Evolution-x/hardware_interfaces
1
0
Fork 0
mirror of https://github.com/Evolution-X/hardware_interfaces synced 2026-02-01 16:50:18 +00:00
Code Issues Packages Projects Releases Wiki Activity

Updated the vts attestation tests for strongbox implementations which am: 4f4d7d7615

Browse Source 
Original change: https://android-review.googlesource.com/c/platform/hardware/interfaces/+/2963909

Change-Id: I0baad8c5208771261625ee609d69b5a64f4b6d42
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
This commit is contained in:
subrahmanyaman
2024-09-17 22:23:11 +00:00
committed by Automerger Merge Worker
parent 59737c281f 4f4d7d7615
commit 4d4f7cb075
4 changed files with 237 additions and 105 deletions
Download Patch File Download Diff File Expand all files Collapse all files

23
security/keymint/aidl/vts/functional/AttestKeyTest.cpp
View File

@@ -289,17 +289,18 @@ TEST_P(AttestKeyTest, RsaAttestedAttestKeys) {
AttestationKey attest_key;
vector<KeyCharacteristics> attest_key_characteristics;
vector<Certificate> attest_key_cert_chain;
auto result = GenerateAttestKey(AuthorizationSetBuilder()
.RsaKey(2048, 65537)
.AttestKey()
.AttestationChallenge(challenge)
.AttestationApplicationId(app_id)
.Authorization(TAG_CERTIFICATE_SERIAL, serial_blob)
.Authorization(TAG_CERTIFICATE_SUBJECT, subject_der)
.Authorization(TAG_NO_AUTH_REQUIRED)
.SetDefaultValidity(),
{} /* attestation signing key */, &attest_key.keyBlob,
&attest_key_characteristics, &attest_key_cert_chain);
auto result =
GenerateAttestKey(AuthorizationSetBuilder()
.RsaKey(2048, 65537)
.AttestKey()
.AttestationChallenge(challenge)
.AttestationApplicationId(app_id)
.Authorization(TAG_CERTIFICATE_SERIAL, serial_blob)
.Authorization(TAG_CERTIFICATE_SUBJECT, subject_der)
.Authorization(TAG_NO_AUTH_REQUIRED)
.SetDefaultValidity(),
{} /* attestation signing key */, &attest_key.keyBlob,
&attest_key_characteristics, &attest_key_cert_chain);
// Strongbox may not support factory provisioned attestation key.
if (SecLevel() == SecurityLevel::STRONGBOX) {
if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) return;

24
security/keymint/aidl/vts/functional/KeyMintAidlTestBase.cpp
View File

@@ -269,6 +269,30 @@ ErrorCode KeyMintAidlTestBase::GenerateKey(const AuthorizationSet& key_desc,
return GenerateKey(key_desc, attest_key, &key_blob_, &key_characteristics_, &cert_chain_);
}
ErrorCode KeyMintAidlTestBase::GenerateKeyWithSelfSignedAttestKey(
const AuthorizationSet& attest_key_desc, const AuthorizationSet& key_desc,
vector<uint8_t>* key_blob, vector<KeyCharacteristics>* key_characteristics,
vector<Certificate>* cert_chain) {
AttestationKey attest_key;
vector<Certificate> attest_cert_chain;
vector<KeyCharacteristics> attest_key_characteristics;
// Generate a key with self signed attestation.
auto error = GenerateKey(attest_key_desc, std::nullopt, &attest_key.keyBlob,
&attest_key_characteristics, &attest_cert_chain);
if (error != ErrorCode::OK) {
return error;
}
attest_key.issuerSubjectName = make_name_from_str("Android Keystore Key");
// Generate a key, by passing the above self signed attestation key as attest key.
error = GenerateKey(key_desc, attest_key, key_blob, key_characteristics, cert_chain);
if (error == ErrorCode::OK) {
// Append the attest_cert_chain to the attested cert_chain to yield a valid cert chain.
cert_chain->push_back(attest_cert_chain[0]);
}
return error;
}
ErrorCode KeyMintAidlTestBase::ImportKey(const AuthorizationSet& key_desc, KeyFormat format,
const string& key_material, vector<uint8_t>* key_blob,
vector<KeyCharacteristics>* key_characteristics) {

