authorShawn Willden <swillden@google.com>2022-06-20 06:57:38 -0600
committerShawn Willden <swillden@google.com>2022-06-21 12:48:05 +0000
commit1bbb8107fffd5f21f184205ac47156f979b8fba7 (patch)
treef13174db31d13e166c6f02fdd848771a182c631c
parentb493912c9c6d08f7e9e658bd33d592a1e07af9e4 (diff)
Adjust KeyAttestation test for RKP
StrongBox tests required every intermediate cert in the attestation chain to contain "strongbox" in the subject, but this isn't the case for RKP-issued chains. This changes the test to require at least one cert with "strongbox". Bug: 234395804 Test: CtsKeystoreTestCases Change-Id: I28e7e3d345929853b8fc90fd57021758bb739e03
-rw-r--r--tests/tests/keystore/src/android/keystore/cts/KeyAttestationTest.java15
1 files changed, 8 insertions, 7 deletions
diff --git a/tests/tests/keystore/src/android/keystore/cts/KeyAttestationTest.java b/tests/tests/keystore/src/android/keystore/cts/KeyAttestationTest.java
index ae87bdc7d91..f864e52812d 100644
--- a/tests/tests/keystore/src/android/keystore/cts/KeyAttestationTest.java
+++ b/tests/tests/keystore/src/android/keystore/cts/KeyAttestationTest.java
@@ -1489,6 +1489,7 @@ public class KeyAttestationTest {
public static void verifyCertificateChain(Certificate[] certChain, boolean expectStrongBox)
throws GeneralSecurityException {
assertNotNull(certChain);
+ boolean strongBoxSubjectFound = false;
for (int i = 1; i < certChain.length; ++i) {
try {
PublicKey pubKey = certChain[i].getPublicKey();
@@ -1515,19 +1516,19 @@ public class KeyAttestationTest {
if (i == 1) {
// First cert should have subject "CN=Android Keystore Key".
assertEquals(signedCertSubject, new X500Name("CN=Android Keystore Key"));
- } else {
- // Only strongbox implementations should have strongbox in the subject line
- assertEquals(expectStrongBox, signedCertSubject.toString()
- .toLowerCase()
- .contains("strongbox"));
+ } else if (signedCertSubject.toString().toLowerCase().contains("strongbox")) {
+ strongBoxSubjectFound = true;
}
} catch (InvalidKeyException | CertificateException | NoSuchAlgorithmException
| NoSuchProviderException | SignatureException e) {
throw new GeneralSecurityException("Using StrongBox: " + expectStrongBox + "\n"
- + "Failed to verify certificate "
- + certChain[i - 1] + " with public key " + certChain[i].getPublicKey(), e);
+ + "Failed to verify certificate " + certChain[i - 1]
+ + " with public key " + certChain[i].getPublicKey(),
+ e);
}
}
+ // At least one intermediate in a StrongBox chain must have "strongbox" in the subject.
+ assertEquals(expectStrongBox, strongBoxSubjectFound);
}
private void testDeviceIdAttestationFailure(int idType,
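Review bot: The closing `assertEquals(expectStrongBox, strongBoxSubjectFound)` accepts a StrongBox chain as soon as any one intermediate subject contains the substring "strongbox", so a chain mixing StrongBox-named and other intermediates now passes, and a failure no longer identifies which certificate was inspected. If RKP-issued chains carry the marker at a known position, checking that position would be tighter; otherwise the new comment should say that the subject match is only a naming heuristic and that the security level itself comes from the attestation extension (presumably verified elsewhere in this class, which the hunk does not show). A failure message would help triage, e.g. `assertEquals("strongbox marker in intermediate subjects", expectStrongBox, strongBoxSubjectFound);`, assuming the JUnit 4 `Assert` overload is the one imported. The `toLowerCase()` in the new `else if` depends on the device's default locale; `toLowerCase(Locale.ROOT)` keeps the match stable. The loop body of verifyCertificateChain is only partly visible between the two hunks.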