Merge "Updated the vts attestation tests for strongbox implementations which do not support factory attestation."
This commit is contained in:
commit
950b7b8026
4 changed files with 246 additions and 102 deletions
|
@ -61,13 +61,15 @@ parcelable KeyCreationResult {
|
||||||
* the non-attestation case, whether the key can self-sign.
|
* the non-attestation case, whether the key can self-sign.
|
||||||
*
|
*
|
||||||
* 1. Asymmetric key attestation with factory key. If Tag::ATTESTATION_CHALLENGE is provided
|
* 1. Asymmetric key attestation with factory key. If Tag::ATTESTATION_CHALLENGE is provided
|
||||||
* and the `attestationKey` parameter on the generate/import call is null, the returned
|
* and the `attestationKey` parameter on the generate/import call is null, and if the
|
||||||
|
* KeyMint implementation supports factory-provisioned attestation keys, the returned
|
||||||
* certificate chain must contain an attestation certificate signed with a factory-
|
* certificate chain must contain an attestation certificate signed with a factory-
|
||||||
* provisioned attestation key, and the full certificate chain for that factory-provisioned
|
* provisioned attestation key, and the full certificate chain for that factory-provisioned
|
||||||
* attestation key. Tag::ATTESTATION_APPLICATION_ID must also be provided when the
|
* attestation key. Tag::ATTESTATION_APPLICATION_ID must also be provided when the
|
||||||
* ATTESTATION_CHALLENGE is provided, otherwise ATTESTATION_APPLICATION_ID_MISSING will be
|
* ATTESTATION_CHALLENGE is provided, otherwise ATTESTATION_APPLICATION_ID_MISSING will be
|
||||||
* returned. KeyMint implementations are not required to support factory-provisioned
|
* returned. KeyMint implementations are not required to support factory-provisioned
|
||||||
* attestation keys.
|
* attestation keys. If the KeyMint implementation does not support factory-provisioned
|
||||||
|
* keys, it must return ATTESTATION_KEYS_NOT_PROVISIONED.
|
||||||
*
|
*
|
||||||
* 2. Asymmetric key attestation with caller-provided key. If Tag::ATTESTATION_CHALLENGE is
|
* 2. Asymmetric key attestation with caller-provided key. If Tag::ATTESTATION_CHALLENGE is
|
||||||
* provided and the `attestationKey` parameter on the generate/import call is non-null and
|
* provided and the `attestationKey` parameter on the generate/import call is non-null and
|
||||||
|
|
|
@ -312,6 +312,30 @@ ErrorCode KeyMintAidlTestBase::GenerateKey(const AuthorizationSet& key_desc,
|
||||||
return GenerateKey(key_desc, attest_key, &key_blob_, &key_characteristics_, &cert_chain_);
|
return GenerateKey(key_desc, attest_key, &key_blob_, &key_characteristics_, &cert_chain_);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
ErrorCode KeyMintAidlTestBase::GenerateKeyWithSelfSignedAttestKey(
|
||||||
|
const AuthorizationSet& attest_key_desc, const AuthorizationSet& key_desc,
|
||||||
|
vector<uint8_t>* key_blob, vector<KeyCharacteristics>* key_characteristics,
|
||||||
|
vector<Certificate>* cert_chain) {
|
||||||
|
AttestationKey attest_key;
|
||||||
|
vector<Certificate> attest_cert_chain;
|
||||||
|
vector<KeyCharacteristics> attest_key_characteristics;
|
||||||
|
// Generate a key with self signed attestation.
|
||||||
|
auto error = GenerateKey(attest_key_desc, std::nullopt, &attest_key.keyBlob,
|
||||||
|
&attest_key_characteristics, &attest_cert_chain);
|
||||||
|
if (error != ErrorCode::OK) {
|
||||||
|
return error;
|
||||||
|
}
|
||||||
|
|
||||||
|
attest_key.issuerSubjectName = make_name_from_str("Android Keystore Key");
|
||||||
|
// Generate a key, by passing the above self signed attestation key as attest key.
|
||||||
|
error = GenerateKey(key_desc, attest_key, key_blob, key_characteristics, cert_chain);
|
||||||
|
if (error == ErrorCode::OK) {
|
||||||
|
// Append the attest_cert_chain to the attested cert_chain to yield a valid cert chain.
