You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
470 lines
21 KiB
470 lines
21 KiB
/*
|
|
* Copyright (C) 2020 The Android Open Source Project
|
|
*
|
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
|
* you may not use this file except in compliance with the License.
|
|
* You may obtain a copy of the License at
|
|
*
|
|
* http://www.apache.org/licenses/LICENSE-2.0
|
|
*
|
|
* Unless required by applicable law or agreed to in writing, software
|
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
* See the License for the specific language governing permissions and
|
|
* limitations under the License.
|
|
*/
|
|
|
|
#define LOG_TAG "keymaster_hidl_hal_test"
|
|
#include <cutils/log.h>
|
|
#include <vector>
|
|
|
|
#include "Keymaster4_1HidlTest.h"
|
|
|
|
#include <cutils/properties.h>
|
|
|
|
#include <openssl/x509.h>
|
|
|
|
#include <keymasterV4_1/attestation_record.h>
|
|
#include <keymasterV4_1/authorization_set.h>
|
|
|
|
using android::hardware::keymaster::V4_0::test::add_tag_from_prop;
|
|
|
|
// Not to dump the attestation by default. Can enable by specify the parameter
|
|
// "--dump_attestations" on lunching VTS
|
|
static bool dumpAttestations = false;
|
|
|
|
namespace android::hardware::keymaster::V4_0 {
|
|
|
|
bool operator==(const AuthorizationSet& a, const AuthorizationSet& b) {
|
|
return std::equal(a.begin(), a.end(), b.begin(), b.end());
|
|
}
|
|
|
|
} // namespace android::hardware::keymaster::V4_0
|
|
|
|
namespace android::hardware::keymaster::V4_1 {
|
|
|
|
inline ::std::ostream& operator<<(::std::ostream& os, Tag tag) {
|
|
return os << toString(tag);
|
|
}
|
|
|
|
namespace test {
|
|
|
|
using std::string;
|
|
using std::tuple;
|
|
|
|
namespace {
|
|
|
|
char nibble2hex[16] = {'0', '1', '2', '3', '4', '5', '6', '7',
|
|
'8', '9', 'a', 'b', 'c', 'd', 'e', 'f'};
|
|
|
|
string bin2hex(const hidl_vec<uint8_t>& data) {
|
|
string retval;
|
|
retval.reserve(data.size() * 2 + 1);
|
|
for (uint8_t byte : data) {
|
|
retval.push_back(nibble2hex[0x0F & (byte >> 4)]);
|
|
retval.push_back(nibble2hex[0x0F & byte]);
|
|
}
|
|
return retval;
|
|
}
|
|
|
|
inline void dumpContent(string content) {
|
|
std::cout << content << std::endl;
|
|
}
|
|
|
|
struct AuthorizationSetDifferences {
|
|
string aName;
|
|
string bName;
|
|
AuthorizationSet aWhackB;
|
|
AuthorizationSet bWhackA;
|
|
};
|
|
|
|
std::ostream& operator<<(std::ostream& o, const AuthorizationSetDifferences& diffs) {
|
|
if (!diffs.aWhackB.empty()) {
|
|
o << "Set " << diffs.aName << " contains the following that " << diffs.bName << " does not"
|
|
<< diffs.aWhackB;
|
|
if (!diffs.bWhackA.empty()) o << std::endl;
|
|
}
|
|
|
|
if (!diffs.bWhackA.empty()) {
|
|
o << "Set " << diffs.bName << " contains the following that " << diffs.aName << " does not"
|
|
<< diffs.bWhackA;
|
|
}
|
|
return o;
|
|
}
|
|
|
|
// Computes and returns a \ b and b \ a ('\' is the set-difference operator, a \ b means all the
|
|
// elements that are in a but not b, i.e. take a and whack all the elements in b) to the provided
|
|
// stream. The sets must be sorted.
|
|
//
|
|
// This provides a simple and clear view of how the two sets differ, generally much
|
|
// easier than scrutinizing printouts of the two sets.
