tequilaOS/platform_hardware_interfaces
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Fix Keymint VTS test after adding CERTIFICATE_* tags am: 164bb878d4

Browse source 
Original change: https://android-review.googlesource.com/c/platform/hardware/interfaces/+/1579254

MUST ONLY BE SUBMITTED BY AUTOMERGER

Change-Id: I444d8472141dab64ae19a1d1ad1f2bbf74063113
This commit is contained in:
Janis Danisevskis 2021-02-10 01:22:05 +00:00 committed by Automerger Merge Worker
commit 68f64d5bac
3 changed files with 165 additions and 84 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

239
security/keymint/aidl/vts/functional/KeyMintTest.cpp
View file

@ -544,7 +544,8 @@ TEST_P(NewKeyGenerationTest, Rsa) {
ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
.RsaSigningKey(key_size, 65537)
.Digest(Digest::NONE)
.Padding(PaddingMode::NONE),
.Padding(PaddingMode::NONE)
.SetDefaultValidity(),
&key_blob, &key_characteristics));
ASSERT_GT(key_blob.size(), 0U);
@ -580,7 +581,8 @@ TEST_P(NewKeyGenerationTest, RsaWithAttestation) {
.Padding(PaddingMode::NONE)
.AttestationChallenge(challenge)
.AttestationApplicationId(app_id)
.Authorization(TAG_NO_AUTH_REQUIRED),
.Authorization(TAG_NO_AUTH_REQUIRED)
.SetDefaultValidity(),
&key_blob, &key_characteristics));
ASSERT_GT(key_blob.size(), 0U);
@ -620,7 +622,8 @@ TEST_P(NewKeyGenerationTest, LimitedUsageRsa) {
.RsaSigningKey(key_size, 65537)
.Digest(Digest::NONE)
.Padding(PaddingMode::NONE)
.Authorization(TAG_USAGE_COUNT_LIMIT, 1),
.Authorization(TAG_USAGE_COUNT_LIMIT, 1)
.SetDefaultValidity(),
&key_blob, &key_characteristics));
ASSERT_GT(key_blob.size(), 0U);
@ -665,7 +668,8 @@ TEST_P(NewKeyGenerationTest, LimitedUsageRsaWithAttestation) {
.AttestationChallenge(challenge)
.AttestationApplicationId(app_id)
.Authorization(TAG_NO_AUTH_REQUIRED)
.Authorization(TAG_USAGE_COUNT_LIMIT, 1),
.Authorization(TAG_USAGE_COUNT_LIMIT, 1)
.SetDefaultValidity(),
&key_blob, &key_characteristics));
ASSERT_GT(key_blob.size(), 0U);
@ -713,7 +717,8 @@ TEST_P(NewKeyGenerationTest, NoInvalidRsaSizes) {
GenerateKey(AuthorizationSetBuilder()
.RsaSigningKey(key_size, 65537)
.Digest(Digest::NONE)
.Padding(PaddingMode::NONE),
.Padding(PaddingMode::NONE)
.SetDefaultValidity(),
&key_blob, &key_characteristics));
}
}
@ -729,7 +734,8 @@ TEST_P(NewKeyGenerationTest, RsaNoDefaultSize) {
GenerateKey(AuthorizationSetBuilder()
.Authorization(TAG_ALGORITHM, Algorithm::RSA)
.Authorization(TAG_RSA_PUBLIC_EXPONENT, 3U)
.SigningKey()));
.SigningKey()
.SetDefaultValidity()));
}
/*
@ -742,10 +748,11 @@ TEST_P(NewKeyGenerationTest, Ecdsa) {
for (auto key_size : ValidKeySizes(Algorithm::EC)) {
vector<uint8_t> key_blob;
vector<KeyCharacteristics> key_characteristics;
ASSERT_EQ(ErrorCode::OK,
GenerateKey(
AuthorizationSetBuilder().EcdsaSigningKey(key_size).Digest(Digest::NONE),
&key_blob, &key_characteristics));
ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
.EcdsaSigningKey(key_size)
.Digest(Digest::NONE)
.SetDefaultValidity(),
&key_blob, &key_characteristics));
ASSERT_GT(key_blob.size(), 0U);
CheckBaseParams(key_characteristics);
@ -772,7 +779,8 @@ TEST_P(NewKeyGenerationTest, LimitedUsageEcdsa) {
ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
.EcdsaSigningKey(key_size)
.Digest(Digest::NONE)
.Authorization(TAG_USAGE_COUNT_LIMIT, 1),
.Authorization(TAG_USAGE_COUNT_LIMIT, 1)
.SetDefaultValidity(),
&key_blob, &key_characteristics));
ASSERT_GT(key_blob.size(), 0U);
