KeyMint vts: Correct the EC curve parameter and some return code
Strongbox doens't support p-224. Change the curve to p-256 for better
compatibility.
Also update the tags to be filtered on the hw-enforcement list.
Bug: 186735514
Test: VtsAidlKeyMintTargetTest
Change-Id: I3f587c5471ca68b88a565ee9ec2e27d1e9e11b17
Merged-In: Ia8eb4c8e28810de5f37295abd8baed6f01b19a3c
diff --git a/security/keymint/aidl/android/hardware/security/keymint/IKeyMintDevice.aidl b/security/keymint/aidl/android/hardware/security/keymint/IKeyMintDevice.aidl
index b6af813..9cc795d 100644
--- a/security/keymint/aidl/android/hardware/security/keymint/IKeyMintDevice.aidl
+++ b/security/keymint/aidl/android/hardware/security/keymint/IKeyMintDevice.aidl
@@ -318,10 +318,11 @@
* @param attestationKey, if provided, specifies the key that must be used to sign the
* attestation certificate. If `keyParams` does not contain a Tag::ATTESTATION_CHALLENGE
* but `attestationKey` is non-null, the IKeyMintDevice must return
- * ErrorCode::INVALID_ARGUMENT. If the provided AttestationKey does not contain a key
- * blob containing an asymmetric key with KeyPurpose::ATTEST_KEY, the IKeyMintDevice must
- * return ErrorCode::INCOMPATIBLE_PURPOSE. If the provided AttestationKey has an empty
- * issuer subject name, the IKeyMintDevice must return ErrorCode::INVALID_ARGUMENT.
+ * ErrorCode::ATTESTATION_CHALLENGE_MISSING. If the provided AttestationKey does not
+ * contain a key blob containing an asymmetric key with KeyPurpose::ATTEST_KEY, the
+ * IKeyMintDevice must return ErrorCode::INCOMPATIBLE_PURPOSE. If the provided
+ * AttestationKey has an empty issuer subject name, the IKeyMintDevice must return
+ * ErrorCode::INVALID_ARGUMENT.
*
* If `attestationKey` is null and `keyParams` contains Tag::ATTESTATION_CHALLENGE but
* the KeyMint implementation does not have factory-provisioned attestation keys, it must
diff --git a/security/keymint/aidl/vts/functional/AttestKeyTest.cpp b/security/keymint/aidl/vts/functional/AttestKeyTest.cpp
index 881354d..e4a877c 100644
--- a/security/keymint/aidl/vts/functional/AttestKeyTest.cpp
+++ b/security/keymint/aidl/vts/functional/AttestKeyTest.cpp
@@ -361,7 +361,7 @@
EXPECT_EQ(ErrorCode::OK,
GenerateKey(AuthorizationSetBuilder()
- .EcdsaSigningKey(224)
+ .EcdsaSigningKey(EcCurve::P_256)
.AttestKey()
.AttestationChallenge("foo")
.AttestationApplicationId("bar")
@@ -435,7 +435,7 @@
if ((i & 0x1) == 1) {
EXPECT_EQ(ErrorCode::OK,
GenerateKey(AuthorizationSetBuilder()
- .EcdsaSigningKey(224)
+ .EcdsaSigningKey(EcCurve::P_256)
.AttestKey()
.AttestationChallenge("foo")
.AttestationApplicationId("bar")
@@ -513,7 +513,7 @@
vector<uint8_t> attested_key_blob;
vector<KeyCharacteristics> attested_key_characteristics;
vector<Certificate> attested_key_cert_chain;
- EXPECT_EQ(ErrorCode::INVALID_ARGUMENT,
+ EXPECT_EQ(ErrorCode::ATTESTATION_CHALLENGE_MISSING,
GenerateKey(AuthorizationSetBuilder()
.RsaSigningKey(2048, 65537)
.Authorization(TAG_NO_AUTH_REQUIRED)
@@ -522,7 +522,7 @@
attest_key, &attested_key_blob, &attested_key_characteristics,
&attested_key_cert_chain));
- EXPECT_EQ(ErrorCode::INVALID_ARGUMENT,
+ EXPECT_EQ(ErrorCode::ATTESTATION_CHALLENGE_MISSING,
GenerateKey(AuthorizationSetBuilder()
.EcdsaSigningKey(EcCurve::P_256)
.Authorization(TAG_NO_AUTH_REQUIRED)
diff --git a/security/keymint/aidl/vts/functional/KeyMintAidlTestBase.cpp b/security/keymint/aidl/vts/functional/KeyMintAidlTestBase.cpp
index 4789204..675e01d 100644
--- a/security/keymint/aidl/vts/functional/KeyMintAidlTestBase.cpp
+++ b/security/keymint/aidl/vts/functional/KeyMintAidlTestBase.cpp
@@ -119,10 +119,10 @@
// Attestations don't contain everything in key authorization lists, so we need to filter the key
// lists to produce the lists that we expect to match the attestations.
auto kTagsToFilter = {
- Tag::CREATION_DATETIME, //
- Tag::EC_CURVE,
- Tag::HARDWARE_TYPE,
- Tag::INCLUDE_UNIQUE_ID,
+ Tag::CREATION_DATETIME,
+ Tag::EC_CURVE,
+ Tag::HARDWARE_TYPE,
+ Tag::INCLUDE_UNIQUE_ID,
};
AuthorizationSet filtered_tags(const AuthorizationSet& set) {
diff --git a/security/keymint/aidl/vts/functional/KeyMintTest.cpp b/security/keymint/aidl/vts/functional/KeyMintTest.cpp
index bcf8b95..22d26a5 100644
--- a/security/keymint/aidl/vts/functional/KeyMintTest.cpp
+++ b/security/keymint/aidl/vts/functional/KeyMintTest.cpp
@@ -2261,11 +2261,11 @@
.Padding(PaddingMode::NONE)
.Padding(PaddingMode::RSA_PKCS1_1_5_SIGN)));
- ASSERT_EQ(ErrorCode::UNSUPPORTED_DIGEST,
- Begin(KeyPurpose::SIGN, AuthorizationSetBuilder()
- .Digest(Digest::NONE)
- .Digest(Digest::SHA1)
- .Padding(PaddingMode::RSA_PKCS1_1_5_SIGN)));
+ auto result = Begin(KeyPurpose::SIGN, AuthorizationSetBuilder()
+ .Digest(Digest::NONE)
+ .Digest(Digest::SHA1)
+ .Padding(PaddingMode::RSA_PKCS1_1_5_SIGN));
+ ASSERT_TRUE(result == ErrorCode::UNSUPPORTED_DIGEST || result == ErrorCode::INVALID_ARGUMENT);
ASSERT_EQ(ErrorCode::UNSUPPORTED_DIGEST,
Begin(KeyPurpose::SIGN,