KeyMint VTS: extra unique ID test

Test that specifying RESET_SINCE_ID_ROTATION results in a different unique ID value. Test: VtsAidlKeyMintTargetTest Bug: 202487002 Change-Id: I2aed96514bf9e4802f0ef756f880cac79fa09554
author: David Drysdale <drysdale@google.com> 2021-11-01 11:40:08 +0000
committer: David Drysdale <drysdale@google.com> 2021-11-10 15:02:59 +0000
commit: e26fab78ed1ecc6e6360f418201b3c55b7d00d0d (patch)
tree: c20537b4f199030aa62643478ec5399e6b5432aa
parent: 2f361c15718b660957712c2992653af5751da024 (diff)
2 files changed, 34 insertions, 18 deletions
diff --git a/security/keymint/aidl/vts/functional/DeviceUniqueAttestationTest.cpp b/security/keymint/aidl/vts/functional/DeviceUniqueAttestationTest.cpp
index d7abf0790..79716b135 100644
--- a/security/keymint/aidl/vts/functional/DeviceUniqueAttestationTest.cpp
+++ b/security/keymint/aidl/vts/functional/DeviceUniqueAttestationTest.cpp
@@ -76,6 +76,7 @@ TEST_P(DeviceUniqueAttestationTest, RsaNonStrongBoxUnimplemented) {
                                       .Digest(Digest::SHA_2_256)
                                       .Padding(PaddingMode::RSA_PKCS1_1_5_SIGN)
                                       .Authorization(TAG_INCLUDE_UNIQUE_ID)
+                                      .Authorization(TAG_CREATION_DATETIME, 1619621648000)
                                       .AttestationChallenge("challenge")
                                       .AttestationApplicationId("foo")
                                       .Authorization(TAG_DEVICE_UNIQUE_ATTESTATION),
@@ -102,6 +103,7 @@ TEST_P(DeviceUniqueAttestationTest, EcdsaNonStrongBoxUnimplemented) {
                                       .EcdsaSigningKey(EcCurve::P_256)
                                       .Digest(Digest::SHA_2_256)
                                       .Authorization(TAG_INCLUDE_UNIQUE_ID)
+                                      .Authorization(TAG_CREATION_DATETIME, 1619621648000)
                                       .AttestationChallenge("challenge")
                                       .AttestationApplicationId("foo")
                                       .Authorization(TAG_DEVICE_UNIQUE_ATTESTATION),
@@ -129,6 +131,7 @@ TEST_P(DeviceUniqueAttestationTest, RsaDeviceUniqueAttestation) {
                                       .Digest(Digest::SHA_2_256)
                                       .Padding(PaddingMode::RSA_PKCS1_1_5_SIGN)
                                       .Authorization(TAG_INCLUDE_UNIQUE_ID)
+                                      .Authorization(TAG_CREATION_DATETIME, 1619621648000)
                                       .AttestationChallenge("challenge")
                                       .AttestationApplicationId("foo")
                                       .Authorization(TAG_DEVICE_UNIQUE_ATTESTATION),
@@ -184,6 +187,7 @@ TEST_P(DeviceUniqueAttestationTest, EcdsaDeviceUniqueAttestation) {
                                       .EcdsaSigningKey(EcCurve::P_256)
                                       .Digest(Digest::SHA_2_256)
                                       .Authorization(TAG_INCLUDE_UNIQUE_ID)
+                                      .Authorization(TAG_CREATION_DATETIME, 1619621648000)
                                       .AttestationChallenge("challenge")
                                       .AttestationApplicationId("foo")
                                       .Authorization(TAG_DEVICE_UNIQUE_ATTESTATION),
@@ -242,14 +246,16 @@ TEST_P(DeviceUniqueAttestationTest, EcdsaDeviceUniqueAttestationID) {
 
     for (const KeyParameter& tag : attestation_id_tags) {
         SCOPED_TRACE(testing::Message() << "+tag-" << tag);
-        AuthorizationSetBuilder builder = AuthorizationSetBuilder()
-                                                  .Authorization(TAG_NO_AUTH_REQUIRED)
-                                                  .EcdsaSigningKey(EcCurve::P_256)
-                                                  .Digest(Digest::SHA_2_256)
-                                                  .Authorization(TAG_INCLUDE_UNIQUE_ID)
-                                                  .AttestationChallenge("challenge")
-                                                  .AttestationApplicationId("foo")
-                                                  .Authorization(TAG_DEVICE_UNIQUE_ATTESTATION);
+        AuthorizationSetBuilder builder =
+                AuthorizationSetBuilder()
+                        .Authorization(TAG_NO_AUTH_REQUIRED)
+                        .EcdsaSigningKey(EcCurve::P_256)
+                        .Digest(Digest::SHA_2_256)
+                        .Authorization(TAG_INCLUDE_UNIQUE_ID)
+                        .Authorization(TAG_CREATION_DATETIME, 1619621648000)
+                        .AttestationChallenge("challenge")
+                        .AttestationApplicationId("foo")
+                        .Authorization(TAG_DEVICE_UNIQUE_ATTESTATION);
         builder.push_back(tag);
         auto result = GenerateKey(builder, &key_blob, &key_characteristics);
 