|
|
AuthorizationSetDifferences difference(string aName, const AuthorizationSet& a, string bName,
|
|
const AuthorizationSet& b) {
|
|
AuthorizationSetDifferences diffs = {std::move(aName), std::move(bName), {}, {}};
|
|
std::set_difference(a.begin(), a.end(), b.begin(), b.end(), std::back_inserter(diffs.aWhackB));
|
|
std::set_difference(b.begin(), b.end(), a.begin(), a.end(), std::back_inserter(diffs.bWhackA));
|
|
return diffs;
|
|
}
|
|
|
|
#define DIFFERENCE(a, b) difference(#a, a, #b, b)
|
|
|
|
void check_root_of_trust(const RootOfTrust& root_of_trust) {
|
|
char vb_meta_device_state[PROPERTY_VALUE_MAX];
|
|
if (property_get("ro.boot.vbmeta.device_state", vb_meta_device_state, "") == 0) return;
|
|
|
|
char vb_meta_digest[PROPERTY_VALUE_MAX];
|
|
EXPECT_GT(property_get("ro.boot.vbmeta.digest", vb_meta_digest, ""), 0);
|
|
EXPECT_EQ(vb_meta_digest, bin2hex(root_of_trust.verified_boot_hash));
|
|
|
|
// Verified boot key should be all 0's if the boot state is not verified or self signed
|
|
HidlBuf empty_boot_key(string(32, '\0'));
|
|
|
|
char vb_meta_bootstate[PROPERTY_VALUE_MAX];
|
|
auto& verified_boot_key = root_of_trust.verified_boot_key;
|
|
auto& verified_boot_state = root_of_trust.verified_boot_state;
|
|
EXPECT_GT(property_get("ro.boot.verifiedbootstate", vb_meta_bootstate, ""), 0);
|
|
if (!strcmp(vb_meta_bootstate, "green")) {
|
|
EXPECT_EQ(verified_boot_state, V4_0::KM_VERIFIED_BOOT_VERIFIED);
|
|
EXPECT_NE(verified_boot_key, empty_boot_key);
|
|
} else if (!strcmp(vb_meta_bootstate, "yellow")) {
|
|
EXPECT_EQ(verified_boot_state, V4_0::KM_VERIFIED_BOOT_SELF_SIGNED);
|
|
EXPECT_NE(verified_boot_key, empty_boot_key);
|
|
} else if (!strcmp(vb_meta_bootstate, "orange")) {
|
|
EXPECT_EQ(verified_boot_state, V4_0::KM_VERIFIED_BOOT_UNVERIFIED);
|
|
EXPECT_EQ(verified_boot_key, empty_boot_key);
|
|
} else if (!strcmp(vb_meta_bootstate, "red")) {
|
|
EXPECT_EQ(verified_boot_state, V4_0::KM_VERIFIED_BOOT_FAILED);
|
|
} else {
|
|
EXPECT_EQ(verified_boot_state, V4_0::KM_VERIFIED_BOOT_UNVERIFIED);
|
|
EXPECT_EQ(verified_boot_key, empty_boot_key);
|
|
}
|
|
}
|
|
|
|
bool tag_in_list(const KeyParameter& entry) {
|
|
// Attestations don't contain everything in key authorization lists, so we need to filter
|
|
// the key lists to produce the lists that we expect to match the attestations.
|
|
auto tag_list = {
|
|
Tag::INCLUDE_UNIQUE_ID, Tag::BLOB_USAGE_REQUIREMENTS, Tag::EC_CURVE,
|
|
Tag::HARDWARE_TYPE, Tag::VENDOR_PATCHLEVEL, Tag::BOOT_PATCHLEVEL,
|
|
Tag::CREATION_DATETIME,
|
|
};
|
|
return std::find(tag_list.begin(), tag_list.end(), (V4_1::Tag)entry.tag) != tag_list.end();
|
|
}
|
|
|
|
AuthorizationSet filter_tags(const AuthorizationSet& set) {
|
|
AuthorizationSet filtered;
|
|
std::remove_copy_if(set.begin(), set.end(), std::back_inserter(filtered), tag_in_list);
|
|
return filtered;
|
|
}
|
|
|
|
void check_attestation_record(AttestationRecord attestation, const HidlBuf& challenge,
|
|
AuthorizationSet expected_sw_enforced,
|
|
AuthorizationSet expected_hw_enforced,
|
|
SecurityLevel expected_security_level) {
|
|
EXPECT_EQ(41U, attestation.keymaster_version);
|
|
EXPECT_EQ(4U, attestation.attestation_version);
|
|
EXPECT_EQ(expected_security_level, attestation.attestation_security_level);
|
|
EXPECT_EQ(expected_security_level, attestation.keymaster_security_level);
|
|
EXPECT_EQ(challenge, attestation.attestation_challenge);
|
|
|
|
check_root_of_trust(attestation.root_of_trust);
|
|
|
|
// Sort all of the authorization lists, so that equality matching works.
