[AVF] Expose patch level check failure code

Bug: 359629878 Test: Unit test Flag: EXEMPT bugfix Ignore-AOSP-First: This hasn't been tested e2e by CDM and XR yet. Releasing this to AOSP directly may not be appropriate. Change-Id: I660689e61a235017f2e969ceb38672ef32b62d10
author: Guojing Yuan <guojing@google.com> 2024-09-19 18:08:35 +0000
committer: Guojing Yuan <guojing@google.com> 2024-09-27 22:12:28 +0000
commit: e855f08496f5d3efc96df3ce51d31f8fc7344274 (patch)
tree: b46e175e06c8e48c3d8bf5600d86833a05cd0727 /tests/AttestationVerificationTest
parent: 21e18dc45c669cf92b90966d36a1ce8ff1c30bd3 (diff)
3 files changed, 56 insertions, 48 deletions
diff --git a/tests/AttestationVerificationTest/src/android/security/attestationverification/PeerDeviceSystemAttestationVerificationTest.kt b/tests/AttestationVerificationTest/src/android/security/attestationverification/PeerDeviceSystemAttestationVerificationTest.kt
index ad95fbc36867..88ebf3edc7ed 100644
--- a/tests/AttestationVerificationTest/src/android/security/attestationverification/PeerDeviceSystemAttestationVerificationTest.kt
+++ b/tests/AttestationVerificationTest/src/android/security/attestationverification/PeerDeviceSystemAttestationVerificationTest.kt
@@ -2,10 +2,11 @@ package android.security.attestationverification
 
 import android.app.Activity
 import android.os.Bundle
+import android.security.attestationverification.AttestationVerificationManager.FLAG_FAILURE_CERTS
+import android.security.attestationverification.AttestationVerificationManager.FLAG_FAILURE_LOCAL_BINDING_REQUIREMENTS
 import android.security.attestationverification.AttestationVerificationManager.PARAM_CHALLENGE
 import android.security.attestationverification.AttestationVerificationManager.PARAM_PUBLIC_KEY
 import android.security.attestationverification.AttestationVerificationManager.PROFILE_PEER_DEVICE
-import android.security.attestationverification.AttestationVerificationManager.RESULT_FAILURE
 import android.security.attestationverification.AttestationVerificationManager.TYPE_CHALLENGE
 import android.security.attestationverification.AttestationVerificationManager.TYPE_PUBLIC_KEY
 import android.security.attestationverification.AttestationVerificationManager.TYPE_UNKNOWN
@@ -54,7 +55,7 @@ class PeerDeviceSystemAttestationVerificationTest {
             future.complete(result)
         }
 
-        assertThat(future.getSoon()).isEqualTo(RESULT_FAILURE)
+        assertThat(future.getSoon()).isEqualTo(FLAG_FAILURE_LOCAL_BINDING_REQUIREMENTS)
     }
 
     @Test
@@ -66,7 +67,7 @@ class PeerDeviceSystemAttestationVerificationTest {
             future.complete(result)
         }
 
-        assertThat(future.getSoon()).isEqualTo(RESULT_FAILURE)
+        assertThat(future.getSoon()).isEqualTo(FLAG_FAILURE_LOCAL_BINDING_REQUIREMENTS)
     }
 
     @Test
@@ -80,7 +81,7 @@ class PeerDeviceSystemAttestationVerificationTest {
             future.complete(result)
         }
 
-        assertThat(future.getSoon()).isEqualTo(RESULT_FAILURE)
+        assertThat(future.getSoon()).isEqualTo(FLAG_FAILURE_LOCAL_BINDING_REQUIREMENTS)
 
         val future2 = CompletableFuture<Int>()
         val challengeRequirements = Bundle()
@@ -90,7 +91,7 @@ class PeerDeviceSystemAttestationVerificationTest {
             future2.complete(result)
         }
 
-        assertThat(future2.getSoon()).isEqualTo(RESULT_FAILURE)
+        assertThat(future2.getSoon()).isEqualTo(FLAG_FAILURE_LOCAL_BINDING_REQUIREMENTS)
     }
 
     @Test
@@ -104,7 +105,7 @@ class PeerDeviceSystemAttestationVerificationTest {
             future.complete(result)
         }
 
