commit a42dee61cefd6083648face2d7fb56ffba0f60dd
author Rajesh Nyamagoud <nyamagoud@google.com> Fri Apr 22 21:15:55 2022 +0000
committer Rajesh Nyamagoud <nyamagoud@google.com> Tue Jun 20 19:07:27 2023 +0000
tree af767f4bb82889c1b70196fa1ce9eb0d2b94bbd5
parent cdeb7302af5a30d62aab712a71b32f0b46a4dcaa

Added tests to attest keys with attestation id.

- Generate an RSA/EC attested keys with attestation of the device's
  identifiers. Test should succeed in generatating a attested key with
  attestation of device identifier. Test might fail on devices which
  doesn't support device id attestation with error response code
  `CANNOT_ATTEST_IDS or INVALID_TAG`.

- Try to generate an attested key with attestation of invalid device's
  identifiers. Test should fail with error response `CANNOT_ATTEST_IDS`

- Test to make sure `CANNOT_ATTEST_IDS` error code is returned while
  trying to generate a key on a device which doesn't support
  `FEATURE_DEVICE_ID_ATTESTATION`.

Bug: 194359114
Test: atest keystore2_client_test
Change-Id: Ib57c58d3ea89279eb69db342c3343b8d99ddc639

keystore2/tests/ffi_test_utils.cpp

diff --git a/keystore2/tests/ffi_test_utils.cpp b/keystore2/tests/ffi_test_utils.cpp
index 47dd7a4..7fbfb8b 100644
--- a/keystore2/tests/ffi_test_utils.cpp
+++ b/keystore2/tests/ffi_test_utils.cpp
@@ -18,6 +18,8 @@
 #include <keymaster/km_openssl/openssl_err.h>
 #include <keymaster/km_openssl/openssl_utils.h>
 
+#include <android-base/logging.h>
+
 using aidl::android::hardware::security::keymint::ErrorCode;
 
 #define TAG_SEQUENCE 0x30
@@ -503,3 +505,94 @@
 #endif
     return result;
 }
+
+CxxResult getValueFromAttestRecord(rust::Vec<rust::u8> cert_buf, int32_t tag) {
+    CxxResult cxx_result{};
+    cxx_result.error = KM_ERROR_OK;
+
+    uint8_t* cert_data = cert_buf.data();
+    int cert_data_size = cert_buf.size();
+
+    std::vector<uint8_t> cert_bytes;
+    cert_bytes.insert(cert_bytes.end(), cert_data, (cert_data + cert_data_size));
+
+    aidl::android::hardware::security::keymint::X509_Ptr cert(
+        aidl::android::hardware::security::keymint::test::parse_cert_blob(cert_bytes));
+    if (!cert.get()) {
+        cxx_result.error = KM_ERROR_MEMORY_ALLOCATION_FAILED;
+        return cxx_result;
+    }
+
+    ASN1_OCTET_STRING* attest_rec =
+        aidl::android::hardware::security::keymint::test::get_attestation_record(cert.get());
+    if (!attest_rec) {
+        cxx_result.error = keymaster::TranslateLastOpenSslError();
+        return cxx_result;
+    }
+
+    aidl::android::hardware::security::keymint::AuthorizationSet att_sw_enforced;
+    aidl::android::hardware::security::keymint::AuthorizationSet att_hw_enforced;
+    uint32_t att_attestation_version;
+    uint32_t att_keymint_version;
+    aidl::android::hardware::security::keymint::SecurityLevel att_attestation_security_level;
+    aidl::android::hardware::security::keymint::SecurityLevel att_keymint_security_level;
+    std::vector<uint8_t> att_challenge;
+    std::vector<uint8_t> att_unique_id;
+    std::vector<uint8_t> att_app_id;
+
+    auto error = aidl::android::hardware::security::keymint::parse_attestation_record(
+        attest_rec->data, attest_rec->length, &att_attestation_version,
+        &att_attestation_security_level, &att_keymint_version, &att_keymint_security_level,
+        &att_challenge, &att_sw_enforced, &att_hw_enforced, &att_unique_id);
+    EXPECT_EQ(ErrorCode::OK, error);
+    if (error != ErrorCode::OK) {
+        cxx_result.error = static_cast<int32_t>(error);
+        return cxx_result;
+    }
+
+    aidl::android::hardware::security::keymint::Tag auth_tag =
+        static_cast<aidl::android::hardware::security::keymint::Tag>(tag);
+
+    if (auth_tag == aidl::android::hardware::security::keymint::Tag::ATTESTATION_APPLICATION_ID) {
+        int pos = att_sw_enforced.find(
+            aidl::android::hardware::security::keymint::Tag::ATTESTATION_APPLICATION_ID);
+        if (pos == -1) {
+            cxx_result.error = KM_ERROR_ATTESTATION_APPLICATION_ID_MISSING;
+            return cxx_result;
+        }
+        aidl::android::hardware::security::keymint::KeyParameter param = att_sw_enforced[pos];
+        std::vector<uint8_t> val =
+            param.value.get<aidl::android::hardware::security::keymint::KeyParameterValue::blob>();
+        std::move(val.begin(), val.end(), std::back_inserter(cxx_result.data));
+        return cxx_result;
+    }
+
+    if (auth_tag == aidl::android::hardware::security::keymint::Tag::ATTESTATION_CHALLENGE) {
+        if (att_challenge.size() == 0) {
+            cxx_result.error = KM_ERROR_ATTESTATION_CHALLENGE_MISSING;
+            return cxx_result;
+        }
+        std::move(att_challenge.begin(), att_challenge.end(), std::back_inserter(cxx_result.data));
+        return cxx_result;
+    }
+
+    if (auth_tag == aidl::android::hardware::security::keymint::Tag::UNIQUE_ID) {
+        if (att_unique_id.size() == 0) {
+            cxx_result.error = KM_ERROR_UNSUPPORTED_TAG;
+            return cxx_result;
+        }
+        std::move(att_unique_id.begin(), att_unique_id.end(), std::back_inserter(cxx_result.data));
+        return cxx_result;
+    }
+
+    int pos = att_hw_enforced.find(auth_tag);
+    if (pos == -1) {
+        cxx_result.error = KM_ERROR_UNSUPPORTED_TAG;
+        return cxx_result;
+    }
+    aidl::android::hardware::security::keymint::KeyParameter param = att_hw_enforced[pos];
+    std::vector<uint8_t> val =
+        param.value.get<aidl::android::hardware::security::keymint::KeyParameterValue::blob>();
+    std::move(val.begin(), val.end(), std::back_inserter(cxx_result.data));
+    return cxx_result;
+}