Blame - security/keymint/aidl/vts/functional/DeviceUniqueAttestationTest.cpp - android_hardware_interfaces

blob: 7009c6ef149d63a89f74f327970c573750949807 [file] [log] [blame]

Selene Huang	531a72d	2021-04-15 01:09:47 -0700	[diff] [blame^]	1	/*
				2	* Copyright (C) 2021 The Android Open Source Project
				3	*
				4	* Licensed under the Apache License, Version 2.0 (the "License");
				5	* you may not use this file except in compliance with the License.
				6	* You may obtain a copy of the License at
				7	*
				8	* http://www.apache.org/licenses/LICENSE-2.0
				9	*
				10	* Unless required by applicable law or agreed to in writing, software
				11	* distributed under the License is distributed on an "AS IS" BASIS,
				12	* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
				13	* See the License for the specific language governing permissions and
				14	* limitations under the License.
				15	*/
				16
				17	#define LOG_TAG "keymint_1_attest_key_test"
				18
				19	#include <cutils/log.h>
				20	#include <cutils/properties.h>
				21	#include <keymint_support/key_param_output.h>
				22	#include <keymint_support/openssl_utils.h>
				23
				24	#include "KeyMintAidlTestBase.h"
				25
				26	namespace aidl::android::hardware::security::keymint::test {
				27
				28	class DeviceUniqueAttestationTest : public KeyMintAidlTestBase {
				29	protected:
				30	void CheckUniqueAttestationResults(const vector<uint8_t>& key_blob,
				31	const vector<KeyCharacteristics>& key_characteristics,
				32	const AuthorizationSet& hw_enforced, int key_size) {
				33	ASSERT_GT(cert_chain_.size(), 0);
				34
				35	if (KeyMintAidlTestBase::dump_Attestations) {
				36	std::cout << bin2hex(cert_chain_[0].encodedCertificate) << std::endl;
				37	}
				38
				39	ASSERT_GT(key_blob.size(), 0U);
				40
				41	AuthorizationSet crypto_params = SecLevelAuthorizations(key_characteristics);
				42
				43	EXPECT_TRUE(crypto_params.Contains(TAG_KEY_SIZE, key_size)) << "Key size missing";
				44
				45	EXPECT_TRUE(ChainSignaturesAreValid(cert_chain_));
				46	ASSERT_GT(cert_chain_.size(), 0);
				47
				48	AuthorizationSet sw_enforced = SwEnforcedAuthorizations(key_characteristics);
				49	EXPECT_TRUE(verify_attestation_record("challenge", "foo", sw_enforced, hw_enforced,
				50	SecLevel(), cert_chain_[0].encodedCertificate));
				51	}
				52	};
				53
				54	/*
				55	* DeviceUniqueAttestationTest.RsaNonStrongBoxUnimplemented
				56	*
				57	* Verifies that non strongbox implementations do not implement Rsa device unique
				58	* attestation.
				59	*/
				60	TEST_P(DeviceUniqueAttestationTest, RsaNonStrongBoxUnimplemented) {
				61	if (SecLevel() == SecurityLevel::STRONGBOX) return;
				62
				63	vector<uint8_t> key_blob;
				64	vector<KeyCharacteristics> key_characteristics;
				65
				66	// Check RSA implementation
				67	auto result = GenerateKey(AuthorizationSetBuilder()
				68	.Authorization(TAG_NO_AUTH_REQUIRED)
				69	.RsaSigningKey(2048, 65537)
				70	.Digest(Digest::SHA_2_256)
				71	.Padding(PaddingMode::RSA_PKCS1_1_5_SIGN)
				72	.Authorization(TAG_INCLUDE_UNIQUE_ID)
				73	.Authorization(TAG_NO_AUTH_REQUIRED)
				74	.AttestationChallenge("challenge")
				75	.AttestationApplicationId("foo")
				76	.Authorization(TAG_DEVICE_UNIQUE_ATTESTATION),
				77	&key_blob, &key_characteristics);
				78
				79	ASSERT_TRUE(result == ErrorCode::UNSUPPORTED_TAG);
				80	}
				81
				82	/*
				83	* DeviceUniqueAttestationTest.EcdsaNonStrongBoxUnimplemented
				84	*
				85	* Verifies that non strongbox implementations do not implement Ecdsa device unique
				86	* attestation.
				87	*/
				88	TEST_P(DeviceUniqueAttestationTest, EcdsaNonStrongBoxUnimplemented) {
				89	if (SecLevel() == SecurityLevel::STRONGBOX) return;
				90
				91	vector<uint8_t> key_blob;
				92	vector<KeyCharacteristics> key_characteristics;
				93
				94	// Check Ecdsa implementation
				95	auto result = GenerateKey(AuthorizationSetBuilder()
				96	.Authorization(TAG_NO_AUTH_REQUIRED)
				97	.EcdsaSigningKey(EcCurve::P_256)
				98	.Digest(Digest::SHA_2_256)
				99	.Authorization(TAG_INCLUDE_UNIQUE_ID)
				100	.AttestationChallenge("challenge")
				101	.AttestationApplicationId("foo")
				102	.Authorization(TAG_DEVICE_UNIQUE_ATTESTATION),
				103	&key_blob, &key_characteristics);
				104
				105	ASSERT_TRUE(result == ErrorCode::UNSUPPORTED_TAG);
				106	}
				107
				108	/*
				109	* DeviceUniqueAttestationTest.RsaDeviceUniqueAttestation
				110	*
				111	* Verifies that strongbox implementations of Rsa implements device unique
				112	* attestation correctly, if implemented.
