Gitiles
Code Review Sign In
gerrit.omnirom.org / android_hardware_interfaces / 6208977a0c4f6700730146c550e3aa62a36a0051 / . / keymaster / 4.1 / vts / functional / DeviceUniqueAttestationTest.cpp
blob: 4a57f44dd9a0b2d7a9d87943e798ecf17411008a [file] [log] [blame]
Shawn Willden3f7c80a2020-01-15 19:09:50 -0700[diff] [blame]1/*
2 * Copyright (C) 2020 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
nagendra modadugueb7f3522020-04-01 02:40:59 -0700[diff] [blame]17#define LOG_TAG "keymaster_hidl_hal_test"
18#include <cutils/log.h>
Eran Messericb238ff2021-06-08 11:38:31 +0100[diff] [blame]19#include <vector>
nagendra modadugueb7f3522020-04-01 02:40:59 -0700[diff] [blame]20
Shawn Willden3f7c80a2020-01-15 19:09:50 -0700[diff] [blame]21#include "Keymaster4_1HidlTest.h"
22
23#include <cutils/properties.h>
24
25#include <openssl/x509.h>
26
27#include <keymasterV4_1/attestation_record.h>
28#include <keymasterV4_1/authorization_set.h>
29
David Drysdalee3cdcb22021-06-15 10:11:12 +0100[diff] [blame]30using android::hardware::keymaster::V4_0::test::add_tag_from_prop;
31
nagendra modadugueb7f3522020-04-01 02:40:59 -0700[diff] [blame]32// Not to dump the attestation by default. Can enable by specify the parameter
33// "--dump_attestations" on lunching VTS
34static bool dumpAttestations = false;
35
Shawn Willden3f7c80a2020-01-15 19:09:50 -0700[diff] [blame]36namespace android::hardware::keymaster::V4_0 {
37
38bool operator==(const AuthorizationSet& a, const AuthorizationSet& b) {
39 return std::equal(a.begin(), a.end(), b.begin(), b.end());
40}
41
42} // namespace android::hardware::keymaster::V4_0
43
44namespace android::hardware::keymaster::V4_1 {
45
46inline ::std::ostream& operator<<(::std::ostream& os, Tag tag) {
47 return os << toString(tag);
48}
49
50namespace test {
51
52using std::string;
53using std::tuple;
54
55namespace {
56
57char nibble2hex[16] = {'0', '1', '2', '3', '4', '5', '6', '7',
58 '8', '9', 'a', 'b', 'c', 'd', 'e', 'f'};
59
60string bin2hex(const hidl_vec<uint8_t>& data) {
61 string retval;
62 retval.reserve(data.size() * 2 + 1);
63 for (uint8_t byte : data) {
64 retval.push_back(nibble2hex[0x0F & (byte >> 4)]);
65 retval.push_back(nibble2hex[0x0F & byte]);
66 }
67 return retval;
68}
69
nagendra modadugueb7f3522020-04-01 02:40:59 -0700[diff] [blame]70inline void dumpContent(string content) {
71 std::cout << content << std::endl;
72}
73
Shawn Willden3f7c80a2020-01-15 19:09:50 -0700[diff] [blame]74struct AuthorizationSetDifferences {
75 string aName;
76 string bName;
77 AuthorizationSet aWhackB;
78 AuthorizationSet bWhackA;
79};
80
81std::ostream& operator<<(std::ostream& o, const AuthorizationSetDifferences& diffs) {
82 if (!diffs.aWhackB.empty()) {
83 o << "Set " << diffs.aName << " contains the following that " << diffs.bName << " does not"
84 << diffs.aWhackB;
85 if (!diffs.bWhackA.empty()) o << std::endl;
86 }
87
88 if (!diffs.bWhackA.empty()) {
89 o << "Set " << diffs.bName << " contains the following that " << diffs.aName << " does not"
90 << diffs.bWhackA;
91 }
92 return o;
93}
94
95// Computes and returns a \ b and b \ a ('\' is the set-difference operator, a \ b means all the
96// elements that are in a but not b, i.e. take a and whack all the elements in b) to the provided
97// stream. The sets must be sorted.
