Evolution-x/hardware_interfaces
1
0
Fork 0
mirror of https://github.com/Evolution-X/hardware_interfaces synced 2026-02-02 13:49:45 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge "KeyMint VTS: cope with ATTEST_KEY +/- SIGN" into tm-dev am: df427391cd

Browse Source 
Original change: https://googleplex-android-review.googlesource.com/c/platform/hardware/interfaces/+/18868609

Change-Id: I24aff2fca88674b9bc6497e208f92e2bd1d899ec
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
This commit is contained in:
David Drysdale
2022-06-20 06:47:39 +00:00
committed by Automerger Merge Worker
parent 527c55f1c4 df427391cd
commit 63dfce8d55
1 changed files with 112 additions and 81 deletions
Download Patch File Download Diff File Expand all files Collapse all files

193
security/keymint/aidl/vts/functional/AttestKeyTest.cpp
View File

@@ -16,6 +16,7 @@
#define LOG_TAG "keymint_1_attest_key_test" #define LOG_TAG "keymint_1_attest_key_test"
#include <cutils/log.h> #include <cutils/log.h>
#include <cutils/properties.h>
#include <keymint_support/key_param_output.h> #include <keymint_support/key_param_output.h>
#include <keymint_support/openssl_utils.h> #include <keymint_support/openssl_utils.h>
@@ -33,7 +34,33 @@ bool IsSelfSigned(const vector<Certificate>& chain) {
} // namespace } // namespace
using AttestKeyTest = KeyMintAidlTestBase; class AttestKeyTest : public KeyMintAidlTestBase {
protected:
ErrorCode GenerateAttestKey(const AuthorizationSet& key_desc,
const optional<AttestationKey>& attest_key,
vector<uint8_t>* key_blob,
vector<KeyCharacteristics>* key_characteristics,
vector<Certificate>* cert_chain) {
// The original specification for KeyMint v1 required ATTEST_KEY not be combined
// with any other key purpose, but the original VTS tests incorrectly did exactly that.
// This means that a device that launched prior to Android T (API level 33) may
// accept or even require KeyPurpose::SIGN too.
if (property_get_int32("ro.board.first_api_level", 0) < 33) {
AuthorizationSet key_desc_plus_sign = key_desc;
key_desc_plus_sign.push_back(TAG_PURPOSE, KeyPurpose::SIGN);
auto result = GenerateKey(key_desc_plus_sign, attest_key, key_blob, key_characteristics,
cert_chain);
if (result == ErrorCode::OK) {
return result;
}
// If the key generation failed, it may be because the device is (correctly)
// rejecting the combination of ATTEST_KEY+SIGN. Fall through to try again with
// just ATTEST_KEY.
}
return GenerateKey(key_desc, attest_key, key_blob, key_characteristics, cert_chain);
}
};
/* /*
* AttestKeyTest.AllRsaSizes * AttestKeyTest.AllRsaSizes
@@ -49,12 +76,13 @@ TEST_P(AttestKeyTest, AllRsaSizes) {
AttestationKey attest_key; AttestationKey attest_key;
vector<KeyCharacteristics> attest_key_characteristics; vector<KeyCharacteristics> attest_key_characteristics;
vector<Certificate> attest_key_cert_chain; vector<Certificate> attest_key_cert_chain;
ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder() ASSERT_EQ(ErrorCode::OK,
.RsaKey(size, 65537) GenerateAttestKey(AuthorizationSetBuilder()
.AttestKey() .RsaKey(size, 65537)
.SetDefaultValidity(), .AttestKey()
{} /* attestation signing key */, &attest_key.keyBlob, .SetDefaultValidity(),
&attest_key_characteristics, &attest_key_cert_chain)); {} /* attestation signing key */, &attest_key.keyBlob,
&attest_key_characteristics, &attest_key_cert_chain));
ASSERT_GT(attest_key_cert_chain.size(), 0); ASSERT_GT(attest_key_cert_chain.size(), 0);
EXPECT_EQ(attest_key_cert_chain.size(), 1); EXPECT_EQ(attest_key_cert_chain.size(), 1);
@@ -227,17 +255,17 @@ TEST_P(AttestKeyTest, RsaAttestedAttestKeys) {
AttestationKey attest_key; AttestationKey attest_key;
vector<KeyCharacteristics> attest_key_characteristics; vector<KeyCharacteristics> attest_key_characteristics;
