mirror of
https://github.com/Evolution-X/hardware_interfaces
synced 2026-02-01 21:37:44 +00:00
Merge "More KeyMint VTS testcases"
This commit is contained in:
David Drysdale
Gerrit Code Review
@@ -275,8 +275,7 @@ interface IKeyMintDevice {
|
||||
*
|
||||
* o Tag::RSA_PUBLIC_EXPONENT specifies the RSA public exponent value. If omitted, generateKey
|
||||
* must return ErrorCode::INVALID_ARGUMENT. The values 3 and 65537 must be supported. It is
|
||||
* recommended to support all prime values up to 2^64. If provided with a non-prime value,
|
||||
* generateKey must return ErrorCode::INVALID_ARGUMENT.
|
||||
* recommended to support all prime values up to 2^64.
|
||||
*
|
||||
* The following parameters are not necessary to generate a usable RSA key, but generateKey must
|
||||
* not return an error if they are omitted:
|
||||
|
||||
@@ -124,16 +124,18 @@ TEST_P(AttestKeyTest, AllRsaSizes) {
|
||||
EXPECT_EQ(attested_key_cert_chain.size(), 2);
|
||||
|
||||
/*
|
||||
* Use attestation key to sign EC key
|
||||
* Use attestation key to sign EC key. Specify a CREATION_DATETIME for this one.
|
||||
*/
|
||||
attested_key_characteristics.resize(0);
|
||||
attested_key_cert_chain.resize(0);
|
||||
uint64_t timestamp = 1619621648000;
|
||||
EXPECT_EQ(ErrorCode::OK,
|
||||
GenerateKey(AuthorizationSetBuilder()
|
||||
.EcdsaSigningKey(EcCurve::P_256)
|
||||
.Authorization(TAG_NO_AUTH_REQUIRED)
|
||||
.AttestationChallenge("foo")
|
||||
.AttestationApplicationId("bar")
|
||||
.Authorization(TAG_CREATION_DATETIME, timestamp)
|
||||
.SetDefaultValidity(),
|
||||
attest_key, &attested_key_blob, &attested_key_characteristics,
|
||||
&attested_key_cert_chain));
|
||||
@@ -143,6 +145,12 @@ TEST_P(AttestKeyTest, AllRsaSizes) {
|
||||
|
||||
hw_enforced = HwEnforcedAuthorizations(attested_key_characteristics);
|
||||
sw_enforced = SwEnforcedAuthorizations(attested_key_characteristics);
|
||||
// The client-specified CREATION_DATETIME should be in sw_enforced.
|
||||
// Its presence will also trigger verify_attestation_record() to check that it
|
||||
// is in the attestation extension with a matching value.
|
||||
EXPECT_TRUE(sw_enforced.Contains(TAG_CREATION_DATETIME, timestamp))
|
||||
<< "expected CREATION_TIMESTAMP in sw_enforced:" << sw_enforced
|
||||
<< " not in hw_enforced:" << hw_enforced;
|
||||
EXPECT_TRUE(verify_attestation_record("foo", "bar", sw_enforced, hw_enforced, SecLevel(),
|
||||
attested_key_cert_chain[0].encodedCertificate));
|
||||
|
||||
@@ -479,6 +487,53 @@ TEST_P(AttestKeyTest, AlternateAttestKeyChaining) {
|
||||
}
|
||||
}
|
||||
|
||||
TEST_P(AttestKeyTest, MissingChallenge) {
|
||||
for (auto size : ValidKeySizes(Algorithm::RSA)) {
|
||||
/*
|
||||
* Create attestation key.
