author | Rajesh Nyamagoud <nyamagoud@google.com> | 2023-06-01 17:22:32 +0000 |
---|---|---|
committer | Rajesh Nyamagoud <nyamagoud@google.com> | 2023-10-09 21:51:19 +0000 |
commit | 5f6db2f4429b482a6fdb2e336de2c0b369cef3cb (patch) | |
tree | 8549dc7d172a1699d2cc804591da016f3f1cb27d | |
parent | f436a9326c19134f6f7e0a06b7221f64915a6b4b (diff) | |
download | security-5f6db2f4429b482a6fdb2e336de2c0b369cef3cb.tar.gz |
Changes are made in keystore-client-tests to verify CREATION_DATETIME,
ATTESTATION_CHALLENGE and ATTESTATION_APPLICATION_ID.
Bug: 279721870
Test: atest keystore2_client_tests
Change-Id: I2bf530189e41ede27763ef696ff9a126c4110e24
-rw-r--r-- | keystore2/test_utils/authorizations.rs | 9 | ||||
-rw-r--r-- | keystore2/test_utils/key_generations.rs | 46 | ||||
-rw-r--r-- | keystore2/tests/keystore2_client_authorizations_tests.rs | 42 | ||||
-rw-r--r-- | keystore2/tests/keystore2_client_import_keys_tests.rs | 8 | ||||
-rw-r--r-- | keystore2/tests/keystore2_client_test_utils.rs | 6 |
5 files changed, 97 insertions, 14 deletions
diff --git a/keystore2/test_utils/authorizations.rs b/keystore2/test_utils/authorizations.rs
index b73aab51..f50eca62 100644
--- a/keystore2/test_utils/authorizations.rs
+++ b/keystore2/test_utils/authorizations.rs
@@ -305,6 +305,15 @@ impl AuthSetBuilder {
 });
 self
 }
+
+ /// Set creation date-time.
+ pub fn creation_date_time(mut self, date: i64) -> Self {
+ self.0.push(KeyParameter {
+ tag: Tag::CREATION_DATETIME,
+ value: KeyParameterValue::DateTime(date),
+ });
+ self
+ }
 }
 
 impl Deref for AuthSetBuilder {
diff --git a/keystore2/test_utils/key_generations.rs b/keystore2/test_utils/key_generations.rs
index ccf27bc6..0ffc32af 100644
--- a/keystore2/test_utils/key_generations.rs
+++ b/keystore2/test_utils/key_generations.rs
@@ -26,7 +26,7 @@ use android_hardware_security_keymint::aidl::android::hardware::security::keymin
 Algorithm::Algorithm, BlockMode::BlockMode, Digest::Digest, EcCurve::EcCurve,
 ErrorCode::ErrorCode, HardwareAuthenticatorType::HardwareAuthenticatorType,
 KeyOrigin::KeyOrigin, KeyParameter::KeyParameter, KeyParameterValue::KeyParameterValue,
- KeyPurpose::KeyPurpose, PaddingMode::PaddingMode, Tag::Tag,
+ KeyPurpose::KeyPurpose, PaddingMode::PaddingMode, SecurityLevel::SecurityLevel, Tag::Tag,
 };
 use android_system_keystore2::aidl::android::system::keystore2::{
 AuthenticatorSpec::AuthenticatorSpec, Authorization::Authorization,
@@ -38,7 +38,10 @@ use android_system_keystore2::aidl::android::system::keystore2::{
 use crate::authorizations::AuthSetBuilder;
 use android_system_keystore2::binder::{ExceptionCode, Result as BinderResult};
 
-use crate::ffi_test_utils::{get_os_patchlevel, get_os_version, get_vendor_patchlevel};
+use crate::ffi_test_utils::{
+ get_os_patchlevel, get_os_version, get_value_from_attest_record, get_vendor_patchlevel,
+ validate_certchain,
+};
 
 /// Shell namespace.
 pub const SELINUX_SHELL_NAMESPACE: i64 = 1;
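Review bot: The doc comment on the new `creation_date_time` builder, `/// Set creation date-time.`, does not say what unit or epoch `date` is expressed in, even though the value goes straight into `KeyParameterValue::DateTime` and is later compared by the backend. The test added in keystore2_client_authorizations_tests.rs in this same commit passes `duration_since_epoch.as_millis()` converted to `i64`, so the helper presumably expects milliseconds since the Unix epoch — confirm against the KeyMint definition of `Tag::CREATION_DATETIME`. Suggested wording: `/// Set creation date-time; date is milliseconds since the Unix epoch, as carried by Tag::CREATION_DATETIME.`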
@@ -388,6 +391,12 @@ pub fn map_ks_error<T>(r: BinderResult<T>) -> Result<T, Error> {
 })
 }
 
+/// Indicate whether the default device is KeyMint (rather than Keymaster).
+pub fn has_default_keymint() -> bool {
+ binder::is_declared("android.hardware.security.keymint.IKeyMintDevice/default")
+ .expect("Could not check for declared keymint interface")
+}
+
 /// Verify that given key param is listed in given authorizations list.
 pub fn check_key_param(authorizations: &[Authorization], key_param: &KeyParameter) -> bool {
 authorizations.iter().any(|auth| &auth.keyParameter == key_param)
@@ -468,6 +477,13 @@ fn check_common_auths(authorizations: &[Authorization], expected_key_origin: Key
 )
 }
 ));
+
+ if has_default_keymint() {
+ assert!(authorizations
+ .iter()
+ .map(|auth| &auth.keyParameter)
+ .any(|key_param| key_param.tag == Tag::CREATION_DATETIME));
+ }
 }
 
 /// Get the key `Authorization` for the given auth `Tag`.
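Review bot: `has_default_keymint` is moved into key_generations.rs with a bare `binder::is_declared(...)` path, but the only binder import visible in this file's hunks (@@ -38,7 +38,10) reaches it as `android_system_keystore2::binder`; whether the `binder` crate is a direct dependency of the test_utils crate is not visible here, so confirm that the path resolves — otherwise `android_system_keystore2::binder::is_declared(...)` would be the safe spelling. The `.expect(...)` on the service-manager query turns a transient binder failure into a panic, which is acceptable for a test helper but worth saying in the doc comment, e.g. `/// Panics if the service manager cannot be queried.`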
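Review bot: The new check in `check_common_auths` (hunk @@ -468,6 +477,13) only asserts that a `Tag::CREATION_DATETIME` parameter is present when the default device is KeyMint; it never looks at the value, so a backend that stamps 0 or a stale timestamp would pass even though the commit description says the tests "verify CREATION_DATETIME". Suggest matching the parameter as `KeyParameterValue::DateTime(t)` and asserting a plausibility bound on `t` — at minimum that it is positive and not later than the caller's current clock in milliseconds — so the value is checked, not just the tag. `check_common_auths` begins before this hunk, so the exact place to read the clock is outside the visible lines.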
@@ -1400,6 +1416,32 @@ pub fn generate_key(
 assert!(key_metadata.certificate.is_some());
 if gen_params.iter().any(|kp| kp.tag == Tag::ATTESTATION_CHALLENGE) {
 assert!(key_metadata.certificateChain.is_some());
+ let mut cert_chain: Vec<u8> = Vec::new();
+ cert_chain.extend(key_metadata.certificate.as_ref().unwrap());
+ cert_chain.extend(key_metadata.certificateChain.as_ref().unwrap());
+ validate_certchain(&cert_chain).expect("Error while validating cert chain");
+ }
+
+ if let Some(challenge_param) =
+ gen_params.iter().find(|kp| kp.tag == Tag::ATTESTATION_CHALLENGE)
+ {
+ if let KeyParameterValue::Blob(val) = &challenge_param.value {
+ let att_challenge = get_value_from_attest_record(
+ key_metadata.certificate.as_ref().unwrap(),
+ challenge_param.tag,
+ key_metadata.keySecurityLevel,
+ )
+ .expect("Attestation challenge verification failed.");
+ assert_eq!(&att_challenge, val);
+ }
+
+ let att_app_id = get_value_from_attest_record(
+ key_metadata.certificate.as_ref().unwrap(),
+ Tag::ATTESTATION_APPLICATION_ID,
+ SecurityLevel::KEYSTORE,
+ )
+ .expect("Attestation application id verification failed.");
+ assert!(!att_app_id.is_empty());
 }
 }
 check_key_authorizations(&key_metadata.authorizations, gen_params, KeyOrigin::GENERATED);
diff --git a/keystore2/tests/keystore2_client_authorizations_tests.rs b/keystore2/tests/keystore2_client_authorizations_tests.rs
index fe48acd6..9df9561a 100644
--- a/keystore2/tests/keystore2_client_authorizations_tests.rs
+++ b/keystore2/tests/keystore2_client_authorizations_tests.rs
@@ -21,8 +21,8 @@ use android_hardware_security_keymint::aidl::android::hardware::security::keymin
 };
 
 use android_system_keystore2::aidl::android::system::keystore2::{
- IKeystoreSecurityLevel::IKeystoreSecurityLevel, KeyMetadata::KeyMetadata,
- ResponseCode::ResponseCode,
+ Domain::Domain, IKeystoreSecurityLevel::IKeystoreSecurityLevel, KeyDescriptor::KeyDescriptor,
+ KeyMetadata::KeyMetadata, ResponseCode::ResponseCode,
 };
 
 use keystore2_test_utils::{
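Review bot: In `generate_key` the challenge comparison is wrapped in `if let KeyParameterValue::Blob(val) = &challenge_param.value { ... }` with no else branch, so a caller that supplies `ATTESTATION_CHALLENGE` with any other value type silently skips the attestation-record check and the helper still reports success; a verification helper should fail loudly there, e.g. `} else { panic!("ATTESTATION_CHALLENGE must be a Blob parameter"); }`. The `gen_params.iter().any(...)` guard and the following `gen_params.iter().find(...)` look up the same tag twice; the chain-validation lines could move inside the `if let Some(challenge_param)` block so there is one lookup and one place where the attestation path is checked. The `ATTESTATION_APPLICATION_ID` assertion only proves the field is non-empty at `SecurityLevel::KEYSTORE`; whether the test harness can decode it to confirm it names the calling package is not visible here, so treat that as a possible follow-up rather than a defect. `generate_key` begins and ends outside this hunk.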
@@ -590,3 +590,41 @@ fn keystore2_gen_non_attested_key_auth_usage_count_limit() {
 false,
 );
 }
+
+/// Try to generate a key with `Tag::CREATION_DATETIME` set to valid value. Test should fail
+/// to generate a key with `INVALID_ARGUMENT` error as Keystore2 backend doesn't allow user to
+/// specify `CREATION_DATETIME`.
+#[test]
+fn keystore2_gen_key_auth_creation_date_time_test_fail_with_invalid_arg_error() {
+ let keystore2 = get_keystore_service();
+ let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+
+ let duration_since_epoch = SystemTime::now().duration_since(SystemTime::UNIX_EPOCH).unwrap();
+ let creation_datetime = duration_since_epoch.as_millis();
+ let gen_params = authorizations::AuthSetBuilder::new()
+ .no_auth_required()
+ .algorithm(Algorithm::EC)
+ .purpose(KeyPurpose::SIGN)
+ .purpose(KeyPurpose::VERIFY)
+ .digest(Digest::SHA_2_256)
+ .ec_curve(EcCurve::P_256)
+ .attestation_challenge(b"foo".to_vec())
+ .creation_date_time(creation_datetime.try_into().unwrap());
+
+ let alias = "ks_test_auth_tags_test";
+ let result = key_generations::map_ks_error(sec_level.generateKey(
+ &KeyDescriptor {
+ domain: Domain::APP,
+ nspace: -1,
+ alias: Some(alias.to_string()),
+ blob: None,
+ },
+ None,
+ &gen_params,
+ 0,
+ b"entropy",
+ ));
+
+ assert!(result.is_err());
+ assert_eq!(Error::Rc(ResponseCode::INVALID_ARGUMENT), result.unwrap_err());
+}
diff --git a/keystore2/tests/keystore2_client_import_keys_tests.rs b/keystore2/tests/keystore2_client_import_keys_tests.rs
index 3d108fee..31d57a2f 100644
--- a/keystore2/tests/keystore2_client_import_keys_tests.rs
+++ b/keystore2/tests/keystore2_client_import_keys_tests.rs
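Review bot: The new test calls `SystemTime::now()` and `SystemTime::UNIX_EPOCH`, but the import hunk for this file (@@ -21,8 +21,8) adds only `Domain` and `KeyDescriptor`; unless `std::time::SystemTime` is already imported earlier in the file, which is not visible here, the test will not compile — confirm. The doc comment should also read as a contract rather than a narrative; suggested: `/// Try to generate a key with Tag::CREATION_DATETIME set to a valid value. Generation must fail with INVALID_ARGUMENT because the Keystore2 backend does not allow callers to specify CREATION_DATETIME.` The `creation_datetime.try_into().unwrap()` conversion from `u128` milliseconds to `i64` cannot realistically overflow, so the unwrap is fine, but a short comment such as `// millis since epoch fits in i64` would save the next reader the check.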
@@ -37,9 +37,9 @@ use keystore2_test_utils::ffi_test_utils::{
 };
 
 use crate::keystore2_client_test_utils::{
- encrypt_secure_key, encrypt_transport_key, has_default_keymint,
- perform_sample_asym_sign_verify_op, perform_sample_hmac_sign_verify_op,
- perform_sample_sym_key_decrypt_op, perform_sample_sym_key_encrypt_op, SAMPLE_PLAIN_TEXT,
+ encrypt_secure_key, encrypt_transport_key, perform_sample_asym_sign_verify_op,
+ perform_sample_hmac_sign_verify_op, perform_sample_sym_key_decrypt_op,
+ perform_sample_sym_key_encrypt_op, SAMPLE_PLAIN_TEXT,
 };
 
 pub fn import_rsa_sign_key_and_perform_sample_operation(
@@ -288,7 +288,7 @@ fn keystore2_rsa_import_key_with_multipurpose_fails_incompt_purpose_error() {
 key_generations::RSA_2048_KEY,
 ));
 
- if has_default_keymint() {
+ if key_generations::has_default_keymint() {
 assert!(result.is_err());
 assert_eq!(Error::Km(ErrorCode::INCOMPATIBLE_PURPOSE), result.unwrap_err());
 } else {
diff --git a/keystore2/tests/keystore2_client_test_utils.rs b/keystore2/tests/keystore2_client_test_utils.rs
index f7e7985f..e76c64b8 100644
--- a/keystore2/tests/keystore2_client_test_utils.rs
+++ b/keystore2/tests/keystore2_client_test_utils.rs
@@ -104,12 +104,6 @@ macro_rules! skip_test_if_no_device_id_attestation_feature {
 };
 }
 
-/// Indicate whether the default device is KeyMint (rather than Keymaster).
-pub fn has_default_keymint() -> bool {
- binder::is_declared("android.hardware.security.keymint.IKeyMintDevice/default")
- .expect("Could not check for declared keymint interface")
-}
-
 /// Generate EC key and grant it to the list of users with given access vector.
 /// Returns the list of granted keys `nspace` values in the order of given grantee uids.
 pub fn generate_ec_key_and_grant_to_users( |