Merge "Test added to generate a key with specifying cerificate subject and certificate serial number. Test generates a key and verifies the specified key characteristics." into main am: a68eb23f51 am: ea60fe79fc am: 84743e9f28

Original change: https://android-review.googlesource.com/c/platform/system/security/+/2619159 Change-Id: If9f8747ff26f63b18b3ee94a212cd47689b8203a Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-11-15 13:42:56 +00:00 · 2023-11-15 13:42:56 +00:00 · f126d5ef18
commit f126d5ef18
parent 8eb7326f30 84743e9f28
3 changed files with 72 additions and 1 deletions
--- a/keystore2/test_utils/authorizations.rs
+++ b/keystore2/test_utils/authorizations.rs
@ -344,6 +344,22 @@ impl AuthSetBuilder {
        });
        self
    }
+
+    /// Add certificate serial number.
+    pub fn cert_serial(mut self, b: Vec<u8>) -> Self {
+        self.0
+            .push(KeyParameter { tag: Tag::CERTIFICATE_SERIAL, value: KeyParameterValue::Blob(b) });
+        self
+    }
+
+    /// Add certificate subject name.
+    pub fn cert_subject_name(mut self, b: Vec<u8>) -> Self {
+        self.0.push(KeyParameter {
+            tag: Tag::CERTIFICATE_SUBJECT,
+            value: KeyParameterValue::Blob(b),
+        });
+        self
+    }
 }

 impl Deref for AuthSetBuilder {
--- a/keystore2/tests/keystore2_client_authorizations_tests.rs
+++ b/keystore2/tests/keystore2_client_authorizations_tests.rs
@ -14,6 +14,9 @@

 use std::time::SystemTime;

+use openssl::bn::{BigNum, MsbOption};
+use openssl::x509::X509NameBuilder;
+
 use android_hardware_security_keymint::aidl::android::hardware::security::keymint::{
    Algorithm::Algorithm, BlockMode::BlockMode, Digest::Digest, EcCurve::EcCurve,
    ErrorCode::ErrorCode, KeyPurpose::KeyPurpose, PaddingMode::PaddingMode,
@ -39,7 +42,8 @@ use keystore2_test_utils::{

 use crate::keystore2_client_test_utils::{
    delete_app_key, perform_sample_asym_sign_verify_op, perform_sample_hmac_sign_verify_op,
-    perform_sample_sym_key_decrypt_op, perform_sample_sym_key_encrypt_op, SAMPLE_PLAIN_TEXT,
+    perform_sample_sym_key_decrypt_op, perform_sample_sym_key_encrypt_op,
+    verify_certificate_serial_num, verify_certificate_subject_name, SAMPLE_PLAIN_TEXT,
 };

 use keystore2_test_utils::ffi_test_utils::get_value_from_attest_record;
@ -964,3 +968,39 @@ fn keystore2_flagged_on_get_last_auth_fingerprint_success() {
        keystore_auth.getLastAuthTime(0, &[HardwareAuthenticatorType::FINGERPRINT]).unwrap() > 0
    );
 }
+
+/// Generate a key with specifying `CERTIFICATE_SUBJECT and CERTIFICATE_SERIAL`. Test should
+/// generate a key successfully and verify the specified key parameters.
+#[test]
+fn keystore2_gen_key_auth_serial_number_subject_test_success() {
+    let keystore2 = get_keystore_service();
+    let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+
+    let cert_subject = "test cert subject";
+    let mut x509_name = X509NameBuilder::new().unwrap();
+    x509_name.append_entry_by_text("CN", cert_subject).unwrap();
+    let x509_name = x509_name.build().to_der().unwrap();
+
+    let mut serial = BigNum::new().unwrap();
+    serial.rand(159, MsbOption::MAYBE_ZERO, false).unwrap();
+
+    let gen_params = authorizations::AuthSetBuilder::new()
+        .no_auth_required()
+        .algorithm(Algorithm::EC)
+        .purpose(KeyPurpose::SIGN)
+        .purpose(KeyPurpose::VERIFY)
+        .digest(Digest::SHA_2_256)
+        .ec_curve(EcCurve::P_256)
+        .attestation_challenge(b"foo".to_vec())
+        .cert_subject_name(x509_name)
+        .cert_serial(serial.to_vec());
+
+    let alias = "ks_test_auth_tags_test";
+    let key_metadata = key_generations::generate_key(&sec_level, &gen_params, alias).unwrap();
+    verify_certificate_subject_name(
+        key_metadata.certificate.as_ref().unwrap(),
+        cert_subject.as_bytes(),
+    );
+    verify_certificate_serial_num(key_metadata.certificate.as_ref().unwrap(), &serial);
+    delete_app_key(&keystore2, alias).unwrap();
+}
--- a/keystore2/tests/keystore2_client_test_utils.rs
+++ b/keystore2/tests/keystore2_client_test_utils.rs
@ -17,9 +17,11 @@ use serde::{Deserialize, Serialize};

 use std::process::{Command, Output};

+use openssl::bn::BigNum;
 use openssl::encrypt::Encrypter;
 use openssl::error::ErrorStack;
 use openssl::hash::MessageDigest;
+use openssl::nid::Nid;
 use openssl::pkey::PKey;
 use openssl::pkey::Public;
 use openssl::rsa::Padding;
@ -534,3 +536,16 @@ pub fn get_attest_id_value(attest_id: Tag, prop_name: &str) -> Option<Vec<u8>> {
        }
    }
 }
+
+pub fn verify_certificate_subject_name(cert_bytes: &[u8], expected_subject: &[u8]) {
+    let cert = X509::from_der(cert_bytes).unwrap();
+    let subject = cert.subject_name();
+    let cn = subject.entries_by_nid(Nid::COMMONNAME).next().unwrap();
+    assert_eq!(cn.data().as_slice(), expected_subject);
+}
+
+pub fn verify_certificate_serial_num(cert_bytes: &[u8], expected_serial_num: &BigNum) {
+    let cert = X509::from_der(cert_bytes).unwrap();
+    let serial_num = cert.serial_number();
+    assert_eq!(serial_num.to_bn().as_ref().unwrap(), expected_serial_num);
+}