|
|
expected_sw_enforced.Sort();
|
|
expected_hw_enforced.Sort();
|
|
attestation.software_enforced.Sort();
|
|
attestation.hardware_enforced.Sort();
|
|
|
|
expected_sw_enforced = filter_tags(expected_sw_enforced);
|
|
expected_hw_enforced = filter_tags(expected_hw_enforced);
|
|
AuthorizationSet attestation_sw_enforced = filter_tags(attestation.software_enforced);
|
|
AuthorizationSet attestation_hw_enforced = filter_tags(attestation.hardware_enforced);
|
|
|
|
EXPECT_EQ(expected_sw_enforced, attestation_sw_enforced)
|
|
<< DIFFERENCE(expected_sw_enforced, attestation_sw_enforced);
|
|
EXPECT_EQ(expected_hw_enforced, attestation_hw_enforced)
|
|
<< DIFFERENCE(expected_hw_enforced, attestation_hw_enforced);
|
|
}
|
|
|
|
X509_Ptr parse_cert_blob(const std::vector<uint8_t>& blob) {
|
|
const uint8_t* p = blob.data();
|
|
return X509_Ptr(d2i_X509(nullptr /* allocate new */, &p, blob.size()));
|
|
}
|
|
|
|
bool check_certificate_chain_signatures(const hidl_vec<hidl_vec<uint8_t>>& cert_chain) {
|
|
// TODO: Check that root is self-signed once b/187803288 is resolved.
|
|
for (size_t i = 0; i < cert_chain.size() - 1; ++i) {
|
|
X509_Ptr key_cert(parse_cert_blob(cert_chain[i]));
|
|
X509_Ptr signing_cert(parse_cert_blob(cert_chain[i + 1]));
|
|
|
|
if (!key_cert.get() || !signing_cert.get()) {
|
|
return false;
|
|
}
|
|
|
|
EVP_PKEY_Ptr signing_pubkey(X509_get_pubkey(signing_cert.get()));
|
|
if (!signing_pubkey.get()) {
|
|
return false;
|
|
}
|
|
|
|
if (!X509_verify(key_cert.get(), signing_pubkey.get())) {
|
|
return false;
|
|
}
|
|
}
|
|
return true;
|
|
}
|
|
|
|
} // namespace
|
|
|
|
using std::string;
|
|
using DeviceUniqueAttestationTest = Keymaster4_1HidlTest;
|
|
|
|
TEST_P(DeviceUniqueAttestationTest, NonStrongBoxOnly) {
|
|
if (SecLevel() == SecurityLevel::STRONGBOX) return;
|
|
|
|
ASSERT_EQ(ErrorCode::OK, convert(GenerateKey(AuthorizationSetBuilder()
|
|
.Authorization(TAG_NO_AUTH_REQUIRED)
|
|
.RsaSigningKey(2048, 65537)
|
|
.Digest(Digest::SHA_2_256)
|
|
.Padding(PaddingMode::RSA_PKCS1_1_5_SIGN)
|
|
.Authorization(TAG_INCLUDE_UNIQUE_ID))));
|
|
|
|
hidl_vec<hidl_vec<uint8_t>> cert_chain;
|
|
EXPECT_EQ(ErrorCode::UNIMPLEMENTED,
|
|
convert(AttestKey(
|
|
AuthorizationSetBuilder()
|
|
.Authorization(TAG_DEVICE_UNIQUE_ATTESTATION)
|
|
.Authorization(TAG_ATTESTATION_CHALLENGE, HidlBuf("challenge"))
|
|
.Authorization(TAG_ATTESTATION_APPLICATION_ID, HidlBuf("foo")),
|
|
&cert_chain)));
|
|
CheckedDeleteKey();
|
|
|
|
ASSERT_EQ(ErrorCode::OK, convert(GenerateKey(AuthorizationSetBuilder()
|
|
.Authorization(TAG_NO_AUTH_REQUIRED)
|
|
.EcdsaSigningKey(EcCurve::P_256)
|
|
.Digest(Digest::SHA_2_256)
|
|
.Authorization(TAG_INCLUDE_UNIQUE_ID))));
|
|
|
|
EXPECT_EQ(ErrorCode::UNIMPLEMENTED,
|
|
convert(AttestKey(
|
|
AuthorizationSetBuilder()
|
|
