diff --git a/keymaster/4.0/vts/functional/keymaster_hidl_hal_test.cpp b/keymaster/4.0/vts/functional/keymaster_hidl_hal_test.cpp index 784ae30c04..a9c6f6ca93 100644 --- a/keymaster/4.0/vts/functional/keymaster_hidl_hal_test.cpp +++ b/keymaster/4.0/vts/functional/keymaster_hidl_hal_test.cpp @@ -181,7 +181,35 @@ X509* parse_cert_blob(const hidl_vec& blob) { return d2i_X509(nullptr, &p, blob.size()); } -bool verify_chain(const hidl_vec>& chain) { +bool verify_chain(const hidl_vec>& chain, const std::string& msg, + const std::string& signature) { + { + EVP_MD_CTX md_ctx_verify; + X509_Ptr signing_cert(parse_cert_blob(chain[0])); + EVP_PKEY_Ptr signing_pubkey(X509_get_pubkey(signing_cert.get())); + EXPECT_TRUE(signing_pubkey); + ERR_print_errors_cb( + [](const char* str, size_t len, void* ctx) -> int { + (void)ctx; + std::cerr << std::string(str, len) << std::endl; + return 1; + }, + nullptr); + + EVP_MD_CTX_init(&md_ctx_verify); + + bool result = false; + EXPECT_TRUE((result = EVP_DigestVerifyInit(&md_ctx_verify, NULL, EVP_sha256(), NULL, + signing_pubkey.get()))); + EXPECT_TRUE( + (result = result && EVP_DigestVerifyUpdate(&md_ctx_verify, msg.c_str(), msg.size()))); + EXPECT_TRUE((result = result && EVP_DigestVerifyFinal( + &md_ctx_verify, + reinterpret_cast(signature.c_str()), + signature.size()))); + EVP_MD_CTX_cleanup(&md_ctx_verify); + if (!result) return false; + } for (size_t i = 0; i < chain.size(); ++i) { X509_Ptr key_cert(parse_cert_blob(chain[i])); X509_Ptr signing_cert; @@ -3833,8 +3861,8 @@ TEST_F(AttestationTest, RsaAttestation) { ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder() .Authorization(TAG_NO_AUTH_REQUIRED) .RsaSigningKey(2048, 65537) - .Digest(Digest::NONE) - .Padding(PaddingMode::NONE) + .Digest(Digest::SHA_2_256) + .Padding(PaddingMode::RSA_PKCS1_1_5_SIGN) .Authorization(TAG_INCLUDE_UNIQUE_ID))); hidl_vec> cert_chain; @@ -3844,7 +3872,13 @@ TEST_F(AttestationTest, RsaAttestation) { .Authorization(TAG_ATTESTATION_APPLICATION_ID, HidlBuf("foo")), &cert_chain)); EXPECT_GE(cert_chain.size(), 2U); - EXPECT_TRUE(verify_chain(cert_chain)); + + string message = "12345678901234567890123456789012"; + string signature = SignMessage(message, AuthorizationSetBuilder() + .Digest(Digest::SHA_2_256) + .Padding(PaddingMode::RSA_PKCS1_1_5_SIGN)); + + EXPECT_TRUE(verify_chain(cert_chain, message, signature)); EXPECT_TRUE(verify_attestation_record("challenge", "foo", // key_characteristics_.softwareEnforced, // key_characteristics_.hardwareEnforced, // @@ -3890,7 +3924,11 @@ TEST_F(AttestationTest, EcAttestation) { .Authorization(TAG_ATTESTATION_APPLICATION_ID, HidlBuf("foo")), &cert_chain)); EXPECT_GE(cert_chain.size(), 2U); - EXPECT_TRUE(verify_chain(cert_chain)); + + string message(1024, 'a'); + string signature = SignMessage(message, AuthorizationSetBuilder().Digest(Digest::SHA_2_256)); + + EXPECT_TRUE(verify_chain(cert_chain, message, signature)); EXPECT_TRUE(verify_attestation_record("challenge", "foo", // key_characteristics_.softwareEnforced, //