blob: daa3e1871f610b8510b56ce6219bb949e3c04f5d [file] [log] [blame]
Shawn Willden7c130392020-12-21 09:58:22 -07001/*
2 * Copyright (C) 2021 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17#define LOG_TAG "keymint_1_attest_key_test"
18#include <cutils/log.h>
19
20#include <keymint_support/key_param_output.h>
21#include <keymint_support/openssl_utils.h>
22
23#include "KeyMintAidlTestBase.h"
24
25namespace aidl::android::hardware::security::keymint::test {
26
27namespace {
28
Shawn Willden7c130392020-12-21 09:58:22 -070029bool IsSelfSigned(const vector<Certificate>& chain) {
30 if (chain.size() != 1) return false;
31 return ChainSignaturesAreValid(chain);
32}
33
34} // namespace
35
36using AttestKeyTest = KeyMintAidlTestBase;
37
38TEST_P(AttestKeyTest, AllRsaSizes) {
39 for (auto size : ValidKeySizes(Algorithm::RSA)) {
40 /*
41 * Create attestaton key.
42 */
43 AttestationKey attest_key;
44 vector<KeyCharacteristics> attest_key_characteristics;
45 vector<Certificate> attest_key_cert_chain;
46 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
47 .RsaSigningKey(size, 65537)
48 .AttestKey()
49 .SetDefaultValidity(),
50 {} /* attestation signing key */, &attest_key.keyBlob,
51 &attest_key_characteristics, &attest_key_cert_chain));
52
53 EXPECT_EQ(attest_key_cert_chain.size(), 1);
54 EXPECT_TRUE(IsSelfSigned(attest_key_cert_chain)) << "Failed on size " << size;
55
56 /*
57 * Use attestation key to sign RSA key
58 */
59 attest_key.issuerSubjectName = make_name_from_str("Android Keystore Key");
60 vector<uint8_t> attested_key_blob;
61 vector<KeyCharacteristics> attested_key_characteristics;
62 vector<Certificate> attested_key_cert_chain;
63 EXPECT_EQ(ErrorCode::OK,
64 GenerateKey(AuthorizationSetBuilder()
65 .RsaSigningKey(2048, 65537)
66 .Authorization(TAG_NO_AUTH_REQUIRED)
67 .AttestationChallenge("foo")
68 .AttestationApplicationId("bar")
69 .SetDefaultValidity(),
70 attest_key, &attested_key_blob, &attested_key_characteristics,
71 &attested_key_cert_chain));
72
73 CheckedDeleteKey(&attested_key_blob);
74
75 AuthorizationSet hw_enforced = HwEnforcedAuthorizations(attested_key_characteristics);
76 AuthorizationSet sw_enforced = SwEnforcedAuthorizations(attested_key_characteristics);
77 EXPECT_TRUE(verify_attestation_record("foo", "bar", sw_enforced, hw_enforced, SecLevel(),
78 attested_key_cert_chain[0].encodedCertificate));
79
80 // Attestation by itself is not valid (last entry is not self-signed).
81 EXPECT_FALSE(ChainSignaturesAreValid(attested_key_cert_chain));
82
83 // Appending the attest_key chain to the attested_key_chain should yield a valid chain.
84 if (attest_key_cert_chain.size() > 0) {
85 attested_key_cert_chain.push_back(attest_key_cert_chain[0]);
86 }
87 EXPECT_TRUE(ChainSignaturesAreValid(attested_key_cert_chain));
88
89 /*
90 * Use attestation key to sign EC key
91 */
92 EXPECT_EQ(ErrorCode::OK,
93 GenerateKey(AuthorizationSetBuilder()
94 .EcdsaSigningKey(EcCurve::P_256)
95 .Authorization(TAG_NO_AUTH_REQUIRED)
96 .AttestationChallenge("foo")
97 .AttestationApplicationId("bar")
98 .SetDefaultValidity(),
99 attest_key, &attested_key_blob, &attested_key_characteristics,
100 &attested_key_cert_chain));
101
102 CheckedDeleteKey(&attested_key_blob);
103 CheckedDeleteKey(&attest_key.keyBlob);
104
105 hw_enforced = HwEnforcedAuthorizations(attested_key_characteristics);
106 sw_enforced = SwEnforcedAuthorizations(attested_key_characteristics);
107 EXPECT_TRUE(verify_attestation_record("foo", "bar", sw_enforced, hw_enforced, SecLevel(),
108 attested_key_cert_chain[0].encodedCertificate));
109
110 // Attestation by itself is not valid (last entry is not self-signed).
111 EXPECT_FALSE(ChainSignaturesAreValid(attested_key_cert_chain));
112
113 // Appending the attest_key chain to the attested_key_chain should yield a valid chain.
114 if (attest_key_cert_chain.size() > 0) {
115 attested_key_cert_chain.push_back(attest_key_cert_chain[0]);
116 }
117 EXPECT_TRUE(ChainSignaturesAreValid(attested_key_cert_chain));
118
119 // Bail early if anything failed.
120 if (HasFailure()) return;
121 }
122}
123
124TEST_P(AttestKeyTest, AllEcCurves) {
125 for (auto curve : ValidCurves()) {
126 /*
127 * Create attestaton key.