@ -807,7 +815,8 @@ TEST_P(NewKeyGenerationTest, EcdsaDefaultSize) {
GenerateKey(AuthorizationSetBuilder()
.Authorization(TAG_ALGORITHM, Algorithm::EC)
.SigningKey()
.Digest(Digest::NONE)));
.Digest(Digest::NONE)
.SetDefaultValidity()));
}
/*
@ -820,14 +829,17 @@ TEST_P(NewKeyGenerationTest, EcdsaInvalidSize) {
for (auto key_size : InvalidKeySizes(Algorithm::EC)) {
vector<uint8_t> key_blob;
vector<KeyCharacteristics> key_characteristics;
ASSERT_EQ(ErrorCode::UNSUPPORTED_KEY_SIZE,
GenerateKey(
AuthorizationSetBuilder().EcdsaSigningKey(key_size).Digest(Digest::NONE),
&key_blob, &key_characteristics));
ASSERT_EQ(ErrorCode::UNSUPPORTED_KEY_SIZE, GenerateKey(AuthorizationSetBuilder()
.EcdsaSigningKey(key_size)
.Digest(Digest::NONE)
.SetDefaultValidity(),
&key_blob, &key_characteristics));
}
ASSERT_EQ(ErrorCode::UNSUPPORTED_KEY_SIZE,
GenerateKey(AuthorizationSetBuilder().EcdsaSigningKey(190).Digest(Digest::NONE)));
ASSERT_EQ(ErrorCode::UNSUPPORTED_KEY_SIZE, GenerateKey(AuthorizationSetBuilder()
.EcdsaSigningKey(190)
.Digest(Digest::NONE)
.SetDefaultValidity()));
}
/*
@ -843,7 +855,8 @@ TEST_P(NewKeyGenerationTest, EcdsaMismatchKeySize) {
GenerateKey(AuthorizationSetBuilder()
.EcdsaSigningKey(224)
.Authorization(TAG_EC_CURVE, EcCurve::P_256)
.Digest(Digest::NONE)));
.Digest(Digest::NONE)
.SetDefaultValidity()));
}
/*
@ -854,8 +867,10 @@ TEST_P(NewKeyGenerationTest, EcdsaMismatchKeySize) {
TEST_P(NewKeyGenerationTest, EcdsaAllValidSizes) {
auto valid_sizes = ValidKeySizes(Algorithm::EC);
for (size_t size : valid_sizes) {
EXPECT_EQ(ErrorCode::OK,
GenerateKey(AuthorizationSetBuilder().EcdsaSigningKey(size).Digest(Digest::NONE)))
EXPECT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
.EcdsaSigningKey(size)
.Digest(Digest::NONE)
.SetDefaultValidity()))
<< "Failed to generate size: " << size;
CheckedDeleteKey();
}
@ -874,8 +889,10 @@ TEST_P(NewKeyGenerationTest, EcdsaAllValidCurves) {
digest = Digest::SHA_2_512;
}
for (auto curve : ValidCurves()) {
EXPECT_EQ(ErrorCode::OK,
GenerateKey(AuthorizationSetBuilder().EcdsaSigningKey(curve).Digest(digest)))
EXPECT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
.EcdsaSigningKey(curve)
.Digest(digest)
.SetDefaultValidity()))
<< "Failed to generate key on curve: " << curve;
CheckedDeleteKey();
}
@ -1058,7 +1075,8 @@ TEST_P(SigningOperationsTest, RsaSuccess) {
.RsaSigningKey(2048, 65537)
.Digest(Digest::NONE)
.Padding(PaddingMode::NONE)
.Authorization(TAG_NO_AUTH_REQUIRED)));
.Authorization(TAG_NO_AUTH_REQUIRED)
.SetDefaultValidity()));
string message = "12345678901234567890123456789012";
string signature = SignMessage(
message, AuthorizationSetBuilder().Digest(Digest::NONE).Padding(PaddingMode::NONE));
@ -1076,7 +1094,8 @@ TEST_P(SigningOperationsTest, RsaUseRequiresCorrectAppIdAppData) {
.Digest(Digest::NONE)
.Padding(PaddingMode::NONE)
.Authorization(TAG_APPLICATION_ID, "clientid")
.Authorization(TAG_APPLICATION_DATA, "appdata")));
.Authorization(TAG_APPLICATION_DATA, "appdata")
.SetDefaultValidity()));
EXPECT_EQ(ErrorCode::INVALID_KEY_BLOB,
Begin(KeyPurpose::SIGN,
AuthorizationSetBuilder().Digest(Digest::NONE).Padding(PaddingMode::NONE)));
@ -1112,7 +1131,8 @@ TEST_P(SigningOperationsTest, RsaPssSha256Success) {
.RsaSigningKey(2048, 65537)
.Digest(Digest::SHA_2_256)
.Padding(PaddingMode::RSA_PSS)
.Authorization(TAG_NO_AUTH_REQUIRED)));
.Authorization(TAG_NO_AUTH_REQUIRED)
.SetDefaultValidity()));
// Use large message, which won't work without digesting.
