Merge "Allow RKP-only devices to pass keymint VTS" into main
This commit is contained in:
commit
fae563acb0
7 changed files with 167 additions and 331 deletions
|
@ -20,6 +20,7 @@
|
|||
#include <cutils/log.h>
|
||||
#include <cutils/properties.h>
|
||||
|
||||
#include <keymint_support/authorization_set.h>
|
||||
#include <keymint_support/key_param_output.h>
|
||||
#include <keymint_support/openssl_utils.h>
|
||||
|
||||
|
@ -93,7 +94,7 @@ string get_imei(int slot) {
|
|||
class AttestKeyTest : public KeyMintAidlTestBase {
|
||||
public:
|
||||
void SetUp() override {
|
||||
skipAttestKeyTest();
|
||||
skipAttestKeyTestIfNeeded();
|
||||
KeyMintAidlTestBase::SetUp();
|
||||
}
|
||||
};
|
||||
|
@ -273,7 +274,7 @@ TEST_P(AttestKeyTest, RsaAttestKeyMultiPurposeFail) {
|
|||
/*
|
||||
* AttestKeyTest.RsaAttestedAttestKeys
|
||||
*
|
||||
* This test creates an RSA attestation key signed by factory keys, and varifies it can be
|
||||
* This test creates an RSA attestation key signed by factory keys, and verifies it can be
|
||||
* used to sign other RSA and EC keys.
|
||||
*/
|
||||
TEST_P(AttestKeyTest, RsaAttestedAttestKeys) {
|
||||
|
@ -305,9 +306,8 @@ TEST_P(AttestKeyTest, RsaAttestedAttestKeys) {
|
|||
.SetDefaultValidity(),
|
||||
{} /* attestation signing key */, &attest_key.keyBlob,
|
||||
&attest_key_characteristics, &attest_key_cert_chain);
|
||||
// Strongbox may not support factory provisioned attestation key.
|
||||
if (SecLevel() == SecurityLevel::STRONGBOX) {
|
||||
if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) return;
|
||||
if (isRkpOnly() && result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) {
|
||||
GTEST_SKIP() << "RKP-only devices do not have a factory key";
|
||||
}
|
||||
ASSERT_EQ(ErrorCode::OK, result);
|
||||
KeyBlobDeleter attest_deleter(keymint_, attest_key.keyBlob);
|
||||
|
@ -400,30 +400,32 @@ TEST_P(AttestKeyTest, RsaAttestKeyChaining) {
|
|||
attest_key_opt = attest_key;
|
||||
}
|
||||
|
||||
auto result = GenerateAttestKey(AuthorizationSetBuilder()
|
||||
AuthorizationSetBuilder auth_set_builder =
|
||||
AuthorizationSetBuilder()
|
||||
.RsaKey(2048, 65537)
|
||||
.AttestKey()
|
||||
.AttestationChallenge("foo")
|
||||
.AttestationApplicationId("bar")
|
||||
.Authorization(TAG_NO_AUTH_REQUIRED)
|
||||
.Authorization(TAG_CERTIFICATE_SERIAL, serial_blob)
|
||||
.Authorization(TAG_CERTIFICATE_SUBJECT, subject_der)
|
||||
.SetDefaultValidity(),
|
||||
attest_key_opt, &key_blob_list[i],
|
||||
&attested_key_characteristics, &cert_chain_list[i]);
|
||||
// Strongbox may not support factory provisioned attestation key.
|
||||
if (SecLevel() == SecurityLevel::STRONGBOX) {
|
||||
if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) return;
|
||||
.SetDefaultValidity();
|
||||
// In RKP-only systems, the first key cannot be attested due to lack of batch key
|
||||
if (!isRkpOnly() || i > 0) {
|
||||
auth_set_builder.AttestationChallenge("foo");
|
||||
}
|
||||
auto result = GenerateAttestKey(auth_set_builder, attest_key_opt, &key_blob_list[i],
|
||||
&attested_key_characteristics, &cert_chain_list[i]);
|
||||
ASSERT_EQ(ErrorCode::OK, result);
|
||||
deleters.push_back(KeyBlobDeleter(keymint_, key_blob_list[i]));
|
||||
|
||||
if (!isRkpOnly() || i > 0) {
|
||||
AuthorizationSet hw_enforced = HwEnforcedAuthorizations(attested_key_characteristics);
|
||||
AuthorizationSet sw_enforced = SwEnforcedAuthorizations(attested_key_characteristics);
|
||||
ASSERT_GT(cert_chain_list[i].size(), 0);
|
||||
ASSERT_TRUE(verify_attestation_record(AidlVersion(), "foo", "bar", sw_enforced, hw_enforced,
|
||||
SecLevel(),
|
||||
ASSERT_TRUE(verify_attestation_record(AidlVersion(), "foo", "bar", sw_enforced,
|
||||
hw_enforced, SecLevel(),
|
||||
cert_chain_list[i][0].encodedCertificate));
|
||||
}
|
||||
|
||||
if (i > 0) {
|
||||
/*
|
||||
|
@ -439,7 +441,7 @@ TEST_P(AttestKeyTest, RsaAttestKeyChaining) {
|
|||
}
|
||||
|
||||
EXPECT_TRUE(ChainSignaturesAreValid(cert_chain_list[i]));
|
||||
EXPECT_GT(cert_chain_list[i].size(), i + 1);
|
||||
EXPECT_GT(cert_chain_list[i].size(), i + (isRkpOnly() ? 0 : 1));
|
||||
verify_subject_and_serial(cert_chain_list[i][0], serial_int, subject, false);
|
||||
}
|
||||
}
|
||||
|
@ -475,36 +477,34 @@ TEST_P(AttestKeyTest, EcAttestKeyChaining) {
|
|||
attest_key_opt = attest_key;
|
||||
}
|
||||
|
||||
auto result = GenerateAttestKey(AuthorizationSetBuilder()
|
||||
AuthorizationSetBuilder auth_set_builder =
|
||||
AuthorizationSetBuilder()
|
||||
.EcdsaKey(EcCurve::P_256)
|
||||
.AttestKey()
|
||||
.AttestationChallenge("foo")
|
||||
.AttestationApplicationId("bar")
|
||||
.Authorization(TAG_CERTIFICATE_SERIAL, serial_blob)
|
||||
.Authorization(TAG_CERTIFICATE_SUBJECT, subject_der)
|
||||
.Authorization(TAG_NO_AUTH_REQUIRED)
|
||||
.SetDefaultValidity(),
|
||||
attest_key_opt, &key_blob_list[i],
|
||||
&attested_key_characteristics, &cert_chain_list[i]);
|
||||
// Strongbox may not support factory provisioned attestation key.
