commit 126869a0097a4d87f9f7f5d514da7ee8f973e85c
author Max Bires <jbires@google.com> Sun Feb 21 18:32:59 2021 -0800
committer Max Bires <jbires@google.com> Sun Feb 21 18:38:08 2021 -0800
tree a74e868ac43aa6f9c6afb3d080e63df6f1be853b
parent c3325707a552b8b13a044fed1b5de2888f28f7cd

Fixing VTS tests after IKeyMint breakage

This CL re-enables the IRemotelyProvisionedComponent VTS tests after
updating the IRemotelyProvisionedComponent HAL to generate keys with
PURPOSE_ATTEST_KEY instead of PURPOSE_ATTEST_SIGN to match the new
PURPOSE_* functionality in KeyMint.

Test: atest VtsHalRemotelyProvisionedComponentTargetTest
Change-Id: I70c7918b460898d31e343c060ac07986271148a9

security/keymint/aidl/default/RemotelyProvisionedComponent.cpp

diff --git a/security/keymint/aidl/default/RemotelyProvisionedComponent.cpp b/security/keymint/aidl/default/RemotelyProvisionedComponent.cpp
index f2651fb..2373b26 100644
--- a/security/keymint/aidl/default/RemotelyProvisionedComponent.cpp
+++ b/security/keymint/aidl/default/RemotelyProvisionedComponent.cpp
@@ -259,8 +259,9 @@
 }
 
 static keymaster_key_param_t kKeyMintEcdsaP256Params[] = {
-        Authorization(TAG_PURPOSE, KM_PURPOSE_SIGN), Authorization(TAG_ALGORITHM, KM_ALGORITHM_EC),
-        Authorization(TAG_KEY_SIZE, 256), Authorization(TAG_DIGEST, KM_DIGEST_SHA_2_256),
+        Authorization(TAG_PURPOSE, KM_PURPOSE_ATTEST_KEY),
+        Authorization(TAG_ALGORITHM, KM_ALGORITHM_EC), Authorization(TAG_KEY_SIZE, 256),
+        Authorization(TAG_DIGEST, KM_DIGEST_SHA_2_256),
         Authorization(TAG_EC_CURVE, KM_EC_CURVE_P_256), Authorization(TAG_NO_AUTH_REQUIRED),
         // The certificate generated by KM will be discarded, these values don't matter.
         Authorization(TAG_CERTIFICATE_NOT_BEFORE, 0), Authorization(TAG_CERTIFICATE_NOT_AFTER, 0)};

security/keymint/aidl/vts/functional/VtsRemotelyProvisionedComponentTests.cpp

diff --git a/security/keymint/aidl/vts/functional/VtsRemotelyProvisionedComponentTests.cpp b/security/keymint/aidl/vts/functional/VtsRemotelyProvisionedComponentTests.cpp
index 45f9df6..db53a8f 100644
--- a/security/keymint/aidl/vts/functional/VtsRemotelyProvisionedComponentTests.cpp
+++ b/security/keymint/aidl/vts/functional/VtsRemotelyProvisionedComponentTests.cpp
@@ -80,7 +80,7 @@
 /**
  * Generate and validate a production-mode key.  MAC tag can't be verified.
  */
-TEST_P(GenerateKeyTests, DISABLED_generateEcdsaP256Key_prodMode) {
+TEST_P(GenerateKeyTests, generateEcdsaP256Key_prodMode) {
     MacedPublicKey macedPubKey;
     bytevec privateKeyBlob;
     bool testMode = false;
@@ -133,7 +133,7 @@
 /**
  * Generate and validate a test-mode key.
  */
-TEST_P(GenerateKeyTests, DISABLED_generateEcdsaP256Key_testMode) {
+TEST_P(GenerateKeyTests, generateEcdsaP256Key_testMode) {
     MacedPublicKey macedPubKey;
     bytevec privateKeyBlob;
     bool testMode = true;
@@ -224,7 +224,7 @@
  * Generate an empty certificate request in test mode, and decrypt and verify the structure and
  * content.
  */
-TEST_P(CertificateRequestTest, DISABLED_EmptyRequest_testMode) {
+TEST_P(CertificateRequestTest, EmptyRequest_testMode) {
     bool testMode = true;
     bytevec keysToSignMac;
     ProtectedData protectedData;
@@ -294,7 +294,7 @@
  * TODO(swillden): Get a valid GEEK and use it so the generation can succeed, though we won't be
  * able to decrypt.
  */
-TEST_P(CertificateRequestTest, DISABLED_EmptyRequest_prodMode) {
+TEST_P(CertificateRequestTest, EmptyRequest_prodMode) {
     bool testMode = false;
     bytevec keysToSignMac;
     ProtectedData protectedData;
@@ -309,7 +309,7 @@
 /**
  * Generate a non-empty certificate request in test mode.  Decrypt, parse and validate the contents.
  */
-TEST_P(CertificateRequestTest, DISABLED_NonEmptyRequest_testMode) {
+TEST_P(CertificateRequestTest, NonEmptyRequest_testMode) {
     bool testMode = true;
     generateKeys(testMode, 4 /* numKeys */);
 
@@ -379,7 +379,7 @@
  * TODO(swillden): Get a valid GEEK and use it so the generation can succeed, though we won't be
  * able to decrypt.
  */
-TEST_P(CertificateRequestTest, DISABLED_NonEmptyRequest_prodMode) {
+TEST_P(CertificateRequestTest, NonEmptyRequest_prodMode) {
     bool testMode = false;
     generateKeys(testMode, 4 /* numKeys */);
 
@@ -396,7 +396,7 @@
  * Generate a non-empty certificate request in test mode, with prod keys.  Must fail with
  * STATUS_PRODUCTION_KEY_IN_TEST_REQUEST.
  */
-TEST_P(CertificateRequestTest, DISABLED_NonEmptyRequest_prodKeyInTestCert) {
+TEST_P(CertificateRequestTest, NonEmptyRequest_prodKeyInTestCert) {
     generateKeys(false /* testMode */, 2 /* numKeys */);
 
     bytevec keysToSignMac;
@@ -414,7 +414,7 @@
  * Generate a non-empty certificate request in prod mode, with test keys.  Must fail with
  * STATUS_TEST_KEY_IN_PRODUCTION_REQUEST.
  */
-TEST_P(CertificateRequestTest, DISABLED_NonEmptyRequest_testKeyInProdCert) {
+TEST_P(CertificateRequestTest, NonEmptyRequest_testKeyInProdCert) {
     generateKeys(true /* testMode */, 2 /* numKeys */);
 
     bytevec keysToSignMac;