98//
99// This provides a simple and clear view of how the two sets differ, generally much
100// easier than scrutinizing printouts of the two sets.
101AuthorizationSetDifferences difference(string aName, const AuthorizationSet& a, string bName,
102 const AuthorizationSet& b) {
103 AuthorizationSetDifferences diffs = {std::move(aName), std::move(bName), {}, {}};
104 std::set_difference(a.begin(), a.end(), b.begin(), b.end(), std::back_inserter(diffs.aWhackB));
105 std::set_difference(b.begin(), b.end(), a.begin(), a.end(), std::back_inserter(diffs.bWhackA));
106 return diffs;
107}
108
109#define DIFFERENCE(a, b) difference(#a, a, #b, b)
110
111void check_root_of_trust(const RootOfTrust& root_of_trust) {
112 char vb_meta_device_state[PROPERTY_VALUE_MAX];
113 if (property_get("ro.boot.vbmeta.device_state", vb_meta_device_state, "") == 0) return;
114
115 char vb_meta_digest[PROPERTY_VALUE_MAX];
116 EXPECT_GT(property_get("ro.boot.vbmeta.digest", vb_meta_digest, ""), 0);
117 EXPECT_EQ(vb_meta_digest, bin2hex(root_of_trust.verified_boot_hash));
118
119 // Verified boot key should be all 0's if the boot state is not verified or self signed
120 HidlBuf empty_boot_key(string(32, '\0'));
121
122 char vb_meta_bootstate[PROPERTY_VALUE_MAX];
123 auto& verified_boot_key = root_of_trust.verified_boot_key;
124 auto& verified_boot_state = root_of_trust.verified_boot_state;
125 EXPECT_GT(property_get("ro.boot.verifiedbootstate", vb_meta_bootstate, ""), 0);
126 if (!strcmp(vb_meta_bootstate, "green")) {
127 EXPECT_EQ(verified_boot_state, V4_0::KM_VERIFIED_BOOT_VERIFIED);
128 EXPECT_NE(verified_boot_key, empty_boot_key);
129 } else if (!strcmp(vb_meta_bootstate, "yellow")) {
130 EXPECT_EQ(verified_boot_state, V4_0::KM_VERIFIED_BOOT_SELF_SIGNED);
131 EXPECT_NE(verified_boot_key, empty_boot_key);
132 } else if (!strcmp(vb_meta_bootstate, "orange")) {
133 EXPECT_EQ(verified_boot_state, V4_0::KM_VERIFIED_BOOT_UNVERIFIED);
134 EXPECT_EQ(verified_boot_key, empty_boot_key);
135 } else if (!strcmp(vb_meta_bootstate, "red")) {
136 EXPECT_EQ(verified_boot_state, V4_0::KM_VERIFIED_BOOT_FAILED);
137 } else {
138 EXPECT_EQ(verified_boot_state, V4_0::KM_VERIFIED_BOOT_UNVERIFIED);
139 EXPECT_EQ(verified_boot_key, empty_boot_key);
140 }
141}
142
nagendra modadugueb7f3522020-04-01 02:40:59 -0700[diff] [blame]143bool tag_in_list(const KeyParameter& entry) {
144 // Attestations don't contain everything in key authorization lists, so we need to filter
145 // the key lists to produce the lists that we expect to match the attestations.
146 auto tag_list = {
147 Tag::INCLUDE_UNIQUE_ID, Tag::BLOB_USAGE_REQUIREMENTS, Tag::EC_CURVE,
148 Tag::HARDWARE_TYPE, Tag::VENDOR_PATCHLEVEL, Tag::BOOT_PATCHLEVEL,
149 Tag::CREATION_DATETIME,
150 };
151 return std::find(tag_list.begin(), tag_list.end(), (V4_1::Tag)entry.tag) != tag_list.end();
152}
153
154AuthorizationSet filter_tags(const AuthorizationSet& set) {
155 AuthorizationSet filtered;
156 std::remove_copy_if(set.begin(), set.end(), std::back_inserter(filtered), tag_in_list);
157 return filtered;
158}
159
Shawn Willden3f7c80a2020-01-15 19:09:50 -0700[diff] [blame]160void check_attestation_record(AttestationRecord attestation, const HidlBuf& challenge,
161 AuthorizationSet expected_sw_enforced,
162 AuthorizationSet expected_hw_enforced,
163 SecurityLevel expected_security_level) {
164 EXPECT_EQ(41U, attestation.keymaster_version);
165 EXPECT_EQ(4U, attestation.attestation_version);
166 EXPECT_EQ(expected_security_level, attestation.attestation_security_level);
167 EXPECT_EQ(expected_security_level, attestation.keymaster_security_level);
168 EXPECT_EQ(challenge, attestation.attestation_challenge);
169
170 check_root_of_trust(attestation.root_of_trust);
171
172 // Sort all of the authorization lists, so that equality matching works.
