Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_security / 40e41f10884f96f635668a83345b2f428c8f2919^! / .
commit40e41f10884f96f635668a83345b2f428c8f2919[log] [tgz]
authorDavid Drysdale <drysdale@google.com>Mon Apr 29 10:03:02 2024 +0100
committerDavid Drysdale <drysdale@google.com>Wed May 01 18:16:46 2024 +0100
tree982d69bdb901c83cb0742e4b0914918776645b53
parent98e175b6f8467d31566f90a266bffea39234e2ec [diff]
Adjust keystore2_client_tests

Adjust the keystore2 client tests to cope with a wider variety of
underlying KeyMint / Keymaster devices.

A couple of these changes involve test modifications to match the
behaviour of the KeyMint VTS tests:

- `keystore2_gen_key_device_unique_attest_with_default_sec_level_unimplemented`:
  Allow an extra error code, to match
  `DeviceUniqueAttestationTest.EcdsaNonStrongBoxUnimplemented`.
- `keystore2_import_ec_key_success`: Skip the check that EC keys can be
  imported without an explicitly specified `EC_CURVE` on pre-VSR-V
  devices, to match the equivalent logic in the VTS tests
  (`ImportKeyTest.EcdsaSuccessCurveNotSpecified`).

The other two changes are:

- `keystore2_gen_key_auth_boot_loader_only_op_fail`: Drop this test, as
  it's the first/only place that exercises the optional
  `BOOTLOADER_ONLY` tag. (The KeyMint VTS tests would be the best place
  to exercise this for the first time.)
- `keystore2_ec_25519_generate_key_fail`: For now, skip the check that
  an Ed25519 key should reject use of any digest value other than `NONE`
  (on account of Ed25519 having its own internal digest). That behaviour
  isn't quite right, but which is not currently tested by the KeyMint
  VTS tests and so we can't require existing devices to be modified to
  pass the check.

Bug: 336695416
Test: keystore2_client_tests
Change-Id: I06e90c859f33d8b4125541a67709ec67e8898c60

diff --git a/keystore2/tests/keystore2_client_authorizations_tests.rs b/keystore2/tests/keystore2_client_authorizations_tests.rs
index 0fde7af..32be99e 100644
--- a/keystore2/tests/keystore2_client_authorizations_tests.rs
+++ b/keystore2/tests/keystore2_client_authorizations_tests.rs

@@ -442,36 +442,6 @@
     delete_app_key(&keystore2, alias).unwrap();
 }
 
-/// Generate a key with `BOOTLOADER_ONLY`. Test should successfully generate
-/// a key and verify the key characteristics. Test should fail with error code `INVALID_KEY_BLOB`
-/// during creation of an operation using this key.
-#[test]
-fn keystore2_gen_key_auth_boot_loader_only_op_fail() {
-    skip_tests_if_keymaster_impl_present!();
-    let keystore2 = get_keystore_service();
-    let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
-
-    let gen_params = authorizations::AuthSetBuilder::new()
-        .no_auth_required()
-        .algorithm(Algorithm::EC)
-        .purpose(KeyPurpose::SIGN)
-        .purpose(KeyPurpose::VERIFY)
-        .digest(Digest::SHA_2_256)
-        .ec_curve(EcCurve::P_256)
-        .attestation_challenge(b"foo".to_vec())
-        .boot_loader_only();
-
-    let alias = "ks_test_auth_tags_test";
-    let result = key_generations::map_ks_error(key_generations::create_key_and_operation(
-        &sec_level,
-        &gen_params,
-        &authorizations::AuthSetBuilder::new().purpose(KeyPurpose::SIGN).digest(Digest::SHA_2_256),
-        alias,
-    ));
-    assert!(result.is_err());
-    assert_eq!(Error::Km(ErrorCode::INVALID_KEY_BLOB), result.unwrap_err());
-}
-
 /// Generate a key with `EARLY_BOOT_ONLY`. Test should successfully generate
 /// a key and verify the key characteristics. Test should fail with error code `EARLY_BOOT_ENDED`
 /// during creation of an operation using this key.

diff --git a/keystore2/tests/keystore2_client_device_unique_attestation_tests.rs b/keystore2/tests/keystore2_client_device_unique_attestation_tests.rs
index 4f881bc..b784adf 100644
--- a/keystore2/tests/keystore2_client_device_unique_attestation_tests.rs
+++ b/keystore2/tests/keystore2_client_device_unique_attestation_tests.rs

