checking this for implementations of KeyMint + // version 2 and above. + GTEST_SKIP() << "Single-purpose for KeyPurpose::ATTEST_KEY only strict since KeyMint v2"; + } + + vector<uint8_t> attest_key_blob; + vector<KeyCharacteristics> attest_key_characteristics; + vector<Certificate> attest_key_cert_chain; + ASSERT_EQ(ErrorCode::INCOMPATIBLE_PURPOSE, + GenerateKey(AuthorizationSetBuilder() + .RsaSigningKey(2048, 65537) + .AttestKey() + .SetDefaultValidity(), + {} /* attestation signing key */, &attest_key_blob, + &attest_key_characteristics, &attest_key_cert_chain)); +} + +/* * AttestKeyTest.RsaAttestedAttestKeys * * This test creates an RSA attestation key signed by factory keys, and varifies it can be @@ -198,18 +255,22 @@ TEST_P(AttestKeyTest, RsaAttestedAttestKeys) { AttestationKey attest_key; vector<KeyCharacteristics> attest_key_characteristics; vector<Certificate> attest_key_cert_chain; - ASSERT_EQ(ErrorCode::OK, - GenerateKey(AuthorizationSetBuilder() - .RsaKey(2048, 65537) - .AttestKey() - .AttestationChallenge(challenge) - .AttestationApplicationId(app_id) - .Authorization(TAG_CERTIFICATE_SERIAL, serial_blob) - .Authorization(TAG_CERTIFICATE_SUBJECT, subject_der) - .Authorization(TAG_NO_AUTH_REQUIRED) - .SetDefaultValidity(), - {} /* attestation signing key */, &attest_key.keyBlob, - &attest_key_characteristics, &attest_key_cert_chain)); + auto result = GenerateAttestKey(AuthorizationSetBuilder() + .RsaKey(2048, 65537) + .AttestKey() + .AttestationChallenge(challenge) + .AttestationApplicationId(app_id) + .Authorization(TAG_CERTIFICATE_SERIAL, serial_blob) + .Authorization(TAG_CERTIFICATE_SUBJECT, subject_der) + .Authorization(TAG_NO_AUTH_REQUIRED) + .SetDefaultValidity(), + {} /* attestation signing key */, &attest_key.keyBlob, + &attest_key_characteristics, &attest_key_cert_chain); + // Strongbox may not support factory provisioned attestation key. + if (SecLevel() == SecurityLevel::STRONGBOX) { + if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) return; + } + ASSERT_EQ(ErrorCode::OK, result); EXPECT_GT(attest_key_cert_chain.size(), 1); verify_subject_and_serial(attest_key_cert_chain[0], serial_int, subject, false); @@ -217,7 +278,7 @@ TEST_P(AttestKeyTest, RsaAttestedAttestKeys) { AuthorizationSet hw_enforced = HwEnforcedAuthorizations(attest_key_characteristics); AuthorizationSet sw_enforced = SwEnforcedAuthorizations(attest_key_characteristics); - EXPECT_TRUE(verify_attestation_record(challenge, app_id, // + EXPECT_TRUE(verify_attestation_record(AidlVersion(), challenge, app_id, // sw_enforced, hw_enforced, SecLevel(), attest_key_cert_chain[0].encodedCertificate)); @@ -252,7 +313,8 @@ TEST_P(AttestKeyTest, RsaAttestedAttestKeys) { AuthorizationSet hw_enforced2 = HwEnforcedAuthorizations(attested_key_characteristics); AuthorizationSet sw_enforced2 = SwEnforcedAuthorizations(attested_key_characteristics); - EXPECT_TRUE(verify_attestation_record("foo", "bar", sw_enforced2, hw_enforced2, SecLevel(), + EXPECT_TRUE(verify_attestation_record(AidlVersion(), "foo", "bar", sw_enforced2, hw_enforced2, + SecLevel(), attested_key_cert_chain[0].encodedCertificate)); // Attestation by itself is not