vector<Certificate> attest_key_cert_chain; vector<Certificate> attest_key_cert_chain;
auto result = GenerateKey(AuthorizationSetBuilder() auto result = GenerateAttestKey(AuthorizationSetBuilder()
.RsaKey(2048, 65537) .RsaKey(2048, 65537)
.AttestKey() .AttestKey()
.AttestationChallenge(challenge) .AttestationChallenge(challenge)
.AttestationApplicationId(app_id) .AttestationApplicationId(app_id)
.Authorization(TAG_CERTIFICATE_SERIAL, serial_blob) .Authorization(TAG_CERTIFICATE_SERIAL, serial_blob)
.Authorization(TAG_CERTIFICATE_SUBJECT, subject_der) .Authorization(TAG_CERTIFICATE_SUBJECT, subject_der)
.Authorization(TAG_NO_AUTH_REQUIRED) .Authorization(TAG_NO_AUTH_REQUIRED)
.SetDefaultValidity(), .SetDefaultValidity(),
{} /* attestation signing key */, &attest_key.keyBlob, {} /* attestation signing key */, &attest_key.keyBlob,
&attest_key_characteristics, &attest_key_cert_chain); &attest_key_characteristics, &attest_key_cert_chain);
// Strongbox may not support factory provisioned attestation key. // Strongbox may not support factory provisioned attestation key.
if (SecLevel() == SecurityLevel::STRONGBOX) { if (SecLevel() == SecurityLevel::STRONGBOX) {
if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) return; if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) return;
@@ -331,17 +359,17 @@ TEST_P(AttestKeyTest, RsaAttestKeyChaining) {
attest_key_opt = attest_key; attest_key_opt = attest_key;
} }
auto result = GenerateKey(AuthorizationSetBuilder() auto result = GenerateAttestKey(AuthorizationSetBuilder()
.RsaKey(2048, 65537) .RsaKey(2048, 65537)
.AttestKey() .AttestKey()
.AttestationChallenge("foo") .AttestationChallenge("foo")
.AttestationApplicationId("bar") .AttestationApplicationId("bar")
.Authorization(TAG_NO_AUTH_REQUIRED) .Authorization(TAG_NO_AUTH_REQUIRED)
.Authorization(TAG_CERTIFICATE_SERIAL, serial_blob) .Authorization(TAG_CERTIFICATE_SERIAL, serial_blob)
.Authorization(TAG_CERTIFICATE_SUBJECT, subject_der) .Authorization(TAG_CERTIFICATE_SUBJECT, subject_der)
.SetDefaultValidity(), .SetDefaultValidity(),
attest_key_opt, &key_blob_list[i], &attested_key_characteristics, attest_key_opt, &key_blob_list[i],
&cert_chain_list[i]); &attested_key_characteristics, &cert_chain_list[i]);
// Strongbox may not support factory provisioned attestation key. // Strongbox may not support factory provisioned attestation key.
if (SecLevel() == SecurityLevel::STRONGBOX) { if (SecLevel() == SecurityLevel::STRONGBOX) {
if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) return; if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) return;
@@ -408,17 +436,17 @@ TEST_P(AttestKeyTest, EcAttestKeyChaining) {
attest_key_opt = attest_key; attest_key_opt = attest_key;
} }
auto result = GenerateKey(AuthorizationSetBuilder() auto result = GenerateAttestKey(AuthorizationSetBuilder()
.EcdsaKey(EcCurve::P_256) .EcdsaKey(EcCurve::P_256)
.AttestKey() .AttestKey()
.AttestationChallenge("foo") .AttestationChallenge("foo")
.AttestationApplicationId("bar") .AttestationApplicationId("bar")
.Authorization(TAG_CERTIFICATE_SERIAL, serial_blob) .Authorization(TAG_CERTIFICATE_SERIAL, serial_blob)
.Authorization(TAG_CERTIFICATE_SUBJECT, subject_der) .Authorization(TAG_CERTIFICATE_SUBJECT, subject_der)
.Authorization(TAG_NO_AUTH_REQUIRED) .Authorization(TAG_NO_AUTH_REQUIRED)
.SetDefaultValidity(), .SetDefaultValidity(),
attest_key_opt, &key_blob_list[i], &attested_key_characteristics, attest_key_opt, &key_blob_list[i],
&cert_chain_list[i]); &attested_key_characteristics, &cert_chain_list[i]);
// Strongbox may not support factory provisioned attestation key. // Strongbox may not support factory provisioned attestation key.
