author | Shawn Willden <swillden@google.com> | 2022-06-20 06:57:38 -0600 |
---|---|---|
committer | Shawn Willden <swillden@google.com> | 2022-06-21 12:48:05 +0000 |
commit | 1bbb8107fffd5f21f184205ac47156f979b8fba7 (patch) | |
tree | f13174db31d13e166c6f02fdd848771a182c631c | |
parent | b493912c9c6d08f7e9e658bd33d592a1e07af9e4 (diff) | |
download | cts-1bbb8107fffd5f21f184205ac47156f979b8fba7.tar.gz |
Adjust KeyAttestation test for RKP
StrongBox tests required every intermediate cert in the attestation
chain to contain "strongbox" in the subject, but this isn't the case
for RKP-issued chains.
This changes the test to require at least one cert with "strongbox".
Bug: 234395804
Test: CtsKeystoreTestCases
Change-Id: I28e7e3d345929853b8fc90fd57021758bb739e03
-rw-r--r-- | tests/tests/keystore/src/android/keystore/cts/KeyAttestationTest.java | 15 |
1 files changed, 8 insertions, 7 deletions
diff --git a/tests/tests/keystore/src/android/keystore/cts/KeyAttestationTest.java b/tests/tests/keystore/src/android/keystore/cts/KeyAttestationTest.java
index ae87bdc7d91..f864e52812d 100644
--- a/tests/tests/keystore/src/android/keystore/cts/KeyAttestationTest.java
+++ b/tests/tests/keystore/src/android/keystore/cts/KeyAttestationTest.java
@@ -1489,6 +1489,7 @@ public class KeyAttestationTest {
 public static void verifyCertificateChain(Certificate[] certChain, boolean expectStrongBox) throws GeneralSecurityException {
 assertNotNull(certChain);
+ boolean strongBoxSubjectFound = false;
 for (int i = 1; i < certChain.length; ++i) {
 try {
 PublicKey pubKey = certChain[i].getPublicKey();
@@ -1515,19 +1516,19 @@ public class KeyAttestationTest {
 if (i == 1) {
 // First cert should have subject "CN=Android Keystore Key".
 assertEquals(signedCertSubject, new X500Name("CN=Android Keystore Key"));
- } else {
- // Only strongbox implementations should have strongbox in the subject line
- assertEquals(expectStrongBox, signedCertSubject.toString()
- .toLowerCase()
- .contains("strongbox"));
+ } else if (signedCertSubject.toString().toLowerCase().contains("strongbox")) {
+ strongBoxSubjectFound = true;
 }
 } catch (InvalidKeyException | CertificateException | NoSuchAlgorithmException | NoSuchProviderException | SignatureException e) {
 throw new GeneralSecurityException("Using StrongBox: " + expectStrongBox + "\n"
- + "Failed to verify certificate "
- + certChain[i - 1] + " with public key " + certChain[i].getPublicKey(), e);
+ + "Failed to verify certificate " + certChain[i - 1]
+ + " with public key " + certChain[i].getPublicKey(),
+ e);
 }
 }
+ // At least one intermediate in a StrongBox chain must have "strongbox" in the subject.
+ assertEquals(expectStrongBox, strongBoxSubjectFound);
 }
 private void testDeviceIdAttestationFailure(int idType, |
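Review bot: The closing `assertEquals(expectStrongBox, strongBoxSubjectFound)` in the second hunk checks both directions, but the comment above it describes only the StrongBox case, and a failure would report nothing beyond the expected and actual booleans. I would reword the comment to `// A StrongBox chain needs at least one intermediate with "strongbox" in its subject; any other chain must have none.` and pass a message, e.g. `assertEquals("\"strongbox\" marker in intermediate subjects", expectStrongBox, strongBoxSubjectFound);`. With the per-certificate assertion gone, a StrongBox chain that also carries intermediates without the marker now passes, so this subject match is only a naming heuristic; the security level recorded in the attestation extension should stay the authoritative check, which presumably happens outside this hunk. The function starts before the second hunk and `signedCertSubject` is assigned in lines not shown, so which certificates the scan actually covers cannot be confirmed from here.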