Identity Credential: Pass additional information to HAL.
Without this extra information passed upfront it's not practical to
implement a HAL which incrementally builds up cryptographically
authenticated data.
Two new methods are added to facilitate this and the HAL version
number is bumped to 2.
Bug: 154631410
Test: atest VtsHalIdentityTargetTest
Test: atest android.security.identity.cts
Change-Id: Iff63dfa2c4485c8768e06e7f6d70e940cfc8f68e
diff --git a/identity/aidl/vts/VtsHalIdentityEndToEndTest.cpp b/identity/aidl/vts/VtsHalIdentityEndToEndTest.cpp
index 8a4e8a7..807feab 100644
--- a/identity/aidl/vts/VtsHalIdentityEndToEndTest.cpp
+++ b/identity/aidl/vts/VtsHalIdentityEndToEndTest.cpp
@@ -112,6 +112,11 @@
// TODO: set it to something random and check it's in the cert chain
ASSERT_GE(attData.attestationCertificate.size(), 2);
+ // This is kinda of a hack but we need to give the size of
+ // ProofOfProvisioning that we'll expect to receive.
+ const int32_t expectedProofOfProvisioningSize = 262861 - 326 + readerCertificate.value().size();
+ // OK to fail, not available in v1 HAL
+ writableCredential->setExpectedProofOfProvisioningSize(expectedProofOfProvisioningSize);
ASSERT_TRUE(
writableCredential->startPersonalization(testProfiles.size(), testEntriesEntryCounts)
.isOk());
@@ -268,6 +273,8 @@
Certificate signingKeyCertificate;
ASSERT_TRUE(credential->generateSigningKeyPair(&signingKeyBlob, &signingKeyCertificate).isOk());
+ vector<RequestNamespace> requestedNamespaces = test_utils::buildRequestNamespaces(testEntries);
+ ASSERT_TRUE(credential->setRequestedNamespaces(requestedNamespaces).isOk());
ASSERT_TRUE(credential
->startRetrieval(secureProfiles.value(), authToken, itemsRequestBytes,
signingKeyBlob, sessionTranscriptBytes,
diff --git a/identity/aidl/vts/VtsIWritableIdentityCredentialTests.cpp b/identity/aidl/vts/VtsIWritableIdentityCredentialTests.cpp
index b68fbb5..724aaa1 100644
--- a/identity/aidl/vts/VtsIWritableIdentityCredentialTests.cpp
+++ b/identity/aidl/vts/VtsIWritableIdentityCredentialTests.cpp
@@ -279,14 +279,17 @@
EXPECT_TRUE(attData.result.isOk())
<< attData.result.exceptionCode() << "; " << attData.result.exceptionMessage() << endl;
- const vector<int32_t> entryCounts = {1u};
- writableCredential->startPersonalization(1, entryCounts);
- ASSERT_TRUE(result.isOk()) << result.exceptionCode() << "; " << result.exceptionMessage()
- << endl;
-
optional<vector<uint8_t>> readerCertificate1 = test_utils::GenerateReaderCertificate("123456");
ASSERT_TRUE(readerCertificate1);
+ const vector<int32_t> entryCounts = {1u};
+ size_t expectedPoPSize = 186 + readerCertificate1.value().size();
+ // OK to fail, not available in v1 HAL
+ writableCredential->setExpectedProofOfProvisioningSize(expectedPoPSize);
+ result = writableCredential->startPersonalization(1, entryCounts);
+ ASSERT_TRUE(result.isOk()) << result.exceptionCode() << "; " << result.exceptionMessage()
+ << endl;
+
const vector<test_utils::TestProfile> testProfiles = {{1, readerCertificate1.value(), true, 1}};
optional<vector<SecureAccessControlProfile>> secureProfiles =
@@ -374,7 +377,11 @@
{2, readerCertificate2.value(), true, 2},
};
