Shawn Willden | 7c13039 | 2020-12-21 09:58:22 -0700 | [diff] [blame] | 1 | /* |
| 2 | * Copyright (C) 2021 The Android Open Source Project |
| 3 | * |
| 4 | * Licensed under the Apache License, Version 2.0 (the "License"); |
| 5 | * you may not use this file except in compliance with the License. |
| 6 | * You may obtain a copy of the License at |
| 7 | * |
| 8 | * http://www.apache.org/licenses/LICENSE-2.0 |
| 9 | * |
| 10 | * Unless required by applicable law or agreed to in writing, software |
| 11 | * distributed under the License is distributed on an "AS IS" BASIS, |
| 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| 13 | * See the License for the specific language governing permissions and |
| 14 | * limitations under the License. |
| 15 | */ |
| 16 | |
| 17 | #define LOG_TAG "keymint_1_attest_key_test" |
| 18 | #include <cutils/log.h> |
| 19 | |
| 20 | #include <keymint_support/key_param_output.h> |
| 21 | #include <keymint_support/openssl_utils.h> |
| 22 | |
| 23 | #include "KeyMintAidlTestBase.h" |
| 24 | |
| 25 | namespace aidl::android::hardware::security::keymint::test { |
| 26 | |
| 27 | namespace { |
| 28 | |
Shawn Willden | 7c13039 | 2020-12-21 09:58:22 -0700 | [diff] [blame] | 29 | bool IsSelfSigned(const vector<Certificate>& chain) { |
| 30 | if (chain.size() != 1) return false; |
| 31 | return ChainSignaturesAreValid(chain); |
| 32 | } |
| 33 | |
| 34 | } // namespace |
| 35 | |
| 36 | using AttestKeyTest = KeyMintAidlTestBase; |
| 37 | |
| 38 | TEST_P(AttestKeyTest, AllRsaSizes) { |
| 39 | for (auto size : ValidKeySizes(Algorithm::RSA)) { |
| 40 | /* |
| 41 | * Create attestaton key. |
| 42 | */ |
| 43 | AttestationKey attest_key; |
| 44 | vector<KeyCharacteristics> attest_key_characteristics; |
| 45 | vector<Certificate> attest_key_cert_chain; |
| 46 | ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder() |
| 47 | .RsaSigningKey(size, 65537) |
| 48 | .AttestKey() |
| 49 | .SetDefaultValidity(), |
| 50 | {} /* attestation signing key */, &attest_key.keyBlob, |
| 51 | &attest_key_characteristics, &attest_key_cert_chain)); |
| 52 | |
| 53 | EXPECT_EQ(attest_key_cert_chain.size(), 1); |
| 54 | EXPECT_TRUE(IsSelfSigned(attest_key_cert_chain)) << "Failed on size " << size; |
| 55 | |
| 56 | /* |
| 57 | * Use attestation key to sign RSA key |
| 58 | */ |
| 59 | attest_key.issuerSubjectName = make_name_from_str("Android Keystore Key"); |
| 60 | vector<uint8_t> attested_key_blob; |
| 61 | vector<KeyCharacteristics> attested_key_characteristics; |
| 62 | vector<Certificate> attested_key_cert_chain; |
| 63 | EXPECT_EQ(ErrorCode::OK, |
| 64 | GenerateKey(AuthorizationSetBuilder() |
| 65 | .RsaSigningKey(2048, 65537) |
| 66 | .Authorization(TAG_NO_AUTH_REQUIRED) |
| 67 | .AttestationChallenge("foo") |
| 68 | .AttestationApplicationId("bar") |
| 69 | .SetDefaultValidity(), |
| 70 | attest_key, &attested_key_blob, &attested_key_characteristics, |
| 71 | &attested_key_cert_chain)); |
| 72 | |
| 73 | CheckedDeleteKey(&attested_key_blob); |
| 74 | |
| 75 | AuthorizationSet hw_enforced = HwEnforcedAuthorizations(attested_key_characteristics); |
| 76 | AuthorizationSet sw_enforced = SwEnforcedAuthorizations(attested_key_characteristics); |
| 77 | EXPECT_TRUE(verify_attestation_record("foo", "bar", sw_enforced, hw_enforced, SecLevel(), |
| 78 | attested_key_cert_chain[0].encodedCertificate)); |
| 79 | |
| 80 | // Attestation by itself is not valid (last entry is not self-signed). |
| 81 | EXPECT_FALSE(ChainSignaturesAreValid(attested_key_cert_chain)); |
| 82 | |
| 83 | // Appending the attest_key chain to the attested_key_chain should yield a valid chain. |
