From c93c439ad3c7553badc21e9e9f6dc10e5b13b970 Mon Sep 17 00:00:00 2001
From: Tommy Chiu
Date: Tue, 11 May 2021 18:36:50 +0800
Subject: [PATCH] KeyMint vts: Correct the EC curve parameter and some return code

Strongbox doens't support p-224. Change the curve to p-256 for better compatibility. Also update the tags to be filtered on the hw-enforcement list.
Change-Id: I3f587c5471ca68b88a565ee9ec2e27d1e9e11b17
---
 .../hardware/security/keymint/IKeyMintDevice.aidl | 9 +++++----
 security/keymint/aidl/vts/functional/AttestKeyTest.cpp | 8 ++++----
 .../aidl/vts/functional/KeyMintAidlTestBase.cpp | 8 ++++----
 security/keymint/aidl/vts/functional/KeyMintTest.cpp | 10 +++++-----
 4 files changed, 18 insertions(+), 17 deletions(-)

diff --git a/security/keymint/aidl/android/hardware/security/keymint/IKeyMintDevice.aidl b/security/keymint/aidl/android/hardware/security/keymint/IKeyMintDevice.aidl
index b6af8138c0..9cc795d582 100644
--- a/security/keymint/aidl/android/hardware/security/keymint/IKeyMintDevice.aidl
+++ b/security/keymint/aidl/android/hardware/security/keymint/IKeyMintDevice.aidl
@@ -318,10 +318,11 @@ interface IKeyMintDevice {
 * @param attestationKey, if provided, specifies the key that must be used to sign the
 * attestation certificate. If `keyParams` does not contain a Tag::ATTESTATION_CHALLENGE
 * but `attestationKey` is non-null, the IKeyMintDevice must return
- * ErrorCode::INVALID_ARGUMENT. If the provided AttestationKey does not contain a key
- * blob containing an asymmetric key with KeyPurpose::ATTEST_KEY, the IKeyMintDevice must
- * return ErrorCode::INCOMPATIBLE_PURPOSE. If the provided AttestationKey has an empty
- * issuer subject name, the IKeyMintDevice must return ErrorCode::INVALID_ARGUMENT.
+ * ErrorCode::ATTESTATION_CHALLENGE_MISSING. If the provided AttestationKey does not
+ * contain a key blob containing an asymmetric key with KeyPurpose::ATTEST_KEY, the
+ * IKeyMintDevice must return ErrorCode::INCOMPATIBLE_PURPOSE. If the provided
+ * AttestationKey has an empty issuer subject name, the IKeyMintDevice must return
+ * ErrorCode::INVALID_ARGUMENT.
 *
 * If `attestationKey` is null and `keyParams` contains Tag::ATTESTATION_CHALLENGE but
 * the KeyMint implementation does not have factory-provisioned attestation keys, it must
diff --git a/security/keymint/aidl/vts/functional/AttestKeyTest.cpp b/security/keymint/aidl/vts/functional/AttestKeyTest.cpp
index 881354d41d..e4a877c0cb 100644
--- a/security/keymint/aidl/vts/functional/AttestKeyTest.cpp
+++ b/security/keymint/aidl/vts/functional/AttestKeyTest.cpp
@@ -361,7 +361,7 @@ TEST_P(AttestKeyTest, EcAttestKeyChaining) {
 EXPECT_EQ(ErrorCode::OK,
 GenerateKey(AuthorizationSetBuilder()
- .EcdsaSigningKey(224)
+ .EcdsaSigningKey(EcCurve::P_256)
 .AttestKey()
 .AttestationChallenge("foo")
 .AttestationApplicationId("bar")
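Review bot: The reason for replacing `.EcdsaSigningKey(224)` with `.EcdsaSigningKey(EcCurve::P_256)` in EcAttestKeyChaining is recorded only in the commit message, so a later reader of the test cannot tell that the curve was chosen for StrongBox compatibility rather than arbitrarily. I would add a comment above the GenerateKey call, for example `// P-256, not P-224: StrongBox implementations do not support P-224.` The same applies to the matching change in AlternateAttestKeyChaining (hunk at -435). Both test bodies start and end outside their hunks.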
@@ -435,7 +435,7 @@ TEST_P(AttestKeyTest, AlternateAttestKeyChaining) {
 if ((i & 0x1) == 1) {
 EXPECT_EQ(ErrorCode::OK,
 GenerateKey(AuthorizationSetBuilder()
- .EcdsaSigningKey(224)
+ .EcdsaSigningKey(EcCurve::P_256)
 .AttestKey()
 .AttestationChallenge("foo")
 .AttestationApplicationId("bar")
@@ -513,7 +513,7 @@ TEST_P(AttestKeyTest, MissingChallenge) {
 vector attested_key_blob;
 vector attested_key_characteristics;
 vector attested_key_cert_chain;
- EXPECT_EQ(ErrorCode::INVALID_ARGUMENT,
+ EXPECT_EQ(ErrorCode::ATTESTATION_CHALLENGE_MISSING,
 GenerateKey(AuthorizationSetBuilder()
 .RsaSigningKey(2048, 65537)
 .Authorization(TAG_NO_AUTH_REQUIRED)
@@ -522,7 +522,7 @@ TEST_P(AttestKeyTest, MissingChallenge) {
 attest_key, &attested_key_blob, &attested_key_characteristics, &attested_key_cert_chain));
- EXPECT_EQ(ErrorCode::INVALID_ARGUMENT,
+ EXPECT_EQ(ErrorCode::ATTESTATION_CHALLENGE_MISSING,
 GenerateKey(AuthorizationSetBuilder()
 .EcdsaSigningKey(EcCurve::P_256)
 .Authorization(TAG_NO_AUTH_REQUIRED)
diff --git a/security/keymint/aidl/vts/functional/KeyMintAidlTestBase.cpp b/security/keymint/aidl/vts/functional/KeyMintAidlTestBase.cpp
index 47892042e7..675e01d54f 100644
--- a/security/keymint/aidl/vts/functional/KeyMintAidlTestBase.cpp
+++ b/security/keymint/aidl/vts/functional/KeyMintAidlTestBase.cpp
@@ -119,10 +119,10 @@ char nibble2hex[16] = {'0', '1', '2', '3', '4', '5', '6', '7',
 // Attestations don't contain everything in key authorization lists, so we need to filter the key
 // lists to produce the lists that we expect to match the attestations.
 auto kTagsToFilter = {
- Tag::CREATION_DATETIME, //
- Tag::EC_CURVE,
- Tag::HARDWARE_TYPE,
- Tag::INCLUDE_UNIQUE_ID,
+ Tag::CREATION_DATETIME,
+ Tag::EC_CURVE,
+ Tag::HARDWARE_TYPE,
+ Tag::INCLUDE_UNIQUE_ID,
 };
 AuthorizationSet filtered_tags(const AuthorizationSet& set) {
diff --git a/security/keymint/aidl/vts/functional/KeyMintTest.cpp b/security/keymint/aidl/vts/functional/KeyMintTest.cpp
index cd7d603a09..5775f8b78c 100644
--- a/security/keymint/aidl/vts/functional/KeyMintTest.cpp
+++ b/security/keymint/aidl/vts/functional/KeyMintTest.cpp
@@ -2261,11 +2261,11 @@ TEST_P(SigningOperationsTest, RsaNonUniqueParams) {
 .Padding(PaddingMode::NONE)
 .Padding(PaddingMode::RSA_PKCS1_1_5_SIGN)));
- ASSERT_EQ(ErrorCode::UNSUPPORTED_DIGEST,
- Begin(KeyPurpose::SIGN, AuthorizationSetBuilder()
- .Digest(Digest::NONE)
- .Digest(Digest::SHA1)
- .Padding(PaddingMode::RSA_PKCS1_1_5_SIGN)));
+ auto result = Begin(KeyPurpose::SIGN, AuthorizationSetBuilder()
+ .Digest(Digest::NONE)
+ .Digest(Digest::SHA1)
+ .Padding(PaddingMode::RSA_PKCS1_1_5_SIGN));
+ ASSERT_TRUE(result == ErrorCode::UNSUPPORTED_DIGEST || result == ErrorCode::INVALID_ARGUMENT);
 ASSERT_EQ(ErrorCode::UNSUPPORTED_DIGEST,
 Begin(KeyPurpose::SIGN,
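Review bot: The new `ASSERT_TRUE(result == ErrorCode::UNSUPPORTED_DIGEST || result == ErrorCode::INVALID_ARGUMENT)` in RsaNonUniqueParams reports only that the expression was false when it fails, so the error code the device actually returned is lost, whereas the replaced `ASSERT_EQ` printed it. Streaming the value keeps the diagnostic: `ASSERT_TRUE(result == ErrorCode::UNSUPPORTED_DIGEST || result == ErrorCode::INVALID_ARGUMENT) << "unexpected error code: " << static_cast<int>(result);`. A one-line comment saying why two codes are accepted for a duplicated digest would also help, since the neighbouring assertions still pin a single code. The test body starts and ends outside the hunk.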