Merge "Correct error code in attest_key docs." am: b21b4a3663 am: 741884a363

Original change: https://android-review.googlesource.com/c/platform/hardware/interfaces/+/1662620

Change-Id: I728cc24ae0d0bb6deb26b8e1fd4008668a5bc30b

security/keymint/aidl/android/hardware/security/keymint/IKeyMintDevice.aidl

@@ -321,8 +321,8 @@ interface IKeyMintDevice {
      *        but `attestationKey` is non-null, the IKeyMintDevice must return
      *        ErrorCode::INVALID_ARGUMENT.  If the provided AttestationKey does not contain a key
      *        blob containing an asymmetric key with KeyPurpose::ATTEST_KEY, the IKeyMintDevice must
-     *        return ErrorCode::INVALID_PURPOSE.  If the provided AttestationKey has an empty issuer
-     *        subject name, the IKeyMintDevice must return ErrorCode::INVALID_ARGUMENT.
+     *        return ErrorCode::INCOMPATIBLE_PURPOSE.  If the provided AttestationKey has an empty
+     *        issuer subject name, the IKeyMintDevice must return ErrorCode::INVALID_ARGUMENT.
      *
      * @return The result of key creation.  See KeyCreationResult.aidl.
      */
@@ -360,8 +360,8 @@ interface IKeyMintDevice {
      *        but `attestationKey` is non-null, the IKeyMintDevice must return
      *        ErrorCode::INVALID_ARGUMENT.  If the provided AttestationKey does not contain a key
      *        blob containing an asymmetric key with KeyPurpose::ATTEST_KEY, the IKeyMintDevice must
-     *        return ErrorCode::INVALID_PURPOSE.  If the provided AttestationKey has an empty issuer
-     *        subject name, the IKeyMintDevice must return ErrorCode::INVALID_ARGUMENT.
+     *        return ErrorCode::INCOMPATIBLE_PURPOSE.  If the provided AttestationKey has an empty
+     *        issuer subject name, the IKeyMintDevice must return ErrorCode::INVALID_ARGUMENT.
      *
      * @return The result of key creation.  See KeyCreationResult.aidl.
      */

security/keymint/aidl/vts/functional/AttestKeyTest.cpp

@@ -207,6 +207,36 @@ TEST_P(AttestKeyTest, AllEcCurves) {
     }
 }
 
+TEST_P(AttestKeyTest, AttestWithNonAttestKey) {
+    // Create non-attestaton key.
+    AttestationKey non_attest_key;
+    vector<KeyCharacteristics> non_attest_key_characteristics;
+    vector<Certificate> non_attest_key_cert_chain;
+    ASSERT_EQ(
+            ErrorCode::OK,
+            GenerateKey(
+                    AuthorizationSetBuilder().EcdsaSigningKey(EcCurve::P_256).SetDefaultValidity(),
+                    {} /* attestation siging key */, &non_attest_key.keyBlob,
+                    &non_attest_key_characteristics, &non_attest_key_cert_chain));
+
+    EXPECT_EQ(non_attest_key_cert_chain.size(), 1);
+    EXPECT_TRUE(IsSelfSigned(non_attest_key_cert_chain));
+
+    // Attempt to sign attestation with non-attest key.
+    vector<uint8_t> attested_key_blob;
+    vector<KeyCharacteristics> attested_key_characteristics;
+    vector<Certificate> attested_key_cert_chain;
+    EXPECT_EQ(ErrorCode::INCOMPATIBLE_PURPOSE,
+              GenerateKey(AuthorizationSetBuilder()
+                                  .EcdsaSigningKey(EcCurve::P_256)
+                                  .Authorization(TAG_NO_AUTH_REQUIRED)
+                                  .AttestationChallenge("foo")
+                                  .AttestationApplicationId("bar")
+                                  .SetDefaultValidity(),
+                          non_attest_key, &attested_key_blob, &attested_key_characteristics,
+                          &attested_key_cert_chain));
+}
+
 INSTANTIATE_KEYMINT_AIDL_TEST(AttestKeyTest);
 
 }  // namespace aidl::android::hardware::security::keymint::test