From b17178a1a4a67340c1529f77d3983ac2185edb63 Mon Sep 17 00:00:00 2001
From: Janis Danisevskis
Date: Thu, 27 Jul 2017 15:41:50 -0700
Subject: [PATCH] Fix wrong origin assumption for wrapped KM0 hals
KM0 supports only asymmetric encryption. And for those we cannot distinguish between imported and generated keys. This patch adds correct handling for KM0 origin tags.
Test: run vts test with wrapped km0 module from system/security/softkeymaster
Bug: 67358942
Bug: 67363396
Test: VtsHalKeymasterV3_0TargetTest
Change-Id: I7f5ddd21dde284dbfbd68b3b83fb75c1457dbd59
---
 .../functional/keymaster_hidl_hal_test.cpp | 29 +++++++++++++------
 1 file changed, 20 insertions(+), 9 deletions(-)
diff --git a/keymaster/3.0/vts/functional/keymaster_hidl_hal_test.cpp b/keymaster/3.0/vts/functional/keymaster_hidl_hal_test.cpp
index 02e238adf5..7948015548 100644
--- a/keymaster/3.0/vts/functional/keymaster_hidl_hal_test.cpp
+++ b/keymaster/3.0/vts/functional/keymaster_hidl_hal_test.cpp
@@ -898,13 +898,20 @@ class KeymasterHidlTest : public ::testing::VtsHalHidlTargetTestBase {
 }
 }
- void CheckOrigin() {
+ void CheckOrigin(bool asymmetric = false) {
 SCOPED_TRACE("CheckOrigin");
 if (is_secure_ && supports_symmetric_) {
 EXPECT_TRUE(
 contains(key_characteristics_.teeEnforced, TAG_ORIGIN, KeyOrigin::IMPORTED));
 } else if (is_secure_) {
- EXPECT_TRUE(contains(key_characteristics_.teeEnforced, TAG_ORIGIN, KeyOrigin::UNKNOWN));
+ // wrapped KM0
+ if (asymmetric) {
+ EXPECT_TRUE(
+ contains(key_characteristics_.teeEnforced, TAG_ORIGIN, KeyOrigin::UNKNOWN));
+ } else {
+ EXPECT_TRUE(contains(key_characteristics_.softwareEnforced, TAG_ORIGIN,
+ KeyOrigin::IMPORTED));
+ }
 } else {
 EXPECT_TRUE(
 contains(key_characteristics_.softwareEnforced, TAG_ORIGIN, KeyOrigin::IMPORTED));
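Review bot: In the new wrapped-KM0 branch of CheckOrigin, the symmetric arm only asserts that `softwareEnforced` carries `TAG_ORIGIN` with `KeyOrigin::IMPORTED`; nothing asserts that `teeEnforced` makes no such claim for the same key. A wrapper that listed the origin in both sets would still pass, and anything that reads `teeEnforced` as the hardware-backed list would then see a stronger statement than a key that is presumably handled in software can support. I would add `EXPECT_FALSE(contains(key_characteristics_.teeEnforced, TAG_ORIGIN, KeyOrigin::IMPORTED));` next to the new `softwareEnforced` check. The closing braces of CheckOrigin lie outside the hunk.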
@@ -1059,13 +1066,17 @@ TEST_F(KeymasterVersionTest, SensibleFeatures) {
 class NewKeyGenerationTest : public KeymasterHidlTest {
 protected:
- void CheckBaseParams(const KeyCharacteristics& keyCharacteristics) {
+ void CheckBaseParams(const KeyCharacteristics& keyCharacteristics, bool asymmetric = false) {
 // TODO(swillden): Distinguish which params should be in which auth list.
 AuthorizationSet auths(keyCharacteristics.teeEnforced);
 auths.push_back(AuthorizationSet(keyCharacteristics.softwareEnforced));
- EXPECT_TRUE(auths.Contains(TAG_ORIGIN, KeyOrigin::GENERATED));
+ if (!SupportsSymmetric() && asymmetric) {
+ EXPECT_TRUE(auths.Contains(TAG_ORIGIN, KeyOrigin::UNKNOWN));
+ } else {
+ EXPECT_TRUE(auths.Contains(TAG_ORIGIN, KeyOrigin::GENERATED));
+ }
 EXPECT_TRUE(auths.Contains(TAG_PURPOSE, KeyPurpose::SIGN));
 EXPECT_TRUE(auths.Contains(TAG_PURPOSE, KeyPurpose::VERIFY));
@@ -1114,7 +1125,7 @@ TEST_F(NewKeyGenerationTest, Rsa) {
 &key_blob, &key_characteristics));
 ASSERT_GT(key_blob.size(), 0U);
- CheckBaseParams(key_characteristics);
+ CheckBaseParams(key_characteristics, true /* asymmetric */);
 AuthorizationSet crypto_params;
 if (IsSecure()) {
@@ -1160,7 +1171,7 @@ TEST_F(NewKeyGenerationTest, Ecdsa) {
 .Authorizations(UserAuths()), &key_blob, &key_characteristics));
 ASSERT_GT(key_blob.size(), 0U);
- CheckBaseParams(key_characteristics);
+ CheckBaseParams(key_characteristics, true /* asymmetric */);
 AuthorizationSet crypto_params;
 if (IsSecure()) {
@@ -2359,7 +2370,7 @@ TEST_F(ImportKeyTest, RsaSuccess) {
 CheckKm0CryptoParam(TAG_RSA_PUBLIC_EXPONENT, 65537U);
 CheckKm1CryptoParam(TAG_DIGEST, Digest::SHA_2_256);
 CheckKm1CryptoParam(TAG_PADDING, PaddingMode::RSA_PSS);
- CheckOrigin();
+ CheckOrigin(true /* asymmetric */);
 string message(1024 / 8, 'a');
 auto params = AuthorizationSetBuilder().Digest(Digest::SHA_2_256).Padding(PaddingMode::RSA_PSS);
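Review bot: The relaxed origin check in CheckBaseParams is gated on `!SupportsSymmetric() && asymmetric` alone, whereas CheckOrigin in the same file treats a wrapped KM0 as secure and lacking symmetric support (`is_secure_` with `supports_symmetric_` false). As written, an implementation that is not secure but reports no symmetric support would also be allowed to return `KeyOrigin::UNKNOWN` for a freshly generated key instead of `GENERATED`. Tightening the condition to `if (IsSecure() && !SupportsSymmetric() && asymmetric) {` keeps the exception limited to the case the commit message describes. Because `auths` merges both lists, the check also cannot tell which list reported UNKNOWN; the existing TODO already notes that gap. CheckBaseParams continues past the end of the hunk.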
@@ -2415,7 +2426,7 @@ TEST_F(ImportKeyTest, EcdsaSuccess) {
 CheckKm1CryptoParam(TAG_DIGEST, Digest::SHA_2_256);
 CheckKm2CryptoParam(TAG_EC_CURVE, EcCurve::P_256);
- CheckOrigin();
+ CheckOrigin(true /* asymmetric */);
 string message(32, 'a');
 auto params = AuthorizationSetBuilder().Digest(Digest::SHA_2_256);
@@ -2441,7 +2452,7 @@ TEST_F(ImportKeyTest, Ecdsa521Success) {
 CheckKm1CryptoParam(TAG_DIGEST, Digest::SHA_2_256);
 CheckKm2CryptoParam(TAG_EC_CURVE, EcCurve::P_521);
- CheckOrigin();
+ CheckOrigin(true /* asymmetric */);
 string message(32, 'a');
 auto params = AuthorizationSetBuilder().Digest(Digest::SHA_2_256);