|
||||
if (SecLevel() == SecurityLevel::STRONGBOX) {
|
||||
if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) return;
|
||||
.SetDefaultValidity();
|
||||
// In RKP-only systems, the first key cannot be attested due to lack of batch key
|
||||
if (!isRkpOnly() || i > 0) {
|
||||
auth_set_builder.AttestationChallenge("foo");
|
||||
}
|
||||
auto result = GenerateAttestKey(auth_set_builder, attest_key_opt, &key_blob_list[i],
|
||||
&attested_key_characteristics, &cert_chain_list[i]);
|
||||
ASSERT_EQ(ErrorCode::OK, result);
|
||||
deleters.push_back(KeyBlobDeleter(keymint_, key_blob_list[i]));
|
||||
|
||||
if (!isRkpOnly() || i > 0) {
|
||||
AuthorizationSet hw_enforced = HwEnforcedAuthorizations(attested_key_characteristics);
|
||||
AuthorizationSet sw_enforced = SwEnforcedAuthorizations(attested_key_characteristics);
|
||||
ASSERT_GT(cert_chain_list[i].size(), 0);
|
||||
ASSERT_TRUE(verify_attestation_record(AidlVersion(), "foo", "bar", sw_enforced, hw_enforced,
|
||||
SecLevel(),
|
||||
ASSERT_TRUE(verify_attestation_record(AidlVersion(), "foo", "bar", sw_enforced,
|
||||
hw_enforced, SecLevel(),
|
||||
cert_chain_list[i][0].encodedCertificate));
|
||||
}
|
||||
|
||||
if (i > 0) {
|
||||
/*
|
||||
* The first key is attestated with factory chain, but all the rest of the keys are
|
||||
* not supposed to be returned in attestation certificate chains.
|
||||
*/
|
||||
EXPECT_FALSE(ChainSignaturesAreValid(cert_chain_list[i]));
|
||||
|
||||
// Appending the attest_key chain to the attested_key_chain should yield a valid chain.
|
||||
|
@ -514,7 +514,7 @@ TEST_P(AttestKeyTest, EcAttestKeyChaining) {
|
|||
}
|
||||
|
||||
EXPECT_TRUE(ChainSignaturesAreValid(cert_chain_list[i]));
|
||||
EXPECT_GT(cert_chain_list[i].size(), i + 1);
|
||||
EXPECT_GT(cert_chain_list[i].size(), i + (isRkpOnly() ? 0 : 1));
|
||||
verify_subject_and_serial(cert_chain_list[i][0], serial_int, subject, false);
|
||||
}
|
||||
}
|
||||
|
@ -576,45 +576,36 @@ TEST_P(AttestKeyTest, AlternateAttestKeyChaining) {
|
|||
attest_key.keyBlob = key_blob_list[i - 1];
|
||||
attest_key_opt = attest_key;
|
||||
}
|
||||
ErrorCode result;
|
||||
AuthorizationSetBuilder auth_set_builder =
|
||||
AuthorizationSetBuilder()
|
||||
.AttestKey()
|
||||
.AttestationApplicationId("bar")
|
||||
.Authorization(TAG_CERTIFICATE_SERIAL, serial_blob)
|
||||
.Authorization(TAG_CERTIFICATE_SUBJECT, subject_der)
|
||||
.Authorization(TAG_NO_AUTH_REQUIRED)
|
||||
.SetDefaultValidity();
|
||||
// In RKP-only systems, the first key cannot be attested due to lack of batch key
|
||||
if (!isRkpOnly() || i > 0) {
|
||||
auth_set_builder.AttestationChallenge("foo");
|
||||
}
|
||||
if ((i & 0x1) == 1) {
|
||||
result = GenerateAttestKey(AuthorizationSetBuilder()
|
||||
.EcdsaKey(EcCurve::P_256)
|
||||
.AttestKey()
|
||||
.AttestationChallenge("foo")
|
||||
.AttestationApplicationId("bar")
|
||||
.Authorization(TAG_CERTIFICATE_SERIAL, serial_blob)
|
||||
.Authorization(TAG_CERTIFICATE_SUBJECT, subject_der)
|
||||
.Authorization(TAG_NO_AUTH_REQUIRED)
|
||||
.SetDefaultValidity(),
|
||||
attest_key_opt, &key_blob_list[i],
|
||||
&attested_key_characteristics, &cert_chain_list[i]);
|
||||
auth_set_builder.EcdsaKey(EcCurve::P_256);
|
||||
} else {
|
||||
result = GenerateAttestKey(AuthorizationSetBuilder()
|
||||
.RsaKey(2048, 65537)
|
||||
.AttestKey()
|
||||
.AttestationChallenge("foo")
|
||||
.AttestationApplicationId("bar")
|
||||
.Authorization(TAG_CERTIFICATE_SERIAL, serial_blob)
|
||||
.Authorization(TAG_CERTIFICATE_SUBJECT, subject_der)
|
||||
.Authorization(TAG_NO_AUTH_REQUIRED)
|
||||
.SetDefaultValidity(),
|
||||
attest_key_opt, &key_blob_list[i],
|
||||
auth_set_builder.RsaKey(2048, 65537);
|
||||
}
|
||||
ErrorCode result = GenerateAttestKey(auth_set_builder, attest_key_opt, &key_blob_list[i],
|
||||
&attested_key_characteristics, &cert_chain_list[i]);
|
||||
}
|
||||
// Strongbox may not support factory provisioned attestation key.
