Gitiles
Code Review Sign In
gerrit.omnirom.org / android_hardware_interfaces / ef7395127f2166dfd0a2bd5cfbb334f3695f2c96^! / . / identity / aidl / vts / VtsIdentityTestUtils.cpp
commitef7395127f2166dfd0a2bd5cfbb334f3695f2c96[log] [tgz]
authorDavid Zeuthen <zeuthen@google.com>Wed Jun 03 13:24:52 2020 -0400
committerDavid Zeuthen <zeuthen@google.com>Thu Jun 04 16:46:54 2020 -0400
treefe189542607488b2207c5ceff3e8d1ff4ef0aea7
parenta2a6a33ea94633d8ab75414e571ae0a71cc6a761 [diff] [blame]
Update Identity Credential VTS tests.

These updates are based on input/experiences implementing this
HAL. There are no API changes.

 - Specify that the validity for credentialKey certificate shall be
   from current time and expire at the same time as the attestation
   batch certificate.

 - Require challenge passed to getAttestationCertificate() is
   non-empty.

 - Fix bug in VTS tests where the startPersonlization() result was not
   checked.

 - Remove verifyStartPersonalizationZero test since it cannot be
   completed.

 - Ensure secureUserId is non-zero if user authentication is needed.

 - Specify format for signingKeyBlob in generateSigningKeyPair() same
   way we do for credentialData in finishAddingEntries().

 - Modify EndToEndTest to decrypt/unpack credentialData to obtain
   credentialPrivKey and storageKey and do cross-checks on these.

 - Modify EndToEndTest to decrypt/unpack signingKeyBlob to obtain
   signingKeyPriv and check it matches the public key in the returned
   certificate.

 - Add new VTS tests for user and reader authentication.

 - Relax unnecessary requirements about SessionTranscript structure -
   just require it has X and Y of the ephemeral key created earlier.

 - Allow calls in VTS tests to v2 HAL to fail - this should allow
   these VTS tests to pass on a compliant v1 HAL.

Bug: 156911917
Bug: 158107945
Test: atest VtsHalIdentityTargetTest
Test: atest android.security.identity.cts
Change-Id: I11b79dbd57b1830609c70301fea9c99f9e5080cb

diff --git a/identity/aidl/vts/VtsIdentityTestUtils.cpp b/identity/aidl/vts/VtsIdentityTestUtils.cpp
index aaebcbe..b6ed80f 100644
--- a/identity/aidl/vts/VtsIdentityTestUtils.cpp
+++ b/identity/aidl/vts/VtsIdentityTestUtils.cpp

@@ -96,9 +96,10 @@
         SecureAccessControlProfile profile;
         Certificate cert;
         cert.encodedCertificate = testProfile.readerCertificate;
+        int64_t secureUserId = testProfile.userAuthenticationRequired ? 66 : 0;
         result = writableCredential->addAccessControlProfile(
                 testProfile.id, cert, testProfile.userAuthenticationRequired,
-                testProfile.timeoutMillis, 0, &profile);
+                testProfile.timeoutMillis, secureUserId, &profile);
 
         // Don't use assert so all errors can be outputed.  Then return
         // instead of exit even on errors so caller can decide.