15
security/keymint/aidl/vts/functional/KeyMintAidlTestBase.h
View File

@@ -93,6 +93,21 @@ class KeyMintAidlTestBase : public ::testing::TestWithParam<string> {
ErrorCode GenerateKey(const AuthorizationSet& key_desc,
const optional<AttestationKey>& attest_key = std::nullopt);
// Generate key for implementations which do not support factory attestation.
ErrorCode GenerateKeyWithSelfSignedAttestKey(const AuthorizationSet& attest_key_desc,
const AuthorizationSet& key_desc,
vector<uint8_t>* key_blob,
vector<KeyCharacteristics>* key_characteristics,
vector<Certificate>* cert_chain);
ErrorCode GenerateKeyWithSelfSignedAttestKey(const AuthorizationSet& attest_key_desc,
const AuthorizationSet& key_desc,
vector<uint8_t>* key_blob,
vector<KeyCharacteristics>* key_characteristics) {
return GenerateKeyWithSelfSignedAttestKey(attest_key_desc, key_desc, key_blob,
key_characteristics, &cert_chain_);
}
ErrorCode ImportKey(const AuthorizationSet& key_desc, KeyFormat format,
const string& key_material, vector<uint8_t>* key_blob,
vector<KeyCharacteristics>* key_characteristics);