|
||||
if (SecLevel() == SecurityLevel::STRONGBOX) {
|
||||
if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) return;
|
||||
}
|
||||
ASSERT_EQ(ErrorCode::OK, result);
|
||||
deleters.push_back(KeyBlobDeleter(keymint_, key_blob_list[i]));
|
||||
|
||||
if (!isRkpOnly() || i > 0) {
|
||||
AuthorizationSet hw_enforced = HwEnforcedAuthorizations(attested_key_characteristics);
|
||||
AuthorizationSet sw_enforced = SwEnforcedAuthorizations(attested_key_characteristics);
|
||||
ASSERT_GT(cert_chain_list[i].size(), 0);
|
||||
ASSERT_TRUE(verify_attestation_record(AidlVersion(), "foo", "bar", sw_enforced, hw_enforced,
|
||||
SecLevel(),
|
||||
ASSERT_TRUE(verify_attestation_record(AidlVersion(), "foo", "bar", sw_enforced,
|
||||
hw_enforced, SecLevel(),
|
||||
cert_chain_list[i][0].encodedCertificate));
|
||||
}
|
||||
|
||||
if (i > 0) {
|
||||
/*
|
||||
|
@ -630,7 +621,7 @@ TEST_P(AttestKeyTest, AlternateAttestKeyChaining) {
|
|||
}
|
||||
|
||||
EXPECT_TRUE(ChainSignaturesAreValid(cert_chain_list[i]));
|
||||
EXPECT_GT(cert_chain_list[i].size(), i + 1);
|
||||
EXPECT_GT(cert_chain_list[i].size(), i + (isRkpOnly() ? 0 : 1));
|
||||
verify_subject_and_serial(cert_chain_list[i][0], serial_int, subject, false);
|
||||
}
|
||||
}
|
||||
|
|
|
@ -455,18 +455,7 @@ TEST_P(AuthTest, TimeoutAuthenticationMultiSid) {
|
|||
.Authorization(TAG_AUTH_TIMEOUT, timeout_secs);
|
||||
vector<uint8_t> keyblob;
|
||||
vector<KeyCharacteristics> key_characteristics;
|
||||
vector<Certificate> cert_chain;
|
||||
auto result = GenerateKey(builder, std::nullopt, &keyblob, &key_characteristics, &cert_chain);
|
||||
if (SecLevel() == SecurityLevel::STRONGBOX) {
|
||||
if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) {
|
||||
result = GenerateKeyWithSelfSignedAttestKey(AuthorizationSetBuilder()
|
||||
.EcdsaKey(EcCurve::P_256)
|
||||
.AttestKey()
|
||||
.SetDefaultValidity(),
|
||||
builder, &keyblob, &key_characteristics,
|
||||
&cert_chain);
|
||||
}
|
||||
}
|
||||
auto result = GenerateKey(builder, &keyblob, &key_characteristics);
|
||||
ASSERT_EQ(ErrorCode::OK, result);
|
||||
|
||||
// Verify first user to get a HAT that should work.
|
||||
|
|
|
@ -54,18 +54,6 @@ class BootloaderStateTest : public KeyMintAidlTestBase {
|
|||
.Digest(Digest::NONE)
|
||||
.SetDefaultValidity();
|
||||
auto result = GenerateKey(keyDesc, &key_blob, &key_characteristics);
|
||||
// If factory provisioned attestation key is not supported by Strongbox,
|
||||
// then create a key with self-signed attestation and use it as the
|
||||
// attestation key instead.
|
||||
if (SecLevel() == SecurityLevel::STRONGBOX &&
|
||||
result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) {
|
||||
result = GenerateKeyWithSelfSignedAttestKey(
|
||||
AuthorizationSetBuilder()
|
||||
.EcdsaKey(EcCurve::P_256)
|
||||
.AttestKey()
|
||||
.SetDefaultValidity(), /* attest key params */
|
||||
keyDesc, &key_blob, &key_characteristics);
|
||||
}
|
||||
ASSERT_EQ(ErrorCode::OK, result);
|
||||
|
||||
// Parse attested AVB values.