173 expected_sw_enforced.Sort();
174 expected_hw_enforced.Sort();
175 attestation.software_enforced.Sort();
176 attestation.hardware_enforced.Sort();
177
David Drysdalee3cdcb22021-06-15 10:11:12 +0100[diff] [blame]178 expected_sw_enforced = filter_tags(expected_sw_enforced);
179 expected_hw_enforced = filter_tags(expected_hw_enforced);
180 AuthorizationSet attestation_sw_enforced = filter_tags(attestation.software_enforced);
181 AuthorizationSet attestation_hw_enforced = filter_tags(attestation.hardware_enforced);
182
183 EXPECT_EQ(expected_sw_enforced, attestation_sw_enforced)
184 << DIFFERENCE(expected_sw_enforced, attestation_sw_enforced);
185 EXPECT_EQ(expected_hw_enforced, attestation_hw_enforced)
186 << DIFFERENCE(expected_hw_enforced, attestation_hw_enforced);
Shawn Willden3f7c80a2020-01-15 19:09:50 -0700[diff] [blame]187}
188
Eran Messericb238ff2021-06-08 11:38:31 +0100[diff] [blame]189X509_Ptr parse_cert_blob(const std::vector<uint8_t>& blob) {
190 const uint8_t* p = blob.data();
191 return X509_Ptr(d2i_X509(nullptr /* allocate new */, &p, blob.size()));
192}
193
194bool check_certificate_chain_signatures(const hidl_vec<hidl_vec<uint8_t>>& cert_chain) {
195 // TODO: Check that root is self-signed once b/187803288 is resolved.
196 for (size_t i = 0; i < cert_chain.size() - 1; ++i) {
197 X509_Ptr key_cert(parse_cert_blob(cert_chain[i]));
198 X509_Ptr signing_cert(parse_cert_blob(cert_chain[i + 1]));
199
200 if (!key_cert.get() || !signing_cert.get()) {
201 return false;
202 }
203
204 EVP_PKEY_Ptr signing_pubkey(X509_get_pubkey(signing_cert.get()));
205 if (!signing_pubkey.get()) {
206 return false;
207 }
208
209 if (!X509_verify(key_cert.get(), signing_pubkey.get())) {
210 return false;
211 }
212 }
213 return true;
214}
215
Shawn Willden3f7c80a2020-01-15 19:09:50 -0700[diff] [blame]216} // namespace
217
218using std::string;
219using DeviceUniqueAttestationTest = Keymaster4_1HidlTest;
220
nagendra modadugu5d531a22020-03-31 15:55:01 -0700[diff] [blame]221TEST_P(DeviceUniqueAttestationTest, NonStrongBoxOnly) {
222 if (SecLevel() == SecurityLevel::STRONGBOX) return;
Shawn Willden3f7c80a2020-01-15 19:09:50 -0700[diff] [blame]223
224 ASSERT_EQ(ErrorCode::OK, convert(GenerateKey(AuthorizationSetBuilder()
225 .Authorization(TAG_NO_AUTH_REQUIRED)
226 .RsaSigningKey(2048, 65537)
227 .Digest(Digest::SHA_2_256)
