Snap for 7915781 from 10b5d82d1ebf209d98e7d66b4c01c2e7e9bad498 to sc-v2-release
Change-Id: I274669094c6492429a6055ab7ba797bd482b343a
diff --git a/include/keymaster/km_openssl/attestation_record.h b/include/keymaster/km_openssl/attestation_record.h
index 3ae1a10..f484da1 100644
--- a/include/keymaster/km_openssl/attestation_record.h
+++ b/include/keymaster/km_openssl/attestation_record.h
@@ -34,6 +34,9 @@
constexpr KmVersion kCurrentKmVersion = KmVersion::KEYMASTER_4_1;
+// Size (in bytes) of generated UNIQUE_ID values.
+constexpr int UNIQUE_ID_SIZE = 16;
+
constexpr int EAT_CLAIM_PRIVATE_BASE = -80000;
constexpr int EAT_CLAIM_PRIVATE_NON_KM_BASE = EAT_CLAIM_PRIVATE_BASE - 2000;
@@ -343,6 +346,15 @@
const AttestationContext& context, //
std::vector<uint8_t>* eat_token);
+// Builds the input to HMAC-SHA256 for unique ID generation.
+std::vector<uint8_t> build_unique_id_input(uint64_t creation_date_time,
+ const keymaster_blob_t& application_id,
+ bool reset_since_rotation);
+
+// Builds a unique ID of size UNIQUE_ID_SIZE from the given inputs.
+Buffer generate_unique_id(const std::vector<uint8_t>& hbk, uint64_t creation_date_time,
+ const keymaster_blob_t& application_id, bool reset_since_rotation);
+
/**
* Helper functions for attestation record tests. Caller takes ownership of
* |attestation_challenge->data| and |unique_id->data|, deallocate using delete[].
diff --git a/include/keymaster/km_openssl/openssl_utils.h b/include/keymaster/km_openssl/openssl_utils.h
index 402c1f9..e1a39d3 100644
--- a/include/keymaster/km_openssl/openssl_utils.h
+++ b/include/keymaster/km_openssl/openssl_utils.h
@@ -24,6 +24,7 @@
#include <openssl/x509.h>
#include <keymaster/UniquePtr.h>
+#include <keymaster/authorization_set.h>
#include <hardware/keymaster_defs.h>
@@ -102,6 +103,11 @@
keymaster_error_t GenerateRandom(uint8_t* buf, size_t length);
+inline bool IsCertSigningKey(const AuthorizationSet& key_description) {
+ return key_description.Contains(TAG_PURPOSE, KM_PURPOSE_SIGN) ||
+ key_description.Contains(TAG_PURPOSE, KM_PURPOSE_ATTEST_KEY);
+}
+
inline const EVP_MD* KmDigestToEvpDigest(keymaster_digest_t digest) {
switch (digest) {
case KM_DIGEST_MD5:
diff --git a/key_blob_utils/software_keyblobs.cpp b/key_blob_utils/software_keyblobs.cpp
index 764ebcb..475ac36 100644
--- a/key_blob_utils/software_keyblobs.cpp
+++ b/key_blob_utils/software_keyblobs.cpp
@@ -307,7 +307,7 @@
LOG_E("Tag %d not allowed in key generation/import", entry.tag);
break;
- // These are provided to support attesation key generation, but should not be included in
+ // These are provided to support attestation key generation, but should not be included in
// the key characteristics.
