Add a test that generates a key while specifying the certificate subject
and certificate serial number. The test generates a key and verifies the
specified key characteristics.

Bug: 279721870
Test: atest keystore2_client_tests
Change-Id: I3ea356da8ca3404a94081a680210a9f426a2b908
diff --git a/keystore2/test_utils/authorizations.rs b/keystore2/test_utils/authorizations.rs
index 61260c7..2cb2aaf 100644
--- a/keystore2/test_utils/authorizations.rs
+++ b/keystore2/test_utils/authorizations.rs
@@ -344,6 +344,22 @@
         });
         self
     }
+
+    /// Add certificate serial number.
+    pub fn cert_serial(mut self, b: Vec<u8>) -> Self {
+        self.0
+            .push(KeyParameter { tag: Tag::CERTIFICATE_SERIAL, value: KeyParameterValue::Blob(b) });
+        self
+    }
+
+    /// Add certificate subject name.
+    pub fn cert_subject_name(mut self, b: Vec<u8>) -> Self {
+        self.0.push(KeyParameter {
+            tag: Tag::CERTIFICATE_SUBJECT,
+            value: KeyParameterValue::Blob(b),
+        });
+        self
+    }
 }
 
 impl Deref for AuthSetBuilder {
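Review bot: The new `cert_serial` and `cert_subject_name` methods name their parameter `b`, and their doc comments do not say which encoding the bytes must have. The test added in this commit passes a DER-encoded X.509 name (`x509_name.build().to_der()`) and the big-endian bytes from `BigNum::to_vec()`, so the comments could read `/// Add certificate serial number as big-endian integer bytes.` and `/// Add certificate subject name as a DER-encoded X.509 name.`. Renaming the parameters to `serial` and `subject` would make call sites self-explanatory. The enclosing `impl` block starts outside this hunk.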
diff --git a/keystore2/tests/keystore2_client_authorizations_tests.rs b/keystore2/tests/keystore2_client_authorizations_tests.rs
index 279ecd7..2291a08 100644
--- a/keystore2/tests/keystore2_client_authorizations_tests.rs
+++ b/keystore2/tests/keystore2_client_authorizations_tests.rs
@@ -14,6 +14,9 @@
 
 use std::time::SystemTime;
 
+use openssl::bn::{BigNum, MsbOption};
+use openssl::x509::X509NameBuilder;
+
 use android_hardware_security_keymint::aidl::android::hardware::security::keymint::{
     Algorithm::Algorithm, BlockMode::BlockMode, Digest::Digest, EcCurve::EcCurve,
     ErrorCode::ErrorCode, KeyPurpose::KeyPurpose, PaddingMode::PaddingMode,
@@ -39,7 +42,8 @@
 
 use crate::keystore2_client_test_utils::{
     delete_app_key, perform_sample_asym_sign_verify_op, perform_sample_hmac_sign_verify_op,
-    perform_sample_sym_key_decrypt_op, perform_sample_sym_key_encrypt_op, SAMPLE_PLAIN_TEXT,
+    perform_sample_sym_key_decrypt_op, perform_sample_sym_key_encrypt_op,
+    verify_certificate_serial_num, verify_certificate_subject_name, SAMPLE_PLAIN_TEXT,
 };
 
 use keystore2_test_utils::ffi_test_utils::get_value_from_attest_record;
@@ -964,3 +968,39 @@
         keystore_auth.getLastAuthTime(0, &[HardwareAuthenticatorType::FINGERPRINT]).unwrap() > 0
     );
 }
+
+/// Generate a key with specifying `CERTIFICATE_SUBJECT and CERTIFICATE_SERIAL`. Test should
+/// generate a key successfully and verify the specified key parameters.
+#[test]
+fn keystore2_gen_key_auth_serial_number_subject_test_success() {
+    let keystore2 = get_keystore_service();
+    let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+
+    let cert_subject = "test cert subject";
+    let mut x509_name = X509NameBuilder::new().unwrap();
+    x509_name.append_entry_by_text("CN", cert_subject).unwrap();
+    let x509_name = x509_name.build().to_der().unwrap();
+
+    let mut serial = BigNum::new().unwrap();
+    serial.rand(159, MsbOption::MAYBE_ZERO, false).unwrap();
+
+    let gen_params = authorizations::AuthSetBuilder::new()
+        .no_auth_required()
+        .algorithm(Algorithm::EC)
+        .purpose(KeyPurpose::SIGN)
+        .purpose(KeyPurpose::VERIFY)
+        .digest(Digest::SHA_2_256)
+        .ec_curve(EcCurve::P_256)
+        .attestation_challenge(b"foo".to_vec())
+        .cert_subject_name(x509_name)
+        .cert_serial(serial.to_vec());
+
+    let alias = "ks_test_auth_tags_test";
+    let key_metadata = key_generations::generate_key(&sec_level, &gen_params, alias).unwrap();
+    verify_certificate_subject_name(
+        key_metadata.certificate.as_ref().unwrap(),
+        cert_subject.as_bytes(),
+    );
+    verify_certificate_serial_num(key_metadata.certificate.as_ref().unwrap(), &serial);
+    delete_app_key(&keystore2, alias).unwrap();
+}
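Review bot: The final `delete_app_key` call is skipped whenever one of the `verify_certificate_*` assertions panics, so a failing run leaves the `ks_test_auth_tags_test` key in the keystore for later runs. `key_metadata` appears to hold the certificate bytes by value, so `delete_app_key(&keystore2, alias).unwrap();` could move to directly after the `generate_key(...)` line, before the two verify calls; confirm that nothing else needs the key entry afterwards. In the doc comment, the backticks span both tag names and the word "and"; each tag name should get its own backtick pair.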
diff --git a/keystore2/tests/keystore2_client_test_utils.rs b/keystore2/tests/keystore2_client_test_utils.rs
index 364cec4..037482a 100644
--- a/keystore2/tests/keystore2_client_test_utils.rs
+++ b/keystore2/tests/keystore2_client_test_utils.rs
@@ -17,9 +17,11 @@
 
 use std::process::{Command, Output};
 
+use openssl::bn::BigNum;
 use openssl::encrypt::Encrypter;
 use openssl::error::ErrorStack;
 use openssl::hash::MessageDigest;
+use openssl::nid::Nid;
 use openssl::pkey::PKey;
 use openssl::pkey::Public;
 use openssl::rsa::Padding;
@@ -534,3 +536,16 @@
         }
     }
 }
+
+pub fn verify_certificate_subject_name(cert_bytes: &[u8], expected_subject: &[u8]) {
+    let cert = X509::from_der(cert_bytes).unwrap();
+    let subject = cert.subject_name();
+    let cn = subject.entries_by_nid(Nid::COMMONNAME).next().unwrap();
+    assert_eq!(cn.data().as_slice(), expected_subject);
+}
+
+pub fn verify_certificate_serial_num(cert_bytes: &[u8], expected_serial_num: &BigNum) {
+    let cert = X509::from_der(cert_bytes).unwrap();
+    let serial_num = cert.serial_number();
+    assert_eq!(serial_num.to_bn().as_ref().unwrap(), expected_serial_num);
+}
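Review bot: `verify_certificate_subject_name` checks only the first `COMMONNAME` entry, so a certificate whose subject carries extra, unrequested entries would still pass. Adding `assert_eq!(subject.entries().count(), 1);` would pin the subject to exactly what the test requested. Both new `pub fn` helpers also lack doc comments, for example `/// Parses a DER certificate and asserts that its subject CN equals expected_subject.` and `/// Parses a DER certificate and asserts that its serial number equals expected_serial_num.`. The bare `.next().unwrap()` could become `.expect("certificate subject has no CN entry")` so a failure names its cause.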