228 .Padding(PaddingMode::RSA_PKCS1_1_5_SIGN)
229 .Authorization(TAG_INCLUDE_UNIQUE_ID))));
230
231 hidl_vec<hidl_vec<uint8_t>> cert_chain;
232 EXPECT_EQ(ErrorCode::UNIMPLEMENTED,
233 convert(AttestKey(
234 AuthorizationSetBuilder()
235 .Authorization(TAG_DEVICE_UNIQUE_ATTESTATION)
236 .Authorization(TAG_ATTESTATION_CHALLENGE, HidlBuf("challenge"))
237 .Authorization(TAG_ATTESTATION_APPLICATION_ID, HidlBuf("foo")),
238 &cert_chain)));
239 CheckedDeleteKey();
240
241 ASSERT_EQ(ErrorCode::OK, convert(GenerateKey(AuthorizationSetBuilder()
242 .Authorization(TAG_NO_AUTH_REQUIRED)
243 .EcdsaSigningKey(EcCurve::P_256)
244 .Digest(Digest::SHA_2_256)
245 .Authorization(TAG_INCLUDE_UNIQUE_ID))));
246
247 EXPECT_EQ(ErrorCode::UNIMPLEMENTED,
248 convert(AttestKey(
249 AuthorizationSetBuilder()
allen.zhang569a6122020-07-15 09:53:26 +0800[diff] [blame]250 .Authorization(TAG_DEVICE_UNIQUE_ATTESTATION)
Shawn Willden3f7c80a2020-01-15 19:09:50 -0700[diff] [blame]251 .Authorization(TAG_ATTESTATION_CHALLENGE, HidlBuf("challenge"))
252 .Authorization(TAG_ATTESTATION_APPLICATION_ID, HidlBuf("foo")),
253 &cert_chain)));
allen.zhang569a6122020-07-15 09:53:26 +0800[diff] [blame]254 CheckedDeleteKey();
Shawn Willden3f7c80a2020-01-15 19:09:50 -0700[diff] [blame]255}
256
257TEST_P(DeviceUniqueAttestationTest, Rsa) {
258 if (SecLevel() != SecurityLevel::STRONGBOX) return;
Chirag Pathak2f408e52021-02-19 23:10:05 +0000[diff] [blame]259 ASSERT_EQ(ErrorCode::OK, convert(GenerateKey(AuthorizationSetBuilder()
260 .Authorization(TAG_NO_AUTH_REQUIRED)
261 .RsaSigningKey(2048, 65537)
262 .Digest(Digest::SHA_2_256)
263 .Padding(PaddingMode::RSA_PKCS1_1_5_SIGN)
264 .Authorization(TAG_INCLUDE_UNIQUE_ID))));
Shawn Willden3f7c80a2020-01-15 19:09:50 -0700[diff] [blame]265
266 hidl_vec<hidl_vec<uint8_t>> cert_chain;
267 HidlBuf challenge("challenge");
268 HidlBuf app_id("foo");
Chirag Pathak2f408e52021-02-19 23:10:05 +0000[diff] [blame]269 ErrorCode result =
270 convert(AttestKey(AuthorizationSetBuilder()
271 .Authorization(TAG_DEVICE_UNIQUE_ATTESTATION)
272 .Authorization(TAG_ATTESTATION_CHALLENGE, challenge)
273 .Authorization(TAG_ATTESTATION_APPLICATION_ID, app_id),
274 &cert_chain));
Shawn Willden3f7c80a2020-01-15 19:09:50 -0700[diff] [blame]275
Chirag Pathak2f408e52021-02-19 23:10:05 +0000[diff] [blame]276 // It is optional for Strong box to support DeviceUniqueAttestation.
