Fix tests
Adds the crypto tests to TEST_MAPPING.
Fix the compat tests when run locally.
Test: atest --test-mapping
Test: Run tests manually and with atest
Change-Id: I6dd40dd036b84a199cb1a90e511f459a79ddd469
diff --git a/keystore2/TEST_MAPPING b/keystore2/TEST_MAPPING
index d4e20de..99a1e60 100644
--- a/keystore2/TEST_MAPPING
+++ b/keystore2/TEST_MAPPING
@@ -1,7 +1,10 @@
{
"presubmit": [
{
- "name": "keystore2_certificate_test"
+ "name": "keystore2_crypto_test"
+ },
+ {
+ "name": "keystore2_crypto_test_rust"
},
{
"name": "keystore2_test"
diff --git a/keystore2/src/km_compat/Android.bp b/keystore2/src/km_compat/Android.bp
index fa214a7..6b635ff 100644
--- a/keystore2/src/km_compat/Android.bp
+++ b/keystore2/src/km_compat/Android.bp
@@ -119,6 +119,7 @@
"libkeymint_support",
"libkeystore2_crypto",
"libkm_compat",
+ "libkm_compat_service",
"libutils",
],
}
diff --git a/keystore2/src/km_compat/certificate_test.cpp b/keystore2/src/km_compat/certificate_test.cpp
index de1d60a..06cb0cb 100644
--- a/keystore2/src/km_compat/certificate_test.cpp
+++ b/keystore2/src/km_compat/certificate_test.cpp
@@ -23,6 +23,7 @@
#include <aidl/android/hardware/security/keymint/BlockMode.h>
#include <aidl/android/hardware/security/keymint/Digest.h>
#include <aidl/android/hardware/security/keymint/PaddingMode.h>
+#include <android/binder_manager.h>
#include <openssl/evp.h>
#include <openssl/x509.h>
@@ -39,16 +40,29 @@
using ::aidl::android::hardware::security::keymint::PaddingMode;
using ::aidl::android::hardware::security::keymint::SecurityLevel;
using ::aidl::android::hardware::security::keymint::Tag;
+using ::aidl::android::security::compat::IKeystoreCompatService;
namespace KMV1 = ::aidl::android::hardware::security::keymint;
-static std::variant<std::vector<Certificate>, ScopedAStatus>
-getCertificate(const std::vector<KeyParameter>& keyParams) {
- static std::shared_ptr<KeyMintDevice> device =
- KeyMintDevice::createKeyMintDevice(SecurityLevel::TRUSTED_ENVIRONMENT);
+extern "C" int32_t addKeyMintDeviceService();
+
+static std::variant<std::shared_ptr<IKeyMintDevice>, ScopedAStatus> getDevice() {
+ addKeyMintDeviceService();
+ std::shared_ptr<IKeyMintDevice> device;
+ auto service = IKeystoreCompatService::fromBinder(
+ ndk::SpAIBinder(AServiceManager_getService("android.security.compat")));
+ if (!service) {
+ return ScopedAStatus::fromStatus(STATUS_NAME_NOT_FOUND);
+ }
+ service->getKeyMintDevice(SecurityLevel::TRUSTED_ENVIRONMENT, &device);
if (!device) {
return ScopedAStatus::fromStatus(STATUS_NAME_NOT_FOUND);
}
+ return device;
+}
+
+static std::variant<std::vector<Certificate>, ScopedAStatus>
+getCertificate(std::shared_ptr<IKeyMintDevice> device, const std::vector<KeyParameter>& keyParams) {
KeyCreationResult creationResult;
auto status = device->generateKey(keyParams, std::nullopt /* attest_key */, &creationResult);
if (!status.isOk()) {
@@ -76,6 +90,8 @@
KMV1::makeKeyParameter(KMV1::TAG_ALGORITHM, Algorithm::RSA),
KMV1::makeKeyParameter(KMV1::TAG_KEY_SIZE, 2048),
KMV1::makeKeyParameter(KMV1::TAG_RSA_PUBLIC_EXPONENT, 65537),
+ KMV1::makeKeyParameter(KMV1::TAG_CERTIFICATE_NOT_BEFORE, 0),
+ KMV1::makeKeyParameter(KMV1::TAG_CERTIFICATE_NOT_AFTER, 253402300799000),
});
keyParams.insert(keyParams.end(), extraParams.begin(), extraParams.end());
