Merge changes I5c55bae2,If418dcdd,I5aff41ac into sc-dev am: 87527e238d
Original change: https://googleplex-android-review.googlesource.com/c/platform/hardware/interfaces/+/14526696
Change-Id: Ief98c2e4220e66d608411fcefa467e2080764cc5
diff --git a/security/keymint/aidl/android/hardware/security/keymint/IKeyMintDevice.aidl b/security/keymint/aidl/android/hardware/security/keymint/IKeyMintDevice.aidl
index b6af813..9cc795d 100644
--- a/security/keymint/aidl/android/hardware/security/keymint/IKeyMintDevice.aidl
+++ b/security/keymint/aidl/android/hardware/security/keymint/IKeyMintDevice.aidl
@@ -318,10 +318,11 @@
* @param attestationKey, if provided, specifies the key that must be used to sign the
* attestation certificate. If `keyParams` does not contain a Tag::ATTESTATION_CHALLENGE
* but `attestationKey` is non-null, the IKeyMintDevice must return
- * ErrorCode::INVALID_ARGUMENT. If the provided AttestationKey does not contain a key
- * blob containing an asymmetric key with KeyPurpose::ATTEST_KEY, the IKeyMintDevice must
- * return ErrorCode::INCOMPATIBLE_PURPOSE. If the provided AttestationKey has an empty
- * issuer subject name, the IKeyMintDevice must return ErrorCode::INVALID_ARGUMENT.
+ * ErrorCode::ATTESTATION_CHALLENGE_MISSING. If the provided AttestationKey does not
+ * contain a key blob containing an asymmetric key with KeyPurpose::ATTEST_KEY, the
+ * IKeyMintDevice must return ErrorCode::INCOMPATIBLE_PURPOSE. If the provided
+ * AttestationKey has an empty issuer subject name, the IKeyMintDevice must return
+ * ErrorCode::INVALID_ARGUMENT.
*
* If `attestationKey` is null and `keyParams` contains Tag::ATTESTATION_CHALLENGE but
* the KeyMint implementation does not have factory-provisioned attestation keys, it must
diff --git a/security/keymint/aidl/android/hardware/security/keymint/KeyParameterValue.aidl b/security/keymint/aidl/android/hardware/security/keymint/KeyParameterValue.aidl
index 59016f2..924f402 100644
--- a/security/keymint/aidl/android/hardware/security/keymint/KeyParameterValue.aidl
+++ b/security/keymint/aidl/android/hardware/security/keymint/KeyParameterValue.aidl
@@ -48,7 +48,7 @@
boolean boolValue; // Always true, if present.
int integer;
long longInteger;
- long dateTime;
+ long dateTime; // In milliseconds from epoch
byte[] blob;
}
diff --git a/security/keymint/aidl/android/hardware/security/keymint/Tag.aidl b/security/keymint/aidl/android/hardware/security/keymint/Tag.aidl
index 8fbc91a..66f79ce 100644
--- a/security/keymint/aidl/android/hardware/security/keymint/Tag.aidl
+++ b/security/keymint/aidl/android/hardware/security/keymint/Tag.aidl
@@ -935,15 +935,15 @@
/**
* Tag::CERTIFICATE_NOT_BEFORE the beginning of the validity of the certificate in UNIX epoch
- * time in seconds. This value is used when generating attestation or self signed certificates.
- * ErrorCode::MISSING_NOT_BEFORE must be returned if this tag is not provided if this tag is not
- * provided to generateKey or importKey.
+ * time in milliseconds. This value is used when generating attestation or self signed
+ * certificates. ErrorCode::MISSING_NOT_BEFORE must be returned if this tag is not provided if
+ * this tag is not provided to generateKey or importKey.
*/
CERTIFICATE_NOT_BEFORE = (6 << 28) /* TagType:DATE */ | 1008,
/**
* Tag::CERTIFICATE_NOT_AFTER the end of the validity of the certificate in UNIX epoch time in
- * seconds. This value is used when generating attestation or self signed certificates.
+ * milliseconds. This value is used when generating attestation or self signed certificates.
* ErrorCode::MISSING_NOT_AFTER must be returned if this tag is not provided to generateKey or
* importKey.
