Merge changes Ic306bb27,I2aa154a9,Ie4e675ca into main

* changes:
  Cope better with errors in child processes
  Add tests using real Gatekeeper
  Test failure arms for auth-bound keys
diff --git a/keystore2/aidl/Android.bp b/keystore2/aidl/Android.bp
index c297a15..ae3fb18 100644
--- a/keystore2/aidl/Android.bp
+++ b/keystore2/aidl/Android.bp
@@ -22,25 +22,6 @@
 }
 
 aidl_interface {
-    name: "android.security.attestationmanager",
-    srcs: ["android/security/attestationmanager/*.aidl"],
-    imports: ["android.hardware.security.keymint-V3"],
-    unstable: true,
-    backend: {
-        java: {
-            platform_apis: true,
-        },
-        rust: {
-            enabled: true,
-        },
-        ndk: {
-            enabled: true,
-            apps_enabled: false,
-        },
-    },
-}
-
-aidl_interface {
     name: "android.security.authorization",
     srcs: ["android/security/authorization/*.aidl"],
     imports: [
diff --git a/keystore2/aidl/android/security/attestationmanager/ByteArray.aidl b/keystore2/aidl/android/security/attestationmanager/ByteArray.aidl
deleted file mode 100644
index dc37b1b..0000000
--- a/keystore2/aidl/android/security/attestationmanager/ByteArray.aidl
+++ /dev/null
@@ -1,25 +0,0 @@
-/*
- * Copyright (C) 2020 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package android.security.attestationmanager;
-
-/**
- * Simple data holder for a byte array, allowing for multidimensional arrays in AIDL.
- * @hide
- */
-parcelable ByteArray {
-    byte[] data;
-}
\ No newline at end of file
diff --git a/keystore2/aidl/android/security/attestationmanager/IAttestationManager.aidl b/keystore2/aidl/android/security/attestationmanager/IAttestationManager.aidl
deleted file mode 100644
index e77a21e..0000000
--- a/keystore2/aidl/android/security/attestationmanager/IAttestationManager.aidl
+++ /dev/null
@@ -1,36 +0,0 @@
-/*
- * Copyright (C) 2020 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package android.security.attestationmanager;
-
-import android.security.attestationmanager.ByteArray;
-import android.hardware.security.keymint.KeyParameter;
-
-/**
- * Internal interface for performing device attestation.
- * @hide
- */
-interface IAttestationManager {
-    /**
-     * Attest a provided list of device identifiers.
-     *
-     * @return The signed certificate chain, with each individual certificate encoded as a byte
-     *         array.
-     */
-    ByteArray[] attestDevice(
-            in KeyParameter[] deviceIdentifiers, boolean useIndividualAttestation,
-            in byte[] attestationChallenge, int securityLevel);
-}
\ No newline at end of file
diff --git a/keystore2/tests/keystore2_client_authorizations_tests.rs b/keystore2/tests/keystore2_client_authorizations_tests.rs
index 0fd820d..4e83f73 100644
--- a/keystore2/tests/keystore2_client_authorizations_tests.rs
+++ b/keystore2/tests/keystore2_client_authorizations_tests.rs
@@ -636,7 +636,7 @@
 /// Generate a key with `APPLICATION_DATA` and `APPLICATION_ID`. Test should create an operation
 /// successfully using the same `APPLICATION_DATA` and `APPLICATION_ID`.
 #[test]
-fn keystore2_gen_key_auth_app_data_test_success() {
+fn keystore2_gen_key_auth_app_data_app_id_test_success() {
     let sl = SecLevel::tee();
 
     let gen_params = authorizations::AuthSetBuilder::new()
@@ -644,7 +644,7 @@
         .algorithm(Algorithm::EC)
         .purpose(KeyPurpose::SIGN)
         .purpose(KeyPurpose::VERIFY)
-        .digest(Digest::SHA_2_256)
+        .digest(Digest::NONE)
         .ec_curve(EcCurve::P_256)
         .app_data(b"app-data".to_vec())
         .app_id(b"app-id".to_vec());
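Review bot: Nothing in the test documents why the key's digest changes to `.digest(Digest::NONE)` here, and the same swap is repeated in every later hunk of this file that touches `.digest(...)`. With `Digest::NONE` the key is authorized to sign input that KeyMint does not hash, so a reader cannot tell whether this is required by the app-id/app-data checks or incidental. If it is incidental, a one-line comment above the builder would settle it, for example `// Digest is irrelevant here: the test only exercises APPLICATION_ID / APPLICATION_DATA binding.` (wording to be confirmed by the author). The builder chain and the enclosing test function start outside this hunk.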
@@ -655,7 +655,7 @@
         &gen_params,
         &authorizations::AuthSetBuilder::new()
             .purpose(KeyPurpose::SIGN)
-            .digest(Digest::SHA_2_256)
+            .digest(Digest::NONE)
             .app_data(b"app-data".to_vec())
             .app_id(b"app-id".to_vec()),
         alias,
@@ -667,7 +667,7 @@
 /// Generate a key with `APPLICATION_DATA` and `APPLICATION_ID`. Try to create an operation using
 /// the different `APPLICATION_DATA` and `APPLICATION_ID`, test should fail to create an operation.
 #[test]
-fn keystore2_gen_key_auth_app_data_test_fail() {
+fn keystore2_op_auth_invalid_app_data_app_id_test_fail() {
     let sl = SecLevel::tee();
 
     let gen_params = authorizations::AuthSetBuilder::new()
@@ -675,7 +675,7 @@
         .algorithm(Algorithm::EC)
         .purpose(KeyPurpose::SIGN)
         .purpose(KeyPurpose::VERIFY)
-        .digest(Digest::SHA_2_256)
+        .digest(Digest::NONE)
         .ec_curve(EcCurve::P_256)
         .app_data(b"app-data".to_vec())
         .app_id(b"app-id".to_vec());
@@ -686,23 +686,20 @@
         &gen_params,
         &authorizations::AuthSetBuilder::new()
             .purpose(KeyPurpose::SIGN)
-            .digest(Digest::SHA_2_256)
+            .digest(Digest::NONE)
             .app_data(b"invalid-app-data".to_vec())
             .app_id(b"invalid-app-id".to_vec()),
         alias,
     ));
     assert!(result.is_err());
-    assert!(matches!(
-        result.unwrap_err(),
-        Error::Km(ErrorCode::INVALID_KEY_BLOB) | Error::Km(ErrorCode::INVALID_ARGUMENT)
-    ));
+    assert_eq!(Error::Km(ErrorCode::INVALID_KEY_BLOB), result.unwrap_err());
     delete_app_key(&sl.keystore2, alias).unwrap();
 }
 
-/// Generate a key with `APPLICATION_ID`. Test should create an operation using the
-/// same `APPLICATION_ID` successfully.
+/// Generate a key with `APPLICATION_DATA` and `APPLICATION_ID`. Try to create an operation using
+/// only `APPLICATION_ID`, test should fail to create an operation.
 #[test]
-fn keystore2_gen_key_auth_app_id_test_success() {
+fn keystore2_op_auth_missing_app_data_test_fail() {
     let sl = SecLevel::tee();
 
     let gen_params = authorizations::AuthSetBuilder::new()
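Review bot: Cleanup in `keystore2_op_auth_invalid_app_data_app_id_test_fail` runs only if the assertions pass, because `delete_app_key(&sl.keystore2, alias).unwrap();` comes after `assert_eq!(Error::Km(ErrorCode::INVALID_KEY_BLOB), result.unwrap_err());`. Now that `INVALID_ARGUMENT` is no longer accepted, a device that returns it will panic before the delete and presumably leave the key under the alias that the neighbouring tests also use. Capturing the error first avoids that and makes the separate `assert!(result.is_err());` unnecessary: `let err = result.err();` then `delete_app_key(&sl.keystore2, alias).unwrap();` then `assert_eq!(Some(Error::Km(ErrorCode::INVALID_KEY_BLOB)), err);`. The same ordering appears in the hunks at -710, -749 and -867. A short comment saying why only `INVALID_KEY_BLOB` is expected for a mismatched binding tag would also help whoever triages such a failure.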
@@ -710,28 +707,31 @@
         .algorithm(Algorithm::EC)
         .purpose(KeyPurpose::SIGN)
         .purpose(KeyPurpose::VERIFY)
-        .digest(Digest::SHA_2_256)
+        .digest(Digest::NONE)
         .ec_curve(EcCurve::P_256)
-        .app_id(b"app-id".to_vec());
+        .app_id(b"app-id".to_vec())
+        .app_data(b"app-data".to_vec());
 
     let alias = "ks_test_auth_tags_test";
-    let result = key_generations::create_key_and_operation(
+    let result = key_generations::map_ks_error(key_generations::create_key_and_operation(
         &sl,
         &gen_params,
         &authorizations::AuthSetBuilder::new()
             .purpose(KeyPurpose::SIGN)
-            .digest(Digest::SHA_2_256)
+            .digest(Digest::NONE)
             .app_id(b"app-id".to_vec()),
         alias,
-    );
-    assert!(result.is_ok());
+    ));
+
+    assert!(result.is_err());
+    assert_eq!(Error::Km(ErrorCode::INVALID_KEY_BLOB), result.unwrap_err());
     delete_app_key(&sl.keystore2, alias).unwrap();
 }
 
-/// Generate a key with `APPLICATION_ID`. Try to create an operation using the
-/// different `APPLICATION_ID`, test should fail to create an operation.
+/// Generate a key with `APPLICATION_DATA` and `APPLICATION_ID`. Try to create an operation using
+/// only `APPLICATION_DATA`, test should fail to create an operation.
 #[test]
-fn keystore2_gen_key_auth_app_id_test_fail() {
+fn keystore2_op_auth_missing_app_id_test_fail() {
     let sl = SecLevel::tee();
 
     let gen_params = authorizations::AuthSetBuilder::new()
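Review bot: Coverage for a key bound to `APPLICATION_ID` alone is lost in these hunks: the removed `keystore2_gen_key_auth_app_id_test_success` was the visible test that generated a key with only `.app_id(b"app-id".to_vec())` and expected `result.is_ok()`, and its replacement `keystore2_op_auth_missing_app_data_test_fail` generates a key with both tags and expects an error. The next hunk likewise turns the wrong-app-id-only case into a missing-app-id case. Unless single-tag keys are covered elsewhere in the file, consider keeping one positive and one negative single-tag test next to the new missing-tag tests, so a regression in how a lone `APPLICATION_ID` is bound or checked is still caught. This hunk ends inside `keystore2_op_auth_missing_app_id_test_fail`, whose body continues in the following hunk.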
@@ -739,8 +739,9 @@
         .algorithm(Algorithm::EC)
         .purpose(KeyPurpose::SIGN)
         .purpose(KeyPurpose::VERIFY)
-        .digest(Digest::SHA_2_256)
+        .digest(Digest::NONE)
         .ec_curve(EcCurve::P_256)
+        .app_data(b"app-data".to_vec())
         .app_id(b"app-id".to_vec());
 
     let alias = "ks_test_auth_tags_test";
@@ -749,15 +750,12 @@
         &gen_params,
         &authorizations::AuthSetBuilder::new()
             .purpose(KeyPurpose::SIGN)
-            .digest(Digest::SHA_2_256)
-            .app_id(b"invalid-app-id".to_vec()),
+            .digest(Digest::NONE)
+            .app_data(b"app-data".to_vec()),
         alias,
     ));
     assert!(result.is_err());
-    assert!(matches!(
-        result.unwrap_err(),
-        Error::Km(ErrorCode::INVALID_KEY_BLOB) | Error::Km(ErrorCode::INVALID_ARGUMENT)
-    ));
+    assert_eq!(Error::Km(ErrorCode::INVALID_KEY_BLOB), result.unwrap_err());
     delete_app_key(&sl.keystore2, alias).unwrap();
 }
 
@@ -867,10 +865,7 @@
     ));
 
     assert!(result.is_err());
-    assert!(matches!(
-        result.unwrap_err(),
-        Error::Km(ErrorCode::INVALID_KEY_BLOB) | Error::Km(ErrorCode::INVALID_ARGUMENT)
-    ));
+    assert_eq!(Error::Km(ErrorCode::INVALID_KEY_BLOB), result.unwrap_err());
     delete_app_key(&sl.keystore2, attest_alias).unwrap();
 }