|
||||
*/
|
||||
AttestationKey attest_key;
|
||||
vector<KeyCharacteristics> attest_key_characteristics;
|
||||
vector<Certificate> attest_key_cert_chain;
|
||||
ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
|
||||
.RsaSigningKey(size, 65537)
|
||||
.AttestKey()
|
||||
.SetDefaultValidity(),
|
||||
{} /* attestation signing key */, &attest_key.keyBlob,
|
||||
&attest_key_characteristics, &attest_key_cert_chain));
|
||||
|
||||
EXPECT_EQ(attest_key_cert_chain.size(), 1);
|
||||
EXPECT_TRUE(IsSelfSigned(attest_key_cert_chain)) << "Failed on size " << size;
|
||||
|
||||
/*
|
||||
* Use attestation key to sign RSA / ECDSA key but forget to provide a challenge
|
||||
*/
|
||||
attest_key.issuerSubjectName = make_name_from_str("Android Keystore Key");
|
||||
vector<uint8_t> attested_key_blob;
|
||||
vector<KeyCharacteristics> attested_key_characteristics;
|
||||
vector<Certificate> attested_key_cert_chain;
|
||||
EXPECT_EQ(ErrorCode::INVALID_ARGUMENT,
|
||||
GenerateKey(AuthorizationSetBuilder()
|
||||
.RsaSigningKey(2048, 65537)
|
||||
.Authorization(TAG_NO_AUTH_REQUIRED)
|
||||
.AttestationApplicationId("bar")
|
||||
.SetDefaultValidity(),
|
||||
attest_key, &attested_key_blob, &attested_key_characteristics,
|
||||
&attested_key_cert_chain));
|
||||
|
||||
EXPECT_EQ(ErrorCode::INVALID_ARGUMENT,
|
||||
GenerateKey(AuthorizationSetBuilder()
|
||||
.EcdsaSigningKey(EcCurve::P_256)
|
||||
.Authorization(TAG_NO_AUTH_REQUIRED)
|
||||
.AttestationApplicationId("bar")
|
||||
.SetDefaultValidity(),
|
||||
attest_key, &attested_key_blob, &attested_key_characteristics,
|
||||
&attested_key_cert_chain));
|
||||
|
||||
CheckedDeleteKey(&attest_key.keyBlob);
|
||||
}
|
||||
}
|
||||
|
||||
TEST_P(AttestKeyTest, AllEcCurves) {
|
||||
for (auto curve : ValidCurves()) {
|
||||
/*
|
||||
|
||||
@@ -167,6 +167,7 @@ void KeyMintAidlTestBase::InitializeKeyMint(std::shared_ptr<IKeyMintDevice> keyM
|
||||
securityLevel_ = info.securityLevel;
|
||||
name_.assign(info.keyMintName.begin(), info.keyMintName.end());
|
||||
author_.assign(info.keyMintAuthorName.begin(), info.keyMintAuthorName.end());
|
||||
timestamp_token_required_ = info.timestampTokenRequired;
|
||||
|
||||
os_version_ = getOsVersion();
|
||||
os_patch_level_ = getOsPatchlevel();
|
||||
@@ -273,7 +274,8 @@ ErrorCode KeyMintAidlTestBase::ImportKey(const AuthorizationSet& key_desc, KeyFo
|
||||
ErrorCode KeyMintAidlTestBase::ImportWrappedKey(string wrapped_key, string wrapping_key,
|
||||
const AuthorizationSet& wrapping_key_desc,
|
||||
string masking_key,
|
||||
const AuthorizationSet& unwrapping_params) {
|
||||
const AuthorizationSet& unwrapping_params,
|
||||
int64_t password_sid, int64_t biometric_sid) {
|
||||
EXPECT_EQ(ErrorCode::OK, ImportKey(wrapping_key_desc, KeyFormat::PKCS8, wrapping_key));
|
||||
|
||||
key_characteristics_.clear();
|
||||
@@ -282,8 +284,7 @@ ErrorCode KeyMintAidlTestBase::ImportWrappedKey(string wrapped_key, string wrapp
|
||||
Status result = keymint_->importWrappedKey(
|
||||
vector<uint8_t>(wrapped_key.begin(), wrapped_key.end()), key_blob_,
|
||||
vector<uint8_t>(masking_key.begin(), masking_key.end()),
|
||||
unwrapping_params.vector_data(), 0 /* passwordSid */, 0 /* biometricSid */,
|
||||
&creationResult);
|
||||
unwrapping_params.vector_data(), password_sid, biometric_sid, &creationResult);
|
||||
|
||||
if (result.isOk()) {
|
||||
EXPECT_PRED2(KeyCharacteristicsBasicallyValid, SecLevel(),
|
||||
