Merge "Adjust keystore2_client_tests" into main am: e85693c603 am: 8ab274bd3c

Original change: https://android-review.googlesource.com/c/platform/system/security/+/3061757 Change-Id: I23beea25f87b922c736494df6698f6138975cd7b Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2024-05-03 06:01:09 +00:00 · 2024-05-03 06:01:09 +00:00 · 89c50e70cc
commit 89c50e70cc
parent c0cf308f1a 8ab274bd3c
4 changed files with 28 additions and 43 deletions
--- a/keystore2/tests/keystore2_client_authorizations_tests.rs
+++ b/keystore2/tests/keystore2_client_authorizations_tests.rs
@ -442,36 +442,6 @@ fn keystore2_gen_key_auth_usage_expire_datetime_decrypt_op_fail() {
    delete_app_key(&keystore2, alias).unwrap();
 }

-/// Generate a key with `BOOTLOADER_ONLY`. Test should successfully generate
-/// a key and verify the key characteristics. Test should fail with error code `INVALID_KEY_BLOB`
-/// during creation of an operation using this key.
-#[test]
-fn keystore2_gen_key_auth_boot_loader_only_op_fail() {
-    skip_tests_if_keymaster_impl_present!();
-    let keystore2 = get_keystore_service();
-    let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
-
-    let gen_params = authorizations::AuthSetBuilder::new()
-        .no_auth_required()
-        .algorithm(Algorithm::EC)
-        .purpose(KeyPurpose::SIGN)
-        .purpose(KeyPurpose::VERIFY)
-        .digest(Digest::SHA_2_256)
-        .ec_curve(EcCurve::P_256)
-        .attestation_challenge(b"foo".to_vec())
-        .boot_loader_only();
-
-    let alias = "ks_test_auth_tags_test";
-    let result = key_generations::map_ks_error(key_generations::create_key_and_operation(
-        &sec_level,
-        &gen_params,
-        &authorizations::AuthSetBuilder::new().purpose(KeyPurpose::SIGN).digest(Digest::SHA_2_256),
-        alias,
-    ));
-    assert!(result.is_err());
-    assert_eq!(Error::Km(ErrorCode::INVALID_KEY_BLOB), result.unwrap_err());
-}
-
 /// Generate a key with `EARLY_BOOT_ONLY`. Test should successfully generate
 /// a key and verify the key characteristics. Test should fail with error code `EARLY_BOOT_ENDED`
 /// during creation of an operation using this key.
--- a/keystore2/tests/keystore2_client_device_unique_attestation_tests.rs
+++ b/keystore2/tests/keystore2_client_device_unique_attestation_tests.rs
@ -181,7 +181,10 @@ fn keystore2_gen_key_device_unique_attest_with_default_sec_level_unimplemented()
        alias,
    ));
    assert!(result.is_err());
-    assert_eq!(Error::Km(ErrorCode::INVALID_ARGUMENT), result.unwrap_err());
+    assert!(matches!(
+        result.unwrap_err(),
+        Error::Km(ErrorCode::INVALID_ARGUMENT) | Error::Km(ErrorCode::UNSUPPORTED_TAG)
+    ));
 }

 /// Generate a EC key with `DEVICE_UNIQUE_ATTESTATION` using `STRONGBOX` security level.
--- a/keystore2/tests/keystore2_client_ec_key_tests.rs
+++ b/keystore2/tests/keystore2_client_ec_key_tests.rs
@ -30,8 +30,8 @@ use keystore2_test_utils::{
 };

 use crate::keystore2_client_test_utils::{
-    delete_app_key, execute_op_run_as_child, perform_sample_sign_operation, BarrierReached,
-    ForcedOp, TestOutcome,
+    delete_app_key, execute_op_run_as_child, get_vsr_api_level, perform_sample_sign_operation,
+    BarrierReached, ForcedOp, TestOutcome,
 };

 macro_rules! test_ec_sign_key_op_success {
@ -374,13 +374,18 @@ fn keystore2_ec_25519_generate_key_fail() {
        )
        .unwrap();

-        let result = key_generations::map_ks_error(sec_level.createOperation(
-            &key_metadata.key,
-            &authorizations::AuthSetBuilder::new().purpose(KeyPurpose::SIGN).digest(digest),
-            false,
-        ));
-        assert!(result.is_err());
-        assert_eq!(Error::Km(ErrorCode::UNSUPPORTED_DIGEST), result.unwrap_err());
+        // The KeyMint v2 API added `CURVE_25519` and specified that "Ed25519 keys only support
+        // Digest::NONE".  However, this was not checked at the time so we can only be strict about
+        // checking this for more recent implementations.
+        if get_vsr_api_level() >= 35 {
+            let result = key_generations::map_ks_error(sec_level.createOperation(
+                &key_metadata.key,
+                &authorizations::AuthSetBuilder::new().purpose(KeyPurpose::SIGN).digest(digest),
+                false,
+            ));
+            assert!(result.is_err(), "unexpected success for digest {digest:?}");
+            assert_eq!(Error::Km(ErrorCode::UNSUPPORTED_DIGEST), result.unwrap_err());
+        }
    }
 }

--- a/keystore2/tests/keystore2_client_import_keys_tests.rs
+++ b/keystore2/tests/keystore2_client_import_keys_tests.rs
@ -37,9 +37,9 @@ use keystore2_test_utils::ffi_test_utils::{
 };

 use crate::keystore2_client_test_utils::{
-    encrypt_secure_key, encrypt_transport_key, perform_sample_asym_sign_verify_op,
-    perform_sample_hmac_sign_verify_op, perform_sample_sym_key_decrypt_op,
-    perform_sample_sym_key_encrypt_op, SAMPLE_PLAIN_TEXT,
+    encrypt_secure_key, encrypt_transport_key, get_vsr_api_level,
+    perform_sample_asym_sign_verify_op, perform_sample_hmac_sign_verify_op,
+    perform_sample_sym_key_decrypt_op, perform_sample_sym_key_encrypt_op, SAMPLE_PLAIN_TEXT,
 };

 pub fn import_rsa_sign_key_and_perform_sample_operation(
@ -306,6 +306,13 @@ fn keystore2_import_ec_key_success() {

    let alias = format!("ks_ec_key_test_import_1_{}{}", getuid(), 256);

+    if get_vsr_api_level() < 35 {
+        // The KeyMint spec was previously not clear as to whether EC_CURVE was optional on import
+        // of EC keys. However, this was not checked at the time so we can only be strict about
+        // checking this for implementations at VSR-V or later.
+        println!("Skipping EC_CURVE on import only strict >= VSR-V");
+        return;
+    }
    // Don't specify ec-curve.
    let import_params = authorizations::AuthSetBuilder::new()
        .no_auth_required()