tequilaOS/platform_hardware_interfaces
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Merge "Updated the vts attestation tests for strongbox implementations which do not support factory attestation."

Browse source
This commit is contained in:
Treehugger Robot 2022-03-24 16:35:47 +00:00 committed by Gerrit Code Review
commit 950b7b8026
4 changed files with 246 additions and 102 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

6
security/keymint/aidl/android/hardware/security/keymint/KeyCreationResult.aidl
View file

@ -61,13 +61,15 @@ parcelable KeyCreationResult {
* the non-attestation case, whether the key can self-sign.
*
* 1. Asymmetric key attestation with factory key. If Tag::ATTESTATION_CHALLENGE is provided
* and the `attestationKey` parameter on the generate/import call is null, the returned
* and the `attestationKey` parameter on the generate/import call is null, and if the
* KeyMint implementation supports factory-provisioned attestation keys, the returned
* certificate chain must contain an attestation certificate signed with a factory-
* provisioned attestation key, and the full certificate chain for that factory-provisioned
* attestation key. Tag::ATTESTATION_APPLICATION_ID must also be provided when the
* ATTESTATION_CHALLENGE is provided, otherwise ATTESTATION_APPLICATION_ID_MISSING will be
* returned. KeyMint implementations are not required to support factory-provisioned
* attestation keys.
* attestation keys. If the KeyMint implementation does not support factory-provisioned
* keys, it must return ATTESTATION_KEYS_NOT_PROVISIONED.
*
* 2. Asymmetric key attestation with caller-provided key. If Tag::ATTESTATION_CHALLENGE is
* provided and the `attestationKey` parameter on the generate/import call is non-null and

24
security/keymint/aidl/vts/functional/KeyMintAidlTestBase.cpp
View file

@ -312,6 +312,30 @@ ErrorCode KeyMintAidlTestBase::GenerateKey(const AuthorizationSet& key_desc,
return GenerateKey(key_desc, attest_key, &key_blob_, &key_characteristics_, &cert_chain_);
}
ErrorCode KeyMintAidlTestBase::GenerateKeyWithSelfSignedAttestKey(
const AuthorizationSet& attest_key_desc, const AuthorizationSet& key_desc,
vector<uint8_t>* key_blob, vector<KeyCharacteristics>* key_characteristics,
vector<Certificate>* cert_chain) {
AttestationKey attest_key;
vector<Certificate> attest_cert_chain;
vector<KeyCharacteristics> attest_key_characteristics;
// Generate a key with self signed attestation.
auto error = GenerateKey(attest_key_desc, std::nullopt, &attest_key.keyBlob,
&attest_key_characteristics, &attest_cert_chain);
if (error != ErrorCode::OK) {
return error;
}
attest_key.issuerSubjectName = make_name_from_str("Android Keystore Key");
// Generate a key, by passing the above self signed attestation key as attest key.
error = GenerateKey(key_desc, attest_key, key_blob, key_characteristics, cert_chain);
if (error == ErrorCode::OK) {
// Append the attest_cert_chain to the attested cert_chain to yield a valid cert chain.
cert_chain->push_back(attest_cert_chain[0]);
}
return error;
}
ErrorCode KeyMintAidlTestBase::ImportKey(const AuthorizationSet& key_desc, KeyFormat format,
const string& key_material, vector<uint8_t>* key_blob,
vector<KeyCharacteristics>* key_characteristics) {

15
security/keymint/aidl/vts/functional/KeyMintAidlTestBase.h
View file

@ -96,6 +96,21 @@ class KeyMintAidlTestBase : public ::testing::TestWithParam<string> {
ErrorCode GenerateKey(const AuthorizationSet& key_desc,
const optional<AttestationKey>& attest_key = std::nullopt);
// Generate key for implementations which do not support factory attestation.
ErrorCode GenerateKeyWithSelfSignedAttestKey(const AuthorizationSet& attest_key_desc,
const AuthorizationSet& key_desc,
vector<uint8_t>* key_blob,
vector<KeyCharacteristics>* key_characteristics,
vector<Certificate>* cert_chain);
ErrorCode GenerateKeyWithSelfSignedAttestKey(const AuthorizationSet& attest_key_desc,
const AuthorizationSet& key_desc,
vector<uint8_t>* key_blob,
vector<KeyCharacteristics>* key_characteristics) {
return GenerateKeyWithSelfSignedAttestKey(attest_key_desc, key_desc, key_blob,
key_characteristics, &cert_chain_);
}
ErrorCode ImportKey(const AuthorizationSet& key_desc, KeyFormat format,
const string& key_material, vector<uint8_t>* key_blob,
vector<KeyCharacteristics>* key_characteristics);