|
||||||
|
cert_chain->push_back(attest_cert_chain[0]);
|
||||||
|
}
|
||||||
|
return error;
|
||||||
|
}
|
||||||
|
|
||||||
ErrorCode KeyMintAidlTestBase::ImportKey(const AuthorizationSet& key_desc, KeyFormat format,
|
ErrorCode KeyMintAidlTestBase::ImportKey(const AuthorizationSet& key_desc, KeyFormat format,
|
||||||
const string& key_material, vector<uint8_t>* key_blob,
|
const string& key_material, vector<uint8_t>* key_blob,
|
||||||
vector<KeyCharacteristics>* key_characteristics) {
|
vector<KeyCharacteristics>* key_characteristics) {
|
||||||
|
|
|
@ -96,6 +96,21 @@ class KeyMintAidlTestBase : public ::testing::TestWithParam<string> {
|
||||||
ErrorCode GenerateKey(const AuthorizationSet& key_desc,
|
ErrorCode GenerateKey(const AuthorizationSet& key_desc,
|
||||||
const optional<AttestationKey>& attest_key = std::nullopt);
|
const optional<AttestationKey>& attest_key = std::nullopt);
|
||||||
|
|
||||||
|
// Generate key for implementations which do not support factory attestation.
|
||||||
|
ErrorCode GenerateKeyWithSelfSignedAttestKey(const AuthorizationSet& attest_key_desc,
|
||||||
|
const AuthorizationSet& key_desc,
|
||||||
|
vector<uint8_t>* key_blob,
|
||||||
|
vector<KeyCharacteristics>* key_characteristics,
|
||||||
|
vector<Certificate>* cert_chain);
|
||||||
|
|
||||||
|
ErrorCode GenerateKeyWithSelfSignedAttestKey(const AuthorizationSet& attest_key_desc,
|
||||||
|
const AuthorizationSet& key_desc,
|
||||||
|
vector<uint8_t>* key_blob,
|
||||||
|
vector<KeyCharacteristics>* key_characteristics) {
|
||||||
|
return GenerateKeyWithSelfSignedAttestKey(attest_key_desc, key_desc, key_blob,
|
||||||
|
key_characteristics, &cert_chain_);
|
||||||
|
}
|
||||||
|
|
||||||
ErrorCode ImportKey(const AuthorizationSet& key_desc, KeyFormat format,
|
ErrorCode ImportKey(const AuthorizationSet& key_desc, KeyFormat format,
|
||||||
const string& key_material, vector<uint8_t>* key_blob,
|
const string& key_material, vector<uint8_t>* key_blob,
|
||||||
vector<KeyCharacteristics>* key_characteristics);
|
vector<KeyCharacteristics>* key_characteristics);
|
||||||
|
|
|
@ -1067,22 +1067,30 @@ TEST_P(NewKeyGenerationTest, RsaWithAttestation) {
|
||||||
for (auto key_size : ValidKeySizes(Algorithm::RSA)) {
|
for (auto key_size : ValidKeySizes(Algorithm::RSA)) {
|
||||||
vector<uint8_t> key_blob;
|
vector<uint8_t> key_blob;
|
||||||
vector<KeyCharacteristics> key_characteristics;
|
vector<KeyCharacteristics> key_characteristics;
|
||||||
auto result = GenerateKey(AuthorizationSetBuilder()
|
auto builder = AuthorizationSetBuilder()
|
||||||
.RsaSigningKey(key_size, 65537)
|
.RsaSigningKey(key_size, 65537)
|
||||||
.Digest(Digest::NONE)
|
.Digest(Digest::NONE)
|
||||||
.Padding(PaddingMode::NONE)
|
.Padding(PaddingMode::NONE)
|
||||||
.AttestationChallenge(challenge)
|
.AttestationChallenge(challenge)
|
||||||
.AttestationApplicationId(app_id)
|
.AttestationApplicationId(app_id)
|
||||||
.Authorization(TAG_NO_AUTH_REQUIRED)
|
.Authorization(TAG_NO_AUTH_REQUIRED)
|
||||||
.Authorization(TAG_CERTIFICATE_SERIAL, serial_blob)
|
.Authorization(TAG_CERTIFICATE_SERIAL, serial_blob)
|
||||||
.Authorization(TAG_CERTIFICATE_SUBJECT, subject_der)
|
.Authorization(TAG_CERTIFICATE_SUBJECT, subject_der)
|
||||||
.SetDefaultValidity(),
|
.SetDefaultValidity();
|
||||||
&key_blob, &key_characteristics);
|
|
||||||
|
auto result = GenerateKey(builder, &key_blob, &key_characteristics);
|
||||||
// Strongbox may not support factory provisioned attestation key.
