diff options
author | Rajesh Nyamagoud <nyamagoud@google.com> | 2023-02-06 21:00:11 +0000 |
---|---|---|
committer | Rajesh Nyamagoud <nyamagoud@google.com> | 2023-02-20 23:56:53 +0000 |
commit | 2249b2d2506476636f6351bf4daad09e44eb9fb6 (patch) | |
tree | 4ece4c466bb5f36ec457176278321f815d9e77ba /keystore2/tests | |
parent | 3f5694a01cef5b9a5bc6682834c474827169db2f (diff) | |
download | security-2249b2d2506476636f6351bf4daad09e44eb9fb6.tar.gz |
Adding tests to update cert-chain or public key of the non existing
keystore entry using `updateSubcomponent` API.
1. Try to update only the certificate-chain of the non existing
asymmetric key, test should succeed in creating a new keystore
entry with the given certificate-chain only.
2. Try to update only the public key of the non existing asymmetric
key, test should fail to update non-existing key certificate with
error response `KEY_NOT_FOUND`.
Bug: 267183713
Test: atest keystore2_client_tests
Change-Id: Iaf5c9b0e29eb59873493b330c0f1d36ec8337f88
Diffstat (limited to 'keystore2/tests')
-rw-r--r-- | keystore2/tests/keystore2_client_update_subcomponent_tests.rs | 65 |
1 files changed, 65 insertions, 0 deletions
diff --git a/keystore2/tests/keystore2_client_update_subcomponent_tests.rs b/keystore2/tests/keystore2_client_update_subcomponent_tests.rs index c987f226..0be092f8 100644 --- a/keystore2/tests/keystore2_client_update_subcomponent_tests.rs +++ b/keystore2/tests/keystore2_client_update_subcomponent_tests.rs @@ -80,6 +80,71 @@ fn keystore2_update_subcomponent_fail() { assert_eq!(Error::Rc(ResponseCode::KEY_NOT_FOUND), result.unwrap_err()); } +/// Try to update non-existing asymmetric key public cert only. Test should fail +/// to update with error response code `KEY_NOT_FOUND`. +#[test] +fn keystore2_update_subcomponent_no_key_entry_cert_fail() { + let alias = "update_no_key_entry_cert_only_component_fail_key"; + let keystore2 = get_keystore_service(); + let other_cert: [u8; 32] = [123; 32]; + + let result = key_generations::map_ks_error(keystore2.updateSubcomponent( + &KeyDescriptor { + domain: Domain::APP, + nspace: -1, + alias: Some(alias.to_string()), + blob: None, + }, + Some(&other_cert), + None, + )); + assert!(result.is_err()); + assert_eq!(Error::Rc(ResponseCode::KEY_NOT_FOUND), result.unwrap_err()); +} + +/// Try to update non existing key with the only given certificate-chain, test should succeed +/// in creating a new keystore entry with the given certificate-chain. +#[test] +fn keystore2_update_subcomponent_no_key_entry_cert_chain_success() { + let alias = "update_no_key_entry_cert_chain_only_component_success"; + let keystore2 = get_keystore_service(); + let cert_entries = + vec![(Domain::SELINUX, key_generations::SELINUX_SHELL_NAMESPACE), (Domain::APP, -1)]; + let other_cert_chain: [u8; 32] = [12; 32]; + + for (domain, nspace) in cert_entries { + keystore2 + .updateSubcomponent( + &KeyDescriptor { domain, nspace, alias: Some(alias.to_string()), blob: None }, + None, + Some(&other_cert_chain), + ) + .expect("updateSubcomponent should have succeeded."); + + let key_entry_response = keystore2 + .getKeyEntry(&KeyDescriptor { + domain, + nspace, + alias: Some(alias.to_string()), + blob: None, + }) + .unwrap(); + assert_eq!(Some(other_cert_chain.to_vec()), key_entry_response.metadata.certificateChain); + assert!(key_entry_response.metadata.certificate.is_none(), "Unexpected certificate entry"); + assert!(key_entry_response.metadata.authorizations.is_empty(), "Unexpected authorizations"); + assert_eq!(key_entry_response.metadata.keySecurityLevel, SecurityLevel::SOFTWARE); + + keystore2 + .deleteKey(&KeyDescriptor { + domain, + nspace, + alias: Some(alias.to_string()), + blob: None, + }) + .unwrap(); + } +} + /// Generate a key and grant it to two users. For one user grant it with only `GET_INFO` access /// permission and for another user grant it with GET_INFO and UPDATE access permissions. In a /// grantee context where key is granted with only GET_INFO access permission, try to update |