author | Rajesh Nyamagoud <nyamagoud@google.com> | 2024-02-01 04:45:41 +0000 |
---|---|---|
committer | Rajesh Nyamagoud <nyamagoud@google.com> | 2024-02-19 20:24:47 +0000 |
commit | 7620921a7f5ea7dcbb810573828ebf2efaece521 (patch) | |
tree | 6fac9a57b5996e19afc97b49d700c4a03a97a88a /keystore2/test_utils/key_generations.rs | |
parent | 53d2763a23872f63657d01b3d6df9777245e4d3c (diff) | |
Fixes for the issues found while running Keystore2 client tests on a
device with keymaster implementation.
- Ignore INVALID tag in generated key characteristics if keymaster
implementation is present.
- RSA_OAEP_MGF_DIGEST, ATTEST_KEY, USAGE_COUNT_LIMIT are not expected in
generated key characteristics if keymaster implementation is present.
- Corrected device attest ids names.
- Skip device ID attestation on a device that runs a GSI image and has a
first_api_level of less than 34.
- When the DEVICE_UNIQUE_ATTESTATION tag is used in key generation,
root certificate signature verification is ignored during cert-chain
verification.
Bug: 322118247
Test: atest keystore2_client_tests
Change-Id: I42d339a7797114d9139c64bc4d397889b965cb48
Diffstat (limited to 'keystore2/test_utils/key_generations.rs')
-rw-r--r-- | keystore2/test_utils/key_generations.rs | 20 |
1 files changed, 20 insertions, 0 deletions
diff --git a/keystore2/test_utils/key_generations.rs b/keystore2/test_utils/key_generations.rs
index 9ddc87aa..a733be39 100644
--- a/keystore2/test_utils/key_generations.rs
+++ b/keystore2/test_utils/key_generations.rs
@@ -410,6 +410,11 @@ pub fn check_key_authorizations(
 ) {
 // Make sure key authorizations contains only `ALLOWED_TAGS_IN_KEY_AUTHS`
 authorizations.iter().all(|auth| {
+ // Ignore `INVALID` tag if the backend is Keymaster and not KeyMint.
+ // Keymaster allows INVALID tag for unsupported key parameters.
+ if !has_default_keymint() && auth.keyParameter.tag == Tag::INVALID {
+ return true;
+ }
 assert!(
 ALLOWED_TAGS_IN_KEY_AUTHS.contains(&auth.keyParameter.tag),
 "key authorization is not allowed: {:#?}",
@@ -427,6 +432,21 @@ pub fn check_key_authorizations(
 {
 return true;
 }
+
+ // Ignore below parameters if the backend is Keymaster and not KeyMint.
+ // Keymaster does not support these parameters. These key parameters are introduced in
+ // KeyMint1.0.
+ if !has_default_keymint() {
+ if matches!(key_param.tag, Tag::RSA_OAEP_MGF_DIGEST | Tag::USAGE_COUNT_LIMIT) {
+ return true;
+ }
+ if key_param.tag == Tag::PURPOSE
+ && key_param.value == KeyParameterValue::KeyPurpose(KeyPurpose::ATTEST_KEY)
+ {
+ return true;
+ }
+ }
+
+ if ALLOWED_TAGS_IN_KEY_AUTHS.contains(&key_param.tag) {
 assert!(
 check_key_param(authorizations, key_param), |
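Review bot: `has_default_keymint()` is evaluated inside the `authorizations.iter().all(...)` closure, once per authorization, and again per expected parameter in the second hunk. What the helper costs is not visible here, but its answer presumably cannot change within one call, so it reads better hoisted: `let keymint = has_default_keymint();` before the first iteration, then `if !keymint && auth.keyParameter.tag == Tag::INVALID {` in the closure. The exemption is also unconditional on Keymaster, so any number of `INVALID` entries pass silently; a comment naming which unsupported parameters are expected to surface as `INVALID` would keep the relaxation reviewable. The function signature and the end of the closure are outside the hunk.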
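Review bot: The Keymaster branch returns `true` for `RSA_OAEP_MGF_DIGEST`, `USAGE_COUNT_LIMIT` and `PURPOSE` = `ATTEST_KEY` without consulting `authorizations`, so the check passes both when the backend omits the parameter and when it reports the tag with a value other than the one requested. If the intent is only to tolerate absence, the skip can be narrowed to that case for the two plain tags, e.g. `if matches!(key_param.tag, Tag::RSA_OAEP_MGF_DIGEST | Tag::USAGE_COUNT_LIMIT) && !authorizations.iter().any(|a| a.keyParameter.tag == key_param.tag) { return true; }`, letting a tag that is present fall through to `check_key_param`. A requested usage-count limit that the backend drops presumably leaves the key without that limit, so tests that rely on it should probably be skipped on these devices rather than pass here; the callers and the rest of the closure are outside this hunk, so this needs confirming there.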