-        assertThat(future.getSoon()).isEqualTo(RESULT_FAILURE)
+        assertThat(future.getSoon()).isEqualTo(FLAG_FAILURE_LOCAL_BINDING_REQUIREMENTS)
     }
 
     @Test
@@ -118,7 +119,7 @@ class PeerDeviceSystemAttestationVerificationTest {
             future.complete(result)
         }
 
-        assertThat(future.getSoon()).isEqualTo(RESULT_FAILURE)
+        assertThat(future.getSoon()).isEqualTo(FLAG_FAILURE_CERTS)
     }
 
     @Test
@@ -131,7 +132,7 @@ class PeerDeviceSystemAttestationVerificationTest {
             invalidAttestationByteArray, activity.mainExecutor) { result, _ ->
             future.complete(result)
         }
-        assertThat(future.getSoon()).isEqualTo(RESULT_FAILURE)
+        assertThat(future.getSoon()).isEqualTo(FLAG_FAILURE_CERTS)
     }
 
     private fun <T> CompletableFuture<T>.getSoon(): T {
diff --git a/tests/AttestationVerificationTest/src/android/security/attestationverification/SystemAttestationVerificationTest.kt b/tests/AttestationVerificationTest/src/android/security/attestationverification/SystemAttestationVerificationTest.kt
index 8f06b4a2ea0a..e77364de8747 100644
--- a/tests/AttestationVerificationTest/src/android/security/attestationverification/SystemAttestationVerificationTest.kt
+++ b/tests/AttestationVerificationTest/src/android/security/attestationverification/SystemAttestationVerificationTest.kt
@@ -2,6 +2,9 @@ package android.security.attestationverification
 
 import android.os.Bundle
 import android.app.Activity
+import android.security.attestationverification.AttestationVerificationManager.FLAG_FAILURE_CERTS
+import android.security.attestationverification.AttestationVerificationManager.FLAG_FAILURE_LOCAL_BINDING_REQUIREMENTS
+import android.security.attestationverification.AttestationVerificationManager.FLAG_FAILURE_UNSUPPORTED_PROFILE
 import androidx.test.ext.junit.rules.ActivityScenarioRule
 import androidx.test.ext.junit.runners.AndroidJUnit4
 import androidx.test.filters.SmallTest
@@ -14,9 +17,6 @@ import com.google.common.truth.Truth.assertThat
 import android.security.attestationverification.AttestationVerificationManager.PARAM_CHALLENGE
 import android.security.attestationverification.AttestationVerificationManager.PROFILE_SELF_TRUSTED
 import android.security.attestationverification.AttestationVerificationManager.PROFILE_UNKNOWN
-import android.security.attestationverification.AttestationVerificationManager.RESULT_FAILURE
-import android.security.attestationverification.AttestationVerificationManager.RESULT_SUCCESS
-import android.security.attestationverification.AttestationVerificationManager.RESULT_UNKNOWN
 import android.security.attestationverification.AttestationVerificationManager.TYPE_PUBLIC_KEY
 import android.security.attestationverification.AttestationVerificationManager.TYPE_CHALLENGE
 import android.security.keystore.KeyGenParameterSpec
@@ -58,19 +58,19 @@ class SystemAttestationVerificationTest {
             future.complete(result)
         }
 
-        assertThat(future.getSoon()).isEqualTo(RESULT_UNKNOWN)
+        assertThat(future.getSoon()).isEqualTo(FLAG_FAILURE_UNSUPPORTED_PROFILE)
     }
 
     @Test
     fun verifyAttestation_returnsFailureWithEmptyAttestation() {
         val future = CompletableFuture<Int>()
-        val profile = AttestationProfile(PROFILE_SELF_TRUSTED)
-        avm.verifyAttestation(profile, TYPE_CHALLENGE, Bundle(), ByteArray(0),
-            activity.mainExecutor) { result, _ ->
+        val selfTrusted = TestSelfTrustedAttestation("test", "challengeStr")
+        avm.verifyAttestation(selfTrusted.profile, selfTrusted.localBindingType,
+            selfTrusted.requirements, ByteArray(0), activity.mainExecutor) { result, _ ->
             future.complete(result)
         }
 
