Evolution-x/hardware_interfaces
1
0
Fork 0
mirror of https://github.com/Evolution-X/hardware_interfaces synced 2026-02-01 16:50:18 +00:00
Code Issues Packages Projects Releases Wiki Activity

Fix overly relaxed Device ID Test.

Browse Source 
Previous versions of VTS had to allow a Device ID attestation failure
to return INVALID_TAG even though this is inconsistent with the KeyMint
spec. This was due to previous KM implementations returning this before
the test was added to validate the precise error code being returned
from Device ID attestation.

For VSR-14 and newer devices, the test will now enforce that only
CANNOT_ATTEST_IDS is returned from a failed device ID attestation call.

Test: atest VtsAidlKeyMintTargetTest
Change-Id: I6acff3fd32f3f251f946e3603283535f36d99a5d
This commit is contained in:
Max Bires
2022-11-21 23:37:54 -08:00
parent 3777e1cb44
commit a97ec69e4b
4 changed files with 13 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
security/keymint/aidl/vts/functional/AttestKeyTest.cpp
View File

@@ -892,6 +892,7 @@ TEST_P(AttestKeyTest, EcdsaAttestationMismatchID) {
ASSERT_TRUE(result == ErrorCode::CANNOT_ATTEST_IDS || result == ErrorCode::INVALID_TAG)
<< "result = " << result;
device_id_attestation_vsr_check(result);
}
CheckedDeleteKey(&attest_key.keyBlob);
}

2
security/keymint/aidl/vts/functional/DeviceUniqueAttestationTest.cpp
View File

@@ -348,8 +348,8 @@ TEST_P(DeviceUniqueAttestationTest, EcdsaDeviceUniqueAttestationMismatchID) {
// Add the tag that doesn't match the local device's real ID.
builder.push_back(invalid_tag);
auto result = GenerateKey(builder, &key_blob, &key_characteristics);
ASSERT_TRUE(result == ErrorCode::CANNOT_ATTEST_IDS || result == ErrorCode::INVALID_TAG);
device_id_attestation_vsr_check(result);
}
}

10
security/keymint/aidl/vts/functional/KeyMintAidlTestBase.cpp
View File

@@ -2031,6 +2031,16 @@ void p256_pub_key(const vector<uint8_t>& coseKeyData, EVP_PKEY_Ptr* signingKey)
*signingKey = std::move(pubKey);
}
void device_id_attestation_vsr_check(const ErrorCode& result) {
if (get_vsr_api_level() >= 34) {
ASSERT_FALSE(result == ErrorCode::INVALID_TAG)
<< "It is a specification violation for INVALID_TAG to be returned due to ID "
<< "mismatch in a Device ID Attestation call. INVALID_TAG is only intended to "
<< "be used for a case where updateAad() is called after update(). As of "
<< "VSR-14, this is now enforced as an error.";
}
}
} // namespace test
} // namespace aidl::android::hardware::security::keymint

1
security/keymint/aidl/vts/functional/KeyMintAidlTestBase.h
View File

@@ -395,6 +395,7 @@ vector<uint8_t> make_name_from_str(const string& name);
void check_maced_pubkey(const MacedPublicKey& macedPubKey, bool testMode,
vector<uint8_t>* payload_value);
void p256_pub_key(const vector<uint8_t>& coseKeyData, EVP_PKEY_Ptr* signingKey);
void device_id_attestation_vsr_check(const ErrorCode& result);
AuthorizationSet HwEnforcedAuthorizations(const vector<KeyCharacteristics>& key_characteristics);
AuthorizationSet SwEnforcedAuthorizations(const vector<KeyCharacteristics>& key_characteristics);