string message(1024, 'a');
string signature = SignMessage(
@ -1131,7 +1151,8 @@ TEST_P(SigningOperationsTest, RsaPaddingNoneDoesNotAllowOther) {
.RsaSigningKey(2048, 65537)
.Digest(Digest::NONE)
.Authorization(TAG_NO_AUTH_REQUIRED)
.Padding(PaddingMode::NONE)));
.Padding(PaddingMode::NONE)
.SetDefaultValidity()));
string message = "12345678901234567890123456789012";
string signature;
@ -1150,13 +1171,13 @@ TEST_P(SigningOperationsTest, RsaPaddingNoneDoesNotAllowOther) {
*/
TEST_P(SigningOperationsTest, NoUserConfirmation) {
if (SecLevel() == SecurityLevel::STRONGBOX) return;
ASSERT_EQ(ErrorCode::OK,
GenerateKey(AuthorizationSetBuilder()
.RsaSigningKey(1024, 65537)
.Digest(Digest::NONE)
.Padding(PaddingMode::NONE)
.Authorization(TAG_NO_AUTH_REQUIRED)
.Authorization(TAG_TRUSTED_CONFIRMATION_REQUIRED)));
ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
.RsaSigningKey(1024, 65537)
.Digest(Digest::NONE)
.Padding(PaddingMode::NONE)
.Authorization(TAG_NO_AUTH_REQUIRED)
.Authorization(TAG_TRUSTED_CONFIRMATION_REQUIRED)
.SetDefaultValidity()));
const string message = "12345678901234567890123456789012";
EXPECT_EQ(ErrorCode::OK,
@ -1176,7 +1197,8 @@ TEST_P(SigningOperationsTest, RsaPkcs1Sha256Success) {
.RsaSigningKey(2048, 65537)
.Digest(Digest::SHA_2_256)
.Authorization(TAG_NO_AUTH_REQUIRED)
.Padding(PaddingMode::RSA_PKCS1_1_5_SIGN)));
.Padding(PaddingMode::RSA_PKCS1_1_5_SIGN)
.SetDefaultValidity()));
string message(1024, 'a');
string signature = SignMessage(message, AuthorizationSetBuilder()
.Digest(Digest::SHA_2_256)
@ -1193,7 +1215,8 @@ TEST_P(SigningOperationsTest, RsaPkcs1NoDigestSuccess) {
.RsaSigningKey(2048, 65537)
.Digest(Digest::NONE)
.Authorization(TAG_NO_AUTH_REQUIRED)
.Padding(PaddingMode::RSA_PKCS1_1_5_SIGN)));
.Padding(PaddingMode::RSA_PKCS1_1_5_SIGN)
.SetDefaultValidity()));
string message(53, 'a');
string signature = SignMessage(message, AuthorizationSetBuilder()
.Digest(Digest::NONE)
@ -1211,7 +1234,8 @@ TEST_P(SigningOperationsTest, RsaPkcs1NoDigestTooLong) {
.RsaSigningKey(2048, 65537)
.Digest(Digest::NONE)
.Authorization(TAG_NO_AUTH_REQUIRED)
.Padding(PaddingMode::RSA_PKCS1_1_5_SIGN)));
.Padding(PaddingMode::RSA_PKCS1_1_5_SIGN)
.SetDefaultValidity()));
string message(257, 'a');
EXPECT_EQ(ErrorCode::OK,
@ -1241,7 +1265,8 @@ TEST_P(SigningOperationsTest, RsaPssSha512TooSmallKey) {
.RsaSigningKey(1024, 65537)
.Digest(Digest::SHA_2_512)
.Authorization(TAG_NO_AUTH_REQUIRED)
.Padding(PaddingMode::RSA_PSS)));
.Padding(PaddingMode::RSA_PSS)
.SetDefaultValidity()));
EXPECT_EQ(ErrorCode::INCOMPATIBLE_DIGEST,
Begin(KeyPurpose::SIGN, AuthorizationSetBuilder()
.Digest(Digest::SHA_2_512)
@ -1259,7 +1284,8 @@ TEST_P(SigningOperationsTest, RsaNoPaddingTooLong) {
.RsaSigningKey(2048, 65537)
.Digest(Digest::NONE)
.Authorization(TAG_NO_AUTH_REQUIRED)
.Padding(PaddingMode::RSA_PKCS1_1_5_SIGN)));
.Padding(PaddingMode::RSA_PKCS1_1_5_SIGN)
.SetDefaultValidity()));
// One byte too long
string message(2048 / 8 + 1, 'a');
ASSERT_EQ(ErrorCode::OK,
@ -1293,7 +1319,8 @@ TEST_P(SigningOperationsTest, RsaAbort) {
.RsaSigningKey(2048, 65537)
.Digest(Digest::NONE)
.Authorization(TAG_NO_AUTH_REQUIRED)
.Padding(PaddingMode::NONE)));
.Padding(PaddingMode::NONE)
.SetDefaultValidity()));
ASSERT_EQ(ErrorCode::OK,
Begin(KeyPurpose::SIGN,
@ -1318,7 +1345,8 @@ TEST_P(SigningOperationsTest, RsaUnsupportedPadding) {
.RsaSigningKey(2048, 65537)