|
||||
|
|
|
@ -73,7 +73,8 @@ TEST_P(DeviceUniqueAttestationTest, RsaNonStrongBoxUnimplemented) {
|
|||
vector<KeyCharacteristics> key_characteristics;
|
||||
|
||||
// Check RSA implementation
|
||||
auto result = GenerateKey(AuthorizationSetBuilder()
|
||||
auto result =
|
||||
GenerateKey(AuthorizationSetBuilder()
|
||||
.Authorization(TAG_NO_AUTH_REQUIRED)
|
||||
.RsaSigningKey(2048, 65537)
|
||||
.Digest(Digest::SHA_2_256)
|
||||
|
@ -84,9 +85,10 @@ TEST_P(DeviceUniqueAttestationTest, RsaNonStrongBoxUnimplemented) {
|
|||
.AttestationChallenge("challenge")
|
||||
.AttestationApplicationId("foo")
|
||||
.Authorization(TAG_DEVICE_UNIQUE_ATTESTATION),
|
||||
&key_blob, &key_characteristics);
|
||||
/*attest_key=*/std::nullopt, &key_blob, &key_characteristics, &cert_chain_);
|
||||
|
||||
ASSERT_TRUE(result == ErrorCode::INVALID_ARGUMENT || result == ErrorCode::UNSUPPORTED_TAG);
|
||||
ASSERT_TRUE(result == ErrorCode::INVALID_ARGUMENT || result == ErrorCode::UNSUPPORTED_TAG)
|
||||
<< "Result: " << result;
|
||||
}
|
||||
|
||||
/*
|
||||
|
@ -104,7 +106,8 @@ TEST_P(DeviceUniqueAttestationTest, EcdsaNonStrongBoxUnimplemented) {
|
|||
vector<KeyCharacteristics> key_characteristics;
|
||||
|
||||
// Check Ecdsa implementation
|
||||
auto result = GenerateKey(AuthorizationSetBuilder()
|
||||
auto result =
|
||||
GenerateKey(AuthorizationSetBuilder()
|
||||
.Authorization(TAG_NO_AUTH_REQUIRED)
|
||||
.EcdsaSigningKey(EcCurve::P_256)
|
||||
.Digest(Digest::SHA_2_256)
|
||||
|
@ -114,9 +117,10 @@ TEST_P(DeviceUniqueAttestationTest, EcdsaNonStrongBoxUnimplemented) {
|
|||
.AttestationChallenge("challenge")
|
||||
.AttestationApplicationId("foo")
|
||||
.Authorization(TAG_DEVICE_UNIQUE_ATTESTATION),
|
||||
&key_blob, &key_characteristics);
|
||||
/*attest_key=*/std::nullopt, &key_blob, &key_characteristics, &cert_chain_);
|
||||
|
||||
ASSERT_TRUE(result == ErrorCode::INVALID_ARGUMENT || result == ErrorCode::UNSUPPORTED_TAG);
|
||||
ASSERT_TRUE(result == ErrorCode::INVALID_ARGUMENT || result == ErrorCode::UNSUPPORTED_TAG)
|
||||
<< "Result: " << result;
|
||||
}
|
||||
|
||||
/*
|
||||
|
|
|
@ -20,6 +20,10 @@
|
|||
#include <fstream>
|
||||
#include <unordered_set>
|
||||
#include <vector>
|
||||
#include "aidl/android/hardware/security/keymint/AttestationKey.h"
|
||||
#include "aidl/android/hardware/security/keymint/ErrorCode.h"
|
||||
#include "keymint_support/authorization_set.h"
|
||||
#include "keymint_support/keymint_tags.h"
|
||||
|
||||
#include <android-base/logging.h>
|
||||
#include <android/binder_manager.h>
|
||||
|
@ -245,6 +249,13 @@ bool KeyMintAidlTestBase::isSecondImeiIdAttestationRequired() {
|
|||
return AidlVersion() >= 3 && property_get_int32("ro.vendor.api_level", 0) > __ANDROID_API_T__;
|
||||
}
|
||||
|
||||
bool KeyMintAidlTestBase::isRkpOnly() {
|
||||
if (SecLevel() == SecurityLevel::STRONGBOX) {
|
||||
return property_get_bool("remote_provisioning.strongbox.rkp_only", false);
|
||||
}
|
||||
return property_get_bool("remote_provisioning.tee.rkp_only", false);
|
||||
}
|
||||
|
||||
bool KeyMintAidlTestBase::Curve25519Supported() {
|
||||
// Strongbox never supports curve 25519.
|
||||
if (SecLevel() == SecurityLevel::STRONGBOX) {
|
||||
|
@ -295,6 +306,40 @@ void KeyMintAidlTestBase::SetUp() {
|
|||
}
|
||||
}
|
||||
|
||||
ErrorCode KeyMintAidlTestBase::GenerateKey(const AuthorizationSet& key_desc) {
|
||||
return GenerateKey(key_desc, &key_blob_, &key_characteristics_);
|
||||
}
|
||||
|
||||
ErrorCode KeyMintAidlTestBase::GenerateKey(const AuthorizationSet& key_desc,
|
||||
vector<uint8_t>* key_blob,
|
||||
vector<KeyCharacteristics>* key_characteristics) {
|
||||
std::optional<AttestationKey> attest_key = std::nullopt;
|
||||
vector<Certificate> attest_cert_chain;
|
||||
// If an attestation is requested, but the system is RKP-only, we need to supply an explicit
|
||||
// attestation key. Else the result is a key without an attestation.