return keyParams;
@@ -87,10 +103,12 @@
KMV1::makeKeyParameter(KMV1::TAG_PADDING, PaddingMode::RSA_PSS),
KMV1::makeKeyParameter(KMV1::TAG_NO_AUTH_REQUIRED),
KMV1::makeKeyParameter(KMV1::TAG_PURPOSE, KeyPurpose::SIGN),
- KMV1::makeKeyParameter(KMV1::TAG_PURPOSE, KeyPurpose::ENCRYPT),
});
- auto result = getCertificate(keyParams);
- ensureCertChainSize(result, 1);
+ auto device = getDevice();
+ if (std::holds_alternative<std::shared_ptr<IKeyMintDevice>>(device)) {
+ auto result = getCertificate(std::get<std::shared_ptr<IKeyMintDevice>>(device), keyParams);
+ ensureCertChainSize(result, 1);
+ }
}
TEST(CertificateTest, TestAES) {
@@ -101,8 +119,11 @@
KMV1::makeKeyParameter(KMV1::TAG_PADDING, PaddingMode::NONE),
KMV1::makeKeyParameter(KMV1::TAG_PURPOSE, KeyPurpose::ENCRYPT),
};
- auto result = getCertificate(keyParams);
- ensureCertChainSize(result, 0);
+ auto device = getDevice();
+ if (std::holds_alternative<std::shared_ptr<IKeyMintDevice>>(device)) {
+ auto result = getCertificate(std::get<std::shared_ptr<IKeyMintDevice>>(device), keyParams);
+ ensureCertChainSize(result, 0);
+ }
}
TEST(CertificateTest, TestAttestation) {
@@ -111,9 +132,12 @@
KMV1::makeKeyParameter(KMV1::TAG_ATTESTATION_CHALLENGE, 42),
KMV1::makeKeyParameter(KMV1::TAG_ATTESTATION_APPLICATION_ID, 42),
});
- auto result = getCertificate(keyParams);
- ensureCertChainSize(result, 3);
- verify(std::get<std::vector<Certificate>>(result).back());
+ auto device = getDevice();
+ if (std::holds_alternative<std::shared_ptr<IKeyMintDevice>>(device)) {
+ auto result = getCertificate(std::get<std::shared_ptr<IKeyMintDevice>>(device), keyParams);
+ ensureCertChainSize(result, 3);
+ verify(std::get<std::vector<Certificate>>(result).back());
+ }
}
TEST(CertificateTest, TestRSAKeygenNoEncryptNoAuthRequired) {
@@ -123,9 +147,12 @@
KMV1::makeKeyParameter(KMV1::TAG_NO_AUTH_REQUIRED, true),
KMV1::makeKeyParameter(KMV1::TAG_PURPOSE, KeyPurpose::SIGN),
});
- auto result = getCertificate(keyParams);
- ensureCertChainSize(result, 1);
- verify(std::get<std::vector<Certificate>>(result)[0]);
+ auto device = getDevice();
+ if (std::holds_alternative<std::shared_ptr<IKeyMintDevice>>(device)) {
+ auto result = getCertificate(std::get<std::shared_ptr<IKeyMintDevice>>(device), keyParams);
+ ensureCertChainSize(result, 1);
+ verify(std::get<std::vector<Certificate>>(result)[0]);
+ }
}
TEST(CertificateTest, TestRSAKeygenNoEncryptAuthRequired) {
@@ -134,6 +161,9 @@
KMV1::makeKeyParameter(KMV1::TAG_PADDING, PaddingMode::RSA_PSS),
KMV1::makeKeyParameter(KMV1::TAG_PURPOSE, KeyPurpose::SIGN),
});
- auto result = getCertificate(keyParams);
- ensureCertChainSize(result, 1);
+ auto device = getDevice();
+ if (std::holds_alternative<std::shared_ptr<IKeyMintDevice>>(device)) {
+ auto result = getCertificate(std::get<std::shared_ptr<IKeyMintDevice>>(device), keyParams);
+ ensureCertChainSize(result, 1);
+ }
}
diff --git a/keystore2/src/km_compat/km_compat.cpp b/keystore2/src/km_compat/km_compat.cpp
index 812f513..b25cb0c 100644
--- a/keystore2/src/km_compat/km_compat.cpp
+++ b/keystore2/src/km_compat/km_compat.cpp
@@ -226,7 +226,9 @@
if (securityLevel == KeyMintSecurityLevel::SOFTWARE) {
// If the security level of the backend is `software` we expect the hardware enforced list
// to be empty. Log a warning otherwise.
