KeyMint vts: Correct the EC curve parameter and some return code

Strongbox doens't support p-224. Change the curve to p-256 for better
compatibility.
Also update the tags to be filtered on the hw-enforcement list.

Change-Id: I3f587c5471ca68b88a565ee9ec2e27d1e9e11b17

security/keymint/aidl/android/hardware/security/keymint/IKeyMintDevice.aidl

@@ -318,10 +318,11 @@ interface IKeyMintDevice {
      * @param attestationKey, if provided, specifies the key that must be used to sign the
      *        attestation certificate.  If `keyParams` does not contain a Tag::ATTESTATION_CHALLENGE
      *        but `attestationKey` is non-null, the IKeyMintDevice must return
-     *        ErrorCode::INVALID_ARGUMENT.  If the provided AttestationKey does not contain a key
-     *        blob containing an asymmetric key with KeyPurpose::ATTEST_KEY, the IKeyMintDevice must
-     *        return ErrorCode::INCOMPATIBLE_PURPOSE.  If the provided AttestationKey has an empty
-     *        issuer subject name, the IKeyMintDevice must return ErrorCode::INVALID_ARGUMENT.
+     *        ErrorCode::ATTESTATION_CHALLENGE_MISSING. If the provided AttestationKey does not
+     *        contain a key blob containing an asymmetric key with KeyPurpose::ATTEST_KEY, the
+     *        IKeyMintDevice must return ErrorCode::INCOMPATIBLE_PURPOSE.  If the provided
+     *        AttestationKey has an empty issuer subject name, the IKeyMintDevice must return
+     *        ErrorCode::INVALID_ARGUMENT.
      *
      *        If `attestationKey` is null and `keyParams` contains Tag::ATTESTATION_CHALLENGE but
      *        the KeyMint implementation does not have factory-provisioned attestation keys, it must

security/keymint/aidl/vts/functional/AttestKeyTest.cpp

@@ -361,7 +361,7 @@ TEST_P(AttestKeyTest, EcAttestKeyChaining) {
 
         EXPECT_EQ(ErrorCode::OK,
                   GenerateKey(AuthorizationSetBuilder()
-                                      .EcdsaSigningKey(224)
+                                      .EcdsaSigningKey(EcCurve::P_256)
                                       .AttestKey()
                                       .AttestationChallenge("foo")
                                       .AttestationApplicationId("bar")
@@ -435,7 +435,7 @@ TEST_P(AttestKeyTest, AlternateAttestKeyChaining) {
         if ((i & 0x1) == 1) {
             EXPECT_EQ(ErrorCode::OK,
                       GenerateKey(AuthorizationSetBuilder()
-                                          .EcdsaSigningKey(224)
+                                          .EcdsaSigningKey(EcCurve::P_256)
                                           .AttestKey()
                                           .AttestationChallenge("foo")
                                           .AttestationApplicationId("bar")
@@ -513,7 +513,7 @@ TEST_P(AttestKeyTest, MissingChallenge) {
         vector<uint8_t> attested_key_blob;
         vector<KeyCharacteristics> attested_key_characteristics;
         vector<Certificate> attested_key_cert_chain;
-        EXPECT_EQ(ErrorCode::INVALID_ARGUMENT,
+        EXPECT_EQ(ErrorCode::ATTESTATION_CHALLENGE_MISSING,
                   GenerateKey(AuthorizationSetBuilder()
                                       .RsaSigningKey(2048, 65537)
                                       .Authorization(TAG_NO_AUTH_REQUIRED)
@@ -522,7 +522,7 @@ TEST_P(AttestKeyTest, MissingChallenge) {
                               attest_key, &attested_key_blob, &attested_key_characteristics,
                               &attested_key_cert_chain));
 
-        EXPECT_EQ(ErrorCode::INVALID_ARGUMENT,
+        EXPECT_EQ(ErrorCode::ATTESTATION_CHALLENGE_MISSING,
                   GenerateKey(AuthorizationSetBuilder()
                                       .EcdsaSigningKey(EcCurve::P_256)
                                       .Authorization(TAG_NO_AUTH_REQUIRED)

security/keymint/aidl/vts/functional/KeyMintAidlTestBase.cpp

@@ -119,10 +119,10 @@ char nibble2hex[16] = {'0', '1', '2', '3', '4', '5', '6', '7',
 // Attestations don't contain everything in key authorization lists, so we need to filter the key
 // lists to produce the lists that we expect to match the attestations.
 auto kTagsToFilter = {
-        Tag::CREATION_DATETIME,        //
-        Tag::EC_CURVE,
-        Tag::HARDWARE_TYPE,
-        Tag::INCLUDE_UNIQUE_ID,
+    Tag::CREATION_DATETIME,
+    Tag::EC_CURVE,
+    Tag::HARDWARE_TYPE,
+    Tag::INCLUDE_UNIQUE_ID,
 };
 
 AuthorizationSet filtered_tags(const AuthorizationSet& set) {

security/keymint/aidl/vts/functional/KeyMintTest.cpp

@@ -2261,11 +2261,11 @@ TEST_P(SigningOperationsTest, RsaNonUniqueParams) {
                                               .Padding(PaddingMode::NONE)
                                               .Padding(PaddingMode::RSA_PKCS1_1_5_SIGN)));
 
-    ASSERT_EQ(ErrorCode::UNSUPPORTED_DIGEST,
-              Begin(KeyPurpose::SIGN, AuthorizationSetBuilder()
-                                              .Digest(Digest::NONE)
-                                              .Digest(Digest::SHA1)
-                                              .Padding(PaddingMode::RSA_PKCS1_1_5_SIGN)));
+    auto result = Begin(KeyPurpose::SIGN, AuthorizationSetBuilder()
+                                                  .Digest(Digest::NONE)
+                                                  .Digest(Digest::SHA1)
+                                                  .Padding(PaddingMode::RSA_PKCS1_1_5_SIGN));
+    ASSERT_TRUE(result == ErrorCode::UNSUPPORTED_DIGEST || result == ErrorCode::INVALID_ARGUMENT);
 
     ASSERT_EQ(ErrorCode::UNSUPPORTED_DIGEST,
               Begin(KeyPurpose::SIGN,