187
security/keymint/aidl/vts/functional/KeyMintTest.cpp
View file

@ -1067,7 +1067,7 @@ TEST_P(NewKeyGenerationTest, RsaWithAttestation) {
for (auto key_size : ValidKeySizes(Algorithm::RSA)) {
vector<uint8_t> key_blob;
vector<KeyCharacteristics> key_characteristics;
auto result = GenerateKey(AuthorizationSetBuilder()
auto builder = AuthorizationSetBuilder()
.RsaSigningKey(key_size, 65537)
.Digest(Digest::NONE)
.Padding(PaddingMode::NONE)
@ -1076,13 +1076,21 @@ TEST_P(NewKeyGenerationTest, RsaWithAttestation) {
.Authorization(TAG_NO_AUTH_REQUIRED)
.Authorization(TAG_CERTIFICATE_SERIAL, serial_blob)
.Authorization(TAG_CERTIFICATE_SUBJECT, subject_der)
.SetDefaultValidity(),
&key_blob, &key_characteristics);
.SetDefaultValidity();
auto result = GenerateKey(builder, &key_blob, &key_characteristics);
// Strongbox may not support factory provisioned attestation key.
if (SecLevel() == SecurityLevel::STRONGBOX) {
if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) return;
if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) {
result = GenerateKeyWithSelfSignedAttestKey(
AuthorizationSetBuilder()
.RsaKey(key_size, 65537)
.AttestKey()
.SetDefaultValidity(), /* attest key params */
builder, &key_blob, &key_characteristics);
}
}
ASSERT_EQ(ErrorCode::OK, result);
ASSERT_GT(key_blob.size(), 0U);
CheckBaseParams(key_characteristics);
CheckCharacteristics(key_blob, key_characteristics);
@ -1203,7 +1211,7 @@ TEST_P(NewKeyGenerationTest, RsaEncryptionWithAttestation) {
vector<uint8_t> key_blob;
vector<KeyCharacteristics> key_characteristics;
auto result = GenerateKey(AuthorizationSetBuilder()
auto builder = AuthorizationSetBuilder()
.RsaEncryptionKey(key_size, 65537)
.Padding(PaddingMode::NONE)
.AttestationChallenge(challenge)
@ -1211,11 +1219,19 @@ TEST_P(NewKeyGenerationTest, RsaEncryptionWithAttestation) {
.Authorization(TAG_NO_AUTH_REQUIRED)
.Authorization(TAG_CERTIFICATE_SERIAL, serial_blob)
.Authorization(TAG_CERTIFICATE_SUBJECT, subject_der)
.SetDefaultValidity(),
&key_blob, &key_characteristics);
.SetDefaultValidity();
auto result = GenerateKey(builder, &key_blob, &key_characteristics);
// Strongbox may not support factory provisioned attestation key.
if (SecLevel() == SecurityLevel::STRONGBOX) {
if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) return;
if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) {
result = GenerateKeyWithSelfSignedAttestKey(
AuthorizationSetBuilder()
.RsaKey(key_size, 65537)
.AttestKey()
.SetDefaultValidity(), /* attest key params */
builder, &key_blob, &key_characteristics);
}
}
ASSERT_EQ(ErrorCode::OK, result);
@ -1319,17 +1335,25 @@ TEST_P(NewKeyGenerationTest, RsaWithAttestationMissAppId) {
vector<uint8_t> key_blob;
vector<KeyCharacteristics> key_characteristics;
auto result = GenerateKey(AuthorizationSetBuilder()
auto builder = AuthorizationSetBuilder()
.RsaSigningKey(2048, 65537)
.Digest(Digest::NONE)
.Padding(PaddingMode::NONE)
.AttestationChallenge(challenge)
.Authorization(TAG_NO_AUTH_REQUIRED)
.SetDefaultValidity(),
&key_blob, &key_characteristics);
.SetDefaultValidity();
auto result = GenerateKey(builder, &key_blob, &key_characteristics);
// Strongbox may not support factory provisioned attestation key.