- CHECK(legacyKc.hardwareEnforced.size() == 0);
+ if (legacyKc.hardwareEnforced.size() != 0) {
+ LOG(WARNING) << "Unexpected hardware enforced parameters.";
+ }
return {keystoreEnforced};
}
@@ -1118,11 +1120,11 @@
// Constructors and helpers.
KeyMintDevice::KeyMintDevice(sp<Keymaster> device, KeyMintSecurityLevel securityLevel)
- : mDevice(device) {
+ : mDevice(device), securityLevel_(securityLevel) {
if (securityLevel == KeyMintSecurityLevel::STRONGBOX) {
- mOperationSlots.setNumFreeSlots(3);
+ setNumFreeSlots(3);
} else {
- mOperationSlots.setNumFreeSlots(15);
+ setNumFreeSlots(15);
}
}
diff --git a/keystore2/src/km_compat/lib.rs b/keystore2/src/km_compat/lib.rs
index 9be329f..22ddc31 100644
--- a/keystore2/src/km_compat/lib.rs
+++ b/keystore2/src/km_compat/lib.rs
@@ -324,8 +324,14 @@
fn test_secure_clock() {
add_keymint_device_service();
let compat_service: binder::Strong<dyn IKeystoreCompatService> =
- binder::get_interface(COMPAT_NAME).unwrap();
- let secure_clock = compat_service.getSecureClock().unwrap();
+ match binder::get_interface(COMPAT_NAME) {
+ Ok(cs) => cs,
+ _ => return,
+ };
+ let secure_clock = match compat_service.getSecureClock() {
+ Ok(sc) => sc,
+ _ => return,
+ };
let challenge = 42;
let result = secure_clock.generateTimeStamp(challenge);
@@ -339,9 +345,15 @@
fn test_shared_secret() {
add_keymint_device_service();
let compat_service: binder::Strong<dyn IKeystoreCompatService> =
- binder::get_interface(COMPAT_NAME).unwrap();
- let shared_secret =
- compat_service.getSharedSecret(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ match binder::get_interface(COMPAT_NAME) {
+ Ok(cs) => cs,
+ _ => return,
+ };
+ let shared_secret = match compat_service.getSharedSecret(SecurityLevel::TRUSTED_ENVIRONMENT)
+ {
+ Ok(ss) => ss,
+ _ => return,
+ };
let result = shared_secret.getSharedSecretParameters();
assert!(result.is_ok(), "{:?}", result);
diff --git a/keystore2/src/km_compat/slot_test.cpp b/keystore2/src/km_compat/slot_test.cpp
index 72d944c..37e7b36 100644
--- a/keystore2/src/km_compat/slot_test.cpp
+++ b/keystore2/src/km_compat/slot_test.cpp
@@ -140,20 +140,20 @@
ASSERT_EQ(std::get<ScopedAStatus>(result).getServiceSpecificError(),
static_cast<int32_t>(ErrorCode::TOO_MANY_OPERATIONS));
- // Generating a certificate with signWith also uses a slot.
+ // Generating a certificate with signWith uses a slot but falls back to not using one.
auto kps = std::vector<KeyParameter>({
KMV1::makeKeyParameter(KMV1::TAG_ALGORITHM, Algorithm::RSA),
KMV1::makeKeyParameter(KMV1::TAG_KEY_SIZE, 2048),
KMV1::makeKeyParameter(KMV1::TAG_RSA_PUBLIC_EXPONENT, 65537),
KMV1::makeKeyParameter(KMV1::TAG_DIGEST, Digest::SHA_2_256),
KMV1::makeKeyParameter(KMV1::TAG_PURPOSE, KeyPurpose::SIGN),
+ KMV1::makeKeyParameter(KMV1::TAG_CERTIFICATE_NOT_BEFORE, 0),
+ KMV1::makeKeyParameter(KMV1::TAG_CERTIFICATE_NOT_AFTER, 253402300799000),
KMV1::makeKeyParameter(KMV1::TAG_NO_AUTH_REQUIRED, true),
});
KeyCreationResult creationResult;
status = device->generateKey(kps, std::nullopt /* attest_key */, &creationResult);
- ASSERT_TRUE(!status.isOk());
- ASSERT_EQ(status.getServiceSpecificError(),
- static_cast<int32_t>(ErrorCode::TOO_MANY_OPERATIONS));
+ ASSERT_TRUE(status.isOk());
// But generating a certificate with signCert does not use a slot.
kps.pop_back();
status = device->generateKey(kps, std::nullopt /* attest_key */, &creationResult);