@@ -310,14 +316,16 @@ TEST_P(DeviceUniqueAttestationTest, EcdsaDeviceUniqueAttestationMismatchID) {
 
     for (const KeyParameter& invalid_tag : attestation_id_tags) {
         SCOPED_TRACE(testing::Message() << "+tag-" << invalid_tag);
-        AuthorizationSetBuilder builder = AuthorizationSetBuilder()
-                                                  .Authorization(TAG_NO_AUTH_REQUIRED)
-                                                  .EcdsaSigningKey(EcCurve::P_256)
-                                                  .Digest(Digest::SHA_2_256)
-                                                  .Authorization(TAG_INCLUDE_UNIQUE_ID)
-                                                  .AttestationChallenge("challenge")
-                                                  .AttestationApplicationId("foo")
-                                                  .Authorization(TAG_DEVICE_UNIQUE_ATTESTATION);
+        AuthorizationSetBuilder builder =
+                AuthorizationSetBuilder()
+                        .Authorization(TAG_NO_AUTH_REQUIRED)
+                        .EcdsaSigningKey(EcCurve::P_256)
+                        .Digest(Digest::SHA_2_256)
+                        .Authorization(TAG_INCLUDE_UNIQUE_ID)
+                        .Authorization(TAG_CREATION_DATETIME, 1619621648000)
+                        .AttestationChallenge("challenge")
+                        .AttestationApplicationId("foo")
+                        .Authorization(TAG_DEVICE_UNIQUE_ATTESTATION);
         // Add the tag that doesn't match the local device's real ID.
         builder.push_back(invalid_tag);
         auto result = GenerateKey(builder, &key_blob, &key_characteristics);
diff --git a/security/keymint/aidl/vts/functional/KeyMintTest.cpp b/security/keymint/aidl/vts/functional/KeyMintTest.cpp
index 5647db6a0..4d7f1b8ee 100644
--- a/security/keymint/aidl/vts/functional/KeyMintTest.cpp
+++ b/security/keymint/aidl/vts/functional/KeyMintTest.cpp
@@ -1556,13 +1556,13 @@ TEST_P(NewKeyGenerationTest, EcdsaAttestationTags) {
  */
 TEST_P(NewKeyGenerationTest, EcdsaAttestationUniqueId) {
     auto get_unique_id = [this](const std::string& app_id, uint64_t datetime,
-                                vector<uint8_t>* unique_id) {
+                                vector<uint8_t>* unique_id, bool reset = false) {
         auto challenge = "hello";
         auto subject = "cert subj 2";
         vector<uint8_t> subject_der(make_name_from_str(subject));
         uint64_t serial_int = 0x1010;
         vector<uint8_t> serial_blob(build_serial_blob(serial_int));
-        const AuthorizationSetBuilder builder =
+        AuthorizationSetBuilder builder =
                 AuthorizationSetBuilder()
                         .Authorization(TAG_NO_AUTH_REQUIRED)
                         .Authorization(TAG_INCLUDE_UNIQUE_ID)
@@ -1574,6 +1574,9 @@ TEST_P(NewKeyGenerationTest, EcdsaAttestationUniqueId) {
                         .AttestationApplicationId(app_id)
                         .Authorization(TAG_CREATION_DATETIME, datetime)
                         .SetDefaultValidity();
+        if (reset) {
+            builder.Authorization(TAG_RESET_SINCE_ID_ROTATION);
+        }
 
         ASSERT_EQ(ErrorCode::OK, GenerateKey(builder));
         ASSERT_GT(key_blob_.size(), 0U);
@@ -1635,6 +1638,11 @@ TEST_P(NewKeyGenerationTest, EcdsaAttestationUniqueId) {
     vector<uint8_t> unique_id8;
     get_unique_id(app_id, min_date - 1, &unique_id8);
     EXPECT_NE(unique_id, unique_id8);
+
+    // Marking RESET_SINCE_ID_ROTATION should give a different unique ID.
+    vector<uint8_t> unique_id9;
+    get_unique_id(app_id, cert_date, &unique_id9, /* reset_id = */ true);
+    EXPECT_NE(unique_id, unique_id9);
 }
 
 /*
author	David Drysdale <drysdale@google.com>	2021-11-01 11:40:08 +0000
committer	David Drysdale <drysdale@google.com>	2021-11-10 15:02:59 +0000
commit	e26fab78ed1ecc6e6360f418201b3c55b7d00d0d (patch)
tree	c20537b4f199030aa62643478ec5399e6b5432aa
parent	2f361c15718b660957712c2992653af5751da024 (diff)