.Authorization(TAG_NO_AUTH_REQUIRED)
.Digest(Digest::SHA_2_256 /* supported digest */)
.Padding(PaddingMode::PKCS7)));
.Padding(PaddingMode::PKCS7)
.SetDefaultValidity()));
ASSERT_EQ(
ErrorCode::UNSUPPORTED_PADDING_MODE,
Begin(KeyPurpose::SIGN,
@ -1335,7 +1363,8 @@ TEST_P(SigningOperationsTest, RsaNoDigest) {
.RsaSigningKey(2048, 65537)
.Authorization(TAG_NO_AUTH_REQUIRED)
.Digest(Digest::NONE)
.Padding(PaddingMode::RSA_PSS)));
.Padding(PaddingMode::RSA_PSS)
.SetDefaultValidity()));
ASSERT_EQ(ErrorCode::INCOMPATIBLE_DIGEST,
Begin(KeyPurpose::SIGN,
AuthorizationSetBuilder().Digest(Digest::NONE).Padding(PaddingMode::RSA_PSS)));
@ -1356,7 +1385,8 @@ TEST_P(SigningOperationsTest, RsaNoPadding) {
.RsaKey(2048, 65537)
.Authorization(TAG_NO_AUTH_REQUIRED)
.SigningKey()
.Digest(Digest::NONE)));
.Digest(Digest::NONE)
.SetDefaultValidity()));
ASSERT_EQ(ErrorCode::UNSUPPORTED_PADDING_MODE,
Begin(KeyPurpose::SIGN, AuthorizationSetBuilder().Digest(Digest::NONE)));
}
@ -1371,7 +1401,8 @@ TEST_P(SigningOperationsTest, RsaTooShortMessage) {
.Authorization(TAG_NO_AUTH_REQUIRED)
.RsaSigningKey(2048, 65537)
.Digest(Digest::NONE)
.Padding(PaddingMode::NONE)));
.Padding(PaddingMode::NONE)
.SetDefaultValidity()));
// Barely shorter
string message(2048 / 8 - 1, 'a');
@ -1392,7 +1423,8 @@ TEST_P(SigningOperationsTest, RsaSignWithEncryptionKey) {
.Authorization(TAG_NO_AUTH_REQUIRED)
.RsaEncryptionKey(2048, 65537)
.Digest(Digest::NONE)
.Padding(PaddingMode::NONE)));
.Padding(PaddingMode::NONE)
.SetDefaultValidity()));
ASSERT_EQ(ErrorCode::INCOMPATIBLE_PURPOSE,
Begin(KeyPurpose::SIGN,
AuthorizationSetBuilder().Digest(Digest::NONE).Padding(PaddingMode::NONE)));
@ -1409,7 +1441,8 @@ TEST_P(SigningOperationsTest, RsaSignTooLargeMessage) {
.Authorization(TAG_NO_AUTH_REQUIRED)
.RsaSigningKey(2048, 65537)
.Digest(Digest::NONE)
.Padding(PaddingMode::NONE)));
.Padding(PaddingMode::NONE)
.SetDefaultValidity()));
// Largest possible message will always be larger than the public modulus.
string message(2048 / 8, static_cast<char>(0xff));
@ -1432,7 +1465,8 @@ TEST_P(SigningOperationsTest, EcdsaAllSizesAndHashes) {
ErrorCode error = GenerateKey(AuthorizationSetBuilder()
.Authorization(TAG_NO_AUTH_REQUIRED)
.EcdsaSigningKey(key_size)
.Digest(digest));
.Digest(digest)
.SetDefaultValidity());
EXPECT_EQ(ErrorCode::OK, error) << "Failed to generate ECDSA key with size " << key_size
<< " and digest " << digest;
if (error != ErrorCode::OK) continue;
@ -1455,7 +1489,8 @@ TEST_P(SigningOperationsTest, EcdsaAllCurves) {
ErrorCode error = GenerateKey(AuthorizationSetBuilder()
.Authorization(TAG_NO_AUTH_REQUIRED)
.EcdsaSigningKey(curve)
.Digest(Digest::SHA_2_256));
.Digest(Digest::SHA_2_256)
.SetDefaultValidity());
EXPECT_EQ(ErrorCode::OK, error) << "Failed to generate ECDSA key with curve " << curve;
if (error != ErrorCode::OK) continue;
@ -1477,7 +1512,8 @@ TEST_P(SigningOperationsTest, EcdsaNoDigestHugeData) {
ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
.Authorization(TAG_NO_AUTH_REQUIRED)
.EcdsaSigningKey(256)
.Digest(Digest::NONE)));
.Digest(Digest::NONE)
.SetDefaultValidity()));
string message(1 * 1024, 'a');
SignMessage(message, AuthorizationSetBuilder().Digest(Digest::NONE));
}
@ -1493,7 +1529,8 @@ TEST_P(SigningOperationsTest, EcUseRequiresCorrectAppIdAppData) {
.EcdsaSigningKey(256)
.Digest(Digest::NONE)
.Authorization(TAG_APPLICATION_ID, "clientid")
