KeyMint VTS: extra unique ID test
Test that specifying RESET_SINCE_ID_ROTATION results in a different unique ID value. Test: VtsAidlKeyMintTargetTest Bug: 202487002 Change-Id: I2aed96514bf9e4802f0ef756f880cac79fa09554
This commit is contained in:
David Drysdale
parent
8d27f7c7da
commit
13f2a40e44
2 changed files with 34 additions and 18 deletions
|
|
@ -78,6 +78,7 @@ TEST_P(DeviceUniqueAttestationTest, RsaNonStrongBoxUnimplemented) {
|
|||
.Digest(Digest::SHA_2_256)
|
||||
.Padding(PaddingMode::RSA_PKCS1_1_5_SIGN)
|
||||
.Authorization(TAG_INCLUDE_UNIQUE_ID)
|
||||
.Authorization(TAG_CREATION_DATETIME, 1619621648000)
|
||||
.AttestationChallenge("challenge")
|
||||
.AttestationApplicationId("foo")
|
||||
.Authorization(TAG_DEVICE_UNIQUE_ATTESTATION),
|
||||
|
|
@ -106,6 +107,7 @@ TEST_P(DeviceUniqueAttestationTest, EcdsaNonStrongBoxUnimplemented) {
|
|||
.EcdsaSigningKey(EcCurve::P_256)
|
||||
.Digest(Digest::SHA_2_256)
|
||||
.Authorization(TAG_INCLUDE_UNIQUE_ID)
|
||||
.Authorization(TAG_CREATION_DATETIME, 1619621648000)
|
||||
.AttestationChallenge("challenge")
|
||||
.AttestationApplicationId("foo")
|
||||
.Authorization(TAG_DEVICE_UNIQUE_ATTESTATION),
|
||||
|
|
@ -135,6 +137,7 @@ TEST_P(DeviceUniqueAttestationTest, RsaDeviceUniqueAttestation) {
|
|||
.Digest(Digest::SHA_2_256)
|
||||
.Padding(PaddingMode::RSA_PKCS1_1_5_SIGN)
|
||||
.Authorization(TAG_INCLUDE_UNIQUE_ID)
|
||||
.Authorization(TAG_CREATION_DATETIME, 1619621648000)
|
||||
.AttestationChallenge("challenge")
|
||||
.AttestationApplicationId("foo")
|
||||
.Authorization(TAG_DEVICE_UNIQUE_ATTESTATION),
|
||||
|
|
@ -192,6 +195,7 @@ TEST_P(DeviceUniqueAttestationTest, EcdsaDeviceUniqueAttestation) {
|
|||
.EcdsaSigningKey(EcCurve::P_256)
|
||||
.Digest(Digest::SHA_2_256)
|
||||
.Authorization(TAG_INCLUDE_UNIQUE_ID)
|
||||
.Authorization(TAG_CREATION_DATETIME, 1619621648000)
|
||||
.AttestationChallenge("challenge")
|
||||
.AttestationApplicationId("foo")
|
||||
.Authorization(TAG_DEVICE_UNIQUE_ATTESTATION),
|
||||
|
|
@ -252,14 +256,16 @@ TEST_P(DeviceUniqueAttestationTest, EcdsaDeviceUniqueAttestationID) {
|
|||
|
||||
for (const KeyParameter& tag : attestation_id_tags) {
|
||||
SCOPED_TRACE(testing::Message() << "+tag-" << tag);
|
||||
AuthorizationSetBuilder builder = AuthorizationSetBuilder()
|
||||
.Authorization(TAG_NO_AUTH_REQUIRED)
|
||||
.EcdsaSigningKey(EcCurve::P_256)
|
||||
.Digest(Digest::SHA_2_256)
|
||||
.Authorization(TAG_INCLUDE_UNIQUE_ID)
|
||||
.AttestationChallenge("challenge")
|
||||
.AttestationApplicationId("foo")
|
||||
.Authorization(TAG_DEVICE_UNIQUE_ATTESTATION);
|
||||
AuthorizationSetBuilder builder =
|
||||
AuthorizationSetBuilder()
|
||||
.Authorization(TAG_NO_AUTH_REQUIRED)
|
||||
.EcdsaSigningKey(EcCurve::P_256)
|
||||
.Digest(Digest::SHA_2_256)
|
||||
.Authorization(TAG_INCLUDE_UNIQUE_ID)
|
||||
.Authorization(TAG_CREATION_DATETIME, 1619621648000)
|
||||
.AttestationChallenge("challenge")
|
||||
.AttestationApplicationId("foo")
|
||||
.Authorization(TAG_DEVICE_UNIQUE_ATTESTATION);
|
||||
builder.push_back(tag);