280
security/keymint/aidl/vts/functional/KeyMintTest.cpp
View File

@@ -902,22 +902,30 @@ TEST_P(NewKeyGenerationTest, RsaWithAttestation) {
for (auto key_size : ValidKeySizes(Algorithm::RSA)) {
vector<uint8_t> key_blob;
vector<KeyCharacteristics> key_characteristics;
auto result = GenerateKey(AuthorizationSetBuilder()
.RsaSigningKey(key_size, 65537)
.Digest(Digest::NONE)
.Padding(PaddingMode::NONE)
.AttestationChallenge(challenge)
.AttestationApplicationId(app_id)
.Authorization(TAG_NO_AUTH_REQUIRED)
.Authorization(TAG_CERTIFICATE_SERIAL, serial_blob)
.Authorization(TAG_CERTIFICATE_SUBJECT, subject_der)
.SetDefaultValidity(),
&key_blob, &key_characteristics);
auto builder = AuthorizationSetBuilder()
.RsaSigningKey(key_size, 65537)
.Digest(Digest::NONE)
.Padding(PaddingMode::NONE)
.AttestationChallenge(challenge)
.AttestationApplicationId(app_id)
.Authorization(TAG_NO_AUTH_REQUIRED)
.Authorization(TAG_CERTIFICATE_SERIAL, serial_blob)
.Authorization(TAG_CERTIFICATE_SUBJECT, subject_der)
.SetDefaultValidity();
auto result = GenerateKey(builder, &key_blob, &key_characteristics);
// Strongbox may not support factory provisioned attestation key.
if (SecLevel() == SecurityLevel::STRONGBOX) {
if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) return;
if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) {
result = GenerateKeyWithSelfSignedAttestKey(
AuthorizationSetBuilder()
.RsaKey(key_size, 65537)
.AttestKey()
.SetDefaultValidity(), /* attest key params */
builder, &key_blob, &key_characteristics);
}
}
ASSERT_EQ(ErrorCode::OK, result);
ASSERT_GT(key_blob.size(), 0U);
CheckBaseParams(key_characteristics);
CheckCharacteristics(key_blob, key_characteristics);
@@ -1038,19 +1046,27 @@ TEST_P(NewKeyGenerationTest, RsaEncryptionWithAttestation) {
vector<uint8_t> key_blob;
vector<KeyCharacteristics> key_characteristics;
auto result = GenerateKey(AuthorizationSetBuilder()
.RsaEncryptionKey(key_size, 65537)
.Padding(PaddingMode::NONE)
.AttestationChallenge(challenge)
.AttestationApplicationId(app_id)
.Authorization(TAG_NO_AUTH_REQUIRED)
.Authorization(TAG_CERTIFICATE_SERIAL, serial_blob)
.Authorization(TAG_CERTIFICATE_SUBJECT, subject_der)
.SetDefaultValidity(),
&key_blob, &key_characteristics);
auto builder = AuthorizationSetBuilder()
.RsaEncryptionKey(key_size, 65537)
.Padding(PaddingMode::NONE)
.AttestationChallenge(challenge)
.AttestationApplicationId(app_id)
.Authorization(TAG_NO_AUTH_REQUIRED)
.Authorization(TAG_CERTIFICATE_SERIAL, serial_blob)
.Authorization(TAG_CERTIFICATE_SUBJECT, subject_der)
.SetDefaultValidity();
auto result = GenerateKey(builder, &key_blob, &key_characteristics);
// Strongbox may not support factory provisioned attestation key.
if (SecLevel() == SecurityLevel::STRONGBOX) {
if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) return;
if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) {
result = GenerateKeyWithSelfSignedAttestKey(
AuthorizationSetBuilder()
.RsaKey(key_size, 65537)
.AttestKey()
.SetDefaultValidity(), /* attest key params */
builder, &key_blob, &key_characteristics);
}
}
ASSERT_EQ(ErrorCode::OK, result);
@@ -1154,17 +1170,25 @@ TEST_P(NewKeyGenerationTest, RsaWithAttestationMissAppId) {
vector<uint8_t> key_blob;
vector<KeyCharacteristics> key_characteristics;
auto result = GenerateKey(AuthorizationSetBuilder()
.RsaSigningKey(2048, 65537)
.Digest(Digest::NONE)
.Padding(PaddingMode::NONE)
.AttestationChallenge(challenge)
.Authorization(TAG_NO_AUTH_REQUIRED)
.SetDefaultValidity(),