.Authorization(TAG_APPLICATION_DATA, "appdata")));
.Authorization(TAG_APPLICATION_DATA, "appdata")
.SetDefaultValidity()));
EXPECT_EQ(ErrorCode::INVALID_KEY_BLOB,
Begin(KeyPurpose::SIGN, AuthorizationSetBuilder().Digest(Digest::NONE)));
AbortIfNeeded();
@ -1682,7 +1719,8 @@ TEST_P(VerificationOperationsTest, RsaSuccess) {
.Authorization(TAG_NO_AUTH_REQUIRED)
.RsaSigningKey(2048, 65537)
.Digest(Digest::NONE)
.Padding(PaddingMode::NONE)));
.Padding(PaddingMode::NONE)
.SetDefaultValidity()));
string message = "12345678901234567890123456789012";
string signature = SignMessage(
message, AuthorizationSetBuilder().Digest(Digest::NONE).Padding(PaddingMode::NONE));
@ -1702,7 +1740,8 @@ TEST_P(VerificationOperationsTest, RsaAllPaddingsAndDigests) {
.Digest(ValidDigests(true /* withNone */, true /* withMD5 */))
.Padding(PaddingMode::NONE)
.Padding(PaddingMode::RSA_PSS)
.Padding(PaddingMode::RSA_PKCS1_1_5_SIGN);
.Padding(PaddingMode::RSA_PKCS1_1_5_SIGN)
.SetDefaultValidity();
ASSERT_EQ(ErrorCode::OK, GenerateKey(authorizations));
@ -1799,7 +1838,8 @@ TEST_P(VerificationOperationsTest, EcdsaAllDigestsAndCurves) {
ErrorCode error = GenerateKey(AuthorizationSetBuilder()
.Authorization(TAG_NO_AUTH_REQUIRED)
.EcdsaSigningKey(curve)
.Digest(digests));
.Digest(digests)
.SetDefaultValidity());
EXPECT_EQ(ErrorCode::OK, error) << "Failed to generate key for EC curve " << curve;
if (error != ErrorCode::OK) {
continue;
@ -1962,7 +2002,8 @@ TEST_P(ImportKeyTest, RsaSuccess) {
.Authorization(TAG_NO_AUTH_REQUIRED)
.RsaSigningKey(1024, 65537)
.Digest(Digest::SHA_2_256)
.Padding(PaddingMode::RSA_PSS),
.Padding(PaddingMode::RSA_PSS)
.SetDefaultValidity(),
KeyFormat::PKCS8, rsa_key));
CheckCryptoParam(TAG_ALGORITHM, Algorithm::RSA);
@ -1989,7 +2030,8 @@ TEST_P(ImportKeyTest, RsaKeySizeMismatch) {
ImportKey(AuthorizationSetBuilder()
.RsaSigningKey(2048 /* Doesn't match key */, 65537)
.Digest(Digest::NONE)
.Padding(PaddingMode::NONE),
.Padding(PaddingMode::NONE)
.SetDefaultValidity(),
KeyFormat::PKCS8, rsa_key));
}
@ -2004,7 +2046,8 @@ TEST_P(ImportKeyTest, RsaPublicExponentMismatch) {
ImportKey(AuthorizationSetBuilder()
.RsaSigningKey(1024, 3 /* Doesn't match key */)
.Digest(Digest::NONE)
.Padding(PaddingMode::NONE),
.Padding(PaddingMode::NONE)
.SetDefaultValidity(),
KeyFormat::PKCS8, rsa_key));
}
@ -2017,7 +2060,8 @@ TEST_P(ImportKeyTest, EcdsaSuccess) {
ASSERT_EQ(ErrorCode::OK, ImportKey(AuthorizationSetBuilder()
.Authorization(TAG_NO_AUTH_REQUIRED)
.EcdsaSigningKey(256)
.Digest(Digest::SHA_2_256),
.Digest(Digest::SHA_2_256)
.SetDefaultValidity(),
KeyFormat::PKCS8, ec_256_key));
CheckCryptoParam(TAG_ALGORITHM, Algorithm::EC);
@ -2043,7 +2087,8 @@ TEST_P(ImportKeyTest, EcdsaP256RFC5915Success) {
ASSERT_EQ(ErrorCode::OK, ImportKey(AuthorizationSetBuilder()
.Authorization(TAG_NO_AUTH_REQUIRED)
.EcdsaSigningKey(256)
.Digest(Digest::SHA_2_256),
.Digest(Digest::SHA_2_256)
.SetDefaultValidity(),
KeyFormat::PKCS8, ec_256_key_rfc5915));
CheckCryptoParam(TAG_ALGORITHM, Algorithm::EC);
@ -2068,7 +2113,8 @@ TEST_P(ImportKeyTest, EcdsaP256SEC1Success) {
ASSERT_EQ(ErrorCode::OK, ImportKey(AuthorizationSetBuilder()
.Authorization(TAG_NO_AUTH_REQUIRED)
.EcdsaSigningKey(256)
.Digest(Digest::SHA_2_256),
.Digest(Digest::SHA_2_256)
.SetDefaultValidity(),
KeyFormat::PKCS8, ec_256_key_sec1));
CheckCryptoParam(TAG_ALGORITHM, Algorithm::EC);
@ -2094,7 +2140,8 @@ TEST_P(ImportKeyTest, Ecdsa521Success) {
