This updates the test: supportsValidCurve, for IRPC implementations
that supports only V3+.
Bug: 239476788
Test: atest VtsRemotelyProvisionedComponentTests with IRPC V3
implementation
Change-Id: Ic0f1223b30e31dc537155e19e800b3001ce0fc01
- STATUS_TEST_KEY_IN_PRODUCTION_REQUEST is still required for V3
- PubKeyEcdhP256 & PubKeyX25519 are unused in V3
- SignedDataSigStruct and DiceChainEntryInput should be an cbor array
when being the input of PureEd25519/ECDSA
Bug: 243454124
Test: VtsHalRemotelyProvisionedComponentTargetTest
Change-Id: Ice400bb15413eac164f2630cc2fbb66e6d3624b1
It's not enough to verify that the system is running KeyMint 2+. We
also need to verify that the vendor partition has RKP support.
Since VSR 13+ requires KeyMint 2+, change the test assumption so that
we don't run the test against systems that may have shipped with an
older VSR chipset (which won't support RKP).
Bug: 263844771
Test: VtsAidlKeyMintTargetTest (on old and new device)
Change-Id: Iac15f69db1152851f5a92d3929cb258b1b1a6b02
Check the VSR API level for the device under test and ensure that the
appropriate HAL version for the IRemotelyProvisionedComponent interface
is present. E.g. a VSR 13 chipset should have IRPC v2 or newer.
Bug: 251185719
Test: atest VtsHalRemotelyProvisionedComponentTargetTest
Change-Id: I136cac27953d1d5acaa45510ad9efec2a75d8038
This integration was technically a requirement on keymint v2, but we
weren't enforcing it with a test. So realistically we are only able
to start enforcing the test with keymint v3.
Test: atest VtsAidlKeyMintTargetTest
Change-Id: Ia4feb8ce4b7fd1e47a5c6c9b06ddb12276a9c5ee
Now that the RKP HAL AIDL has been moved to it's own directory, we
should keep the tests with the AIDL.
Test: atest VtsAidlKeyMintTargetTest
Test: atest VtsHalRemotelyProvisionedComponentTargetTest
Change-Id: Ia87d3ea0a1b9e6704f0dea8f98b0bbaa049472fe
As we've updated the KeyMint version to 3, update the default feature
version to 300. That allows external developers to tell which KeyMint
version is running on the device.
Bug: 244732345
Test: atest android.keystore.cts.DeviceOwnerKeyManagementTest
Change-Id: I9b333eeb77a62a79e8e664d40b5564767643aa3d
This add a cpp default so that the latest cpp code can be
used across the codebase. When this is changed we dont
need to bump versions across multiple files and can just
change it in this one file.
Test: Run and tested using `atest keystore2_test` for Rust test and CTS test with `atest CtsKeystoreTestCases`
Bug: 244730020
Change-Id: Ifae1c5f2403210c2dec1bc337553fbbde73ed4c8
Specifically, we want IRPC v3 to be able to serve old v2 clients. This
way we can ship parts IRPC v3 stack incrementally.
To that end, allow IRPC v3 to implement v2 behavior of
generateCertificateRequest and testMode.
Bug: 260920864
Test: atest VtsHalRemotelyProvisionedComponentTargetTest
Change-Id: I9e47697bd948c8fd6b82147165d0c67bdef9fbd3
Previous versions of VTS had to allow a Device ID attestation failure
to return INVALID_TAG even though this is inconsistent with the KeyMint
spec. This was due to previous KM implementations returning this before
the test was added to validate the precise error code being returned
from Device ID attestation.
For VSR-14 and newer devices, the test will now enforce that only
CANNOT_ATTEST_IDS is returned from a failed device ID attestation call.
Test: atest VtsAidlKeyMintTargetTest
Change-Id: I6acff3fd32f3f251f946e3603283535f36d99a5d
This change clarifies some more items that have changed between v2 and
v3 of the IRPC spec, along with fixing and clarifying some more
messaging in the .aidl documentation.