valid (last entry is not self-signed). @@ -297,23 +359,28 @@ TEST_P(AttestKeyTest, RsaAttestKeyChaining) { attest_key_opt = attest_key; } - EXPECT_EQ(ErrorCode::OK, - GenerateKey(AuthorizationSetBuilder() - .RsaKey(2048, 65537) - .AttestKey() - .AttestationChallenge("foo") - .AttestationApplicationId("bar") - .Authorization(TAG_NO_AUTH_REQUIRED) - .Authorization(TAG_CERTIFICATE_SERIAL, serial_blob) - .Authorization(TAG_CERTIFICATE_SUBJECT, subject_der) - .SetDefaultValidity(), - attest_key_opt, &key_blob_list[i], &attested_key_characteristics, - &cert_chain_list[i])); + auto result = GenerateAttestKey(AuthorizationSetBuilder() + .RsaKey(2048, 65537) + .AttestKey() + .AttestationChallenge("foo") + .AttestationApplicationId("bar") + .Authorization(TAG_NO_AUTH_REQUIRED) + .Authorization(TAG_CERTIFICATE_SERIAL, serial_blob) + .Authorization(TAG_CERTIFICATE_SUBJECT, subject_der) + .SetDefaultValidity(), + attest_key_opt, &key_blob_list[i], + &attested_key_characteristics, &cert_chain_list[i]); + // Strongbox may not support factory provisioned attestation key. + if (SecLevel() == SecurityLevel::STRONGBOX) { + if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) return; + } + ASSERT_EQ(ErrorCode::OK, result); AuthorizationSet hw_enforced = HwEnforcedAuthorizations(attested_key_characteristics); AuthorizationSet sw_enforced = SwEnforcedAuthorizations(attested_key_characteristics); ASSERT_GT(cert_chain_list[i].size(), 0); - EXPECT_TRUE(verify_attestation_record("foo", "bar", sw_enforced, hw_enforced, SecLevel(), + EXPECT_TRUE(verify_attestation_record(AidlVersion(), "foo", "bar", sw_enforced, hw_enforced, + SecLevel(), cert_chain_list[i][0].encodedCertificate)); if (i > 0) { @@ -369,23 +436,28 @@ TEST_P(AttestKeyTest, EcAttestKeyChaining) { attest_key_opt = attest_key; } - EXPECT_EQ(ErrorCode::OK, - GenerateKey(AuthorizationSetBuilder() - .EcdsaKey(EcCurve::P_256) - .AttestKey() - .AttestationChallenge("foo") - .AttestationApplicationId("bar") - .Authorization(TAG_CERTIFICATE_SERIAL, serial_blob) - .Authorization(TAG_CERTIFICATE_SUBJECT, subject_der) - .Authorization(TAG_NO_AUTH_REQUIRED) - .SetDefaultValidity(), - attest_key_opt, &key_blob_list[i], &attested_key_characteristics, - &cert_chain_list[i])); + auto result = GenerateAttestKey(AuthorizationSetBuilder() + .EcdsaKey(EcCurve::P_256) + .AttestKey() + .AttestationChallenge("foo") + .AttestationApplicationId("bar") + .Authorization(TAG_CERTIFICATE_SERIAL, serial_blob) + .Authorization(TAG_CERTIFICATE_SUBJECT, subject_der) + .Authorization(TAG_NO_AUTH_REQUIRED) + .SetDefaultValidity(), + attest_key_opt, &key_blob_list[i], + &attested_key_characteristics, &cert_chain_list[i]); + // Strongbox may not support factory provisioned attestation key. + if (SecLevel() == SecurityLevel::STRONGBOX) { + if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) return; + } + ASSERT_EQ(ErrorCode::OK, result); AuthorizationSet hw_enforced = HwEnforcedAuthorizations(attested_key_characteristics); AuthorizationSet sw_enforced = SwEnforcedAuthorizations(attested_key_characteristics); ASSERT_GT(cert_chain_list[i].size(), 