tequilaOS/platform_hardware_interfaces
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

KeyMint VTS: re-order auth failure arms

Browse source 
Allow for devices that claim to need external timestamps, but don't.

Test: VtsAidlKeyMintTargetTest
Bug: 300211206
(cherry picked from https://android-review.googlesource.com/q/commit:a35699cb5cfef3773afebf51c2dd38530db43bf0)
Merged-In: Ie450d9969c337d5274502f3600e14c0b481e8b34
Change-Id: Ie450d9969c337d5274502f3600e14c0b481e8b34
This commit is contained in:
David Drysdale 2023-09-14 11:16:27 +01:00 committed by Cherrypicker Worker
parent 848650fd00
commit 24e594e05e
1 changed files with 11 additions and 8 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

19
security/keymint/aidl/vts/functional/AuthTest.cpp
View file

@ -329,14 +329,14 @@ TEST_P(AuthTest, TimeoutAuthentication) {
// Wait for long enough that the hardware auth token expires.
sleep(timeout_secs + 1);
if (!timestamp_token_required_) {
// KeyMint implementation has its own clock, and can immediately detect timeout.
EXPECT_EQ(ErrorCode::KEY_USER_NOT_AUTHENTICATED,
Begin(KeyPurpose::ENCRYPT, keyblob, params, &out_params, hat));
} else {
// KeyMint implementation has no clock, so only detects timeout via timestamp token provided
// on update()/finish().
ASSERT_EQ(ErrorCode::OK, Begin(KeyPurpose::ENCRYPT, keyblob, params, &out_params, hat));
auto begin_result = Begin(KeyPurpose::ENCRYPT, keyblob, params, &out_params, hat);
if (begin_result == ErrorCode::OK) {
// If begin() succeeds despite the out-of-date HAT, that must mean that the KeyMint
// device doesn't have its own clock. In that case, it only detects timeout via a
// timestamp token provided on update()/finish()
ASSERT_TRUE(timestamp_token_required_);
secureclock::TimeStampToken time_token;
EXPECT_EQ(ErrorCode::OK,
GetReturnErrorCode(clock_->generateTimeStamp(challenge_, &time_token)));
@ -344,6 +344,9 @@ TEST_P(AuthTest, TimeoutAuthentication) {
string output;
EXPECT_EQ(ErrorCode::KEY_USER_NOT_AUTHENTICATED,
Finish(message, {} /* signature */, &output, hat, time_token));
} else {
// The KeyMint implementation may have its own clock that can immediately detect timeout.
ASSERT_EQ(ErrorCode::KEY_USER_NOT_AUTHENTICATED, begin_result);
}
}