|
||||
if (isRkpOnly() && key_desc.Contains(TAG_ATTESTATION_CHALLENGE)) {
|
||||
skipAttestKeyTestIfNeeded();
|
||||
AuthorizationSet attest_key_desc =
|
||||
AuthorizationSetBuilder().EcdsaKey(EcCurve::P_256).AttestKey().SetDefaultValidity();
|
||||
attest_key.emplace();
|
||||
vector<KeyCharacteristics> attest_key_characteristics;
|
||||
auto error = GenerateAttestKey(attest_key_desc, std::nullopt, &attest_key.value().keyBlob,
|
||||
&attest_key_characteristics, &attest_cert_chain);
|
||||
EXPECT_EQ(error, ErrorCode::OK);
|
||||
EXPECT_EQ(attest_cert_chain.size(), 1);
|
||||
attest_key.value().issuerSubjectName = make_name_from_str("Android Keystore Key");
|
||||
}
|
||||
|
||||
ErrorCode error =
|
||||
GenerateKey(key_desc, attest_key, key_blob, key_characteristics, &cert_chain_);
|
||||
|
||||
if (error == ErrorCode::OK && attest_cert_chain.size() > 0) {
|
||||
cert_chain_.push_back(attest_cert_chain[0]);
|
||||
}
|
||||
|
||||
return error;
|
||||
}
|
||||
|
||||
ErrorCode KeyMintAidlTestBase::GenerateKey(const AuthorizationSet& key_desc,
|
||||
const optional<AttestationKey>& attest_key,
|
||||
vector<uint8_t>* key_blob,
|
||||
|
@ -335,36 +380,6 @@ ErrorCode KeyMintAidlTestBase::GenerateKey(const AuthorizationSet& key_desc,
|
|||
return GetReturnErrorCode(result);
|
||||
}
|
||||
|
||||
ErrorCode KeyMintAidlTestBase::GenerateKey(const AuthorizationSet& key_desc,
|
||||
const optional<AttestationKey>& attest_key) {
|
||||
return GenerateKey(key_desc, attest_key, &key_blob_, &key_characteristics_, &cert_chain_);
|
||||
}
|
||||
|
||||
ErrorCode KeyMintAidlTestBase::GenerateKeyWithSelfSignedAttestKey(
|
||||
const AuthorizationSet& attest_key_desc, const AuthorizationSet& key_desc,
|
||||
vector<uint8_t>* key_blob, vector<KeyCharacteristics>* key_characteristics,
|
||||
vector<Certificate>* cert_chain) {
|
||||
skipAttestKeyTest();
|
||||
AttestationKey attest_key;
|
||||
vector<Certificate> attest_cert_chain;
|
||||
vector<KeyCharacteristics> attest_key_characteristics;
|
||||
// Generate a key with self signed attestation.
|
||||
auto error = GenerateAttestKey(attest_key_desc, std::nullopt, &attest_key.keyBlob,
|
||||
&attest_key_characteristics, &attest_cert_chain);
|
||||
if (error != ErrorCode::OK) {
|
||||
return error;
|
||||
}
|
||||
|
||||
attest_key.issuerSubjectName = make_name_from_str("Android Keystore Key");
|
||||
// Generate a key, by passing the above self signed attestation key as attest key.
|
||||
error = GenerateKey(key_desc, attest_key, key_blob, key_characteristics, cert_chain);
|
||||
if (error == ErrorCode::OK) {
|
||||
// Append the attest_cert_chain to the attested cert_chain to yield a valid cert chain.
|
||||
cert_chain->push_back(attest_cert_chain[0]);
|
||||
}
|
||||
return error;
|
||||
}
|
||||
|
||||
ErrorCode KeyMintAidlTestBase::ImportKey(const AuthorizationSet& key_desc, KeyFormat format,
|
||||
const string& key_material, vector<uint8_t>* key_blob,
|
||||
vector<KeyCharacteristics>* key_characteristics) {
|
||||
|
@ -1663,7 +1678,7 @@ bool KeyMintAidlTestBase::shouldSkipAttestKeyTest(void) const {
|
|||
|
||||
// Skip a test that involves use of the ATTEST_KEY feature in specific configurations
|
||||
// where ATTEST_KEY is not supported (for either StrongBox or TEE).
|
||||
void KeyMintAidlTestBase::skipAttestKeyTest(void) const {
|
||||
void KeyMintAidlTestBase::skipAttestKeyTestIfNeeded() const {
|
||||
if (shouldSkipAttestKeyTest()) {
|
||||
GTEST_SKIP() << "Test using ATTEST_KEY is not applicable on waivered device";
|
||||
}
|
||||
|
|
|
@ -104,35 +104,19 @@ class KeyMintAidlTestBase : public ::testing::TestWithParam<string> {
|
|||
uint32_t boot_patch_level();
|
||||
bool isDeviceIdAttestationRequired();
|
||||
bool isSecondImeiIdAttestationRequired();
|
||||
bool isRkpOnly();
|
||||
|
||||
bool Curve25519Supported();
|
||||
|
||||
ErrorCode GenerateKey(const AuthorizationSet& key_desc);
|
||||
|
||||
ErrorCode GenerateKey(const AuthorizationSet& key_desc, vector<uint8_t>* key_blob,
|
||||
vector<KeyCharacteristics>* key_characteristics) {
|
||||
return GenerateKey(key_desc, std::nullopt /* attest_key */, key_blob, key_characteristics,
|
||||
&cert_chain_);
|
||||
}
|
||||
vector<KeyCharacteristics>* key_characteristics);
|
||||
|
||||
ErrorCode GenerateKey(const AuthorizationSet& key_desc,
|
||||
const optional<AttestationKey>& attest_key, vector<uint8_t>* key_blob,
|
||||
vector<KeyCharacteristics>* key_characteristics,
|
||||
vector<Certificate>* cert_chain);
|
||||
ErrorCode GenerateKey(const AuthorizationSet& key_desc,
|
||||
const optional<AttestationKey>& attest_key = std::nullopt);
|
||||
|
||||
// Generate key for implementations which do not support factory attestation.
