Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_security / b1c8e833920e45042f7ce1c167757b6e3f9e86c1^! / . / keystore2 / test_utils / key_generations.rs
commitb1c8e833920e45042f7ce1c167757b6e3f9e86c1[log] [tgz]
authorRajesh Nyamagoud <nyamagoud@google.com>Tue Jun 06 01:39:44 2023 +0000
committerRajesh Nyamagoud <nyamagoud@google.com>Tue Nov 14 21:33:19 2023 +0000
tree5f4a6f44502b54082de6f8a53ea46a9ef5003bb8
parent855f23300442c9647c460f35a8025d6fbdf53839 [diff] [blame]
Adding tests to verify Device-Unique-Attestation.

1. Test to verify Device-Unique-Attestation is not supported on
   `TRUSTED_ENVIRONMENT` security level. Test shoould fail to generate a
   key with device-unique-attestation with `INVALID_ARGUMENT` error code.

2. Generate EC/RSA keys with `DEVICE_UNIQUE_ATTESTATION` using `STRONGBOX`
   security level. Test should generate akey and verify key
   characteristics and cert-chain signatures. Test should be able to
   perform an operation using the generated key successfully.

3. Try to generate a device unique attested key with attestation of
   invalid device's identifiers. Test should fail to generate a key with
   error code `CANNOT_ATTEST_IDS`.

4. Generate a device unique attested key with attestation of the
   device's identifiers. Test should succeed in generating a attested
   key with attestation of device identifiers. Test might fail on
   devices which don't support device id attestation with error response
   code `CANNOT_ATTEST_IDS`. Separate test is added for each attestation
   id with RSA and EC keys.

Bug: 279721870
Test: atest keystore2_client_tests
Change-Id: I627a01dc44558a4393d14f9931b1708196ee6ff9

diff --git a/keystore2/test_utils/key_generations.rs b/keystore2/test_utils/key_generations.rs
index badc480..9ddc87a 100644
--- a/keystore2/test_utils/key_generations.rs
+++ b/keystore2/test_utils/key_generations.rs

@@ -40,7 +40,7 @@
 
 use crate::ffi_test_utils::{
     get_os_patchlevel, get_os_version, get_value_from_attest_record, get_vendor_patchlevel,
-    validate_certchain,
+    validate_certchain_with_strict_issuer_check,
 };
 
 /// Shell namespace.
@@ -1426,7 +1426,10 @@
             let mut cert_chain: Vec<u8> = Vec::new();
             cert_chain.extend(key_metadata.certificate.as_ref().unwrap());
             cert_chain.extend(key_metadata.certificateChain.as_ref().unwrap());
-            validate_certchain(&cert_chain).expect("Error while validating cert chain");
+            let strict_issuer_check =
+                !(gen_params.iter().any(|kp| kp.tag == Tag::DEVICE_UNIQUE_ATTESTATION));
+            validate_certchain_with_strict_issuer_check(&cert_chain, strict_issuer_check)
+                .expect("Error while validating cert chain");
         }
 
         if let Some(challenge_param) =