From 7d9bc46f6f26586492f368a877b339eee56f7ffb Mon Sep 17 00:00:00 2001 From: subrahmanyaman Date: Wed, 16 Mar 2022 01:40:39 +0000 Subject: [PATCH] Updated the vts attestation tests for strongbox implementations which do not support factory attestation. Bug: b/219962281 Test: Run vts tests. Change-Id: Ie3f3f33f773227d879e11f11e2ef0eaee33db648 --- .../security/keymint/KeyCreationResult.aidl | 6 +- .../vts/functional/KeyMintAidlTestBase.cpp | 24 ++ .../aidl/vts/functional/KeyMintAidlTestBase.h | 15 + .../aidl/vts/functional/KeyMintTest.cpp | 303 ++++++++++++------ 4 files changed, 246 insertions(+), 102 deletions(-) diff --git a/security/keymint/aidl/android/hardware/security/keymint/KeyCreationResult.aidl b/security/keymint/aidl/android/hardware/security/keymint/KeyCreationResult.aidl index 16bbc5c569..3fe79c5e4e 100644 --- a/security/keymint/aidl/android/hardware/security/keymint/KeyCreationResult.aidl +++ b/security/keymint/aidl/android/hardware/security/keymint/KeyCreationResult.aidl 
@@ -61,13 +61,15 @@ parcelable KeyCreationResult { * the non-attestation case, whether the key can self-sign. * * 1. Asymmetric key attestation with factory key. If Tag::ATTESTATION_CHALLENGE is provided - * and the `attestationKey` parameter on the generate/import call is null, the returned + * and the `attestationKey` parameter on the generate/import call is null, and if the + * KeyMint implementation supports factory-provisioned attestation keys, the returned * certificate chain must contain an attestation certificate signed with a factory- * provisioned attestation key, and the full certificate chain for that factory-provisioned * attestation key. Tag::ATTESTATION_APPLICATION_ID must also be provided when the * ATTESTATION_CHALLENGE is provided, otherwise ATTESTATION_APPLICATION_ID_MISSING will be * returned. KeyMint implementations are not required to support factory-provisioned - * attestation keys. + * attestation keys. If the KeyMint implementation does not support factory-provisioned + * keys, it must return ATTESTATION_KEYS_NOT_PROVISIONED. * * 2. Asymmetric key attestation with caller-provided key. If Tag::ATTESTATION_CHALLENGE is * provided and the `attestationKey` parameter on the generate/import call is non-null and diff --git a/security/keymint/aidl/vts/functional/KeyMintAidlTestBase.cpp b/security/keymint/aidl/vts/functional/KeyMintAidlTestBase.cpp index 4ab989bcbc..f9510d3071 100644 --- a/security/keymint/aidl/vts/functional/KeyMintAidlTestBase.cpp +++ b/security/keymint/aidl/vts/functional/KeyMintAidlTestBase.cpp 
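Review bot: The new sentence `If the KeyMint implementation does not support factory-provisioned keys, it must return ATTESTATION_KEYS_NOT_PROVISIONED.` fixes the error code but says nothing about its precedence against the other checks in the same paragraph, and the tests updated in this patch (RsaWithAttestationMissAppId, EcdsaAttestationRequireAppId) only pass if that error may come back before ATTESTATION_APPLICATION_ID_MISSING is detected. If that ordering is intended, state it, e.g. `This error may be returned before the request's other attestation parameters are validated, so callers must not infer from it that the request was otherwise well-formed.` The paragraph is also inconsistent in naming ("factory-provisioned attestation keys" in the first sentence, "factory-provisioned keys" in the new one); use the former in both. This comment block continues outside the hunk.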
@@ -312,6 +312,30 @@ ErrorCode KeyMintAidlTestBase::GenerateKey(const AuthorizationSet& key_desc, return GenerateKey(key_desc, attest_key, &key_blob_, &key_characteristics_, &cert_chain_); } +ErrorCode KeyMintAidlTestBase::GenerateKeyWithSelfSignedAttestKey( + const AuthorizationSet& attest_key_desc, const AuthorizationSet& key_desc, + vector* key_blob, vector* key_characteristics, + vector* cert_chain) { + AttestationKey attest_key; + vector attest_cert_chain; + vector attest_key_characteristics; + // Generate a key with self signed attestation. + auto error = GenerateKey(attest_key_desc, std::nullopt, &attest_key.keyBlob, + &attest_key_characteristics, &attest_cert_chain); + if (error != ErrorCode::OK) { + return error; + } + + attest_key.issuerSubjectName = make_name_from_str("Android Keystore Key"); + // Generate a key, by passing the above self signed attestation key as attest key. + error = GenerateKey(key_desc, attest_key, key_blob, key_characteristics, cert_chain); + if (error == ErrorCode::OK) { + // Append the attest_cert_chain to the attested cert_chain to yield a valid cert chain. + cert_chain->push_back(attest_cert_chain[0]); + } + return error; +} + ErrorCode KeyMintAidlTestBase::ImportKey(const AuthorizationSet& key_desc, KeyFormat format, const string& key_material, vector* key_blob, vector* key_characteristics) { diff --git a/security/keymint/aidl/vts/functional/KeyMintAidlTestBase.h b/security/keymint/aidl/vts/functional/KeyMintAidlTestBase.h index e59443c44e..602dcaf6a0 100644 --- a/security/keymint/aidl/vts/functional/KeyMintAidlTestBase.h +++ b/security/keymint/aidl/vts/functional/KeyMintAidlTestBase.h 
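Review bot: `cert_chain->push_back(attest_cert_chain[0]);` indexes the attest key's chain without checking that the first GenerateKey returned a non-empty `attest_cert_chain`, so an implementation that answers OK with no certificate makes the helper read out of bounds instead of failing the test. It also silently drops any further entries, whereas a challenge-less attest key is expected to come back with a single self-signed certificate, and appending the whole chain keeps `cert_chain` verifiable by ChainSignaturesAreValid either way. Note also that the chain this helper builds terminates in a device-generated self-signed certificate, so it demonstrates internal signature consistency only and never a provisioned root of trust; a header comment should say so, because callers reuse the same assertions as the factory-attested path. Suggested tail of the function:
```cpp
    // Generate a key, by passing the above self signed attestation key as attest key.
    error = GenerateKey(key_desc, attest_key, key_blob, key_characteristics, cert_chain);
    if (error != ErrorCode::OK) {
        return error;
    }
    // A challenge-less attest key is expected to yield exactly one self-signed certificate;
    // without it the chain assembled below cannot verify.
    if (attest_cert_chain.empty()) {
        ADD_FAILURE() << "self-signed attest key returned no certificate";
        return ErrorCode::UNKNOWN_ERROR;
    }
    EXPECT_EQ(1U, attest_cert_chain.size());
    // Append the attest key's certificate(s) so *cert_chain is a complete chain.
    // NOTE: this chain is rooted in a device-generated self-signed key and proves
    // structural validity only, not a provisioned root of trust.
    cert_chain->insert(cert_chain->end(), attest_cert_chain.begin(), attest_cert_chain.end());
    return error;
```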
@@ -96,6 +96,21 @@ class KeyMintAidlTestBase : public ::testing::TestWithParam { ErrorCode GenerateKey(const AuthorizationSet& key_desc, const optional& attest_key = std::nullopt); + // Generate key for implementations which do not support factory attestation. + ErrorCode GenerateKeyWithSelfSignedAttestKey(const AuthorizationSet& attest_key_desc, + const AuthorizationSet& key_desc, + vector* key_blob, + vector* key_characteristics, + vector* cert_chain); + + ErrorCode GenerateKeyWithSelfSignedAttestKey(const AuthorizationSet& attest_key_desc, + const AuthorizationSet& key_desc, + vector* key_blob, + vector* key_characteristics) { + return GenerateKeyWithSelfSignedAttestKey(attest_key_desc, key_desc, key_blob, + key_characteristics, &cert_chain_); + } + ErrorCode ImportKey(const AuthorizationSet& key_desc, KeyFormat format, const string& key_material, vector* key_blob, vector* key_characteristics); diff --git a/security/keymint/aidl/vts/functional/KeyMintTest.cpp b/security/keymint/aidl/vts/functional/KeyMintTest.cpp index c734c373a7..f273e4d94e 100644 --- a/security/keymint/aidl/vts/functional/KeyMintTest.cpp +++ b/security/keymint/aidl/vts/functional/KeyMintTest.cpp 
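Review bot: The new declarations document only who should call GenerateKeyWithSelfSignedAttestKey, not what it hands back, and the security-relevant part is what it hands back: `cert_chain` ends up as the attested leaf followed by the certificate of a self-signed key generated in the same call, i.e. a chain with no provisioned root of trust. Replace the one-line comment with a short block stating that `attest_key_desc` must describe an ATTEST_KEY-purpose key, that the key described by `key_desc` is attested with that freshly generated key, that the attest key's certificate is appended to `*cert_chain` so the result verifies structurally, and that the chain must not be used for any root-of-trust assertion. The second overload should say it writes into the `cert_chain_` member, as the `GenerateKey` overload above it does implicitly.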
@@ -1067,22 +1067,30 @@ TEST_P(NewKeyGenerationTest, RsaWithAttestation) { for (auto key_size : ValidKeySizes(Algorithm::RSA)) { vector key_blob; vector key_characteristics; - auto result = GenerateKey(AuthorizationSetBuilder() - .RsaSigningKey(key_size, 65537) - .Digest(Digest::NONE) - .Padding(PaddingMode::NONE) - .AttestationChallenge(challenge) - .AttestationApplicationId(app_id) - .Authorization(TAG_NO_AUTH_REQUIRED) - .Authorization(TAG_CERTIFICATE_SERIAL, serial_blob) - .Authorization(TAG_CERTIFICATE_SUBJECT, subject_der) - .SetDefaultValidity(), - &key_blob, &key_characteristics); + auto builder = AuthorizationSetBuilder() + .RsaSigningKey(key_size, 65537) + .Digest(Digest::NONE) + .Padding(PaddingMode::NONE) + .AttestationChallenge(challenge) + .AttestationApplicationId(app_id) + .Authorization(TAG_NO_AUTH_REQUIRED) + .Authorization(TAG_CERTIFICATE_SERIAL, serial_blob) + .Authorization(TAG_CERTIFICATE_SUBJECT, subject_der) + .SetDefaultValidity(); + + auto result = GenerateKey(builder, &key_blob, &key_characteristics); // Strongbox may not support factory provisioned attestation key. if (SecLevel() == SecurityLevel::STRONGBOX) { - if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) return; + if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) { + result = GenerateKeyWithSelfSignedAttestKey( + AuthorizationSetBuilder() + .RsaKey(key_size, 65537) + .AttestKey() + .SetDefaultValidity(), /* attest key params */ + builder, &key_blob, &key_characteristics); + } } - + ASSERT_EQ(ErrorCode::OK, result); ASSERT_GT(key_blob.size(), 0U); CheckBaseParams(key_characteristics); CheckCharacteristics(key_blob, key_characteristics); 
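Review bot: The fallback block introduced here (`if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) { result = GenerateKeyWithSelfSignedAttestKey(...); }`) is repeated almost verbatim in ten more tests in this patch with only the attest-key descriptor varying, so a future change to the fallback policy is easy to miss in one copy. A single helper in KeyMintAidlTestBase that issues the factory attempt, checks `SecLevel() == SecurityLevel::STRONGBOX`, and retries with the self-signed attest key would reduce each block to one call. Independently, the StrongBox path now passes on a chain rooted in a self-signed device key, so the assertions that follow the hunk no longer verify a provisioned attestation root on such devices; a comment at the fallback site, `// Fallback chain is rooted in a self-signed key: validates structure only, not a provisioned root.`, keeps that visible. The test body continues outside the hunk.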
@@ -1203,19 +1211,27 @@ TEST_P(NewKeyGenerationTest, RsaEncryptionWithAttestation) { vector key_blob; vector key_characteristics; - auto result = GenerateKey(AuthorizationSetBuilder() - .RsaEncryptionKey(key_size, 65537) - .Padding(PaddingMode::NONE) - .AttestationChallenge(challenge) - .AttestationApplicationId(app_id) - .Authorization(TAG_NO_AUTH_REQUIRED) - .Authorization(TAG_CERTIFICATE_SERIAL, serial_blob) - .Authorization(TAG_CERTIFICATE_SUBJECT, subject_der) - .SetDefaultValidity(), - &key_blob, &key_characteristics); + auto builder = AuthorizationSetBuilder() + .RsaEncryptionKey(key_size, 65537) + .Padding(PaddingMode::NONE) + .AttestationChallenge(challenge) + .AttestationApplicationId(app_id) + .Authorization(TAG_NO_AUTH_REQUIRED) + .Authorization(TAG_CERTIFICATE_SERIAL, serial_blob) + .Authorization(TAG_CERTIFICATE_SUBJECT, subject_der) + .SetDefaultValidity(); + + auto result = GenerateKey(builder, &key_blob, &key_characteristics); // Strongbox may not support factory provisioned attestation key. if (SecLevel() == SecurityLevel::STRONGBOX) { - if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) return; + if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) { + result = GenerateKeyWithSelfSignedAttestKey( + AuthorizationSetBuilder() + .RsaKey(key_size, 65537) + .AttestKey() + .SetDefaultValidity(), /* attest key params */ + builder, &key_blob, &key_characteristics); + } } ASSERT_EQ(ErrorCode::OK, result); 
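Review bot: After this change a StrongBox run that returned ATTESTATION_KEYS_NOT_PROVISIONED and one that attested with a factory key both reach `ASSERT_EQ(ErrorCode::OK, result)` with nothing in the test output telling them apart, so a device that lost its provisioned attestation key reports the same result as one that was never provisioned. Record which path ran inside the fallback branch, e.g. `RecordProperty("attestation_path", "self_signed_attest_key");` or a `GTEST_LOG_(INFO)` line, so the report makes the distinction. The remainder of the test is outside the hunk.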
@@ -1319,17 +1335,25 @@ TEST_P(NewKeyGenerationTest, RsaWithAttestationMissAppId) { vector key_blob; vector key_characteristics; - auto result = GenerateKey(AuthorizationSetBuilder() - .RsaSigningKey(2048, 65537) - .Digest(Digest::NONE) - .Padding(PaddingMode::NONE) - .AttestationChallenge(challenge) - .Authorization(TAG_NO_AUTH_REQUIRED) - .SetDefaultValidity(), - &key_blob, &key_characteristics); + auto builder = AuthorizationSetBuilder() + .RsaSigningKey(2048, 65537) + .Digest(Digest::NONE) + .Padding(PaddingMode::NONE) + .AttestationChallenge(challenge) + .Authorization(TAG_NO_AUTH_REQUIRED) + .SetDefaultValidity(); + + auto result = GenerateKey(builder, &key_blob, &key_characteristics); // Strongbox may not support factory provisioned attestation key. if (SecLevel() == SecurityLevel::STRONGBOX) { - if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) return; + if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) { + result = GenerateKeyWithSelfSignedAttestKey( + AuthorizationSetBuilder() + .RsaKey(2048, 65537) + .AttestKey() + .SetDefaultValidity(), /* attest key params */ + builder, &key_blob, &key_characteristics); + } } ASSERT_EQ(ErrorCode::ATTESTATION_APPLICATION_ID_MISSING, result); } 
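Review bot: `ASSERT_EQ(ErrorCode::ATTESTATION_APPLICATION_ID_MISSING, result)` now accepts two validation orders on StrongBox: an implementation that reports ATTESTATION_KEYS_NOT_PROVISIONED before noticing the missing application id gets a second attempt through the self-signed path, while one that checks the application id first passes directly. Nothing in the AIDL change in this patch says either order is permitted, and a reader of this test cannot tell whether the leniency is deliberate, so add above the fallback `// StrongBox may report the missing factory key before validating parameters; the self-signed retry must still fail on the missing app id.` Also, if attest-key generation itself fails inside GenerateKeyWithSelfSignedAttestKey, that unrelated error is what reaches the assertion and the failure message will point at the wrong cause; consider checking the fallback's attest-key step separately.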
@@ -1441,21 +1465,29 @@ TEST_P(NewKeyGenerationTest, LimitedUsageRsaWithAttestation) { for (auto key_size : ValidKeySizes(Algorithm::RSA)) { vector key_blob; vector key_characteristics; - auto result = GenerateKey(AuthorizationSetBuilder() - .RsaSigningKey(key_size, 65537) - .Digest(Digest::NONE) - .Padding(PaddingMode::NONE) - .AttestationChallenge(challenge) - .AttestationApplicationId(app_id) - .Authorization(TAG_NO_AUTH_REQUIRED) - .Authorization(TAG_USAGE_COUNT_LIMIT, 1) - .Authorization(TAG_CERTIFICATE_SERIAL, serial_blob) - .Authorization(TAG_CERTIFICATE_SUBJECT, subject_der) - .SetDefaultValidity(), - &key_blob, &key_characteristics); + auto builder = AuthorizationSetBuilder() + .RsaSigningKey(key_size, 65537) + .Digest(Digest::NONE) + .Padding(PaddingMode::NONE) + .AttestationChallenge(challenge) + .AttestationApplicationId(app_id) + .Authorization(TAG_NO_AUTH_REQUIRED) + .Authorization(TAG_USAGE_COUNT_LIMIT, 1) + .Authorization(TAG_CERTIFICATE_SERIAL, serial_blob) + .Authorization(TAG_CERTIFICATE_SUBJECT, subject_der) + .SetDefaultValidity(); + + auto result = GenerateKey(builder, &key_blob, &key_characteristics); // Strongbox may not support factory provisioned attestation key. if (SecLevel() == SecurityLevel::STRONGBOX) { - if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) return; + if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) { + result = GenerateKeyWithSelfSignedAttestKey( + AuthorizationSetBuilder() + .RsaKey(key_size, 65537) + .AttestKey() + .SetDefaultValidity(), /* attest key params */ + builder, &key_blob, &key_characteristics); + } } ASSERT_EQ(ErrorCode::OK, result); 
@@ -1676,19 +1708,27 @@ TEST_P(NewKeyGenerationTest, EcdsaAttestation) { for (auto curve : ValidCurves()) { vector key_blob; vector key_characteristics; - auto result = GenerateKey(AuthorizationSetBuilder() - .Authorization(TAG_NO_AUTH_REQUIRED) - .EcdsaSigningKey(curve) - .Digest(Digest::NONE) - .AttestationChallenge(challenge) - .AttestationApplicationId(app_id) - .Authorization(TAG_CERTIFICATE_SERIAL, serial_blob) - .Authorization(TAG_CERTIFICATE_SUBJECT, subject_der) - .SetDefaultValidity(), - &key_blob, &key_characteristics); + auto builder = AuthorizationSetBuilder() + .Authorization(TAG_NO_AUTH_REQUIRED) + .EcdsaSigningKey(curve) + .Digest(Digest::NONE) + .AttestationChallenge(challenge) + .AttestationApplicationId(app_id) + .Authorization(TAG_CERTIFICATE_SERIAL, serial_blob) + .Authorization(TAG_CERTIFICATE_SUBJECT, subject_der) + .SetDefaultValidity(); + + auto result = GenerateKey(builder, &key_blob, &key_characteristics); // Strongbox may not support factory provisioned attestation key. if (SecLevel() == SecurityLevel::STRONGBOX) { - if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) return; + if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) { + result = GenerateKeyWithSelfSignedAttestKey( + AuthorizationSetBuilder() + .EcdsaKey(curve) + .AttestKey() + .SetDefaultValidity(), /* attest key params */ + builder, &key_blob, &key_characteristics); + } } ASSERT_EQ(ErrorCode::OK, result); ASSERT_GT(key_blob.size(), 0U); 
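Review bot: The attest key here is built with `.EcdsaKey(curve)`, so its curve follows the loop variable, while every other fallback in this patch pins the attest key to `EcCurve::P_256`. If ValidCurves() ever yields a curve on which this StrongBox cannot create an ATTEST_KEY (I cannot see ValidCurves() from here), the failure would be attributed to attestation of the key under test rather than to the attest key. Pin the attest key to P_256 as the other tests do, or add a comment stating that exercising attest keys on every curve is intended here; attest-key coverage per curve otherwise belongs in AttestKeyTest. The test body continues outside the hunk.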
@@ -1826,7 +1866,14 @@ TEST_P(NewKeyGenerationTest, EcdsaAttestationTags) { } // Strongbox may not support factory provisioned attestation key. if (SecLevel() == SecurityLevel::STRONGBOX) { - if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) return; + if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) { + result = GenerateKeyWithSelfSignedAttestKey( + AuthorizationSetBuilder() + .EcdsaKey(EcCurve::P_256) + .AttestKey() + .SetDefaultValidity(), /* attest key params */ + builder, &key_blob, &key_characteristics); + } } ASSERT_EQ(result, ErrorCode::OK); ASSERT_GT(key_blob.size(), 0U); @@ -1878,8 +1925,20 @@ TEST_P(NewKeyGenerationTest, EcdsaAttestationTags) { .Authorization(TAG_CERTIFICATE_SUBJECT, subject_der) .SetDefaultValidity(); builder.push_back(tag); - ASSERT_EQ(ErrorCode::CANNOT_ATTEST_IDS, - GenerateKey(builder, &key_blob, &key_characteristics)); + + auto error = GenerateKey(builder, &key_blob, &key_characteristics); + // Strongbox may not support factory provisioned attestation key. + if (SecLevel() == SecurityLevel::STRONGBOX) { + if (error == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) { + error = GenerateKeyWithSelfSignedAttestKey( + AuthorizationSetBuilder() + .EcdsaKey(EcCurve::P_256) + .AttestKey() + .SetDefaultValidity(), /* attest key params */ + builder, &key_blob, &key_characteristics); + } + } + ASSERT_EQ(error, ErrorCode::CANNOT_ATTEST_IDS); } } 
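Review bot: In the second hunk the fallback result is named `error` and asserted as `ASSERT_EQ(error, ErrorCode::CANNOT_ATTEST_IDS)`, whereas the first hunk and every other fallback in this patch use `result` and the gtest (expected, actual) order, `ASSERT_EQ(ErrorCode::CANNOT_ATTEST_IDS, result)`; aligning both makes failure output read consistently across the file. The same caveat as in the missing-app-id tests applies here: an unrelated failure of the attest-key generation inside GenerateKeyWithSelfSignedAttestKey would surface as "expected CANNOT_ATTEST_IDS", so a comment such as `// StrongBox may report the missing factory key first; the self-signed retry must still reject ID attestation.` would explain why a retry is done on a path that is expected to fail. Both enclosing blocks extend outside the hunks.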
@@ -1984,8 +2043,18 @@ TEST_P(NewKeyGenerationTest, EcdsaAttestationUniqueId) { if (reset) { builder.Authorization(TAG_RESET_SINCE_ID_ROTATION); } - - ASSERT_EQ(ErrorCode::OK, GenerateKey(builder)); + auto result = GenerateKey(builder); + if (SecLevel() == SecurityLevel::STRONGBOX) { + if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) { + result = GenerateKeyWithSelfSignedAttestKey( + AuthorizationSetBuilder() + .EcdsaKey(EcCurve::P_256) + .AttestKey() + .SetDefaultValidity(), /* attest key params */ + builder, &key_blob_, &key_characteristics_, &cert_chain_); + } + } + ASSERT_EQ(ErrorCode::OK, result); ASSERT_GT(key_blob_.size(), 0U); EXPECT_TRUE(ChainSignaturesAreValid(cert_chain_)); 
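Review bot: This fallback is the only one in the patch without the `// Strongbox may not support factory provisioned attestation key.` comment the sibling tests carry; add it above the `if (SecLevel() == SecurityLevel::STRONGBOX)` line for consistency, since the retry otherwise looks like an unexplained second key generation inside the unique-id rotation loop. The call passes `&key_blob_, &key_characteristics_, &cert_chain_` explicitly although the header in this patch adds a four-argument overload that targets `cert_chain_`; using it here keeps this site in line with the others. The enclosing test continues outside the hunk.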
@@ -2072,21 +2141,29 @@ TEST_P(NewKeyGenerationTest, EcdsaAttestationTagNoApplicationId) { // to confirm that this field never makes it into the attestation extension. vector key_blob; vector key_characteristics; - auto result = GenerateKey(AuthorizationSetBuilder() - .Authorization(TAG_NO_AUTH_REQUIRED) - .EcdsaSigningKey(EcCurve::P_256) - .Digest(Digest::NONE) - .AttestationChallenge(challenge) - .AttestationApplicationId(attest_app_id) - .Authorization(TAG_APPLICATION_ID, "client_id") - .Authorization(TAG_APPLICATION_DATA, "appdata") - .Authorization(TAG_CERTIFICATE_SERIAL, serial_blob) - .Authorization(TAG_CERTIFICATE_SUBJECT, subject_der) - .SetDefaultValidity(), - &key_blob, &key_characteristics); + auto builder = AuthorizationSetBuilder() + .Authorization(TAG_NO_AUTH_REQUIRED) + .EcdsaSigningKey(EcCurve::P_256) + .Digest(Digest::NONE) + .AttestationChallenge(challenge) + .AttestationApplicationId(attest_app_id) + .Authorization(TAG_APPLICATION_ID, "client_id") + .Authorization(TAG_APPLICATION_DATA, "appdata") + .Authorization(TAG_CERTIFICATE_SERIAL, serial_blob) + .Authorization(TAG_CERTIFICATE_SUBJECT, subject_der) + .SetDefaultValidity(); + + auto result = GenerateKey(builder, &key_blob, &key_characteristics); // Strongbox may not support factory provisioned attestation key. if (SecLevel() == SecurityLevel::STRONGBOX) { - if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) return; + if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) { + result = GenerateKeyWithSelfSignedAttestKey( + AuthorizationSetBuilder() + .EcdsaKey(EcCurve::P_256) + .AttestKey() + .SetDefaultValidity(), /* attest key params */ + builder, &key_blob, &key_characteristics); + } } ASSERT_EQ(result, ErrorCode::OK); ASSERT_GT(key_blob.size(), 0U); 
@@ -2166,16 +2243,23 @@ TEST_P(NewKeyGenerationTest, EcdsaAttestationRequireAppId) { auto challenge = "hello"; vector key_blob; vector key_characteristics; + auto builder = AuthorizationSetBuilder() + .EcdsaSigningKey(EcCurve::P_256) + .Digest(Digest::NONE) + .AttestationChallenge(challenge) + .SetDefaultValidity(); - auto result = GenerateKey(AuthorizationSetBuilder() - .EcdsaSigningKey(EcCurve::P_256) - .Digest(Digest::NONE) - .AttestationChallenge(challenge) - .SetDefaultValidity(), - &key_blob, &key_characteristics); + auto result = GenerateKey(builder, &key_blob, &key_characteristics); // Strongbox may not support factory provisioned attestation key. if (SecLevel() == SecurityLevel::STRONGBOX) { - if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) return; + if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) { + result = GenerateKeyWithSelfSignedAttestKey( + AuthorizationSetBuilder() + .EcdsaKey(EcCurve::P_256) + .AttestKey() + .SetDefaultValidity(), /* attest key params */ + builder, &key_blob, &key_characteristics); + } } ASSERT_EQ(ErrorCode::ATTESTATION_APPLICATION_ID_MISSING, result); } 
@@ -2234,17 +2318,25 @@ TEST_P(NewKeyGenerationTest, AttestationApplicationIDLengthProperlyEncoded) { const string app_id(length, 'a'); vector key_blob; vector key_characteristics; - auto result = GenerateKey(AuthorizationSetBuilder() - .Authorization(TAG_NO_AUTH_REQUIRED) - .EcdsaSigningKey(EcCurve::P_256) - .Digest(Digest::NONE) - .AttestationChallenge(challenge) - .AttestationApplicationId(app_id) - .SetDefaultValidity(), - &key_blob, &key_characteristics); + auto builder = AuthorizationSetBuilder() + .Authorization(TAG_NO_AUTH_REQUIRED) + .EcdsaSigningKey(EcCurve::P_256) + .Digest(Digest::NONE) + .AttestationChallenge(challenge) + .AttestationApplicationId(app_id) + .SetDefaultValidity(); + + auto result = GenerateKey(builder, &key_blob, &key_characteristics); // Strongbox may not support factory provisioned attestation key. if (SecLevel() == SecurityLevel::STRONGBOX) { - if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) return; + if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) { + result = GenerateKeyWithSelfSignedAttestKey( + AuthorizationSetBuilder() + .EcdsaKey(EcCurve::P_256) + .AttestKey() + .SetDefaultValidity(), /* attest key params */ + builder, &key_blob, &key_characteristics); + } } ASSERT_EQ(ErrorCode::OK, result); ASSERT_GT(key_blob.size(), 0U); 
@@ -7370,15 +7462,26 @@ class KeyAgreementTest : public KeyMintAidlTestBase { void GenerateKeyMintEcKey(EcCurve curve, EVP_PKEY_Ptr* kmPubKey) { vector challenge = {0x41, 0x42}; - ErrorCode result = - GenerateKey(AuthorizationSetBuilder() - .Authorization(TAG_NO_AUTH_REQUIRED) - .Authorization(TAG_EC_CURVE, curve) - .Authorization(TAG_PURPOSE, KeyPurpose::AGREE_KEY) - .Authorization(TAG_ALGORITHM, Algorithm::EC) - .Authorization(TAG_ATTESTATION_APPLICATION_ID, {0x61, 0x62}) - .Authorization(TAG_ATTESTATION_CHALLENGE, challenge) - .SetDefaultValidity()); + auto builder = AuthorizationSetBuilder() + .Authorization(TAG_NO_AUTH_REQUIRED) + .Authorization(TAG_EC_CURVE, curve) + .Authorization(TAG_PURPOSE, KeyPurpose::AGREE_KEY) + .Authorization(TAG_ALGORITHM, Algorithm::EC) + .Authorization(TAG_ATTESTATION_APPLICATION_ID, {0x61, 0x62}) + .Authorization(TAG_ATTESTATION_CHALLENGE, challenge) + .SetDefaultValidity(); + ErrorCode result = GenerateKey(builder); + + if (SecLevel() == SecurityLevel::STRONGBOX) { + if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) { + result = GenerateKeyWithSelfSignedAttestKey( + AuthorizationSetBuilder() + .EcdsaKey(EcCurve::P_256) + .AttestKey() + .SetDefaultValidity(), /* attest key params */ + builder, &key_blob_, &key_characteristics_, &cert_chain_); + } + } ASSERT_EQ(ErrorCode::OK, result) << "Failed to generate key"; ASSERT_GT(cert_chain_.size(), 0); X509_Ptr kmKeyCert(parse_cert_blob(cert_chain_[0].encodedCertificate));
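Review bot: The attest key in this fallback is hard-coded to `EcCurve::P_256` regardless of the `curve` parameter and, unlike the sibling fallbacks, the branch carries no comment, so a reader may take the mismatch for a bug. A one-line comment would settle it: `// Attest key is P-256 regardless of `curve`: only StrongBox reaches this path, and the attest key's curve need not match the agreement key's.` Since the key-agreement tests that call this helper are not about attestation, consider also noting that the attestation here exists only to obtain a certificate for the public key and that the resulting chain is rooted in a self-signed key. The helper's body continues outside the hunk.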