Adding tests to verify Device-Unique-Attestation.
1. Test to verify Device-Unique-Attestation is not supported on
`TRUSTED_ENVIRONMENT` security level. Test shoould fail to generate a
key with device-unique-attestation with `INVALID_ARGUMENT` error code.
2. Generate EC/RSA keys with `DEVICE_UNIQUE_ATTESTATION` using `STRONGBOX`
security level. Test should generate akey and verify key
characteristics and cert-chain signatures. Test should be able to
perform an operation using the generated key successfully.
3. Try to generate a device unique attested key with attestation of
invalid device's identifiers. Test should fail to generate a key with
error code `CANNOT_ATTEST_IDS`.
4. Generate a device unique attested key with attestation of the
device's identifiers. Test should succeed in generating a attested
key with attestation of device identifiers. Test might fail on
devices which don't support device id attestation with error response
code `CANNOT_ATTEST_IDS`. Separate test is added for each attestation
id with RSA and EC keys.
Bug: 279721870
Test: atest keystore2_client_tests
Change-Id: I627a01dc44558a4393d14f9931b1708196ee6ff9
diff --git a/keystore2/test_utils/authorizations.rs b/keystore2/test_utils/authorizations.rs
index 02ceb83..61260c7 100644
--- a/keystore2/test_utils/authorizations.rs
+++ b/keystore2/test_utils/authorizations.rs
@@ -335,6 +335,15 @@
self.0.push(KeyParameter { tag: Tag::APPLICATION_ID, value: KeyParameterValue::Blob(b) });
self
}
+
+ /// Set device-unique-attestation.
+ pub fn device_unique_attestation(mut self) -> Self {
+ self.0.push(KeyParameter {
+ tag: Tag::DEVICE_UNIQUE_ATTESTATION,
+ value: KeyParameterValue::BoolValue(true),
+ });
+ self
+ }
}
impl Deref for AuthSetBuilder {
diff --git a/keystore2/test_utils/ffi_test_utils.rs b/keystore2/test_utils/ffi_test_utils.rs
index 5d6bf46..1ccdcc8 100644
--- a/keystore2/test_utils/ffi_test_utils.rs
+++ b/keystore2/test_utils/ffi_test_utils.rs
@@ -50,7 +50,19 @@
/// Validate given certificate chain.
pub fn validate_certchain(cert_buf: &[u8]) -> Result<bool, Error> {
- if ffi::validateCertChain(cert_buf.to_vec(), cert_buf.len().try_into().unwrap(), true) {
+ validate_certchain_with_strict_issuer_check(cert_buf, true)
+}
+
+/// Validate given certificate chain with an option to validate the issuer.
+pub fn validate_certchain_with_strict_issuer_check(
+ cert_buf: &[u8],
+ strict_issuer_check: bool,
+) -> Result<bool, Error> {
+ if ffi::validateCertChain(
+ cert_buf.to_vec(),
+ cert_buf.len().try_into().unwrap(),
+ strict_issuer_check,
+ ) {
return Ok(true);
}
diff --git a/keystore2/test_utils/key_generations.rs b/keystore2/test_utils/key_generations.rs
index badc480..9ddc87a 100644
--- a/keystore2/test_utils/key_generations.rs
+++ b/keystore2/test_utils/key_generations.rs
@@ -40,7 +40,7 @@
use crate::ffi_test_utils::{
get_os_patchlevel, get_os_version, get_value_from_attest_record, get_vendor_patchlevel,
- validate_certchain,
+ validate_certchain_with_strict_issuer_check,
};
/// Shell namespace.
@@ -1426,7 +1426,10 @@
let mut cert_chain: Vec<u8> = Vec::new();
cert_chain.extend(key_metadata.certificate.as_ref().unwrap());
cert_chain.extend(key_metadata.certificateChain.as_ref().unwrap());
- validate_certchain(&cert_chain).expect("Error while validating cert chain");
+ let strict_issuer_check =
+ !(gen_params.iter().any(|kp| kp.tag == Tag::DEVICE_UNIQUE_ATTESTATION));
+ validate_certchain_with_strict_issuer_check(&cert_chain, strict_issuer_check)
+ .expect("Error while validating cert chain");
}
if let Some(challenge_param) =