Merge "Allow extra error code in device ID attestation" am: 1d7447e5d3 am: 013030d9a4

Original change: https://android-review.googlesource.com/c/platform/hardware/interfaces/+/2627969 Change-Id: I8cc53117a9e47954035498bfb0f98f7450e81c1a Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-06-22 07:18:29 +00:00 · 2023-06-22 07:18:29 +00:00 · 36a30021e6
commit 36a30021e6
parent 9912848327 013030d9a4
4 changed files with 25 additions and 14 deletions
--- a/security/keymint/aidl/vts/functional/AttestKeyTest.cpp
+++ b/security/keymint/aidl/vts/functional/AttestKeyTest.cpp
@ -950,10 +950,7 @@ TEST_P(AttestKeyTest, EcdsaAttestationMismatchID) {
        vector<Certificate> attested_key_cert_chain;
        auto result = GenerateKey(builder, attest_key, &attested_key_blob,
                                  &attested_key_characteristics, &attested_key_cert_chain);
-
-        ASSERT_TRUE(result == ErrorCode::CANNOT_ATTEST_IDS || result == ErrorCode::INVALID_TAG)
-                << "result = " << result;
-        device_id_attestation_vsr_check(result);
+        device_id_attestation_check_acceptable_error(invalid_tag.tag, result);
    }
 }

@ -1016,8 +1013,6 @@ TEST_P(AttestKeyTest, SecondIMEIAttestationIDSuccess) {
    ASSERT_EQ(result, ErrorCode::OK);
    KeyBlobDeleter attested_deleter(keymint_, attested_key_blob);

-    device_id_attestation_vsr_check(result);
-
    AuthorizationSet hw_enforced = HwEnforcedAuthorizations(attested_key_characteristics);
    AuthorizationSet sw_enforced = SwEnforcedAuthorizations(attested_key_characteristics);

@ -1095,8 +1090,6 @@ TEST_P(AttestKeyTest, MultipleIMEIAttestationIDSuccess) {
    ASSERT_EQ(result, ErrorCode::OK);
    KeyBlobDeleter attested_deleter(keymint_, attested_key_blob);

-    device_id_attestation_vsr_check(result);
-
    AuthorizationSet hw_enforced = HwEnforcedAuthorizations(attested_key_characteristics);
    AuthorizationSet sw_enforced = SwEnforcedAuthorizations(attested_key_characteristics);

--- a/security/keymint/aidl/vts/functional/DeviceUniqueAttestationTest.cpp
+++ b/security/keymint/aidl/vts/functional/DeviceUniqueAttestationTest.cpp
@ -374,8 +374,8 @@ TEST_P(DeviceUniqueAttestationTest, EcdsaDeviceUniqueAttestationMismatchID) {
        // Add the tag that doesn't match the local device's real ID.
        builder.push_back(invalid_tag);
        auto result = GenerateKey(builder, &key_blob, &key_characteristics);
-        ASSERT_TRUE(result == ErrorCode::CANNOT_ATTEST_IDS || result == ErrorCode::INVALID_TAG);
-        device_id_attestation_vsr_check(result);
+
+        device_id_attestation_check_acceptable_error(invalid_tag.tag, result);
    }
 }

--- a/security/keymint/aidl/vts/functional/KeyMintAidlTestBase.cpp
+++ b/security/keymint/aidl/vts/functional/KeyMintAidlTestBase.cpp
@ -2162,14 +2162,32 @@ void p256_pub_key(const vector<uint8_t>& coseKeyData, EVP_PKEY_Ptr* signingKey)
    *signingKey = std::move(pubKey);
 }

-void device_id_attestation_vsr_check(const ErrorCode& result) {
-    if (get_vsr_api_level() > __ANDROID_API_T__) {
-        ASSERT_FALSE(result == ErrorCode::INVALID_TAG)
+// Check the error code from an attempt to perform device ID attestation with an invalid value.
+void device_id_attestation_check_acceptable_error(Tag tag, const ErrorCode& result) {
+    // Standard/default error code for ID mismatch.
+    if (result == ErrorCode::CANNOT_ATTEST_IDS) {
+        return;
+    }
+
+    // Depending on the situation, other error codes may be acceptable.  First, allow older
+    // implementations to use INVALID_TAG.
+    if (result == ErrorCode::INVALID_TAG) {
+        ASSERT_FALSE(get_vsr_api_level() > __ANDROID_API_T__)
                << "It is a specification violation for INVALID_TAG to be returned due to ID "
                << "mismatch in a Device ID Attestation call. INVALID_TAG is only intended to "
                << "be used for a case where updateAad() is called after update(). As of "
                << "VSR-14, this is now enforced as an error.";
    }
+
+    // If the device is not a phone, it will not have IMEI/MEID values available.  Allow
+    // ATTESTATION_IDS_NOT_PROVISIONED in this case.
+    if (result == ErrorCode::ATTESTATION_IDS_NOT_PROVISIONED) {
+        ASSERT_TRUE((tag == TAG_ATTESTATION_ID_IMEI || tag == TAG_ATTESTATION_ID_MEID ||
+                     tag == TAG_ATTESTATION_ID_SECOND_IMEI))
+                << "incorrect error code on attestation ID mismatch";
+    }
+    ADD_FAILURE() << "Error code " << result
+                  << " returned on attestation ID mismatch, should be CANNOT_ATTEST_IDS";
 }

 // Check whether the given named feature is available.
--- a/security/keymint/aidl/vts/functional/KeyMintAidlTestBase.h
+++ b/security/keymint/aidl/vts/functional/KeyMintAidlTestBase.h
@ -432,7 +432,7 @@ vector<uint8_t> make_name_from_str(const string& name);
 void check_maced_pubkey(const MacedPublicKey& macedPubKey, bool testMode,
                        vector<uint8_t>* payload_value);
 void p256_pub_key(const vector<uint8_t>& coseKeyData, EVP_PKEY_Ptr* signingKey);
-void device_id_attestation_vsr_check(const ErrorCode& result);
+void device_id_attestation_check_acceptable_error(Tag tag, const ErrorCode& result);
 bool check_feature(const std::string& name);

 AuthorizationSet HwEnforcedAuthorizations(const vector<KeyCharacteristics>& key_characteristics);