Test: Someone else can intelligibly read what was written
Change-Id: Ia9fa1595a72c818f93ce6fb31ea38c97d997488b
Update the comment describing the attestation record:
* KeyMint version bump to V3
* Inclusion of the 2nd IMEI.
Bug: 244732345
Test: That it builds
Change-Id: I19f89bc9936b747647dc690d4702c60d2bbe92c5
Rationale here is that many IRPC implementations are memory constrained.
We add a way for implementations to report the maximum number of
supported keys. This way we can guarantee consistent behavior across
different devices.
For implementation of IRPC version 3 and later we define the lowest
number of keys supported to be 20. This specific value was chosen
because the current implementation of RemoteProvisioner already combines
keys into batches of exactly 20.
Bug: 254137722
Test: atest VtsHalRemotelyProvisionedComponentTargetTest
Change-Id: Ib6fb6d6ec7c74004524a5505a37aa82c9e44ef91
The key validity can be ignored when generatKey on Android-12 (S).
Bug: 257445538
Test: Pass on S builds
Change-Id: Iafd8d080f324c7d8d6affbb9d28d4f265f13e2ab
Conform to the latest CDDL changes. Organize parsing to observe the
AuthenticatedRequest structure.
Return the deserialized CSR payload rather than the DICE chain keys
because it simplified the return types. The return value is only used
by one VTS test that checks sequential CSRs consist of the same request.
The test was incomplete before and it now only looks as the CSR payload
whereas it previously only look at the DICE chain keys.
Bug: 250910137
Test: atest libkeymint_remote_prov_support_test librkp_factory_extraction_test
Test: atest VtsHalRemotelyProvisionedComponentTargetTest
Change-Id: I1ba2e0cec22e25312fb890923a4c93043e9046cd
Rename from AuthenticatedMessage to AuthenticatedRequest in order to
make the direction of the message clear.
Move the challenge out of the endpoint-specific message and up into the
common authentication wrapper as it is uesd in the authentication
protocol.
Simplify the versioning by having the CSR version continue sequentially,
making the current version 3. Have the AuthenticatedMessage version
start from 1 as it's value isn't used to distinguish v2 and v3 CSRs
anyway and it will avoid confusion with the CSR version which has
already moved beyond this value.
Bug: 250910137
Test: n/a -- comments only
Change-Id: I13836e90fa76b1b22cb6627f3d987828ffeb0adc
Define a KeyMint tag for a second IMEI to be included in the attestation
record.
Also clarify that the IMEI tag is meant to include one, and only one,
IMEI.
Bug: 244732345
Test: android.keystore.cts.DeviceOwnerKeyManagementTest
Merged-In: I70ecbb0245ba2e517e5d0db0cfdce4525846f3e5
Change-Id: I70ecbb0245ba2e517e5d0db0cfdce4525846f3e5
Our old NetBSD regex implementation didn't care, but the current NetBSD
implementation rejects unquoted `{` and `}`s that aren't actually part
of a repetition. glibc shares this behavior.
Interestingly, the new NetBSD code was itself an sync with FreeBSD, so
although macOS right now allows this (as Android did), they may well
switch too.
Anyway, this way of writing the regular expressions is strictly correct,
so regardless of whether or not we can actually land this change to the
regex implementation without causing app compat chaos, we should fix
this test.
Bug: http://b/258469149
Test: treehugger
Change-Id: I85bf5d8f557a4fe5ac5ebeea565892d36da30b55
We are now checking the imports of frozen versions of interfaces and
need mark keystore2 as `frozen: false` so the aidl_interfaces that
import it will import the latest unfrozen version.
Test: hal_implementation_test
Bug: 257338648
Change-Id: Ibcb151abd2fc13e3f7dfbcf515d0f62839d1caf9
Execute only relevant benchmark tests for StrongBox.
Bug: b/229819550
Test: run VtsAidlKeyMintBenchmarkTest in the adb shell
Change-Id: I3bf95dc5d4bcd1da027e09b1bbde7e6173749481