&key_blob, &key_characteristics);
auto builder = AuthorizationSetBuilder()
.RsaSigningKey(2048, 65537)
.Digest(Digest::NONE)
.Padding(PaddingMode::NONE)
.AttestationChallenge(challenge)
.Authorization(TAG_NO_AUTH_REQUIRED)
.SetDefaultValidity();
auto result = GenerateKey(builder, &key_blob, &key_characteristics);
// Strongbox may not support factory provisioned attestation key.
if (SecLevel() == SecurityLevel::STRONGBOX) {
if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) return;
if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) {
result = GenerateKeyWithSelfSignedAttestKey(
AuthorizationSetBuilder()
.RsaKey(2048, 65537)
.AttestKey()
.SetDefaultValidity(), /* attest key params */
builder, &key_blob, &key_characteristics);
}
}
ASSERT_EQ(ErrorCode::ATTESTATION_APPLICATION_ID_MISSING, result);
}
@@ -1276,21 +1300,29 @@ TEST_P(NewKeyGenerationTest, LimitedUsageRsaWithAttestation) {
for (auto key_size : ValidKeySizes(Algorithm::RSA)) {
vector<uint8_t> key_blob;
vector<KeyCharacteristics> key_characteristics;
auto result = GenerateKey(AuthorizationSetBuilder()
.RsaSigningKey(key_size, 65537)
.Digest(Digest::NONE)
.Padding(PaddingMode::NONE)
.AttestationChallenge(challenge)
.AttestationApplicationId(app_id)
.Authorization(TAG_NO_AUTH_REQUIRED)
.Authorization(TAG_USAGE_COUNT_LIMIT, 1)
.Authorization(TAG_CERTIFICATE_SERIAL, serial_blob)
.Authorization(TAG_CERTIFICATE_SUBJECT, subject_der)
.SetDefaultValidity(),
&key_blob, &key_characteristics);
auto builder = AuthorizationSetBuilder()
.RsaSigningKey(key_size, 65537)
.Digest(Digest::NONE)
.Padding(PaddingMode::NONE)
.AttestationChallenge(challenge)
.AttestationApplicationId(app_id)
.Authorization(TAG_NO_AUTH_REQUIRED)
.Authorization(TAG_USAGE_COUNT_LIMIT, 1)
.Authorization(TAG_CERTIFICATE_SERIAL, serial_blob)
.Authorization(TAG_CERTIFICATE_SUBJECT, subject_der)
.SetDefaultValidity();
auto result = GenerateKey(builder, &key_blob, &key_characteristics);
// Strongbox may not support factory provisioned attestation key.
if (SecLevel() == SecurityLevel::STRONGBOX) {
if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) return;
if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) {
result = GenerateKeyWithSelfSignedAttestKey(
AuthorizationSetBuilder()
.RsaKey(key_size, 65537)
.AttestKey()
.SetDefaultValidity(), /* attest key params */
builder, &key_blob, &key_characteristics);
}
}
ASSERT_EQ(ErrorCode::OK, result);
@@ -1423,19 +1455,27 @@ TEST_P(NewKeyGenerationTest, EcdsaAttestation) {
for (auto curve : ValidCurves()) {
vector<uint8_t> key_blob;
vector<KeyCharacteristics> key_characteristics;
auto result = GenerateKey(AuthorizationSetBuilder()
.Authorization(TAG_NO_AUTH_REQUIRED)
.EcdsaSigningKey(curve)
.Digest(Digest::NONE)
.AttestationChallenge(challenge)
.AttestationApplicationId(app_id)
.Authorization(TAG_CERTIFICATE_SERIAL, serial_blob)
.Authorization(TAG_CERTIFICATE_SUBJECT, subject_der)
.SetDefaultValidity(),
&key_blob, &key_characteristics);
auto builder = AuthorizationSetBuilder()
.Authorization(TAG_NO_AUTH_REQUIRED)
.EcdsaSigningKey(curve)
.Digest(Digest::NONE)
.AttestationChallenge(challenge)
.AttestationApplicationId(app_id)
.Authorization(TAG_CERTIFICATE_SERIAL, serial_blob)
.Authorization(TAG_CERTIFICATE_SUBJECT, subject_der)
.SetDefaultValidity();
auto result = GenerateKey(builder, &key_blob, &key_characteristics);
// Strongbox may not support factory provisioned attestation key.
if (SecLevel() == SecurityLevel::STRONGBOX) {
if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) return;
