Remove creation time checks.
We should not be relying on the HAL service to add CREATION_TIME to
keys. It was always intended to be an optional tag that could be
added by keystore, or maybe the caller of keystore. One widespread
Keymaster implementation started adding it (somewhat erroneously) if
it wasn't provided, and it appears that this implementation's behavior
became assumed to be the required behavior.
Test: VtsHalKeymasterV4_0TargetTest
Change-Id: I34267c4e1f59fd8ee5f898f8c746a7b49f4d74a5
diff --git a/keymaster/4.0/vts/functional/KeymasterHidlTest.cpp b/keymaster/4.0/vts/functional/KeymasterHidlTest.cpp
index 07409f6..7241984 100644
--- a/keymaster/4.0/vts/functional/KeymasterHidlTest.cpp
+++ b/keymaster/4.0/vts/functional/KeymasterHidlTest.cpp
@@ -201,22 +201,6 @@
CheckedDeleteKey(&key_blob_);
}
-void KeymasterHidlTest::CheckCreationDateTime(
- const AuthorizationSet& sw_enforced,
- std::chrono::time_point<std::chrono::system_clock> creation) {
- for (int i = 0; i < sw_enforced.size(); i++) {
- if (sw_enforced[i].tag == TAG_CREATION_DATETIME) {
- std::chrono::time_point<std::chrono::system_clock> now =
- std::chrono::system_clock::now();
- std::chrono::time_point<std::chrono::system_clock> reported_time{
- std::chrono::milliseconds(sw_enforced[i].f.dateTime)};
- // The test is flaky for EC keys, so a buffer time of 120 seconds will be added.
- EXPECT_LE(creation - std::chrono::seconds(120), reported_time);
- EXPECT_LE(reported_time, now + std::chrono::seconds(1));
- }
- }
-}
-
void KeymasterHidlTest::CheckGetCharacteristics(const HidlBuf& key_blob, const HidlBuf& client_id,
const HidlBuf& app_data,
KeyCharacteristics* key_characteristics) {
diff --git a/keymaster/4.0/vts/functional/KeymasterHidlTest.h b/keymaster/4.0/vts/functional/KeymasterHidlTest.h
index adceead..4bd8b26 100644
--- a/keymaster/4.0/vts/functional/KeymasterHidlTest.h
+++ b/keymaster/4.0/vts/functional/KeymasterHidlTest.h
@@ -113,9 +113,6 @@
void CheckedDeleteKey(HidlBuf* key_blob, bool keep_key_blob = false);
void CheckedDeleteKey();
- static void CheckCreationDateTime(const AuthorizationSet& sw_enforced,
- std::chrono::time_point<std::chrono::system_clock> creation);
-
void CheckGetCharacteristics(const HidlBuf& key_blob, const HidlBuf& client_id,
const HidlBuf& app_data, KeyCharacteristics* key_characteristics);
ErrorCode GetCharacteristics(const HidlBuf& key_blob, const HidlBuf& client_id,
diff --git a/keymaster/4.0/vts/functional/keymaster_hidl_hal_test.cpp b/keymaster/4.0/vts/functional/keymaster_hidl_hal_test.cpp
index 35a2fb1..d2dfebf 100644
--- a/keymaster/4.0/vts/functional/keymaster_hidl_hal_test.cpp
+++ b/keymaster/4.0/vts/functional/keymaster_hidl_hal_test.cpp
@@ -320,8 +320,7 @@
bool verify_attestation_record(const string& challenge, const string& app_id,
AuthorizationSet expected_sw_enforced,
AuthorizationSet expected_hw_enforced, SecurityLevel security_level,
- const hidl_vec<uint8_t>& attestation_cert,
- std::chrono::time_point<std::chrono::system_clock> creation_time) {
+ const hidl_vec<uint8_t>& attestation_cert) {
X509_Ptr cert(parse_cert_blob(attestation_cert));
EXPECT_TRUE(!!cert.get());
if (!cert.get()) return false;
@@ -405,8 +404,6 @@
EXPECT_FALSE(expected_hw_enforced.Contains(TAG_TRUSTED_USER_PRESENCE_REQUIRED));
EXPECT_FALSE(att_hw_enforced.Contains(TAG_TRUSTED_USER_PRESENCE_REQUIRED));
- KeymasterHidlTest::CheckCreationDateTime(att_sw_enforced, creation_time);
-
if (att_hw_enforced.Contains(TAG_ALGORITHM, Algorithm::EC)) {
// For ECDSA keys, either an EC_CURVE or a KEY_SIZE can be specified, but one must be.
