Cope with rkp-only devices in legacy keyblob test
On a rkp-only device it is not possible to generate an attestation
on a bare key generation (attestations can only be generated if an
ATTEST_KEY is provided).
Bug: 329409739
Test: keystore2_legacy_blobs_test
Change-Id: Icdc4037466ab32366c34feeb42b58822ea110ebf
diff --git a/keystore2/tests/legacy_blobs/keystore2_legacy_blob_tests.rs b/keystore2/tests/legacy_blobs/keystore2_legacy_blob_tests.rs
index 0335159..3be99ee 100644
--- a/keystore2/tests/legacy_blobs/keystore2_legacy_blob_tests.rs
+++ b/keystore2/tests/legacy_blobs/keystore2_legacy_blob_tests.rs
@@ -46,6 +46,10 @@
static AUTH_SERVICE_NAME: &str = "android.security.authorization";
const SELINUX_SHELL_NAMESPACE: i64 = 1;
+fn rkp_only() -> bool {
+ matches!(rustutils::system_properties::read("remote_provisioning.tee.rkp_only"), Ok(Some(v)) if v == "1")
+}
+
fn get_maintenance() -> binder::Strong<dyn IKeystoreMaintenance> {
binder::get_interface(USER_MANAGER_SERVICE_NAME).unwrap()
}
@@ -162,13 +166,13 @@
.getSecurityLevel(SecurityLevel::SecurityLevel::TRUSTED_ENVIRONMENT)
.unwrap();
// Generate Key BLOB and prepare legacy keystore blob files.
- let att_challenge: &[u8] = b"foo";
+ let att_challenge: Option<&[u8]> = if rkp_only() { None } else { Some(b"foo") };
let key_metadata = key_generations::generate_ec_p256_signing_key(
&sec_level,
Domain::BLOB,
SELINUX_SHELL_NAMESPACE,
None,
- Some(att_challenge),
+ att_challenge,
)
.expect("Failed to generate key blob");
@@ -212,14 +216,12 @@
.unwrap();
}
- let mut path_buf = PathBuf::from("/data/misc/keystore/user_99");
- path_buf.push("9910001_CACERT_authbound");
- if !path_buf.as_path().is_file() {
- make_cert_blob_file(
- path_buf.as_path(),
- key_metadata.certificateChain.as_ref().unwrap(),
- )
- .unwrap();
+ if let Some(chain) = key_metadata.certificateChain.as_ref() {
+ let mut path_buf = PathBuf::from("/data/misc/keystore/user_99");
+ path_buf.push("9910001_CACERT_authbound");
+ if !path_buf.as_path().is_file() {
+ make_cert_blob_file(path_buf.as_path(), chain).unwrap();
+ }
}
// Keystore2 disables the legacy importer when it finds the legacy database empty.
@@ -246,7 +248,7 @@
KeygenResult {
cert: key_metadata.certificate.unwrap(),
- cert_chain: key_metadata.certificateChain.unwrap(),
+ cert_chain: key_metadata.certificateChain.unwrap_or_default(),
key_parameters: key_params,
}
})
@@ -275,7 +277,7 @@
gen_key_result.cert
);
assert_eq!(
- key_entry_response.metadata.certificateChain.unwrap(),
+ key_entry_response.metadata.certificateChain.unwrap_or_default(),
gen_key_result.cert_chain
);
assert_eq!(key_entry_response.metadata.key.domain, Domain::KEY_ID);
@@ -415,13 +417,13 @@
.getSecurityLevel(SecurityLevel::SecurityLevel::TRUSTED_ENVIRONMENT)
.unwrap();
// Generate Key BLOB and prepare legacy keystore blob files.
- let att_challenge: &[u8] = b"foo";
+ let att_challenge: Option<&[u8]> = if rkp_only() { None } else { Some(b"foo") };
let key_metadata = key_generations::generate_ec_p256_signing_key(
&sec_level,
Domain::BLOB,
SELINUX_SHELL_NAMESPACE,
None,
- Some(att_challenge),
+ att_challenge,
)
.expect("Failed to generate key blob");
@@ -468,15 +470,12 @@
.unwrap();
}
- let mut path_buf = PathBuf::from("/data/misc/keystore/user_98");
- path_buf.push("9810001_CACERT_authboundcertenc");
- if !path_buf.as_path().is_file() {
- make_encrypted_ca_cert_file(
- path_buf.as_path(),
- &super_key,
- key_metadata.certificateChain.as_ref().unwrap(),
- )
- .unwrap();
+ if let Some(chain) = key_metadata.certificateChain.as_ref() {
+ let mut path_buf = PathBuf::from("/data/misc/keystore/user_98");
+ path_buf.push("9810001_CACERT_authboundcertenc");
+ if !path_buf.as_path().is_file() {
+ make_encrypted_ca_cert_file(path_buf.as_path(), &super_key, chain).unwrap();
+ }
}
// Keystore2 disables the legacy importer when it finds the legacy database empty.
@@ -503,7 +502,7 @@
KeygenResult {
cert: key_metadata.certificate.unwrap(),
- cert_chain: key_metadata.certificateChain.unwrap(),
+ cert_chain: key_metadata.certificateChain.unwrap_or_default(),
key_parameters: key_params,
}
})
@@ -532,7 +531,7 @@
gen_key_result.cert
);
assert_eq!(
- key_entry_response.metadata.certificateChain.unwrap(),
+ key_entry_response.metadata.certificateChain.unwrap_or_default(),
gen_key_result.cert_chain
);