if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) {
result = GenerateKeyWithSelfSignedAttestKey(
AuthorizationSetBuilder()
.EcdsaKey(curve)
.AttestKey()
.SetDefaultValidity(), /* attest key params */
builder, &key_blob, &key_characteristics);
}
}
ASSERT_EQ(ErrorCode::OK, result);
ASSERT_GT(key_blob.size(), 0U);
@@ -1516,7 +1556,14 @@ TEST_P(NewKeyGenerationTest, EcdsaAttestationTags) {
}
// Strongbox may not support factory provisioned attestation key.
if (SecLevel() == SecurityLevel::STRONGBOX) {
if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) return;
if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) {
result = GenerateKeyWithSelfSignedAttestKey(
AuthorizationSetBuilder()
.EcdsaKey(EcCurve::P_256)
.AttestKey()
.SetDefaultValidity(), /* attest key params */
builder, &key_blob, &key_characteristics);
}
}
ASSERT_EQ(result, ErrorCode::OK);
ASSERT_GT(key_blob.size(), 0U);
@@ -1567,8 +1614,20 @@ TEST_P(NewKeyGenerationTest, EcdsaAttestationTags) {
.Authorization(TAG_CERTIFICATE_SUBJECT, subject_der)
.SetDefaultValidity();
builder.push_back(tag);
ASSERT_EQ(ErrorCode::CANNOT_ATTEST_IDS,
GenerateKey(builder, &key_blob, &key_characteristics));
auto error = GenerateKey(builder, &key_blob, &key_characteristics);
// Strongbox may not support factory provisioned attestation key.
if (SecLevel() == SecurityLevel::STRONGBOX) {
if (error == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) {
error = GenerateKeyWithSelfSignedAttestKey(
AuthorizationSetBuilder()
.EcdsaKey(EcCurve::P_256)
.AttestKey()
.SetDefaultValidity(), /* attest key params */
builder, &key_blob, &key_characteristics);
}
}
ASSERT_EQ(error, ErrorCode::CANNOT_ATTEST_IDS);
}
}
@@ -1688,21 +1747,29 @@ TEST_P(NewKeyGenerationTest, EcdsaAttestationTagNoApplicationId) {
// to confirm that this field never makes it into the attestation extension.
vector<uint8_t> key_blob;
vector<KeyCharacteristics> key_characteristics;
auto result = GenerateKey(AuthorizationSetBuilder()
.Authorization(TAG_NO_AUTH_REQUIRED)
.EcdsaSigningKey(EcCurve::P_256)
.Digest(Digest::NONE)
.AttestationChallenge(challenge)
.AttestationApplicationId(attest_app_id)
.Authorization(TAG_APPLICATION_ID, "client_id")
.Authorization(TAG_APPLICATION_DATA, "appdata")
.Authorization(TAG_CERTIFICATE_SERIAL, serial_blob)
.Authorization(TAG_CERTIFICATE_SUBJECT, subject_der)
.SetDefaultValidity(),
&key_blob, &key_characteristics);
auto builder = AuthorizationSetBuilder()
.Authorization(TAG_NO_AUTH_REQUIRED)
.EcdsaSigningKey(EcCurve::P_256)
.Digest(Digest::NONE)
.AttestationChallenge(challenge)
.AttestationApplicationId(attest_app_id)
.Authorization(TAG_APPLICATION_ID, "client_id")
.Authorization(TAG_APPLICATION_DATA, "appdata")
.Authorization(TAG_CERTIFICATE_SERIAL, serial_blob)
.Authorization(TAG_CERTIFICATE_SUBJECT, subject_der)
.SetDefaultValidity();
auto result = GenerateKey(builder, &key_blob, &key_characteristics);
// Strongbox may not support factory provisioned attestation key.
if (SecLevel() == SecurityLevel::STRONGBOX) {
if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) return;
if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) {
result = GenerateKeyWithSelfSignedAttestKey(
AuthorizationSetBuilder()
.EcdsaKey(EcCurve::P_256)
.AttestKey()
.SetDefaultValidity(), /* attest key params */
builder, &key_blob, &key_characteristics);
}
}
ASSERT_EQ(result, ErrorCode::OK);
ASSERT_GT(key_blob.size(), 0U);
@@ -1781,16 +1848,23 @@ TEST_P(NewKeyGenerationTest, EcdsaAttestationRequireAppId) {