| 84 | if (attest_key_cert_chain.size() > 0) { |
| 85 | attested_key_cert_chain.push_back(attest_key_cert_chain[0]); |
| 86 | } |
| 87 | EXPECT_TRUE(ChainSignaturesAreValid(attested_key_cert_chain)); |
| 88 | |
| 89 | /* |
| 90 | * Use attestation key to sign EC key |
| 91 | */ |
| 92 | EXPECT_EQ(ErrorCode::OK, |
| 93 | GenerateKey(AuthorizationSetBuilder() |
| 94 | .EcdsaSigningKey(EcCurve::P_256) |
| 95 | .Authorization(TAG_NO_AUTH_REQUIRED) |
| 96 | .AttestationChallenge("foo") |
| 97 | .AttestationApplicationId("bar") |
| 98 | .SetDefaultValidity(), |
| 99 | attest_key, &attested_key_blob, &attested_key_characteristics, |
| 100 | &attested_key_cert_chain)); |
| 101 | |
| 102 | CheckedDeleteKey(&attested_key_blob); |
| 103 | CheckedDeleteKey(&attest_key.keyBlob); |
| 104 | |
| 105 | hw_enforced = HwEnforcedAuthorizations(attested_key_characteristics); |
| 106 | sw_enforced = SwEnforcedAuthorizations(attested_key_characteristics); |
| 107 | EXPECT_TRUE(verify_attestation_record("foo", "bar", sw_enforced, hw_enforced, SecLevel(), |
| 108 | attested_key_cert_chain[0].encodedCertificate)); |
| 109 | |
| 110 | // Attestation by itself is not valid (last entry is not self-signed). |
| 111 | EXPECT_FALSE(ChainSignaturesAreValid(attested_key_cert_chain)); |
| 112 | |
| 113 | // Appending the attest_key chain to the attested_key_chain should yield a valid chain. |
| 114 | if (attest_key_cert_chain.size() > 0) { |
| 115 | attested_key_cert_chain.push_back(attest_key_cert_chain[0]); |
| 116 | } |
| 117 | EXPECT_TRUE(ChainSignaturesAreValid(attested_key_cert_chain)); |
| 118 | |
| 119 | // Bail early if anything failed. |
| 120 | if (HasFailure()) return; |
| 121 | } |
| 122 | } |
| 123 | |
| 124 | TEST_P(AttestKeyTest, AllEcCurves) { |
| 125 | for (auto curve : ValidCurves()) { |
| 126 | /* |
| 127 | * Create attestaton key. |
| 128 | */ |
| 129 | AttestationKey attest_key; |
| 130 | vector<KeyCharacteristics> attest_key_characteristics; |
| 131 | vector<Certificate> attest_key_cert_chain; |
| 132 | ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder() |
| 133 | .EcdsaSigningKey(curve) |
| 134 | .AttestKey() |
| 135 | .SetDefaultValidity(), |
| 136 | {} /* attestation siging key */, &attest_key.keyBlob, |
| 137 | &attest_key_characteristics, &attest_key_cert_chain)); |
| 138 | |
| 139 | EXPECT_EQ(attest_key_cert_chain.size(), 1); |
| 140 | EXPECT_TRUE(IsSelfSigned(attest_key_cert_chain)) << "Failed on curve " << curve; |
| 141 | |
| 142 | /* |
| 143 | * Use attestation key to sign RSA key |
| 144 | */ |
| 145 | attest_key.issuerSubjectName = make_name_from_str("Android Keystore Key"); |
| 146 | vector<uint8_t> attested_key_blob; |
| 147 | vector<KeyCharacteristics> attested_key_characteristics; |
| 148 | vector<Certificate> attested_key_cert_chain; |
| 149 | EXPECT_EQ(ErrorCode::OK, |
| 150 | GenerateKey(AuthorizationSetBuilder() |
| 151 | .RsaSigningKey(2048, 65537) |
| 152 | .Authorization(TAG_NO_AUTH_REQUIRED) |
| 153 | .AttestationChallenge("foo") |
| 154 | .AttestationApplicationId("bar") |
| 155 | .SetDefaultValidity(), |
| 156 | attest_key, &attested_key_blob, &attested_key_characteristics, |
| 157 | &attested_key_cert_chain)); |
| 158 | |
| 159 | CheckedDeleteKey(&attested_key_blob); |
| 160 | |
| 161 | AuthorizationSet hw_enforced = HwEnforcedAuthorizations(attested_key_characteristics); |
| 162 | AuthorizationSet sw_enforced = SwEnforcedAuthorizations(attested_key_characteristics); |
| 163 | EXPECT_TRUE(verify_attestation_record("foo", "bar", sw_enforced, hw_enforced, SecLevel(), |
| 164 | attested_key_cert_chain[0].encodedCertificate)); |
| 165 | |