ASSERT_EQ(ErrorCode::OK, ImportKey(AuthorizationSetBuilder()
.Authorization(TAG_NO_AUTH_REQUIRED)
.EcdsaSigningKey(521)
.Digest(Digest::SHA_2_256),
.Digest(Digest::SHA_2_256)
.SetDefaultValidity(),
KeyFormat::PKCS8, ec_521_key));
CheckCryptoParam(TAG_ALGORITHM, Algorithm::EC);
@ -2119,7 +2166,8 @@ TEST_P(ImportKeyTest, EcdsaSizeMismatch) {
ASSERT_EQ(ErrorCode::IMPORT_PARAMETER_MISMATCH,
ImportKey(AuthorizationSetBuilder()
.EcdsaSigningKey(224 /* Doesn't match key */)
.Digest(Digest::NONE),
.Digest(Digest::NONE)
.SetDefaultValidity(),
KeyFormat::PKCS8, ec_256_key));
}
@ -2133,7 +2181,8 @@ TEST_P(ImportKeyTest, EcdsaCurveMismatch) {
ASSERT_EQ(ErrorCode::IMPORT_PARAMETER_MISMATCH,
ImportKey(AuthorizationSetBuilder()
.EcdsaSigningKey(EcCurve::P_224 /* Doesn't match key */)
.Digest(Digest::NONE),
.Digest(Digest::NONE)
.SetDefaultValidity(),
KeyFormat::PKCS8, ec_256_key));
}
@ -2254,7 +2303,8 @@ TEST_P(ImportWrappedKeyTest, Success) {
.RsaEncryptionKey(2048, 65537)
.Digest(Digest::SHA_2_256)
.Padding(PaddingMode::RSA_OAEP)
.Authorization(TAG_PURPOSE, KeyPurpose::WRAP_KEY);
.Authorization(TAG_PURPOSE, KeyPurpose::WRAP_KEY)
.SetDefaultValidity();
ASSERT_EQ(ErrorCode::OK,
ImportWrappedKey(wrapped_key, wrapping_key, wrapping_key_desc, zero_masking_key,
@ -2274,7 +2324,8 @@ TEST_P(ImportWrappedKeyTest, SuccessMasked) {
.RsaEncryptionKey(2048, 65537)
.Digest(Digest::SHA_2_256)
.Padding(PaddingMode::RSA_OAEP)
.Authorization(TAG_PURPOSE, KeyPurpose::WRAP_KEY);
.Authorization(TAG_PURPOSE, KeyPurpose::WRAP_KEY)
.SetDefaultValidity();
ASSERT_EQ(ErrorCode::OK,
ImportWrappedKey(wrapped_key_masked, wrapping_key, wrapping_key_desc, masking_key,
@ -2288,7 +2339,8 @@ TEST_P(ImportWrappedKeyTest, WrongMask) {
.RsaEncryptionKey(2048, 65537)
.Digest(Digest::SHA_2_256)
.Padding(PaddingMode::RSA_OAEP)
.Authorization(TAG_PURPOSE, KeyPurpose::WRAP_KEY);
.Authorization(TAG_PURPOSE, KeyPurpose::WRAP_KEY)
.SetDefaultValidity();
ASSERT_EQ(
ErrorCode::VERIFICATION_FAILED,
@ -2302,7 +2354,8 @@ TEST_P(ImportWrappedKeyTest, WrongPurpose) {
auto wrapping_key_desc = AuthorizationSetBuilder()
.RsaEncryptionKey(2048, 65537)
.Digest(Digest::SHA_2_256)
.Padding(PaddingMode::RSA_OAEP);
.Padding(PaddingMode::RSA_OAEP)
.SetDefaultValidity();
ASSERT_EQ(
ErrorCode::INCOMPATIBLE_PURPOSE,
@ -2325,7 +2378,8 @@ TEST_P(EncryptionOperationsTest, RsaNoPaddingSuccess) {
ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
.Authorization(TAG_NO_AUTH_REQUIRED)
.RsaEncryptionKey(2048, 65537)
.Padding(PaddingMode::NONE)));
.Padding(PaddingMode::NONE)
.SetDefaultValidity()));
string message = string(2048 / 8, 'a');
auto params = AuthorizationSetBuilder().Padding(PaddingMode::NONE);
@ -2348,7 +2402,8 @@ TEST_P(EncryptionOperationsTest, RsaNoPaddingShortMessage) {
ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
.Authorization(TAG_NO_AUTH_REQUIRED)
.RsaEncryptionKey(2048, 65537)
.Padding(PaddingMode::NONE)));
.Padding(PaddingMode::NONE)
.SetDefaultValidity()));
string message = "1";
auto params = AuthorizationSetBuilder().Padding(PaddingMode::NONE);
@ -2377,7 +2432,8 @@ TEST_P(EncryptionOperationsTest, RsaNoPaddingTooLong) {
ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
.Authorization(TAG_NO_AUTH_REQUIRED)
.RsaEncryptionKey(2048, 65537)
.Padding(PaddingMode::NONE)));
.Padding(PaddingMode::NONE)
.SetDefaultValidity()));
string message(2048 / 8 + 1, 'a');