|
// Strongbox may not support factory provisioned attestation key.
|
||||||
if (SecLevel() == SecurityLevel::STRONGBOX) {
|
if (SecLevel() == SecurityLevel::STRONGBOX) {
|
||||||
if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) return;
|
if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) {
|
||||||
|
result = GenerateKeyWithSelfSignedAttestKey(
|
||||||
|
AuthorizationSetBuilder()
|
||||||
|
.RsaKey(key_size, 65537)
|
||||||
|
.AttestKey()
|
||||||
|
.SetDefaultValidity(), /* attest key params */
|
||||||
|
builder, &key_blob, &key_characteristics);
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
ASSERT_EQ(ErrorCode::OK, result);
|
||||||
ASSERT_GT(key_blob.size(), 0U);
|
ASSERT_GT(key_blob.size(), 0U);
|
||||||
CheckBaseParams(key_characteristics);
|
CheckBaseParams(key_characteristics);
|
||||||
CheckCharacteristics(key_blob, key_characteristics);
|
CheckCharacteristics(key_blob, key_characteristics);
|
||||||
|
@ -1203,19 +1211,27 @@ TEST_P(NewKeyGenerationTest, RsaEncryptionWithAttestation) {
|
||||||
|
|
||||||
vector<uint8_t> key_blob;
|
vector<uint8_t> key_blob;
|
||||||
vector<KeyCharacteristics> key_characteristics;
|
vector<KeyCharacteristics> key_characteristics;
|
||||||
auto result = GenerateKey(AuthorizationSetBuilder()
|
auto builder = AuthorizationSetBuilder()
|
||||||
.RsaEncryptionKey(key_size, 65537)
|
.RsaEncryptionKey(key_size, 65537)
|
||||||
.Padding(PaddingMode::NONE)
|
.Padding(PaddingMode::NONE)
|
||||||
.AttestationChallenge(challenge)
|
.AttestationChallenge(challenge)
|
||||||
.AttestationApplicationId(app_id)
|
.AttestationApplicationId(app_id)
|
||||||
.Authorization(TAG_NO_AUTH_REQUIRED)
|
.Authorization(TAG_NO_AUTH_REQUIRED)
|
||||||
.Authorization(TAG_CERTIFICATE_SERIAL, serial_blob)
|
.Authorization(TAG_CERTIFICATE_SERIAL, serial_blob)
|
||||||
.Authorization(TAG_CERTIFICATE_SUBJECT, subject_der)
|
.Authorization(TAG_CERTIFICATE_SUBJECT, subject_der)
|
||||||
.SetDefaultValidity(),
|
.SetDefaultValidity();
|
||||||
&key_blob, &key_characteristics);
|
|
||||||
|
auto result = GenerateKey(builder, &key_blob, &key_characteristics);
|
||||||
// Strongbox may not support factory provisioned attestation key.
|
// Strongbox may not support factory provisioned attestation key.
|
||||||
if (SecLevel() == SecurityLevel::STRONGBOX) {
|
if (SecLevel() == SecurityLevel::STRONGBOX) {
|
||||||
if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) return;
|
if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) {
|
||||||
|
result = GenerateKeyWithSelfSignedAttestKey(
|
||||||
|
AuthorizationSetBuilder()
|
||||||
|
.RsaKey(key_size, 65537)
|
||||||
|
.AttestKey()
|
||||||
|
.SetDefaultValidity(), /* attest key params */
|
||||||
|
builder, &key_blob, &key_characteristics);
|
||||||
|
}
|
||||||
}
|
}
|
||||||
ASSERT_EQ(ErrorCode::OK, result);
|
ASSERT_EQ(ErrorCode::OK, result);
|
||||||
|
|
||||||
|
@ -1319,17 +1335,25 @@ TEST_P(NewKeyGenerationTest, RsaWithAttestationMissAppId) {
|
||||||
vector<uint8_t> key_blob;
|
vector<uint8_t> key_blob;
|
||||||
vector<KeyCharacteristics> key_characteristics;
|
vector<KeyCharacteristics> key_characteristics;
|
||||||
|
|
||||||
auto result = GenerateKey(AuthorizationSetBuilder()
|
auto builder = AuthorizationSetBuilder()
|
||||||
.RsaSigningKey(2048, 65537)
|
.RsaSigningKey(2048, 65537)
|
||||||
.Digest(Digest::NONE)
|
.Digest(Digest::NONE)
|
||||||
.Padding(PaddingMode::NONE)
|
.Padding(PaddingMode::NONE)
|
||||||
.AttestationChallenge(challenge)
|
.AttestationChallenge(challenge)
|
||||||
.Authorization(TAG_NO_AUTH_REQUIRED)
|
.Authorization(TAG_NO_AUTH_REQUIRED)
|
||||||
.SetDefaultValidity(),
|
.SetDefaultValidity();
|
||||||
&key_blob, &key_characteristics);
|
|
||||||
|
auto result = GenerateKey(builder, &key_blob, &key_characteristics);
|
||||||
// Strongbox may not support factory provisioned attestation key.