*/
diff --git a/security/keymint/aidl/vts/functional/AttestKeyTest.cpp b/security/keymint/aidl/vts/functional/AttestKeyTest.cpp
index 881354d..e4a877c 100644
--- a/security/keymint/aidl/vts/functional/AttestKeyTest.cpp
+++ b/security/keymint/aidl/vts/functional/AttestKeyTest.cpp
@@ -361,7 +361,7 @@
EXPECT_EQ(ErrorCode::OK,
GenerateKey(AuthorizationSetBuilder()
- .EcdsaSigningKey(224)
+ .EcdsaSigningKey(EcCurve::P_256)
.AttestKey()
.AttestationChallenge("foo")
.AttestationApplicationId("bar")
@@ -435,7 +435,7 @@
if ((i & 0x1) == 1) {
EXPECT_EQ(ErrorCode::OK,
GenerateKey(AuthorizationSetBuilder()
- .EcdsaSigningKey(224)
+ .EcdsaSigningKey(EcCurve::P_256)
.AttestKey()
.AttestationChallenge("foo")
.AttestationApplicationId("bar")
@@ -513,7 +513,7 @@
vector<uint8_t> attested_key_blob;
vector<KeyCharacteristics> attested_key_characteristics;
vector<Certificate> attested_key_cert_chain;
- EXPECT_EQ(ErrorCode::INVALID_ARGUMENT,
+ EXPECT_EQ(ErrorCode::ATTESTATION_CHALLENGE_MISSING,
GenerateKey(AuthorizationSetBuilder()
.RsaSigningKey(2048, 65537)
.Authorization(TAG_NO_AUTH_REQUIRED)
@@ -522,7 +522,7 @@
attest_key, &attested_key_blob, &attested_key_characteristics,
&attested_key_cert_chain));
- EXPECT_EQ(ErrorCode::INVALID_ARGUMENT,
+ EXPECT_EQ(ErrorCode::ATTESTATION_CHALLENGE_MISSING,
GenerateKey(AuthorizationSetBuilder()
.EcdsaSigningKey(EcCurve::P_256)
.Authorization(TAG_NO_AUTH_REQUIRED)
diff --git a/security/keymint/aidl/vts/functional/KeyMintAidlTestBase.cpp b/security/keymint/aidl/vts/functional/KeyMintAidlTestBase.cpp
index 4789204..675e01d 100644
--- a/security/keymint/aidl/vts/functional/KeyMintAidlTestBase.cpp
+++ b/security/keymint/aidl/vts/functional/KeyMintAidlTestBase.cpp
@@ -119,10 +119,10 @@
// Attestations don't contain everything in key authorization lists, so we need to filter the key
// lists to produce the lists that we expect to match the attestations.
auto kTagsToFilter = {
- Tag::CREATION_DATETIME, //
- Tag::EC_CURVE,
- Tag::HARDWARE_TYPE,
- Tag::INCLUDE_UNIQUE_ID,
+ Tag::CREATION_DATETIME,
+ Tag::EC_CURVE,
+ Tag::HARDWARE_TYPE,
+ Tag::INCLUDE_UNIQUE_ID,
};
AuthorizationSet filtered_tags(const AuthorizationSet& set) {
diff --git a/security/keymint/aidl/vts/functional/KeyMintTest.cpp b/security/keymint/aidl/vts/functional/KeyMintTest.cpp
index bcf8b95..22d26a5 100644
--- a/security/keymint/aidl/vts/functional/KeyMintTest.cpp
+++ b/security/keymint/aidl/vts/functional/KeyMintTest.cpp
@@ -2261,11 +2261,11 @@
.Padding(PaddingMode::NONE)
.Padding(PaddingMode::RSA_PKCS1_1_5_SIGN)));
- ASSERT_EQ(ErrorCode::UNSUPPORTED_DIGEST,
- Begin(KeyPurpose::SIGN, AuthorizationSetBuilder()
- .Digest(Digest::NONE)
- .Digest(Digest::SHA1)
- .Padding(PaddingMode::RSA_PKCS1_1_5_SIGN)));
+ auto result = Begin(KeyPurpose::SIGN, AuthorizationSetBuilder()
+ .Digest(Digest::NONE)
+ .Digest(Digest::SHA1)
+ .Padding(PaddingMode::RSA_PKCS1_1_5_SIGN));
+ ASSERT_TRUE(result == ErrorCode::UNSUPPORTED_DIGEST || result == ErrorCode::INVALID_ARGUMENT);
ASSERT_EQ(ErrorCode::UNSUPPORTED_DIGEST,
Begin(KeyPurpose::SIGN,