From 126869a0097a4d87f9f7f5d514da7ee8f973e85c Mon Sep 17 00:00:00 2001 From: Max Bires Date: Sun, 21 Feb 2021 18:32:59 -0800 Subject: [PATCH] Fixing VTS tests after IKeyMint breakage This CL re-enables the IRemotelyProvisionedComponent VTS tests after updating the IRemotelyProvisionedComponent HAL to generate keys with PURPOSE_ATTEST_KEY instead of PURPOSE_ATTEST_SIGN to match the new PURPOSE_* functionality in KeyMint. Test: atest VtsHalRemotelyProvisionedComponentTargetTest Change-Id: I70c7918b460898d31e343c060ac07986271148a9 --- .../default/RemotelyProvisionedComponent.cpp | 5 +++-- .../VtsRemotelyProvisionedComponentTests.cpp | 16 ++++++++-------- 2 files changed, 11 insertions(+), 10 deletions(-) diff --git a/security/keymint/aidl/default/RemotelyProvisionedComponent.cpp b/security/keymint/aidl/default/RemotelyProvisionedComponent.cpp index f2651fbce7..2373b2682b 100644 --- a/security/keymint/aidl/default/RemotelyProvisionedComponent.cpp +++ b/security/keymint/aidl/default/RemotelyProvisionedComponent.cpp @@ -259,8 +259,9 @@ cppbor::Array buildCertReqRecipients(const bytevec& pubkey, const bytevec& kid) } static keymaster_key_param_t kKeyMintEcdsaP256Params[] = { - Authorization(TAG_PURPOSE, KM_PURPOSE_SIGN), Authorization(TAG_ALGORITHM, KM_ALGORITHM_EC), - Authorization(TAG_KEY_SIZE, 256), Authorization(TAG_DIGEST, KM_DIGEST_SHA_2_256), + Authorization(TAG_PURPOSE, KM_PURPOSE_ATTEST_KEY), + Authorization(TAG_ALGORITHM, KM_ALGORITHM_EC), Authorization(TAG_KEY_SIZE, 256), + Authorization(TAG_DIGEST, KM_DIGEST_SHA_2_256), Authorization(TAG_EC_CURVE, KM_EC_CURVE_P_256), Authorization(TAG_NO_AUTH_REQUIRED), // The certificate generated by KM will be discarded, these values don't matter. Authorization(TAG_CERTIFICATE_NOT_BEFORE, 0), Authorization(TAG_CERTIFICATE_NOT_AFTER, 0)}; diff --git a/security/keymint/aidl/vts/functional/VtsRemotelyProvisionedComponentTests.cpp b/security/keymint/aidl/vts/functional/VtsRemotelyProvisionedComponentTests.cpp index 45f9df6307..db53a8f8fa 100644 --- a/security/keymint/aidl/vts/functional/VtsRemotelyProvisionedComponentTests.cpp +++ b/security/keymint/aidl/vts/functional/VtsRemotelyProvisionedComponentTests.cpp @@ -80,7 +80,7 @@ INSTANTIATE_REM_PROV_AIDL_TEST(GenerateKeyTests); /** * Generate and validate a production-mode key. MAC tag can't be verified. */ -TEST_P(GenerateKeyTests, DISABLED_generateEcdsaP256Key_prodMode) { +TEST_P(GenerateKeyTests, generateEcdsaP256Key_prodMode) { MacedPublicKey macedPubKey; bytevec privateKeyBlob; bool testMode = false; @@ -133,7 +133,7 @@ TEST_P(GenerateKeyTests, DISABLED_generateEcdsaP256Key_prodMode) { /** * Generate and validate a test-mode key. */ -TEST_P(GenerateKeyTests, DISABLED_generateEcdsaP256Key_testMode) { +TEST_P(GenerateKeyTests, generateEcdsaP256Key_testMode) { MacedPublicKey macedPubKey; bytevec privateKeyBlob; bool testMode = true; @@ -224,7 +224,7 @@ class CertificateRequestTest : public VtsRemotelyProvisionedComponentTests { * Generate an empty certificate request in test mode, and decrypt and verify the structure and * content. */ -TEST_P(CertificateRequestTest, DISABLED_EmptyRequest_testMode) { +TEST_P(CertificateRequestTest, EmptyRequest_testMode) { bool testMode = true; bytevec keysToSignMac; ProtectedData protectedData; @@ -294,7 +294,7 @@ TEST_P(CertificateRequestTest, DISABLED_EmptyRequest_testMode) { * TODO(swillden): Get a valid GEEK and use it so the generation can succeed, though we won't be * able to decrypt. */ -TEST_P(CertificateRequestTest, DISABLED_EmptyRequest_prodMode) { +TEST_P(CertificateRequestTest, EmptyRequest_prodMode) { bool testMode = false; bytevec keysToSignMac; ProtectedData protectedData; @@ -309,7 +309,7 @@ TEST_P(CertificateRequestTest, DISABLED_EmptyRequest_prodMode) { /** * Generate a non-empty certificate request in test mode. Decrypt, parse and validate the contents. */ -TEST_P(CertificateRequestTest, DISABLED_NonEmptyRequest_testMode) { +TEST_P(CertificateRequestTest, NonEmptyRequest_testMode) { bool testMode = true; generateKeys(testMode, 4 /* numKeys */); @@ -379,7 +379,7 @@ TEST_P(CertificateRequestTest, DISABLED_NonEmptyRequest_testMode) { * TODO(swillden): Get a valid GEEK and use it so the generation can succeed, though we won't be * able to decrypt. */ -TEST_P(CertificateRequestTest, DISABLED_NonEmptyRequest_prodMode) { +TEST_P(CertificateRequestTest, NonEmptyRequest_prodMode) { bool testMode = false; generateKeys(testMode, 4 /* numKeys */); @@ -396,7 +396,7 @@ TEST_P(CertificateRequestTest, DISABLED_NonEmptyRequest_prodMode) { * Generate a non-empty certificate request in test mode, with prod keys. Must fail with * STATUS_PRODUCTION_KEY_IN_TEST_REQUEST. */ -TEST_P(CertificateRequestTest, DISABLED_NonEmptyRequest_prodKeyInTestCert) { +TEST_P(CertificateRequestTest, NonEmptyRequest_prodKeyInTestCert) { generateKeys(false /* testMode */, 2 /* numKeys */); bytevec keysToSignMac; @@ -414,7 +414,7 @@ TEST_P(CertificateRequestTest, DISABLED_NonEmptyRequest_prodKeyInTestCert) { * Generate a non-empty certificate request in prod mode, with test keys. Must fail with * STATUS_TEST_KEY_IN_PRODUCTION_REQUEST. */ -TEST_P(CertificateRequestTest, DISABLED_NonEmptyRequest_testKeyInProdCert) { +TEST_P(CertificateRequestTest, NonEmptyRequest_testKeyInProdCert) { generateKeys(true /* testMode */, 2 /* numKeys */); bytevec keysToSignMac;