Fix wrong origin assumption for wrapped KM0 hals
KM0 supports only asymmetric encryption, and for asymmetric keys we cannot
distinguish between imported and generated keys.
This patch adds correct handling for KM0 origin tags.
Test: run vts test with wrapped km0 module from
system/security/softkeymaster
Bug: 67358942
Bug: 67363396
Test: VtsHalKeymasterV3_0TargetTest
Change-Id: I7f5ddd21dde284dbfbd68b3b83fb75c1457dbd59
diff --git a/keymaster/3.0/vts/functional/keymaster_hidl_hal_test.cpp b/keymaster/3.0/vts/functional/keymaster_hidl_hal_test.cpp
index 02e238a..7948015 100644
--- a/keymaster/3.0/vts/functional/keymaster_hidl_hal_test.cpp
+++ b/keymaster/3.0/vts/functional/keymaster_hidl_hal_test.cpp
@@ -898,13 +898,20 @@
}
}
- void CheckOrigin() {
+ void CheckOrigin(bool asymmetric = false) {
SCOPED_TRACE("CheckOrigin");
if (is_secure_ && supports_symmetric_) {
EXPECT_TRUE(
contains(key_characteristics_.teeEnforced, TAG_ORIGIN, KeyOrigin::IMPORTED));
} else if (is_secure_) {
- EXPECT_TRUE(contains(key_characteristics_.teeEnforced, TAG_ORIGIN, KeyOrigin::UNKNOWN));
+ // wrapped KM0
+ if (asymmetric) {
+ EXPECT_TRUE(
+ contains(key_characteristics_.teeEnforced, TAG_ORIGIN, KeyOrigin::UNKNOWN));
+ } else {
+ EXPECT_TRUE(contains(key_characteristics_.softwareEnforced, TAG_ORIGIN,
+ KeyOrigin::IMPORTED));
+ }
} else {
EXPECT_TRUE(
contains(key_characteristics_.softwareEnforced, TAG_ORIGIN, KeyOrigin::IMPORTED));
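Review bot: The new `asymmetric` parameter of CheckOrigin defaults to `false`, so on a wrapped KM0 (the `else if (is_secure_)` branch) any asymmetric import test that this patch does not update silently takes the `softwareEnforced`/`IMPORTED` expectation and fails with a misleading message. Dropping the default, or taking a small enum for the key class instead of a bare bool, would make every call site state which case it tests. The `// wrapped KM0` comment also does not say why the branch splits; something like `// Wrapped KM0: the HAL cannot tell imported from generated asymmetric keys, so it reports ORIGIN as UNKNOWN in teeEnforced.` would carry the reasoning from the commit message into the code. CheckOrigin's body continues past the end of this hunk.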
@@ -1059,13 +1066,17 @@
class NewKeyGenerationTest : public KeymasterHidlTest {
protected:
- void CheckBaseParams(const KeyCharacteristics& keyCharacteristics) {
+ void CheckBaseParams(const KeyCharacteristics& keyCharacteristics, bool asymmetric = false) {
// TODO(swillden): Distinguish which params should be in which auth list.
AuthorizationSet auths(keyCharacteristics.teeEnforced);
auths.push_back(AuthorizationSet(keyCharacteristics.softwareEnforced));
- EXPECT_TRUE(auths.Contains(TAG_ORIGIN, KeyOrigin::GENERATED));
+ if (!SupportsSymmetric() && asymmetric) {
+ EXPECT_TRUE(auths.Contains(TAG_ORIGIN, KeyOrigin::UNKNOWN));
+ } else {
+ EXPECT_TRUE(auths.Contains(TAG_ORIGIN, KeyOrigin::GENERATED));
+ }
EXPECT_TRUE(auths.Contains(TAG_PURPOSE, KeyPurpose::SIGN));
EXPECT_TRUE(auths.Contains(TAG_PURPOSE, KeyPurpose::VERIFY));
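Review bot: The UNKNOWN branch in CheckBaseParams is gated only on `!SupportsSymmetric() && asymmetric`, while the matching branch in CheckOrigin also requires a secure implementation (`else if (is_secure_)`). If both are meant to describe the same wrapped-KM0 case, the condition should read `if (IsSecure() && !SupportsSymmetric() && asymmetric) {`. Because `auths` merges teeEnforced and softwareEnforced, the check also passes when UNKNOWN appears only in the software list, whereas CheckOrigin expects it in teeEnforced. The existing TODO acknowledges this, but the origin tag is where the list matters most, since it is what tells a caller whether the hardware vouches for the key's provenance. The rest of CheckBaseParams lies outside this hunk.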
@@ -1114,7 +1125,7 @@
&key_blob, &key_characteristics));
ASSERT_GT(key_blob.size(), 0U);
- CheckBaseParams(key_characteristics);
+ CheckBaseParams(key_characteristics, true /* asymmetric */);
AuthorizationSet crypto_params;
if (IsSecure()) {
@@ -1160,7 +1171,7 @@
.Authorizations(UserAuths()),
&key_blob, &key_characteristics));
ASSERT_GT(key_blob.size(), 0U);
- CheckBaseParams(key_characteristics);
+ CheckBaseParams(key_characteristics, true /* asymmetric */);
AuthorizationSet crypto_params;
if (IsSecure()) {
@@ -2359,7 +2370,7 @@
CheckKm0CryptoParam(TAG_RSA_PUBLIC_EXPONENT, 65537U);
CheckKm1CryptoParam(TAG_DIGEST, Digest::SHA_2_256);
CheckKm1CryptoParam(TAG_PADDING, PaddingMode::RSA_PSS);
- CheckOrigin();
+ CheckOrigin(true /* asymmetric */);
string message(1024 / 8, 'a');
auto params = AuthorizationSetBuilder().Digest(Digest::SHA_2_256).Padding(PaddingMode::RSA_PSS);
@@ -2415,7 +2426,7 @@
CheckKm1CryptoParam(TAG_DIGEST, Digest::SHA_2_256);
CheckKm2CryptoParam(TAG_EC_CURVE, EcCurve::P_256);
- CheckOrigin();
+ CheckOrigin(true /* asymmetric */);
string message(32, 'a');
auto params = AuthorizationSetBuilder().Digest(Digest::SHA_2_256);
@@ -2441,7 +2452,7 @@
CheckKm1CryptoParam(TAG_DIGEST, Digest::SHA_2_256);
CheckKm2CryptoParam(TAG_EC_CURVE, EcCurve::P_521);
- CheckOrigin();
+ CheckOrigin(true /* asymmetric */);
string message(32, 'a');
auto params = AuthorizationSetBuilder().Digest(Digest::SHA_2_256);