diff options
author | David Drysdale <drysdale@google.com> | 2024-05-03 05:28:28 +0000 |
---|---|---|
committer | Gerrit Code Review <noreply-gerritcodereview@google.com> | 2024-05-03 05:28:28 +0000 |
commit | e85693c6039962c5a44a8ef18c71d54fbb5946ba (patch) | |
tree | 982d69bdb901c83cb0742e4b0914918776645b53 | |
parent | 98e175b6f8467d31566f90a266bffea39234e2ec (diff) | |
parent | 40e41f10884f96f635668a83345b2f428c8f2919 (diff) | |
download | security-e85693c6039962c5a44a8ef18c71d54fbb5946ba.tar.gz |
Merge "Adjust keystore2_client_tests" into main
4 files changed, 28 insertions, 43 deletions
diff --git a/keystore2/tests/keystore2_client_authorizations_tests.rs b/keystore2/tests/keystore2_client_authorizations_tests.rs index 0fde7aff..32be99e0 100644 --- a/keystore2/tests/keystore2_client_authorizations_tests.rs +++ b/keystore2/tests/keystore2_client_authorizations_tests.rs @@ -442,36 +442,6 @@ fn keystore2_gen_key_auth_usage_expire_datetime_decrypt_op_fail() { delete_app_key(&keystore2, alias).unwrap(); } -/// Generate a key with `BOOTLOADER_ONLY`. Test should successfully generate -/// a key and verify the key characteristics. Test should fail with error code `INVALID_KEY_BLOB` -/// during creation of an operation using this key. -#[test] -fn keystore2_gen_key_auth_boot_loader_only_op_fail() { - skip_tests_if_keymaster_impl_present!(); - let keystore2 = get_keystore_service(); - let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap(); - - let gen_params = authorizations::AuthSetBuilder::new() - .no_auth_required() - .algorithm(Algorithm::EC) - .purpose(KeyPurpose::SIGN) - .purpose(KeyPurpose::VERIFY) - .digest(Digest::SHA_2_256) - .ec_curve(EcCurve::P_256) - .attestation_challenge(b"foo".to_vec()) - .boot_loader_only(); - - let alias = "ks_test_auth_tags_test"; - let result = key_generations::map_ks_error(key_generations::create_key_and_operation( - &sec_level, - &gen_params, - &authorizations::AuthSetBuilder::new().purpose(KeyPurpose::SIGN).digest(Digest::SHA_2_256), - alias, - )); - assert!(result.is_err()); - assert_eq!(Error::Km(ErrorCode::INVALID_KEY_BLOB), result.unwrap_err()); -} - /// Generate a key with `EARLY_BOOT_ONLY`. Test should successfully generate /// a key and verify the key characteristics. Test should fail with error code `EARLY_BOOT_ENDED` /// during creation of an operation using this key. diff --git a/keystore2/tests/keystore2_client_device_unique_attestation_tests.rs b/keystore2/tests/keystore2_client_device_unique_attestation_tests.rs index 4f881bcd..b784adf4 100644 --- a/keystore2/tests/keystore2_client_device_unique_attestation_tests.rs +++ b/keystore2/tests/keystore2_client_device_unique_attestation_tests.rs @@ -181,7 +181,10 @@ fn keystore2_gen_key_device_unique_attest_with_default_sec_level_unimplemented() alias, )); assert!(result.is_err()); - assert_eq!(Error::Km(ErrorCode::INVALID_ARGUMENT), result.unwrap_err()); + assert!(matches!( + result.unwrap_err(), + Error::Km(ErrorCode::INVALID_ARGUMENT) | Error::Km(ErrorCode::UNSUPPORTED_TAG) + )); } /// Generate a EC key with `DEVICE_UNIQUE_ATTESTATION` using `STRONGBOX` security level. diff --git a/keystore2/tests/keystore2_client_ec_key_tests.rs b/keystore2/tests/keystore2_client_ec_key_tests.rs index 82671402..f2c6d0f9 100644 --- a/keystore2/tests/keystore2_client_ec_key_tests.rs +++ b/keystore2/tests/keystore2_client_ec_key_tests.rs @@ -30,8 +30,8 @@ use keystore2_test_utils::{ }; use crate::keystore2_client_test_utils::{ - delete_app_key, execute_op_run_as_child, perform_sample_sign_operation, BarrierReached, - ForcedOp, TestOutcome, + delete_app_key, execute_op_run_as_child, get_vsr_api_level, perform_sample_sign_operation, + BarrierReached, ForcedOp, TestOutcome, }; macro_rules! test_ec_sign_key_op_success { @@ -374,13 +374,18 @@ fn keystore2_ec_25519_generate_key_fail() { ) .unwrap(); - let result = key_generations::map_ks_error(sec_level.createOperation( - &key_metadata.key, - &authorizations::AuthSetBuilder::new().purpose(KeyPurpose::SIGN).digest(digest), - false, - )); - assert!(result.is_err()); - assert_eq!(Error::Km(ErrorCode::UNSUPPORTED_DIGEST), result.unwrap_err()); + // The KeyMint v2 API added `CURVE_25519` and specified that "Ed25519 keys only support + // Digest::NONE". However, this was not checked at the time so we can only be strict about + // checking this for more recent implementations. + if get_vsr_api_level() >= 35 { + let result = key_generations::map_ks_error(sec_level.createOperation( + &key_metadata.key, + &authorizations::AuthSetBuilder::new().purpose(KeyPurpose::SIGN).digest(digest), + false, + )); + assert!(result.is_err(), "unexpected success for digest {digest:?}"); + assert_eq!(Error::Km(ErrorCode::UNSUPPORTED_DIGEST), result.unwrap_err()); + } } } diff --git a/keystore2/tests/keystore2_client_import_keys_tests.rs b/keystore2/tests/keystore2_client_import_keys_tests.rs index 31d57a2f..bf787d29 100644 --- a/keystore2/tests/keystore2_client_import_keys_tests.rs +++ b/keystore2/tests/keystore2_client_import_keys_tests.rs @@ -37,9 +37,9 @@ use keystore2_test_utils::ffi_test_utils::{ }; use crate::keystore2_client_test_utils::{ - encrypt_secure_key, encrypt_transport_key, perform_sample_asym_sign_verify_op, - perform_sample_hmac_sign_verify_op, perform_sample_sym_key_decrypt_op, - perform_sample_sym_key_encrypt_op, SAMPLE_PLAIN_TEXT, + encrypt_secure_key, encrypt_transport_key, get_vsr_api_level, + perform_sample_asym_sign_verify_op, perform_sample_hmac_sign_verify_op, + perform_sample_sym_key_decrypt_op, perform_sample_sym_key_encrypt_op, SAMPLE_PLAIN_TEXT, }; pub fn import_rsa_sign_key_and_perform_sample_operation( @@ -306,6 +306,13 @@ fn keystore2_import_ec_key_success() { let alias = format!("ks_ec_key_test_import_1_{}{}", getuid(), 256); + if get_vsr_api_level() < 35 { + // The KeyMint spec was previously not clear as to whether EC_CURVE was optional on import + // of EC keys. However, this was not checked at the time so we can only be strict about + // checking this for implementations at VSR-V or later. + println!("Skipping EC_CURVE on import only strict >= VSR-V"); + return; + } // Don't specify ec-curve. let import_params = authorizations::AuthSetBuilder::new() .no_auth_required() |