|
// Strongbox may not support factory provisioned attestation key.
|
||||||
if (SecLevel() == SecurityLevel::STRONGBOX) {
|
if (SecLevel() == SecurityLevel::STRONGBOX) {
|
||||||
if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) return;
|
if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) {
|
||||||
|
result = GenerateKeyWithSelfSignedAttestKey(
|
||||||
|
AuthorizationSetBuilder()
|
||||||
|
.RsaKey(2048, 65537)
|
||||||
|
.AttestKey()
|
||||||
|
.SetDefaultValidity(), /* attest key params */
|
||||||
|
builder, &key_blob, &key_characteristics);
|
||||||
|
}
|
||||||
}
|
}
|
||||||
ASSERT_EQ(ErrorCode::ATTESTATION_APPLICATION_ID_MISSING, result);
|
ASSERT_EQ(ErrorCode::ATTESTATION_APPLICATION_ID_MISSING, result);
|
||||||
}
|
}
|
||||||
|
@ -1441,21 +1465,29 @@ TEST_P(NewKeyGenerationTest, LimitedUsageRsaWithAttestation) {
|
||||||
for (auto key_size : ValidKeySizes(Algorithm::RSA)) {
|
for (auto key_size : ValidKeySizes(Algorithm::RSA)) {
|
||||||
vector<uint8_t> key_blob;
|
vector<uint8_t> key_blob;
|
||||||
vector<KeyCharacteristics> key_characteristics;
|
vector<KeyCharacteristics> key_characteristics;
|
||||||
auto result = GenerateKey(AuthorizationSetBuilder()
|
auto builder = AuthorizationSetBuilder()
|
||||||
.RsaSigningKey(key_size, 65537)
|
.RsaSigningKey(key_size, 65537)
|
||||||
.Digest(Digest::NONE)
|
.Digest(Digest::NONE)
|
||||||
.Padding(PaddingMode::NONE)
|
.Padding(PaddingMode::NONE)
|
||||||
.AttestationChallenge(challenge)
|
.AttestationChallenge(challenge)
|
||||||
.AttestationApplicationId(app_id)
|
.AttestationApplicationId(app_id)
|
||||||
.Authorization(TAG_NO_AUTH_REQUIRED)
|
.Authorization(TAG_NO_AUTH_REQUIRED)
|
||||||
.Authorization(TAG_USAGE_COUNT_LIMIT, 1)
|
.Authorization(TAG_USAGE_COUNT_LIMIT, 1)
|
||||||
.Authorization(TAG_CERTIFICATE_SERIAL, serial_blob)
|
.Authorization(TAG_CERTIFICATE_SERIAL, serial_blob)
|
||||||
.Authorization(TAG_CERTIFICATE_SUBJECT, subject_der)
|
.Authorization(TAG_CERTIFICATE_SUBJECT, subject_der)
|
||||||
.SetDefaultValidity(),
|
.SetDefaultValidity();
|
||||||
&key_blob, &key_characteristics);
|
|
||||||
|
auto result = GenerateKey(builder, &key_blob, &key_characteristics);
|
||||||
// Strongbox may not support factory provisioned attestation key.
|
// Strongbox may not support factory provisioned attestation key.