.Authorization(TAG_DEVICE_UNIQUE_ATTESTATION)
|
|
.Authorization(TAG_ATTESTATION_CHALLENGE, HidlBuf("challenge"))
|
|
.Authorization(TAG_ATTESTATION_APPLICATION_ID, HidlBuf("foo")),
|
|
&cert_chain)));
|
|
CheckedDeleteKey();
|
|
}
|
|
|
|
TEST_P(DeviceUniqueAttestationTest, Rsa) {
|
|
if (SecLevel() != SecurityLevel::STRONGBOX) return;
|
|
ASSERT_EQ(ErrorCode::OK, convert(GenerateKey(AuthorizationSetBuilder()
|
|
.Authorization(TAG_NO_AUTH_REQUIRED)
|
|
.RsaSigningKey(2048, 65537)
|
|
.Digest(Digest::SHA_2_256)
|
|
.Padding(PaddingMode::RSA_PKCS1_1_5_SIGN)
|
|
.Authorization(TAG_INCLUDE_UNIQUE_ID))));
|
|
|
|
hidl_vec<hidl_vec<uint8_t>> cert_chain;
|
|
HidlBuf challenge("challenge");
|
|
HidlBuf app_id("foo");
|
|
ErrorCode result =
|
|
convert(AttestKey(AuthorizationSetBuilder()
|
|
.Authorization(TAG_DEVICE_UNIQUE_ATTESTATION)
|
|
.Authorization(TAG_ATTESTATION_CHALLENGE, challenge)
|
|
.Authorization(TAG_ATTESTATION_APPLICATION_ID, app_id),
|
|
&cert_chain));
|
|
|
|
// It is optional for Strong box to support DeviceUniqueAttestation.
|
|
if (result == ErrorCode::CANNOT_ATTEST_IDS) return;
|
|
|
|
EXPECT_EQ(ErrorCode::OK, result);
|
|
EXPECT_EQ(2U, cert_chain.size());
|
|
EXPECT_TRUE(check_certificate_chain_signatures(cert_chain));
|
|
if (dumpAttestations) {
|
|
for (auto cert_ : cert_chain) dumpContent(bin2hex(cert_));
|
|
}
|
|
auto [err, attestation] = parse_attestation_record(cert_chain[0]);
|
|
ASSERT_EQ(ErrorCode::OK, err);
|
|
|
|
check_attestation_record(
|
|
attestation, challenge,
|
|
/* sw_enforced */
|
|
AuthorizationSetBuilder().Authorization(TAG_ATTESTATION_APPLICATION_ID, app_id),
|
|
/* hw_enforced */
|
|
AuthorizationSetBuilder()
|
|
.Authorization(TAG_DEVICE_UNIQUE_ATTESTATION)
|
|
.Authorization(TAG_NO_AUTH_REQUIRED)
|
|
.RsaSigningKey(2048, 65537)
|
|
.Digest(Digest::SHA_2_256)
|
|
.Padding(PaddingMode::RSA_PKCS1_1_5_SIGN)
|
|
.Authorization(TAG_ORIGIN, KeyOrigin::GENERATED)
|
|
.Authorization(TAG_OS_VERSION, os_version())
|
|
.Authorization(TAG_OS_PATCHLEVEL, os_patch_level()),
|
|
SecLevel());
|
|
}
|
|
|
|
TEST_P(DeviceUniqueAttestationTest, Ecdsa) {
|
|
if (SecLevel() != SecurityLevel::STRONGBOX) return;
|
|
ASSERT_EQ(ErrorCode::OK, convert(GenerateKey(AuthorizationSetBuilder()
|
|
.Authorization(TAG_NO_AUTH_REQUIRED)
|
|
.EcdsaSigningKey(256)
|
|
.Digest(Digest::SHA_2_256)
|
|
.Authorization(TAG_INCLUDE_UNIQUE_ID))));
|
|
|
|
hidl_vec<hidl_vec<uint8_t>> cert_chain;
|
|
HidlBuf challenge("challenge");
|
|
HidlBuf app_id("foo");
|
|
ErrorCode result =
|
|
convert(AttestKey(AuthorizationSetBuilder()
|
|
.Authorization(TAG_DEVICE_UNIQUE_ATTESTATION)
|
|
.Authorization(TAG_ATTESTATION_CHALLENGE, challenge)
|
|
.Authorization(TAG_ATTESTATION_APPLICATION_ID, app_id),
|
|
&cert_chain));
|
|
|
|
// It is optional for Strong box to support DeviceUniqueAttestation.
