Merge "Cope with rkp-only devices in legacy keyblob test" into main

2024-04-10 15:51:45 +00:00 · 2024-04-10 15:51:45 +00:00 · 5c5a412b3c
commit 5c5a412b3c
parent 3acb6db524 b0914ea70a
1 changed files with 24 additions and 25 deletions
--- a/keystore2/tests/legacy_blobs/keystore2_legacy_blob_tests.rs
+++ b/keystore2/tests/legacy_blobs/keystore2_legacy_blob_tests.rs
@ -46,6 +46,10 @@ static USER_MANAGER_SERVICE_NAME: &str = "android.security.maintenance";
 static AUTH_SERVICE_NAME: &str = "android.security.authorization";
 const SELINUX_SHELL_NAMESPACE: i64 = 1;

+fn rkp_only() -> bool {
+    matches!(rustutils::system_properties::read("remote_provisioning.tee.rkp_only"), Ok(Some(v)) if v == "1")
+}
+
 fn get_maintenance() -> binder::Strong<dyn IKeystoreMaintenance> {
    binder::get_interface(USER_MANAGER_SERVICE_NAME).unwrap()
 }
@ -162,13 +166,13 @@ fn keystore2_encrypted_characteristics() -> anyhow::Result<()> {
                .getSecurityLevel(SecurityLevel::SecurityLevel::TRUSTED_ENVIRONMENT)
                .unwrap();
            // Generate Key BLOB and prepare legacy keystore blob files.
-            let att_challenge: &[u8] = b"foo";
+            let att_challenge: Option<&[u8]> = if rkp_only() { None } else { Some(b"foo") };
            let key_metadata = key_generations::generate_ec_p256_signing_key(
                &sec_level,
                Domain::BLOB,
                SELINUX_SHELL_NAMESPACE,
                None,
-                Some(att_challenge),
+                att_challenge,
            )
            .expect("Failed to generate key blob");

@ -212,14 +216,12 @@ fn keystore2_encrypted_characteristics() -> anyhow::Result<()> {
                    .unwrap();
            }

-            let mut path_buf = PathBuf::from("/data/misc/keystore/user_99");
-            path_buf.push("9910001_CACERT_authbound");
-            if !path_buf.as_path().is_file() {
-                make_cert_blob_file(
-                    path_buf.as_path(),
-                    key_metadata.certificateChain.as_ref().unwrap(),
-                )
-                .unwrap();
+            if let Some(chain) = key_metadata.certificateChain.as_ref() {
+                let mut path_buf = PathBuf::from("/data/misc/keystore/user_99");
+                path_buf.push("9910001_CACERT_authbound");
+                if !path_buf.as_path().is_file() {
+                    make_cert_blob_file(path_buf.as_path(), chain).unwrap();
+                }
            }

            // Keystore2 disables the legacy importer when it finds the legacy database empty.
@ -246,7 +248,7 @@ fn keystore2_encrypted_characteristics() -> anyhow::Result<()> {

            KeygenResult {
                cert: key_metadata.certificate.unwrap(),
-                cert_chain: key_metadata.certificateChain.unwrap(),
+                cert_chain: key_metadata.certificateChain.unwrap_or_default(),
                key_parameters: key_params,
            }
        })
@ -275,7 +277,7 @@ fn keystore2_encrypted_characteristics() -> anyhow::Result<()> {
                        gen_key_result.cert
                    );
                    assert_eq!(
-                        key_entry_response.metadata.certificateChain.unwrap(),
+                        key_entry_response.metadata.certificateChain.unwrap_or_default(),
                        gen_key_result.cert_chain
                    );
                    assert_eq!(key_entry_response.metadata.key.domain, Domain::KEY_ID);
@ -415,13 +417,13 @@ fn keystore2_encrypted_certificates() -> anyhow::Result<()> {
                .getSecurityLevel(SecurityLevel::SecurityLevel::TRUSTED_ENVIRONMENT)
                .unwrap();
            // Generate Key BLOB and prepare legacy keystore blob files.
-            let att_challenge: &[u8] = b"foo";
+            let att_challenge: Option<&[u8]> = if rkp_only() { None } else { Some(b"foo") };
            let key_metadata = key_generations::generate_ec_p256_signing_key(
                &sec_level,
                Domain::BLOB,
                SELINUX_SHELL_NAMESPACE,
                None,
-                Some(att_challenge),
+                att_challenge,
            )
            .expect("Failed to generate key blob");

@ -468,15 +470,12 @@ fn keystore2_encrypted_certificates() -> anyhow::Result<()> {
                .unwrap();
            }

-            let mut path_buf = PathBuf::from("/data/misc/keystore/user_98");
-            path_buf.push("9810001_CACERT_authboundcertenc");
-            if !path_buf.as_path().is_file() {
-                make_encrypted_ca_cert_file(
-                    path_buf.as_path(),
-                    &super_key,
-                    key_metadata.certificateChain.as_ref().unwrap(),
-                )
-                .unwrap();
+            if let Some(chain) = key_metadata.certificateChain.as_ref() {
+                let mut path_buf = PathBuf::from("/data/misc/keystore/user_98");
+                path_buf.push("9810001_CACERT_authboundcertenc");
+                if !path_buf.as_path().is_file() {
+                    make_encrypted_ca_cert_file(path_buf.as_path(), &super_key, chain).unwrap();
+                }
            }

            // Keystore2 disables the legacy importer when it finds the legacy database empty.
@ -503,7 +502,7 @@ fn keystore2_encrypted_certificates() -> anyhow::Result<()> {

            KeygenResult {
                cert: key_metadata.certificate.unwrap(),
-                cert_chain: key_metadata.certificateChain.unwrap(),
+                cert_chain: key_metadata.certificateChain.unwrap_or_default(),
                key_parameters: key_params,
            }
        })
@ -532,7 +531,7 @@ fn keystore2_encrypted_certificates() -> anyhow::Result<()> {
                        gen_key_result.cert
                    );
                    assert_eq!(
-                        key_entry_response.metadata.certificateChain.unwrap(),
+                        key_entry_response.metadata.certificateChain.unwrap_or_default(),
                        gen_key_result.cert_chain
                    );