Merge "identity: Add tests to check that implementations support 32 bytes for challenges."

identity/aidl/android/hardware/identity/IIdentityCredential.aidl

@@ -438,8 +438,9 @@ interface IIdentityCredential {
      * If the method is called on an instance obtained via IPresentationSession.getCredential(),
      * STATUS_FAILED must be returned.
      *
-     * @param challenge a challenge set by the issuer to ensure freshness. Maximum size is 32 bytes
-     *     and it may be empty. Fails with STATUS_INVALID_DATA if bigger than 32 bytes.
+     * @param challenge a challenge set by the issuer to ensure freshness. Implementations must
+     *   support challenges that are at least 32 bytes. Fails with STATUS_INVALID_DATA if bigger
+     *   than 32 bytes.
      * @return a COSE_Sign1 signature described above.
      */
     byte[] deleteCredentialWithChallenge(in byte[] challenge);
@@ -463,8 +464,9 @@ interface IIdentityCredential {
      * If the method is called on an instance obtained via IPresentationSession.getCredential(),
      * STATUS_FAILED must be returned.
      *
-     * @param challenge a challenge set by the issuer to ensure freshness. Maximum size is 32 bytes
-     *     and it may be empty. Fails with STATUS_INVALID_DATA if bigger than 32 bytes.
+     * @param challenge a challenge set by the issuer to ensure freshness. Implementations must
+     *   support challenges that are at least 32 bytes. Fails with STATUS_INVALID_DATA if bigger
+     *   than 32 bytes.
      * @return a COSE_Sign1 signature described above.
      */
     byte[] proveOwnership(in byte[] challenge);

identity/aidl/android/hardware/identity/IWritableIdentityCredential.aidl

@@ -127,7 +127,8 @@ interface IWritableIdentityCredential {
      *     https://developer.android.com/training/articles/security-key-attestation#certificate_schema_attestationid
      *
      * @param attestationChallenge a challenge set by the issuer to ensure freshness. If
-     *    this is empty, the call fails with STATUS_INVALID_DATA.
+     *    this is empty, the call fails with STATUS_INVALID_DATA. Implementations must
+     *    support challenges of at least 32 bytes.
      *
      * @return the X.509 certificate chain for the credentialKey
      */

identity/aidl/vts/DeleteCredentialTests.cpp

@@ -146,7 +146,9 @@ TEST_P(DeleteCredentialTests, DeleteWithChallenge) {
                                 credentialData_, &credential)
                         .isOk());
 
-    vector<uint8_t> challenge = {65, 66, 67};
+    // Implementations must support at least 32 bytes.
+    string challengeString = "0123456789abcdef0123456789abcdef";
+    vector<uint8_t> challenge(challengeString.begin(), challengeString.end());
     vector<uint8_t> proofOfDeletionSignature;
     ASSERT_TRUE(
             credential->deleteCredentialWithChallenge(challenge, &proofOfDeletionSignature).isOk());
@@ -154,8 +156,13 @@ TEST_P(DeleteCredentialTests, DeleteWithChallenge) {
             support::coseSignGetPayload(proofOfDeletionSignature);
     ASSERT_TRUE(proofOfDeletion);
     string cborPretty = cppbor::prettyPrint(proofOfDeletion.value(), 32, {});
-    EXPECT_EQ("['ProofOfDeletion', 'org.iso.18013-5.2019.mdl', {0x41, 0x42, 0x43}, true, ]",
-              cborPretty);
+    EXPECT_EQ(
+            "['ProofOfDeletion', 'org.iso.18013-5.2019.mdl', {"
+            "0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, "
+            "0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, "
+            "0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, "
+            "0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66}, true, ]",
+            cborPretty);
     EXPECT_TRUE(support::coseCheckEcDsaSignature(proofOfDeletionSignature, {},  // Additional data
                                                  credentialPubKey_));
 }

identity/aidl/vts/ProveOwnershipTests.cpp

@@ -125,14 +125,22 @@ TEST_P(ProveOwnershipTests, proveOwnership) {
                                 credentialData_, &credential)
                         .isOk());
 
-    vector<uint8_t> challenge = {17, 18};
+    // Implementations must support at least 32 bytes.
+    string challengeString = "0123456789abcdef0123456789abcdef";
+    vector<uint8_t> challenge(challengeString.begin(), challengeString.end());
     vector<uint8_t> proofOfOwnershipSignature;
     ASSERT_TRUE(credential->proveOwnership(challenge, &proofOfOwnershipSignature).isOk());
     optional<vector<uint8_t>> proofOfOwnership =
             support::coseSignGetPayload(proofOfOwnershipSignature);
     ASSERT_TRUE(proofOfOwnership);
     string cborPretty = cppbor::prettyPrint(proofOfOwnership.value(), 32, {});
-    EXPECT_EQ("['ProofOfOwnership', 'org.iso.18013-5.2019.mdl', {0x11, 0x12}, true, ]", cborPretty);
+    EXPECT_EQ(
+            "['ProofOfOwnership', 'org.iso.18013-5.2019.mdl', {"
+            "0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, "
+            "0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, "
+            "0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, "
+            "0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66}, true, ]",
+            cborPretty);
     EXPECT_TRUE(support::coseCheckEcDsaSignature(proofOfOwnershipSignature, {},  // Additional data
                                                  credentialPubKey_));
 }

identity/aidl/vts/VtsAttestationTests.cpp

@@ -66,7 +66,8 @@ TEST_P(VtsAttestationTests, verifyAttestationWithNonemptyChallengeNonemptyId) {
     ASSERT_TRUE(setupWritableCredential(writableCredential, credentialStore_,
                                         false /* testCredential */));
 
-    string challenge = "NotSoRandomChallenge1NotSoRandomChallenge1NotSoRandomChallenge1";
+    // Must support at least 32 bytes.
+    string challenge = "0123456789abcdef0123456789abcdef";
     vector<uint8_t> attestationChallenge(challenge.begin(), challenge.end());
     vector<Certificate> attestationCertificate;
     string applicationId = "Attestation Verification";