|
||||||
if (SecLevel() == SecurityLevel::STRONGBOX) {
|
if (SecLevel() == SecurityLevel::STRONGBOX) {
|
||||||
if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) return;
|
if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) {
|
||||||
|
result = GenerateKeyWithSelfSignedAttestKey(
|
||||||
|
AuthorizationSetBuilder()
|
||||||
|
.RsaKey(key_size, 65537)
|
||||||
|
.AttestKey()
|
||||||
|
.SetDefaultValidity(), /* attest key params */
|
||||||
|
builder, &key_blob, &key_characteristics);
|
||||||
|
}
|
||||||
}
|
}
|
||||||
ASSERT_EQ(ErrorCode::OK, result);
|
ASSERT_EQ(ErrorCode::OK, result);
|
||||||
|
|
||||||
|
@ -1676,19 +1708,27 @@ TEST_P(NewKeyGenerationTest, EcdsaAttestation) {
|
||||||
for (auto curve : ValidCurves()) {
|
for (auto curve : ValidCurves()) {
|
||||||
vector<uint8_t> key_blob;
|
vector<uint8_t> key_blob;
|
||||||
vector<KeyCharacteristics> key_characteristics;
|
vector<KeyCharacteristics> key_characteristics;
|
||||||
auto result = GenerateKey(AuthorizationSetBuilder()
|
auto builder = AuthorizationSetBuilder()
|
||||||
.Authorization(TAG_NO_AUTH_REQUIRED)
|
.Authorization(TAG_NO_AUTH_REQUIRED)
|
||||||
.EcdsaSigningKey(curve)
|
.EcdsaSigningKey(curve)
|
||||||
.Digest(Digest::NONE)
|
.Digest(Digest::NONE)
|
||||||
.AttestationChallenge(challenge)
|
.AttestationChallenge(challenge)
|
||||||
.AttestationApplicationId(app_id)
|
.AttestationApplicationId(app_id)
|
||||||
.Authorization(TAG_CERTIFICATE_SERIAL, serial_blob)
|
.Authorization(TAG_CERTIFICATE_SERIAL, serial_blob)
|
||||||
.Authorization(TAG_CERTIFICATE_SUBJECT, subject_der)
|
.Authorization(TAG_CERTIFICATE_SUBJECT, subject_der)
|
||||||
.SetDefaultValidity(),
|
.SetDefaultValidity();
|
||||||
&key_blob, &key_characteristics);
|
|
||||||
|
auto result = GenerateKey(builder, &key_blob, &key_characteristics);
|
||||||
// Strongbox may not support factory provisioned attestation key.
|
// Strongbox may not support factory provisioned attestation key.
|
||||||
if (SecLevel() == SecurityLevel::STRONGBOX) {
|
if (SecLevel() == SecurityLevel::STRONGBOX) {
|
||||||
if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) return;
|
if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) {
|
||||||
|
result = GenerateKeyWithSelfSignedAttestKey(
|
||||||
|
AuthorizationSetBuilder()
|
||||||
|
.EcdsaKey(curve)
|
||||||
|
.AttestKey()
|
||||||
|
.SetDefaultValidity(), /* attest key params */
|
||||||
|
builder, &key_blob, &key_characteristics);
|
||||||
|
}
|
||||||
}
|
}
|
||||||
ASSERT_EQ(ErrorCode::OK, result);
|
ASSERT_EQ(ErrorCode::OK, result);
|
||||||
ASSERT_GT(key_blob.size(), 0U);
|
ASSERT_GT(key_blob.size(), 0U);
|
||||||
|
@ -1826,7 +1866,14 @@ TEST_P(NewKeyGenerationTest, EcdsaAttestationTags) {
|
||||||
}
|
}
|
||||||
// Strongbox may not support factory provisioned attestation key.
|
// Strongbox may not support factory provisioned attestation key.
|
||||||
if (SecLevel() == SecurityLevel::STRONGBOX) {
|
if (SecLevel() == SecurityLevel::STRONGBOX) {
|
||||||
if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) return;
|
if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) {
|
||||||
|
result = GenerateKeyWithSelfSignedAttestKey(
|
||||||
|
AuthorizationSetBuilder()
|
||||||
|
.EcdsaKey(EcCurve::P_256)
|
||||||
|
.AttestKey()
|
||||||
|
.SetDefaultValidity(), /* attest key params */
|
||||||
|
builder, &key_blob, &key_characteristics);
|
||||||
|
}
|
||||||
}
|
}
|
||||||
ASSERT_EQ(result, ErrorCode::OK);
|
ASSERT_EQ(result, ErrorCode::OK);
|
||||||
ASSERT_GT(key_blob.size(), 0U);
|
ASSERT_GT(key_blob.size(), 0U);
|
||||||
|
@ -1878,8 +1925,20 @@ TEST_P(NewKeyGenerationTest, EcdsaAttestationTags) {
|
||||||
.Authorization(TAG_CERTIFICATE_SUBJECT, subject_der)
|
.Authorization(TAG_CERTIFICATE_SUBJECT, subject_der)
|
||||||
.SetDefaultValidity();
|
.SetDefaultValidity();
|
||||||
builder.push_back(tag);
|
builder.push_back(tag);
|
||||||
ASSERT_EQ(ErrorCode::CANNOT_ATTEST_IDS,
|
|
||||||
GenerateKey(builder, &key_blob, &key_characteristics));
|
auto error = GenerateKey(builder, &key_blob, &key_characteristics);
|
||||||
|
// Strongbox may not support factory provisioned attestation key.
