Merge "Test added to generate a key with specifying cerificate subject and certificate serial number. Test generates a key and verifies the specified key characteristics." into main am: a68eb23f51
Original change: https://android-review.googlesource.com/c/platform/system/security/+/2619159 Change-Id: I1234289746a32bae2134b07274dff1c693b18d93 Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
This commit is contained in:
commit
ea60fe79fc
3 changed files with 72 additions and 1 deletions
|
@ -344,6 +344,22 @@ impl AuthSetBuilder {
|
|||
});
|
||||
self
|
||||
}
|
||||
|
||||
/// Add certificate serial number.
|
||||
pub fn cert_serial(mut self, b: Vec<u8>) -> Self {
|
||||
self.0
|
||||
.push(KeyParameter { tag: Tag::CERTIFICATE_SERIAL, value: KeyParameterValue::Blob(b) });
|
||||
self
|
||||
}
|
||||
|
||||
/// Add certificate subject name.
|
||||
pub fn cert_subject_name(mut self, b: Vec<u8>) -> Self {
|
||||
self.0.push(KeyParameter {
|
||||
tag: Tag::CERTIFICATE_SUBJECT,
|
||||
value: KeyParameterValue::Blob(b),
|
||||
});
|
||||
self
|
||||
}
|
||||
}
|
||||
|
||||
impl Deref for AuthSetBuilder {
|
||||
|
|
|
@ -14,6 +14,9 @@
|
|||
|
||||
use std::time::SystemTime;
|
||||
|
||||
use openssl::bn::{BigNum, MsbOption};
|
||||
use openssl::x509::X509NameBuilder;
|
||||
|
||||
use android_hardware_security_keymint::aidl::android::hardware::security::keymint::{
|
||||
Algorithm::Algorithm, BlockMode::BlockMode, Digest::Digest, EcCurve::EcCurve,
|
||||
ErrorCode::ErrorCode, KeyPurpose::KeyPurpose, PaddingMode::PaddingMode,
|
||||
|
@ -39,7 +42,8 @@ use keystore2_test_utils::{
|
|||
|
||||
use crate::keystore2_client_test_utils::{
|
||||
delete_app_key, perform_sample_asym_sign_verify_op, perform_sample_hmac_sign_verify_op,
|
||||
perform_sample_sym_key_decrypt_op, perform_sample_sym_key_encrypt_op, SAMPLE_PLAIN_TEXT,
|
||||
perform_sample_sym_key_decrypt_op, perform_sample_sym_key_encrypt_op,
|
||||
verify_certificate_serial_num, verify_certificate_subject_name, SAMPLE_PLAIN_TEXT,
|
||||
};
|
||||
|
||||
use keystore2_test_utils::ffi_test_utils::get_value_from_attest_record;
|
||||
|
@ -964,3 +968,39 @@ fn keystore2_flagged_on_get_last_auth_fingerprint_success() {
|
|||
keystore_auth.getLastAuthTime(0, &[HardwareAuthenticatorType::FINGERPRINT]).unwrap() > 0
|
||||
);
|
||||
}
|
||||
|
||||
/// Generate a key with specifying `CERTIFICATE_SUBJECT and CERTIFICATE_SERIAL`. Test should
|
||||
/// generate a key successfully and verify the specified key parameters.
|
||||
#[test]
|
||||
fn keystore2_gen_key_auth_serial_number_subject_test_success() {
|
||||
let keystore2 = get_keystore_service();
|
||||
let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
|
||||
|
||||
let cert_subject = "test cert subject";
|
||||
let mut x509_name = X509NameBuilder::new().unwrap();
|
||||
x509_name.append_entry_by_text("CN", cert_subject).unwrap();
|
||||
let x509_name = x509_name.build().to_der().unwrap();
|
||||
|
||||
let mut serial = BigNum::new().unwrap();
|
||||
serial.rand(159, MsbOption::MAYBE_ZERO, false).unwrap();
|
||||
|
||||
let gen_params = authorizations::AuthSetBuilder::new()
|
||||
.no_auth_required()
|
||||
.algorithm(Algorithm::EC)
|
||||
.purpose(KeyPurpose::SIGN)
|
||||
.purpose(KeyPurpose::VERIFY)
|
||||
.digest(Digest::SHA_2_256)
|
||||
.ec_curve(EcCurve::P_256)
|
||||
.attestation_challenge(b"foo".to_vec())
|
||||
.cert_subject_name(x509_name)
|
||||
.cert_serial(serial.to_vec());
|
||||
|
||||
let alias = "ks_test_auth_tags_test";
|
||||
let key_metadata = key_generations::generate_key(&sec_level, &gen_params, alias).unwrap();
|
||||
verify_certificate_subject_name(
|
||||
key_metadata.certificate.as_ref().unwrap(),
|
||||
cert_subject.as_bytes(),
|
||||
);
|
||||
verify_certificate_serial_num(key_metadata.certificate.as_ref().unwrap(), &serial);
|
||||
delete_app_key(&keystore2, alias).unwrap();
|
||||
}
|
||||
|
|
|
@ -17,9 +17,11 @@ use serde::{Deserialize, Serialize};
|
|||
|
||||
use std::process::{Command, Output};
|
||||
|
||||
use openssl::bn::BigNum;
|
||||
use openssl::encrypt::Encrypter;
|
||||
use openssl::error::ErrorStack;
|
||||
use openssl::hash::MessageDigest;
|
||||
use openssl::nid::Nid;
|
||||
use openssl::pkey::PKey;
|
||||
use openssl::pkey::Public;
|
||||
use openssl::rsa::Padding;
|
||||
|
@ -534,3 +536,16 @@ pub fn get_attest_id_value(attest_id: Tag, prop_name: &str) -> Option<Vec<u8>> {
|
|||
}
|
||||
}
|
||||
}
|
||||
|
||||
pub fn verify_certificate_subject_name(cert_bytes: &[u8], expected_subject: &[u8]) {
|
||||
let cert = X509::from_der(cert_bytes).unwrap();
|
||||
let subject = cert.subject_name();
|
||||
let cn = subject.entries_by_nid(Nid::COMMONNAME).next().unwrap();
|
||||
assert_eq!(cn.data().as_slice(), expected_subject);
|
||||
}
|
||||
|
||||
pub fn verify_certificate_serial_num(cert_bytes: &[u8], expected_serial_num: &BigNum) {
|
||||
let cert = X509::from_der(cert_bytes).unwrap();
|
||||
let serial_num = cert.serial_number();
|
||||
assert_eq!(serial_num.to_bn().as_ref().unwrap(), expected_serial_num);
|
||||
}
|
||||
|
|
Loading…
Reference in a new issue