const vector<int32_t> entryCounts = {1u, 3u, 1u, 1u, 2u};
- writableCredential->startPersonalization(testProfiles.size(), entryCounts);
+ size_t expectedPoPSize =
+ 525021 + readerCertificate1.value().size() + readerCertificate2.value().size();
+ // OK to fail, not available in v1 HAL
+ writableCredential->setExpectedProofOfProvisioningSize(expectedPoPSize);
+ result = writableCredential->startPersonalization(testProfiles.size(), entryCounts);
ASSERT_TRUE(result.isOk()) << result.exceptionCode() << "; " << result.exceptionMessage()
<< endl;
@@ -518,11 +525,6 @@
ASSERT_TRUE(attData.result.isOk())
<< attData.result.exceptionCode() << "; " << attData.result.exceptionMessage() << endl;
- const vector<int32_t> entryCounts = {2u, 2u};
- writableCredential->startPersonalization(3, entryCounts);
- ASSERT_TRUE(result.isOk()) << result.exceptionCode() << "; " << result.exceptionMessage()
- << endl;
-
optional<vector<uint8_t>> readerCertificate1 = test_utils::GenerateReaderCertificate("123456");
ASSERT_TRUE(readerCertificate1);
@@ -530,6 +532,16 @@
test_utils::GenerateReaderCertificate("123456987987987987987987");
ASSERT_TRUE(readerCertificate2);
+ const vector<int32_t> entryCounts = {2u, 2u};
+ size_t expectedPoPSize =
+ 377 + readerCertificate1.value().size() + readerCertificate2.value().size();
+ ;
+ // OK to fail, not available in v1 HAL
+ writableCredential->setExpectedProofOfProvisioningSize(expectedPoPSize);
+ writableCredential->startPersonalization(3, entryCounts);
+ ASSERT_TRUE(result.isOk()) << result.exceptionCode() << "; " << result.exceptionMessage()
+ << endl;
+
const vector<test_utils::TestProfile> testProfiles = {{0, readerCertificate1.value(), false, 0},
{1, readerCertificate2.value(), true, 1},
{2, {}, false, 0}};
diff --git a/identity/aidl/vts/VtsIdentityTestUtils.cpp b/identity/aidl/vts/VtsIdentityTestUtils.cpp
index 3aeebc6..48e47dc 100644
--- a/identity/aidl/vts/VtsIdentityTestUtils.cpp
+++ b/identity/aidl/vts/VtsIdentityTestUtils.cpp
@@ -176,4 +176,28 @@
}
}
+vector<RequestNamespace> buildRequestNamespaces(const vector<TestEntryData> entries) {
+ vector<RequestNamespace> ret;
+ RequestNamespace curNs;
+ for (const TestEntryData& testEntry : entries) {
+ if (testEntry.nameSpace != curNs.namespaceName) {
+ if (curNs.namespaceName.size() > 0) {
+ ret.push_back(curNs);
+ }
+ curNs.namespaceName = testEntry.nameSpace;
+ curNs.items.clear();
+ }
+
+ RequestDataItem item;
+ item.name = testEntry.name;
+ item.size = testEntry.valueCbor.size();
+ item.accessControlProfileIds = testEntry.profileIds;
+ curNs.items.push_back(item);
+ }
+ if (curNs.namespaceName.size() > 0) {
+ ret.push_back(curNs);
+ }
+ return ret;
+}
+
} // namespace android::hardware::identity::test_utils
diff --git a/identity/aidl/vts/VtsIdentityTestUtils.h b/identity/aidl/vts/VtsIdentityTestUtils.h
index 043ccd6..9e1f352 100644
--- a/identity/aidl/vts/VtsIdentityTestUtils.h
+++ b/identity/aidl/vts/VtsIdentityTestUtils.h
@@ -113,6 +113,8 @@
void SetImageData(vector<uint8_t>& image);
+vector<RequestNamespace> buildRequestNamespaces(const vector<TestEntryData> entries);
+
} // namespace android::hardware::identity::test_utils
#endif // VTS_IDENTITY_TEST_UTILS_H