if (SecLevel() == SecurityLevel::STRONGBOX) { if (SecLevel() == SecurityLevel::STRONGBOX) {
if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) return; if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) return;
@@ -513,29 +541,29 @@ TEST_P(AttestKeyTest, AlternateAttestKeyChaining) {
} }
ErrorCode result; ErrorCode result;
if ((i & 0x1) == 1) { if ((i & 0x1) == 1) {
result = GenerateKey(AuthorizationSetBuilder() result = GenerateAttestKey(AuthorizationSetBuilder()
.EcdsaKey(EcCurve::P_256) .EcdsaKey(EcCurve::P_256)
.AttestKey() .AttestKey()
.AttestationChallenge("foo") .AttestationChallenge("foo")
.AttestationApplicationId("bar") .AttestationApplicationId("bar")
.Authorization(TAG_CERTIFICATE_SERIAL, serial_blob) .Authorization(TAG_CERTIFICATE_SERIAL, serial_blob)
.Authorization(TAG_CERTIFICATE_SUBJECT, subject_der) .Authorization(TAG_CERTIFICATE_SUBJECT, subject_der)
.Authorization(TAG_NO_AUTH_REQUIRED) .Authorization(TAG_NO_AUTH_REQUIRED)
.SetDefaultValidity(), .SetDefaultValidity(),
attest_key_opt, &key_blob_list[i], &attested_key_characteristics, attest_key_opt, &key_blob_list[i],
&cert_chain_list[i]); &attested_key_characteristics, &cert_chain_list[i]);
} else { } else {
result = GenerateKey(AuthorizationSetBuilder() result = GenerateAttestKey(AuthorizationSetBuilder()
.RsaKey(2048, 65537) .RsaKey(2048, 65537)
.AttestKey() .AttestKey()
.AttestationChallenge("foo") .AttestationChallenge("foo")
.AttestationApplicationId("bar") .AttestationApplicationId("bar")
.Authorization(TAG_CERTIFICATE_SERIAL, serial_blob) .Authorization(TAG_CERTIFICATE_SERIAL, serial_blob)
.Authorization(TAG_CERTIFICATE_SUBJECT, subject_der) .Authorization(TAG_CERTIFICATE_SUBJECT, subject_der)
.Authorization(TAG_NO_AUTH_REQUIRED) .Authorization(TAG_NO_AUTH_REQUIRED)
.SetDefaultValidity(), .SetDefaultValidity(),
attest_key_opt, &key_blob_list[i], &attested_key_characteristics, attest_key_opt, &key_blob_list[i],
&cert_chain_list[i]); &attested_key_characteristics, &cert_chain_list[i]);
} }
// Strongbox may not support factory provisioned attestation key. // Strongbox may not support factory provisioned attestation key.
