Add checks for different size of challenge
RKP allows a challenge of 0 to 64 bytes to be provided.
Test it with inputs of several different sizes.
Bug: 272392463
Test: VtsHalRemotelyProvisionedComponentTargetTest
Change-Id: I488c75745dc68778ff6d862506a5beeec82f7ac1
diff --git a/security/rkp/aidl/vts/functional/VtsRemotelyProvisionedComponentTests.cpp b/security/rkp/aidl/vts/functional/VtsRemotelyProvisionedComponentTests.cpp
index bf40976..e1a0e2c 100644
--- a/security/rkp/aidl/vts/functional/VtsRemotelyProvisionedComponentTests.cpp
+++ b/security/rkp/aidl/vts/functional/VtsRemotelyProvisionedComponentTests.cpp
@@ -49,6 +49,9 @@
constexpr int32_t VERSION_WITH_UNIQUE_ID_SUPPORT = 2;
constexpr int32_t VERSION_WITHOUT_TEST_MODE = 3;
+constexpr uint8_t MIN_CHALLENGE_SIZE = 0;
+constexpr uint8_t MAX_CHALLENGE_SIZE = 64;
+
#define INSTANTIATE_REM_PROV_AIDL_TEST(name) \
GTEST_ALLOW_UNINSTANTIATED_PARAMETERIZED_TEST(name); \
INSTANTIATE_TEST_SUITE_P( \
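Review bot: Declaring `MIN_CHALLENGE_SIZE` and `MAX_CHALLENGE_SIZE` as `uint8_t` makes the loop variable in the second hunk (`for (auto size = MIN_CHALLENGE_SIZE; ...`) a `uint8_t` as well, and streaming that into `testing::Message()` will most likely print a raw character instead of a number. The `challenge[...]` trace in both `EmptyRequest` and `NonEmptyRequest` would then not identify the failing length. Using `constexpr size_t MIN_CHALLENGE_SIZE = 0;` and `constexpr size_t MAX_CHALLENGE_SIZE = 64;` fixes the output, assuming `randomBytes` takes a size argument, which is not visible here. It also avoids a `size <= MAX_CHALLENGE_SIZE` loop that never terminates if the limit is ever raised to 255. If the narrow type is kept, the trace should stream `static_cast<int>(size)` instead.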
@@ -701,32 +704,54 @@
};
/**
- * Generate an empty certificate request, and decrypt and verify the structure and content.
+ * Generate an empty certificate request with all possible length of challenge, and decrypt and
+ * verify the structure and content.
*/
TEST_P(CertificateRequestV2Test, EmptyRequest) {
bytevec csr;
- auto status =
- provisionable_->generateCertificateRequestV2({} /* keysToSign */, challenge_, &csr);
- ASSERT_TRUE(status.isOk()) << status.getMessage();
+ for (auto size = MIN_CHALLENGE_SIZE; size <= MAX_CHALLENGE_SIZE; size++) {
+ SCOPED_TRACE(testing::Message() << "challenge[" << size << "]");
+ auto challenge = randomBytes(size);
+ auto status =
+ provisionable_->generateCertificateRequestV2({} /* keysToSign */, challenge, &csr);
+ ASSERT_TRUE(status.isOk()) << status.getMessage();
- auto result = verifyProductionCsr(cppbor::Array(), csr, provisionable_.get(), challenge_);
- ASSERT_TRUE(result) << result.message();
+ auto result = verifyProductionCsr(cppbor::Array(), csr, provisionable_.get(), challenge);
+ ASSERT_TRUE(result) << result.message();
+ }
}
/**
- * Generate a non-empty certificate request. Decrypt, parse and validate the contents.
+ * Generate a non-empty certificate request with all possible length of challenge. Decrypt, parse
+ * and validate the contents.
*/
TEST_P(CertificateRequestV2Test, NonEmptyRequest) {
generateKeys(false /* testMode */, 1 /* numKeys */);
bytevec csr;
- auto status = provisionable_->generateCertificateRequestV2(keysToSign_, challenge_, &csr);
- ASSERT_TRUE(status.isOk()) << status.getMessage();
+ for (auto size = MIN_CHALLENGE_SIZE; size <= MAX_CHALLENGE_SIZE; size++) {
+ SCOPED_TRACE(testing::Message() << "challenge[" << size << "]");
+ auto challenge = randomBytes(size);
+ auto status = provisionable_->generateCertificateRequestV2(keysToSign_, challenge, &csr);
+ ASSERT_TRUE(status.isOk()) << status.getMessage();
- auto result = verifyProductionCsr(cborKeysToSign_, csr, provisionable_.get(), challenge_);
- ASSERT_TRUE(result) << result.message();
+ auto result = verifyProductionCsr(cborKeysToSign_, csr, provisionable_.get(), challenge);
+ ASSERT_TRUE(result) << result.message();
+ }
+}
+
+/**
+ * Generate an empty certificate request with invalid size of challenge
+ */
+TEST_P(CertificateRequestV2Test, EmptyRequestWithInvalidChallengeFail) {
+ bytevec csr;
+
+ auto status = provisionable_->generateCertificateRequestV2(
+ /* keysToSign */ {}, randomBytes(MAX_CHALLENGE_SIZE + 1), &csr);
+ EXPECT_FALSE(status.isOk()) << status.getMessage();
+ EXPECT_EQ(status.getServiceSpecificError(), BnRemotelyProvisionedComponent::STATUS_FAILED);
}
/**
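Review bot: The upper bound is enforced in only one place, `EmptyRequestWithInvalidChallengeFail`, which sends a single over-limit length (`MAX_CHALLENGE_SIZE + 1`) with an empty `keysToSign`. An implementation that validates the challenge length only on the empty-request path would still pass. Because the challenge is what ties the CSR to a fresh request, the limit deserves a sibling test on the signing path: call `generateCertificateRequestV2(keysToSign_, randomBytes(MAX_CHALLENGE_SIZE + 1), &csr)` after `generateKeys(false /* testMode */, 1 /* numKeys */)` with the same two expectations. As a smaller point, `bytevec csr;` is declared once outside both loops and reused for every size. Moving it inside the loop body makes it explicit that each `verifyProductionCsr` call checks output produced for that iteration's challenge.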