277 if (result == ErrorCode::CANNOT_ATTEST_IDS) return;
278
279 EXPECT_EQ(ErrorCode::OK, result);
nagendra modadugueb7f3522020-04-01 02:40:59 -0700[diff] [blame]280 EXPECT_EQ(2U, cert_chain.size());
Eran Messericb238ff2021-06-08 11:38:31 +0100[diff] [blame]281 EXPECT_TRUE(check_certificate_chain_signatures(cert_chain));
Tommy Chiu566d1cb2021-05-11 18:09:26 +0800[diff] [blame]282 if (dumpAttestations) {
283 for (auto cert_ : cert_chain) dumpContent(bin2hex(cert_));
284 }
Shawn Willden3f7c80a2020-01-15 19:09:50 -0700[diff] [blame]285 auto [err, attestation] = parse_attestation_record(cert_chain[0]);
nagendra modadugueb7f3522020-04-01 02:40:59 -0700[diff] [blame]286 ASSERT_EQ(ErrorCode::OK, err);
Shawn Willden3f7c80a2020-01-15 19:09:50 -0700[diff] [blame]287
Chirag Pathak2f408e52021-02-19 23:10:05 +0000[diff] [blame]288 check_attestation_record(
289 attestation, challenge,
290 /* sw_enforced */
291 AuthorizationSetBuilder().Authorization(TAG_ATTESTATION_APPLICATION_ID, app_id),
292 /* hw_enforced */
293 AuthorizationSetBuilder()
294 .Authorization(TAG_DEVICE_UNIQUE_ATTESTATION)
295 .Authorization(TAG_NO_AUTH_REQUIRED)
296 .RsaSigningKey(2048, 65537)
297 .Digest(Digest::SHA_2_256)
298 .Padding(PaddingMode::RSA_PKCS1_1_5_SIGN)
299 .Authorization(TAG_ORIGIN, KeyOrigin::GENERATED)
300 .Authorization(TAG_OS_VERSION, os_version())
301 .Authorization(TAG_OS_PATCHLEVEL, os_patch_level()),
302 SecLevel());
Shawn Willden3f7c80a2020-01-15 19:09:50 -0700[diff] [blame]303}
304
305TEST_P(DeviceUniqueAttestationTest, Ecdsa) {
306 if (SecLevel() != SecurityLevel::STRONGBOX) return;
Chirag Pathak2f408e52021-02-19 23:10:05 +0000[diff] [blame]307 ASSERT_EQ(ErrorCode::OK, convert(GenerateKey(AuthorizationSetBuilder()
308 .Authorization(TAG_NO_AUTH_REQUIRED)
309 .EcdsaSigningKey(256)
310 .Digest(Digest::SHA_2_256)
311 .Authorization(TAG_INCLUDE_UNIQUE_ID))));
Shawn Willden3f7c80a2020-01-15 19:09:50 -0700[diff] [blame]312
313 hidl_vec<hidl_vec<uint8_t>> cert_chain;
314 HidlBuf challenge("challenge");
315 HidlBuf app_id("foo");
Chirag Pathak2f408e52021-02-19 23:10:05 +0000[diff] [blame]316 ErrorCode result =
317 convert(AttestKey(AuthorizationSetBuilder()
318 .Authorization(TAG_DEVICE_UNIQUE_ATTESTATION)
319 .Authorization(TAG_ATTESTATION_CHALLENGE, challenge)
320 .Authorization(TAG_ATTESTATION_APPLICATION_ID, app_id),
321 &cert_chain));
Shawn Willden3f7c80a2020-01-15 19:09:50 -0700[diff] [blame]322
Chirag Pathak2f408e52021-02-19 23:10:05 +0000[diff] [blame]323 // It is optional for Strong box to support DeviceUniqueAttestation.