if (SecLevel() == SecurityLevel::STRONGBOX) { if (SecLevel() == SecurityLevel::STRONGBOX) {
@@ -581,12 +609,13 @@ TEST_P(AttestKeyTest, MissingChallenge) {
AttestationKey attest_key; AttestationKey attest_key;
vector<KeyCharacteristics> attest_key_characteristics; vector<KeyCharacteristics> attest_key_characteristics;
vector<Certificate> attest_key_cert_chain; vector<Certificate> attest_key_cert_chain;
ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder() ASSERT_EQ(ErrorCode::OK,
.RsaKey(size, 65537) GenerateAttestKey(AuthorizationSetBuilder()
.AttestKey() .RsaKey(size, 65537)
.SetDefaultValidity(), .AttestKey()
{} /* attestation signing key */, &attest_key.keyBlob, .SetDefaultValidity(),
&attest_key_characteristics, &attest_key_cert_chain)); {} /* attestation signing key */, &attest_key.keyBlob,
&attest_key_characteristics, &attest_key_cert_chain));
EXPECT_EQ(attest_key_cert_chain.size(), 1); EXPECT_EQ(attest_key_cert_chain.size(), 1);
EXPECT_TRUE(IsSelfSigned(attest_key_cert_chain)) << "Failed on size " << size; EXPECT_TRUE(IsSelfSigned(attest_key_cert_chain)) << "Failed on size " << size;
@@ -630,7 +659,7 @@ TEST_P(AttestKeyTest, AllEcCurves) {
vector<Certificate> attest_key_cert_chain; vector<Certificate> attest_key_cert_chain;
ASSERT_EQ( ASSERT_EQ(
ErrorCode::OK, ErrorCode::OK,
GenerateKey( GenerateAttestKey(
AuthorizationSetBuilder().EcdsaKey(curve).AttestKey().SetDefaultValidity(), AuthorizationSetBuilder().EcdsaKey(curve).AttestKey().SetDefaultValidity(),
{} /* attestation signing key */, &attest_key.keyBlob, {} /* attestation signing key */, &attest_key.keyBlob,
&attest_key_characteristics, &attest_key_cert_chain)); &attest_key_characteristics, &attest_key_cert_chain));
@@ -752,12 +781,13 @@ TEST_P(AttestKeyTest, EcdsaAttestationID) {
AttestationKey attest_key; AttestationKey attest_key;
vector<KeyCharacteristics> attest_key_characteristics; vector<KeyCharacteristics> attest_key_characteristics;
vector<Certificate> attest_key_cert_chain; vector<Certificate> attest_key_cert_chain;
ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder() ASSERT_EQ(ErrorCode::OK,
.EcdsaKey(EcCurve::P_256) GenerateAttestKey(AuthorizationSetBuilder()
.AttestKey() .EcdsaKey(EcCurve::P_256)
.SetDefaultValidity(), .AttestKey()
{} /* attestation signing key */, &attest_key.keyBlob, .SetDefaultValidity(),
&attest_key_characteristics, &attest_key_cert_chain)); {} /* attestation signing key */, &attest_key.keyBlob,
&attest_key_characteristics, &attest_key_cert_chain));
attest_key.issuerSubjectName = make_name_from_str("Android Keystore Key"); attest_key.issuerSubjectName = make_name_from_str("Android Keystore Key");
ASSERT_GT(attest_key_cert_chain.size(), 0); ASSERT_GT(attest_key_cert_chain.size(), 0);
EXPECT_EQ(attest_key_cert_chain.size(), 1); EXPECT_EQ(attest_key_cert_chain.size(), 1);
@@ -816,12 +846,13 @@ TEST_P(AttestKeyTest, EcdsaAttestationMismatchID) {
AttestationKey attest_key; AttestationKey attest_key;
vector<KeyCharacteristics> attest_key_characteristics; vector<KeyCharacteristics> attest_key_characteristics;
vector<Certificate> attest_key_cert_chain; vector<Certificate> attest_key_cert_chain;
ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder() ASSERT_EQ(ErrorCode::OK,
.EcdsaKey(EcCurve::P_256) GenerateAttestKey(AuthorizationSetBuilder()
.AttestKey() .EcdsaKey(EcCurve::P_256)
.SetDefaultValidity(), .AttestKey()
{} /* attestation signing key */, &attest_key.keyBlob, .SetDefaultValidity(),
&attest_key_characteristics, &attest_key_cert_chain)); {} /* attestation signing key */, &attest_key.keyBlob,
&attest_key_characteristics, &attest_key_cert_chain));
attest_key.issuerSubjectName = make_name_from_str("Android Keystore Key"); attest_key.issuerSubjectName = make_name_from_str("Android Keystore Key");
ASSERT_GT(attest_key_cert_chain.size(), 0); ASSERT_GT(attest_key_cert_chain.size(), 0);
EXPECT_EQ(attest_key_cert_chain.size(), 1); EXPECT_EQ(attest_key_cert_chain.size(), 1);