Test failure arms for auth-bound keys

Testing successful operations requires interaction with authenticators
(e.g. Gatekeeper), but it is possible to test various authentication
failure cases.

Test: keystore2_client_tests auth_bound
Test: keystore2_client_tests unlocked_device_required
Change-Id: Ie4e675ca5f19660b9f8efdc70185ba2cf9ea0c23
diff --git a/keystore2/test_utils/authorizations.rs b/keystore2/test_utils/authorizations.rs
index a96d994..d3d6fc4 100644
--- a/keystore2/test_utils/authorizations.rs
+++ b/keystore2/test_utils/authorizations.rs
@@ -18,8 +18,9 @@
 
 use android_hardware_security_keymint::aidl::android::hardware::security::keymint::{
     Algorithm::Algorithm, BlockMode::BlockMode, Digest::Digest, EcCurve::EcCurve,
-    KeyParameter::KeyParameter, KeyParameterValue::KeyParameterValue, KeyPurpose::KeyPurpose,
-    PaddingMode::PaddingMode, Tag::Tag,
+    HardwareAuthenticatorType::HardwareAuthenticatorType, KeyParameter::KeyParameter,
+    KeyParameterValue::KeyParameterValue, KeyPurpose::KeyPurpose, PaddingMode::PaddingMode,
+    Tag::Tag,
 };
 
 /// Helper struct to create set of Authorizations.
@@ -369,6 +370,33 @@
         });
         self
     }
+
+    /// Set user secure ID.
+    pub fn user_secure_id(mut self, sid: i64) -> Self {
+        self.0.push(KeyParameter {
+            tag: Tag::USER_SECURE_ID,
+            value: KeyParameterValue::LongInteger(sid),
+        });
+        self
+    }
+
+    /// Set user auth type.
+    pub fn user_auth_type(mut self, auth_type: HardwareAuthenticatorType) -> Self {
+        self.0.push(KeyParameter {
+            tag: Tag::USER_AUTH_TYPE,
+            value: KeyParameterValue::HardwareAuthenticatorType(auth_type),
+        });
+        self
+    }
+
+    /// Set auth timeout.
+    pub fn auth_timeout(mut self, timeout_secs: i32) -> Self {
+        self.0.push(KeyParameter {
+            tag: Tag::AUTH_TIMEOUT,
+            value: KeyParameterValue::Integer(timeout_secs),
+        });
+        self
+    }
 }
 
 impl Deref for AuthSetBuilder {
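Review bot: The doc comments on `user_secure_id`, `user_auth_type` and `auth_timeout` only restate the method names, so a test author cannot tell from them what each call adds to the key's auth binding. I would spell out the tag and unit, e.g. `/// Bind the key to secure user ID `sid` (Tag::USER_SECURE_ID); each call pushes another entry.`, `/// Restrict which authenticator type(s) may authorize the key (Tag::USER_AUTH_TYPE).` and `/// Set how long, in seconds, an authentication stays valid for the key (Tag::AUTH_TIMEOUT).`. As far as I know, KeyMint treats a key with a secure ID but no timeout as auth-per-operation; if that is right, it belongs on `auth_timeout`, since it changes which failure a test should expect. The enclosing `impl` block starts outside this hunk, so I cannot see whether the other builders follow a fuller doc convention.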
diff --git a/keystore2/test_utils/key_generations.rs b/keystore2/test_utils/key_generations.rs
index e63ee60..c40e944 100644
--- a/keystore2/test_utils/key_generations.rs
+++ b/keystore2/test_utils/key_generations.rs
@@ -392,6 +392,25 @@
     })
 }
 
+/// Check for a specific KeyMint error.
+pub fn assert_km_error<T: std::fmt::Debug>(result: &BinderResult<T>, want: ErrorCode) {
+    match result {
+        Ok(_) => panic!("Expected KeyMint error {want:?}, found success"),
+        Err(s) => {
+            assert_eq!(
+                s.exception_code(),
+                ExceptionCode::SERVICE_SPECIFIC,
+                "Expected KeyMint service-specific error {want:?}, got {result:?}"
+            );
+            assert_eq!(
+                s.service_specific_error(),
+                want.0,
+                "Expected KeyMint service-specific error {want:?}, got {result:?}"
+            );
+        }
+    }
+}
+
 /// Get the value of the given system property, if the given system property doesn't exist
 /// then returns an empty byte vector.
 pub fn get_system_prop(name: &str) -> Vec<u8> {
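Review bot: When `assert_km_error` fails, the panic is reported at the helper's own line in key_generations.rs, not at the test that called it. The `Ok` arm also discards the value, although `T: Debug` is required precisely so it can be printed. For auth-failure tests, an unexpected success means a key was usable without the required authentication, so that report should be as specific as possible. I would add `#[track_caller]` above `pub fn assert_km_error` and change the arm to `Ok(_) => panic!("Expected KeyMint error {want:?}, found success: {result:?}"),`. The two `assert_eq!` messages are identical; the first could say that the exception code was not service-specific, so the two failures can be told apart in a log.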