324 if (result == ErrorCode::CANNOT_ATTEST_IDS) return;
325
326 EXPECT_EQ(ErrorCode::OK, result);
nagendra modadugueb7f3522020-04-01 02:40:59 -0700[diff] [blame]327 EXPECT_EQ(2U, cert_chain.size());
Eran Messericb238ff2021-06-08 11:38:31 +0100[diff] [blame]328 EXPECT_TRUE(check_certificate_chain_signatures(cert_chain));
Tommy Chiu566d1cb2021-05-11 18:09:26 +0800[diff] [blame]329 if (dumpAttestations) {
330 for (auto cert_ : cert_chain) dumpContent(bin2hex(cert_));
331 }
Shawn Willden3f7c80a2020-01-15 19:09:50 -0700[diff] [blame]332 auto [err, attestation] = parse_attestation_record(cert_chain[0]);
nagendra modadugueb7f3522020-04-01 02:40:59 -0700[diff] [blame]333 ASSERT_EQ(ErrorCode::OK, err);
Shawn Willden3f7c80a2020-01-15 19:09:50 -0700[diff] [blame]334
Chirag Pathak2f408e52021-02-19 23:10:05 +0000[diff] [blame]335 check_attestation_record(
336 attestation, challenge,
nagendra modadugueb7f3522020-04-01 02:40:59 -0700[diff] [blame]337 /* sw_enforced */
338 AuthorizationSetBuilder().Authorization(TAG_ATTESTATION_APPLICATION_ID, app_id),
339 /* hw_enforced */
340 AuthorizationSetBuilder()
341 .Authorization(TAG_DEVICE_UNIQUE_ATTESTATION)
342 .Authorization(TAG_NO_AUTH_REQUIRED)
343 .EcdsaSigningKey(256)
344 .Digest(Digest::SHA_2_256)
345 .Authorization(TAG_EC_CURVE, EcCurve::P_256)
346 .Authorization(TAG_ORIGIN, KeyOrigin::GENERATED)
347 .Authorization(TAG_OS_VERSION, os_version())
348 .Authorization(TAG_OS_PATCHLEVEL, os_patch_level()),
349 SecLevel());
Shawn Willden3f7c80a2020-01-15 19:09:50 -0700[diff] [blame]350}
351
David Drysdalee3cdcb22021-06-15 10:11:12 +0100[diff] [blame]352TEST_P(DeviceUniqueAttestationTest, EcdsaDeviceUniqueAttestationID) {
353 if (SecLevel() != SecurityLevel::STRONGBOX) return;
354
355 ASSERT_EQ(ErrorCode::OK, convert(GenerateKey(AuthorizationSetBuilder()
356 .Authorization(TAG_NO_AUTH_REQUIRED)
357 .EcdsaSigningKey(256)
358 .Digest(Digest::SHA_2_256)
359 .Authorization(TAG_INCLUDE_UNIQUE_ID))));
360
361 // Collection of valid attestation ID tags.
362 auto attestation_id_tags = AuthorizationSetBuilder();
363 add_tag_from_prop(&attestation_id_tags, V4_0::TAG_ATTESTATION_ID_BRAND, "ro.product.brand");
364 add_tag_from_prop(&attestation_id_tags, V4_0::TAG_ATTESTATION_ID_DEVICE, "ro.product.device");
365 add_tag_from_prop(&attestation_id_tags, V4_0::TAG_ATTESTATION_ID_PRODUCT, "ro.product.name");
366 add_tag_from_prop(&attestation_id_tags, V4_0::TAG_ATTESTATION_ID_SERIAL, "ro.serial");
367 add_tag_from_prop(&attestation_id_tags, V4_0::TAG_ATTESTATION_ID_MANUFACTURER,
368 "ro.product.manufacturer");
369 add_tag_from_prop(&attestation_id_tags, V4_0::TAG_ATTESTATION_ID_MODEL, "ro.product.model");
370
371 for (const KeyParameter& tag : attestation_id_tags) {
372 hidl_vec<hidl_vec<uint8_t>> cert_chain;
373 HidlBuf challenge("challenge");
374 HidlBuf app_id("foo");
375 AuthorizationSetBuilder builder =
376 AuthorizationSetBuilder()
377 .Authorization(TAG_DEVICE_UNIQUE_ATTESTATION)
378 .Authorization(TAG_ATTESTATION_CHALLENGE, challenge)
379 .Authorization(TAG_ATTESTATION_APPLICATION_ID, app_id);
380 builder.push_back(tag);
381 ErrorCode result = convert(AttestKey(builder, &cert_chain));
382
383 // It is optional for Strong box to support DeviceUniqueAttestation.