|
|
if (result == ErrorCode::CANNOT_ATTEST_IDS) return;
|
|
|
|
EXPECT_EQ(ErrorCode::OK, result);
|
|
EXPECT_EQ(2U, cert_chain.size());
|
|
EXPECT_TRUE(check_certificate_chain_signatures(cert_chain));
|
|
if (dumpAttestations) {
|
|
for (auto cert_ : cert_chain) dumpContent(bin2hex(cert_));
|
|
}
|
|
auto [err, attestation] = parse_attestation_record(cert_chain[0]);
|
|
ASSERT_EQ(ErrorCode::OK, err);
|
|
|
|
check_attestation_record(
|
|
attestation, challenge,
|
|
/* sw_enforced */
|
|
AuthorizationSetBuilder().Authorization(TAG_ATTESTATION_APPLICATION_ID, app_id),
|
|
/* hw_enforced */
|
|
AuthorizationSetBuilder()
|
|
.Authorization(TAG_DEVICE_UNIQUE_ATTESTATION)
|
|
.Authorization(TAG_NO_AUTH_REQUIRED)
|
|
.EcdsaSigningKey(256)
|
|
.Digest(Digest::SHA_2_256)
|
|
.Authorization(TAG_EC_CURVE, EcCurve::P_256)
|
|
.Authorization(TAG_ORIGIN, KeyOrigin::GENERATED)
|
|
.Authorization(TAG_OS_VERSION, os_version())
|
|
.Authorization(TAG_OS_PATCHLEVEL, os_patch_level()),
|
|
SecLevel());
|
|
}
|
|
|
|
TEST_P(DeviceUniqueAttestationTest, EcdsaDeviceUniqueAttestationID) {
|
|
if (SecLevel() != SecurityLevel::STRONGBOX) return;
|
|
|
|
ASSERT_EQ(ErrorCode::OK, convert(GenerateKey(AuthorizationSetBuilder()
|
|
.Authorization(TAG_NO_AUTH_REQUIRED)
|
|
.EcdsaSigningKey(256)
|
|
.Digest(Digest::SHA_2_256)
|
|
.Authorization(TAG_INCLUDE_UNIQUE_ID))));
|
|
|
|
// Collection of valid attestation ID tags.
|
|
auto attestation_id_tags = AuthorizationSetBuilder();
|
|
add_tag_from_prop(&attestation_id_tags, V4_0::TAG_ATTESTATION_ID_BRAND, "ro.product.brand");
|
|
add_tag_from_prop(&attestation_id_tags, V4_0::TAG_ATTESTATION_ID_DEVICE, "ro.product.device");
|
|
add_tag_from_prop(&attestation_id_tags, V4_0::TAG_ATTESTATION_ID_PRODUCT, "ro.product.name");
|
|
add_tag_from_prop(&attestation_id_tags, V4_0::TAG_ATTESTATION_ID_SERIAL, "ro.serial");
|
|
add_tag_from_prop(&attestation_id_tags, V4_0::TAG_ATTESTATION_ID_MANUFACTURER,
|
|
"ro.product.manufacturer");
|
|
add_tag_from_prop(&attestation_id_tags, V4_0::TAG_ATTESTATION_ID_MODEL, "ro.product.model");
|
|
|
|
for (const KeyParameter& tag : attestation_id_tags) {
|
|
hidl_vec<hidl_vec<uint8_t>> cert_chain;
|
|
HidlBuf challenge("challenge");
|
|
HidlBuf app_id("foo");
|
|
AuthorizationSetBuilder builder =
|
|
AuthorizationSetBuilder()
|
|
.Authorization(TAG_DEVICE_UNIQUE_ATTESTATION)
|
|
.Authorization(TAG_ATTESTATION_CHALLENGE, challenge)
|
|
.Authorization(TAG_ATTESTATION_APPLICATION_ID, app_id);
|
|
builder.push_back(tag);
|
|
ErrorCode result = convert(AttestKey(builder, &cert_chain));
|
|
|
|
// It is optional for Strong box to support DeviceUniqueAttestation.