0); - EXPECT_TRUE(verify_attestation_record("foo", "bar", sw_enforced, hw_enforced, SecLevel(), + EXPECT_TRUE(verify_attestation_record(AidlVersion(), "foo", "bar", sw_enforced, hw_enforced, + SecLevel(), cert_chain_list[i][0].encodedCertificate)); if (i > 0) { @@ -412,6 +484,31 @@ TEST_P(AttestKeyTest, EcAttestKeyChaining) { } /* + * AttestKeyTest.EcAttestKeyMultiPurposeFail + * + * This test attempts to create an EC attestation key that also allows signing. + */ +TEST_P(AttestKeyTest, EcAttestKeyMultiPurposeFail) { + if (AidlVersion() < 2) { + // The KeyMint v1 spec required that KeyPurpose::ATTEST_KEY not be combined + // with other key purposes. However, this was not checked at the time + // so we can only be strict about checking this for implementations of KeyMint + // version 2 and above. + GTEST_SKIP() << "Single-purpose for KeyPurpose::ATTEST_KEY only strict since KeyMint v2"; + } + vector<uint8_t> attest_key_blob; + vector<KeyCharacteristics> attest_key_characteristics; + vector<Certificate> attest_key_cert_chain; + ASSERT_EQ(ErrorCode::INCOMPATIBLE_PURPOSE, + GenerateKey(AuthorizationSetBuilder() + .EcdsaSigningKey(EcCurve::P_256) + .AttestKey() + .SetDefaultValidity(), + {} /* attestation signing key */, &attest_key_blob, + &attest_key_characteristics, &attest_key_cert_chain)); +} + +/* * AttestKeyTest.AlternateAttestKeyChaining * * This test creates a chain of multiple attest keys, in the order Ec - RSA - Ec - RSA .... @@ -442,39 +539,43 @@ TEST_P(AttestKeyTest, AlternateAttestKeyChaining) { attest_key.keyBlob = key_blob_list[i - 1]; attest_key_opt = attest_key; } - + ErrorCode result; if ((i & 0x1) == 1) { - EXPECT_EQ(ErrorCode::OK, - GenerateKey(AuthorizationSetBuilder() - .EcdsaKey(EcCurve::P_256) - .AttestKey() - .AttestationChallenge("foo") - .AttestationApplicationId("bar") - .Authorization(TAG_CERTIFICATE_SERIAL, serial_blob) - .Authorization(TAG_CERTIFICATE_SUBJECT, subject_der) - .Authorization(TAG_NO_AUTH_REQUIRED) - .SetDefaultValidity(), - attest_key_opt, &key_blob_list[i], &attested_key_characteristics, - &cert_chain_list[i])); + result = GenerateAttestKey(AuthorizationSetBuilder() + .EcdsaKey(EcCurve::P_256) + .AttestKey() + .AttestationChallenge("foo") + .AttestationApplicationId("bar") + .Authorization(TAG_CERTIFICATE_SERIAL, serial_blob) + .Authorization(TAG_CERTIFICATE_SUBJECT, subject_der) + .Authorization(TAG_NO_AUTH_REQUIRED) + .SetDefaultValidity(), + attest_key_opt, &key_blob_list[i], + &attested_key_characteristics, &cert_chain_list[i]); } else { - EXPECT_EQ(ErrorCode::OK, - GenerateKey(AuthorizationSetBuilder() - .RsaKey(2048, 65537) - .AttestKey() - .AttestationChallenge("foo") - .AttestationApplicationId("bar") - .Authorization(TAG_CERTIFICATE_SERIAL, serial_blob) - .Authorization(TAG_CERTIFICATE_SUBJECT, subject_der) - .Authorization(TAG_NO_AUTH_REQUIRED) - .SetDefaultValidity(), - attest_key_opt, &key_blob_list[i], &attested_key_characteristics, - &cert_chain_list[i])); + result = GenerateAttestKey(AuthorizationSetBuilder() + .RsaKey(2048, 65537) + .AttestKey() + .AttestationChallenge("foo") + .AttestationApplicationId("bar") + .Authorization(TAG_CERTIFICATE_SERIAL, serial_blob) + .Authorization(TAG_CERTIFICATE_SUBJECT, subject_der) + .Authorization(TAG_NO_AUTH_REQUIRED) + .SetDefaultValidity(), + attest_key_opt, &key_blob_list[i], + &attested_key_characteristics, &cert_chain_list[i]); + } + // Strongbox