authorRajesh Nyamagoud <nyamagoud@google.com>2023-06-06 01:39:44 +0000
committerRajesh Nyamagoud <nyamagoud@google.com>2023-11-14 21:33:19 +0000
commitb1c8e833920e45042f7ce1c167757b6e3f9e86c1 (patch)
tree5f4a6f44502b54082de6f8a53ea46a9ef5003bb8 /keystore2/test_utils
parent855f23300442c9647c460f35a8025d6fbdf53839 (diff)
Adding tests to verify Device-Unique-Attestation.
1. Test to verify Device-Unique-Attestation is not supported on `TRUSTED_ENVIRONMENT` security level. Test should fail to generate a key with device-unique-attestation with `INVALID_ARGUMENT` error code. 2. Generate EC/RSA keys with `DEVICE_UNIQUE_ATTESTATION` using `STRONGBOX` security level. Test should generate a key and verify key characteristics and cert-chain signatures. Test should be able to perform an operation using the generated key successfully. 3. Try to generate a device unique attested key with attestation of invalid device identifiers. Test should fail to generate a key with error code `CANNOT_ATTEST_IDS`. 4. Generate a device unique attested key with attestation of the device's identifiers. Test should succeed in generating an attested key with attestation of device identifiers. Test might fail on devices which don't support device id attestation with error response code `CANNOT_ATTEST_IDS`. Separate test is added for each attestation id with RSA and EC keys. Bug: 279721870 Test: atest keystore2_client_tests Change-Id: I627a01dc44558a4393d14f9931b1708196ee6ff9
Diffstat (limited to 'keystore2/test_utils')
-rw-r--r--keystore2/test_utils/authorizations.rs9
-rw-r--r--keystore2/test_utils/ffi_test_utils.rs14
-rw-r--r--keystore2/test_utils/key_generations.rs7
3 files changed, 27 insertions, 3 deletions
diff --git a/keystore2/test_utils/authorizations.rs b/keystore2/test_utils/authorizations.rs
index 02ceb83e..61260c78 100644
--- a/keystore2/test_utils/authorizations.rs
+++ b/keystore2/test_utils/authorizations.rs
@@ -335,6 +335,15 @@ impl AuthSetBuilder {
self.0.push(KeyParameter { tag: Tag::APPLICATION_ID, value: KeyParameterValue::Blob(b) });
self
}
+
+ /// Set device-unique-attestation.
+ pub fn device_unique_attestation(mut self) -> Self {
+ self.0.push(KeyParameter {
+ tag: Tag::DEVICE_UNIQUE_ATTESTATION,
+ value: KeyParameterValue::BoolValue(true),
+ });
+ self
+ }
}
impl Deref for AuthSetBuilder {
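Review bot: The doc comment on `device_unique_attestation` says only that it sets the tag, which hides two things a test author needs to know. Per the commit description, generation with this tag is expected to succeed only at the `STRONGBOX` security level and to fail with `INVALID_ARGUMENT` on `TRUSTED_ENVIRONMENT`. In this same commit `generate_key` also relaxes the certificate-chain issuer check whenever the tag is present. I would extend the comment to something like `/// Request device-unique attestation (StrongBox only); generate_key() then validates the chain without the strict issuer check.` The `impl AuthSetBuilder` block starts outside the hunk.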
diff --git a/keystore2/test_utils/ffi_test_utils.rs b/keystore2/test_utils/ffi_test_utils.rs
index 5d6bf46e..1ccdcc81 100644
--- a/keystore2/test_utils/ffi_test_utils.rs
+++ b/keystore2/test_utils/ffi_test_utils.rs
@@ -50,7 +50,19 @@ mod ffi {
/// Validate given certificate chain.
pub fn validate_certchain(cert_buf: &[u8]) -> Result<bool, Error> {
- if ffi::validateCertChain(cert_buf.to_vec(), cert_buf.len().try_into().unwrap(), true) {
+ validate_certchain_with_strict_issuer_check(cert_buf, true)
+}
+
+/// Validate given certificate chain with an option to validate the issuer.
+pub fn validate_certchain_with_strict_issuer_check(
+ cert_buf: &[u8],
+ strict_issuer_check: bool,
+) -> Result<bool, Error> {
+ if ffi::validateCertChain(
+ cert_buf.to_vec(),
+ cert_buf.len().try_into().unwrap(),
+ strict_issuer_check,
+ ) {
return Ok(true);
}
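Review bot: The doc comment on `validate_certchain_with_strict_issuer_check` does not say what passing `false` leaves unverified, and a bare `bool` that weakens chain validation is easy to get wrong at a call site. Please document which checks still run when `strict_issuer_check` is false and that the relaxed mode is meant for device-unique attestation chains only, for example `/// With strict_issuer_check == false the issuer check is relaxed; use only for DEVICE_UNIQUE_ATTESTATION chains.` Separately, `cert_buf.len().try_into().unwrap()` panics on an oversized buffer in a function that already returns `Result`; mapping the conversion failure into the function's `Error` would be more consistent. The function body continues past the end of the hunk.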
diff --git a/keystore2/test_utils/key_generations.rs b/keystore2/test_utils/key_generations.rs
index badc4806..9ddc87aa 100644
--- a/keystore2/test_utils/key_generations.rs
+++ b/keystore2/test_utils/key_generations.rs
@@ -40,7 +40,7 @@ use android_system_keystore2::binder::{ExceptionCode, Result as BinderResult};
use crate::ffi_test_utils::{
get_os_patchlevel, get_os_version, get_value_from_attest_record, get_vendor_patchlevel,
- validate_certchain,
+ validate_certchain_with_strict_issuer_check,
};
/// Shell namespace.
@@ -1426,7 +1426,10 @@ pub fn generate_key(
let mut cert_chain: Vec<u8> = Vec::new();
cert_chain.extend(key_metadata.certificate.as_ref().unwrap());
cert_chain.extend(key_metadata.certificateChain.as_ref().unwrap());
- validate_certchain(&cert_chain).expect("Error while validating cert chain");
+ let strict_issuer_check =
+ !(gen_params.iter().any(|kp| kp.tag == Tag::DEVICE_UNIQUE_ATTESTATION));
+ validate_certchain_with_strict_issuer_check(&cert_chain, strict_issuer_check)
+ .expect("Error while validating cert chain");
}
if let Some(challenge_param) =
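Review bot: `strict_issuer_check` is derived only from whether `Tag::DEVICE_UNIQUE_ATTESTATION` appears in `gen_params`, so the caller's request decides how strictly the chain is validated, not the returned chain or the security level. Any future test that passes the tag gets the weaker validation silently, and nothing at this site explains why. I would add a comment above the binding such as `// Device-unique attestation chains presumably do not satisfy the strict issuer check; relax it only for them.` If the security level is available in `generate_key`, consider also requiring it to be `STRONGBOX` before relaxing. As a style point, the outer parentheses in `!(gen_params.iter().any(..))` are redundant; `generate_key` begins and ends outside the hunk.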