From a722ff42a961e12d284b64f3b2d633dc4c2ee81f Mon Sep 17 00:00:00 2001
From: Max Bires <jbires@google.com>
Date: Wed, 16 Oct 2019 13:02:11 -0700
Subject: [PATCH] Adding test to check that ASN.1 lengths are properly encoded

This test checks that length metadata for the ASN.1 encoding of
attestation application ids are correct. It generates an app id that
will have a length between 127 and 256, which should create an encoding
that requires two bytes of length metadata - one byte to specify how many
bytes are needed for the length, and one byte for the length.

Some implementations of keymaster only use one byte in this case, which
will fail on strict ASN.1 parsers.

Bug: 142674020
Test: m VtsHalKeymasterV4_0TargetTest && adb sync data \
&& adb shell data/nativetest64/VtsHalKeymasterV4_0TargetTest/VtsHalKeymasterV4_0TargetTest

Change-Id: I7dfc38a09247eb3cb237f33a202044668d15cbca
---
 .../functional/keymaster_hidl_hal_test.cpp    | 29 +++++++++++++++++++
 1 file changed, 29 insertions(+)

diff --git a/keymaster/4.0/vts/functional/keymaster_hidl_hal_test.cpp b/keymaster/4.0/vts/functional/keymaster_hidl_hal_test.cpp
index 0ac7e481ae..c5acf8cc53 100644
--- a/keymaster/4.0/vts/functional/keymaster_hidl_hal_test.cpp
+++ b/keymaster/4.0/vts/functional/keymaster_hidl_hal_test.cpp
@@ -4412,6 +4412,35 @@ TEST_F(AttestationTest, EcAttestationRequiresAttestationAppId) {
                         &cert_chain));
 }
 
+/*
+ * AttestationTest.AttestationApplicationIDLengthProperlyEncoded
+ *
+ * Verifies that the Attestation Application ID software enforced tag has a proper length encoding.
+ * Some implementations break strict encoding rules by encoding a length between 127 and 256 in one
+ * byte. Proper DER encoding specifies that for lengths greather than 127, one byte should be used
+ * to specify how many following bytes will be used to encode the length.
+ */
+TEST_F(AttestationTest, AttestationApplicationIDLengthProperlyEncoded) {
+    auto creation_time = std::chrono::system_clock::now();
+    ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
+                                                 .Authorization(TAG_NO_AUTH_REQUIRED)
+                                                 .EcdsaSigningKey(EcCurve::P_256)
+                                                 .Digest(Digest::SHA_2_256)));
+
+    hidl_vec<hidl_vec<uint8_t>> cert_chain;
+    const string app_id(143, 'a');
+    ASSERT_EQ(ErrorCode::OK,
+              AttestKey(AuthorizationSetBuilder()
+                                .Authorization(TAG_ATTESTATION_CHALLENGE, HidlBuf("challenge"))
+                                .Authorization(TAG_ATTESTATION_APPLICATION_ID, HidlBuf(app_id)),
+                        &cert_chain));
+    EXPECT_GE(cert_chain.size(), 2U);
+
+    EXPECT_TRUE(verify_attestation_record("challenge", app_id,                    //
+                                          key_characteristics_.softwareEnforced,  //
+                                          key_characteristics_.hardwareEnforced,  //
+                                          SecLevel(), cert_chain[0], creation_time));
+}
 /*
  * AttestationTest.AesAttestation
  *