case KM_TAG_ATTESTATION_APPLICATION_ID:
case KM_TAG_ATTESTATION_CHALLENGE:
@@ -323,6 +323,7 @@
case KM_TAG_CERTIFICATE_SUBJECT:
case KM_TAG_CERTIFICATE_NOT_BEFORE:
case KM_TAG_CERTIFICATE_NOT_AFTER:
+ case KM_TAG_INCLUDE_UNIQUE_ID:
case KM_TAG_RESET_SINCE_ID_ROTATION:
break;
@@ -341,7 +342,6 @@
case KM_TAG_DIGEST:
case KM_TAG_EARLY_BOOT_ONLY:
case KM_TAG_EC_CURVE:
- case KM_TAG_INCLUDE_UNIQUE_ID:
case KM_TAG_KEY_SIZE:
case KM_TAG_MAX_BOOT_LEVEL:
case KM_TAG_MAX_USES_PER_BOOT:
diff --git a/km_openssl/attestation_record.cpp b/km_openssl/attestation_record.cpp
index 92aaeae..3162e4a 100644
--- a/km_openssl/attestation_record.cpp
+++ b/km_openssl/attestation_record.cpp
@@ -26,6 +26,7 @@
#include <keymaster/android_keymaster_utils.h>
#include <keymaster/attestation_context.h>
+#include <keymaster/km_openssl/hmac.h>
#include <keymaster/km_openssl/openssl_err.h>
#include <keymaster/km_openssl/openssl_utils.h>
@@ -255,27 +256,6 @@
return (attestation_challenge.data_length <= kMaximumAttestationChallengeLength);
}
-Buffer generate_unique_id(const AttestationContext& context, //
- const AuthorizationSet& sw_enforced,
- const AuthorizationSet& attestation_params, //
- keymaster_error_t* error) {
- uint64_t creation_datetime;
- // Only check sw_enforced for TAG_CREATION_DATETIME, since it shouldn't be in tee_enforced,
- // since this implementation has no secure wall clock.
- if (!sw_enforced.GetTagValue(TAG_CREATION_DATETIME, &creation_datetime)) {
- LOG_E("Unique ID cannot be created without creation datetime", 0);
- *error = KM_ERROR_INVALID_KEY_BLOB;
- return {};
- }
-
- keymaster_blob_t application_id = {nullptr, 0};
- sw_enforced.GetTagValue(TAG_APPLICATION_ID, &application_id);
-
- return context.GenerateUniqueId(creation_datetime, application_id,
- attestation_params.GetTagValue(TAG_RESET_SINCE_ID_ROTATION),
- error);
-}
-
// Put the contents of the keymaster AuthorizationSet auth_list into the EAT record structure.
keymaster_error_t build_eat_submod(const AuthorizationSet& auth_list,
const EatSecurityLevel security_level, cppbor::Map* submod) {
@@ -536,7 +516,6 @@
case KM_TAG_AUTH_TOKEN:
case KM_TAG_MAC_LENGTH:
case KM_TAG_ATTESTATION_CHALLENGE:
- case KM_TAG_RESET_SINCE_ID_ROTATION:
case KM_TAG_KDF:
/* Tags ignored because they're used only to provide for certificate generation */
@@ -544,6 +523,8 @@
case KM_TAG_CERTIFICATE_SUBJECT:
case KM_TAG_CERTIFICATE_NOT_BEFORE:
case KM_TAG_CERTIFICATE_NOT_AFTER:
+ case KM_TAG_INCLUDE_UNIQUE_ID:
+ case KM_TAG_RESET_SINCE_ID_ROTATION:
/* Tags ignored because they have no meaning off-device */
case KM_TAG_USER_ID:
@@ -552,7 +533,6 @@
/* Tags ignored because they're not usable by app keys */
case KM_TAG_BOOTLOADER_ONLY:
- case KM_TAG_INCLUDE_UNIQUE_ID:
case KM_TAG_MAX_BOOT_LEVEL:
case KM_TAG_MAX_USES_PER_BOOT:
case KM_TAG_MIN_SECONDS_BETWEEN_OPS:
@@ -932,9 +912,7 @@
eat_record.add(EatClaim::SUBMODS, std::move(submods));
}
- // Only check tee_enforced for TAG_INCLUDE_UNIQUE_ID. If we don't have hardware we can't
- // generate unique IDs.
- if (tee_enforced.GetTagValue(TAG_INCLUDE_UNIQUE_ID)) {
+ if (attestation_params.GetTagValue(TAG_INCLUDE_UNIQUE_ID)) {
uint64_t creation_datetime;
// Only check sw_enforced for TAG_CREATION_DATETIME, since it shouldn't be in tee_enforced,
// since this implementation has no secure wall clock.
