The Done flag of VtsAidlKeyMintTargetTest is false during running
the module with ‘--collect-tests-only’ because it uses standard
output to print logs.
Bug: 340576534
Test: run vts -m VtsAidlKeyMintTargetTest --collect-tests-only
Change-Id: I3d81f7e59b6189fab1b146320263509f2694c11e
Signed-off-by: Huang Rui <rui1.huang@intel.com>
Signed-off-by: Liu Kai <kai1.liu@intel.com>
Add test paths for HALs that are RKP-only so that they may pass tests.
Fix up a few tests that were just being skipped for RKP-only HALs.
Test: ran VTS against cuttlefish with no factory key
Bug: 329409739
Change-Id: I5400874dd2f9885c061970a30ea44985353d23ed
Only applies for devices on VSR API level 35 and above, so that existing
devices which previously passed VTS should not need to pass the new
tests.
Bug: 292534977
Test: VtsAidlKeyMintTargetTest
Change-Id: I8281c3cebf05795e3f9a1ed2b112fc149d8a104c
When dumping attestation certificate chains with the --dump_attestations
option, add a separator between distinct chains to make them easier to
analyze.
Bug: 326564087
Test: VtsAidlKeyMintTargetTest
Change-Id: Ife19edfddef6c8cd26de9f9816c3c9bf65cbb929
2024-02-28 11:32:35 +00:00
Subrahmanya Manikanta Venkateswarlu Bhamidipati Kameswara Sri
Used ASN1_TIME_to_posix API instead of ASN1_TIME_to_time_t
to avoid integer overflow on 32-bit systems.
Bug: 325853206
Test: vts -m VtsAidlKeyMintTarget
Change-Id: I7a01a521d389482a61ad9974b7e40eaa099c3571
KeyMint enforcement of UNLOCKED_DEVICE_REQUIRED is broken, has never
been used, and cannot be fixed. So, document that it does not need to
be implemented. Also remove the VTS test for it, which was disabled.
UNLOCKED_DEVICE_REQUIRED remains supported in Keystore.
Bug: 321100166
Test: Build
Change-Id: If4d47ee49c9d4a595820cfceb0f5f3027f99ee9f
Given that we are not expecting to release a v4 of the KeyMint HAL for
Android V, tweak some spec and test details so that existing v3
implementations do not need to change.
- Soften the requirement to use (1970-01-01, 9999-12-31) as cert dates
when secure-importing an asymmetric to be a suggestion instead.
- Change the version gate for the test of importing an EC key with no
specified `EC_CURVE` to be VSR-gated rather than gated on a putative
future version of the HAL.
Test: VtsAidlKeyMintTargetTest
Bug: 292318194
Bug: 292534977
Change-Id: Ib8d6e79ea948ee77eeb2528d698205179f026fd3
Only police for future versions of KeyMint, so that any existing
implementations that use the full key don't suddenly start to fail
VTS.
Bug: 305103215
Test: VtsAidlKeyMintTargetTest
Change-Id: If6534b84b6eff8cdb281586e17a5f89c7bf5f5d0
Since there were no VTS test to strictly check RSA_OAEP_MGF_DIGEST,
there are released devices with Keymint which do not include this tag in
key characteristics, hence these test fails on such Keymint and UDC
Android framework.
Hence version check is added before asserting MGF digest checks.
Bug: 297306437
Test: atest VtsAidlKeyMintTargetTest
Change-Id: I43054f8dbbd46de53deef5e6771c736e770280e0
Negative test cases should not expect UNKNOWN_ERROR from Keymint since
the exact cause of failure is known.
In general, we should avoid UNKNOWN_ERROR because it makes error
attribution difficult.
To avoid adding retroactive requirements KM implementation, relax the
check to expect any error.
Bug: 298194325
Test: VtsAidlKeyMintTargetTest
Change-Id: I136fb6d36ae92c9e3722ffefe9a067d3515dcbf9
The original change to add this test didn't make it into the Android 13
version of the VTS test, so the version gate needs to be updated to be
v3+
Bug: 292318194
Test: VtsAidlKeyMintTargetTest --gtest_filter="*EcdsaMissingCurve*"
Change-Id: I94bf816688e57c7c04893a23cf0399129de94229
Allow for devices that claim to need external timestamps, but don't.
