Added tests to attest keys with attestation id.
- Generate an RSA/EC attested keys with attestation of the device's
identifiers. Test should succeed in generatating a attested key with
attestation of device identifier. Test might fail on devices which
doesn't support device id attestation with error response code
`CANNOT_ATTEST_IDS or INVALID_TAG`.
- Try to generate an attested key with attestation of invalid device's
identifiers. Test should fail with error response `CANNOT_ATTEST_IDS`
- Test to make sure `CANNOT_ATTEST_IDS` error code is returned while
trying to generate a key on a device which doesn't support
`FEATURE_DEVICE_ID_ATTESTATION`.
Bug: 194359114
Test: atest keystore2_client_test
Change-Id: Ib57c58d3ea89279eb69db342c3343b8d99ddc639
diff --git a/keystore2/test_utils/authorizations.rs b/keystore2/test_utils/authorizations.rs
index 4608bc5..514cbd3 100644
--- a/keystore2/test_utils/authorizations.rs
+++ b/keystore2/test_utils/authorizations.rs
@@ -161,6 +161,87 @@
.push(KeyParameter { tag: Tag::MIN_MAC_LENGTH, value: KeyParameterValue::Integer(l) });
self
}
+
+ /// Add Attestation-Device-Brand.
+ pub fn attestation_device_brand(mut self, b: Vec<u8>) -> Self {
+ self.0.push(KeyParameter {
+ tag: Tag::ATTESTATION_ID_BRAND,
+ value: KeyParameterValue::Blob(b),
+ });
+ self
+ }
+
+ /// Add Attestation-Device-name.
+ pub fn attestation_device_name(mut self, b: Vec<u8>) -> Self {
+ self.0.push(KeyParameter {
+ tag: Tag::ATTESTATION_ID_DEVICE,
+ value: KeyParameterValue::Blob(b),
+ });
+ self
+ }
+
+ /// Add Attestation-Device-Product-Name.
+ pub fn attestation_device_product_name(mut self, b: Vec<u8>) -> Self {
+ self.0.push(KeyParameter {
+ tag: Tag::ATTESTATION_ID_PRODUCT,
+ value: KeyParameterValue::Blob(b),
+ });
+ self
+ }
+
+ /// Add Attestation-Device-Serial.
+ pub fn attestation_device_serial(mut self, b: Vec<u8>) -> Self {
+ self.0.push(KeyParameter {
+ tag: Tag::ATTESTATION_ID_SERIAL,
+ value: KeyParameterValue::Blob(b),
+ });
+ self
+ }
+
+ /// Add Attestation-Device-IMEI.
+ pub fn attestation_device_imei(mut self, b: Vec<u8>) -> Self {
+ self.0.push(KeyParameter {
+ tag: Tag::ATTESTATION_ID_IMEI,
+ value: KeyParameterValue::Blob(b),
+ });
+ self
+ }
+
+ /// Add Attestation-Device-IMEI.
+ pub fn attestation_device_second_imei(mut self, b: Vec<u8>) -> Self {
+ self.0.push(KeyParameter {
+ tag: Tag::ATTESTATION_ID_SECOND_IMEI,
+ value: KeyParameterValue::Blob(b),
+ });
+ self
+ }
+
+ /// Add Attestation-Device-MEID.
+ pub fn attestation_device_meid(mut self, b: Vec<u8>) -> Self {
+ self.0.push(KeyParameter {
+ tag: Tag::ATTESTATION_ID_MEID,
+ value: KeyParameterValue::Blob(b),
+ });
+ self
+ }
+
+ /// Add Attestation-Device-Manufacturer.
+ pub fn attestation_device_manufacturer(mut self, b: Vec<u8>) -> Self {
+ self.0.push(KeyParameter {
+ tag: Tag::ATTESTATION_ID_MANUFACTURER,
+ value: KeyParameterValue::Blob(b),
+ });
+ self
+ }
+
+ /// Add Attestation-Device-Model.