@@ -332,6 +333,11 @@ ErrorCode KeyMintAidlTestBase::DeleteAllKeys() {
|
||||
return GetReturnErrorCode(result);
|
||||
}
|
||||
|
||||
ErrorCode KeyMintAidlTestBase::DestroyAttestationIds() {
|
||||
Status result = keymint_->destroyAttestationIds();
|
||||
return GetReturnErrorCode(result);
|
||||
}
|
||||
|
||||
void KeyMintAidlTestBase::CheckedDeleteKey(vector<uint8_t>* key_blob, bool keep_key_blob) {
|
||||
ErrorCode result = DeleteKey(key_blob, keep_key_blob);
|
||||
EXPECT_TRUE(result == ErrorCode::OK || result == ErrorCode::UNIMPLEMENTED) << result << endl;
|
||||
@@ -654,6 +660,18 @@ string KeyMintAidlTestBase::EncryptMessage(const string& message, BlockMode bloc
|
||||
return ciphertext;
|
||||
}
|
||||
|
||||
string KeyMintAidlTestBase::EncryptMessage(const string& message, BlockMode block_mode,
|
||||
PaddingMode padding, uint8_t mac_length_bits) {
|
||||
SCOPED_TRACE("EncryptMessage");
|
||||
auto params = AuthorizationSetBuilder()
|
||||
.BlockMode(block_mode)
|
||||
.Padding(padding)
|
||||
.Authorization(TAG_MAC_LENGTH, mac_length_bits);
|
||||
AuthorizationSet out_params;
|
||||
string ciphertext = EncryptMessage(message, params, &out_params);
|
||||
return ciphertext;
|
||||
}
|
||||
|
||||
string KeyMintAidlTestBase::DecryptMessage(const vector<uint8_t>& key_blob,
|
||||
const string& ciphertext,
|
||||
const AuthorizationSet& params) {
|
||||
|
||||
@@ -95,13 +95,22 @@ class KeyMintAidlTestBase : public ::testing::TestWithParam<string> {
|
||||
|
||||
ErrorCode ImportWrappedKey(string wrapped_key, string wrapping_key,
|
||||
const AuthorizationSet& wrapping_key_desc, string masking_key,
|
||||
const AuthorizationSet& unwrapping_params);
|
||||
const AuthorizationSet& unwrapping_params, int64_t password_sid,
|
||||
int64_t biometric_sid);
|
||||
ErrorCode ImportWrappedKey(string wrapped_key, string wrapping_key,
|
||||
const AuthorizationSet& wrapping_key_desc, string masking_key,
|
||||
const AuthorizationSet& unwrapping_params) {
|
||||
return ImportWrappedKey(wrapped_key, wrapping_key, wrapping_key_desc, masking_key,
|
||||
unwrapping_params, 0 /* password_sid */, 0 /* biometric_sid */);
|
||||
}
|
||||
|
||||
ErrorCode DeleteKey(vector<uint8_t>* key_blob, bool keep_key_blob = false);
|
||||
ErrorCode DeleteKey(bool keep_key_blob = false);
|
||||
|
||||
ErrorCode DeleteAllKeys();
|
||||
|
||||
ErrorCode DestroyAttestationIds();
|
||||
|
||||
void CheckedDeleteKey(vector<uint8_t>* key_blob, bool keep_key_blob = false);
|
||||
void CheckedDeleteKey();
|
||||
|
||||
@@ -166,6 +175,8 @@ class KeyMintAidlTestBase : public ::testing::TestWithParam<string> {
|
||||
const vector<uint8_t>& iv_in);
|
||||
string EncryptMessage(const string& message, BlockMode block_mode, PaddingMode padding,
|
||||
uint8_t mac_length_bits, const vector<uint8_t>& iv_in);
|
||||
string EncryptMessage(const string& message, BlockMode block_mode, PaddingMode padding,
|
||||
uint8_t mac_length_bits);
|
||||
|
||||
string DecryptMessage(const vector<uint8_t>& key_blob, const string& ciphertext,
|
||||
const AuthorizationSet& params);
|
||||
@@ -268,6 +279,7 @@ class KeyMintAidlTestBase : public ::testing::TestWithParam<string> {
|
||||
uint32_t os_version_;
|
||||
uint32_t os_patch_level_;
|
||||
uint32_t vendor_patch_level_;
|
||||
bool timestamp_token_required_;
|
||||
|
||||
SecurityLevel securityLevel_;
|
||||
string name_;
|
||||
|
||||
File diff suppressed because it is too large
Load Diff
Reference in New Issue
Block a user