Merge "KeyMint VTS: check INCLUDE_UNIQUE_ID works"

security/keymint/aidl/vts/functional/KeyMintAidlTestBase.cpp

@@ -1307,7 +1307,8 @@ bool verify_attestation_record(const string& challenge,                //
                                AuthorizationSet expected_sw_enforced,  //
                                AuthorizationSet expected_hw_enforced,  //
                                SecurityLevel security_level,
-                               const vector<uint8_t>& attestation_cert) {
+                               const vector<uint8_t>& attestation_cert,
+                               vector<uint8_t>* unique_id) {
     X509_Ptr cert(parse_cert_blob(attestation_cert));
     EXPECT_TRUE(!!cert.get());
     if (!cert.get()) return false;
@@ -1472,6 +1473,10 @@ bool verify_attestation_record(const string& challenge,                //
     expected_hw_enforced.Sort();
     EXPECT_EQ(filtered_tags(expected_hw_enforced), filtered_tags(att_hw_enforced));
 
+    if (unique_id != nullptr) {
+        *unique_id = att_unique_id;
+    }
+
     return true;
 }
 

security/keymint/aidl/vts/functional/KeyMintAidlTestBase.h

@@ -338,7 +338,8 @@ bool verify_attestation_record(const string& challenge,                //
                                AuthorizationSet expected_sw_enforced,  //
                                AuthorizationSet expected_hw_enforced,  //
                                SecurityLevel security_level,
-                               const vector<uint8_t>& attestation_cert);
+                               const vector<uint8_t>& attestation_cert,
+                               vector<uint8_t>* unique_id = nullptr);
 
 string bin2hex(const vector<uint8_t>& data);
 X509_Ptr parse_cert_blob(const vector<uint8_t>& blob);

security/keymint/aidl/vts/functional/KeyMintTest.cpp

@@ -1620,6 +1620,94 @@ TEST_P(NewKeyGenerationTest, EcdsaAttestationIdTags) {
     }
 }
 
+/*
+ * NewKeyGenerationTest.EcdsaAttestationUniqueId
+ *
+ * Verifies that creation of an attested ECDSA key with a UNIQUE_ID included.
+ */
+TEST_P(NewKeyGenerationTest, EcdsaAttestationUniqueId) {
+    auto get_unique_id = [this](const std::string& app_id, uint64_t datetime,
+                                vector<uint8_t>* unique_id) {
+        auto challenge = "hello";
+        auto subject = "cert subj 2";
+        vector<uint8_t> subject_der(make_name_from_str(subject));
+        uint64_t serial_int = 0x1010;
+        vector<uint8_t> serial_blob(build_serial_blob(serial_int));
+        const AuthorizationSetBuilder builder =
+                AuthorizationSetBuilder()
+                        .Authorization(TAG_NO_AUTH_REQUIRED)
+                        .Authorization(TAG_INCLUDE_UNIQUE_ID)
+                        .EcdsaSigningKey(EcCurve::P_256)
+                        .Digest(Digest::NONE)
+                        .AttestationChallenge(challenge)
+                        .Authorization(TAG_CERTIFICATE_SERIAL, serial_blob)
+                        .Authorization(TAG_CERTIFICATE_SUBJECT, subject_der)
+                        .AttestationApplicationId(app_id)
+                        .Authorization(TAG_CREATION_DATETIME, datetime)
+                        .SetDefaultValidity();
+
+        ASSERT_EQ(ErrorCode::OK, GenerateKey(builder));
+        ASSERT_GT(key_blob_.size(), 0U);
+
+        EXPECT_TRUE(ChainSignaturesAreValid(cert_chain_));
+        ASSERT_GT(cert_chain_.size(), 0);
+        verify_subject_and_serial(cert_chain_[0], serial_int, subject, /* self_signed = */ false);
+
+        AuthorizationSet hw_enforced = HwEnforcedAuthorizations(key_characteristics_);
+        AuthorizationSet sw_enforced = SwEnforcedAuthorizations(key_characteristics_);
+
+        // Check that the unique ID field in the extension is non-empty.
+        EXPECT_TRUE(verify_attestation_record(challenge, app_id, sw_enforced, hw_enforced,
+                                              SecLevel(), cert_chain_[0].encodedCertificate,
+                                              unique_id));
+        EXPECT_GT(unique_id->size(), 0);
+        CheckedDeleteKey();
+    };
+
+    // Generate unique ID
+    auto app_id = "foo";
+    uint64_t cert_date = 1619621648000;  // Wed Apr 28 14:54:08 2021 in ms since epoch
+    vector<uint8_t> unique_id;
+    get_unique_id(app_id, cert_date, &unique_id);
+
+    // Generating a new key with the same parameters should give the same unique ID.
+    vector<uint8_t> unique_id2;
+    get_unique_id(app_id, cert_date, &unique_id2);
+    EXPECT_EQ(unique_id, unique_id2);
+
+    // Generating a new key with a slightly different date should give the same unique ID.
+    uint64_t rounded_date = cert_date / 2592000000LLU;
+    uint64_t min_date = rounded_date * 2592000000LLU;
+    uint64_t max_date = ((rounded_date + 1) * 2592000000LLU) - 1;
+
+    vector<uint8_t> unique_id3;
+    get_unique_id(app_id, min_date, &unique_id3);
+    EXPECT_EQ(unique_id, unique_id3);
+
+    vector<uint8_t> unique_id4;
+    get_unique_id(app_id, max_date, &unique_id4);
+    EXPECT_EQ(unique_id, unique_id4);
+
+    // A different attestation application ID should yield a different unique ID.
+    auto app_id2 = "different_foo";
+    vector<uint8_t> unique_id5;
+    get_unique_id(app_id2, cert_date, &unique_id5);
+    EXPECT_NE(unique_id, unique_id5);
+
+    // A radically different date should yield a different unique ID.
+    vector<uint8_t> unique_id6;
+    get_unique_id(app_id, 1611621648000, &unique_id6);
+    EXPECT_NE(unique_id, unique_id6);
+
+    vector<uint8_t> unique_id7;
+    get_unique_id(app_id, max_date + 1, &unique_id7);
+    EXPECT_NE(unique_id, unique_id7);
+
+    vector<uint8_t> unique_id8;
+    get_unique_id(app_id, min_date - 1, &unique_id8);
+    EXPECT_NE(unique_id, unique_id8);
+}
+
 /*
  * NewKeyGenerationTest.EcdsaAttestationTagNoApplicationId
  *