author | Treehugger Robot | 2018-08-29 03:06:38 -0500 |
---|---|---|
committer | Gerrit Code Review | 2018-08-29 03:06:38 -0500 |
commit | e101aa87a389fbe45df67ed727a564d6d337fa6c (patch) | |
tree | 0e0551125bc54e3473a26aced6dccfe2d7424b31 | |
parent | 33f79706723b3ca28d3656697de3ef3d4624eff4 (diff) | |
parent | 8414fb8556182a9f03cd230b30258453614a9541 (diff) | |
Merge changes Ic41afbd0,Ibe264d08 into pie-vts-dev
* changes:
keymaster: spec does not require that update produce output
Fix attestation test.
5 files changed, 63 insertions, 35 deletions
diff --git a/keymaster/4.0/support/attestation_record.cpp b/keymaster/4.0/support/attestation_record.cpp index 8f37d9c8..6de0c1c6 100644 --- a/keymaster/4.0/support/attestation_record.cpp +++ b/keymaster/4.0/support/attestation_record.cpp | |||
@@ -49,12 +49,14 @@ typedef struct km_root_of_trust { | |||
49 | ASN1_OCTET_STRING* verified_boot_key; | 49 | ASN1_OCTET_STRING* verified_boot_key; |
50 | ASN1_BOOLEAN* device_locked; | 50 | ASN1_BOOLEAN* device_locked; |
51 | ASN1_ENUMERATED* verified_boot_state; | 51 | ASN1_ENUMERATED* verified_boot_state; |
52 | ASN1_OCTET_STRING* verified_boot_hash; | ||
52 | } KM_ROOT_OF_TRUST; | 53 | } KM_ROOT_OF_TRUST; |
53 | 54 | ||
54 | ASN1_SEQUENCE(KM_ROOT_OF_TRUST) = { | 55 | ASN1_SEQUENCE(KM_ROOT_OF_TRUST) = { |
55 | ASN1_SIMPLE(KM_ROOT_OF_TRUST, verified_boot_key, ASN1_OCTET_STRING), | 56 | ASN1_SIMPLE(KM_ROOT_OF_TRUST, verified_boot_key, ASN1_OCTET_STRING), |
56 | ASN1_SIMPLE(KM_ROOT_OF_TRUST, device_locked, ASN1_BOOLEAN), | 57 | ASN1_SIMPLE(KM_ROOT_OF_TRUST, device_locked, ASN1_BOOLEAN), |
57 | ASN1_SIMPLE(KM_ROOT_OF_TRUST, verified_boot_state, ASN1_ENUMERATED), | 58 | ASN1_SIMPLE(KM_ROOT_OF_TRUST, verified_boot_state, ASN1_ENUMERATED), |
59 | ASN1_SIMPLE(KM_ROOT_OF_TRUST, verified_boot_hash, ASN1_OCTET_STRING), | ||
58 | } ASN1_SEQUENCE_END(KM_ROOT_OF_TRUST); | 60 | } ASN1_SEQUENCE_END(KM_ROOT_OF_TRUST); |
59 | IMPLEMENT_ASN1_FUNCTIONS(KM_ROOT_OF_TRUST); | 61 | IMPLEMENT_ASN1_FUNCTIONS(KM_ROOT_OF_TRUST); |
60 | 62 | ||
@@ -77,11 +79,16 @@ typedef struct km_auth_list { | |||
77 | ASN1_OCTET_STRING* application_id; | 79 | ASN1_OCTET_STRING* application_id; |
78 | ASN1_INTEGER* creation_date_time; | 80 | ASN1_INTEGER* creation_date_time; |
79 | ASN1_INTEGER* origin; | 81 | ASN1_INTEGER* origin; |
80 | ASN1_NULL* rollback_resistant; | 82 | ASN1_NULL* rollback_resistance; |
81 | KM_ROOT_OF_TRUST* root_of_trust; | 83 | KM_ROOT_OF_TRUST* root_of_trust; |
82 | ASN1_INTEGER* os_version; | 84 | ASN1_INTEGER* os_version; |
83 | ASN1_INTEGER* os_patchlevel; | 85 | ASN1_INTEGER* os_patchlevel; |
84 | ASN1_OCTET_STRING* attestation_application_id; | 86 | ASN1_OCTET_STRING* attestation_application_id; |
87 | ASN1_NULL* trusted_user_presence_required; | ||
88 | ASN1_NULL* trusted_confirmation_required; | ||
89 | ASN1_NULL* unlocked_device_required; | ||
90 | ASN1_INTEGER* vendor_patchlevel; | ||
91 | ASN1_INTEGER* boot_patchlevel; | ||
85 | } KM_AUTH_LIST; | 92 | } KM_AUTH_LIST; |
86 | 93 | ||
87 | ASN1_SEQUENCE(KM_AUTH_LIST) = { | 94 | ASN1_SEQUENCE(KM_AUTH_LIST) = { |
@@ -93,6 +100,7 @@ ASN1_SEQUENCE(KM_AUTH_LIST) = { | |||
93 | ASN1_EXP_OPT(KM_AUTH_LIST, ec_curve, ASN1_INTEGER, TAG_EC_CURVE.maskedTag()), | 100 | ASN1_EXP_OPT(KM_AUTH_LIST, ec_curve, ASN1_INTEGER, TAG_EC_CURVE.maskedTag()), |
94 | ASN1_EXP_OPT(KM_AUTH_LIST, rsa_public_exponent, ASN1_INTEGER, | 101 | ASN1_EXP_OPT(KM_AUTH_LIST, rsa_public_exponent, ASN1_INTEGER, |
95 | TAG_RSA_PUBLIC_EXPONENT.maskedTag()), | 102 | TAG_RSA_PUBLIC_EXPONENT.maskedTag()), |
103 | ASN1_EXP_OPT(KM_AUTH_LIST, rollback_resistance, ASN1_NULL, TAG_ROLLBACK_RESISTANCE.maskedTag()), | ||
96 | ASN1_EXP_OPT(KM_AUTH_LIST, active_date_time, ASN1_INTEGER, TAG_ACTIVE_DATETIME.maskedTag()), | 104 | ASN1_EXP_OPT(KM_AUTH_LIST, active_date_time, ASN1_INTEGER, TAG_ACTIVE_DATETIME.maskedTag()), |
97 | ASN1_EXP_OPT(KM_AUTH_LIST, origination_expire_date_time, ASN1_INTEGER, | 105 | ASN1_EXP_OPT(KM_AUTH_LIST, origination_expire_date_time, ASN1_INTEGER, |
98 | TAG_ORIGINATION_EXPIRE_DATETIME.maskedTag()), | 106 | TAG_ORIGINATION_EXPIRE_DATETIME.maskedTag()), |
@@ -102,13 +110,19 @@ ASN1_SEQUENCE(KM_AUTH_LIST) = { | |||
102 | ASN1_EXP_OPT(KM_AUTH_LIST, user_auth_type, ASN1_INTEGER, TAG_USER_AUTH_TYPE.maskedTag()), | 110 | ASN1_EXP_OPT(KM_AUTH_LIST, user_auth_type, ASN1_INTEGER, TAG_USER_AUTH_TYPE.maskedTag()), |
103 | ASN1_EXP_OPT(KM_AUTH_LIST, auth_timeout, ASN1_INTEGER, TAG_AUTH_TIMEOUT.maskedTag()), | 111 | ASN1_EXP_OPT(KM_AUTH_LIST, auth_timeout, ASN1_INTEGER, TAG_AUTH_TIMEOUT.maskedTag()), |
104 | ASN1_EXP_OPT(KM_AUTH_LIST, allow_while_on_body, ASN1_NULL, TAG_ALLOW_WHILE_ON_BODY.maskedTag()), | 112 | ASN1_EXP_OPT(KM_AUTH_LIST, allow_while_on_body, ASN1_NULL, TAG_ALLOW_WHILE_ON_BODY.maskedTag()), |
105 | ASN1_EXP_OPT(KM_AUTH_LIST, application_id, ASN1_OCTET_STRING, TAG_APPLICATION_ID.maskedTag()), | 113 | ASN1_EXP_OPT(KM_AUTH_LIST, trusted_user_presence_required, ASN1_NULL, |
114 | TAG_TRUSTED_USER_PRESENCE_REQUIRED.maskedTag()), | ||
115 | ASN1_EXP_OPT(KM_AUTH_LIST, trusted_confirmation_required, ASN1_NULL, | ||
116 | TAG_TRUSTED_CONFIRMATION_REQUIRED.maskedTag()), | ||
117 | ASN1_EXP_OPT(KM_AUTH_LIST, unlocked_device_required, ASN1_NULL, | ||
118 | TAG_UNLOCKED_DEVICE_REQUIRED.maskedTag()), | ||
106 | ASN1_EXP_OPT(KM_AUTH_LIST, creation_date_time, ASN1_INTEGER, TAG_CREATION_DATETIME.maskedTag()), | 119 | ASN1_EXP_OPT(KM_AUTH_LIST, creation_date_time, ASN1_INTEGER, TAG_CREATION_DATETIME.maskedTag()), |
107 | ASN1_EXP_OPT(KM_AUTH_LIST, origin, ASN1_INTEGER, TAG_ORIGIN.maskedTag()), | 120 | ASN1_EXP_OPT(KM_AUTH_LIST, origin, ASN1_INTEGER, TAG_ORIGIN.maskedTag()), |
108 | ASN1_EXP_OPT(KM_AUTH_LIST, rollback_resistant, ASN1_NULL, TAG_ROLLBACK_RESISTANCE.maskedTag()), | ||
109 | ASN1_EXP_OPT(KM_AUTH_LIST, root_of_trust, KM_ROOT_OF_TRUST, TAG_ROOT_OF_TRUST.maskedTag()), | 121 | ASN1_EXP_OPT(KM_AUTH_LIST, root_of_trust, KM_ROOT_OF_TRUST, TAG_ROOT_OF_TRUST.maskedTag()), |
110 | ASN1_EXP_OPT(KM_AUTH_LIST, os_version, ASN1_INTEGER, TAG_OS_VERSION.maskedTag()), | 122 | ASN1_EXP_OPT(KM_AUTH_LIST, os_version, ASN1_INTEGER, TAG_OS_VERSION.maskedTag()), |
111 | ASN1_EXP_OPT(KM_AUTH_LIST, os_patchlevel, ASN1_INTEGER, TAG_OS_PATCHLEVEL.maskedTag()), | 123 | ASN1_EXP_OPT(KM_AUTH_LIST, os_patchlevel, ASN1_INTEGER, TAG_OS_PATCHLEVEL.maskedTag()), |
124 | ASN1_EXP_OPT(KM_AUTH_LIST, vendor_patchlevel, ASN1_INTEGER, TAG_VENDOR_PATCHLEVEL.maskedTag()), | ||
125 | ASN1_EXP_OPT(KM_AUTH_LIST, boot_patchlevel, ASN1_INTEGER, TAG_BOOT_PATCHLEVEL.maskedTag()), | ||
112 | ASN1_EXP_OPT(KM_AUTH_LIST, attestation_application_id, ASN1_OCTET_STRING, | 126 | ASN1_EXP_OPT(KM_AUTH_LIST, attestation_application_id, ASN1_OCTET_STRING, |
113 | TAG_ATTESTATION_APPLICATION_ID.maskedTag()), | 127 | TAG_ATTESTATION_APPLICATION_ID.maskedTag()), |
114 | } ASN1_SEQUENCE_END(KM_AUTH_LIST); | 128 | } ASN1_SEQUENCE_END(KM_AUTH_LIST); |
@@ -237,11 +251,18 @@ static ErrorCode extract_auth_list(const KM_AUTH_LIST* record, AuthorizationSet* | |||
237 | copyAuthTag(record->os_version, TAG_OS_VERSION, auth_list); | 251 | copyAuthTag(record->os_version, TAG_OS_VERSION, auth_list); |
238 | copyAuthTag(record->padding, TAG_PADDING, auth_list); | 252 | copyAuthTag(record->padding, TAG_PADDING, auth_list); |
239 | copyAuthTag(record->purpose, TAG_PURPOSE, auth_list); | 253 | copyAuthTag(record->purpose, TAG_PURPOSE, auth_list); |
240 | copyAuthTag(record->rollback_resistant, TAG_ROLLBACK_RESISTANCE, auth_list); | 254 | copyAuthTag(record->rollback_resistance, TAG_ROLLBACK_RESISTANCE, auth_list); |
241 | copyAuthTag(record->rsa_public_exponent, TAG_RSA_PUBLIC_EXPONENT, auth_list); | 255 | copyAuthTag(record->rsa_public_exponent, TAG_RSA_PUBLIC_EXPONENT, auth_list); |
242 | copyAuthTag(record->usage_expire_date_time, TAG_USAGE_EXPIRE_DATETIME, auth_list); | 256 | copyAuthTag(record->usage_expire_date_time, TAG_USAGE_EXPIRE_DATETIME, auth_list); |
243 | copyAuthTag(record->user_auth_type, TAG_USER_AUTH_TYPE, auth_list); | 257 | copyAuthTag(record->user_auth_type, TAG_USER_AUTH_TYPE, auth_list); |
244 | copyAuthTag(record->attestation_application_id, TAG_ATTESTATION_APPLICATION_ID, auth_list); | 258 | copyAuthTag(record->attestation_application_id, TAG_ATTESTATION_APPLICATION_ID, auth_list); |
259 | copyAuthTag(record->vendor_patchlevel, TAG_VENDOR_PATCHLEVEL, auth_list); | ||
260 | copyAuthTag(record->boot_patchlevel, TAG_BOOT_PATCHLEVEL, auth_list); | ||
261 | copyAuthTag(record->trusted_user_presence_required, TAG_TRUSTED_USER_PRESENCE_REQUIRED, | ||
262 | auth_list); | ||
263 | copyAuthTag(record->trusted_confirmation_required, TAG_TRUSTED_CONFIRMATION_REQUIRED, | ||
264 | auth_list); | ||
265 | copyAuthTag(record->unlocked_device_required, TAG_UNLOCKED_DEVICE_REQUIRED, auth_list); | ||
245 | 266 | ||
246 | return ErrorCode::OK; | 267 | return ErrorCode::OK; |
247 | } | 268 | } |
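Review bot: In the KM_AUTH_LIST template (new lines 124-125) vendor_patchlevel and boot_patchlevel are placed before attestation_application_id, but OpenSSL matches ASN1_EXP_OPT members strictly in template order, and the Keymaster 4.0 AuthorizationList schema orders fields by ascending tag number, where ATTESTATION_APPLICATION_ID (709) precedes VENDOR_PATCHLEVEL (718) and BOOT_PATCHLEVEL (719). A record that carries both in the same list would encode 709 first, so the parser would skip the two optional patchlevel templates, accept 709, and then fail on the trailing 718/719 elements; this likely stays hidden in tests because the patchlevels sit in the hardware-enforced list and the application id in the software-enforced one. Moving the two new `ASN1_EXP_OPT(KM_AUTH_LIST, vendor_patchlevel, ...)` and `ASN1_EXP_OPT(KM_AUTH_LIST, boot_patchlevel, ...)` lines below the `TAG_ATTESTATION_APPLICATION_ID.maskedTag()),` line would make template order match the schema. The other placements (rollback_resistance after rsa_public_exponent, the three ASN1_NULL flags after allow_while_on_body) do follow tag order, and extract_auth_list in the last hunk begins outside the hunk.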
diff --git a/keymaster/4.0/support/include/keymasterV4_0/key_param_output.h b/keymaster/4.0/support/include/keymasterV4_0/key_param_output.h index 74be3436..6e2b691c 100644 --- a/keymaster/4.0/support/include/keymasterV4_0/key_param_output.h +++ b/keymaster/4.0/support/include/keymasterV4_0/key_param_output.h | |||
@@ -53,6 +53,10 @@ inline ::std::ostream& operator<<(::std::ostream& os, PaddingMode value) { | |||
53 | return os << toString(value); | 53 | return os << toString(value); |
54 | } | 54 | } |
55 | 55 | ||
56 | inline ::std::ostream& operator<<(::std::ostream& os, SecurityLevel value) { | ||
57 | return os << toString(value); | ||
58 | } | ||
59 | |||
56 | template <typename ValueT> | 60 | template <typename ValueT> |
57 | ::std::ostream& operator<<(::std::ostream& os, const NullOr<ValueT>& value) { | 61 | ::std::ostream& operator<<(::std::ostream& os, const NullOr<ValueT>& value) { |
58 | if (!value.isOk()) { | 62 | if (!value.isOk()) { |
diff --git a/keymaster/4.0/support/include/keymasterV4_0/keymaster_tags.h b/keymaster/4.0/support/include/keymasterV4_0/keymaster_tags.h index ce213bc1..9e7d2522 100644 --- a/keymaster/4.0/support/include/keymasterV4_0/keymaster_tags.h +++ b/keymaster/4.0/support/include/keymasterV4_0/keymaster_tags.h | |||
@@ -116,6 +116,7 @@ DECLARE_TYPED_TAG(AUTH_TIMEOUT); | |||
116 | DECLARE_TYPED_TAG(BLOB_USAGE_REQUIREMENTS); | 116 | DECLARE_TYPED_TAG(BLOB_USAGE_REQUIREMENTS); |
117 | DECLARE_TYPED_TAG(BLOCK_MODE); | 117 | DECLARE_TYPED_TAG(BLOCK_MODE); |
118 | DECLARE_TYPED_TAG(BOOTLOADER_ONLY); | 118 | DECLARE_TYPED_TAG(BOOTLOADER_ONLY); |
119 | DECLARE_TYPED_TAG(BOOT_PATCHLEVEL); | ||
119 | DECLARE_TYPED_TAG(CALLER_NONCE); | 120 | DECLARE_TYPED_TAG(CALLER_NONCE); |
120 | DECLARE_TYPED_TAG(CONFIRMATION_TOKEN); | 121 | DECLARE_TYPED_TAG(CONFIRMATION_TOKEN); |
121 | DECLARE_TYPED_TAG(CREATION_DATETIME); | 122 | DECLARE_TYPED_TAG(CREATION_DATETIME); |
@@ -141,12 +142,14 @@ DECLARE_TYPED_TAG(ROLLBACK_RESISTANCE); | |||
141 | DECLARE_TYPED_TAG(ROOT_OF_TRUST); | 142 | DECLARE_TYPED_TAG(ROOT_OF_TRUST); |
142 | DECLARE_TYPED_TAG(RSA_PUBLIC_EXPONENT); | 143 | DECLARE_TYPED_TAG(RSA_PUBLIC_EXPONENT); |
143 | DECLARE_TYPED_TAG(TRUSTED_CONFIRMATION_REQUIRED); | 144 | DECLARE_TYPED_TAG(TRUSTED_CONFIRMATION_REQUIRED); |
145 | DECLARE_TYPED_TAG(TRUSTED_USER_PRESENCE_REQUIRED); | ||
144 | DECLARE_TYPED_TAG(UNIQUE_ID); | 146 | DECLARE_TYPED_TAG(UNIQUE_ID); |
145 | DECLARE_TYPED_TAG(UNLOCKED_DEVICE_REQUIRED); | 147 | DECLARE_TYPED_TAG(UNLOCKED_DEVICE_REQUIRED); |
146 | DECLARE_TYPED_TAG(USAGE_EXPIRE_DATETIME); | 148 | DECLARE_TYPED_TAG(USAGE_EXPIRE_DATETIME); |
147 | DECLARE_TYPED_TAG(USER_AUTH_TYPE); | 149 | DECLARE_TYPED_TAG(USER_AUTH_TYPE); |
148 | DECLARE_TYPED_TAG(USER_ID); | 150 | DECLARE_TYPED_TAG(USER_ID); |
149 | DECLARE_TYPED_TAG(USER_SECURE_ID); | 151 | DECLARE_TYPED_TAG(USER_SECURE_ID); |
152 | DECLARE_TYPED_TAG(VENDOR_PATCHLEVEL); | ||
150 | 153 | ||
151 | template <typename... Elems> | 154 | template <typename... Elems> |
152 | struct MetaList {}; | 155 | struct MetaList {}; |
@@ -163,7 +166,8 @@ using all_tags_t = | |||
163 | TAG_OS_VERSION_t, TAG_OS_PATCHLEVEL_t, TAG_UNIQUE_ID_t, TAG_ATTESTATION_CHALLENGE_t, | 166 | TAG_OS_VERSION_t, TAG_OS_PATCHLEVEL_t, TAG_UNIQUE_ID_t, TAG_ATTESTATION_CHALLENGE_t, |
164 | TAG_ATTESTATION_APPLICATION_ID_t, TAG_RESET_SINCE_ID_ROTATION_t, TAG_PURPOSE_t, | 167 | TAG_ATTESTATION_APPLICATION_ID_t, TAG_RESET_SINCE_ID_ROTATION_t, TAG_PURPOSE_t, |
165 | TAG_ALGORITHM_t, TAG_BLOCK_MODE_t, TAG_DIGEST_t, TAG_PADDING_t, | 168 | TAG_ALGORITHM_t, TAG_BLOCK_MODE_t, TAG_DIGEST_t, TAG_PADDING_t, |
166 | TAG_BLOB_USAGE_REQUIREMENTS_t, TAG_ORIGIN_t, TAG_USER_AUTH_TYPE_t, TAG_EC_CURVE_t>; | 169 | TAG_BLOB_USAGE_REQUIREMENTS_t, TAG_ORIGIN_t, TAG_USER_AUTH_TYPE_t, TAG_EC_CURVE_t, |
170 | TAG_BOOT_PATCHLEVEL_t, TAG_VENDOR_PATCHLEVEL_t, TAG_TRUSTED_USER_PRESENCE_REQUIRED_t>; | ||
167 | 171 | ||
168 | template <typename TypedTagType> | 172 | template <typename TypedTagType> |
169 | struct TypedTag2ValueType; | 173 | struct TypedTag2ValueType; |
diff --git a/keymaster/4.0/vts/functional/VerificationTokenTest.cpp b/keymaster/4.0/vts/functional/VerificationTokenTest.cpp index 6afba0c4..3876b16f 100644 --- a/keymaster/4.0/vts/functional/VerificationTokenTest.cpp +++ b/keymaster/4.0/vts/functional/VerificationTokenTest.cpp | |||
@@ -111,8 +111,9 @@ TEST_F(VerificationTokenTest, TestCreation) { | |||
111 | 111 | ||
112 | EXPECT_GE(host_time_delta, time_to_sleep) | 112 | EXPECT_GE(host_time_delta, time_to_sleep) |
113 | << "We slept for " << time_to_sleep << " ms, the clock must have advanced by that much"; | 113 | << "We slept for " << time_to_sleep << " ms, the clock must have advanced by that much"; |
114 | EXPECT_LE(host_time_delta, time_to_sleep + 10) | 114 | EXPECT_LE(host_time_delta, time_to_sleep + 20) |
115 | << "The verifyAuthorization call took more than 10 ms? That's awful!"; | 115 | << "The verifyAuthorization call took " << (host_time_delta - time_to_sleep) |
116 | << " ms? That's awful!"; | ||
116 | 117 | ||
117 | auto km_time_delta = result2.token.timestamp - result1.token.timestamp; | 118 | auto km_time_delta = result2.token.timestamp - result1.token.timestamp; |
118 | 119 | ||
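Review bot: The widened tolerance on line 114 is a bare `+ 20` whose meaning is no longer stated anywhere, because the message on the next line now prints the measured overshoot instead of the limit. A named constant such as `constexpr auto kCallOverheadSlackMs = 20;` above the expectation, used as `EXPECT_LE(host_time_delta, time_to_sleep + kCallOverheadSlackMs)`, keeps the budget explicit and lets the message print it as well. Doubling a wall-clock slack reduces flakiness on loaded hosts rather than removing it, so a one-line comment noting that the value is empirical would help whoever raises it next. The test body continues outside the hunk.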
diff --git a/keymaster/4.0/vts/functional/keymaster_hidl_hal_test.cpp b/keymaster/4.0/vts/functional/keymaster_hidl_hal_test.cpp index 450b3eb4..5dc0c7fa 100644 --- a/keymaster/4.0/vts/functional/keymaster_hidl_hal_test.cpp +++ b/keymaster/4.0/vts/functional/keymaster_hidl_hal_test.cpp | |||
@@ -182,7 +182,7 @@ X509* parse_cert_blob(const hidl_vec<uint8_t>& blob) { | |||
182 | } | 182 | } |
183 | 183 | ||
184 | bool verify_chain(const hidl_vec<hidl_vec<uint8_t>>& chain) { | 184 | bool verify_chain(const hidl_vec<hidl_vec<uint8_t>>& chain) { |
185 | for (size_t i = 0; i < chain.size() - 1; ++i) { | 185 | for (size_t i = 0; i < chain.size(); ++i) { |
186 | X509_Ptr key_cert(parse_cert_blob(chain[i])); | 186 | X509_Ptr key_cert(parse_cert_blob(chain[i])); |
187 | X509_Ptr signing_cert; | 187 | X509_Ptr signing_cert; |
188 | if (i < chain.size() - 1) { | 188 | if (i < chain.size() - 1) { |
@@ -246,8 +246,7 @@ bool tag_in_list(const KeyParameter& entry) { | |||
246 | // Attestations don't contain everything in key authorization lists, so we need to filter | 246 | // Attestations don't contain everything in key authorization lists, so we need to filter |
247 | // the key lists to produce the lists that we expect to match the attestations. | 247 | // the key lists to produce the lists that we expect to match the attestations. |
248 | auto tag_list = { | 248 | auto tag_list = { |
249 | Tag::INCLUDE_UNIQUE_ID, Tag::BLOB_USAGE_REQUIREMENTS, | 249 | Tag::INCLUDE_UNIQUE_ID, Tag::BLOB_USAGE_REQUIREMENTS, Tag::EC_CURVE, Tag::HARDWARE_TYPE, |
250 | Tag::EC_CURVE /* Tag::EC_CURVE will be included by KM2 implementations */, | ||
251 | }; | 250 | }; |
252 | return std::find(tag_list.begin(), tag_list.end(), entry.tag) != tag_list.end(); | 251 | return std::find(tag_list.begin(), tag_list.end(), entry.tag) != tag_list.end(); |
253 | } | 252 | } |
@@ -271,7 +270,7 @@ std::string make_string(const uint8_t (&a)[N]) { | |||
271 | 270 | ||
272 | bool verify_attestation_record(const string& challenge, const string& app_id, | 271 | bool verify_attestation_record(const string& challenge, const string& app_id, |
273 | AuthorizationSet expected_sw_enforced, | 272 | AuthorizationSet expected_sw_enforced, |
274 | AuthorizationSet expected_tee_enforced, | 273 | AuthorizationSet expected_tee_enforced, SecurityLevel security_level, |
275 | const hidl_vec<uint8_t>& attestation_cert) { | 274 | const hidl_vec<uint8_t>& attestation_cert) { |
276 | X509_Ptr cert(parse_cert_blob(attestation_cert)); | 275 | X509_Ptr cert(parse_cert_blob(attestation_cert)); |
277 | EXPECT_TRUE(!!cert.get()); | 276 | EXPECT_TRUE(!!cert.get()); |
@@ -290,29 +289,27 @@ bool verify_attestation_record(const string& challenge, const string& app_id, | |||
290 | HidlBuf att_challenge; | 289 | HidlBuf att_challenge; |
291 | HidlBuf att_unique_id; | 290 | HidlBuf att_unique_id; |
292 | HidlBuf att_app_id; | 291 | HidlBuf att_app_id; |
293 | EXPECT_EQ(ErrorCode::OK, | 292 | |
294 | parse_attestation_record(attest_rec->data, // | 293 | auto error = parse_attestation_record(attest_rec->data, // |
295 | attest_rec->length, // | 294 | attest_rec->length, // |
296 | &att_attestation_version, // | 295 | &att_attestation_version, // |
297 | &att_attestation_security_level, // | 296 | &att_attestation_security_level, // |
298 | &att_keymaster_version, // | 297 | &att_keymaster_version, // |
299 | &att_keymaster_security_level, // | 298 | &att_keymaster_security_level, // |
300 | &att_challenge, // | 299 | &att_challenge, // |
301 | &att_sw_enforced, // | 300 | &att_sw_enforced, // |
302 | &att_tee_enforced, // | 301 | &att_tee_enforced, // |
303 | &att_unique_id)); | 302 | &att_unique_id); |
304 | 303 | EXPECT_EQ(ErrorCode::OK, error); | |
305 | EXPECT_TRUE(att_attestation_version == 1 || att_attestation_version == 2); | 304 | if (error != ErrorCode::OK) return false; |
305 | |||
306 | EXPECT_TRUE(att_attestation_version == 3); | ||
306 | 307 | ||
307 | expected_sw_enforced.push_back(TAG_ATTESTATION_APPLICATION_ID, HidlBuf(app_id)); | 308 | expected_sw_enforced.push_back(TAG_ATTESTATION_APPLICATION_ID, HidlBuf(app_id)); |
308 | 309 | ||
309 | EXPECT_GE(att_keymaster_version, 3U); | 310 | EXPECT_GE(att_keymaster_version, 3U); |
310 | EXPECT_EQ(KeymasterHidlTest::IsSecure() ? SecurityLevel::TRUSTED_ENVIRONMENT | 311 | EXPECT_EQ(security_level, att_keymaster_security_level); |
311 | : SecurityLevel::SOFTWARE, | 312 | EXPECT_EQ(security_level, att_attestation_security_level); |
312 | att_keymaster_security_level); | ||
313 | EXPECT_EQ(KeymasterHidlTest::IsSecure() ? SecurityLevel::TRUSTED_ENVIRONMENT | ||
314 | : SecurityLevel::SOFTWARE, | ||
315 | att_attestation_security_level); | ||
316 | 313 | ||
317 | EXPECT_EQ(challenge.length(), att_challenge.size()); | 314 | EXPECT_EQ(challenge.length(), att_challenge.size()); |
318 | EXPECT_EQ(0, memcmp(challenge.data(), att_challenge.data(), challenge.length())); | 315 | EXPECT_EQ(0, memcmp(challenge.data(), att_challenge.data(), challenge.length())); |
@@ -3008,6 +3005,7 @@ TEST_F(EncryptionOperationsTest, AesGcmAadNoData) { | |||
3008 | * Verifies that AES GCM mode works when provided additional authenticated data in multiple chunks. | 3005 | * Verifies that AES GCM mode works when provided additional authenticated data in multiple chunks. |
3009 | */ | 3006 | */ |
3010 | TEST_F(EncryptionOperationsTest, AesGcmMultiPartAad) { | 3007 | TEST_F(EncryptionOperationsTest, AesGcmMultiPartAad) { |
3008 | const size_t tag_bits = 128; | ||
3011 | ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder() | 3009 | ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder() |
3012 | .Authorization(TAG_NO_AUTH_REQUIRED) | 3010 | .Authorization(TAG_NO_AUTH_REQUIRED) |
3013 | .AesEncryptionKey(128) | 3011 | .AesEncryptionKey(128) |
@@ -3019,7 +3017,7 @@ TEST_F(EncryptionOperationsTest, AesGcmMultiPartAad) { | |||
3019 | auto begin_params = AuthorizationSetBuilder() | 3017 | auto begin_params = AuthorizationSetBuilder() |
3020 | .BlockMode(BlockMode::GCM) | 3018 | .BlockMode(BlockMode::GCM) |
3021 | .Padding(PaddingMode::NONE) | 3019 | .Padding(PaddingMode::NONE) |
3022 | .Authorization(TAG_MAC_LENGTH, 128); | 3020 | .Authorization(TAG_MAC_LENGTH, tag_bits); |
3023 | AuthorizationSet begin_out_params; | 3021 | AuthorizationSet begin_out_params; |
3024 | 3022 | ||
3025 | auto update_params = | 3023 | auto update_params = |
@@ -3041,10 +3039,11 @@ TEST_F(EncryptionOperationsTest, AesGcmMultiPartAad) { | |||
3041 | EXPECT_EQ(ErrorCode::OK, Update(op_handle_, update_params, message, &update_out_params, | 3039 | EXPECT_EQ(ErrorCode::OK, Update(op_handle_, update_params, message, &update_out_params, |
3042 | &ciphertext, &input_consumed)); | 3040 | &ciphertext, &input_consumed)); |
3043 | EXPECT_EQ(message.size(), input_consumed); | 3041 | EXPECT_EQ(message.size(), input_consumed); |
3044 | EXPECT_EQ(message.size(), ciphertext.size()); | ||
3045 | EXPECT_TRUE(update_out_params.empty()); | 3042 | EXPECT_TRUE(update_out_params.empty()); |
3046 | 3043 | ||
3047 | EXPECT_EQ(ErrorCode::OK, Finish("" /* input */, &ciphertext)); | 3044 | EXPECT_EQ(ErrorCode::OK, Finish("" /* input */, &ciphertext)); |
3045 | // Expect 128-bit (16-byte) tag appended to ciphertext. | ||
3046 | EXPECT_EQ(message.size() + (tag_bits >> 3), ciphertext.size()); | ||
3048 | 3047 | ||
3049 | // Grab nonce. | 3048 | // Grab nonce. |
3050 | begin_params.push_back(begin_out_params); | 3049 | begin_params.push_back(begin_out_params); |
@@ -3100,7 +3099,6 @@ TEST_F(EncryptionOperationsTest, AesGcmAadOutOfOrder) { | |||
3100 | EXPECT_EQ(ErrorCode::OK, Update(op_handle_, update_params, message, &update_out_params, | 3099 | EXPECT_EQ(ErrorCode::OK, Update(op_handle_, update_params, message, &update_out_params, |
3101 | &ciphertext, &input_consumed)); | 3100 | &ciphertext, &input_consumed)); |
3102 | EXPECT_EQ(message.size(), input_consumed); | 3101 | EXPECT_EQ(message.size(), input_consumed); |
3103 | EXPECT_EQ(message.size(), ciphertext.size()); | ||
3104 | EXPECT_TRUE(update_out_params.empty()); | 3102 | EXPECT_TRUE(update_out_params.empty()); |
3105 | 3103 | ||
3106 | // More AAD | 3104 | // More AAD |
@@ -3827,7 +3825,7 @@ TEST_F(AttestationTest, RsaAttestation) { | |||
3827 | EXPECT_TRUE(verify_attestation_record("challenge", "foo", // | 3825 | EXPECT_TRUE(verify_attestation_record("challenge", "foo", // |
3828 | key_characteristics_.softwareEnforced, // | 3826 | key_characteristics_.softwareEnforced, // |
3829 | key_characteristics_.hardwareEnforced, // | 3827 | key_characteristics_.hardwareEnforced, // |
3830 | cert_chain[0])); | 3828 | SecLevel(), cert_chain[0])); |
3831 | } | 3829 | } |
3832 | 3830 | ||
3833 | /* | 3831 | /* |
@@ -3874,7 +3872,7 @@ TEST_F(AttestationTest, EcAttestation) { | |||
3874 | EXPECT_TRUE(verify_attestation_record("challenge", "foo", // | 3872 | EXPECT_TRUE(verify_attestation_record("challenge", "foo", // |
3875 | key_characteristics_.softwareEnforced, // | 3873 | key_characteristics_.softwareEnforced, // |
3876 | key_characteristics_.hardwareEnforced, // | 3874 | key_characteristics_.hardwareEnforced, // |
3877 | cert_chain[0])); | 3875 | SecLevel(), cert_chain[0])); |
3878 | } | 3876 | } |
3879 | 3877 | ||
3880 | /* | 3878 | /* |
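Review bot: `EXPECT_TRUE(att_attestation_version == 3)` at new line 306 of verify_attestation_record reports only `false` on failure, so the parsed version is lost from the output; `EXPECT_EQ(3U, att_attestation_version);` gives the value for free and matches the `EXPECT_EQ(security_level, ...)` style used a few lines below. The new early `return false` after a failed parse_attestation_record is the right call, since the later comparisons would otherwise run on outputs the failed parse may not have filled in. In verify_chain, changing the bound to `i < chain.size()` also removes the unsigned underflow the old `chain.size() - 1` bound had on an empty chain, and the inner `if (i < chain.size() - 1)` is now only reached with a non-empty chain, so it is safe. Both verify_attestation_record and verify_chain extend beyond their hunks.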