auto challenge = "hello";
vector<uint8_t> key_blob;
vector<KeyCharacteristics> key_characteristics;
auto builder = AuthorizationSetBuilder()
.EcdsaSigningKey(EcCurve::P_256)
.Digest(Digest::NONE)
.AttestationChallenge(challenge)
.SetDefaultValidity();
auto result = GenerateKey(AuthorizationSetBuilder()
.EcdsaSigningKey(EcCurve::P_256)
.Digest(Digest::NONE)
.AttestationChallenge(challenge)
.SetDefaultValidity(),
&key_blob, &key_characteristics);
auto result = GenerateKey(builder, &key_blob, &key_characteristics);
// Strongbox may not support factory provisioned attestation key.
if (SecLevel() == SecurityLevel::STRONGBOX) {
if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) return;
if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) {
result = GenerateKeyWithSelfSignedAttestKey(
AuthorizationSetBuilder()
.EcdsaKey(EcCurve::P_256)
.AttestKey()
.SetDefaultValidity(), /* attest key params */
builder, &key_blob, &key_characteristics);
}
}
ASSERT_EQ(ErrorCode::ATTESTATION_APPLICATION_ID_MISSING, result);
}
@@ -1849,17 +1923,25 @@ TEST_P(NewKeyGenerationTest, AttestationApplicationIDLengthProperlyEncoded) {
const string app_id(length, 'a');
vector<uint8_t> key_blob;
vector<KeyCharacteristics> key_characteristics;
auto result = GenerateKey(AuthorizationSetBuilder()
.Authorization(TAG_NO_AUTH_REQUIRED)
.EcdsaSigningKey(EcCurve::P_256)
.Digest(Digest::NONE)
.AttestationChallenge(challenge)
.AttestationApplicationId(app_id)
.SetDefaultValidity(),
&key_blob, &key_characteristics);
auto builder = AuthorizationSetBuilder()
.Authorization(TAG_NO_AUTH_REQUIRED)
.EcdsaSigningKey(EcCurve::P_256)
.Digest(Digest::NONE)
.AttestationChallenge(challenge)
.AttestationApplicationId(app_id)
.SetDefaultValidity();
auto result = GenerateKey(builder, &key_blob, &key_characteristics);
// Strongbox may not support factory provisioned attestation key.
if (SecLevel() == SecurityLevel::STRONGBOX) {
if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) return;
if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) {
result = GenerateKeyWithSelfSignedAttestKey(
AuthorizationSetBuilder()
.EcdsaKey(EcCurve::P_256)
.AttestKey()
.SetDefaultValidity(), /* attest key params */
builder, &key_blob, &key_characteristics);
}
}
ASSERT_EQ(ErrorCode::OK, result);
ASSERT_GT(key_blob.size(), 0U);
@@ -6505,17 +6587,27 @@ TEST_P(KeyAgreementTest, Ecdh) {
// Generate EC key in KeyMint (only access to public key material)
vector<uint8_t> challenge = {0x41, 0x42};
EXPECT_EQ(
ErrorCode::OK,
GenerateKey(AuthorizationSetBuilder()
auto builder = AuthorizationSetBuilder()
.Authorization(TAG_NO_AUTH_REQUIRED)
.Authorization(TAG_EC_CURVE, curve)
.Authorization(TAG_PURPOSE, KeyPurpose::AGREE_KEY)
.Authorization(TAG_ALGORITHM, Algorithm::EC)
.Authorization(TAG_ATTESTATION_APPLICATION_ID, {0x61, 0x62})
.Authorization(TAG_ATTESTATION_CHALLENGE, challenge)
.SetDefaultValidity()))
<< "Failed to generate key";
.SetDefaultValidity();
ErrorCode result = GenerateKey(builder);
if (SecLevel() == SecurityLevel::STRONGBOX) {
if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) {
result = GenerateKeyWithSelfSignedAttestKey(
AuthorizationSetBuilder()
.EcdsaKey(EcCurve::P_256)
.AttestKey()
.SetDefaultValidity(), /* attest key params */
builder, &key_blob_, &key_characteristics_, &cert_chain_);
}
}
ASSERT_EQ(ErrorCode::OK, result) << "Failed to generate key";
ASSERT_GT(cert_chain_.size(), 0);
X509_Ptr kmKeyCert(parse_cert_blob(cert_chain_[0].encodedCertificate));
ASSERT_NE(kmKeyCert, nullptr);