-        assertThat(future.getSoon()).isEqualTo(RESULT_FAILURE)
+        assertThat(future.getSoon()).isEqualTo(FLAG_FAILURE_CERTS)
     }
 
     @Test
@@ -81,7 +81,7 @@ class SystemAttestationVerificationTest {
             Bundle(), selfTrusted.attestation, activity.mainExecutor) { result, _ ->
             future.complete(result)
         }
-        assertThat(future.getSoon()).isEqualTo(RESULT_FAILURE)
+        assertThat(future.getSoon()).isEqualTo(FLAG_FAILURE_LOCAL_BINDING_REQUIREMENTS)
     }
 
     @Test
@@ -92,7 +92,7 @@ class SystemAttestationVerificationTest {
             selfTrusted.requirements, selfTrusted.attestation, activity.mainExecutor) { result, _ ->
             future.complete(result)
         }
-        assertThat(future.getSoon()).isEqualTo(RESULT_FAILURE)
+        assertThat(future.getSoon()).isEqualTo(FLAG_FAILURE_LOCAL_BINDING_REQUIREMENTS)
     }
 
     @Test
@@ -106,7 +106,7 @@ class SystemAttestationVerificationTest {
             wrongKeyRequirements, selfTrusted.attestation, activity.mainExecutor) { result, _ ->
             future.complete(result)
         }
-        assertThat(future.getSoon()).isEqualTo(RESULT_FAILURE)
+        assertThat(future.getSoon()).isEqualTo(FLAG_FAILURE_LOCAL_BINDING_REQUIREMENTS)
     }
 
     @Test
@@ -119,7 +119,7 @@ class SystemAttestationVerificationTest {
             wrongChallengeRequirements, selfTrusted.attestation, activity.mainExecutor) {
                 result, _ -> future.complete(result)
         }
-        assertThat(future.getSoon()).isEqualTo(RESULT_FAILURE)
+        assertThat(future.getSoon()).isEqualTo(FLAG_FAILURE_LOCAL_BINDING_REQUIREMENTS)
     }
 
     // TODO(b/216144791): Add more failure tests for PROFILE_SELF_TRUSTED.
@@ -131,20 +131,7 @@ class SystemAttestationVerificationTest {
             selfTrusted.requirements, selfTrusted.attestation, activity.mainExecutor) { result, _ ->
             future.complete(result)
         }
-        assertThat(future.getSoon()).isEqualTo(RESULT_SUCCESS)
-    }
-
-    @Test
-    fun verifyToken_returnsUnknown() {
-        val future = CompletableFuture<Int>()
-        val profile = AttestationProfile(PROFILE_SELF_TRUSTED)
-        avm.verifyAttestation(profile, TYPE_PUBLIC_KEY, Bundle(), ByteArray(0),
-                activity.mainExecutor) { _, token ->
-            val result = avm.verifyToken(profile, TYPE_PUBLIC_KEY, Bundle(), token, null)
-            future.complete(result)
-        }
-
-        assertThat(future.getSoon()).isEqualTo(RESULT_UNKNOWN)
+        assertThat(future.getSoon()).isEqualTo(0)
     }
 
     @Test
diff --git a/tests/AttestationVerificationTest/src/com/android/server/security/AttestationVerificationPeerDeviceVerifierTest.kt b/tests/AttestationVerificationTest/src/com/android/server/security/AttestationVerificationPeerDeviceVerifierTest.kt
index 4712d6b51bd5..4d1a1a55af74 100644
--- a/tests/AttestationVerificationTest/src/com/android/server/security/AttestationVerificationPeerDeviceVerifierTest.kt
+++ b/tests/AttestationVerificationTest/src/com/android/server/security/AttestationVerificationPeerDeviceVerifierTest.kt
@@ -3,11 +3,12 @@ package com.android.server.security
 import android.app.Activity
 import android.content.Context
 import android.os.Bundle
+import android.security.attestationverification.AttestationVerificationManager.FLAG_FAILURE_CERTS
+import android.security.attestationverification.AttestationVerificationManager.FLAG_FAILURE_LOCAL_BINDING_REQUIREMENTS
+import android.security.attestationverification.AttestationVerificationManager.FLAG_FAILURE_PATCH_LEVEL_DIFF
 import android.security.attestationverification.AttestationVerificationManager.PARAM_CHALLENGE
 import android.security.attestationverification.AttestationVerificationManager.PARAM_MAX_PATCH_LEVEL_DIFF_MONTHS
 import android.security.attestationverification.AttestationVerificationManager.PARAM_PUBLIC_KEY
-import android.security.attestationverification.AttestationVerificationManager.RESULT_FAILURE
-import android.security.attestationverification.AttestationVerificationManager.RESULT_SUCCESS
 import android.security.attestationverification.AttestationVerificationManager.TYPE_CHALLENGE
 import android.security.attestationverification.AttestationVerificationManager.TYPE_PUBLIC_KEY
 import android.util.IndentingPrintWriter
@@ -72,7 +73,7 @@ class AttestationVerificationPeerDeviceVerifierTest {
             TYPE_CHALLENGE, challengeRequirements,
             TEST_ATTESTATION_WITH_ROOT_CERT_FILENAME.fromPEMFileToByteArray()
         )
-        assertThat(result).isEqualTo(RESULT_SUCCESS)
+        assertThat(result).isEqualTo(0)
     }
 
