diff --git a/keystore2/tests/keystore2_client_authorizations_tests.rs b/keystore2/tests/keystore2_client_authorizations_tests.rs
index 0fde7aff..32be99e0 100644
--- a/keystore2/tests/keystore2_client_authorizations_tests.rs
+++ b/keystore2/tests/keystore2_client_authorizations_tests.rs
@@ -442,36 +442,6 @@ fn keystore2_gen_key_auth_usage_expire_datetime_decrypt_op_fail() {
 delete_app_key(&keystore2, alias).unwrap();
 }
-/// Generate a key with `BOOTLOADER_ONLY`. Test should successfully generate
-/// a key and verify the key characteristics. Test should fail with error code `INVALID_KEY_BLOB`
-/// during creation of an operation using this key.
-#[test]
-fn keystore2_gen_key_auth_boot_loader_only_op_fail() {
- skip_tests_if_keymaster_impl_present!();
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
-
- let gen_params = authorizations::AuthSetBuilder::new()
- .no_auth_required()
- .algorithm(Algorithm::EC)
- .purpose(KeyPurpose::SIGN)
- .purpose(KeyPurpose::VERIFY)
- .digest(Digest::SHA_2_256)
- .ec_curve(EcCurve::P_256)
- .attestation_challenge(b"foo".to_vec())
- .boot_loader_only();
-
- let alias = "ks_test_auth_tags_test";
- let result = key_generations::map_ks_error(key_generations::create_key_and_operation(
- &sec_level,
- &gen_params,
- &authorizations::AuthSetBuilder::new().purpose(KeyPurpose::SIGN).digest(Digest::SHA_2_256),
- alias,
- ));
- assert!(result.is_err());
- assert_eq!(Error::Km(ErrorCode::INVALID_KEY_BLOB), result.unwrap_err());
-}
-
 /// Generate a key with `EARLY_BOOT_ONLY`. Test should successfully generate
 /// a key and verify the key characteristics. Test should fail with error code `EARLY_BOOT_ENDED`
 /// during creation of an operation using this key.
diff --git a/keystore2/tests/keystore2_client_device_unique_attestation_tests.rs b/keystore2/tests/keystore2_client_device_unique_attestation_tests.rs
index 4f881bcd..b784adf4 100644
--- a/keystore2/tests/keystore2_client_device_unique_attestation_tests.rs
+++ b/keystore2/tests/keystore2_client_device_unique_attestation_tests.rs
@@ -181,7 +181,10 @@ fn keystore2_gen_key_device_unique_attest_with_default_sec_level_unimplemented()
 alias,
 ));
 assert!(result.is_err());
- assert_eq!(Error::Km(ErrorCode::INVALID_ARGUMENT), result.unwrap_err());
+ assert!(matches!(
+ result.unwrap_err(),
+ Error::Km(ErrorCode::INVALID_ARGUMENT) | Error::Km(ErrorCode::UNSUPPORTED_TAG)
+ ));
 }
 /// Generate a EC key with `DEVICE_UNIQUE_ATTESTATION` using `STRONGBOX` security level.
diff --git a/keystore2/tests/keystore2_client_ec_key_tests.rs b/keystore2/tests/keystore2_client_ec_key_tests.rs
index 82671402..f2c6d0f9 100644
--- a/keystore2/tests/keystore2_client_ec_key_tests.rs
+++ b/keystore2/tests/keystore2_client_ec_key_tests.rs
@@ -30,8 +30,8 @@ use keystore2_test_utils::{
 };
 use crate::keystore2_client_test_utils::{
- delete_app_key, execute_op_run_as_child, perform_sample_sign_operation, BarrierReached,
- ForcedOp, TestOutcome,
+ delete_app_key, execute_op_run_as_child, get_vsr_api_level, perform_sample_sign_operation,
+ BarrierReached, ForcedOp, TestOutcome,
 };
 macro_rules! test_ec_sign_key_op_success {
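Review bot: In keystore2_client_device_unique_attestation_tests.rs the new `assert!(matches!(...))` no longer reports which error was actually returned when the check fails, which the replaced `assert_eq!` did. Binding the error first keeps that diagnostic: `let err = result.unwrap_err();` followed by `assert!(matches!(err, Error::Km(ErrorCode::INVALID_ARGUMENT) | Error::Km(ErrorCode::UNSUPPORTED_TAG)), "unexpected error {err:?}");`. The hunk also gives no reason for accepting `UNSUPPORTED_TAG`, so a one-line comment above the assertion saying why both codes count as a valid rejection would help the next reader. The test's body starts outside the hunk.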
@@ -374,13 +374,18 @@ fn keystore2_ec_25519_generate_key_fail() {
 )
 .unwrap();
- let result = key_generations::map_ks_error(sec_level.createOperation(
- &key_metadata.key,
- &authorizations::AuthSetBuilder::new().purpose(KeyPurpose::SIGN).digest(digest),
- false,
- ));
- assert!(result.is_err());
- assert_eq!(Error::Km(ErrorCode::UNSUPPORTED_DIGEST), result.unwrap_err());
+ // The KeyMint v2 API added `CURVE_25519` and specified that "Ed25519 keys only support
+ // Digest::NONE". However, this was not checked at the time so we can only be strict about
+ // checking this for more recent implementations.
+ if get_vsr_api_level() >= 35 {
+ let result = key_generations::map_ks_error(sec_level.createOperation(
+ &key_metadata.key,
+ &authorizations::AuthSetBuilder::new().purpose(KeyPurpose::SIGN).digest(digest),
+ false,
+ ));
+ assert!(result.is_err(), "unexpected success for digest {digest:?}");
+ assert_eq!(Error::Km(ErrorCode::UNSUPPORTED_DIGEST), result.unwrap_err());
+ }
 }
 }
diff --git a/keystore2/tests/keystore2_client_import_keys_tests.rs b/keystore2/tests/keystore2_client_import_keys_tests.rs
index 31d57a2f..bf787d29 100644
--- a/keystore2/tests/keystore2_client_import_keys_tests.rs
+++ b/keystore2/tests/keystore2_client_import_keys_tests.rs
@@ -37,9 +37,9 @@ use keystore2_test_utils::ffi_test_utils::{
 };
 use crate::keystore2_client_test_utils::{
- encrypt_secure_key, encrypt_transport_key, perform_sample_asym_sign_verify_op,
- perform_sample_hmac_sign_verify_op, perform_sample_sym_key_decrypt_op,
- perform_sample_sym_key_encrypt_op, SAMPLE_PLAIN_TEXT,
+ encrypt_secure_key, encrypt_transport_key, get_vsr_api_level,
+ perform_sample_asym_sign_verify_op, perform_sample_hmac_sign_verify_op,
+ perform_sample_sym_key_decrypt_op, perform_sample_sym_key_encrypt_op, SAMPLE_PLAIN_TEXT,
 };
 pub fn import_rsa_sign_key_and_perform_sample_operation(
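Review bot: Below VSR API level 35 the changed block in keystore2_ec_25519_generate_key_fail now ends after key generation with no assertion and no output, so a run passes without showing that the digest check was skipped. The import test changed in this same commit prints a message on its skip path; an equivalent branch here, e.g. `} else { println!("Skipping Ed25519 digest check for {digest:?}: only strict >= VSR-V"); }`, would keep the two gates consistent. The literal `35` is repeated in keystore2_client_import_keys_tests.rs, so a shared named constant next to `get_vsr_api_level` would keep both thresholds in step. The enclosing function, and what appears to be a loop over digests, start outside the hunk.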
@@ -306,6 +306,13 @@ fn keystore2_import_ec_key_success() {
 let alias = format!("ks_ec_key_test_import_1_{}{}", getuid(), 256);
+ if get_vsr_api_level() < 35 {
+ // The KeyMint spec was previously not clear as to whether EC_CURVE was optional on import
+ // of EC keys. However, this was not checked at the time so we can only be strict about
+ // checking this for implementations at VSR-V or later.
+ println!("Skipping EC_CURVE on import only strict >= VSR-V");
+ return;
+ }
 // Don't specify ec-curve.
 let import_params = authorizations::AuthSetBuilder::new()
 .no_auth_required()
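Review bot: The comment added in keystore2_import_ec_key_success does not read coherently: "However, this was not checked at the time" follows a sentence saying the spec was unclear, so "However" contrasts with nothing and "this" has no rule to refer to. Joining the two clauses fixes it, e.g. `// of EC keys, and this was not checked at the time, so we can only be strict about`. The skip message is also hard to parse; something like `println!("Skipping import without EC_CURVE: only strict for VSR-V or later");` says what was skipped and why. The function continues outside the hunk, so whether the early `return` bypasses later steps that should still run on older devices cannot be judged from here.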