Merge "Correct error code in attest_key docs." am: b21b4a3663
Original change: https://android-review.googlesource.com/c/platform/hardware/interfaces/+/1662620
Change-Id: Ia0f1df2713a35026bcd89bd4fac72aead650146b
diff --git a/security/keymint/aidl/android/hardware/security/keymint/IKeyMintDevice.aidl b/security/keymint/aidl/android/hardware/security/keymint/IKeyMintDevice.aidl
index 17aab25..5aa3070 100644
--- a/security/keymint/aidl/android/hardware/security/keymint/IKeyMintDevice.aidl
+++ b/security/keymint/aidl/android/hardware/security/keymint/IKeyMintDevice.aidl
@@ -321,8 +321,8 @@
* but `attestationKey` is non-null, the IKeyMintDevice must return
* ErrorCode::INVALID_ARGUMENT. If the provided AttestationKey does not contain a key
* blob containing an asymmetric key with KeyPurpose::ATTEST_KEY, the IKeyMintDevice must
- * return ErrorCode::INVALID_PURPOSE. If the provided AttestationKey has an empty issuer
- * subject name, the IKeyMintDevice must return ErrorCode::INVALID_ARGUMENT.
+ * return ErrorCode::INCOMPATIBLE_PURPOSE. If the provided AttestationKey has an empty
+ * issuer subject name, the IKeyMintDevice must return ErrorCode::INVALID_ARGUMENT.
*
* @return The result of key creation. See KeyCreationResult.aidl.
*/
@@ -360,8 +360,8 @@
* but `attestationKey` is non-null, the IKeyMintDevice must return
* ErrorCode::INVALID_ARGUMENT. If the provided AttestationKey does not contain a key
* blob containing an asymmetric key with KeyPurpose::ATTEST_KEY, the IKeyMintDevice must
- * return ErrorCode::INVALID_PURPOSE. If the provided AttestationKey has an empty issuer
- * subject name, the IKeyMintDevice must return ErrorCode::INVALID_ARGUMENT.
+ * return ErrorCode::INCOMPATIBLE_PURPOSE. If the provided AttestationKey has an empty
+ * issuer subject name, the IKeyMintDevice must return ErrorCode::INVALID_ARGUMENT.
*
* @return The result of key creation. See KeyCreationResult.aidl.
*/
diff --git a/security/keymint/aidl/vts/functional/AttestKeyTest.cpp b/security/keymint/aidl/vts/functional/AttestKeyTest.cpp
index 1e907db..daa3e18 100644
--- a/security/keymint/aidl/vts/functional/AttestKeyTest.cpp
+++ b/security/keymint/aidl/vts/functional/AttestKeyTest.cpp
@@ -207,6 +207,36 @@
}
}
+TEST_P(AttestKeyTest, AttestWithNonAttestKey) {
+ // Create non-attestaton key.
+ AttestationKey non_attest_key;
+ vector<KeyCharacteristics> non_attest_key_characteristics;
+ vector<Certificate> non_attest_key_cert_chain;
+ ASSERT_EQ(
+ ErrorCode::OK,
+ GenerateKey(
+ AuthorizationSetBuilder().EcdsaSigningKey(EcCurve::P_256).SetDefaultValidity(),
+ {} /* attestation siging key */, &non_attest_key.keyBlob,
+ &non_attest_key_characteristics, &non_attest_key_cert_chain));
+
+ EXPECT_EQ(non_attest_key_cert_chain.size(), 1);
+ EXPECT_TRUE(IsSelfSigned(non_attest_key_cert_chain));
+
+ // Attempt to sign attestation with non-attest key.
+ vector<uint8_t> attested_key_blob;
+ vector<KeyCharacteristics> attested_key_characteristics;
+ vector<Certificate> attested_key_cert_chain;
+ EXPECT_EQ(ErrorCode::INCOMPATIBLE_PURPOSE,
+ GenerateKey(AuthorizationSetBuilder()
+ .EcdsaSigningKey(EcCurve::P_256)
+ .Authorization(TAG_NO_AUTH_REQUIRED)
+ .AttestationChallenge("foo")
+ .AttestationApplicationId("bar")
+ .SetDefaultValidity(),
+ non_attest_key, &attested_key_blob, &attested_key_characteristics,
+ &attested_key_cert_chain));
+}
+
INSTANTIATE_KEYMINT_AIDL_TEST(AttestKeyTest);
} // namespace aidl::android::hardware::security::keymint::test