|
||||||
|
if (SecLevel() == SecurityLevel::STRONGBOX) {
|
||||||
|
if (error == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) {
|
||||||
|
error = GenerateKeyWithSelfSignedAttestKey(
|
||||||
|
AuthorizationSetBuilder()
|
||||||
|
.EcdsaKey(EcCurve::P_256)
|
||||||
|
.AttestKey()
|
||||||
|
.SetDefaultValidity(), /* attest key params */
|
||||||
|
builder, &key_blob, &key_characteristics);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
ASSERT_EQ(error, ErrorCode::CANNOT_ATTEST_IDS);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -1984,8 +2043,18 @@ TEST_P(NewKeyGenerationTest, EcdsaAttestationUniqueId) {
|
||||||
if (reset) {
|
if (reset) {
|
||||||
builder.Authorization(TAG_RESET_SINCE_ID_ROTATION);
|
builder.Authorization(TAG_RESET_SINCE_ID_ROTATION);
|
||||||
}
|
}
|
||||||
|
auto result = GenerateKey(builder);
|
||||||
ASSERT_EQ(ErrorCode::OK, GenerateKey(builder));
|
if (SecLevel() == SecurityLevel::STRONGBOX) {
|
||||||
|
if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) {
|
||||||
|
result = GenerateKeyWithSelfSignedAttestKey(
|
||||||
|
AuthorizationSetBuilder()
|
||||||
|
.EcdsaKey(EcCurve::P_256)
|
||||||
|
.AttestKey()
|
||||||
|
.SetDefaultValidity(), /* attest key params */
|
||||||
|
builder, &key_blob_, &key_characteristics_, &cert_chain_);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
ASSERT_EQ(ErrorCode::OK, result);
|
||||||
ASSERT_GT(key_blob_.size(), 0U);
|
ASSERT_GT(key_blob_.size(), 0U);
|
||||||
|
|
||||||
EXPECT_TRUE(ChainSignaturesAreValid(cert_chain_));
|
EXPECT_TRUE(ChainSignaturesAreValid(cert_chain_));
|
||||||
|
@ -2072,21 +2141,29 @@ TEST_P(NewKeyGenerationTest, EcdsaAttestationTagNoApplicationId) {
|
||||||
// to confirm that this field never makes it into the attestation extension.
|
// to confirm that this field never makes it into the attestation extension.
|
||||||
vector<uint8_t> key_blob;
|
vector<uint8_t> key_blob;
|
||||||
vector<KeyCharacteristics> key_characteristics;
|
vector<KeyCharacteristics> key_characteristics;
|
||||||
auto result = GenerateKey(AuthorizationSetBuilder()
|
auto builder = AuthorizationSetBuilder()
|
||||||
.Authorization(TAG_NO_AUTH_REQUIRED)
|
.Authorization(TAG_NO_AUTH_REQUIRED)
|
||||||
.EcdsaSigningKey(EcCurve::P_256)
|
.EcdsaSigningKey(EcCurve::P_256)
|
||||||
.Digest(Digest::NONE)
|
.Digest(Digest::NONE)
|
||||||
.AttestationChallenge(challenge)
|
.AttestationChallenge(challenge)
|
||||||
.AttestationApplicationId(attest_app_id)
|
.AttestationApplicationId(attest_app_id)
|
||||||
.Authorization(TAG_APPLICATION_ID, "client_id")
|
.Authorization(TAG_APPLICATION_ID, "client_id")
|
||||||
.Authorization(TAG_APPLICATION_DATA, "appdata")
|
.Authorization(TAG_APPLICATION_DATA, "appdata")
|
||||||
.Authorization(TAG_CERTIFICATE_SERIAL, serial_blob)
|
.Authorization(TAG_CERTIFICATE_SERIAL, serial_blob)
|
||||||
.Authorization(TAG_CERTIFICATE_SUBJECT, subject_der)
|
.Authorization(TAG_CERTIFICATE_SUBJECT, subject_der)
|
||||||
.SetDefaultValidity(),
|
.SetDefaultValidity();
|
||||||
&key_blob, &key_characteristics);
|
|
||||||
|
auto result = GenerateKey(builder, &key_blob, &key_characteristics);
|
||||||
// Strongbox may not support factory provisioned attestation key.