EXPECT_TRUE(att_hw_enforced.Contains(TAG_EC_CURVE) ||
@@ -553,24 +550,6 @@
}
/*
- * NewKeyGenerationTest.RsaCheckCreationDateTime
- *
- * Verifies that creation date time is correct.
- */
-TEST_P(NewKeyGenerationTest, RsaCheckCreationDateTime) {
- KeyCharacteristics key_characteristics;
- auto creation_time = std::chrono::system_clock::now();
- ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
- .Authorization(TAG_NO_AUTH_REQUIRED)
- .RsaSigningKey(2048, 3)
- .Digest(Digest::NONE)
- .Padding(PaddingMode::NONE)));
- GetCharacteristics(key_blob_, &key_characteristics);
- AuthorizationSet sw_enforced = key_characteristics.softwareEnforced;
- CheckCreationDateTime(sw_enforced, creation_time);
-}
-
-/*
* NewKeyGenerationTest.NoInvalidRsaSizes
*
* Verifies that keymaster cannot generate any RSA key sizes that are designated as invalid.
@@ -635,23 +614,6 @@
}
/*
- * NewKeyGenerationTest.EcCheckCreationDateTime
- *
- * Verifies that creation date time is correct.
- */
-TEST_P(NewKeyGenerationTest, EcCheckCreationDateTime) {
- KeyCharacteristics key_characteristics;
- auto creation_time = std::chrono::system_clock::now();
- ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
- .Authorization(TAG_NO_AUTH_REQUIRED)
- .EcdsaSigningKey(256)
- .Digest(Digest::NONE)));
- GetCharacteristics(key_blob_, &key_characteristics);
- AuthorizationSet sw_enforced = key_characteristics.softwareEnforced;
- CheckCreationDateTime(sw_enforced, creation_time);
-}
-
-/*
* NewKeyGenerationTest.EcdsaDefaultSize
*
* Verifies that failing to specify a key size for EC key generation returns UNSUPPORTED_KEY_SIZE.
@@ -4232,7 +4194,6 @@
* Verifies that attesting to RSA keys works and generates the expected output.
*/
TEST_P(AttestationTest, RsaAttestation) {
- auto creation_time = std::chrono::system_clock::now();
ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
.Authorization(TAG_NO_AUTH_REQUIRED)
.RsaSigningKey(2048, 65537)
@@ -4257,7 +4218,7 @@
EXPECT_TRUE(verify_attestation_record("challenge", "foo", //
key_characteristics_.softwareEnforced, //
key_characteristics_.hardwareEnforced, //
- SecLevel(), cert_chain[0], creation_time));
+ SecLevel(), cert_chain[0]));
}
/*
@@ -4286,7 +4247,6 @@
* Verifies that attesting to EC keys works and generates the expected output.
*/
TEST_P(AttestationTest, EcAttestation) {
- auto creation_time = std::chrono::system_clock::now();
ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
.Authorization(TAG_NO_AUTH_REQUIRED)
.EcdsaSigningKey(EcCurve::P_256)
@@ -4308,7 +4268,7 @@
EXPECT_TRUE(verify_attestation_record("challenge", "foo", //
key_characteristics_.softwareEnforced, //
key_characteristics_.hardwareEnforced, //
- SecLevel(), cert_chain[0], creation_time));
+ SecLevel(), cert_chain[0]));
}
/*
@@ -4341,7 +4301,6 @@
TEST_P(AttestationTest, AttestationApplicationIDLengthProperlyEncoded) {
std::vector<uint32_t> app_id_lengths{143, 258};
for (uint32_t length : app_id_lengths) {
- auto creation_time = std::chrono::system_clock::now();
ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
.Authorization(TAG_NO_AUTH_REQUIRED)
.EcdsaSigningKey(EcCurve::P_256)
@@ -4359,7 +4318,7 @@
EXPECT_TRUE(verify_attestation_record("challenge", app_id, //
key_characteristics_.softwareEnforced, //
key_characteristics_.hardwareEnforced, //
- SecLevel(), cert_chain[0], creation_time));
+ SecLevel(), cert_chain[0]));
CheckedDeleteKey();
}
}