From 810fbcffed8e86a3b53e8212ce4fdb64971d812f Mon Sep 17 00:00:00 2001 From: David Drysdale Date: Tue, 4 Jul 2023 13:08:30 +0100 Subject: [PATCH] Fix attestation error checks Avoid the ADD_FAILURE at the end if attestion ID failure uses an allowed return code. Test: VtsAidlKeyMintTargetTest Bug: 286733800 Change-Id: I0dcac312ac4516a078b2742721e3a19074da52b1 --- .../vts/functional/KeyMintAidlTestBase.cpp | 24 ++++++++----------- 1 file changed, 10 insertions(+), 14 deletions(-) diff --git a/security/keymint/aidl/vts/functional/KeyMintAidlTestBase.cpp b/security/keymint/aidl/vts/functional/KeyMintAidlTestBase.cpp index ee490a37b7..d280c7111e 100644 --- a/security/keymint/aidl/vts/functional/KeyMintAidlTestBase.cpp +++ b/security/keymint/aidl/vts/functional/KeyMintAidlTestBase.cpp @@ -2192,30 +2192,26 @@ void p256_pub_key(const vector& coseKeyData, EVP_PKEY_Ptr* signingKey) // Check the error code from an attempt to perform device ID attestation with an invalid value. void device_id_attestation_check_acceptable_error(Tag tag, const ErrorCode& result) { - // Standard/default error code for ID mismatch. if (result == ErrorCode::CANNOT_ATTEST_IDS) { - return; - } - - // Depending on the situation, other error codes may be acceptable. First, allow older - // implementations to use INVALID_TAG. - if (result == ErrorCode::INVALID_TAG) { + // Standard/default error code for ID mismatch. + } else if (result == ErrorCode::INVALID_TAG) { + // Depending on the situation, other error codes may be acceptable. First, allow older + // implementations to use INVALID_TAG. ASSERT_FALSE(get_vsr_api_level() > __ANDROID_API_T__) << "It is a specification violation for INVALID_TAG to be returned due to ID " << "mismatch in a Device ID Attestation call. INVALID_TAG is only intended to " << "be used for a case where updateAad() is called after update(). As of " << "VSR-14, this is now enforced as an error."; - } - - // If the device is not a phone, it will not have IMEI/MEID values available. Allow - // ATTESTATION_IDS_NOT_PROVISIONED in this case. - if (result == ErrorCode::ATTESTATION_IDS_NOT_PROVISIONED) { + } else if (result == ErrorCode::ATTESTATION_IDS_NOT_PROVISIONED) { + // If the device is not a phone, it will not have IMEI/MEID values available. Allow + // ATTESTATION_IDS_NOT_PROVISIONED in this case. ASSERT_TRUE((tag == TAG_ATTESTATION_ID_IMEI || tag == TAG_ATTESTATION_ID_MEID || tag == TAG_ATTESTATION_ID_SECOND_IMEI)) << "incorrect error code on attestation ID mismatch"; + } else { + ADD_FAILURE() << "Error code " << result + << " returned on attestation ID mismatch, should be CANNOT_ATTEST_IDS"; } - ADD_FAILURE() << "Error code " << result - << " returned on attestation ID mismatch, should be CANNOT_ATTEST_IDS"; } // Check whether the given named feature is available.