@@ -943,11 +921,8 @@
return KM_ERROR_INVALID_KEY_BLOB;
}
- keymaster_blob_t application_id = {nullptr, 0};
- sw_enforced.GetTagValue(TAG_APPLICATION_ID, &application_id);
-
Buffer unique_id = context.GenerateUniqueId(
- creation_datetime, application_id,
+ creation_datetime, attestation_app_id,
attestation_params.GetTagValue(TAG_RESET_SINCE_ID_ROTATION), &error);
if (error != KM_ERROR_OK) return error;
@@ -960,6 +935,33 @@
return KM_ERROR_OK;
}
+std::vector<uint8_t> build_unique_id_input(uint64_t creation_date_time,
+ const keymaster_blob_t& application_id,
+ bool reset_since_rotation) {
+ uint64_t rounded_date = creation_date_time / 2592000000LLU;
+ uint8_t* serialized_date = reinterpret_cast<uint8_t*>(&rounded_date);
+
+ std::vector<uint8_t> input;
+ input.insert(input.end(), serialized_date, serialized_date + sizeof(rounded_date));
+ input.insert(input.end(), application_id.data,
+ application_id.data + application_id.data_length);
+ input.push_back(reset_since_rotation ? 1 : 0);
+ return input;
+}
+
+Buffer generate_unique_id(const std::vector<uint8_t>& hbk, uint64_t creation_date_time,
+ const keymaster_blob_t& application_id, bool reset_since_rotation) {
+ HmacSha256 hmac;
+ hmac.Init(hbk.data(), hbk.size());
+
+ std::vector<uint8_t> input =
+ build_unique_id_input(creation_date_time, application_id, reset_since_rotation);
+ Buffer unique_id(UNIQUE_ID_SIZE);
+ hmac.Sign(input.data(), input.size(), unique_id.peek_write(), unique_id.available_write());
+ unique_id.advance_write(UNIQUE_ID_SIZE);
+ return unique_id;
+}
+
// Construct an ASN1.1 DER-encoded attestation record containing the values from sw_enforced and
// tee_enforced.
keymaster_error_t build_attestation_record(const AuthorizationSet& attestation_params, //
@@ -1057,9 +1059,7 @@
error = build_auth_list(tee_enforced, key_desc->tee_enforced);
if (error != KM_ERROR_OK) return error;
- // Only check tee_enforced for TAG_INCLUDE_UNIQUE_ID. If we don't have hardware we can't
- // generate unique IDs.
- if (tee_enforced.GetTagValue(TAG_INCLUDE_UNIQUE_ID)) {
+ if (attestation_params.GetTagValue(TAG_INCLUDE_UNIQUE_ID)) {
uint64_t creation_datetime;
// Only check sw_enforced for TAG_CREATION_DATETIME, since it shouldn't be in tee_enforced,
// since this implementation has no secure wall clock.
@@ -1068,11 +1068,8 @@
return KM_ERROR_INVALID_KEY_BLOB;
}
- keymaster_blob_t application_id = {nullptr, 0};
- sw_enforced.GetTagValue(TAG_APPLICATION_ID, &application_id);
-
Buffer unique_id = context.GenerateUniqueId(
- creation_datetime, application_id,
+ creation_datetime, attestation_app_id,
attestation_params.GetTagValue(TAG_RESET_SINCE_ID_ROTATION), &error);
if (error != KM_ERROR_OK) return error;
diff --git a/km_openssl/attestation_utils.cpp b/km_openssl/attestation_utils.cpp
index 9a6c7f3..3be84ae 100644
--- a/km_openssl/attestation_utils.cpp
+++ b/km_openssl/attestation_utils.cpp
@@ -293,7 +293,8 @@
if (*error != KM_ERROR_OK) return {};
AuthProxy proxy(tee_enforced, sw_enforced);
- cert_params.is_signing_key = proxy.Contains(TAG_PURPOSE, KM_PURPOSE_SIGN);
+ cert_params.is_signing_key = (proxy.Contains(TAG_PURPOSE, KM_PURPOSE_SIGN) ||