if (SecLevel() == SecurityLevel::STRONGBOX) {
if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) return;
if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) {
result = GenerateKeyWithSelfSignedAttestKey(
AuthorizationSetBuilder()
.RsaKey(2048, 65537)
.AttestKey()
.SetDefaultValidity(), /* attest key params */
builder, &key_blob, &key_characteristics);
}
}
ASSERT_EQ(ErrorCode::ATTESTATION_APPLICATION_ID_MISSING, result);
}
@ -1441,7 +1465,7 @@ TEST_P(NewKeyGenerationTest, LimitedUsageRsaWithAttestation) {
for (auto key_size : ValidKeySizes(Algorithm::RSA)) {
vector<uint8_t> key_blob;
vector<KeyCharacteristics> key_characteristics;
auto result = GenerateKey(AuthorizationSetBuilder()
auto builder = AuthorizationSetBuilder()
.RsaSigningKey(key_size, 65537)
.Digest(Digest::NONE)
.Padding(PaddingMode::NONE)
@ -1451,11 +1475,19 @@ TEST_P(NewKeyGenerationTest, LimitedUsageRsaWithAttestation) {
.Authorization(TAG_USAGE_COUNT_LIMIT, 1)
.Authorization(TAG_CERTIFICATE_SERIAL, serial_blob)
.Authorization(TAG_CERTIFICATE_SUBJECT, subject_der)
.SetDefaultValidity(),
&key_blob, &key_characteristics);
.SetDefaultValidity();
auto result = GenerateKey(builder, &key_blob, &key_characteristics);
// Strongbox may not support factory provisioned attestation key.
if (SecLevel() == SecurityLevel::STRONGBOX) {
if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) return;
if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) {
result = GenerateKeyWithSelfSignedAttestKey(
AuthorizationSetBuilder()
.RsaKey(key_size, 65537)
.AttestKey()
.SetDefaultValidity(), /* attest key params */
builder, &key_blob, &key_characteristics);
}
}
ASSERT_EQ(ErrorCode::OK, result);
@ -1676,7 +1708,7 @@ TEST_P(NewKeyGenerationTest, EcdsaAttestation) {
for (auto curve : ValidCurves()) {
vector<uint8_t> key_blob;
vector<KeyCharacteristics> key_characteristics;
auto result = GenerateKey(AuthorizationSetBuilder()
auto builder = AuthorizationSetBuilder()
.Authorization(TAG_NO_AUTH_REQUIRED)
.EcdsaSigningKey(curve)
.Digest(Digest::NONE)
@ -1684,11 +1716,19 @@ TEST_P(NewKeyGenerationTest, EcdsaAttestation) {
.AttestationApplicationId(app_id)
.Authorization(TAG_CERTIFICATE_SERIAL, serial_blob)
.Authorization(TAG_CERTIFICATE_SUBJECT, subject_der)
.SetDefaultValidity(),
&key_blob, &key_characteristics);
.SetDefaultValidity();
auto result = GenerateKey(builder, &key_blob, &key_characteristics);
// Strongbox may not support factory provisioned attestation key.
if (SecLevel() == SecurityLevel::STRONGBOX) {
if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) return;
if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) {
result = GenerateKeyWithSelfSignedAttestKey(
AuthorizationSetBuilder()
.EcdsaKey(curve)
.AttestKey()
.SetDefaultValidity(), /* attest key params */
builder, &key_blob, &key_characteristics);
}
}
ASSERT_EQ(ErrorCode::OK, result);
ASSERT_GT(key_blob.size(), 0U);
@ -1826,7 +1866,14 @@ TEST_P(NewKeyGenerationTest, EcdsaAttestationTags) {
}
// Strongbox may not support factory provisioned attestation key.
if (SecLevel() == SecurityLevel::STRONGBOX) {
if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) return;