@ -2410,7 +2466,8 @@ TEST_P(EncryptionOperationsTest, RsaOaepSuccess) {
.Authorization(TAG_NO_AUTH_REQUIRED)
.RsaEncryptionKey(key_size, 65537)
.Padding(PaddingMode::RSA_OAEP)
.Digest(digests)));
.Digest(digests)
.SetDefaultValidity()));
string message = "Hello";
@ -2458,7 +2515,8 @@ TEST_P(EncryptionOperationsTest, RsaOaepInvalidDigest) {
.Authorization(TAG_NO_AUTH_REQUIRED)
.RsaEncryptionKey(2048, 65537)
.Padding(PaddingMode::RSA_OAEP)
.Digest(Digest::NONE)));
.Digest(Digest::NONE)
.SetDefaultValidity()));
string message = "Hello World!";
auto params = AuthorizationSetBuilder().Padding(PaddingMode::RSA_OAEP).Digest(Digest::NONE);
@ -2478,7 +2536,8 @@ TEST_P(EncryptionOperationsTest, RsaOaepDecryptWithWrongDigest) {
.Authorization(TAG_NO_AUTH_REQUIRED)
.RsaEncryptionKey(1024, 65537)
.Padding(PaddingMode::RSA_OAEP)
.Digest(Digest::SHA_2_224, Digest::SHA_2_256)));
.Digest(Digest::SHA_2_224, Digest::SHA_2_256)
.SetDefaultValidity()));
string message = "Hello World!";
string ciphertext = EncryptMessage(
message,
@ -2503,7 +2562,8 @@ TEST_P(EncryptionOperationsTest, RsaOaepTooLarge) {
.Authorization(TAG_NO_AUTH_REQUIRED)
.RsaEncryptionKey(2048, 65537)
.Padding(PaddingMode::RSA_OAEP)
.Digest(Digest::SHA_2_256)));
.Digest(Digest::SHA_2_256)
.SetDefaultValidity()));
constexpr size_t digest_size = 256 /* SHA_2_256 */ / 8;
constexpr size_t oaep_overhead = 2 * digest_size + 2;
string message(2048 / 8 - oaep_overhead + 1, 'a');
@ -2531,7 +2591,8 @@ TEST_P(EncryptionOperationsTest, RsaOaepWithMGFDigestSuccess) {
.Authorization(TAG_NO_AUTH_REQUIRED)
.RsaEncryptionKey(key_size, 65537)
.Padding(PaddingMode::RSA_OAEP)
.Digest(Digest::SHA_2_256)));
.Digest(Digest::SHA_2_256)
.SetDefaultValidity()));
string message = "Hello";
@ -2584,7 +2645,8 @@ TEST_P(EncryptionOperationsTest, RsaOaepWithMGFIncompatibleDigest) {
.Authorization(TAG_NO_AUTH_REQUIRED)
.RsaEncryptionKey(2048, 65537)
.Padding(PaddingMode::RSA_OAEP)
.Digest(Digest::SHA_2_256)));
.Digest(Digest::SHA_2_256)
.SetDefaultValidity()));
string message = "Hello World!";
auto params = AuthorizationSetBuilder()
@ -2607,7 +2669,8 @@ TEST_P(EncryptionOperationsTest, RsaOaepWithMGFUnsupportedDigest) {
.Authorization(TAG_NO_AUTH_REQUIRED)
.RsaEncryptionKey(2048, 65537)
.Padding(PaddingMode::RSA_OAEP)
.Digest(Digest::SHA_2_256)));
.Digest(Digest::SHA_2_256)
.SetDefaultValidity()));
string message = "Hello World!";
auto params = AuthorizationSetBuilder()
@ -2626,7 +2689,8 @@ TEST_P(EncryptionOperationsTest, RsaPkcs1Success) {
ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
.Authorization(TAG_NO_AUTH_REQUIRED)
.RsaEncryptionKey(2048, 65537)
.Padding(PaddingMode::RSA_PKCS1_1_5_ENCRYPT)));
.Padding(PaddingMode::RSA_PKCS1_1_5_ENCRYPT)
.SetDefaultValidity()));
string message = "Hello World!";
auto params = AuthorizationSetBuilder().Padding(PaddingMode::RSA_PKCS1_1_5_ENCRYPT);
@ -2665,7 +2729,8 @@ TEST_P(EncryptionOperationsTest, RsaPkcs1TooLarge) {
ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
.Authorization(TAG_NO_AUTH_REQUIRED)
.RsaEncryptionKey(2048, 65537)
.Padding(PaddingMode::RSA_PKCS1_1_5_ENCRYPT)));
.Padding(PaddingMode::RSA_PKCS1_1_5_ENCRYPT)
.SetDefaultValidity()));
string message(2048 / 8 - 10, 'a');
auto params = AuthorizationSetBuilder().Padding(PaddingMode::RSA_PKCS1_1_5_ENCRYPT);
@ -2685,7 +2750,8 @@ TEST_P(EncryptionOperationsTest, EcdsaEncrypt) {
ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