+ proxy.Contains(TAG_PURPOSE, KM_PURPOSE_ATTEST_KEY));
cert_params.is_encryption_key = proxy.Contains(TAG_PURPOSE, KM_PURPOSE_DECRYPT);
cert_params.is_agreement_key = proxy.Contains(TAG_PURPOSE, KM_PURPOSE_AGREE_KEY);
diff --git a/km_openssl/certificate_utils.cpp b/km_openssl/certificate_utils.cpp
index d9419c8..edaaa2d 100644
--- a/km_openssl/certificate_utils.cpp
+++ b/km_openssl/certificate_utils.cpp
@@ -359,7 +359,9 @@
*error = get_certificate_params(params, &cert_params, KmVersion::KEYMINT_1);
if (*error != KM_ERROR_OK) return {};
- cert_params.is_signing_key = key.authorizations().Contains(TAG_PURPOSE, KM_PURPOSE_SIGN);
+ cert_params.is_signing_key =
+ (key.authorizations().Contains(TAG_PURPOSE, KM_PURPOSE_SIGN) ||
+ key.authorizations().Contains(TAG_PURPOSE, KM_PURPOSE_ATTEST_KEY));
cert_params.is_encryption_key = key.authorizations().Contains(TAG_PURPOSE, KM_PURPOSE_DECRYPT);
cert_params.is_agreement_key = key.authorizations().Contains(TAG_PURPOSE, KM_PURPOSE_AGREE_KEY);
diff --git a/km_openssl/ec_key_factory.cpp b/km_openssl/ec_key_factory.cpp
index 80d761f..8bf25dd 100644
--- a/km_openssl/ec_key_factory.cpp
+++ b/km_openssl/ec_key_factory.cpp
@@ -139,8 +139,7 @@
return KM_ERROR_ATTESTATION_CHALLENGE_MISSING;
} else {
*cert_chain = context_.GenerateSelfSignedCertificate(
- key, key_description,
- !key_description.Contains(TAG_PURPOSE, KM_PURPOSE_SIGN) /* fake_signature */, &error);
+ key, key_description, !IsCertSigningKey(key_description) /* fake_signature */, &error);
}
return error;
@@ -185,8 +184,7 @@
return KM_ERROR_ATTESTATION_CHALLENGE_MISSING;
} else {
*cert_chain = context_.GenerateSelfSignedCertificate(
- key, key_description,
- !key_description.Contains(TAG_PURPOSE, KM_PURPOSE_SIGN) /* fake_signature */, &error);
+ key, key_description, !IsCertSigningKey(key_description) /* fake_signature */, &error);
}
return error;
diff --git a/km_openssl/rsa_key_factory.cpp b/km_openssl/rsa_key_factory.cpp
index 114fdab..ed7162d 100644
--- a/km_openssl/rsa_key_factory.cpp
+++ b/km_openssl/rsa_key_factory.cpp
@@ -108,8 +108,7 @@
} else if (attest_key.get() != nullptr) {
return KM_ERROR_ATTESTATION_CHALLENGE_MISSING;
} else {
- bool fake_signature =
- key_size < 1024 || !key_description.Contains(TAG_PURPOSE, KM_PURPOSE_SIGN);
+ bool fake_signature = key_size < 1024 || !IsCertSigningKey(key_description);
*cert_chain =
context_.GenerateSelfSignedCertificate(key, key_description, fake_signature, &error);
}
@@ -156,8 +155,7 @@
} else if (attest_key.get() != nullptr) {
return KM_ERROR_ATTESTATION_CHALLENGE_MISSING;
} else {
- bool fake_signature =
- key_size < 1024 || !key_description.Contains(TAG_PURPOSE, KM_PURPOSE_SIGN);
+ bool fake_signature = key_size < 1024 || !IsCertSigningKey(key_description);
*cert_chain =
context_.GenerateSelfSignedCertificate(key, key_description, fake_signature, &error);
}
diff --git a/ng/AndroidKeyMintDevice.cpp b/ng/AndroidKeyMintDevice.cpp
index f511c3f..89201bd 100644
--- a/ng/AndroidKeyMintDevice.cpp
+++ b/ng/AndroidKeyMintDevice.cpp
@@ -121,6 +121,7 @@
case KM_TAG_CONFIRMATION_TOKEN:
case KM_TAG_DEVICE_UNIQUE_ATTESTATION:
case KM_TAG_IDENTITY_CREDENTIAL_KEY:
+ case KM_TAG_INCLUDE_UNIQUE_ID:
case KM_TAG_MAC_LENGTH:
case KM_TAG_NONCE:
case KM_TAG_RESET_SINCE_ID_ROTATION:
@@ -140,7 +141,6 @@
case KM_TAG_EARLY_BOOT_ONLY:
case KM_TAG_EC_CURVE:
case KM_TAG_EXPORTABLE:
- case KM_TAG_INCLUDE_UNIQUE_ID:
case KM_TAG_KEY_SIZE:
case KM_TAG_MAX_USES_PER_BOOT:
case KM_TAG_MIN_MAC_LENGTH:
diff --git a/tests/attestation_record_test.cpp b/tests/attestation_record_test.cpp
index 92cd77d..9cf61d8 100644
--- a/tests/attestation_record_test.cpp
+++ b/tests/attestation_record_test.cpp
@@ -83,26 +83,32 @@
};
TEST(AttestAsn1Test, Simple) {
+ const char* fake_app_id = "fake_app_id";
+ const char* fake_app_data = "fake_app_data";
+ const char* fake_challenge = "fake_challenge";
+ const char* fake_attest_app_id = "fake_attest_app_id";
KeymasterTestContext context;
AuthorizationSet hw_set(AuthorizationSetBuilder()
.RsaSigningKey(512, 3)
.Digest(KM_DIGEST_SHA_2_256)
.Digest(KM_DIGEST_SHA_2_384)
.Authorization(TAG_OS_VERSION, 60000)
- .Authorization(TAG_OS_PATCHLEVEL, 201512)
- .Authorization(TAG_INCLUDE_UNIQUE_ID));
- AuthorizationSet sw_set(AuthorizationSetBuilder()
- .Authorization(TAG_ACTIVE_DATETIME, 10)
- .Authorization(TAG_CREATION_DATETIME, 10)
- .Authorization(TAG_APPLICATION_ID, "fake_app_id", 19)
- .Authorization(TAG_APPLICATION_DATA, "fake_app_data", 12));
+ .Authorization(TAG_OS_PATCHLEVEL, 201512));
+ AuthorizationSet sw_set(
+ AuthorizationSetBuilder()
+ .Authorization(TAG_ACTIVE_DATETIME, 10)
+ .Authorization(TAG_CREATION_DATETIME, 10)
+ .Authorization(TAG_APPLICATION_ID, fake_app_id, strlen(fake_app_id))
+ .Authorization(TAG_APPLICATION_DATA, fake_app_data, strlen(fake_app_data)));
UniquePtr<uint8_t[]> asn1;
size_t asn1_len = 0;
AuthorizationSet attest_params(
AuthorizationSetBuilder()
- .Authorization(TAG_ATTESTATION_CHALLENGE, "fake_challenge", 14)
- .Authorization(TAG_ATTESTATION_APPLICATION_ID, "fake_attest_app_id", 18));
+ .Authorization(TAG_INCLUDE_UNIQUE_ID)
+ .Authorization(TAG_ATTESTATION_CHALLENGE, fake_challenge, strlen(fake_challenge))
+ .Authorization(TAG_ATTESTATION_APPLICATION_ID, fake_attest_app_id,
+ strlen(fake_attest_app_id)));
ASSERT_EQ(KM_ERROR_OK,
build_attestation_record(attest_params, sw_set, hw_set, context, &asn1, &asn1_len));
EXPECT_GT(asn1_len, 0U);
@@ -127,16 +133,19 @@
&parsed_sw_set, &parsed_hw_set, &unique_id));
// Check that the challenge is consistent across build and parse.
- EXPECT_EQ("fake_challenge",
- std::string(reinterpret_cast<const char*>(attestation_challenge.data), 14));
+ EXPECT_EQ(std::string(fake_challenge),
+ std::string(reinterpret_cast<const char*>(attestation_challenge.data),
+ attestation_challenge.data_length));
delete[] attestation_challenge.data;
// Check that the unique id was populated as expected.
- EXPECT_EQ("fake_app_id", std::string(reinterpret_cast<const char*>(unique_id.data), 11));
+ EXPECT_EQ(std::string(fake_attest_app_id),
+ std::string(reinterpret_cast<const char*>(unique_id.data), unique_id.data_length));
delete[] unique_id.data;
// The attestation ID is expected to appear in parsed_sw_set.