384 if (result == ErrorCode::CANNOT_ATTEST_IDS) return;
385
386 ASSERT_EQ(ErrorCode::OK, result);
387 EXPECT_EQ(2U, cert_chain.size());
388 if (dumpAttestations) {
389 for (auto cert_ : cert_chain) dumpContent(bin2hex(cert_));
390 }
391 auto [err, attestation] = parse_attestation_record(cert_chain[0]);
392 ASSERT_EQ(ErrorCode::OK, err);
393
394 AuthorizationSetBuilder hw_enforced =
395 AuthorizationSetBuilder()
396 .Authorization(TAG_DEVICE_UNIQUE_ATTESTATION)
397 .Authorization(TAG_NO_AUTH_REQUIRED)
398 .EcdsaSigningKey(256)
399 .Digest(Digest::SHA_2_256)
400 .Authorization(TAG_ORIGIN, KeyOrigin::GENERATED)
401 .Authorization(TAG_OS_VERSION, os_version())
402 .Authorization(TAG_OS_PATCHLEVEL, os_patch_level());
403 hw_enforced.push_back(tag);
404 check_attestation_record(
405 attestation, challenge,
406 /* sw_enforced */
407 AuthorizationSetBuilder().Authorization(TAG_ATTESTATION_APPLICATION_ID, app_id),
408 hw_enforced, SecLevel());
409 }
410}
411
412TEST_P(DeviceUniqueAttestationTest, EcdsaDeviceUniqueAttestationMismatchID) {
413 if (SecLevel() != SecurityLevel::STRONGBOX) return;
414
415 ASSERT_EQ(ErrorCode::OK, convert(GenerateKey(AuthorizationSetBuilder()
416 .Authorization(TAG_NO_AUTH_REQUIRED)
417 .EcdsaSigningKey(256)
418 .Digest(Digest::SHA_2_256)
419 .Authorization(TAG_INCLUDE_UNIQUE_ID))));
420
421 // Collection of invalid attestation ID tags.
422 std::string invalid = "completely-invalid";
423 auto attestation_id_tags =
424 AuthorizationSetBuilder()
425 .Authorization(V4_0::TAG_ATTESTATION_ID_BRAND, invalid.data(), invalid.size())
426 .Authorization(V4_0::TAG_ATTESTATION_ID_DEVICE, invalid.data(), invalid.size())
427 .Authorization(V4_0::TAG_ATTESTATION_ID_PRODUCT, invalid.data(), invalid.size())
428 .Authorization(V4_0::TAG_ATTESTATION_ID_SERIAL, invalid.data(), invalid.size())
429 .Authorization(V4_0::TAG_ATTESTATION_ID_IMEI, invalid.data(), invalid.size())
430 .Authorization(V4_0::TAG_ATTESTATION_ID_MEID, invalid.data(), invalid.size())
431 .Authorization(V4_0::TAG_ATTESTATION_ID_MANUFACTURER, invalid.data(),
432 invalid.size())
433 .Authorization(V4_0::TAG_ATTESTATION_ID_MODEL, invalid.data(), invalid.size());
434
435 for (const KeyParameter& invalid_tag : attestation_id_tags) {
436 hidl_vec<hidl_vec<uint8_t>> cert_chain;
437 HidlBuf challenge("challenge");
438 HidlBuf app_id("foo");
439 AuthorizationSetBuilder builder =
440 AuthorizationSetBuilder()
441 .Authorization(TAG_DEVICE_UNIQUE_ATTESTATION)
442 .Authorization(TAG_ATTESTATION_CHALLENGE, challenge)
443 .Authorization(TAG_ATTESTATION_APPLICATION_ID, app_id);
444 builder.push_back(invalid_tag);
445 ErrorCode result = convert(AttestKey(builder, &cert_chain));
446
447 EXPECT_TRUE(result == ErrorCode::CANNOT_ATTEST_IDS || result == ErrorCode::INVALID_TAG)
448 << "result: " << static_cast<int32_t>(result);
449 }
450}
451
Shawn Willden3f7c80a2020-01-15 19:09:50 -0700[diff] [blame]452INSTANTIATE_KEYMASTER_4_1_HIDL_TEST(DeviceUniqueAttestationTest);
453
454} // namespace test
455} // namespace android::hardware::keymaster::V4_1
nagendra modadugueb7f3522020-04-01 02:40:59 -0700[diff] [blame]456
457int main(int argc, char** argv) {
458 ::testing::InitGoogleTest(&argc, argv);
459 for (int i = 1; i < argc; ++i) {
460 if (argv[i][0] == '-') {
461 if (std::string(argv[i]) == "--dump_attestations") {
462 dumpAttestations = true;
463 }
464 }
465 }
466 int status = RUN_ALL_TESTS();
467 ALOGI("Test result = %d", status);
468 return status;
469}