Merge "Test added to generate a key with specifying certificate subject and certificate serial number. Test generates a key and verifies the specified key characteristics." into main am: a68eb23f51

Original change: https://android-review.googlesource.com/c/platform/system/security/+/2619159

Change-Id: I1234289746a32bae2134b07274dff1c693b18d93
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
Eran Messeri 2023-11-15 12:40:34 +00:00 committed by Automerger Merge Worker
commit ea60fe79fc
3 changed files with 72 additions and 1 deletions


@ -344,6 +344,22 @@ impl AuthSetBuilder {
});
self
}
/// Add certificate serial number.
pub fn cert_serial(mut self, b: Vec<u8>) -> Self {
self.0
.push(KeyParameter { tag: Tag::CERTIFICATE_SERIAL, value: KeyParameterValue::Blob(b) });
self
}
/// Add certificate subject name.
pub fn cert_subject_name(mut self, b: Vec<u8>) -> Self {
self.0.push(KeyParameter {
tag: Tag::CERTIFICATE_SUBJECT,
value: KeyParameterValue::Blob(b),
});
self
}
}
impl Deref for AuthSetBuilder {
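Review bot: The doc comments on `cert_serial` and `cert_subject_name` do not say what encoding `b` must carry, and both accept an opaque `Vec<u8>`. Going by the test added in this commit, the subject is passed as a DER-encoded X.509 name and the serial as the big-endian bytes of a `BigNum`, so a caller passing a plain string would presumably get a rejection or an unexpected certificate. I would state that in the docs, e.g. `/// Add certificate subject name as a DER-encoded X.509 Name.` and `/// Add certificate serial number as the big-endian bytes of the integer.` The `impl AuthSetBuilder` block begins outside this hunk.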


@ -14,6 +14,9 @@
use std::time::SystemTime;
use openssl::bn::{BigNum, MsbOption};
use openssl::x509::X509NameBuilder;
use android_hardware_security_keymint::aidl::android::hardware::security::keymint::{
Algorithm::Algorithm, BlockMode::BlockMode, Digest::Digest, EcCurve::EcCurve,
ErrorCode::ErrorCode, KeyPurpose::KeyPurpose, PaddingMode::PaddingMode,
@ -39,7 +42,8 @@ use keystore2_test_utils::{
use crate::keystore2_client_test_utils::{
delete_app_key, perform_sample_asym_sign_verify_op, perform_sample_hmac_sign_verify_op,
perform_sample_sym_key_decrypt_op, perform_sample_sym_key_encrypt_op, SAMPLE_PLAIN_TEXT,
perform_sample_sym_key_decrypt_op, perform_sample_sym_key_encrypt_op,
verify_certificate_serial_num, verify_certificate_subject_name, SAMPLE_PLAIN_TEXT,
};
use keystore2_test_utils::ffi_test_utils::get_value_from_attest_record;
@ -964,3 +968,39 @@ fn keystore2_flagged_on_get_last_auth_fingerprint_success() {
keystore_auth.getLastAuthTime(0, &[HardwareAuthenticatorType::FINGERPRINT]).unwrap() > 0
);
}
/// Generate a key with specifying `CERTIFICATE_SUBJECT and CERTIFICATE_SERIAL`. Test should
/// generate a key successfully and verify the specified key parameters.
#[test]
fn keystore2_gen_key_auth_serial_number_subject_test_success() {
let keystore2 = get_keystore_service();
let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
let cert_subject = "test cert subject";
let mut x509_name = X509NameBuilder::new().unwrap();
x509_name.append_entry_by_text("CN", cert_subject).unwrap();
let x509_name = x509_name.build().to_der().unwrap();
let mut serial = BigNum::new().unwrap();
serial.rand(159, MsbOption::MAYBE_ZERO, false).unwrap();
let gen_params = authorizations::AuthSetBuilder::new()
.no_auth_required()
.algorithm(Algorithm::EC)
.purpose(KeyPurpose::SIGN)
.purpose(KeyPurpose::VERIFY)
.digest(Digest::SHA_2_256)
.ec_curve(EcCurve::P_256)
.attestation_challenge(b"foo".to_vec())
.cert_subject_name(x509_name)
.cert_serial(serial.to_vec());
let alias = "ks_test_auth_tags_test";
let key_metadata = key_generations::generate_key(&sec_level, &gen_params, alias).unwrap();
verify_certificate_subject_name(
key_metadata.certificate.as_ref().unwrap(),
cert_subject.as_bytes(),
);
verify_certificate_serial_num(key_metadata.certificate.as_ref().unwrap(), &serial);
delete_app_key(&keystore2, alias).unwrap();
}
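Review bot: `delete_app_key` runs only after both verify helpers, and those helpers assert, so a mismatch in `keystore2_gen_key_auth_serial_number_subject_test_success` panics before cleanup and leaves the key under `ks_test_auth_tags_test`. That alias does not match the test name, so it may be shared with another test (not visible in this hunk), in which case a leftover key could affect later runs. Consider a test-specific alias such as `let alias = "ks_test_cert_subject_serial_test";` and deleting the key before asserting on the certificate, since `key_metadata` already owns the certificate bytes. A short comment on why the serial is drawn with 159 bits (it appears chosen so the value stays positive within 20 octets) would also help the next reader.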


@ -17,9 +17,11 @@ use serde::{Deserialize, Serialize};
use std::process::{Command, Output};
use openssl::bn::BigNum;
use openssl::encrypt::Encrypter;
use openssl::error::ErrorStack;
use openssl::hash::MessageDigest;
use openssl::nid::Nid;
use openssl::pkey::PKey;
use openssl::pkey::Public;
use openssl::rsa::Padding;
@ -534,3 +536,16 @@ pub fn get_attest_id_value(attest_id: Tag, prop_name: &str) -> Option<Vec<u8>> {
}
}
}
pub fn verify_certificate_subject_name(cert_bytes: &[u8], expected_subject: &[u8]) {
let cert = X509::from_der(cert_bytes).unwrap();
let subject = cert.subject_name();
let cn = subject.entries_by_nid(Nid::COMMONNAME).next().unwrap();
assert_eq!(cn.data().as_slice(), expected_subject);
}
pub fn verify_certificate_serial_num(cert_bytes: &[u8], expected_serial_num: &BigNum) {
let cert = X509::from_der(cert_bytes).unwrap();
let serial_num = cert.serial_number();
assert_eq!(serial_num.to_bn().as_ref().unwrap(), expected_serial_num);
}
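Review bot: `verify_certificate_subject_name` compares only the first `COMMONNAME` entry, so a certificate whose subject carries additional, unrequested entries would still pass. If the intent is to confirm that exactly the requested subject was used, also assert the entry count, e.g. `assert_eq!(subject.entries().count(), 1);`, or compare the subject's DER with the DER that was sent. Both helpers are `pub` but have no `///` doc comment, unlike the builder methods added in the same commit; one line each stating that they panic on a malformed certificate or a mismatch would be enough. Replacing the bare `unwrap()` on `X509::from_der` with `expect("certificate is not valid DER")` would make a failure easier to read.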