.Authorization(TAG_NO_AUTH_REQUIRED)
.EcdsaSigningKey(256)
.Digest(Digest::NONE)));
.Digest(Digest::NONE)
.SetDefaultValidity()));
auto params = AuthorizationSetBuilder().Digest(Digest::NONE);
ASSERT_EQ(ErrorCode::UNSUPPORTED_PURPOSE, Begin(KeyPurpose::ENCRYPT, params));
ASSERT_EQ(ErrorCode::UNSUPPORTED_PURPOSE, Begin(KeyPurpose::DECRYPT, params));
@ -4333,7 +4399,8 @@ TEST_P(MaxOperationsTest, TestLimitRsa) {
.Authorization(TAG_NO_AUTH_REQUIRED)
.RsaSigningKey(1024, 65537)
.NoDigestOrPadding()
.Authorization(TAG_MAX_USES_PER_BOOT, 3)));
.Authorization(TAG_MAX_USES_PER_BOOT, 3)
.SetDefaultValidity()));
string message = "1234567890123456";
@ -4452,7 +4519,8 @@ TEST_P(UsageCountLimitTest, TestSingleUseRsa) {
.Authorization(TAG_NO_AUTH_REQUIRED)
.RsaSigningKey(1024, 65537)
.NoDigestOrPadding()
.Authorization(TAG_USAGE_COUNT_LIMIT, 1)));
.Authorization(TAG_USAGE_COUNT_LIMIT, 1)
.SetDefaultValidity()));
// Check the usage count limit tag appears in the authorizations.
AuthorizationSet auths;
@ -4495,7 +4563,8 @@ TEST_P(UsageCountLimitTest, TestLimitUseRsa) {
.Authorization(TAG_NO_AUTH_REQUIRED)
.RsaSigningKey(1024, 65537)
.NoDigestOrPadding()
.Authorization(TAG_USAGE_COUNT_LIMIT, 3)));
.Authorization(TAG_USAGE_COUNT_LIMIT, 3)
.SetDefaultValidity()));
// Check the usage count limit tag appears in the authorizations.
AuthorizationSet auths;
@ -4704,7 +4773,8 @@ TEST_P(ClearOperationsTest, TooManyOperations) {
ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
.Authorization(TAG_NO_AUTH_REQUIRED)
.RsaEncryptionKey(2048, 65537)
.Padding(PaddingMode::NONE)));
.Padding(PaddingMode::NONE)
.SetDefaultValidity()));
auto params = AuthorizationSetBuilder().Padding(PaddingMode::NONE);
constexpr size_t max_operations = 100; // set to arbituary large number
@ -4835,7 +4905,8 @@ TEST_P(KeyAgreementTest, Ecdh) {
.Authorization(TAG_PURPOSE, KeyPurpose::AGREE_KEY)
.Authorization(TAG_ALGORITHM, Algorithm::EC)
.Authorization(TAG_ATTESTATION_APPLICATION_ID, {0x61, 0x62})
.Authorization(TAG_ATTESTATION_CHALLENGE, challenge)))
.Authorization(TAG_ATTESTATION_CHALLENGE, challenge)
.SetDefaultValidity()))
<< "Failed to generate key";
ASSERT_GT(cert_chain_.size(), 0);
X509_Ptr kmKeyCert(parse_cert_blob(cert_chain_[0].encodedCertificate));

8
security/keymint/support/authorization_set.cpp
View file

@ -243,4 +243,12 @@ AuthorizationSetBuilder& AuthorizationSetBuilder::Padding(
return *this;
}
AuthorizationSetBuilder& AuthorizationSetBuilder::SetDefaultValidity() {
// Per RFC 5280 4.1.2.5, an undefined expiration (not-after) field should be set to
// GeneralizedTime 999912312359559, which is 253402300799000 ms from Jan 1, 1970.
constexpr uint64_t kUndefinedExpirationDateTime = 253402300799000;
Authorization(TAG_CERTIFICATE_NOT_BEFORE, 0);
return Authorization(TAG_CERTIFICATE_NOT_AFTER, kUndefinedExpirationDateTime);
}
} // namespace aidl::android::hardware::security::keymint

2
security/keymint/support/include/keymint_support/authorization_set.h
View file

@ -300,6 +300,8 @@ class AuthorizationSetBuilder : public AuthorizationSet {
AuthorizationSetBuilder& Digest(std::vector<Digest> digests);
AuthorizationSetBuilder& Padding(std::initializer_list<PaddingMode> paddings);
AuthorizationSetBuilder& SetDefaultValidity();
AuthorizationSetBuilder& AttestationChallenge(const std::string& challenge) {
return Authorization(TAG_ATTESTATION_CHALLENGE, challenge);
}