|
// Strongbox may not support factory provisioned attestation key.
|
||||||
if (SecLevel() == SecurityLevel::STRONGBOX) {
|
if (SecLevel() == SecurityLevel::STRONGBOX) {
|
||||||
if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) return;
|
if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) {
|
||||||
|
result = GenerateKeyWithSelfSignedAttestKey(
|
||||||
|
AuthorizationSetBuilder()
|
||||||
|
.EcdsaKey(EcCurve::P_256)
|
||||||
|
.AttestKey()
|
||||||
|
.SetDefaultValidity(), /* attest key params */
|
||||||
|
builder, &key_blob, &key_characteristics);
|
||||||
|
}
|
||||||
}
|
}
|
||||||
ASSERT_EQ(result, ErrorCode::OK);
|
ASSERT_EQ(result, ErrorCode::OK);
|
||||||
ASSERT_GT(key_blob.size(), 0U);
|
ASSERT_GT(key_blob.size(), 0U);
|
||||||
|
@ -2166,16 +2243,23 @@ TEST_P(NewKeyGenerationTest, EcdsaAttestationRequireAppId) {
|
||||||
auto challenge = "hello";
|
auto challenge = "hello";
|
||||||
vector<uint8_t> key_blob;
|
vector<uint8_t> key_blob;
|
||||||
vector<KeyCharacteristics> key_characteristics;
|
vector<KeyCharacteristics> key_characteristics;
|
||||||
|
auto builder = AuthorizationSetBuilder()
|
||||||
|
.EcdsaSigningKey(EcCurve::P_256)
|
||||||
|
.Digest(Digest::NONE)
|
||||||
|
.AttestationChallenge(challenge)
|
||||||
|
.SetDefaultValidity();
|
||||||
|
|
||||||
auto result = GenerateKey(AuthorizationSetBuilder()
|
auto result = GenerateKey(builder, &key_blob, &key_characteristics);
|
||||||
.EcdsaSigningKey(EcCurve::P_256)
|
|
||||||
.Digest(Digest::NONE)
|
|
||||||
.AttestationChallenge(challenge)
|
|
||||||
.SetDefaultValidity(),
|
|
||||||
&key_blob, &key_characteristics);
|
|
||||||
// Strongbox may not support factory provisioned attestation key.
|
// Strongbox may not support factory provisioned attestation key.
|
||||||
if (SecLevel() == SecurityLevel::STRONGBOX) {
|
if (SecLevel() == SecurityLevel::STRONGBOX) {
|
||||||
if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) return;
|
if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) {
|
||||||
|
result = GenerateKeyWithSelfSignedAttestKey(
|
||||||
|
AuthorizationSetBuilder()
|
||||||
|
.EcdsaKey(EcCurve::P_256)
|
||||||
|
.AttestKey()
|
||||||
|
.SetDefaultValidity(), /* attest key params */
|
||||||
|
builder, &key_blob, &key_characteristics);
|
||||||
|
}
|
||||||
}
|
}
|
||||||
ASSERT_EQ(ErrorCode::ATTESTATION_APPLICATION_ID_MISSING, result);
|
ASSERT_EQ(ErrorCode::ATTESTATION_APPLICATION_ID_MISSING, result);
|
||||||
}
|
}
|
||||||
|
@ -2234,17 +2318,25 @@ TEST_P(NewKeyGenerationTest, AttestationApplicationIDLengthProperlyEncoded) {
|
||||||
const string app_id(length, 'a');
|
const string app_id(length, 'a');
|
||||||
vector<uint8_t> key_blob;
|
vector<uint8_t> key_blob;
|
||||||
vector<KeyCharacteristics> key_characteristics;
|
vector<KeyCharacteristics> key_characteristics;
|
||||||
auto result = GenerateKey(AuthorizationSetBuilder()
|
auto builder = AuthorizationSetBuilder()
|
||||||
.Authorization(TAG_NO_AUTH_REQUIRED)
|
.Authorization(TAG_NO_AUTH_REQUIRED)
|
||||||
.EcdsaSigningKey(EcCurve::P_256)
|
.EcdsaSigningKey(EcCurve::P_256)
|
||||||
.Digest(Digest::NONE)
|
.Digest(Digest::NONE)
|
||||||
.AttestationChallenge(challenge)
|
.AttestationChallenge(challenge)
|
||||||
.AttestationApplicationId(app_id)
|
.AttestationApplicationId(app_id)
|
||||||
.SetDefaultValidity(),
|
.SetDefaultValidity();
|
||||||
&key_blob, &key_characteristics);
|
|
||||||
|
auto result = GenerateKey(builder, &key_blob, &key_characteristics);
|
||||||
// Strongbox may not support factory provisioned attestation key.