|
||||
ErrorCode GenerateKeyWithSelfSignedAttestKey(const AuthorizationSet& attest_key_desc,
|
||||
const AuthorizationSet& key_desc,
|
||||
vector<uint8_t>* key_blob,
|
||||
vector<KeyCharacteristics>* key_characteristics,
|
||||
vector<Certificate>* cert_chain);
|
||||
|
||||
ErrorCode GenerateKeyWithSelfSignedAttestKey(const AuthorizationSet& attest_key_desc,
|
||||
const AuthorizationSet& key_desc,
|
||||
vector<uint8_t>* key_blob,
|
||||
vector<KeyCharacteristics>* key_characteristics) {
|
||||
return GenerateKeyWithSelfSignedAttestKey(attest_key_desc, key_desc, key_blob,
|
||||
key_characteristics, &cert_chain_);
|
||||
}
|
||||
|
||||
ErrorCode ImportKey(const AuthorizationSet& key_desc, KeyFormat format,
|
||||
const string& key_material, vector<uint8_t>* key_blob,
|
||||
|
@ -372,7 +356,7 @@ class KeyMintAidlTestBase : public ::testing::TestWithParam<string> {
|
|||
bool is_strongbox_enabled(void) const;
|
||||
bool is_chipset_allowed_km4_strongbox(void) const;
|
||||
bool shouldSkipAttestKeyTest(void) const;
|
||||
void skipAttestKeyTest(void) const;
|
||||
void skipAttestKeyTestIfNeeded() const;
|
||||
|
||||
void assert_mgf_digests_present_or_not_in_key_characteristics(
|
||||
const vector<KeyCharacteristics>& key_characteristics,
|
||||
|
|
|
@ -37,6 +37,7 @@
|
|||
#include <aidl/android/hardware/security/keymint/IRemotelyProvisionedComponent.h>
|
||||
#include <aidl/android/hardware/security/keymint/KeyFormat.h>
|
||||
|
||||
#include <keymint_support/authorization_set.h>
|
||||
#include <keymint_support/key_param_output.h>
|
||||
#include <keymint_support/openssl_utils.h>
|
||||
|
||||
|
@ -1146,17 +1147,6 @@ TEST_P(NewKeyGenerationTest, RsaWithAttestation) {
|
|||
.SetDefaultValidity();
|
||||
|
||||
auto result = GenerateKey(builder, &key_blob, &key_characteristics);
|
||||
// Strongbox may not support factory provisioned attestation key.
|
||||
if (SecLevel() == SecurityLevel::STRONGBOX) {
|
||||
if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) {
|
||||
result = GenerateKeyWithSelfSignedAttestKey(
|
||||
AuthorizationSetBuilder()
|
||||
.RsaKey(key_size, 65537)
|
||||
.AttestKey()
|
||||
.SetDefaultValidity(), /* attest key params */
|
||||
builder, &key_blob, &key_characteristics);
|
||||
}
|
||||
}
|
||||
ASSERT_EQ(ErrorCode::OK, result);
|
||||
KeyBlobDeleter deleter(keymint_, key_blob);
|
||||
ASSERT_GT(key_blob.size(), 0U);
|
||||
|
@ -1369,17 +1359,6 @@ TEST_P(NewKeyGenerationTest, RsaEncryptionWithAttestation) {
|
|||
.SetDefaultValidity();
|
||||
|
||||
auto result = GenerateKey(builder, &key_blob, &key_characteristics);
|
||||
// Strongbox may not support factory provisioned attestation key.
|
||||
if (SecLevel() == SecurityLevel::STRONGBOX) {
|
||||
if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) {
|
||||
result = GenerateKeyWithSelfSignedAttestKey(
|
||||
AuthorizationSetBuilder()
|
||||
.RsaKey(key_size, 65537)
|
||||
.AttestKey()
|
||||
.SetDefaultValidity(), /* attest key params */
|
||||
builder, &key_blob, &key_characteristics);
|
||||
}
|
||||
}
|
||||
ASSERT_EQ(ErrorCode::OK, result);
|
||||
KeyBlobDeleter deleter(keymint_, key_blob);
|
||||
|
||||
|
@ -1490,17 +1469,6 @@ TEST_P(NewKeyGenerationTest, RsaWithAttestationMissAppId) {
|
|||
.SetDefaultValidity();
|
||||
|
||||
auto result = GenerateKey(builder, &key_blob, &key_characteristics);
|
||||
// Strongbox may not support factory provisioned attestation key.
|
||||
if (SecLevel() == SecurityLevel::STRONGBOX) {
|
||||
if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) {
|
||||
result = GenerateKeyWithSelfSignedAttestKey(
|
||||
AuthorizationSetBuilder()
|
||||
.RsaKey(2048, 65537)
|
||||
.AttestKey()
|
||||
.SetDefaultValidity(), /* attest key params */
|
||||
builder, &key_blob, &key_characteristics);
|
||||
}
|
||||
}
|
||||
ASSERT_EQ(ErrorCode::ATTESTATION_APPLICATION_ID_MISSING, result);
|
||||
}
|
||||
|
||||
|
@ -1625,17 +1593,6 @@ TEST_P(NewKeyGenerationTest, LimitedUsageRsaWithAttestation) {
|
|||
.SetDefaultValidity();
|
||||
|
||||
auto result = GenerateKey(builder, &key_blob, &key_characteristics);
|
||||
// Strongbox may not support factory provisioned attestation key.
|
||||
if (SecLevel() == SecurityLevel::STRONGBOX) {
|
||||
if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) {
|
||||
result = GenerateKeyWithSelfSignedAttestKey(
|
||||
AuthorizationSetBuilder()
|
||||
.RsaKey(key_size, 65537)
|
||||
.AttestKey()
|
||||
.SetDefaultValidity(), /* attest key params */
|
||||
builder, &key_blob, &key_characteristics);
|
||||
}
|
||||
}
|
||||
ASSERT_EQ(ErrorCode::OK, result);
|
||||
KeyBlobDeleter deleter(keymint_, key_blob);
|
||||
|
||||
|
@ -1877,17 +1834,6 @@ TEST_P(NewKeyGenerationTest, EcdsaAttestation) {
|
|||
.SetDefaultValidity();
|
||||
|
||||
auto result = GenerateKey(builder, &key_blob, &key_characteristics);
|
||||
// Strongbox may not support factory provisioned attestation key.
