From b0914ea70af57f1a79304ea6de144020c123b3eb Mon Sep 17 00:00:00 2001 From: David Drysdale Date: Wed, 10 Apr 2024 12:58:23 +0100 Subject: [PATCH] Cope with rkp-only devices in legacy keyblob test On a rkp-only device it is not possible to generate an attestation on a bare key generation (attestations can only be generated if an ATTEST_KEY is provided). Bug: 329409739 Test: keystore2_legacy_blobs_test Change-Id: Icdc4037466ab32366c34feeb42b58822ea110ebf --- .../keystore2_legacy_blob_tests.rs | 49 +++++++++---------- 1 file changed, 24 insertions(+), 25 deletions(-) diff --git a/keystore2/tests/legacy_blobs/keystore2_legacy_blob_tests.rs b/keystore2/tests/legacy_blobs/keystore2_legacy_blob_tests.rs index 0335159a..3be99ee3 100644 --- a/keystore2/tests/legacy_blobs/keystore2_legacy_blob_tests.rs +++ b/keystore2/tests/legacy_blobs/keystore2_legacy_blob_tests.rs @@ -46,6 +46,10 @@ static USER_MANAGER_SERVICE_NAME: &str = "android.security.maintenance"; static AUTH_SERVICE_NAME: &str = "android.security.authorization"; const SELINUX_SHELL_NAMESPACE: i64 = 1; +fn rkp_only() -> bool { + matches!(rustutils::system_properties::read("remote_provisioning.tee.rkp_only"), Ok(Some(v)) if v == "1") +} + fn get_maintenance() -> binder::Strong { binder::get_interface(USER_MANAGER_SERVICE_NAME).unwrap() } @@ -162,13 +166,13 @@ fn keystore2_encrypted_characteristics() -> anyhow::Result<()> { .getSecurityLevel(SecurityLevel::SecurityLevel::TRUSTED_ENVIRONMENT) .unwrap(); // Generate Key BLOB and prepare legacy keystore blob files. - let att_challenge: &[u8] = b"foo"; + let att_challenge: Option<&[u8]> = if rkp_only() { None } else { Some(b"foo") }; let key_metadata = key_generations::generate_ec_p256_signing_key( &sec_level, Domain::BLOB, SELINUX_SHELL_NAMESPACE, None, - Some(att_challenge), + att_challenge, ) .expect("Failed to generate key blob"); @@ -212,14 +216,12 @@ fn keystore2_encrypted_characteristics() -> anyhow::Result<()> { .unwrap(); } - let mut path_buf = PathBuf::from("/data/misc/keystore/user_99"); - path_buf.push("9910001_CACERT_authbound"); - if !path_buf.as_path().is_file() { - make_cert_blob_file( - path_buf.as_path(), - key_metadata.certificateChain.as_ref().unwrap(), - ) - .unwrap(); + if let Some(chain) = key_metadata.certificateChain.as_ref() { + let mut path_buf = PathBuf::from("/data/misc/keystore/user_99"); + path_buf.push("9910001_CACERT_authbound"); + if !path_buf.as_path().is_file() { + make_cert_blob_file(path_buf.as_path(), chain).unwrap(); + } } // Keystore2 disables the legacy importer when it finds the legacy database empty. @@ -246,7 +248,7 @@ fn keystore2_encrypted_characteristics() -> anyhow::Result<()> { KeygenResult { cert: key_metadata.certificate.unwrap(), - cert_chain: key_metadata.certificateChain.unwrap(), + cert_chain: key_metadata.certificateChain.unwrap_or_default(), key_parameters: key_params, } }) @@ -275,7 +277,7 @@ fn keystore2_encrypted_characteristics() -> anyhow::Result<()> { gen_key_result.cert ); assert_eq!( - key_entry_response.metadata.certificateChain.unwrap(), + key_entry_response.metadata.certificateChain.unwrap_or_default(), gen_key_result.cert_chain ); assert_eq!(key_entry_response.metadata.key.domain, Domain::KEY_ID); @@ -415,13 +417,13 @@ fn keystore2_encrypted_certificates() -> anyhow::Result<()> { .getSecurityLevel(SecurityLevel::SecurityLevel::TRUSTED_ENVIRONMENT) .unwrap(); // Generate Key BLOB and prepare legacy keystore blob files. - let att_challenge: &[u8] = b"foo"; + let att_challenge: Option<&[u8]> = if rkp_only() { None } else { Some(b"foo") }; let key_metadata = key_generations::generate_ec_p256_signing_key( &sec_level, Domain::BLOB, SELINUX_SHELL_NAMESPACE, None, - Some(att_challenge), + att_challenge, ) .expect("Failed to generate key blob"); @@ -468,15 +470,12 @@ fn keystore2_encrypted_certificates() -> anyhow::Result<()> { .unwrap(); } - let mut path_buf = PathBuf::from("/data/misc/keystore/user_98"); - path_buf.push("9810001_CACERT_authboundcertenc"); - if !path_buf.as_path().is_file() { - make_encrypted_ca_cert_file( - path_buf.as_path(), - &super_key, - key_metadata.certificateChain.as_ref().unwrap(), - ) - .unwrap(); + if let Some(chain) = key_metadata.certificateChain.as_ref() { + let mut path_buf = PathBuf::from("/data/misc/keystore/user_98"); + path_buf.push("9810001_CACERT_authboundcertenc"); + if !path_buf.as_path().is_file() { + make_encrypted_ca_cert_file(path_buf.as_path(), &super_key, chain).unwrap(); + } } // Keystore2 disables the legacy importer when it finds the legacy database empty. @@ -503,7 +502,7 @@ fn keystore2_encrypted_certificates() -> anyhow::Result<()> { KeygenResult { cert: key_metadata.certificate.unwrap(), - cert_chain: key_metadata.certificateChain.unwrap(), + cert_chain: key_metadata.certificateChain.unwrap_or_default(), key_parameters: key_params, } }) @@ -532,7 +531,7 @@ fn keystore2_encrypted_certificates() -> anyhow::Result<()> { gen_key_result.cert ); assert_eq!( - key_entry_response.metadata.certificateChain.unwrap(), + key_entry_response.metadata.certificateChain.unwrap_or_default(), gen_key_result.cert_chain );