diff options
author | Seth Moore <sethmo@google.com> | 2024-04-10 15:51:45 +0000 |
---|---|---|
committer | Gerrit Code Review <noreply-gerritcodereview@google.com> | 2024-04-10 15:51:45 +0000 |
commit | 5c5a412b3cff6b1ac349cb1166d490d48ae2f1ff (patch) | |
tree | 726e69e2ac1a0a5bfb845c6a9cae1f7ae3820953 | |
parent | 3acb6db524b3a19989ac809c83ad4ee0ada1d032 (diff) | |
parent | b0914ea70af57f1a79304ea6de144020c123b3eb (diff) | |
download | security-5c5a412b3cff6b1ac349cb1166d490d48ae2f1ff.tar.gz |
Merge "Cope with rkp-only devices in legacy keyblob test" into main
-rw-r--r-- | keystore2/tests/legacy_blobs/keystore2_legacy_blob_tests.rs | 49 |
1 files changed, 24 insertions, 25 deletions
diff --git a/keystore2/tests/legacy_blobs/keystore2_legacy_blob_tests.rs b/keystore2/tests/legacy_blobs/keystore2_legacy_blob_tests.rs index 0335159a..3be99ee3 100644 --- a/keystore2/tests/legacy_blobs/keystore2_legacy_blob_tests.rs +++ b/keystore2/tests/legacy_blobs/keystore2_legacy_blob_tests.rs @@ -46,6 +46,10 @@ static USER_MANAGER_SERVICE_NAME: &str = "android.security.maintenance"; static AUTH_SERVICE_NAME: &str = "android.security.authorization"; const SELINUX_SHELL_NAMESPACE: i64 = 1; +fn rkp_only() -> bool { + matches!(rustutils::system_properties::read("remote_provisioning.tee.rkp_only"), Ok(Some(v)) if v == "1") +} + fn get_maintenance() -> binder::Strong<dyn IKeystoreMaintenance> { binder::get_interface(USER_MANAGER_SERVICE_NAME).unwrap() } @@ -162,13 +166,13 @@ fn keystore2_encrypted_characteristics() -> anyhow::Result<()> { .getSecurityLevel(SecurityLevel::SecurityLevel::TRUSTED_ENVIRONMENT) .unwrap(); // Generate Key BLOB and prepare legacy keystore blob files. - let att_challenge: &[u8] = b"foo"; + let att_challenge: Option<&[u8]> = if rkp_only() { None } else { Some(b"foo") }; let key_metadata = key_generations::generate_ec_p256_signing_key( &sec_level, Domain::BLOB, SELINUX_SHELL_NAMESPACE, None, - Some(att_challenge), + att_challenge, ) .expect("Failed to generate key blob"); @@ -212,14 +216,12 @@ fn keystore2_encrypted_characteristics() -> anyhow::Result<()> { .unwrap(); } - let mut path_buf = PathBuf::from("/data/misc/keystore/user_99"); - path_buf.push("9910001_CACERT_authbound"); - if !path_buf.as_path().is_file() { - make_cert_blob_file( - path_buf.as_path(), - key_metadata.certificateChain.as_ref().unwrap(), - ) - .unwrap(); + if let Some(chain) = key_metadata.certificateChain.as_ref() { + let mut path_buf = PathBuf::from("/data/misc/keystore/user_99"); + path_buf.push("9910001_CACERT_authbound"); + if !path_buf.as_path().is_file() { + make_cert_blob_file(path_buf.as_path(), chain).unwrap(); + } } // Keystore2 disables the legacy importer when it finds the legacy database empty. @@ -246,7 +248,7 @@ fn keystore2_encrypted_characteristics() -> anyhow::Result<()> { KeygenResult { cert: key_metadata.certificate.unwrap(), - cert_chain: key_metadata.certificateChain.unwrap(), + cert_chain: key_metadata.certificateChain.unwrap_or_default(), key_parameters: key_params, } }) @@ -275,7 +277,7 @@ fn keystore2_encrypted_characteristics() -> anyhow::Result<()> { gen_key_result.cert ); assert_eq!( - key_entry_response.metadata.certificateChain.unwrap(), + key_entry_response.metadata.certificateChain.unwrap_or_default(), gen_key_result.cert_chain ); assert_eq!(key_entry_response.metadata.key.domain, Domain::KEY_ID); @@ -415,13 +417,13 @@ fn keystore2_encrypted_certificates() -> anyhow::Result<()> { .getSecurityLevel(SecurityLevel::SecurityLevel::TRUSTED_ENVIRONMENT) .unwrap(); // Generate Key BLOB and prepare legacy keystore blob files. - let att_challenge: &[u8] = b"foo"; + let att_challenge: Option<&[u8]> = if rkp_only() { None } else { Some(b"foo") }; let key_metadata = key_generations::generate_ec_p256_signing_key( &sec_level, Domain::BLOB, SELINUX_SHELL_NAMESPACE, None, - Some(att_challenge), + att_challenge, ) .expect("Failed to generate key blob"); @@ -468,15 +470,12 @@ fn keystore2_encrypted_certificates() -> anyhow::Result<()> { .unwrap(); } - let mut path_buf = PathBuf::from("/data/misc/keystore/user_98"); - path_buf.push("9810001_CACERT_authboundcertenc"); - if !path_buf.as_path().is_file() { - make_encrypted_ca_cert_file( - path_buf.as_path(), - &super_key, - key_metadata.certificateChain.as_ref().unwrap(), - ) - .unwrap(); + if let Some(chain) = key_metadata.certificateChain.as_ref() { + let mut path_buf = PathBuf::from("/data/misc/keystore/user_98"); + path_buf.push("9810001_CACERT_authboundcertenc"); + if !path_buf.as_path().is_file() { + make_encrypted_ca_cert_file(path_buf.as_path(), &super_key, chain).unwrap(); + } } // Keystore2 disables the legacy importer when it finds the legacy database empty. @@ -503,7 +502,7 @@ fn keystore2_encrypted_certificates() -> anyhow::Result<()> { KeygenResult { cert: key_metadata.certificate.unwrap(), - cert_chain: key_metadata.certificateChain.unwrap(), + cert_chain: key_metadata.certificateChain.unwrap_or_default(), key_parameters: key_params, } }) @@ -532,7 +531,7 @@ fn keystore2_encrypted_certificates() -> anyhow::Result<()> { gen_key_result.cert ); assert_eq!( - key_entry_response.metadata.certificateChain.unwrap(), + key_entry_response.metadata.certificateChain.unwrap_or_default(), gen_key_result.cert_chain ); |