				113	*/
				114	TEST_P(DeviceUniqueAttestationTest, RsaDeviceUniqueAttestation) {
				115	if (SecLevel() != SecurityLevel::STRONGBOX) return;
				116
				117	vector<uint8_t> key_blob;
				118	vector<KeyCharacteristics> key_characteristics;
				119	int key_size = 2048;
				120
				121	auto result = GenerateKey(AuthorizationSetBuilder()
				122	.Authorization(TAG_NO_AUTH_REQUIRED)
				123	.RsaSigningKey(key_size, 65537)
				124	.Digest(Digest::SHA_2_256)
				125	.Padding(PaddingMode::RSA_PKCS1_1_5_SIGN)
				126	.Authorization(TAG_INCLUDE_UNIQUE_ID)
				127	.Authorization(TAG_NO_AUTH_REQUIRED)
				128	.AttestationChallenge("challenge")
				129	.AttestationApplicationId("foo")
				130	.Authorization(TAG_DEVICE_UNIQUE_ATTESTATION),
				131	&key_blob, &key_characteristics);
				132
				133	// It is optional for Strong box to support DeviceUniqueAttestation.
				134	if (result == ErrorCode::CANNOT_ATTEST_IDS) return;
				135
				136	ASSERT_EQ(ErrorCode::OK, result);
				137
				138	AuthorizationSet hw_enforced = AuthorizationSetBuilder()
				139	.Authorization(TAG_DEVICE_UNIQUE_ATTESTATION)
				140	.Authorization(TAG_NO_AUTH_REQUIRED)
				141	.RsaSigningKey(2048, 65537)
				142	.Digest(Digest::SHA_2_256)
				143	.Padding(PaddingMode::RSA_PKCS1_1_5_SIGN)
				144	.Authorization(TAG_ORIGIN, KeyOrigin::GENERATED)
				145	.Authorization(TAG_OS_VERSION, os_version())
				146	.Authorization(TAG_OS_PATCHLEVEL, os_patch_level());
				147
				148	CheckUniqueAttestationResults(key_blob, key_characteristics, hw_enforced, key_size);
				149	}
				150
				151	/*
				152	* DeviceUniqueAttestationTest.EcdsaDeviceUniqueAttestation
				153	*
				154	* Verifies that strongbox implementations of Rsa implements device unique
				155	* attestation correctly, if implemented.
				156	*/
				157	TEST_P(DeviceUniqueAttestationTest, EcdsaDeviceUniqueAttestation) {
				158	if (SecLevel() != SecurityLevel::STRONGBOX) return;
				159
				160	vector<uint8_t> key_blob;
				161	vector<KeyCharacteristics> key_characteristics;
				162	int key_size = 256;
				163
				164	auto result = GenerateKey(AuthorizationSetBuilder()
				165	.Authorization(TAG_NO_AUTH_REQUIRED)
				166	.EcdsaSigningKey(256)
				167	.Digest(Digest::SHA_2_256)
				168	.Authorization(TAG_INCLUDE_UNIQUE_ID)
				169	.AttestationChallenge("challenge")
				170	.AttestationApplicationId("foo")
				171	.Authorization(TAG_DEVICE_UNIQUE_ATTESTATION),
				172	&key_blob, &key_characteristics);
				173
				174	// It is optional for Strong box to support DeviceUniqueAttestation.
				175	if (result == ErrorCode::CANNOT_ATTEST_IDS) return;
				176	ASSERT_EQ(ErrorCode::OK, result);
				177
				178	AuthorizationSet hw_enforced = AuthorizationSetBuilder()
				179	.Authorization(TAG_DEVICE_UNIQUE_ATTESTATION)
				180	.Authorization(TAG_NO_AUTH_REQUIRED)
				181	.EcdsaSigningKey(EcCurve::P_256)
				182	.Digest(Digest::SHA_2_256)
				183	.Authorization(TAG_EC_CURVE, EcCurve::P_256)
				184	.Authorization(TAG_ORIGIN, KeyOrigin::GENERATED)
				185	.Authorization(TAG_OS_VERSION, os_version())
				186	.Authorization(TAG_OS_PATCHLEVEL, os_patch_level());
				187
				188	CheckUniqueAttestationResults(key_blob, key_characteristics, hw_enforced, key_size);
				189	}
				190
				191	INSTANTIATE_KEYMINT_AIDL_TEST(DeviceUniqueAttestationTest);
				192
				193	} // namespace aidl::android::hardware::security::keymint::test