|
||||
if (SecLevel() == SecurityLevel::STRONGBOX) {
|
||||
if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) {
|
||||
result = GenerateKeyWithSelfSignedAttestKey(
|
||||
AuthorizationSetBuilder()
|
||||
.EcdsaKey(curve)
|
||||
.AttestKey()
|
||||
.SetDefaultValidity(), /* attest key params */
|
||||
builder, &key_blob, &key_characteristics);
|
||||
}
|
||||
}
|
||||
ASSERT_EQ(ErrorCode::OK, result);
|
||||
KeyBlobDeleter deleter(keymint_, key_blob);
|
||||
ASSERT_GT(key_blob.size(), 0U);
|
||||
|
@ -2020,17 +1966,6 @@ TEST_P(NewKeyGenerationTest, EcdsaAttestationTags) {
|
|||
// Tag not required to be supported by all KeyMint implementations.
|
||||
continue;
|
||||
}
|
||||
// Strongbox may not support factory provisioned attestation key.
|
||||
if (SecLevel() == SecurityLevel::STRONGBOX) {
|
||||
if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) {
|
||||
result = GenerateKeyWithSelfSignedAttestKey(
|
||||
AuthorizationSetBuilder()
|
||||
.EcdsaKey(EcCurve::P_256)
|
||||
.AttestKey()
|
||||
.SetDefaultValidity(), /* attest key params */
|
||||
builder, &key_blob, &key_characteristics);
|
||||
}
|
||||
}
|
||||
ASSERT_EQ(result, ErrorCode::OK);
|
||||
KeyBlobDeleter deleter(keymint_, key_blob);
|
||||
ASSERT_GT(key_blob.size(), 0U);
|
||||
|
@ -2082,18 +2017,6 @@ TEST_P(NewKeyGenerationTest, EcdsaAttestationTags) {
|
|||
builder.push_back(tag);
|
||||
|
||||
auto error = GenerateKey(builder, &key_blob, &key_characteristics);
|
||||
// Strongbox may not support factory provisioned attestation key.
|
||||
if (SecLevel() == SecurityLevel::STRONGBOX) {
|
||||
if (error == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) {
|
||||
error = GenerateKeyWithSelfSignedAttestKey(
|
||||
AuthorizationSetBuilder()
|
||||
.EcdsaKey(EcCurve::P_256)
|
||||
.AttestKey()
|
||||
.SetDefaultValidity(), /* attest key params */
|
||||
builder, &key_blob, &key_characteristics);
|
||||
}
|
||||
}
|
||||
|
||||
device_id_attestation_check_acceptable_error(tag.tag, error);
|
||||
}
|
||||
}
|
||||
|
@ -2138,10 +2061,6 @@ TEST_P(NewKeyGenerationTest, EcdsaAttestationIdTags) {
|
|||
AuthorizationSetBuilder builder = base_builder;
|
||||
builder.push_back(tag);
|
||||
auto result = GenerateKey(builder, &key_blob, &key_characteristics);
|
||||
// Strongbox may not support factory provisioned attestation key.
|
||||
if (SecLevel() == SecurityLevel::STRONGBOX) {
|
||||
if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) return;
|
||||
}
|
||||
if (result == ErrorCode::CANNOT_ATTEST_IDS && !isDeviceIdAttestationRequired()) {
|
||||
// ID attestation was optional till api level 32, from api level 33 it is mandatory.
|
||||
continue;
|
||||
|
@ -2199,16 +2118,6 @@ TEST_P(NewKeyGenerationTest, EcdsaAttestationUniqueId) {
|
|||
builder.Authorization(TAG_RESET_SINCE_ID_ROTATION);
|
||||
}
|
||||
auto result = GenerateKey(builder);
|
||||
if (SecLevel() == SecurityLevel::STRONGBOX) {
|
||||
if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) {
|
||||
result = GenerateKeyWithSelfSignedAttestKey(
|
||||
AuthorizationSetBuilder()
|
||||
.EcdsaKey(EcCurve::P_256)
|
||||
.AttestKey()
|
||||
.SetDefaultValidity(), /* attest key params */
|
||||
builder, &key_blob_, &key_characteristics_, &cert_chain_);
|
||||
}
|
||||
}
|
||||
ASSERT_EQ(ErrorCode::OK, result);
|
||||
ASSERT_GT(key_blob_.size(), 0U);
|
||||
|
||||
|
@ -2309,17 +2218,6 @@ TEST_P(NewKeyGenerationTest, EcdsaAttestationTagNoApplicationId) {
|
|||
.SetDefaultValidity();
|
||||
|
||||
auto result = GenerateKey(builder, &key_blob, &key_characteristics);
|
||||
// Strongbox may not support factory provisioned attestation key.
|
||||
if (SecLevel() == SecurityLevel::STRONGBOX) {
|
||||
if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) {
|
||||
result = GenerateKeyWithSelfSignedAttestKey(
|
||||
AuthorizationSetBuilder()
|
||||
.EcdsaKey(EcCurve::P_256)
|
||||
.AttestKey()
|
||||
.SetDefaultValidity(), /* attest key params */
|
||||
builder, &key_blob, &key_characteristics);
|
||||
}
|
||||
}
|
||||
ASSERT_EQ(result, ErrorCode::OK);
|
||||
KeyBlobDeleter deleter(keymint_, key_blob);
|
||||
ASSERT_GT(key_blob.size(), 0U);
|
||||
|
@ -2404,17 +2302,6 @@ TEST_P(NewKeyGenerationTest, EcdsaAttestationRequireAppId) {
|
|||
.SetDefaultValidity();
|
||||
|
||||
auto result = GenerateKey(builder, &key_blob, &key_characteristics);
|
||||
// Strongbox may not support factory provisioned attestation key.