- sw_set.push_back(TAG_ATTESTATION_APPLICATION_ID, "fake_attest_app_id", 18);
+ sw_set.push_back(TAG_ATTESTATION_APPLICATION_ID, fake_attest_app_id,
+ strlen(fake_attest_app_id));
// The TAG_INCLUDE_UNIQUE_ID tag is not expected to appear in parsed_hw_set.
hw_set.erase(hw_set.find(TAG_INCLUDE_UNIQUE_ID));
@@ -164,26 +173,34 @@
}
TEST(EatTest, Simple) {
+ const char* fake_imei = "490154203237518";
+ const char* fake_app_id = "fake_app_id";
+ const char* fake_app_data = "fake_app_data";
+ const char* fake_challenge = "fake_challenge";
+ const char* fake_attest_app_id = "fake_attest_app_id";
KeymintTestContext context;
- AuthorizationSet hw_set(AuthorizationSetBuilder()
- .RsaSigningKey(512, 3)
- .Digest(KM_DIGEST_SHA_2_256)
- .Digest(KM_DIGEST_SHA_2_384)
- .Authorization(TAG_OS_VERSION, 60000)
- .Authorization(TAG_OS_PATCHLEVEL, 201512)
- .Authorization(TAG_INCLUDE_UNIQUE_ID)
- .Authorization(TAG_ATTESTATION_ID_IMEI, "490154203237518", 15));
- AuthorizationSet sw_set(AuthorizationSetBuilder()
- .Authorization(TAG_ACTIVE_DATETIME, 10)
- .Authorization(TAG_CREATION_DATETIME, 10)
- .Authorization(TAG_APPLICATION_ID, "fake_app_id", 19)
- .Authorization(TAG_APPLICATION_DATA, "fake_app_data", 12));
+ AuthorizationSet hw_set(
+ AuthorizationSetBuilder()
+ .RsaSigningKey(512, 3)
+ .Digest(KM_DIGEST_SHA_2_256)
+ .Digest(KM_DIGEST_SHA_2_384)
+ .Authorization(TAG_OS_VERSION, 60000)
+ .Authorization(TAG_OS_PATCHLEVEL, 201512)
+ .Authorization(TAG_ATTESTATION_ID_IMEI, fake_imei, strlen(fake_imei)));
+ AuthorizationSet sw_set(
+ AuthorizationSetBuilder()
+ .Authorization(TAG_ACTIVE_DATETIME, 10)
+ .Authorization(TAG_CREATION_DATETIME, 10)
+ .Authorization(TAG_APPLICATION_ID, fake_app_id, strlen(fake_app_id))
+ .Authorization(TAG_APPLICATION_DATA, fake_app_data, strlen(fake_app_data)));
std::vector<uint8_t> eat;
AuthorizationSet attest_params(
AuthorizationSetBuilder()
- .Authorization(TAG_ATTESTATION_CHALLENGE, "fake_challenge", 14)
- .Authorization(TAG_ATTESTATION_APPLICATION_ID, "fake_attest_app_id", 18));
+ .Authorization(TAG_INCLUDE_UNIQUE_ID)
+ .Authorization(TAG_ATTESTATION_CHALLENGE, fake_challenge, strlen(fake_challenge))
+ .Authorization(TAG_ATTESTATION_APPLICATION_ID, fake_attest_app_id,
+ strlen(fake_attest_app_id)));
ASSERT_EQ(KM_ERROR_OK, build_eat_record(attest_params, sw_set, hw_set, context, &eat));
EXPECT_GT(eat.size(), 0U);
@@ -215,16 +232,19 @@
EXPECT_EQ(std::vector<int64_t>(), unexpected_claims);
// Check that the challenge is consistent across build and parse.
- EXPECT_EQ("fake_challenge",
- std::string(reinterpret_cast<const char*>(attestation_challenge.data), 14));
+ EXPECT_EQ(std::string(fake_challenge),
+ std::string(reinterpret_cast<const char*>(attestation_challenge.data),
+ attestation_challenge.data_length));
delete[] attestation_challenge.data;
// Check that the unique id was populated as expected.
