diff --git a/security/keymint/aidl/vts/functional/KeyMintAidlTestBase.h b/security/keymint/aidl/vts/functional/KeyMintAidlTestBase.h index c49b303f50..4d31fa4d36 100644 --- a/security/keymint/aidl/vts/functional/KeyMintAidlTestBase.h +++ b/security/keymint/aidl/vts/functional/KeyMintAidlTestBase.h @@ -16,6 +16,7 @@ #pragma once +#include #include #include 
@@ -206,50 +207,58 @@ class KeyMintAidlTestBase : public ::testing::TestWithParam { template std::tuple - CreateTestKeys(TagType tagToTest, ErrorCode expectedReturn) { + CreateTestKeys( + TagType tagToTest, ErrorCode expectedReturn, + std::function tagModifier = + [](AuthorizationSetBuilder*) {}) { /* AES */ KeyData aesKeyData; - ErrorCode errorCode = GenerateKey(AuthorizationSetBuilder() - .AesEncryptionKey(128) - .Authorization(tagToTest) - .BlockMode(BlockMode::ECB) - .Padding(PaddingMode::NONE) - .Authorization(TAG_NO_AUTH_REQUIRED), - &aesKeyData.blob, &aesKeyData.characteristics); + AuthorizationSetBuilder aesBuilder = AuthorizationSetBuilder() + .AesEncryptionKey(128) + .Authorization(tagToTest) + .BlockMode(BlockMode::ECB) + .Padding(PaddingMode::NONE) + .Authorization(TAG_NO_AUTH_REQUIRED); + tagModifier(&aesBuilder); + ErrorCode errorCode = + GenerateKey(aesBuilder, &aesKeyData.blob, &aesKeyData.characteristics); EXPECT_EQ(expectedReturn, errorCode); /* HMAC */ KeyData hmacKeyData; - errorCode = GenerateKey(AuthorizationSetBuilder() - .HmacKey(128) - .Authorization(tagToTest) - .Digest(Digest::SHA_2_256) - .Authorization(TAG_MIN_MAC_LENGTH, 128) - .Authorization(TAG_NO_AUTH_REQUIRED), - &hmacKeyData.blob, &hmacKeyData.characteristics); + AuthorizationSetBuilder hmacBuilder = AuthorizationSetBuilder() + .HmacKey(128) + .Authorization(tagToTest) + .Digest(Digest::SHA_2_256) + .Authorization(TAG_MIN_MAC_LENGTH, 128) + .Authorization(TAG_NO_AUTH_REQUIRED); + tagModifier(&hmacBuilder); + errorCode = GenerateKey(hmacBuilder, &hmacKeyData.blob, &hmacKeyData.characteristics); EXPECT_EQ(expectedReturn, errorCode); /* RSA */ KeyData rsaKeyData; - errorCode = GenerateKey(AuthorizationSetBuilder() - .RsaSigningKey(2048, 65537) - .Authorization(tagToTest) - .Digest(Digest::NONE) - .Padding(PaddingMode::NONE) - .Authorization(TAG_NO_AUTH_REQUIRED) - .SetDefaultValidity(), - &rsaKeyData.blob, &rsaKeyData.characteristics); + AuthorizationSetBuilder rsaBuilder = 
AuthorizationSetBuilder() + .RsaSigningKey(2048, 65537) + .Authorization(tagToTest) + .Digest(Digest::NONE) + .Padding(PaddingMode::NONE) + .Authorization(TAG_NO_AUTH_REQUIRED) + .SetDefaultValidity(); + tagModifier(&rsaBuilder); + errorCode = GenerateKey(rsaBuilder, &rsaKeyData.blob, &rsaKeyData.characteristics); EXPECT_EQ(expectedReturn, errorCode); /* ECDSA */ KeyData ecdsaKeyData; - errorCode = GenerateKey(AuthorizationSetBuilder() - .EcdsaSigningKey(256) - .Authorization(tagToTest) - .Digest(Digest::SHA_2_256) - .Authorization(TAG_NO_AUTH_REQUIRED) - .SetDefaultValidity(), - &ecdsaKeyData.blob, &ecdsaKeyData.characteristics); + AuthorizationSetBuilder ecdsaBuilder = AuthorizationSetBuilder() + .EcdsaSigningKey(256) + .Authorization(tagToTest) + .Digest(Digest::SHA_2_256) + .Authorization(TAG_NO_AUTH_REQUIRED) + .SetDefaultValidity(); + tagModifier(&ecdsaBuilder); + errorCode = GenerateKey(ecdsaBuilder, &ecdsaKeyData.blob, &ecdsaKeyData.characteristics); EXPECT_EQ(expectedReturn, errorCode); return {aesKeyData, hmacKeyData, rsaKeyData, ecdsaKeyData}; } diff --git a/security/keymint/aidl/vts/functional/KeyMintTest.cpp b/security/keymint/aidl/vts/functional/KeyMintTest.cpp index 5dcfcaaa63..295be1a48d 100644 --- a/security/keymint/aidl/vts/functional/KeyMintTest.cpp +++ b/security/keymint/aidl/vts/functional/KeyMintTest.cpp @@ -6355,6 +6355,11 @@ TEST_P(EarlyBootKeyTest, CreateEarlyBootKeys) { auto [aesKeyData, hmacKeyData, rsaKeyData, ecdsaKeyData] = CreateTestKeys(TAG_EARLY_BOOT_ONLY, ErrorCode::OK); + for (const auto& keyData : {aesKeyData, hmacKeyData, rsaKeyData, ecdsaKeyData}) { + ASSERT_GT(keyData.blob.size(), 0U); + AuthorizationSet crypto_params = SecLevelAuthorizations(keyData.characteristics); + EXPECT_TRUE(crypto_params.Contains(TAG_EARLY_BOOT_ONLY)) << crypto_params; + } CheckedDeleteKey(&aesKeyData.blob); CheckedDeleteKey(&hmacKeyData.blob); CheckedDeleteKey(&rsaKeyData.blob); 
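Review bot: The new `tagModifier` parameter of CreateTestKeys has no comment describing its contract, which is not obvious from the signature. It is invoked once for each of the AES, HMAC, RSA and ECDSA builders, and only after the default authorizations (including `tagToTest`) are already set, so a caller cannot limit a tag to the asymmetric keys. I would add above the function `// tagModifier is applied to each of the four builders after the default tags are set; use it only for tags valid on every key type.` Taking the `std::function` by const reference would also avoid copying the callable, though that is minor in test code.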
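Review bot: `ASSERT_GT(keyData.blob.size(), 0U)` inside the new loop is fatal, so one empty blob returns from the test before the `CheckedDeleteKey` calls that follow, and the keys that were generated are never deleted. Using `EXPECT_GT(keyData.blob.size(), 0U);` keeps the failure visible while still letting the cleanup run. The same loop is copied into CreateAttestedEarlyBootKey in the next hunk and has the same problem; a small shared helper would fix both in one place. The TEST_P body starts and ends outside this hunk.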
@@ -6362,7 +6367,30 @@ TEST_P(EarlyBootKeyTest, CreateEarlyBootKeys) { } /* - * EarlyBootKeyTest.UsetEarlyBootKeyFailure + * EarlyBootKeyTest.CreateAttestedEarlyBootKey + * + * Verifies that creating an early boot key with attestation succeeds. + */ +TEST_P(EarlyBootKeyTest, CreateAttestedEarlyBootKey) { + auto [aesKeyData, hmacKeyData, rsaKeyData, ecdsaKeyData] = CreateTestKeys( + TAG_EARLY_BOOT_ONLY, ErrorCode::OK, [](AuthorizationSetBuilder* builder) { + builder->AttestationChallenge("challenge"); + builder->AttestationApplicationId("app_id"); + }); + + for (const auto& keyData : {aesKeyData, hmacKeyData, rsaKeyData, ecdsaKeyData}) { + ASSERT_GT(keyData.blob.size(), 0U); + AuthorizationSet crypto_params = SecLevelAuthorizations(keyData.characteristics); + EXPECT_TRUE(crypto_params.Contains(TAG_EARLY_BOOT_ONLY)) << crypto_params; + } + CheckedDeleteKey(&aesKeyData.blob); + CheckedDeleteKey(&hmacKeyData.blob); + CheckedDeleteKey(&rsaKeyData.blob); + CheckedDeleteKey(&ecdsaKeyData.blob); +} + +/* + * EarlyBootKeyTest.UseEarlyBootKeyFailure * * Verifies that using early boot keys at a later stage fails. */
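Review bot: CreateAttestedEarlyBootKey asserts exactly what CreateEarlyBootKeys asserts (non-empty blob, `TAG_EARLY_BOOT_ONLY` present), so it would still pass on an implementation that accepts the request and silently drops the attestation challenge. Nothing in the visible lines inspects an attestation certificate. Because the modifier runs for all four key types, the AES and HMAC keys also get `AttestationChallenge`/`AttestationApplicationId`, where as far as I know KeyMint has nothing to attest. If the certificate chain is not reachable through this helper, the header comment should say so, e.g. `* Verifies that key generation with attestation parameters succeeds for early boot keys; the attestation certificate itself is not checked.`; otherwise add a check on the chains returned for the RSA and ECDSA keys.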