| 166 | // Attestation by itself is not valid (last entry is not self-signed). |
| 167 | EXPECT_FALSE(ChainSignaturesAreValid(attested_key_cert_chain)); |
| 168 | |
| 169 | // Appending the attest_key chain to the attested_key_chain should yield a valid chain. |
| 170 | if (attest_key_cert_chain.size() > 0) { |
| 171 | attested_key_cert_chain.push_back(attest_key_cert_chain[0]); |
| 172 | } |
| 173 | EXPECT_TRUE(ChainSignaturesAreValid(attested_key_cert_chain)); |
| 174 | |
| 175 | /* |
| 176 | * Use attestation key to sign EC key |
| 177 | */ |
| 178 | EXPECT_EQ(ErrorCode::OK, |
| 179 | GenerateKey(AuthorizationSetBuilder() |
| 180 | .EcdsaSigningKey(EcCurve::P_256) |
| 181 | .Authorization(TAG_NO_AUTH_REQUIRED) |
| 182 | .AttestationChallenge("foo") |
| 183 | .AttestationApplicationId("bar") |
| 184 | .SetDefaultValidity(), |
| 185 | attest_key, &attested_key_blob, &attested_key_characteristics, |
| 186 | &attested_key_cert_chain)); |
| 187 | |
| 188 | CheckedDeleteKey(&attested_key_blob); |
| 189 | CheckedDeleteKey(&attest_key.keyBlob); |
| 190 | |
| 191 | hw_enforced = HwEnforcedAuthorizations(attested_key_characteristics); |
| 192 | sw_enforced = SwEnforcedAuthorizations(attested_key_characteristics); |
| 193 | EXPECT_TRUE(verify_attestation_record("foo", "bar", sw_enforced, hw_enforced, SecLevel(), |
| 194 | attested_key_cert_chain[0].encodedCertificate)); |
| 195 | |
| 196 | // Attestation by itself is not valid (last entry is not self-signed). |
| 197 | EXPECT_FALSE(ChainSignaturesAreValid(attested_key_cert_chain)); |
| 198 | |
| 199 | // Appending the attest_key chain to the attested_key_chain should yield a valid chain. |
| 200 | if (attest_key_cert_chain.size() > 0) { |
| 201 | attested_key_cert_chain.push_back(attest_key_cert_chain[0]); |
| 202 | } |
| 203 | EXPECT_TRUE(ChainSignaturesAreValid(attested_key_cert_chain)); |
| 204 | |
| 205 | // Bail early if anything failed. |
| 206 | if (HasFailure()) return; |
| 207 | } |
| 208 | } |
| 209 | |
Shawn Willden | 7bbf629 | 2021-04-01 12:57:21 -0600 | [diff] [blame] | 210 | TEST_P(AttestKeyTest, AttestWithNonAttestKey) { |
| 211 | // Create non-attestaton key. |
| 212 | AttestationKey non_attest_key; |
| 213 | vector<KeyCharacteristics> non_attest_key_characteristics; |
| 214 | vector<Certificate> non_attest_key_cert_chain; |
| 215 | ASSERT_EQ( |
| 216 | ErrorCode::OK, |
| 217 | GenerateKey( |
| 218 | AuthorizationSetBuilder().EcdsaSigningKey(EcCurve::P_256).SetDefaultValidity(), |
| 219 | {} /* attestation siging key */, &non_attest_key.keyBlob, |
| 220 | &non_attest_key_characteristics, &non_attest_key_cert_chain)); |
| 221 | |
| 222 | EXPECT_EQ(non_attest_key_cert_chain.size(), 1); |
| 223 | EXPECT_TRUE(IsSelfSigned(non_attest_key_cert_chain)); |
| 224 | |
| 225 | // Attempt to sign attestation with non-attest key. |
| 226 | vector<uint8_t> attested_key_blob; |
| 227 | vector<KeyCharacteristics> attested_key_characteristics; |
| 228 | vector<Certificate> attested_key_cert_chain; |
| 229 | EXPECT_EQ(ErrorCode::INCOMPATIBLE_PURPOSE, |
| 230 | GenerateKey(AuthorizationSetBuilder() |
| 231 | .EcdsaSigningKey(EcCurve::P_256) |
| 232 | .Authorization(TAG_NO_AUTH_REQUIRED) |
| 233 | .AttestationChallenge("foo") |
| 234 | .AttestationApplicationId("bar") |
| 235 | .SetDefaultValidity(), |
| 236 | non_attest_key, &attested_key_blob, &attested_key_characteristics, |
| 237 | &attested_key_cert_chain)); |
| 238 | } |
| 239 | |
Shawn Willden | 7c13039 | 2020-12-21 09:58:22 -0700 | [diff] [blame] | 240 | INSTANTIATE_KEYMINT_AIDL_TEST(AttestKeyTest); |
| 241 | |
| 242 | } // namespace aidl::android::hardware::security::keymint::test |