Changes are made in keystore-client-tests to verify CREATION_DATETIME,

ATTESTATION_CHALLENGE and ATTESTATION_APPLICATION_ID. Bug: 279721870 Test: atest keystore2_client_tests Change-Id: I2bf530189e41ede27763ef696ff9a126c4110e24
author: Rajesh Nyamagoud <nyamagoud@google.com> 2023-06-01 17:22:32 +0000
committer: Rajesh Nyamagoud <nyamagoud@google.com> 2023-10-09 21:51:19 +0000
commit: 5f6db2f4429b482a6fdb2e336de2c0b369cef3cb (patch)
tree: 8549dc7d172a1699d2cc804591da016f3f1cb27d
parent: f436a9326c19134f6f7e0a06b7221f64915a6b4b (diff)
download: security-5f6db2f4429b482a6fdb2e336de2c0b369cef3cb.tar.gz
5 files changed, 97 insertions, 14 deletions
diff --git a/keystore2/test_utils/authorizations.rs b/keystore2/test_utils/authorizations.rs
index b73aab51..f50eca62 100644
--- a/keystore2/test_utils/authorizations.rs
+++ b/keystore2/test_utils/authorizations.rs
@@ -305,6 +305,15 @@ impl AuthSetBuilder {
         });
         self
     }
+
+    /// Set creation date-time.
+    pub fn creation_date_time(mut self, date: i64) -> Self {
+        self.0.push(KeyParameter {
+            tag: Tag::CREATION_DATETIME,
+            value: KeyParameterValue::DateTime(date),
+        });
+        self
+    }
 }
 
 impl Deref for AuthSetBuilder {
diff --git a/keystore2/test_utils/key_generations.rs b/keystore2/test_utils/key_generations.rs
index ccf27bc6..0ffc32af 100644
--- a/keystore2/test_utils/key_generations.rs
+++ b/keystore2/test_utils/key_generations.rs
@@ -26,7 +26,7 @@ use android_hardware_security_keymint::aidl::android::hardware::security::keymin
     Algorithm::Algorithm, BlockMode::BlockMode, Digest::Digest, EcCurve::EcCurve,
     ErrorCode::ErrorCode, HardwareAuthenticatorType::HardwareAuthenticatorType,
     KeyOrigin::KeyOrigin, KeyParameter::KeyParameter, KeyParameterValue::KeyParameterValue,
-    KeyPurpose::KeyPurpose, PaddingMode::PaddingMode, Tag::Tag,
+    KeyPurpose::KeyPurpose, PaddingMode::PaddingMode, SecurityLevel::SecurityLevel, Tag::Tag,
 };
 use android_system_keystore2::aidl::android::system::keystore2::{
     AuthenticatorSpec::AuthenticatorSpec, Authorization::Authorization,
@@ -38,7 +38,10 @@ use android_system_keystore2::aidl::android::system::keystore2::{
 use crate::authorizations::AuthSetBuilder;
 use android_system_keystore2::binder::{ExceptionCode, Result as BinderResult};
 
-use crate::ffi_test_utils::{get_os_patchlevel, get_os_version, get_vendor_patchlevel};
+use crate::ffi_test_utils::{
+    get_os_patchlevel, get_os_version, get_value_from_attest_record, get_vendor_patchlevel,
+    validate_certchain,
+};
 
 /// Shell namespace.
 pub const SELINUX_SHELL_NAMESPACE: i64 = 1;
@@ -388,6 +391,12 @@ pub fn map_ks_error<T>(r: BinderResult<T>) -> Result<T, Error> {
     })
 }
 