|
||||
if (SecLevel() == SecurityLevel::STRONGBOX) {
|
||||
if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) {
|
||||
result = GenerateKeyWithSelfSignedAttestKey(
|
||||
AuthorizationSetBuilder()
|
||||
.EcdsaKey(EcCurve::P_256)
|
||||
.AttestKey()
|
||||
.SetDefaultValidity(), /* attest key params */
|
||||
builder, &key_blob, &key_characteristics);
|
||||
}
|
||||
}
|
||||
ASSERT_EQ(ErrorCode::ATTESTATION_APPLICATION_ID_MISSING, result);
|
||||
}
|
||||
|
||||
|
@ -2482,17 +2369,6 @@ TEST_P(NewKeyGenerationTest, AttestationApplicationIDLengthProperlyEncoded) {
|
|||
.SetDefaultValidity();
|
||||
|
||||
auto result = GenerateKey(builder, &key_blob, &key_characteristics);
|
||||
// Strongbox may not support factory provisioned attestation key.
|
||||
if (SecLevel() == SecurityLevel::STRONGBOX) {
|
||||
if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) {
|
||||
result = GenerateKeyWithSelfSignedAttestKey(
|
||||
AuthorizationSetBuilder()
|
||||
.EcdsaKey(EcCurve::P_256)
|
||||
.AttestKey()
|
||||
.SetDefaultValidity(), /* attest key params */
|
||||
builder, &key_blob, &key_characteristics);
|
||||
}
|
||||
}
|
||||
ASSERT_EQ(ErrorCode::OK, result);
|
||||
KeyBlobDeleter deleter(keymint_, key_blob);
|
||||
ASSERT_GT(key_blob.size(), 0U);
|
||||
|
@ -2718,7 +2594,8 @@ TEST_P(NewKeyGenerationTest, HmacNoAttestation) {
|
|||
.AttestationChallenge(challenge)
|
||||
.AttestationApplicationId(app_id)
|
||||
.Authorization(TAG_MIN_MAC_LENGTH, 128),
|
||||
&key_blob, &key_characteristics));
|
||||
/*attest_key=*/std::nullopt, &key_blob,
|
||||
&key_characteristics, &cert_chain_));
|
||||
KeyBlobDeleter deleter(keymint_, key_blob);
|
||||
|
||||
ASSERT_GT(key_blob.size(), 0U);
|
||||
|
@ -2907,7 +2784,9 @@ TEST_P(NewKeyGenerationTest, AesNoAttestation) {
|
|||
.EcbMode()
|
||||
.Padding(PaddingMode::PKCS7)
|
||||
.AttestationChallenge(challenge)
|
||||
.AttestationApplicationId(app_id)));
|
||||
.AttestationApplicationId(app_id),
|
||||
/*attest_key=*/std::nullopt, &key_blob_,
|
||||
&key_characteristics_, &cert_chain_));
|
||||
|
||||
ASSERT_EQ(cert_chain_.size(), 0);
|
||||
}
|
||||
|
@ -2928,7 +2807,9 @@ TEST_P(NewKeyGenerationTest, TripleDesNoAttestation) {
|
|||
.Authorization(TAG_NO_AUTH_REQUIRED)
|
||||
.Padding(PaddingMode::NONE)
|
||||
.AttestationChallenge(challenge)
|
||||
.AttestationApplicationId(app_id)));
|
||||
.AttestationApplicationId(app_id),
|
||||
/*attest_key=*/std::nullopt, &key_blob_,
|
||||
&key_characteristics_, &cert_chain_));
|
||||
ASSERT_EQ(cert_chain_.size(), 0);
|
||||
}
|
||||
|
||||
|
@ -8510,17 +8391,6 @@ class KeyAgreementTest : public KeyMintAidlTestBase {
|
|||
.Authorization(TAG_ATTESTATION_CHALLENGE, challenge)
|
||||
.SetDefaultValidity();
|
||||
ErrorCode result = GenerateKey(builder);
|
||||
|
||||
if (SecLevel() == SecurityLevel::STRONGBOX) {
|
||||
if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) {
|
||||
result = GenerateKeyWithSelfSignedAttestKey(
|
||||
AuthorizationSetBuilder()
|
||||
.EcdsaKey(EcCurve::P_256)
|
||||
.AttestKey()
|
||||
.SetDefaultValidity(), /* attest key params */
|
||||
builder, &key_blob_, &key_characteristics_, &cert_chain_);
|
||||
}
|
||||
}
|
||||
ASSERT_EQ(ErrorCode::OK, result) << "Failed to generate key";
|
||||
ASSERT_GT(cert_chain_.size(), 0);
|
||||
X509_Ptr kmKeyCert(parse_cert_blob(cert_chain_[0].encodedCertificate));
|
||||
|
@ -8811,11 +8681,6 @@ TEST_P(EarlyBootKeyTest, CreateAttestedEarlyBootKey) {
|
|||
KeyBlobDeleter ecdsa_deleter(keymint_, ecdsaKeyData.blob);
|
||||
|
||||
for (const auto& keyData : {aesKeyData, hmacKeyData, rsaKeyData, ecdsaKeyData}) {
|
||||
// Strongbox may not support factory attestation. Key creation might fail with
|
||||
// ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED
|
||||
if (SecLevel() == SecurityLevel::STRONGBOX && keyData.blob.size() == 0U) {
|
||||
continue;
|
||||
}
|
||||
ASSERT_GT(keyData.blob.size(), 0U);
|
||||
AuthorizationSet crypto_params = SecLevelAuthorizations(keyData.characteristics);
|
||||
EXPECT_TRUE(crypto_params.Contains(TAG_EARLY_BOOT_ONLY)) << crypto_params;
|
||||
|
|
Loading…
Reference in a new issue