+ pub fn attestation_device_model(mut self, b: Vec<u8>) -> Self {
+ self.0.push(KeyParameter {
+ tag: Tag::ATTESTATION_ID_MODEL,
+ value: KeyParameterValue::Blob(b),
+ });
+ self
+ }
}
impl Deref for AuthSetBuilder {
diff --git a/keystore2/test_utils/key_generations.rs b/keystore2/test_utils/key_generations.rs
index ff40aa1..0a1ffb1 100644
--- a/keystore2/test_utils/key_generations.rs
+++ b/keystore2/test_utils/key_generations.rs
@@ -306,6 +306,12 @@
/// Error code to indicate error while using keystore-engine API.
#[error("Failed to perform crypto op using keystore-engine APIs.")]
Keystore2EngineOpFailed,
+ /// Error code to indicate error in attestation-id validation.
+ #[error("Failed to validate attestation-id.")]
+ ValidateAttestIdFailed,
+ /// Error code to indicate error in getting value from attest record.
+ #[error("Failed to get value from attest record.")]
+ AttestRecordGetValueFailed,
}
/// Keystore2 error mapping.
@@ -1109,3 +1115,77 @@
Ok(imported_key_aliases)
}
+
+/// Generate attested EC-P_256 key with device id attestation.
+pub fn generate_key_with_attest_id(
+ sec_level: &binder::Strong<dyn IKeystoreSecurityLevel>,
+ algorithm: Algorithm,
+ alias: Option<String>,
+ att_challenge: &[u8],
+ attest_key: &KeyDescriptor,
+ attest_id: Tag,
+ value: Vec<u8>,
+) -> binder::Result<KeyMetadata> {
+ assert!(algorithm == Algorithm::RSA || algorithm == Algorithm::EC);
+
+ let mut ec_gen_params;
+ if algorithm == Algorithm::EC {
+ ec_gen_params = AuthSetBuilder::new()
+ .no_auth_required()
+ .algorithm(Algorithm::EC)
+ .purpose(KeyPurpose::SIGN)
+ .purpose(KeyPurpose::VERIFY)
+ .digest(Digest::SHA_2_256)
+ .ec_curve(EcCurve::P_256)
+ .attestation_challenge(att_challenge.to_vec());
+ } else {
+ ec_gen_params = AuthSetBuilder::new()
+ .no_auth_required()
+ .algorithm(Algorithm::RSA)
+ .rsa_public_exponent(65537)
+ .key_size(2048)
+ .purpose(KeyPurpose::SIGN)
+ .purpose(KeyPurpose::VERIFY)
+ .digest(Digest::SHA_2_256)
+ .padding_mode(PaddingMode::RSA_PKCS1_1_5_SIGN)
+ .attestation_challenge(att_challenge.to_vec());
+ }
+
+ match attest_id {
+ Tag::ATTESTATION_ID_BRAND => {
+ ec_gen_params = ec_gen_params.attestation_device_brand(value);
+ }
+ Tag::ATTESTATION_ID_DEVICE => {
+ ec_gen_params = ec_gen_params.attestation_device_name(value);
+ }
+ Tag::ATTESTATION_ID_PRODUCT => {
+ ec_gen_params = ec_gen_params.attestation_device_product_name(value);
+ }
+ Tag::ATTESTATION_ID_SERIAL => {
+ ec_gen_params = ec_gen_params.attestation_device_serial(value);
+ }
+ Tag::ATTESTATION_ID_MANUFACTURER => {
+ ec_gen_params = ec_gen_params.attestation_device_manufacturer(value);
+ }
+ Tag::ATTESTATION_ID_MODEL => {
+ ec_gen_params = ec_gen_params.attestation_device_model(value);
+ }
+ Tag::ATTESTATION_ID_IMEI => {
+ ec_gen_params = ec_gen_params.attestation_device_imei(value);
+ }
+ Tag::ATTESTATION_ID_SECOND_IMEI => {
+ ec_gen_params = ec_gen_params.attestation_device_second_imei(value);
+ }
+ _ => {
+ panic!("Unknown attestation id");
+ }
+ }
+
+ sec_level.generateKey(
+ &KeyDescriptor { domain: Domain::APP, nspace: -1, alias, blob: None },
+ Some(attest_key),
+ &ec_gen_params,
+ 0,
+ b"entropy",
+ )
+}