Gitiles
Code Review Sign In
gerrit.omnirom.org / android_hardware_interfaces / 90747ad701e300bf95894f4396e0a7c67b429a65 / . / security / keymint / aidl / vts / functional / DeviceUniqueAttestationTest.cpp
blob: 732d9ebadd370739ad4d93c170b025bf8bea1f79 [file] [log] [blame]
Selene Huang531a72d2021-04-15 01:09:47 -0700[diff] [blame]1/*
2 * Copyright (C) 2021 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17#define LOG_TAG "keymint_1_attest_key_test"
18
19#include <cutils/log.h>
20#include <cutils/properties.h>
21#include <keymint_support/key_param_output.h>
22#include <keymint_support/openssl_utils.h>
23
24#include "KeyMintAidlTestBase.h"
25
26namespace aidl::android::hardware::security::keymint::test {
27
28class DeviceUniqueAttestationTest : public KeyMintAidlTestBase {
29 protected:
30 void CheckUniqueAttestationResults(const vector<uint8_t>& key_blob,
31 const vector<KeyCharacteristics>& key_characteristics,
32 const AuthorizationSet& hw_enforced, int key_size) {
33 ASSERT_GT(cert_chain_.size(), 0);
34
35 if (KeyMintAidlTestBase::dump_Attestations) {
36 std::cout << bin2hex(cert_chain_[0].encodedCertificate) << std::endl;
37 }
38
39 ASSERT_GT(key_blob.size(), 0U);
40
41 AuthorizationSet crypto_params = SecLevelAuthorizations(key_characteristics);
42
43 EXPECT_TRUE(crypto_params.Contains(TAG_KEY_SIZE, key_size)) << "Key size missing";
44
Eran Messeri90747ad2021-05-27 15:08:03 +0100[diff] [blame^]45 // The device-unique attestation chain should contain exactly two certificates:
46 // * The leaf with the attestation extension.
47 // * A self-signed root, signed using the device-unique key.
48 ASSERT_EQ(cert_chain_.size(), 2);
Selene Huang531a72d2021-04-15 01:09:47 -0700[diff] [blame]49 EXPECT_TRUE(ChainSignaturesAreValid(cert_chain_));
Selene Huang531a72d2021-04-15 01:09:47 -0700[diff] [blame]50
51 AuthorizationSet sw_enforced = SwEnforcedAuthorizations(key_characteristics);
52 EXPECT_TRUE(verify_attestation_record("challenge", "foo", sw_enforced, hw_enforced,
53 SecLevel(), cert_chain_[0].encodedCertificate));
54 }
55};
56
57/*
58 * DeviceUniqueAttestationTest.RsaNonStrongBoxUnimplemented
59 *
60 * Verifies that non strongbox implementations do not implement Rsa device unique
61 * attestation.
62 */
63TEST_P(DeviceUniqueAttestationTest, RsaNonStrongBoxUnimplemented) {
64 if (SecLevel() == SecurityLevel::STRONGBOX) return;
65
66 vector<uint8_t> key_blob;
67 vector<KeyCharacteristics> key_characteristics;
68
69 // Check RSA implementation
70 auto result = GenerateKey(AuthorizationSetBuilder()
71 .Authorization(TAG_NO_AUTH_REQUIRED)
72 .RsaSigningKey(2048, 65537)
73 .Digest(Digest::SHA_2_256)
74 .Padding(PaddingMode::RSA_PKCS1_1_5_SIGN)
75 .Authorization(TAG_INCLUDE_UNIQUE_ID)
Selene Huang531a72d2021-04-15 01:09:47 -0700[diff] [blame]76 .AttestationChallenge("challenge")
77 .AttestationApplicationId("foo")
78 .Authorization(TAG_DEVICE_UNIQUE_ATTESTATION),
79 &key_blob, &key_characteristics);
80
David Drysdaledb0dcf52021-05-18 11:43:31 +0100[diff] [blame]81 ASSERT_TRUE(result == ErrorCode::INVALID_ARGUMENT || result == ErrorCode::UNSUPPORTED_TAG);
Selene Huang531a72d2021-04-15 01:09:47 -0700[diff] [blame]82}
83
84/*
85 * DeviceUniqueAttestationTest.EcdsaNonStrongBoxUnimplemented
86 *
87 * Verifies that non strongbox implementations do not implement Ecdsa device unique
88 * attestation.
