It's not enough to verify that the system is running KeyMint 2+. We
also need to verify that the vendor partition has RKP support.
Since VSR 13+ requires KeyMint 2+, change the test assumption so that
we don't run the test against systems that may have shipped with an
older VSR chipset (which won't support RKP).
Bug: 263844771
Test: VtsAidlKeyMintTargetTest (on old and new device)
Change-Id: Iac15f69db1152851f5a92d3929cb258b1b1a6b02
Alternet device properties used for attestation on AOSP and GSI builds.
Attestation ids were different in AOSP/GSI builds than provisioned ids
in keymint. Hence additional properties used to make these ids identical
to provisioned ids.
Bug: 110779648
Bug: 259376922
Test: atest VtsAidlKeyMintTargetTest:PerInstance/NewKeyGenerationTest#EcdsaAttestationIdTags/0_android_hardware_security_keymint_IKeyMintDevice_default
Test: atest VtsAidlKeyMintTargetTest:PerInstance/NewKeyGenerationTest#EcdsaAttestationIdTags/1_android_hardware_security_keymint_IKeyMintDevice_strongbox
Test: atest CtsKeystoreTestCases:android.keystore.cts.KeyAttestationTest CtsKeystoreTestCases:DeviceOwnerKeyManagementTest
Change-Id: I4bb2e2ebba617972e29ad86ea477eb9b6f35d21a
This integration was technically a requirement on keymint v2, but we
weren't enforcing it with a test. So realistically we are only able
to start enforcing the test with keymint v3.
Test: atest VtsAidlKeyMintTargetTest
Change-Id: Ia4feb8ce4b7fd1e47a5c6c9b06ddb12276a9c5ee
The key validity can be ignored when generatKey on Android-12 (S).
Bug: 257445538
Test: Pass on S builds
Change-Id: Iafd8d080f324c7d8d6affbb9d28d4f265f13e2ab
"ImportWrappedKeyTest.WrongDigest" tried to wrap a keyBlob by one digest
type and unwrap it by another digest type.
It's been OK for KeyMint implementations to allow unsupported
parameters/characteristics at key generation time, and only police their
use, at begin() time. However if an implementation wants to secure it at
the key generation/importing time the first digest type must be
supported by all implementation.
Bug: 249276913
Test: VtsAidlKeyMintTargetTest
Change-Id: I6bc000026e9e4aec0aa82078a98c75e2d7c56847
Test size requirements for symmetric (Stream and Block) ciphers.
These tests are similar to CTS tests of symmetric ciphers.
For reference CTS test BlockCipherTestBase#testKatEncryptOneByteAtATime
for all its derived classes eg. AES128CBCNoPaddingCipherTest,
AES128CBCPKCS7PaddingCipherTest etc.
Bug: 226899425
Test: run vts -m VtsAidlKeyMintTargetTest
Change-Id: I78408071fbf5a360d89c5bbae479faffd7c6d935
KeyMint supports the specification of a separate MGF digest when
performing RSA-OAEP decryption, with a default value of SHA-1.
Test the expected behaviour here:
- SHA-1 is used if nothing specified in key characteristics.
- If something is specified in key characteristics, the operation
parameter value has to be one of those values.
Bug: 203688354
Test: VtsAidlKeyMintTargetTest
Change-Id: Ic2dd3641be732a273724faa20cf4edf8a1752506
Check if the zero input data with AES-CBC-[NONE|PKCS7] padding mode
generates correct output data and length.
Bug: 200553873
Test: VtsHalKeymasterV4_0TargetTest, VtsAidlKeyMintTargetTest
Merged-In: I729c2bad65e9d8b194422032346e5ee3c4b0dce5
Change-Id: I729c2bad65e9d8b194422032346e5ee3c4b0dce5
The data for a key agreement operation should always send in the
SubjectPublicKeyInfo structure, not a raw key for X25519.
Test: VtsAidlKeyMintTargetTest
Bug: 231959070
Change-Id: Ib5157da6a986d957162fab60dbe927017cfdd703
The AesEcbPkcs7PaddingCorrupted test has been incorrect since it was
originally introduced -- it was feeding the original message as input to
the decryption operation, rather than the corrupted ciphertext. As a
result, the expected error code was also wrong -- INVALID_INPUT_LENGTH
is appropriate for a too-short cipher text (length 1 in this case),
whereas a corrupt-but-correct-length cipher text should give
INVALID_ARGUMENT.
Fix the test, and add a separate test to cover what was inadvertently
being tested before. Add a sentence to the HAL spec to describe what
expected and tested by CTS/VTS.