- EXPECT_EQ("fake_app_id", std::string(reinterpret_cast<const char*>(unique_id.data), 11));
+ EXPECT_EQ(std::string(fake_attest_app_id),
+ std::string(reinterpret_cast<const char*>(unique_id.data), unique_id.data_length));
delete[] unique_id.data;
// The attestation ID is expected to appear in parsed_sw_set.
- sw_set.push_back(TAG_ATTESTATION_APPLICATION_ID, "fake_attest_app_id", 18);
+ sw_set.push_back(TAG_ATTESTATION_APPLICATION_ID, fake_attest_app_id,
+ strlen(fake_attest_app_id));
// The TAG_INCLUDE_UNIQUE_ID tag is not expected to appear in parsed_hw_set.
hw_set.erase(hw_set.find(TAG_INCLUDE_UNIQUE_ID));
@@ -247,13 +267,17 @@
}
TEST(BadImeiTest, Simple) {
+ const char* fake_challenge = "fake_challenge";
+ const char* fake_attest_app_id = "fake_attest_app_id";
+ const char* invalid_imei = "1234567890123456";
KeymintTestContext context;
- AuthorizationSet hw_set(
- AuthorizationSetBuilder().Authorization(TAG_ATTESTATION_ID_IMEI, "1234567890123456", 16));
+ AuthorizationSet hw_set(AuthorizationSetBuilder().Authorization(
+ TAG_ATTESTATION_ID_IMEI, invalid_imei, strlen(invalid_imei)));
AuthorizationSet attest_params(
AuthorizationSetBuilder()
- .Authorization(TAG_ATTESTATION_CHALLENGE, "fake_challenge", 14)
- .Authorization(TAG_ATTESTATION_APPLICATION_ID, "fake_attest_app_id", 18));
+ .Authorization(TAG_ATTESTATION_CHALLENGE, fake_challenge, strlen(fake_challenge))
+ .Authorization(TAG_ATTESTATION_APPLICATION_ID, fake_attest_app_id,
+ strlen(fake_attest_app_id)));
AuthorizationSet sw_set;
std::vector<uint8_t> eat;
@@ -261,10 +285,11 @@
}
TEST(MissingAuthChallengeTest, Simple) {
+ const char* fake_attest_app_id = "fake_attest_app_id";
KeymintTestContext context;
AuthorizationSet hw_set(AuthorizationSetBuilder().Authorization(TAG_OS_PATCHLEVEL, 201512));
AuthorizationSet attest_params(AuthorizationSetBuilder().Authorization(
- TAG_ATTESTATION_APPLICATION_ID, "fake_attest_app_id", 18));
+ TAG_ATTESTATION_APPLICATION_ID, fake_attest_app_id, strlen(fake_attest_app_id)));
AuthorizationSet sw_set;
std::vector<uint8_t> eat;
@@ -273,6 +298,8 @@
}
TEST(UnknownTagTest, Simple) {
+ const char* fake_challenge = "fake_challenge";
+ const char* fake_attest_app_id = "fake_attest_app_id";
KeymintTestContext context;
AuthorizationSet unknown_tag_set(
AuthorizationSetBuilder().Authorization(UNKNOWN_TAG_T, UNKNOWN_TAG_VALUE));
@@ -282,8 +309,9 @@
std::vector<uint8_t> eat;
AuthorizationSet attest_params(
AuthorizationSetBuilder()
- .Authorization(TAG_ATTESTATION_CHALLENGE, "fake_challenge", 14)
- .Authorization(TAG_ATTESTATION_APPLICATION_ID, "fake_attest_app_id", 18));
+ .Authorization(TAG_ATTESTATION_CHALLENGE, fake_challenge, strlen(fake_challenge))
+ .Authorization(TAG_ATTESTATION_APPLICATION_ID, fake_attest_app_id,
+ strlen(fake_attest_app_id)));
ASSERT_EQ(KM_ERROR_OK,
build_eat_record(attest_params, unknown_tag_set, unknown_tag_set, context, &eat));
EXPECT_GT(eat.size(), 0U);