may not support factory provisioned attestation key. + if (SecLevel() == SecurityLevel::STRONGBOX) { + if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) return; } + ASSERT_EQ(ErrorCode::OK, result); AuthorizationSet hw_enforced = HwEnforcedAuthorizations(attested_key_characteristics); AuthorizationSet sw_enforced = SwEnforcedAuthorizations(attested_key_characteristics); ASSERT_GT(cert_chain_list[i].size(), 0); - EXPECT_TRUE(verify_attestation_record("foo", "bar", sw_enforced, hw_enforced, SecLevel(), + EXPECT_TRUE(verify_attestation_record(AidlVersion(), "foo", "bar", sw_enforced, hw_enforced, + SecLevel(), cert_chain_list[i][0].encodedCertificate)); if (i > 0) { @@ -508,12 +609,13 @@ TEST_P(AttestKeyTest, MissingChallenge) { AttestationKey attest_key; vector<KeyCharacteristics> attest_key_characteristics; vector<Certificate> attest_key_cert_chain; - ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder() - .RsaKey(size, 65537) - .AttestKey() - .SetDefaultValidity(), - {} /* attestation signing key */, &attest_key.keyBlob, - &attest_key_characteristics, &attest_key_cert_chain)); + ASSERT_EQ(ErrorCode::OK, + GenerateAttestKey(AuthorizationSetBuilder() + .RsaKey(size, 65537) + .AttestKey() + .SetDefaultValidity(), + {} /* attestation signing key */, &attest_key.keyBlob, + &attest_key_characteristics, &attest_key_cert_chain)); EXPECT_EQ(attest_key_cert_chain.size(), 1); EXPECT_TRUE(IsSelfSigned(attest_key_cert_chain)) << "Failed on size " << size; @@ -557,7 +659,7 @@ TEST_P(AttestKeyTest, AllEcCurves) { vector<Certificate> attest_key_cert_chain; ASSERT_EQ( ErrorCode::OK, - GenerateKey( + GenerateAttestKey( AuthorizationSetBuilder().EcdsaKey(curve).AttestKey().SetDefaultValidity(), {} /* attestation signing key */, &attest_key.keyBlob, &attest_key_characteristics, &attest_key_cert_chain)); @@ -583,11 +685,13 @@ TEST_P(AttestKeyTest, AllEcCurves) { attest_key, &attested_key_blob, &attested_key_characteristics, &attested_key_cert_chain)); + ASSERT_GT(attested_key_cert_chain.size(), 0); CheckedDeleteKey(&attested_key_blob); AuthorizationSet hw_enforced = HwEnforcedAuthorizations(attested_key_characteristics); AuthorizationSet sw_enforced = SwEnforcedAuthorizations(attested_key_characteristics); - EXPECT_TRUE(verify_attestation_record("foo", "bar", sw_enforced, hw_enforced, SecLevel(), + EXPECT_TRUE(verify_attestation_record(AidlVersion(), "foo", "bar", sw_enforced, hw_enforced, + SecLevel(), attested_key_cert_chain[0].encodedCertificate)); // Attestation by itself is not valid (last entry is not self-signed). @@ -612,12 +716,14 @@ TEST_P(AttestKeyTest, AllEcCurves) { attest_key, &attested_key_blob, &attested_key_characteristics, &attested_key_cert_chain)); + ASSERT_GT(attested_key_cert_chain.size(), 0); CheckedDeleteKey(&attested_key_blob); CheckedDeleteKey(&attest_key.keyBlob); hw_enforced = HwEnforcedAuthorizations(attested_key_characteristics); sw_enforced = SwEnforcedAuthorizations(attested_key_characteristics); - EXPECT_TRUE(verify_attestation_record("foo", "bar", sw_enforced, hw_enforced, SecLevel(), + EXPECT_TRUE(verify_attestation_record(AidlVersion(), "foo", "bar", sw_enforced, hw_enforced, + SecLevel(), attested_key_cert_chain[0].encodedCertificate)); // Attestation by itself is not valid (last entry is not self-signed). @@ -666,16 +772,22 @@ TEST_P(AttestKeyTest, AttestWithNonAttestKey) { } TEST_P(AttestKeyTest, EcdsaAttestationID) { + if (is_gsi_image()) { + // GSI sets up a standard set of device identifiers that may not match + // the device identifiers held by the device. + GTEST_SKIP() << "Test not applicable under GSI"; + } // Create attestation key. AttestationKey attest_key; vector<KeyCharacteristics> attest_key_characteristics; vector<Certificate> attest_key_cert_chain; - ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder() - .EcdsaKey(EcCurve::P_256) - .AttestKey() - .SetDefaultValidity(), - {} /* attestation signing key */, &attest_key.keyBlob, - &attest_key_characteristics, &attest_key_cert_chain)); + ASSERT_EQ(ErrorCode::OK, + GenerateAttestKey(AuthorizationSetBuilder() + .EcdsaKey(EcCurve::P_256) + .AttestKey() + .SetDefaultValidity(), + {} /* attestation signing key */, &attest_key.keyBlob, + &attest_key_characteristics, &attest_key_cert_chain)); attest_key.issuerSubjectName = make_name_from_str("Android Keystore Key"); ASSERT_GT(attest_key_cert_chain.size(), 0); EXPECT_EQ(attest_key_cert_chain.size(), 1); @@ -706,7 +818,7 @@ TEST_P(AttestKeyTest, EcdsaAttestationID) { vector<Certificate> attested_key_cert_chain; auto result = GenerateKey(builder, attest_key, &attested_key_blob, &attested_key_characteristics, &attested_key_cert_chain); - if (result == ErrorCode::CANNOT_ATTEST_IDS) { + if (result == ErrorCode::CANNOT_ATTEST_IDS && !isDeviceIdAttestationRequired()) { continue; } @@ -722,8 +834,8 @@ TEST_P(AttestKeyTest, EcdsaAttestationID) { // attestation extension should contain them, so make sure the extra tag is added. hw_enforced.push_back(tag); - EXPECT_TRUE(verify_attestation_record("challenge", "foo", sw_enforced, hw_enforced, - SecLevel(), + EXPECT_TRUE(verify_attestation_record(AidlVersion(), "challenge", "foo", sw_enforced, + hw_enforced, SecLevel(), attested_key_cert_chain[0].encodedCertificate)); } CheckedDeleteKey(&attest_key.keyBlob); @@ -734,12 +846,13 @@ TEST_P(AttestKeyTest, EcdsaAttestationMismatchID) { AttestationKey attest_key; vector<KeyCharacteristics> attest_key_characteristics; vector<Certificate> attest_key_cert_chain; - ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder() - .EcdsaKey(EcCurve::P_256) - .AttestKey() - .SetDefaultValidity(), - {} /* attestation signing key */, &attest_key.keyBlob, - &attest_key_characteristics, &attest_key_cert_chain)); + ASSERT_EQ(ErrorCode::OK, + GenerateAttestKey(AuthorizationSetBuilder() + .EcdsaKey(EcCurve::P_256) + .AttestKey() + .SetDefaultValidity(), + {} /* attestation signing key */, &attest_key.keyBlob, + &attest_key_characteristics, &attest_key_cert_chain)); attest_key.issuerSubjectName = make_name_from_str("Android Keystore Key"); ASSERT_GT(attest_key_cert_chain.size(), 0); EXPECT_EQ(attest_key_cert_chain.size(), 1); |