Bug: 194126736
Test: VtsAidlKeyMintTargetTest, VtsHalKeymasterV4_0TargetTest
Change-Id: Iaa5e42768814197f373797831093cf344d342b77
Added new VTS EcdsaMissingCurve to test if EC_CURVE not specified while
generating new EC Key, keyGeneration should fail.
Bug: 225135360
Test: run vts -m VtsAidlKeyMintTargetTest
Change-Id: I32bbba05ed5203690292f7150d14f9644c4be6df
Updated VTS testcases where Device IDs Attestation expected as optional
and made it mandatory if KeyMint version >= 2 or device first shipped
with api_level 33.
Bug: 221190197
Test: run vts -m VtsAidlKeyMintTargetTest
Change-Id: I8870a9301d36abdc4fa6585b9f8d62cc1cfd3d96
A VTS testcase is added to validate Asymmetric key generation fails if TAG_CERTIFICATE_NOT_(BEFORE/AFTER) is missing.
Also updated DeviceUniqueAttestationTest to set validity in
AuthorizationSetBuilder using .SetDefaultValidity().
Bug: 205679495
Test: run vts -m VtsAidlKeyMintTargetTest
Change-Id: Ibf63a6c8e173326502c7bf1b8f3af8666ecb1caf
Ed25519 signing operations require the secure world to accumulate the
entirety of the message; consequently, impose a limit on message size
for this operation.
Bug: 194358913
Test: VtsAidlKeyMintTargetTest
Change-Id: Ibfb6a54c1d546b5b4e51f42795d2bb4660add772
Various block cipher testing fixups. Some of these changes reflect edge
cases I encountered when running local GSC builds.
Change:
* Extend ciphertext lengths.
* Add SCOPED_TRACE() within for loops.
* Use '\t' instead of 'a' for PKCS7 padding.
Test: CTS/VTS
Signed-off-by: Brian J Murray <brianjmurray@google.com>
Change-Id: I4555519787e0133367ad3f40609d43a7bc71c36e
- Add CURVE_25519 as a supported curve for EC operations.
- Add a helper that checks whether the HAL is of a version that is
expected to support curve 25519, and skip relevant tests if not.
- Ed25519 support
- Update KeyMintAidlTestBase::LocalVerifyMessage to cope with a public
key of type EVP_PKEY_ED25519.
- Add a test key pair generated with openssl command line.
- Key generation test
- Key import test for raw format
- Key import test for PKCS#8 format
- Key import failures tests
- Signature test
- Check that purposes cannot be combined (Ed25519 != X25519)
- Check that Ed25519 key can be attested to
- Implicitly check that an Ed25519 key can be used for attestation
(as it is in ValidCurves())
- Force Digest::NONE for Ed25519 throughout.
- X25519 support
- Add a test key pair generated with openssl command line.
- Key generation test
- Key import test for raw format
- Key import test for PKCS#8 format
- Key import failures tests
- Key agreement test, including...
- Refactoring of existing key agreement test for re-use
- Update key agreement checks to cope with a public key of type
EVP_PLEY_X25519.
- Key agreement test using imported key
- Check that purposes cannot be combined (Ed25519 != X25519)
Bug: 194358913
Test: VtsAidlKeyMintTargetTest
Change-Id: Ifa0f95fdfba4387843c8e821c2ca977da0488fa6
For the time being, allow the version number in the attestation record
to be 100 even if the AIDL version is 2, so that implementations don't
have to update both versions simultaneously.
Bug: 194358913
Test: TreeHugger, VtsAidlKeyMintTargetTest
Change-Id: I9aae69327a62014e286ce30ca2a4d91c4c280714
Revert "Bump keystore2 AIDL API version 1->2"
Revert "Advertise support of KeyMint V2"
Revert submission 1900930-version-bump
Reason for revert: Broken build on sc-qpr1-dev-plus-aosp, b/210450339
Reverted Changes:
I42a9b854f:keystore2: cope with new curve25519 enum
I167d568d6:Bump keystore2 AIDL API version 1->2
I3a16d072e:Advertise support of KeyMint V2
Ibf2325329:KeyMint HAL: add curve 25519, bump version
Change-Id: I78d4b07c41aa6bfeb367b56a58deeac6adb6ec46
Marked as required for TRUSTED_ENVIRONMENT impls but not STRONGBOX.
Bump keymint HAL version 1->2 in defaults and in current compatibility
matrix.
Bug: 194358913
Test: build
Change-Id: Ibf2325329f0656a2d1fc416c2f9a74d505d0bf20
A VTS test case to verify HMAC signature verification fails if data or
signature is currupted.
Bug: 209452930
Test: run vts -m VtsAidlKeyMintTargetTest
Change-Id: I2177fd99cfab4ef4a347d50461db0d2e3ad8c612