if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) {
result = GenerateKeyWithSelfSignedAttestKey(
AuthorizationSetBuilder()
.EcdsaKey(EcCurve::P_256)
.AttestKey()
.SetDefaultValidity(), /* attest key params */
builder, &key_blob, &key_characteristics);
}
}
ASSERT_EQ(result, ErrorCode::OK);
ASSERT_GT(key_blob.size(), 0U);
@ -1878,8 +1925,20 @@ TEST_P(NewKeyGenerationTest, EcdsaAttestationTags) {
.Authorization(TAG_CERTIFICATE_SUBJECT, subject_der)
.SetDefaultValidity();
builder.push_back(tag);
ASSERT_EQ(ErrorCode::CANNOT_ATTEST_IDS,
GenerateKey(builder, &key_blob, &key_characteristics));
auto error = GenerateKey(builder, &key_blob, &key_characteristics);
// Strongbox may not support factory provisioned attestation key.
if (SecLevel() == SecurityLevel::STRONGBOX) {
if (error == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) {
error = GenerateKeyWithSelfSignedAttestKey(
AuthorizationSetBuilder()
.EcdsaKey(EcCurve::P_256)
.AttestKey()
.SetDefaultValidity(), /* attest key params */
builder, &key_blob, &key_characteristics);
}
}
ASSERT_EQ(error, ErrorCode::CANNOT_ATTEST_IDS);
}
}
@ -1984,8 +2043,18 @@ TEST_P(NewKeyGenerationTest, EcdsaAttestationUniqueId) {
if (reset) {
builder.Authorization(TAG_RESET_SINCE_ID_ROTATION);
}
ASSERT_EQ(ErrorCode::OK, GenerateKey(builder));
auto result = GenerateKey(builder);
if (SecLevel() == SecurityLevel::STRONGBOX) {
if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) {
result = GenerateKeyWithSelfSignedAttestKey(
AuthorizationSetBuilder()
.EcdsaKey(EcCurve::P_256)
.AttestKey()
.SetDefaultValidity(), /* attest key params */
builder, &key_blob_, &key_characteristics_, &cert_chain_);
}
}
ASSERT_EQ(ErrorCode::OK, result);
ASSERT_GT(key_blob_.size(), 0U);
EXPECT_TRUE(ChainSignaturesAreValid(cert_chain_));
@ -2072,7 +2141,7 @@ TEST_P(NewKeyGenerationTest, EcdsaAttestationTagNoApplicationId) {
// to confirm that this field never makes it into the attestation extension.
vector<uint8_t> key_blob;
vector<KeyCharacteristics> key_characteristics;
auto result = GenerateKey(AuthorizationSetBuilder()
auto builder = AuthorizationSetBuilder()
.Authorization(TAG_NO_AUTH_REQUIRED)
.EcdsaSigningKey(EcCurve::P_256)
.Digest(Digest::NONE)
@ -2082,11 +2151,19 @@ TEST_P(NewKeyGenerationTest, EcdsaAttestationTagNoApplicationId) {
.Authorization(TAG_APPLICATION_DATA, "appdata")
.Authorization(TAG_CERTIFICATE_SERIAL, serial_blob)
.Authorization(TAG_CERTIFICATE_SUBJECT, subject_der)
.SetDefaultValidity(),
&key_blob, &key_characteristics);
.SetDefaultValidity();
auto result = GenerateKey(builder, &key_blob, &key_characteristics);
// Strongbox may not support factory provisioned attestation key.
if (SecLevel() == SecurityLevel::STRONGBOX) {
if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) return;
if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) {
result = GenerateKeyWithSelfSignedAttestKey(
AuthorizationSetBuilder()
.EcdsaKey(EcCurve::P_256)
.AttestKey()
.SetDefaultValidity(), /* attest key params */
builder, &key_blob, &key_characteristics);
}
}
ASSERT_EQ(result, ErrorCode::OK);
ASSERT_GT(key_blob.size(), 0U);
@ -2166,16 +2243,23 @@ TEST_P(NewKeyGenerationTest, EcdsaAttestationRequireAppId) {
auto challenge = "hello";
