diff --git a/security/keymint/aidl/vts/functional/DeviceUniqueAttestationTest.cpp b/security/keymint/aidl/vts/functional/DeviceUniqueAttestationTest.cpp index 6f2f189ab7..3cbffbfb63 100644 --- a/security/keymint/aidl/vts/functional/DeviceUniqueAttestationTest.cpp +++ b/security/keymint/aidl/vts/functional/DeviceUniqueAttestationTest.cpp @@ -78,6 +78,7 @@ TEST_P(DeviceUniqueAttestationTest, RsaNonStrongBoxUnimplemented) { .Digest(Digest::SHA_2_256) .Padding(PaddingMode::RSA_PKCS1_1_5_SIGN) .Authorization(TAG_INCLUDE_UNIQUE_ID) + .Authorization(TAG_CREATION_DATETIME, 1619621648000) .AttestationChallenge("challenge") .AttestationApplicationId("foo") .Authorization(TAG_DEVICE_UNIQUE_ATTESTATION), @@ -106,6 +107,7 @@ TEST_P(DeviceUniqueAttestationTest, EcdsaNonStrongBoxUnimplemented) { .EcdsaSigningKey(EcCurve::P_256) .Digest(Digest::SHA_2_256) .Authorization(TAG_INCLUDE_UNIQUE_ID) + .Authorization(TAG_CREATION_DATETIME, 1619621648000) .AttestationChallenge("challenge") .AttestationApplicationId("foo") .Authorization(TAG_DEVICE_UNIQUE_ATTESTATION), @@ -135,6 +137,7 @@ TEST_P(DeviceUniqueAttestationTest, RsaDeviceUniqueAttestation) { .Digest(Digest::SHA_2_256) .Padding(PaddingMode::RSA_PKCS1_1_5_SIGN) .Authorization(TAG_INCLUDE_UNIQUE_ID) + .Authorization(TAG_CREATION_DATETIME, 1619621648000) .AttestationChallenge("challenge") .AttestationApplicationId("foo") .Authorization(TAG_DEVICE_UNIQUE_ATTESTATION), @@ -192,6 +195,7 @@ TEST_P(DeviceUniqueAttestationTest, EcdsaDeviceUniqueAttestation) { .EcdsaSigningKey(EcCurve::P_256) .Digest(Digest::SHA_2_256) .Authorization(TAG_INCLUDE_UNIQUE_ID) + .Authorization(TAG_CREATION_DATETIME, 1619621648000) .AttestationChallenge("challenge") .AttestationApplicationId("foo") .Authorization(TAG_DEVICE_UNIQUE_ATTESTATION), @@ -252,14 +256,16 @@ TEST_P(DeviceUniqueAttestationTest, EcdsaDeviceUniqueAttestationID) { for (const KeyParameter& tag : attestation_id_tags) { SCOPED_TRACE(testing::Message() << "+tag-" << tag); - AuthorizationSetBuilder builder = AuthorizationSetBuilder() - .Authorization(TAG_NO_AUTH_REQUIRED) - .EcdsaSigningKey(EcCurve::P_256) - .Digest(Digest::SHA_2_256) - .Authorization(TAG_INCLUDE_UNIQUE_ID) - .AttestationChallenge("challenge") - .AttestationApplicationId("foo") - .Authorization(TAG_DEVICE_UNIQUE_ATTESTATION); + AuthorizationSetBuilder builder = + AuthorizationSetBuilder() + .Authorization(TAG_NO_AUTH_REQUIRED) + .EcdsaSigningKey(EcCurve::P_256) + .Digest(Digest::SHA_2_256) + .Authorization(TAG_INCLUDE_UNIQUE_ID) + .Authorization(TAG_CREATION_DATETIME, 1619621648000) + .AttestationChallenge("challenge") + .AttestationApplicationId("foo") + .Authorization(TAG_DEVICE_UNIQUE_ATTESTATION); builder.push_back(tag); auto result = GenerateKey(builder, &key_blob, &key_characteristics); @@ -322,14 +328,16 @@ TEST_P(DeviceUniqueAttestationTest, EcdsaDeviceUniqueAttestationMismatchID) { for (const KeyParameter& invalid_tag : attestation_id_tags) { SCOPED_TRACE(testing::Message() << "+tag-" << invalid_tag); - AuthorizationSetBuilder builder = AuthorizationSetBuilder() - .Authorization(TAG_NO_AUTH_REQUIRED) - .EcdsaSigningKey(EcCurve::P_256) - .Digest(Digest::SHA_2_256) - .Authorization(TAG_INCLUDE_UNIQUE_ID) - .AttestationChallenge("challenge") - .AttestationApplicationId("foo") - .Authorization(TAG_DEVICE_UNIQUE_ATTESTATION); + AuthorizationSetBuilder builder = + AuthorizationSetBuilder() + .Authorization(TAG_NO_AUTH_REQUIRED) + .EcdsaSigningKey(EcCurve::P_256) + .Digest(Digest::SHA_2_256) + .Authorization(TAG_INCLUDE_UNIQUE_ID) + .Authorization(TAG_CREATION_DATETIME, 1619621648000) + .AttestationChallenge("challenge") + .AttestationApplicationId("foo") + .Authorization(TAG_DEVICE_UNIQUE_ATTESTATION); // Add the tag that doesn't match the local device's real ID. builder.push_back(invalid_tag); auto result = GenerateKey(builder, &key_blob, &key_characteristics); diff --git a/security/keymint/aidl/vts/functional/KeyMintTest.cpp b/security/keymint/aidl/vts/functional/KeyMintTest.cpp index 670043d0dd..92aa2ac64b 100644 --- a/security/keymint/aidl/vts/functional/KeyMintTest.cpp +++ b/security/keymint/aidl/vts/functional/KeyMintTest.cpp @@ -1627,13 +1627,13 @@ TEST_P(NewKeyGenerationTest, EcdsaAttestationIdTags) { */ TEST_P(NewKeyGenerationTest, EcdsaAttestationUniqueId) { auto get_unique_id = [this](const std::string& app_id, uint64_t datetime, - vector* unique_id) { + vector* unique_id, bool reset = false) { auto challenge = "hello"; auto subject = "cert subj 2"; vector subject_der(make_name_from_str(subject)); uint64_t serial_int = 0x1010; vector serial_blob(build_serial_blob(serial_int)); - const AuthorizationSetBuilder builder = + AuthorizationSetBuilder builder = AuthorizationSetBuilder() .Authorization(TAG_NO_AUTH_REQUIRED) .Authorization(TAG_INCLUDE_UNIQUE_ID) @@ -1645,6 +1645,9 @@ TEST_P(NewKeyGenerationTest, EcdsaAttestationUniqueId) { .AttestationApplicationId(app_id) .Authorization(TAG_CREATION_DATETIME, datetime) .SetDefaultValidity(); + if (reset) { + builder.Authorization(TAG_RESET_SINCE_ID_ROTATION); + } ASSERT_EQ(ErrorCode::OK, GenerateKey(builder)); ASSERT_GT(key_blob_.size(), 0U); @@ -1706,6 +1709,11 @@ TEST_P(NewKeyGenerationTest, EcdsaAttestationUniqueId) { vector unique_id8; get_unique_id(app_id, min_date - 1, &unique_id8); EXPECT_NE(unique_id, unique_id8); + + // Marking RESET_SINCE_ID_ROTATION should give a different unique ID. + vector unique_id9; + get_unique_id(app_id, cert_date, &unique_id9, /* reset_id = */ true); + EXPECT_NE(unique_id, unique_id9); } /*