Test: VtsAidlKeyMintTargetTest
Bug: 300211206
Change-Id: Ie450d9969c337d5274502f3600e14c0b481e8b34
Earlier, attestation properties didn't match on GSI images, hence
EcdsaAttestationIdTags VTS test case was skipped on GSI images.
Recently attestation properties reading priority changed as
ro.product.*_for_attestation -> ro.product.vendor.* -> ro.product.*
that means on GSI images ro.product.vendor.* properties could be used
and hence attestation should work. Incase ro.product.vendor.* properties
are not same as provisioned values to KM. They should be set as
ro.product.*_for_attestation on base build.
Bug: 298586194
Test: atest VtsAidlKeyMintTargetTest:PerInstance/NewKeyGenerationTest#EcdsaAttestationIdTags/0_android_hardware_security_keymint_IKeyMintDevice_default
Change-Id: Ie945bd8f7060e0e768daf9681d121ea5f170a6e1
It turns out we had a bug (b/263844771) in how RKP support was
detected, and that was fixed. However, due to this bug, some S chipests
shipped without RKP support which is now required by the tests.
This change drops the RKP requirement from S chipsets. There should be
no new S chipsets, so this effectively grandfathers in the previous
ones that were skipped by the RKP VTS tests.
T+ tests (both VTS and other suites) will verify that RKP support is
there, so there is no gap introduced by this change.
Bug: 297139913
Test: VtsAidlKeyMintTargetTest
Change-Id: I387e5f058ada698747aac103c1745682291f2d1c
The test case for an auth-per-operation HAT with an invalid HMAC
is wrong -- it is re-using the previous HAT, which fails for a
different reason (has an old challenge).
Fix the test to use the HAT that's wrong in the intended way.
Bug: 297333975
Test: VtsAidlKeyMintTargetTest
Change-Id: I15fe9b0c1b53452df0f67dd44534fdb80a6c2a9c
Update TimeoutAuthenticationMultiSid test to support
generateKey for Strongbox implementations without
factory attestation.
Bug: 293211157
Test: run vts -m VtsAidlKeyMintTarget
Change-Id: I27bf08d2fd2d9e0217a90ee8ccb789adfd9d5f7f
The invalid value used for the second IMEI attestation test is
potentially wrong in two ways:
- It doesn't match the provisioned value.
- It's not a valid IMEI, not least because it is longer than 16 bytes.
Make the test value shorter so the second failure doesn't apply and
the test can reliably expect CANNOT_ATTEST_IDS.
Bug: 292959871
Test: VtsAidlKeyMintTargetTest
Change-Id: If8c6b9e08b48e6caf5c767578e1ac43964214619
continuing the execution of the test.
If generateKey fails and execution continues then it leads to issues
while verifying the attest records and causing the crash.
Test: atest VtsAidlKeyMintTargetTest
Bug: 292300030
Change-Id: I66bd650423e9e5bbbfe8411a1455c4ea5846f1ff
Some of the SE Javacard OS implementations does not fulfill all of the
expectations as to when cipher text is to be generated. However, the
implementations are compliant with Javacard Specifications. This patch
skips the known VTS failures till U.
Bug: 290850651
Test: run vts -m VtsAidlKeyMintTarget
Change-Id: Id3746adc7385b41f4b4b2ebc8e7583972769134d
Removed the check to skip the attest-id tests on GSI, modified the
attest-id tests to support this.
Bug: 290643623
Test: atest VtsAidlKeyMintTargetTest
Change-Id: Id79d7fb4c70ed94ed76bc57f3d66ce47e9b67b48
When deliberately testing invalid ID attestation, use the helper
function (which checks the error return code is correct) in one more
place.
Test: VtsAidlKeyMintTargetTest
Bug: 286733800
Change-Id: I6ea5bd7ee19b3b172330117bfde1b16745debba7
Avoid the ADD_FAILURE at the end if attestion ID failure uses an allowed
return code.
Test: VtsAidlKeyMintTargetTest
Bug: 286733800
Change-Id: I0dcac312ac4516a078b2742721e3a19074da52b1
