| author | Android Build Coastguard Worker <android-build-coastguard-worker@google.com> | 2021-12-01 00:07:56 +0000 |
|---|---|---|
| committer | Android Build Coastguard Worker <android-build-coastguard-worker@google.com> | 2021-12-01 00:07:56 +0000 |
| commit | 2f02e61b244a66e9a3d5563ddbdefde347d96ce7 (patch) | |
| tree | 237d826e8b054be2a27832a4eea7c09cf5e39c3d | |
| parent | 87dddd9435a78624cd7f83fe62a4e4a52eee3543 (diff) | |
| parent | 46d62b92fba8e57cb1764ad39ffdfadc4e59a4b2 (diff) | |
Snap for 7956453 from 46d62b92fba8e57cb1764ad39ffdfadc4e59a4b2 to sc-v2-release
Change-Id: Ib7a0b60f2f202250941b169bbeaae3936d7b379e
5 files changed, 143 insertions, 33 deletions
diff --git a/security/keymint/aidl/vts/functional/AttestKeyTest.cpp b/security/keymint/aidl/vts/functional/AttestKeyTest.cpp index 26ed34427..64550eff2 100644 --- a/security/keymint/aidl/vts/functional/AttestKeyTest.cpp +++ b/security/keymint/aidl/vts/functional/AttestKeyTest.cpp @@ -50,7 +50,7 @@ TEST_P(AttestKeyTest, AllRsaSizes) { vector<KeyCharacteristics> attest_key_characteristics; vector<Certificate> attest_key_cert_chain; ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder() - .RsaSigningKey(size, 65537) + .RsaKey(size, 65537) .AttestKey() .SetDefaultValidity(), {} /* attestation signing key */, &attest_key.keyBlob, @@ -200,7 +200,7 @@ TEST_P(AttestKeyTest, RsaAttestedAttestKeys) { vector<Certificate> attest_key_cert_chain; ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder() - .RsaSigningKey(2048, 65537) + .RsaKey(2048, 65537) .AttestKey() .AttestationChallenge(challenge) .AttestationApplicationId(app_id) @@ -299,7 +299,7 @@ TEST_P(AttestKeyTest, RsaAttestKeyChaining) { EXPECT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder() - .RsaSigningKey(2048, 65537) + .RsaKey(2048, 65537) .AttestKey() .AttestationChallenge("foo") .AttestationApplicationId("bar") @@ -371,7 +371,7 @@ TEST_P(AttestKeyTest, EcAttestKeyChaining) { EXPECT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder() - .EcdsaSigningKey(EcCurve::P_256) + .EcdsaKey(EcCurve::P_256) .AttestKey() .AttestationChallenge("foo") .AttestationApplicationId("bar") @@ -446,7 +446,7 @@ TEST_P(AttestKeyTest, AlternateAttestKeyChaining) { if ((i & 0x1) == 1) { EXPECT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder() - .EcdsaSigningKey(EcCurve::P_256) + .EcdsaKey(EcCurve::P_256) .AttestKey() .AttestationChallenge("foo") .AttestationApplicationId("bar") 
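Review bot: The switch from `RsaSigningKey`/`EcdsaSigningKey` to `RsaKey`/`EcdsaKey` for every attest key in this file is made without a comment saying why, and the reason is not visible in the hunks; the same change recurs in the RsaAttestedAttestKeys, RsaAttestKeyChaining, EcAttestKeyChaining, AlternateAttestKeyChaining, MissingChallenge, AllEcCurves, EcdsaAttestationID and EcdsaAttestationMismatchID hunks below. Presumably the signing-key builders add SIGN/VERIFY purposes that an attest key must not carry alongside `AttestKey()`, so a reader maintaining these tests would benefit from a one-line comment at the first occurrence such as `// Attest keys carry only the ATTEST_KEY purpose; do not use the *SigningKey() builders here.` — confirm the wording against AuthorizationSetBuilder before committing it. The enclosing TEST_P bodies start and end outside these hunks.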
@@ -459,7 +459,7 @@ TEST_P(AttestKeyTest, AlternateAttestKeyChaining) { } else { EXPECT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder() - .RsaSigningKey(2048, 65537) + .RsaKey(2048, 65537) .AttestKey() .AttestationChallenge("foo") .AttestationApplicationId("bar") @@ -509,7 +509,7 @@ TEST_P(AttestKeyTest, MissingChallenge) { vector<KeyCharacteristics> attest_key_characteristics; vector<Certificate> attest_key_cert_chain; ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder() - .RsaSigningKey(size, 65537) + .RsaKey(size, 65537) .AttestKey() .SetDefaultValidity(), {} /* attestation signing key */, &attest_key.keyBlob, @@ -555,12 +555,12 @@ TEST_P(AttestKeyTest, AllEcCurves) { AttestationKey attest_key; vector<KeyCharacteristics> attest_key_characteristics; vector<Certificate> attest_key_cert_chain; - ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder() - .EcdsaSigningKey(curve) - .AttestKey() - .SetDefaultValidity(), - {} /* attestation signing key */, &attest_key.keyBlob, - &attest_key_characteristics, &attest_key_cert_chain)); + ASSERT_EQ( + ErrorCode::OK, + GenerateKey( + AuthorizationSetBuilder().EcdsaKey(curve).AttestKey().SetDefaultValidity(), + {} /* attestation signing key */, &attest_key.keyBlob, + &attest_key_characteristics, &attest_key_cert_chain)); ASSERT_GT(attest_key_cert_chain.size(), 0); EXPECT_EQ(attest_key_cert_chain.size(), 1); @@ -671,7 +671,7 @@ TEST_P(AttestKeyTest, EcdsaAttestationID) { vector<KeyCharacteristics> attest_key_characteristics; vector<Certificate> attest_key_cert_chain; ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder() - .EcdsaSigningKey(EcCurve::P_256) + .EcdsaKey(EcCurve::P_256) .AttestKey() .SetDefaultValidity(), {} /* attestation signing key */, &attest_key.keyBlob, 
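Review bot: The AllEcCurves hunk reflows the `ASSERT_EQ(ErrorCode::OK, GenerateKey(...))` call into a different layout (`ASSERT_EQ(` alone on its line, the builder chain collapsed onto one line) while every sibling hunk in this file keeps the original hanging-indent layout and changes only the builder call; mixing a formatting-only rewrite into a semantic change makes the diff harder to review and leaves the file with two layouts for identical statements. Either keep the one-token edit `.EcdsaKey(curve)` in the original layout, matching the other hunks, or run clang-format over the whole file in a separate commit. The enclosing TEST_P body starts and ends outside the hunk.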
@@ -735,7 +735,7 @@ TEST_P(AttestKeyTest, EcdsaAttestationMismatchID) { vector<KeyCharacteristics> attest_key_characteristics; vector<Certificate> attest_key_cert_chain; ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder() - .EcdsaSigningKey(EcCurve::P_256) + .EcdsaKey(EcCurve::P_256) .AttestKey() .SetDefaultValidity(), {} /* attestation signing key */, &attest_key.keyBlob, diff --git a/security/keymint/aidl/vts/functional/DeviceUniqueAttestationTest.cpp b/security/keymint/aidl/vts/functional/DeviceUniqueAttestationTest.cpp index d7abf0790..79716b135 100644 --- a/security/keymint/aidl/vts/functional/DeviceUniqueAttestationTest.cpp +++ b/security/keymint/aidl/vts/functional/DeviceUniqueAttestationTest.cpp @@ -76,6 +76,7 @@ TEST_P(DeviceUniqueAttestationTest, RsaNonStrongBoxUnimplemented) { .Digest(Digest::SHA_2_256) .Padding(PaddingMode::RSA_PKCS1_1_5_SIGN) .Authorization(TAG_INCLUDE_UNIQUE_ID) + .Authorization(TAG_CREATION_DATETIME, 1619621648000) .AttestationChallenge("challenge") .AttestationApplicationId("foo") .Authorization(TAG_DEVICE_UNIQUE_ATTESTATION), @@ -102,6 +103,7 @@ TEST_P(DeviceUniqueAttestationTest, EcdsaNonStrongBoxUnimplemented) { .EcdsaSigningKey(EcCurve::P_256) .Digest(Digest::SHA_2_256) .Authorization(TAG_INCLUDE_UNIQUE_ID) + .Authorization(TAG_CREATION_DATETIME, 1619621648000) .AttestationChallenge("challenge") .AttestationApplicationId("foo") .Authorization(TAG_DEVICE_UNIQUE_ATTESTATION), @@ -129,6 +131,7 @@ TEST_P(DeviceUniqueAttestationTest, RsaDeviceUniqueAttestation) { .Digest(Digest::SHA_2_256) .Padding(PaddingMode::RSA_PKCS1_1_5_SIGN) .Authorization(TAG_INCLUDE_UNIQUE_ID) + .Authorization(TAG_CREATION_DATETIME, 1619621648000) .AttestationChallenge("challenge") .AttestationApplicationId("foo") .Authorization(TAG_DEVICE_UNIQUE_ATTESTATION), 
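Review bot: The literal `1619621648000` passed to `TAG_CREATION_DATETIME` is pasted verbatim into six builders across DeviceUniqueAttestationTest.cpp (this hunk, EcdsaNonStrongBoxUnimplemented, RsaDeviceUniqueAttestation, EcdsaDeviceUniqueAttestation, EcdsaDeviceUniqueAttestationID and EcdsaDeviceUniqueAttestationMismatchID) and once more in KeyMintTest.cpp, where alone it is explained as `Wed Apr 28 14:54:08 2021 in ms since epoch`. Hoist it to one file-level constant, `constexpr uint64_t kCreationDatetimeMs = 1619621648000;  // Wed Apr 28 14:54:08 2021 in ms since epoch`, and use `.Authorization(TAG_CREATION_DATETIME, kCreationDatetimeMs)` in each builder. Nothing in these hunks says why the date is now required; if it is because these keys set `TAG_INCLUDE_UNIQUE_ID` and the unique ID is derived from the creation time (which is what the new KeyMintTest asserts), a sentence to that effect on the constant would spare the next reader the same inference. The enclosing TEST_P bodies start and end outside these hunks.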
@@ -184,6 +187,7 @@ TEST_P(DeviceUniqueAttestationTest, EcdsaDeviceUniqueAttestation) { .EcdsaSigningKey(EcCurve::P_256) .Digest(Digest::SHA_2_256) .Authorization(TAG_INCLUDE_UNIQUE_ID) + .Authorization(TAG_CREATION_DATETIME, 1619621648000) .AttestationChallenge("challenge") .AttestationApplicationId("foo") .Authorization(TAG_DEVICE_UNIQUE_ATTESTATION), @@ -242,14 +246,16 @@ TEST_P(DeviceUniqueAttestationTest, EcdsaDeviceUniqueAttestationID) { for (const KeyParameter& tag : attestation_id_tags) { SCOPED_TRACE(testing::Message() << "+tag-" << tag); - AuthorizationSetBuilder builder = AuthorizationSetBuilder() - .Authorization(TAG_NO_AUTH_REQUIRED) - .EcdsaSigningKey(EcCurve::P_256) - .Digest(Digest::SHA_2_256) - .Authorization(TAG_INCLUDE_UNIQUE_ID) - .AttestationChallenge("challenge") - .AttestationApplicationId("foo") - .Authorization(TAG_DEVICE_UNIQUE_ATTESTATION); + AuthorizationSetBuilder builder = + AuthorizationSetBuilder() + .Authorization(TAG_NO_AUTH_REQUIRED) + .EcdsaSigningKey(EcCurve::P_256) + .Digest(Digest::SHA_2_256) + .Authorization(TAG_INCLUDE_UNIQUE_ID) + .Authorization(TAG_CREATION_DATETIME, 1619621648000) + .AttestationChallenge("challenge") + .AttestationApplicationId("foo") + .Authorization(TAG_DEVICE_UNIQUE_ATTESTATION); builder.push_back(tag); auto result = GenerateKey(builder, &key_blob, &key_characteristics); 
@@ -310,14 +316,16 @@ TEST_P(DeviceUniqueAttestationTest, EcdsaDeviceUniqueAttestationMismatchID) { for (const KeyParameter& invalid_tag : attestation_id_tags) { SCOPED_TRACE(testing::Message() << "+tag-" << invalid_tag); - AuthorizationSetBuilder builder = AuthorizationSetBuilder() - .Authorization(TAG_NO_AUTH_REQUIRED) - .EcdsaSigningKey(EcCurve::P_256) - .Digest(Digest::SHA_2_256) - .Authorization(TAG_INCLUDE_UNIQUE_ID) - .AttestationChallenge("challenge") - .AttestationApplicationId("foo") - .Authorization(TAG_DEVICE_UNIQUE_ATTESTATION); + AuthorizationSetBuilder builder = + AuthorizationSetBuilder() + .Authorization(TAG_NO_AUTH_REQUIRED) + .EcdsaSigningKey(EcCurve::P_256) + .Digest(Digest::SHA_2_256) + .Authorization(TAG_INCLUDE_UNIQUE_ID) + .Authorization(TAG_CREATION_DATETIME, 1619621648000) + .AttestationChallenge("challenge") + .AttestationApplicationId("foo") + .Authorization(TAG_DEVICE_UNIQUE_ATTESTATION); // Add the tag that doesn't match the local device's real ID. builder.push_back(invalid_tag); auto result = GenerateKey(builder, &key_blob, &key_characteristics); diff --git a/security/keymint/aidl/vts/functional/KeyMintAidlTestBase.cpp b/security/keymint/aidl/vts/functional/KeyMintAidlTestBase.cpp index 20324117b..8e35c91b6 100644 --- a/security/keymint/aidl/vts/functional/KeyMintAidlTestBase.cpp +++ b/security/keymint/aidl/vts/functional/KeyMintAidlTestBase.cpp @@ -1298,7 +1298,8 @@ bool verify_attestation_record(const string& challenge, // AuthorizationSet expected_sw_enforced, // AuthorizationSet expected_hw_enforced, // SecurityLevel security_level, - const vector<uint8_t>& attestation_cert) { + const vector<uint8_t>& attestation_cert, + vector<uint8_t>* unique_id) { X509_Ptr cert(parse_cert_blob(attestation_cert)); EXPECT_TRUE(!!cert.get()); if (!cert.get()) return false; 
@@ -1458,6 +1459,10 @@ bool verify_attestation_record(const string& challenge, // expected_hw_enforced.Sort(); EXPECT_EQ(filtered_tags(expected_hw_enforced), filtered_tags(att_hw_enforced)); + if (unique_id != nullptr) { + *unique_id = att_unique_id; + } + return true; } diff --git a/security/keymint/aidl/vts/functional/KeyMintAidlTestBase.h b/security/keymint/aidl/vts/functional/KeyMintAidlTestBase.h index ec3fcf6a3..7b3b9d4b4 100644 --- a/security/keymint/aidl/vts/functional/KeyMintAidlTestBase.h +++ b/security/keymint/aidl/vts/functional/KeyMintAidlTestBase.h @@ -338,7 +338,8 @@ bool verify_attestation_record(const string& challenge, // AuthorizationSet expected_sw_enforced, // AuthorizationSet expected_hw_enforced, // SecurityLevel security_level, - const vector<uint8_t>& attestation_cert); + const vector<uint8_t>& attestation_cert, + vector<uint8_t>* unique_id = nullptr); string bin2hex(const vector<uint8_t>& data); X509_Ptr parse_cert_blob(const vector<uint8_t>& blob); diff --git a/security/keymint/aidl/vts/functional/KeyMintTest.cpp b/security/keymint/aidl/vts/functional/KeyMintTest.cpp index 2a0ee7fd3..4d7f1b8ee 100644 --- a/security/keymint/aidl/vts/functional/KeyMintTest.cpp +++ b/security/keymint/aidl/vts/functional/KeyMintTest.cpp 
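Review bot: The new `vector<uint8_t>* unique_id` out-parameter of `verify_attestation_record` is undocumented in KeyMintAidlTestBase.h, and its contract is subtle: it is written only when control reaches the new `return true` at the end of the function, so the early `return false` exits (such as the `if (!cert.get()) return false;` visible in the signature hunk) leave the caller's vector untouched, while the `EXPECT_EQ` immediately before the assignment is non-fatal, so the unique ID is still copied out when that expectation fails. Add to the header declaration `// If |unique_id| is non-null, receives the record's unique ID when the function returns true; left unchanged when it returns false.`. The same point applies to the signature hunk of KeyMintAidlTestBase.cpp above and to the declaration hunk of KeyMintAidlTestBase.h; the function body lies almost entirely outside the hunks, so whether other paths can bail out before the assignment is not visible here.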
@@ -1550,6 +1550,102 @@ TEST_P(NewKeyGenerationTest, EcdsaAttestationTags) { } /* + * NewKeyGenerationTest.EcdsaAttestationUniqueId + * + * Verifies that creation of an attested ECDSA key with a UNIQUE_ID included. + */ +TEST_P(NewKeyGenerationTest, EcdsaAttestationUniqueId) { + auto get_unique_id = [this](const std::string& app_id, uint64_t datetime, + vector<uint8_t>* unique_id, bool reset = false) { + auto challenge = "hello"; + auto subject = "cert subj 2"; + vector<uint8_t> subject_der(make_name_from_str(subject)); + uint64_t serial_int = 0x1010; + vector<uint8_t> serial_blob(build_serial_blob(serial_int)); + AuthorizationSetBuilder builder = + AuthorizationSetBuilder() + .Authorization(TAG_NO_AUTH_REQUIRED) + .Authorization(TAG_INCLUDE_UNIQUE_ID) + .EcdsaSigningKey(EcCurve::P_256) + .Digest(Digest::NONE) + .AttestationChallenge(challenge) + .Authorization(TAG_CERTIFICATE_SERIAL, serial_blob) + .Authorization(TAG_CERTIFICATE_SUBJECT, subject_der) + .AttestationApplicationId(app_id) + .Authorization(TAG_CREATION_DATETIME, datetime) + .SetDefaultValidity(); + if (reset) { + builder.Authorization(TAG_RESET_SINCE_ID_ROTATION); + } + + ASSERT_EQ(ErrorCode::OK, GenerateKey(builder)); + ASSERT_GT(key_blob_.size(), 0U); + + EXPECT_TRUE(ChainSignaturesAreValid(cert_chain_)); + ASSERT_GT(cert_chain_.size(), 0); + verify_subject_and_serial(cert_chain_[0], serial_int, subject, /* self_signed = */ false); + + AuthorizationSet hw_enforced = HwEnforcedAuthorizations(key_characteristics_); + AuthorizationSet sw_enforced = SwEnforcedAuthorizations(key_characteristics_); + + // Check that the unique ID field in the extension is non-empty. 
+ EXPECT_TRUE(verify_attestation_record(challenge, app_id, sw_enforced, hw_enforced, + SecLevel(), cert_chain_[0].encodedCertificate, + unique_id)); + EXPECT_GT(unique_id->size(), 0); + CheckedDeleteKey(); + }; + + // Generate unique ID + auto app_id = "foo"; + uint64_t cert_date = 1619621648000; // Wed Apr 28 14:54:08 2021 in ms since epoch + vector<uint8_t> unique_id; + get_unique_id(app_id, cert_date, &unique_id); + + // Generating a new key with the same parameters should give the same unique ID. + vector<uint8_t> unique_id2; + get_unique_id(app_id, cert_date, &unique_id2); + EXPECT_EQ(unique_id, unique_id2); + + // Generating a new key with a slightly different date should give the same unique ID. + uint64_t rounded_date = cert_date / 2592000000LLU; + uint64_t min_date = rounded_date * 2592000000LLU; + uint64_t max_date = ((rounded_date + 1) * 2592000000LLU) - 1; + + vector<uint8_t> unique_id3; + get_unique_id(app_id, min_date, &unique_id3); + EXPECT_EQ(unique_id, unique_id3); + + vector<uint8_t> unique_id4; + get_unique_id(app_id, max_date, &unique_id4); + EXPECT_EQ(unique_id, unique_id4); + + // A different attestation application ID should yield a different unique ID. + auto app_id2 = "different_foo"; + vector<uint8_t> unique_id5; + get_unique_id(app_id2, cert_date, &unique_id5); + EXPECT_NE(unique_id, unique_id5); + + // A radically different date should yield a different unique ID. + vector<uint8_t> unique_id6; + get_unique_id(app_id, 1611621648000, &unique_id6); + EXPECT_NE(unique_id, unique_id6); + + vector<uint8_t> unique_id7; + get_unique_id(app_id, max_date + 1, &unique_id7); + EXPECT_NE(unique_id, unique_id7); + + vector<uint8_t> unique_id8; + get_unique_id(app_id, min_date - 1, &unique_id8); + EXPECT_NE(unique_id, unique_id8); + + // Marking RESET_SINCE_ID_ROTATION should give a different unique ID. 
+ vector<uint8_t> unique_id9; + get_unique_id(app_id, cert_date, &unique_id9, /* reset_id = */ true); + EXPECT_NE(unique_id, unique_id9); +} + +/* * NewKeyGenerationTest.EcdsaAttestationTagNoApplicationId * * Verifies that creation of an attested ECDSA key does not include APPLICATION_ID. |
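Review bot: The inline argument comment on the last `get_unique_id` call names a parameter that does not exist — the lambda declares `bool reset = false`, but the call reads `/* reset_id = */ true`; clang-tidy's bugprone-argument-comment flags exactly this, so change it to `get_unique_id(app_id, cert_date, &unique_id9, /* reset = */ true);`. Inside the same lambda the size checks are inconsistent: `ASSERT_GT(key_blob_.size(), 0U)` uses an unsigned literal while `ASSERT_GT(cert_chain_.size(), 0)` and `EXPECT_GT(unique_id->size(), 0)` compare a size_t against a signed int, which trips -Wsign-compare in gtest's comparison templates; use `0U` in all three. The repeated `2592000000LLU` (30 days in milliseconds, judging by the min/max-date arithmetic and the RESET_SINCE_ID_ROTATION check) deserves a named constant such as `constexpr uint64_t kUniqueIdPeriodMs = 2592000000LLU;` so the rotation window the test assumes is stated once. Note also that `ASSERT_*` inside a void lambda only returns from the lambda, so after a fatal failure in `get_unique_id` the outer test continues and `EXPECT_EQ(unique_id, unique_id2)` passes on two empty vectors — the test still fails on the recorded assertion, but the follow-on expectations become noise. The header comment `Verifies that creation of an attested ECDSA key with a UNIQUE_ID included.` is missing its verb; `Verifies that an attested ECDSA key created with TAG_INCLUDE_UNIQUE_ID carries a unique ID, and that the ID is stable within a date window and changes with app ID, date window or RESET_SINCE_ID_ROTATION.` says what the body checks.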
