diff options
author | Tony Marin <tony.marin@thalesgroup.com> | 2023-12-19 23:33:33 -0800 |
---|---|---|
committer | Tony Marin <tony.marin@thalesgroup.com> | 2024-01-12 18:16:52 +0000 |
commit | 95bc5c281fd6c6572e761073c8b8f332b7345eaf (patch) | |
tree | 0b01341f20022526982c740c92d3a3b7b6815d47 | |
parent | 7b6d5ebea10628bc216843a142026b21f5df54f3 (diff) | |
download | wycheproof-android14-tests-dev.tar.gz |
cts: Allow SE vendor exceptionsandroid14-tests-dev
Some SE vendor implementations restrict the usage of certain know
insecure private keys.
This limits the usage of specific values of s that will result in
such kind of keys.
An exception case is added to manage those limitations. Keymint Applet
shall return INVALID_OPERATION = -76
Bug: 312687735
Test: Should be tested on a device with Strongbox implementation.
Test: atest CtsKeystoreWycheproofTestCases:EcdhTest#testNistCurveLargePrivateKey_StrongBox
Change-Id: I7b8ee3cb729a9da97d0d41e3b4a2fb6326b3ec35
-rw-r--r-- | keystore-cts/java/com/google/security/wycheproof/testcases/EcdhTest.java | 35 |
1 files changed, 24 insertions, 11 deletions
diff --git a/keystore-cts/java/com/google/security/wycheproof/testcases/EcdhTest.java b/keystore-cts/java/com/google/security/wycheproof/testcases/EcdhTest.java index f57ad29..573561c 100644 --- a/keystore-cts/java/com/google/security/wycheproof/testcases/EcdhTest.java +++ b/keystore-cts/java/com/google/security/wycheproof/testcases/EcdhTest.java @@ -44,6 +44,7 @@ import org.junit.After; import org.junit.Test; import org.junit.Ignore; import android.content.Context; +import android.security.KeyStoreException; import android.security.keystore.KeyProtection; import android.security.keystore.KeyProperties; import android.security.keystore.KeyGenParameterSpec; @@ -810,19 +811,31 @@ public static final EcPublicKeyTestVector EC_VALID_PUBLIC_KEY = ECPrivateKeySpec spec1 = new ECPrivateKeySpec(p1, spec); ECPrivateKeySpec spec2 = new ECPrivateKeySpec(order.subtract(p1), spec); PrivateKey priv1 = kf.generatePrivate(spec1); + PrivateKey priv2 = kf.generatePrivate(spec2); // This Public key is not pair of priv1, but it is required to create KeyPair to import into - // AndroidKeyStore, So using dummy public key. + // AndroidKeyStore, So using dummy public key. PublicKey pub1 = kf.generatePublic(EC_VALID_PUBLIC_KEY.getX509EncodedKeySpec()); - ka.init(getKeystorePrivateKey(pub1, priv1, isStrongBox)); - ka.doPhase(pub, true); - byte[] shared1 = ka.generateSecret(); - PrivateKey priv2 = kf.generatePrivate(spec2); - ka.init(getKeystorePrivateKey(pub1, priv2, isStrongBox)); - ka.doPhase(pub, true); - byte[] shared2 = ka.generateSecret(); - // The private keys p1 and p2 are equivalent, since only the x-coordinate of the - // shared point is used to generate the shared secret. - assertEquals(TestUtil.bytesToHex(shared1), TestUtil.bytesToHex(shared2)); + try { + ka.init(getKeystorePrivateKey(pub1, priv1, isStrongBox)); + ka.doPhase(pub, true); + byte[] shared1 = ka.generateSecret(); + ka.init(getKeystorePrivateKey(pub1, priv2, isStrongBox)); + ka.doPhase(pub, true); + byte[] shared2 = ka.generateSecret(); + // The private keys p1 and p2 are equivalent, since only the x-coordinate of the + // shared point is used to generate the shared secret. + assertEquals(TestUtil.bytesToHex(shared1), TestUtil.bytesToHex(shared2)); + } catch (InvalidKeyException e) { + if (i <= 15 && e.getCause() instanceof KeyStoreException && + ((KeyStoreException)e.getCause()).getNumericErrorCode() == + KeyStoreException.ERROR_KEYMINT_FAILURE) { + // Known rejected on some vendor implementations for certain i values. + // Keymint Applet error code is INVALID_OPERATION (-76). + continue; + } else { + throw e; + } + } } } |