|
|
if (result == ErrorCode::CANNOT_ATTEST_IDS) return;
|
|
|
|
ASSERT_EQ(ErrorCode::OK, result);
|
|
EXPECT_EQ(2U, cert_chain.size());
|
|
if (dumpAttestations) {
|
|
for (auto cert_ : cert_chain) dumpContent(bin2hex(cert_));
|
|
}
|
|
auto [err, attestation] = parse_attestation_record(cert_chain[0]);
|
|
ASSERT_EQ(ErrorCode::OK, err);
|
|
|
|
AuthorizationSetBuilder hw_enforced =
|
|
AuthorizationSetBuilder()
|
|
.Authorization(TAG_DEVICE_UNIQUE_ATTESTATION)
|
|
.Authorization(TAG_NO_AUTH_REQUIRED)
|
|
.EcdsaSigningKey(256)
|
|
.Digest(Digest::SHA_2_256)
|
|
.Authorization(TAG_ORIGIN, KeyOrigin::GENERATED)
|
|
.Authorization(TAG_OS_VERSION, os_version())
|
|
.Authorization(TAG_OS_PATCHLEVEL, os_patch_level());
|
|
hw_enforced.push_back(tag);
|
|
check_attestation_record(
|
|
attestation, challenge,
|
|
/* sw_enforced */
|
|
AuthorizationSetBuilder().Authorization(TAG_ATTESTATION_APPLICATION_ID, app_id),
|
|
hw_enforced, SecLevel());
|
|
}
|
|
}
|
|
|
|
TEST_P(DeviceUniqueAttestationTest, EcdsaDeviceUniqueAttestationMismatchID) {
|
|
if (SecLevel() != SecurityLevel::STRONGBOX) return;
|
|
|
|
ASSERT_EQ(ErrorCode::OK, convert(GenerateKey(AuthorizationSetBuilder()
|
|
.Authorization(TAG_NO_AUTH_REQUIRED)
|
|
.EcdsaSigningKey(256)
|
|
.Digest(Digest::SHA_2_256)
|
|
.Authorization(TAG_INCLUDE_UNIQUE_ID))));
|
|
|
|
// Collection of invalid attestation ID tags.
|
|
std::string invalid = "completely-invalid";
|
|
auto attestation_id_tags =
|
|
AuthorizationSetBuilder()
|
|
.Authorization(V4_0::TAG_ATTESTATION_ID_BRAND, invalid.data(), invalid.size())
|
|
.Authorization(V4_0::TAG_ATTESTATION_ID_DEVICE, invalid.data(), invalid.size())
|
|
.Authorization(V4_0::TAG_ATTESTATION_ID_PRODUCT, invalid.data(), invalid.size())
|
|
.Authorization(V4_0::TAG_ATTESTATION_ID_SERIAL, invalid.data(), invalid.size())
|
|
.Authorization(V4_0::TAG_ATTESTATION_ID_IMEI, invalid.data(), invalid.size())
|
|
.Authorization(V4_0::TAG_ATTESTATION_ID_MEID, invalid.data(), invalid.size())
|
|
.Authorization(V4_0::TAG_ATTESTATION_ID_MANUFACTURER, invalid.data(),
|
|
invalid.size())
|
|
.Authorization(V4_0::TAG_ATTESTATION_ID_MODEL, invalid.data(), invalid.size());
|
|
|
|
for (const KeyParameter& invalid_tag : attestation_id_tags) {
|
|
hidl_vec<hidl_vec<uint8_t>> cert_chain;
|
|
HidlBuf challenge("challenge");
|
|
HidlBuf app_id("foo");
|
|
AuthorizationSetBuilder builder =
|
|
AuthorizationSetBuilder()
|
|
.Authorization(TAG_DEVICE_UNIQUE_ATTESTATION)
|
|
.Authorization(TAG_ATTESTATION_CHALLENGE, challenge)
|
|
.Authorization(TAG_ATTESTATION_APPLICATION_ID, app_id);
|
|
builder.push_back(invalid_tag);
|
|
ErrorCode result = convert(AttestKey(builder, &cert_chain));
|
|
|
|
EXPECT_TRUE(result == ErrorCode::CANNOT_ATTEST_IDS || result == ErrorCode::INVALID_TAG)
|
|
<< "result: " << static_cast<int32_t>(result);
|
|
}
|
|
}
|
|
|
|
INSTANTIATE_KEYMASTER_4_1_HIDL_TEST(DeviceUniqueAttestationTest);
|
|
|
|
} // namespace test
|
|
} // namespace android::hardware::keymaster::V4_1
|
|
|
|
int main(int argc, char** argv) {
|
|
::testing::InitGoogleTest(&argc, argv);
|
|
for (int i = 1; i < argc; ++i) {
|
|
if (argv[i][0] == '-') {
|
|
if (std::string(argv[i]) == "--dump_attestations") {
|
|
dumpAttestations = true;
|
|
}
|
|
}
|
|
}
|
|
int status = RUN_ALL_TESTS();
|
|
ALOGI("Test result = %d", status);
|
|
return status;
|
|
}
|