vector<uint8_t> key_blob;
vector<KeyCharacteristics> key_characteristics;
auto result = GenerateKey(AuthorizationSetBuilder()
auto builder = AuthorizationSetBuilder()
.EcdsaSigningKey(EcCurve::P_256)
.Digest(Digest::NONE)
.AttestationChallenge(challenge)
.SetDefaultValidity(),
&key_blob, &key_characteristics);
.SetDefaultValidity();
auto result = GenerateKey(builder, &key_blob, &key_characteristics);
// Strongbox may not support factory provisioned attestation key.
if (SecLevel() == SecurityLevel::STRONGBOX) {
if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) return;
if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) {
result = GenerateKeyWithSelfSignedAttestKey(
AuthorizationSetBuilder()
.EcdsaKey(EcCurve::P_256)
.AttestKey()
.SetDefaultValidity(), /* attest key params */
builder, &key_blob, &key_characteristics);
}
}
ASSERT_EQ(ErrorCode::ATTESTATION_APPLICATION_ID_MISSING, result);
}
@ -2234,17 +2318,25 @@ TEST_P(NewKeyGenerationTest, AttestationApplicationIDLengthProperlyEncoded) {
const string app_id(length, 'a');
vector<uint8_t> key_blob;
vector<KeyCharacteristics> key_characteristics;
auto result = GenerateKey(AuthorizationSetBuilder()
auto builder = AuthorizationSetBuilder()
.Authorization(TAG_NO_AUTH_REQUIRED)
.EcdsaSigningKey(EcCurve::P_256)
.Digest(Digest::NONE)
.AttestationChallenge(challenge)
.AttestationApplicationId(app_id)
.SetDefaultValidity(),
&key_blob, &key_characteristics);
.SetDefaultValidity();
auto result = GenerateKey(builder, &key_blob, &key_characteristics);
// Strongbox may not support factory provisioned attestation key.
if (SecLevel() == SecurityLevel::STRONGBOX) {
if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) return;
if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) {
result = GenerateKeyWithSelfSignedAttestKey(
AuthorizationSetBuilder()
.EcdsaKey(EcCurve::P_256)
.AttestKey()
.SetDefaultValidity(), /* attest key params */
builder, &key_blob, &key_characteristics);
}
}
ASSERT_EQ(ErrorCode::OK, result);
ASSERT_GT(key_blob.size(), 0U);
@ -7384,15 +7476,26 @@ class KeyAgreementTest : public KeyMintAidlTestBase {
void GenerateKeyMintEcKey(EcCurve curve, EVP_PKEY_Ptr* kmPubKey) {
vector<uint8_t> challenge = {0x41, 0x42};
ErrorCode result =
GenerateKey(AuthorizationSetBuilder()
auto builder = AuthorizationSetBuilder()
.Authorization(TAG_NO_AUTH_REQUIRED)
.Authorization(TAG_EC_CURVE, curve)
.Authorization(TAG_PURPOSE, KeyPurpose::AGREE_KEY)
.Authorization(TAG_ALGORITHM, Algorithm::EC)
.Authorization(TAG_ATTESTATION_APPLICATION_ID, {0x61, 0x62})
.Authorization(TAG_ATTESTATION_CHALLENGE, challenge)
.SetDefaultValidity());
.SetDefaultValidity();
ErrorCode result = GenerateKey(builder);
if (SecLevel() == SecurityLevel::STRONGBOX) {
if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) {
result = GenerateKeyWithSelfSignedAttestKey(
AuthorizationSetBuilder()
.EcdsaKey(EcCurve::P_256)
.AttestKey()
.SetDefaultValidity(), /* attest key params */
builder, &key_blob_, &key_characteristics_, &cert_chain_);
}
}
ASSERT_EQ(ErrorCode::OK, result) << "Failed to generate key";
ASSERT_GT(cert_chain_.size(), 0);
X509_Ptr kmKeyCert(parse_cert_blob(cert_chain_[0].encodedCertificate));