|
// Strongbox may not support factory provisioned attestation key.
|
||||||
if (SecLevel() == SecurityLevel::STRONGBOX) {
|
if (SecLevel() == SecurityLevel::STRONGBOX) {
|
||||||
if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) return;
|
if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) {
|
||||||
|
result = GenerateKeyWithSelfSignedAttestKey(
|
||||||
|
AuthorizationSetBuilder()
|
||||||
|
.EcdsaKey(EcCurve::P_256)
|
||||||
|
.AttestKey()
|
||||||
|
.SetDefaultValidity(), /* attest key params */
|
||||||
|
builder, &key_blob, &key_characteristics);
|
||||||
|
}
|
||||||
}
|
}
|
||||||
ASSERT_EQ(ErrorCode::OK, result);
|
ASSERT_EQ(ErrorCode::OK, result);
|
||||||
ASSERT_GT(key_blob.size(), 0U);
|
ASSERT_GT(key_blob.size(), 0U);
|
||||||
|
@ -7384,15 +7476,26 @@ class KeyAgreementTest : public KeyMintAidlTestBase {
|
||||||
|
|
||||||
void GenerateKeyMintEcKey(EcCurve curve, EVP_PKEY_Ptr* kmPubKey) {
|
void GenerateKeyMintEcKey(EcCurve curve, EVP_PKEY_Ptr* kmPubKey) {
|
||||||
vector<uint8_t> challenge = {0x41, 0x42};
|
vector<uint8_t> challenge = {0x41, 0x42};
|
||||||
ErrorCode result =
|
auto builder = AuthorizationSetBuilder()
|
||||||
GenerateKey(AuthorizationSetBuilder()
|
.Authorization(TAG_NO_AUTH_REQUIRED)
|
||||||
.Authorization(TAG_NO_AUTH_REQUIRED)
|
.Authorization(TAG_EC_CURVE, curve)
|
||||||
.Authorization(TAG_EC_CURVE, curve)
|
.Authorization(TAG_PURPOSE, KeyPurpose::AGREE_KEY)
|
||||||
.Authorization(TAG_PURPOSE, KeyPurpose::AGREE_KEY)
|
.Authorization(TAG_ALGORITHM, Algorithm::EC)
|
||||||
.Authorization(TAG_ALGORITHM, Algorithm::EC)
|
.Authorization(TAG_ATTESTATION_APPLICATION_ID, {0x61, 0x62})
|
||||||
.Authorization(TAG_ATTESTATION_APPLICATION_ID, {0x61, 0x62})
|
.Authorization(TAG_ATTESTATION_CHALLENGE, challenge)
|
||||||
.Authorization(TAG_ATTESTATION_CHALLENGE, challenge)
|
.SetDefaultValidity();
|
||||||
.SetDefaultValidity());
|
ErrorCode result = GenerateKey(builder);
|
||||||
|
|
||||||
|
if (SecLevel() == SecurityLevel::STRONGBOX) {
|
||||||
|
if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) {
|
||||||
|
result = GenerateKeyWithSelfSignedAttestKey(
|
||||||
|
AuthorizationSetBuilder()
|
||||||
|
.EcdsaKey(EcCurve::P_256)
|
||||||
|
.AttestKey()
|
||||||
|
.SetDefaultValidity(), /* attest key params */
|
||||||
|
builder, &key_blob_, &key_characteristics_, &cert_chain_);
|
||||||
|
}
|
||||||
|
}
|
||||||
ASSERT_EQ(ErrorCode::OK, result) << "Failed to generate key";
|
ASSERT_EQ(ErrorCode::OK, result) << "Failed to generate key";
|
||||||
ASSERT_GT(cert_chain_.size(), 0);
|
ASSERT_GT(cert_chain_.size(), 0);
|
||||||
X509_Ptr kmKeyCert(parse_cert_blob(cert_chain_[0].encodedCertificate));
|
X509_Ptr kmKeyCert(parse_cert_blob(cert_chain_[0].encodedCertificate));
|
||||||
|
|
Loading…
Reference in a new issue