diff options
author | Rajesh Nyamagoud <nyamagoud@google.com> | 2023-06-06 01:39:44 +0000 |
---|---|---|
committer | Rajesh Nyamagoud <nyamagoud@google.com> | 2023-11-14 21:33:19 +0000 |
commit | b1c8e833920e45042f7ce1c167757b6e3f9e86c1 (patch) | |
tree | 5f4a6f44502b54082de6f8a53ea46a9ef5003bb8 /keystore2/test_utils | |
parent | 855f23300442c9647c460f35a8025d6fbdf53839 (diff) | |
download | security-b1c8e833920e45042f7ce1c167757b6e3f9e86c1.tar.gz |
Adding tests to verify Device-Unique-Attestation.
1. Test to verify Device-Unique-Attestation is not supported on
`TRUSTED_ENVIRONMENT` security level. Test shoould fail to generate a
key with device-unique-attestation with `INVALID_ARGUMENT` error code.
2. Generate EC/RSA keys with `DEVICE_UNIQUE_ATTESTATION` using `STRONGBOX`
security level. Test should generate akey and verify key
characteristics and cert-chain signatures. Test should be able to
perform an operation using the generated key successfully.
3. Try to generate a device unique attested key with attestation of
invalid device's identifiers. Test should fail to generate a key with
error code `CANNOT_ATTEST_IDS`.
4. Generate a device unique attested key with attestation of the
device's identifiers. Test should succeed in generating a attested
key with attestation of device identifiers. Test might fail on
devices which don't support device id attestation with error response
code `CANNOT_ATTEST_IDS`. Separate test is added for each attestation
id with RSA and EC keys.
Bug: 279721870
Test: atest keystore2_client_tests
Change-Id: I627a01dc44558a4393d14f9931b1708196ee6ff9
Diffstat (limited to 'keystore2/test_utils')
-rw-r--r-- | keystore2/test_utils/authorizations.rs | 9 | ||||
-rw-r--r-- | keystore2/test_utils/ffi_test_utils.rs | 14 | ||||
-rw-r--r-- | keystore2/test_utils/key_generations.rs | 7 |
3 files changed, 27 insertions, 3 deletions
diff --git a/keystore2/test_utils/authorizations.rs b/keystore2/test_utils/authorizations.rs index 02ceb83e..61260c78 100644 --- a/keystore2/test_utils/authorizations.rs +++ b/keystore2/test_utils/authorizations.rs @@ -335,6 +335,15 @@ impl AuthSetBuilder { self.0.push(KeyParameter { tag: Tag::APPLICATION_ID, value: KeyParameterValue::Blob(b) }); self } + + /// Set device-unique-attestation. + pub fn device_unique_attestation(mut self) -> Self { + self.0.push(KeyParameter { + tag: Tag::DEVICE_UNIQUE_ATTESTATION, + value: KeyParameterValue::BoolValue(true), + }); + self + } } impl Deref for AuthSetBuilder { diff --git a/keystore2/test_utils/ffi_test_utils.rs b/keystore2/test_utils/ffi_test_utils.rs index 5d6bf46e..1ccdcc81 100644 --- a/keystore2/test_utils/ffi_test_utils.rs +++ b/keystore2/test_utils/ffi_test_utils.rs @@ -50,7 +50,19 @@ mod ffi { /// Validate given certificate chain. pub fn validate_certchain(cert_buf: &[u8]) -> Result<bool, Error> { - if ffi::validateCertChain(cert_buf.to_vec(), cert_buf.len().try_into().unwrap(), true) { + validate_certchain_with_strict_issuer_check(cert_buf, true) +} + +/// Validate given certificate chain with an option to validate the issuer. +pub fn validate_certchain_with_strict_issuer_check( + cert_buf: &[u8], + strict_issuer_check: bool, +) -> Result<bool, Error> { + if ffi::validateCertChain( + cert_buf.to_vec(), + cert_buf.len().try_into().unwrap(), + strict_issuer_check, + ) { return Ok(true); } diff --git a/keystore2/test_utils/key_generations.rs b/keystore2/test_utils/key_generations.rs index badc4806..9ddc87aa 100644 --- a/keystore2/test_utils/key_generations.rs +++ b/keystore2/test_utils/key_generations.rs @@ -40,7 +40,7 @@ use android_system_keystore2::binder::{ExceptionCode, Result as BinderResult}; use crate::ffi_test_utils::{ get_os_patchlevel, get_os_version, get_value_from_attest_record, get_vendor_patchlevel, - validate_certchain, + validate_certchain_with_strict_issuer_check, }; /// Shell namespace. @@ -1426,7 +1426,10 @@ pub fn generate_key( let mut cert_chain: Vec<u8> = Vec::new(); cert_chain.extend(key_metadata.certificate.as_ref().unwrap()); cert_chain.extend(key_metadata.certificateChain.as_ref().unwrap()); - validate_certchain(&cert_chain).expect("Error while validating cert chain"); + let strict_issuer_check = + !(gen_params.iter().any(|kp| kp.tag == Tag::DEVICE_UNIQUE_ATTESTATION)); + validate_certchain_with_strict_issuer_check(&cert_chain, strict_issuer_check) + .expect("Error while validating cert chain"); } if let Some(challenge_param) = |