89 */
90TEST_P(DeviceUniqueAttestationTest, EcdsaNonStrongBoxUnimplemented) {
91 if (SecLevel() == SecurityLevel::STRONGBOX) return;
92
93 vector<uint8_t> key_blob;
94 vector<KeyCharacteristics> key_characteristics;
95
96 // Check Ecdsa implementation
97 auto result = GenerateKey(AuthorizationSetBuilder()
98 .Authorization(TAG_NO_AUTH_REQUIRED)
99 .EcdsaSigningKey(EcCurve::P_256)
100 .Digest(Digest::SHA_2_256)
101 .Authorization(TAG_INCLUDE_UNIQUE_ID)
102 .AttestationChallenge("challenge")
103 .AttestationApplicationId("foo")
104 .Authorization(TAG_DEVICE_UNIQUE_ATTESTATION),
105 &key_blob, &key_characteristics);
106
David Drysdaledb0dcf52021-05-18 11:43:31 +0100[diff] [blame]107 ASSERT_TRUE(result == ErrorCode::INVALID_ARGUMENT || result == ErrorCode::UNSUPPORTED_TAG);
Selene Huang531a72d2021-04-15 01:09:47 -0700[diff] [blame]108}
109
110/*
111 * DeviceUniqueAttestationTest.RsaDeviceUniqueAttestation
112 *
113 * Verifies that strongbox implementations of Rsa implements device unique
114 * attestation correctly, if implemented.
115 */
116TEST_P(DeviceUniqueAttestationTest, RsaDeviceUniqueAttestation) {
117 if (SecLevel() != SecurityLevel::STRONGBOX) return;
118
119 vector<uint8_t> key_blob;
120 vector<KeyCharacteristics> key_characteristics;
121 int key_size = 2048;
122
123 auto result = GenerateKey(AuthorizationSetBuilder()
124 .Authorization(TAG_NO_AUTH_REQUIRED)
125 .RsaSigningKey(key_size, 65537)
126 .Digest(Digest::SHA_2_256)
127 .Padding(PaddingMode::RSA_PKCS1_1_5_SIGN)
128 .Authorization(TAG_INCLUDE_UNIQUE_ID)
Selene Huang531a72d2021-04-15 01:09:47 -0700[diff] [blame]129 .AttestationChallenge("challenge")
130 .AttestationApplicationId("foo")
131 .Authorization(TAG_DEVICE_UNIQUE_ATTESTATION),
132 &key_blob, &key_characteristics);
133
134 // It is optional for Strong box to support DeviceUniqueAttestation.
135 if (result == ErrorCode::CANNOT_ATTEST_IDS) return;
136
137 ASSERT_EQ(ErrorCode::OK, result);
138
139 AuthorizationSet hw_enforced = AuthorizationSetBuilder()
140 .Authorization(TAG_DEVICE_UNIQUE_ATTESTATION)
141 .Authorization(TAG_NO_AUTH_REQUIRED)
142 .RsaSigningKey(2048, 65537)
143 .Digest(Digest::SHA_2_256)
144 .Padding(PaddingMode::RSA_PKCS1_1_5_SIGN)
145 .Authorization(TAG_ORIGIN, KeyOrigin::GENERATED)
146 .Authorization(TAG_OS_VERSION, os_version())
147 .Authorization(TAG_OS_PATCHLEVEL, os_patch_level());
148
149 CheckUniqueAttestationResults(key_blob, key_characteristics, hw_enforced, key_size);
150}
151
152/*
153 * DeviceUniqueAttestationTest.EcdsaDeviceUniqueAttestation
154 *
155 * Verifies that strongbox implementations of Rsa implements device unique
156 * attestation correctly, if implemented.
157 */
158TEST_P(DeviceUniqueAttestationTest, EcdsaDeviceUniqueAttestation) {
159 if (SecLevel() != SecurityLevel::STRONGBOX) return;
160
161 vector<uint8_t> key_blob;
162 vector<KeyCharacteristics> key_characteristics;
163 int key_size = 256;
164
165 auto result = GenerateKey(AuthorizationSetBuilder()
166 .Authorization(TAG_NO_AUTH_REQUIRED)
167 .EcdsaSigningKey(256)
168 .Digest(Digest::SHA_2_256)
169 .Authorization(TAG_INCLUDE_UNIQUE_ID)
170 .AttestationChallenge("challenge")
171 .AttestationApplicationId("foo")
172 .Authorization(TAG_DEVICE_UNIQUE_ATTESTATION),
173 &key_blob, &key_characteristics);
174
175 // It is optional for Strong box to support DeviceUniqueAttestation.
176 if (result == ErrorCode::CANNOT_ATTEST_IDS) return;
177 ASSERT_EQ(ErrorCode::OK, result);
178
179 AuthorizationSet hw_enforced = AuthorizationSetBuilder()
180 .Authorization(TAG_DEVICE_UNIQUE_ATTESTATION)
181 .Authorization(TAG_NO_AUTH_REQUIRED)
182 .EcdsaSigningKey(EcCurve::P_256)
183 .Digest(Digest::SHA_2_256)
184 .Authorization(TAG_EC_CURVE, EcCurve::P_256)
185 .Authorization(TAG_ORIGIN, KeyOrigin::GENERATED)
186 .Authorization(TAG_OS_VERSION, os_version())
187 .Authorization(TAG_OS_PATCHLEVEL, os_patch_level());
188
189 CheckUniqueAttestationResults(key_blob, key_characteristics, hw_enforced, key_size);
190}
191
192INSTANTIATE_KEYMINT_AIDL_TEST(DeviceUniqueAttestationTest);
193
194} // namespace aidl::android::hardware::security::keymint::test