128 */
129 AttestationKey attest_key;
130 vector<KeyCharacteristics> attest_key_characteristics;
131 vector<Certificate> attest_key_cert_chain;
132 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
133 .EcdsaSigningKey(curve)
134 .AttestKey()
135 .SetDefaultValidity(),
136 {} /* attestation siging key */, &attest_key.keyBlob,
137 &attest_key_characteristics, &attest_key_cert_chain));
138
139 EXPECT_EQ(attest_key_cert_chain.size(), 1);
140 EXPECT_TRUE(IsSelfSigned(attest_key_cert_chain)) << "Failed on curve " << curve;
141
142 /*
143 * Use attestation key to sign RSA key
144 */
145 attest_key.issuerSubjectName = make_name_from_str("Android Keystore Key");
146 vector<uint8_t> attested_key_blob;
147 vector<KeyCharacteristics> attested_key_characteristics;
148 vector<Certificate> attested_key_cert_chain;
149 EXPECT_EQ(ErrorCode::OK,
150 GenerateKey(AuthorizationSetBuilder()
151 .RsaSigningKey(2048, 65537)
152 .Authorization(TAG_NO_AUTH_REQUIRED)
153 .AttestationChallenge("foo")
154 .AttestationApplicationId("bar")
155 .SetDefaultValidity(),
156 attest_key, &attested_key_blob, &attested_key_characteristics,
157 &attested_key_cert_chain));
158
159 CheckedDeleteKey(&attested_key_blob);
160
161 AuthorizationSet hw_enforced = HwEnforcedAuthorizations(attested_key_characteristics);
162 AuthorizationSet sw_enforced = SwEnforcedAuthorizations(attested_key_characteristics);
163 EXPECT_TRUE(verify_attestation_record("foo", "bar", sw_enforced, hw_enforced, SecLevel(),
164 attested_key_cert_chain[0].encodedCertificate));
165
166 // Attestation by itself is not valid (last entry is not self-signed).
167 EXPECT_FALSE(ChainSignaturesAreValid(attested_key_cert_chain));
168
169 // Appending the attest_key chain to the attested_key_chain should yield a valid chain.
170 if (attest_key_cert_chain.size() > 0) {
171 attested_key_cert_chain.push_back(attest_key_cert_chain[0]);
172 }
173 EXPECT_TRUE(ChainSignaturesAreValid(attested_key_cert_chain));
174
175 /*
176 * Use attestation key to sign EC key
177 */
178 EXPECT_EQ(ErrorCode::OK,
179 GenerateKey(AuthorizationSetBuilder()
180 .EcdsaSigningKey(EcCurve::P_256)
181 .Authorization(TAG_NO_AUTH_REQUIRED)
182 .AttestationChallenge("foo")
183 .AttestationApplicationId("bar")
184 .SetDefaultValidity(),
185 attest_key, &attested_key_blob, &attested_key_characteristics,
186 &attested_key_cert_chain));
187
188 CheckedDeleteKey(&attested_key_blob);
189 CheckedDeleteKey(&attest_key.keyBlob);
190
191 hw_enforced = HwEnforcedAuthorizations(attested_key_characteristics);
192 sw_enforced = SwEnforcedAuthorizations(attested_key_characteristics);
193 EXPECT_TRUE(verify_attestation_record("foo", "bar", sw_enforced, hw_enforced, SecLevel(),
194 attested_key_cert_chain[0].encodedCertificate));
195
196 // Attestation by itself is not valid (last entry is not self-signed).
197 EXPECT_FALSE(ChainSignaturesAreValid(attested_key_cert_chain));
198
199 // Appending the attest_key chain to the attested_key_chain should yield a valid chain.
200 if (attest_key_cert_chain.size() > 0) {
201 attested_key_cert_chain.push_back(attest_key_cert_chain[0]);
202 }
203 EXPECT_TRUE(ChainSignaturesAreValid(attested_key_cert_chain));
204
205 // Bail early if anything failed.
206 if (HasFailure()) return;
207 }
208}
209
Shawn Willden7bbf6292021-04-01 12:57:21 -0600210TEST_P(AttestKeyTest, AttestWithNonAttestKey) {
211 // Create non-attestaton key.
212 AttestationKey non_attest_key;
213 vector<KeyCharacteristics> non_attest_key_characteristics;
214 vector<Certificate> non_attest_key_cert_chain;
215 ASSERT_EQ(
216 ErrorCode::OK,
217 GenerateKey(
218 AuthorizationSetBuilder().EcdsaSigningKey(EcCurve::P_256).SetDefaultValidity(),
219 {} /* attestation siging key */, &non_attest_key.keyBlob,
220 &non_attest_key_characteristics, &non_attest_key_cert_chain));
221
222 EXPECT_EQ(non_attest_key_cert_chain.size(), 1);
223 EXPECT_TRUE(IsSelfSigned(non_attest_key_cert_chain));
224
225 // Attempt to sign attestation with non-attest key.
226 vector<uint8_t> attested_key_blob;
227 vector<KeyCharacteristics> attested_key_characteristics;
228 vector<Certificate> attested_key_cert_chain;
229 EXPECT_EQ(ErrorCode::INCOMPATIBLE_PURPOSE,
230 GenerateKey(AuthorizationSetBuilder()
231 .EcdsaSigningKey(EcCurve::P_256)
232 .Authorization(TAG_NO_AUTH_REQUIRED)
233 .AttestationChallenge("foo")
234 .AttestationApplicationId("bar")
235 .SetDefaultValidity(),
236 non_attest_key, &attested_key_blob, &attested_key_characteristics,
237 &attested_key_cert_chain));
238}
239
Shawn Willden7c130392020-12-21 09:58:22 -0700240INSTANTIATE_KEYMINT_AIDL_TEST(AttestKeyTest);
241
242} // namespace aidl::android::hardware::security::keymint::test