+/// Indicate whether the default device is KeyMint (rather than Keymaster).
+pub fn has_default_keymint() -> bool {
+    binder::is_declared("android.hardware.security.keymint.IKeyMintDevice/default")
+        .expect("Could not check for declared keymint interface")
+}
+
 /// Verify that given key param is listed in given authorizations list.
 pub fn check_key_param(authorizations: &[Authorization], key_param: &KeyParameter) -> bool {
     authorizations.iter().any(|auth| &auth.keyParameter == key_param)
@@ -468,6 +477,13 @@ fn check_common_auths(authorizations: &[Authorization], expected_key_origin: Key
             )
         }
     ));
+
+    if has_default_keymint() {
+        assert!(authorizations
+            .iter()
+            .map(|auth| &auth.keyParameter)
+            .any(|key_param| key_param.tag == Tag::CREATION_DATETIME));
+    }
 }
 
 /// Get the key `Authorization` for the given auth `Tag`.
@@ -1400,6 +1416,32 @@ pub fn generate_key(
         assert!(key_metadata.certificate.is_some());
         if gen_params.iter().any(|kp| kp.tag == Tag::ATTESTATION_CHALLENGE) {
             assert!(key_metadata.certificateChain.is_some());
+            let mut cert_chain: Vec<u8> = Vec::new();
+            cert_chain.extend(key_metadata.certificate.as_ref().unwrap());
+            cert_chain.extend(key_metadata.certificateChain.as_ref().unwrap());
+            validate_certchain(&cert_chain).expect("Error while validating cert chain");
+        }
+
+        if let Some(challenge_param) =
+            gen_params.iter().find(|kp| kp.tag == Tag::ATTESTATION_CHALLENGE)
+        {
+            if let KeyParameterValue::Blob(val) = &challenge_param.value {
+                let att_challenge = get_value_from_attest_record(
+                    key_metadata.certificate.as_ref().unwrap(),
+                    challenge_param.tag,
+                    key_metadata.keySecurityLevel,
+                )
+                .expect("Attestation challenge verification failed.");
+                assert_eq!(&att_challenge, val);
+            }
+
+            let att_app_id = get_value_from_attest_record(
+                key_metadata.certificate.as_ref().unwrap(),
+                Tag::ATTESTATION_APPLICATION_ID,
+                SecurityLevel::KEYSTORE,
+            )
+            .expect("Attestation application id verification failed.");
+            assert!(!att_app_id.is_empty());
         }
     }
     check_key_authorizations(&key_metadata.authorizations, gen_params, KeyOrigin::GENERATED);
diff --git a/keystore2/tests/keystore2_client_authorizations_tests.rs b/keystore2/tests/keystore2_client_authorizations_tests.rs
index fe48acd6..9df9561a 100644
--- a/keystore2/tests/keystore2_client_authorizations_tests.rs
+++ b/keystore2/tests/keystore2_client_authorizations_tests.rs
@@ -21,8 +21,8 @@ use android_hardware_security_keymint::aidl::android::hardware::security::keymin
 };
 
 use android_system_keystore2::aidl::android::system::keystore2::{
-    IKeystoreSecurityLevel::IKeystoreSecurityLevel, KeyMetadata::KeyMetadata,
-    ResponseCode::ResponseCode,
+    Domain::Domain, IKeystoreSecurityLevel::IKeystoreSecurityLevel, KeyDescriptor::KeyDescriptor,
+    KeyMetadata::KeyMetadata, ResponseCode::ResponseCode,
 };
 