@@ -181,7 +181,10 @@
         alias,
     ));
     assert!(result.is_err());
-    assert_eq!(Error::Km(ErrorCode::INVALID_ARGUMENT), result.unwrap_err());
+    assert!(matches!(
+        result.unwrap_err(),
+        Error::Km(ErrorCode::INVALID_ARGUMENT) | Error::Km(ErrorCode::UNSUPPORTED_TAG)
+    ));
 }
 
 /// Generate a EC key with `DEVICE_UNIQUE_ATTESTATION` using `STRONGBOX` security level.

diff --git a/keystore2/tests/keystore2_client_ec_key_tests.rs b/keystore2/tests/keystore2_client_ec_key_tests.rs
index 8267140..f2c6d0f 100644
--- a/keystore2/tests/keystore2_client_ec_key_tests.rs
+++ b/keystore2/tests/keystore2_client_ec_key_tests.rs

@@ -30,8 +30,8 @@
 };
 
 use crate::keystore2_client_test_utils::{
-    delete_app_key, execute_op_run_as_child, perform_sample_sign_operation, BarrierReached,
-    ForcedOp, TestOutcome,
+    delete_app_key, execute_op_run_as_child, get_vsr_api_level, perform_sample_sign_operation,
+    BarrierReached, ForcedOp, TestOutcome,
 };
 
 macro_rules! test_ec_sign_key_op_success {
@@ -374,13 +374,18 @@
         )
         .unwrap();
 
-        let result = key_generations::map_ks_error(sec_level.createOperation(
-            &key_metadata.key,
-            &authorizations::AuthSetBuilder::new().purpose(KeyPurpose::SIGN).digest(digest),
-            false,
-        ));
-        assert!(result.is_err());
-        assert_eq!(Error::Km(ErrorCode::UNSUPPORTED_DIGEST), result.unwrap_err());
+        // The KeyMint v2 API added `CURVE_25519` and specified that "Ed25519 keys only support
+        // Digest::NONE".  However, this was not checked at the time so we can only be strict about
+        // checking this for more recent implementations.
+        if get_vsr_api_level() >= 35 {
+            let result = key_generations::map_ks_error(sec_level.createOperation(
+                &key_metadata.key,
+                &authorizations::AuthSetBuilder::new().purpose(KeyPurpose::SIGN).digest(digest),
+                false,
+            ));
+            assert!(result.is_err(), "unexpected success for digest {digest:?}");
+            assert_eq!(Error::Km(ErrorCode::UNSUPPORTED_DIGEST), result.unwrap_err());
+        }
     }
 }
 

diff --git a/keystore2/tests/keystore2_client_import_keys_tests.rs b/keystore2/tests/keystore2_client_import_keys_tests.rs
index 31d57a2..bf787d2 100644
--- a/keystore2/tests/keystore2_client_import_keys_tests.rs
+++ b/keystore2/tests/keystore2_client_import_keys_tests.rs

@@ -37,9 +37,9 @@
 };
 
 use crate::keystore2_client_test_utils::{
-    encrypt_secure_key, encrypt_transport_key, perform_sample_asym_sign_verify_op,
-    perform_sample_hmac_sign_verify_op, perform_sample_sym_key_decrypt_op,
-    perform_sample_sym_key_encrypt_op, SAMPLE_PLAIN_TEXT,
+    encrypt_secure_key, encrypt_transport_key, get_vsr_api_level,
+    perform_sample_asym_sign_verify_op, perform_sample_hmac_sign_verify_op,
+    perform_sample_sym_key_decrypt_op, perform_sample_sym_key_encrypt_op, SAMPLE_PLAIN_TEXT,
 };
 
 pub fn import_rsa_sign_key_and_perform_sample_operation(
@@ -306,6 +306,13 @@
 
     let alias = format!("ks_ec_key_test_import_1_{}{}", getuid(), 256);
 
+    if get_vsr_api_level() < 35 {
+        // The KeyMint spec was previously not clear as to whether EC_CURVE was optional on import
+        // of EC keys. However, this was not checked at the time so we can only be strict about
+        // checking this for implementations at VSR-V or later.
+        println!("Skipping EC_CURVE on import only strict >= VSR-V");
+        return;
+    }
     // Don't specify ec-curve.
     let import_params = authorizations::AuthSetBuilder::new()
         .no_auth_required()