[RESTRICT AUTOMERGE] Allow extra error code in device ID attestation
Generalize the existing helper function to allow more variants.
Manual cherry-pick of aosp/2627969 combined with aosp/2648423 to avoid
merge conflicts
Bug: 286733800
Test: VtsAidlKeyMintTargetTest
Merged-In: Ic01c53cbe79f55c2d403a66acbfd04029395c287
Merged-In: I0dcac312ac4516a078b2742721e3a19074da52b1
Change-Id: I328f7b3195d4b4dd1ed1da17377696261094ea76
diff --git a/security/keymint/aidl/vts/functional/AttestKeyTest.cpp b/security/keymint/aidl/vts/functional/AttestKeyTest.cpp
index b9968f8..3e37a5c 100644
--- a/security/keymint/aidl/vts/functional/AttestKeyTest.cpp
+++ b/security/keymint/aidl/vts/functional/AttestKeyTest.cpp
@@ -952,9 +952,7 @@
vector<Certificate> attested_key_cert_chain;
auto result = GenerateKey(builder, attest_key, &attested_key_blob,
&attested_key_characteristics, &attested_key_cert_chain);
-
- ASSERT_TRUE(result == ErrorCode::CANNOT_ATTEST_IDS || result == ErrorCode::INVALID_TAG)
- << "result = " << result;
+ device_id_attestation_check_acceptable_error(invalid_tag.tag, result);
}
CheckedDeleteKey(&attest_key.keyBlob);
}
diff --git a/security/keymint/aidl/vts/functional/DeviceUniqueAttestationTest.cpp b/security/keymint/aidl/vts/functional/DeviceUniqueAttestationTest.cpp
index 1dc5df3..c91e4e8 100644
--- a/security/keymint/aidl/vts/functional/DeviceUniqueAttestationTest.cpp
+++ b/security/keymint/aidl/vts/functional/DeviceUniqueAttestationTest.cpp
@@ -349,7 +349,7 @@
builder.push_back(invalid_tag);
auto result = GenerateKey(builder, &key_blob, &key_characteristics);
- ASSERT_TRUE(result == ErrorCode::CANNOT_ATTEST_IDS || result == ErrorCode::INVALID_TAG);
+ device_id_attestation_check_acceptable_error(invalid_tag.tag, result);
}
}
diff --git a/security/keymint/aidl/vts/functional/KeyMintAidlTestBase.cpp b/security/keymint/aidl/vts/functional/KeyMintAidlTestBase.cpp
index 20c0bf5..d2d964a 100644
--- a/security/keymint/aidl/vts/functional/KeyMintAidlTestBase.cpp
+++ b/security/keymint/aidl/vts/functional/KeyMintAidlTestBase.cpp
@@ -1924,6 +1924,24 @@
*signingKey = std::move(pubKey);
}
+// Check the error code from an attempt to perform device ID attestation with an invalid value.
+void device_id_attestation_check_acceptable_error(Tag tag, const ErrorCode& result) {
+ if (result == ErrorCode::CANNOT_ATTEST_IDS) {
+ // Standard/default error code for ID mismatch.
+ } else if (result == ErrorCode::INVALID_TAG) {
+ // Depending on the situation, other error codes may be acceptable. First, allow older
+ // implementations to use INVALID_TAG.
+ } else if (result == ErrorCode::ATTESTATION_IDS_NOT_PROVISIONED) {
+ // If the device is not a phone, it will not have IMEI/MEID values available. Allow
+ // ATTESTATION_IDS_NOT_PROVISIONED in this case.
+ ASSERT_TRUE((tag == TAG_ATTESTATION_ID_IMEI || tag == TAG_ATTESTATION_ID_MEID))
+ << "incorrect error code on attestation ID mismatch";
+ } else {
+ ADD_FAILURE() << "Error code " << result
+ << " returned on attestation ID mismatch, should be CANNOT_ATTEST_IDS";
+ }
+}
+
// Check whether the given named feature is available.
bool check_feature(const std::string& name) {
::android::sp<::android::IServiceManager> sm(::android::defaultServiceManager());
diff --git a/security/keymint/aidl/vts/functional/KeyMintAidlTestBase.h b/security/keymint/aidl/vts/functional/KeyMintAidlTestBase.h
index 7d3bc30..129c737 100644
--- a/security/keymint/aidl/vts/functional/KeyMintAidlTestBase.h
+++ b/security/keymint/aidl/vts/functional/KeyMintAidlTestBase.h
@@ -386,6 +386,7 @@
void check_maced_pubkey(const MacedPublicKey& macedPubKey, bool testMode,
vector<uint8_t>* payload_value);
void p256_pub_key(const vector<uint8_t>& coseKeyData, EVP_PKEY_Ptr* signingKey);
+void device_id_attestation_check_acceptable_error(Tag tag, const ErrorCode& result);
bool check_feature(const std::string& name);
AuthorizationSet HwEnforcedAuthorizations(const vector<KeyCharacteristics>& key_characteristics);