 use keystore2_test_utils::{
@@ -590,3 +590,41 @@ fn keystore2_gen_non_attested_key_auth_usage_count_limit() {
         false,
     );
 }
+
+/// Try to generate a key with `Tag::CREATION_DATETIME` set to valid value. Test should fail
+/// to generate a key with `INVALID_ARGUMENT` error as Keystore2 backend doesn't allow user to
+/// specify `CREATION_DATETIME`.
+#[test]
+fn keystore2_gen_key_auth_creation_date_time_test_fail_with_invalid_arg_error() {
+    let keystore2 = get_keystore_service();
+    let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+
+    let duration_since_epoch = SystemTime::now().duration_since(SystemTime::UNIX_EPOCH).unwrap();
+    let creation_datetime = duration_since_epoch.as_millis();
+    let gen_params = authorizations::AuthSetBuilder::new()
+        .no_auth_required()
+        .algorithm(Algorithm::EC)
+        .purpose(KeyPurpose::SIGN)
+        .purpose(KeyPurpose::VERIFY)
+        .digest(Digest::SHA_2_256)
+        .ec_curve(EcCurve::P_256)
+        .attestation_challenge(b"foo".to_vec())
+        .creation_date_time(creation_datetime.try_into().unwrap());
+
+    let alias = "ks_test_auth_tags_test";
+    let result = key_generations::map_ks_error(sec_level.generateKey(
+        &KeyDescriptor {
+            domain: Domain::APP,
+            nspace: -1,
+            alias: Some(alias.to_string()),
+            blob: None,
+        },
+        None,
+        &gen_params,
+        0,
+        b"entropy",
+    ));
+
+    assert!(result.is_err());
+    assert_eq!(Error::Rc(ResponseCode::INVALID_ARGUMENT), result.unwrap_err());
+}
diff --git a/keystore2/tests/keystore2_client_import_keys_tests.rs b/keystore2/tests/keystore2_client_import_keys_tests.rs
index 3d108fee..31d57a2f 100644
--- a/keystore2/tests/keystore2_client_import_keys_tests.rs
+++ b/keystore2/tests/keystore2_client_import_keys_tests.rs
@@ -37,9 +37,9 @@ use keystore2_test_utils::ffi_test_utils::{
 };
 
 use crate::keystore2_client_test_utils::{
-    encrypt_secure_key, encrypt_transport_key, has_default_keymint,
-    perform_sample_asym_sign_verify_op, perform_sample_hmac_sign_verify_op,
-    perform_sample_sym_key_decrypt_op, perform_sample_sym_key_encrypt_op, SAMPLE_PLAIN_TEXT,
+    encrypt_secure_key, encrypt_transport_key, perform_sample_asym_sign_verify_op,
+    perform_sample_hmac_sign_verify_op, perform_sample_sym_key_decrypt_op,
+    perform_sample_sym_key_encrypt_op, SAMPLE_PLAIN_TEXT,
 };
 
 pub fn import_rsa_sign_key_and_perform_sample_operation(
@@ -288,7 +288,7 @@ fn keystore2_rsa_import_key_with_multipurpose_fails_incompt_purpose_error() {
         key_generations::RSA_2048_KEY,
     ));
 
-    if has_default_keymint() {
+    if key_generations::has_default_keymint() {
         assert!(result.is_err());
         assert_eq!(Error::Km(ErrorCode::INCOMPATIBLE_PURPOSE), result.unwrap_err());
     } else {
diff --git a/keystore2/tests/keystore2_client_test_utils.rs b/keystore2/tests/keystore2_client_test_utils.rs
index f7e7985f..e76c64b8 100644
--- a/keystore2/tests/keystore2_client_test_utils.rs
+++ b/keystore2/tests/keystore2_client_test_utils.rs
@@ -104,12 +104,6 @@ macro_rules! skip_test_if_no_device_id_attestation_feature {
     };
 }
 
-/// Indicate whether the default device is KeyMint (rather than Keymaster).
-pub fn has_default_keymint() -> bool {
-    binder::is_declared("android.hardware.security.keymint.IKeyMintDevice/default")
-        .expect("Could not check for declared keymint interface")
-}
-
 /// Generate EC key and grant it to the list of users with given access vector.
 /// Returns the list of granted keys `nspace` values in the order of given grantee uids.
 pub fn generate_ec_key_and_grant_to_users(
author	Rajesh Nyamagoud <nyamagoud@google.com>	2023-06-01 17:22:32 +0000
committer	Rajesh Nyamagoud <nyamagoud@google.com>	2023-10-09 21:51:19 +0000
commit	5f6db2f4429b482a6fdb2e336de2c0b369cef3cb (patch)
tree	8549dc7d172a1699d2cc804591da016f3f1cb27d
parent	f436a9326c19134f6f7e0a06b7221f64915a6b4b (diff)
download	security-5f6db2f4429b482a6fdb2e336de2c0b369cef3cb.tar.gz