Merge "Adjust keystore2_client_tests" into main am: e85693c603 am: 8ab274bd3c

Original change: https://android-review.googlesource.com/c/platform/system/security/+/3061757

Change-Id: I23beea25f87b922c736494df6698f6138975cd7b
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
diff --git a/keystore2/tests/keystore2_client_authorizations_tests.rs b/keystore2/tests/keystore2_client_authorizations_tests.rs
index 0fde7af..32be99e 100644
--- a/keystore2/tests/keystore2_client_authorizations_tests.rs
+++ b/keystore2/tests/keystore2_client_authorizations_tests.rs
@@ -442,36 +442,6 @@
     delete_app_key(&keystore2, alias).unwrap();
 }
 
-/// Generate a key with `BOOTLOADER_ONLY`. Test should successfully generate
-/// a key and verify the key characteristics. Test should fail with error code `INVALID_KEY_BLOB`
-/// during creation of an operation using this key.
-#[test]
-fn keystore2_gen_key_auth_boot_loader_only_op_fail() {
-    skip_tests_if_keymaster_impl_present!();
-    let keystore2 = get_keystore_service();
-    let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
-
-    let gen_params = authorizations::AuthSetBuilder::new()
-        .no_auth_required()
-        .algorithm(Algorithm::EC)
-        .purpose(KeyPurpose::SIGN)
-        .purpose(KeyPurpose::VERIFY)
-        .digest(Digest::SHA_2_256)
-        .ec_curve(EcCurve::P_256)
-        .attestation_challenge(b"foo".to_vec())
-        .boot_loader_only();
-
-    let alias = "ks_test_auth_tags_test";
-    let result = key_generations::map_ks_error(key_generations::create_key_and_operation(
-        &sec_level,
-        &gen_params,
-        &authorizations::AuthSetBuilder::new().purpose(KeyPurpose::SIGN).digest(Digest::SHA_2_256),
-        alias,
-    ));
-    assert!(result.is_err());
-    assert_eq!(Error::Km(ErrorCode::INVALID_KEY_BLOB), result.unwrap_err());
-}
-
 /// Generate a key with `EARLY_BOOT_ONLY`. Test should successfully generate
 /// a key and verify the key characteristics. Test should fail with error code `EARLY_BOOT_ENDED`
 /// during creation of an operation using this key.
diff --git a/keystore2/tests/keystore2_client_device_unique_attestation_tests.rs b/keystore2/tests/keystore2_client_device_unique_attestation_tests.rs
index 4f881bc..b784adf 100644
--- a/keystore2/tests/keystore2_client_device_unique_attestation_tests.rs
+++ b/keystore2/tests/keystore2_client_device_unique_attestation_tests.rs
@@ -181,7 +181,10 @@
         alias,
     ));
     assert!(result.is_err());
-    assert_eq!(Error::Km(ErrorCode::INVALID_ARGUMENT), result.unwrap_err());
+    assert!(matches!(
+        result.unwrap_err(),
+        Error::Km(ErrorCode::INVALID_ARGUMENT) | Error::Km(ErrorCode::UNSUPPORTED_TAG)
+    ));
 }
 
 /// Generate a EC key with `DEVICE_UNIQUE_ATTESTATION` using `STRONGBOX` security level.
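Review bot: The relaxed check at the end of this hunk loses the diagnostic that `assert_eq!` used to give: if an implementation returns a third error code, `assert!(matches!(...))` reports only that the assertion failed, not which code came back. Binding the error first keeps that information: `let err = result.unwrap_err();` followed by `assert!(matches!(err, Error::Km(ErrorCode::INVALID_ARGUMENT | ErrorCode::UNSUPPORTED_TAG)), "unexpected error: {err:?}");`. A one-line comment saying why `UNSUPPORTED_TAG` is now also an acceptable rejection would help, since neither the hunk nor the commit message explains it. The test function starts above the hunk.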
diff --git a/keystore2/tests/keystore2_client_ec_key_tests.rs b/keystore2/tests/keystore2_client_ec_key_tests.rs
index 8267140..f2c6d0f 100644
--- a/keystore2/tests/keystore2_client_ec_key_tests.rs
+++ b/keystore2/tests/keystore2_client_ec_key_tests.rs
@@ -30,8 +30,8 @@
 };
 
 use crate::keystore2_client_test_utils::{
-    delete_app_key, execute_op_run_as_child, perform_sample_sign_operation, BarrierReached,
-    ForcedOp, TestOutcome,
+    delete_app_key, execute_op_run_as_child, get_vsr_api_level, perform_sample_sign_operation,
+    BarrierReached, ForcedOp, TestOutcome,
 };
 
 macro_rules! test_ec_sign_key_op_success {
@@ -374,13 +374,18 @@
         )
         .unwrap();
 
-        let result = key_generations::map_ks_error(sec_level.createOperation(
-            &key_metadata.key,
-            &authorizations::AuthSetBuilder::new().purpose(KeyPurpose::SIGN).digest(digest),
-            false,
-        ));
-        assert!(result.is_err());
-        assert_eq!(Error::Km(ErrorCode::UNSUPPORTED_DIGEST), result.unwrap_err());
+        // The KeyMint v2 API added `CURVE_25519` and specified that "Ed25519 keys only support
+        // Digest::NONE".  However, this was not checked at the time so we can only be strict about
+        // checking this for more recent implementations.
+        if get_vsr_api_level() >= 35 {
+            let result = key_generations::map_ks_error(sec_level.createOperation(
+                &key_metadata.key,
+                &authorizations::AuthSetBuilder::new().purpose(KeyPurpose::SIGN).digest(digest),
+                false,
+            ));
+            assert!(result.is_err(), "unexpected success for digest {digest:?}");
+            assert_eq!(Error::Km(ErrorCode::UNSUPPORTED_DIGEST), result.unwrap_err());
+        }
     }
 }
 
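Review bot: When `get_vsr_api_level()` is below 35, the new `if` skips the `createOperation` rejection check without logging anything, so an Ed25519 key used with a non-`NONE` digest passes silently on those devices. An `else` branch such as `println!("Skipping strict Ed25519 digest check for {digest:?}: VSR API level < 35");` would make the reduced coverage visible in test output, as the skip in the `keystore2_client_import_keys_tests.rs` hunk already does. The literal `35` is repeated in that hunk as well; a single named constant next to `get_vsr_api_level` would keep the two thresholds in step. The enclosing loop and test function start outside the hunk.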
diff --git a/keystore2/tests/keystore2_client_import_keys_tests.rs b/keystore2/tests/keystore2_client_import_keys_tests.rs
index 31d57a2..bf787d2 100644
--- a/keystore2/tests/keystore2_client_import_keys_tests.rs
+++ b/keystore2/tests/keystore2_client_import_keys_tests.rs
@@ -37,9 +37,9 @@
 };
 
 use crate::keystore2_client_test_utils::{
-    encrypt_secure_key, encrypt_transport_key, perform_sample_asym_sign_verify_op,
-    perform_sample_hmac_sign_verify_op, perform_sample_sym_key_decrypt_op,
-    perform_sample_sym_key_encrypt_op, SAMPLE_PLAIN_TEXT,
+    encrypt_secure_key, encrypt_transport_key, get_vsr_api_level,
+    perform_sample_asym_sign_verify_op, perform_sample_hmac_sign_verify_op,
+    perform_sample_sym_key_decrypt_op, perform_sample_sym_key_encrypt_op, SAMPLE_PLAIN_TEXT,
 };
 
 pub fn import_rsa_sign_key_and_perform_sample_operation(
@@ -306,6 +306,13 @@
 
     let alias = format!("ks_ec_key_test_import_1_{}{}", getuid(), 256);
 
+    if get_vsr_api_level() < 35 {
+        // The KeyMint spec was previously not clear as to whether EC_CURVE was optional on import
+        // of EC keys. However, this was not checked at the time so we can only be strict about
+        // checking this for implementations at VSR-V or later.
+        println!("Skipping EC_CURVE on import only strict >= VSR-V");
+        return;
+    }
     // Don't specify ec-curve.
     let import_params = authorizations::AuthSetBuilder::new()
         .no_auth_required()
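Review bot: The comment and log message in the added skip block are hard to follow. "However, this was not checked at the time" does not follow from "the spec was previously not clear", and the message `"Skipping EC_CURVE on import only strict >= VSR-V"` does not say what is being skipped. Suggested wording for the comment: `// Older KeyMint specs did not say whether EC_CURVE may be omitted when importing an EC key, and implementations were not tested for it, so only enforce this at VSR-V (API level 35) or later.` For the message: `println!("Skipping test: EC import without EC_CURVE is only enforced for VSR API level >= 35");`. The early `return` presumably makes the test report as passed on older devices, so the message is the only trace of the skip. The test function starts above the hunk and continues past its last line.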