authorAndroid Build Coastguard Worker <android-build-coastguard-worker@google.com>2023-07-28 01:53:05 +0000
committerAndroid Build Coastguard Worker <android-build-coastguard-worker@google.com>2023-07-28 01:53:05 +0000
commit9f05b44a151a2bb2836354906833fc014d201509 (patch)
treecec47ead12e435072cce20bebcaeddd793f07c43
parent24b06465ad5445b0f760e25c9ef504074eab3047 (diff)
parent79ba1821fd1055703bfcf809b0a0997d97613118 (diff)
downloadwycheproof-android14-security-release.tar.gz
Change-Id: I0c27bca6572f19ea2414d240ef3c300e2c7687bc
-rw-r--r--keystore-cts/java/android/keystore/cts/util/KeyStoreUtil.java14
-rw-r--r--keystore-cts/java/com/google/security/wycheproof/testcases/MacTest.java11
-rw-r--r--keystore-cts/java/com/google/security/wycheproof/testcases/RsaOaepTest.java19
-rw-r--r--keystore-cts/java/com/google/security/wycheproof/testcases/RsaSignatureTest.java2
4 files changed, 40 insertions, 6 deletions
diff --git a/keystore-cts/java/android/keystore/cts/util/KeyStoreUtil.java b/keystore-cts/java/android/keystore/cts/util/KeyStoreUtil.java
index ea5d91b..001ab89 100644
--- a/keystore-cts/java/android/keystore/cts/util/KeyStoreUtil.java
+++ b/keystore-cts/java/android/keystore/cts/util/KeyStoreUtil.java
@@ -13,6 +13,7 @@
*/
package android.keystore.cts.util;
+import static org.junit.Assume.assumeTrue;
import android.content.Context;
import android.security.keystore.KeyProtection;
import android.keystore.cts.util.TestUtils;
@@ -53,6 +54,8 @@ public class KeyStoreUtil {
public static final int KM_VERSION_KEYMASTER_4 = 40;
public static final int KM_VERSION_KEYMASTER_4_1 = 41;
public static final int KM_VERSION_KEYMINT_1 = 100;
+ public static final int KM_VERSION_KEYMINT_2 = 200;
+ public static final int KM_VERSION_KEYMINT_3 = 300;
private static final List kmSupportedDigests = List.of("md5","sha-1","sha-224","sha-384",
"sha-256","sha-512");
@@ -91,7 +94,11 @@ public class KeyStoreUtil {
}
}
- public static int getFeatureVersionKeystore() {
+ public static int getFeatureVersionKeystore(boolean isStrongBox) {
+ if (isStrongBox) {
+ return TestUtils.getFeatureVersionKeystoreStrongBox(
+ ApplicationProvider.getApplicationContext());
+ }
return TestUtils.getFeatureVersionKeystore(ApplicationProvider.getApplicationContext());
}
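Review bot: getFeatureVersionKeystore has no Javadoc, and the new `isStrongBox` flag now selects which backend's feature version is returned. I would add `/** Returns the Keystore feature version of the StrongBox backend when isStrongBox is true, otherwise of the default backend; compare the result against the KM_VERSION_* constants. */`. What TestUtils.getFeatureVersionKeystoreStrongBox returns on a device without StrongBox is not visible in this diff; the doc should state it, because the version gates added elsewhere in this commit decide skip-or-run from that value. Any caller of the old no-argument form outside the files shown here would no longer compile.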
@@ -173,4 +180,9 @@ public class KeyStoreUtil {
new ByteArrayInputStream(x509holder.getEncoded()));
return x509c;
}
+
+ public static void assumeKeyMintV1OrNewer(boolean isStrongBox) {
+ assumeTrue("Test can only run on KeyMint v1 and above",
+ KeyStoreUtil.getFeatureVersionKeystore(isStrongBox) >= KM_VERSION_KEYMINT_1);
+ }
}
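Review bot: The skip message in assumeKeyMintV1OrNewer names neither the backend that was queried nor the version that was found, so a skipped Wycheproof test in a conformance report cannot be told apart from a device that misreports its Keystore feature version. Reading the version into a local and reporting it keeps the skip diagnosable: `int version = getFeatureVersionKeystore(isStrongBox);` followed by `assumeTrue("Test can only run on KeyMint v1 and above (isStrongBox=" + isStrongBox + ", version=" + version + ")", version >= KM_VERSION_KEYMINT_1);`. A short Javadoc saying that the method skips the calling test, rather than failing it, would also help.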
diff --git a/keystore-cts/java/com/google/security/wycheproof/testcases/MacTest.java b/keystore-cts/java/com/google/security/wycheproof/testcases/MacTest.java
index 3a42761..81be1bd 100644
--- a/keystore-cts/java/com/google/security/wycheproof/testcases/MacTest.java
+++ b/keystore-cts/java/com/google/security/wycheproof/testcases/MacTest.java
@@ -332,6 +332,9 @@ public class MacTest {
@Test
public void testLongMacSha1() throws Exception {
+ // b/244609904#comment64
+ KeyStoreUtil.assumeKeyMintV1OrNewer(false);
+
testLongMac(
"HMACSHA1",
"000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f",
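Review bot: The comment `// b/244609904#comment64` above the new `KeyStoreUtil.assumeKeyMintV1OrNewer(false)` call in testLongMacSha1 is only a tracker reference and does not say why these vectors are skipped below KeyMint v1. A reader without access to that bug cannot tell whether the skip covers an unsupported feature or a known defect on older implementations, which matters when interpreting skip counts from a security test suite. A one-line reason next to the reference would do, e.g. `// Skipped below KeyMint v1, see b/244609904#comment64: <reason from the bug>`. The same two lines are added in testLongMacSha256, testLongMacSha384, testLongMacSha512, the three RsaOaepTest MGF1-SHA1 tests and RsaSignatureTest.testFaultySigner. The body of testLongMacSha1 continues past this hunk.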
@@ -348,6 +351,8 @@ public class MacTest {
@Test
public void testLongMacSha256() throws Exception {
+ // b/244609904#comment64
+ KeyStoreUtil.assumeKeyMintV1OrNewer(false);
testLongMacSha256(false);
}
@Test
@@ -375,6 +380,9 @@ public class MacTest {
@Test
public void testLongMacSha384() throws Exception {
+ // b/244609904#comment64
+ KeyStoreUtil.assumeKeyMintV1OrNewer(false);
+
testLongMac(
"HMACSHA384",
"000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f"
@@ -395,6 +403,9 @@ public class MacTest {
@Test
public void testLongMacSha512() throws Exception {
+ // b/244609904#comment64
+ KeyStoreUtil.assumeKeyMintV1OrNewer(false);
+
testLongMac(
"HMACSHA512",
"000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f"
diff --git a/keystore-cts/java/com/google/security/wycheproof/testcases/RsaOaepTest.java b/keystore-cts/java/com/google/security/wycheproof/testcases/RsaOaepTest.java
index 5eb47e5..0a82423 100644
--- a/keystore-cts/java/com/google/security/wycheproof/testcases/RsaOaepTest.java
+++ b/keystore-cts/java/com/google/security/wycheproof/testcases/RsaOaepTest.java
@@ -192,14 +192,17 @@ public class RsaOaepTest {
}
protected static OAEPParameterSpec getOaepParameters(JsonObject group,
- JsonObject test) throws Exception {
+ JsonObject test, boolean isStrongBox) throws Exception {
String sha = getString(group, "sha");
String mgf = getString(group, "mgf");
String mgfSha = getString(group, "mgfSha");
- // mgfDigest other than SHA-1 are supported from KeyMint V1 and above.
+ // mgfDigest other than SHA-1 are supported from KeyMint V1 and above but some implementations
+ // of keymint V1 and V2 (notably the C++ reference implementation) does not include MGF_DIGEST
+ // tag in key characteriestics hence issue b/287532460 introduced. So non-default MGF_DIGEST is
+ // tested on Keymint V3 and above.
if (!mgfSha.equalsIgnoreCase("SHA-1")) {
- assumeTrue("This test is valid for KeyMint version 1 and above.",
- KeyStoreUtil.getFeatureVersionKeystore() >= KeyStoreUtil.KM_VERSION_KEYMINT_1);
+ assumeTrue("This test is valid for KeyMint version 3 and above.",
+ KeyStoreUtil.getFeatureVersionKeystore(isStrongBox) >= KeyStoreUtil.KM_VERSION_KEYMINT_3);
}
PSource p = PSource.PSpecified.DEFAULT;
if (test.has("label") && !TextUtils.isEmpty(getString(test, "label"))) {
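Review bot: The `assumeTrue` in getOaepParameters throws from a helper that the caller invokes once per test vector, and the call site in the next hunk catches only UnsupportedKeyParametersException. The first group with a non-SHA-1 `mgfSha` therefore marks the whole test method as skipped, not just that group. If a vector file ever mixes MGF digests, its remaining SHA-1 groups would go unexercised on KeyMint v1 and v2 without any failure being reported. Either evaluate the version gate once in the calling test before the loop, or add a comment stating that each vector file is assumed to use a single `mgfSha`. The comment above the check also has typos (`characteriestics`, and `does not` should be `do not`), and getOaepParameters continues past the end of this hunk.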
@@ -305,7 +308,7 @@ public class RsaOaepTest {
String messageHex = TestUtil.bytesToHex(getBytes(testcase, "msg"));
OAEPParameterSpec params;
try {
- params = getOaepParameters(group, testcase);
+ params = getOaepParameters(group, testcase, isStrongBox);
} catch (UnsupportedKeyParametersException e) {
// TODO This try catch block should be removed once issue b/229183581 is fixed.
continue;
@@ -362,6 +365,8 @@ public class RsaOaepTest {
@Test
public void testRsaOaep2048Sha1Mgf1Sha1() throws Exception {
+ // b/244609904#comment64
+ KeyStoreUtil.assumeKeyMintV1OrNewer(false);
testOaep("rsa_oaep_2048_sha1_mgf1sha1_test.json", false);
}
@@ -420,6 +425,8 @@ public class RsaOaepTest {
@Test
public void testRsaOaep3072Sha256Mgf1Sha1() throws Exception {
+ // b/244609904#comment64
+ KeyStoreUtil.assumeKeyMintV1OrNewer(false);
testOaep("rsa_oaep_3072_sha256_mgf1sha1_test.json", false);
}
@@ -440,6 +447,8 @@ public class RsaOaepTest {
@Test
public void testRsaOaep4096Sha256Mgf1Sha1() throws Exception {
+ // b/244609904#comment64
+ KeyStoreUtil.assumeKeyMintV1OrNewer(false);
testOaep("rsa_oaep_4096_sha256_mgf1sha1_test.json", false);
}
diff --git a/keystore-cts/java/com/google/security/wycheproof/testcases/RsaSignatureTest.java b/keystore-cts/java/com/google/security/wycheproof/testcases/RsaSignatureTest.java
index d41bb98..de86dc5 100644
--- a/keystore-cts/java/com/google/security/wycheproof/testcases/RsaSignatureTest.java
+++ b/keystore-cts/java/com/google/security/wycheproof/testcases/RsaSignatureTest.java
@@ -1265,6 +1265,8 @@ public class RsaSignatureTest {
*/
@Test
public void testFaultySigner() throws Exception {
+ // b/244609904#comment64
+ KeyStoreUtil.assumeKeyMintV1OrNewer(false);
testFaultySigner(false);
}
@Test