|
||||
auto result = GenerateKey(builder, &key_blob, &key_characteristics);
|
||||
|
||||
|
|
@ -322,14 +328,16 @@ TEST_P(DeviceUniqueAttestationTest, EcdsaDeviceUniqueAttestationMismatchID) {
|
|||
|
||||
for (const KeyParameter& invalid_tag : attestation_id_tags) {
|
||||
SCOPED_TRACE(testing::Message() << "+tag-" << invalid_tag);
|
||||
AuthorizationSetBuilder builder = AuthorizationSetBuilder()
|
||||
.Authorization(TAG_NO_AUTH_REQUIRED)
|
||||
.EcdsaSigningKey(EcCurve::P_256)
|
||||
.Digest(Digest::SHA_2_256)
|
||||
.Authorization(TAG_INCLUDE_UNIQUE_ID)
|
||||
.AttestationChallenge("challenge")
|
||||
.AttestationApplicationId("foo")
|
||||
.Authorization(TAG_DEVICE_UNIQUE_ATTESTATION);
|
||||
AuthorizationSetBuilder builder =
|
||||
AuthorizationSetBuilder()
|
||||
.Authorization(TAG_NO_AUTH_REQUIRED)
|
||||
.EcdsaSigningKey(EcCurve::P_256)
|
||||
.Digest(Digest::SHA_2_256)
|
||||
.Authorization(TAG_INCLUDE_UNIQUE_ID)
|
||||
.Authorization(TAG_CREATION_DATETIME, 1619621648000)
|
||||
.AttestationChallenge("challenge")
|
||||
.AttestationApplicationId("foo")
|
||||
.Authorization(TAG_DEVICE_UNIQUE_ATTESTATION);
|
||||
// Add the tag that doesn't match the local device's real ID.
|
||||
builder.push_back(invalid_tag);
|
||||
auto result = GenerateKey(builder, &key_blob, &key_characteristics);
|
||||
|
|
|
|||
|
|
@ -1627,13 +1627,13 @@ TEST_P(NewKeyGenerationTest, EcdsaAttestationIdTags) {
|
|||
*/
|
||||
TEST_P(NewKeyGenerationTest, EcdsaAttestationUniqueId) {
|
||||
auto get_unique_id = [this](const std::string& app_id, uint64_t datetime,
|
||||
vector<uint8_t>* unique_id) {
|
||||
vector<uint8_t>* unique_id, bool reset = false) {
|
||||
auto challenge = "hello";
|
||||
auto subject = "cert subj 2";
|
||||
vector<uint8_t> subject_der(make_name_from_str(subject));
|
||||
uint64_t serial_int = 0x1010;
|
||||
vector<uint8_t> serial_blob(build_serial_blob(serial_int));
|
||||
const AuthorizationSetBuilder builder =
|
||||
AuthorizationSetBuilder builder =
|
||||
AuthorizationSetBuilder()
|
||||
.Authorization(TAG_NO_AUTH_REQUIRED)
|
||||
.Authorization(TAG_INCLUDE_UNIQUE_ID)
|
||||
|
|
@ -1645,6 +1645,9 @@ TEST_P(NewKeyGenerationTest, EcdsaAttestationUniqueId) {
|
|||
.AttestationApplicationId(app_id)
|
||||
.Authorization(TAG_CREATION_DATETIME, datetime)
|
||||
.SetDefaultValidity();
|
||||
if (reset) {
|
||||
builder.Authorization(TAG_RESET_SINCE_ID_ROTATION);
|
||||
}
|
||||
|
||||
ASSERT_EQ(ErrorCode::OK, GenerateKey(builder));
|
||||
ASSERT_GT(key_blob_.size(), 0U);
|
||||
|
|
@ -1706,6 +1709,11 @@ TEST_P(NewKeyGenerationTest, EcdsaAttestationUniqueId) {
|
|||
vector<uint8_t> unique_id8;
|
||||
get_unique_id(app_id, min_date - 1, &unique_id8);
|
||||
EXPECT_NE(unique_id, unique_id8);
|
||||
|
||||
// Marking RESET_SINCE_ID_ROTATION should give a different unique ID.
|
||||
vector<uint8_t> unique_id9;
|
||||
get_unique_id(app_id, cert_date, &unique_id9, /* reset_id = */ true);
|
||||
EXPECT_NE(unique_id, unique_id9);
|
||||
}
|
||||
|
||||
/*
|
||||
|
|
|
|||
Loading…
Reference in a new issue