     @Test
@@ -88,7 +89,7 @@ class AttestationVerificationPeerDeviceVerifierTest {
             TYPE_CHALLENGE, challengeRequirements,
             TEST_ATTESTATION_WITH_ROOT_CERT_FILENAME.fromPEMFileToByteArray()
         )
-        assertThat(result).isEqualTo(RESULT_SUCCESS)
+        assertThat(result).isEqualTo(0)
     }
 
     @Test
@@ -108,7 +109,7 @@ class AttestationVerificationPeerDeviceVerifierTest {
             TYPE_PUBLIC_KEY, pkRequirements,
             TEST_ATTESTATION_WITH_ROOT_CERT_FILENAME.fromPEMFileToByteArray()
         )
-        assertThat(result).isEqualTo(RESULT_SUCCESS)
+        assertThat(result).isEqualTo(0)
     }
 
     @Test
@@ -126,7 +127,7 @@ class AttestationVerificationPeerDeviceVerifierTest {
             TEST_OWNED_BY_SYSTEM_FILENAME.fromPEMFileToByteArray()
         )
 
-        assertThat(result).isEqualTo(RESULT_SUCCESS)
+        assertThat(result).isEqualTo(0)
     }
 
     @Test
@@ -143,7 +144,7 @@ class AttestationVerificationPeerDeviceVerifierTest {
             TYPE_CHALLENGE, challengeRequirements,
             TEST_ATTESTATION_WITH_ROOT_CERT_FILENAME.fromPEMFileToByteArray()
         )
-        assertThat(result).isEqualTo(RESULT_FAILURE)
+        assertThat(result).isEqualTo(FLAG_FAILURE_LOCAL_BINDING_REQUIREMENTS)
     }
 
     @Test
@@ -159,7 +160,7 @@ class AttestationVerificationPeerDeviceVerifierTest {
             TYPE_CHALLENGE, challengeRequirements,
             TEST_ATTESTATION_WITH_ROOT_CERT_FILENAME.fromPEMFileToByteArray()
         )
-        assertThat(result).isEqualTo(RESULT_FAILURE)
+        assertThat(result).isEqualTo(FLAG_FAILURE_PATCH_LEVEL_DIFF)
     }
 
     @Test
@@ -176,7 +177,7 @@ class AttestationVerificationPeerDeviceVerifierTest {
             TYPE_CHALLENGE, challengeRequirements,
             TEST_ATTESTATION_WITH_ROOT_CERT_FILENAME.fromPEMFileToByteArray()
         )
-        assertThat(result).isEqualTo(RESULT_SUCCESS)
+        assertThat(result).isEqualTo(0)
     }
 
     @Test
@@ -191,10 +192,28 @@ class AttestationVerificationPeerDeviceVerifierTest {
 
         val result = verifier.verifyAttestation(
             TYPE_CHALLENGE, challengeRequirements,
-            // The patch date of this file is early 2022
             TEST_ATTESTATION_WITH_ROOT_CERT_FILENAME.fromPEMFileToByteArray()
         )
-        assertThat(result).isEqualTo(RESULT_FAILURE)
+        assertThat(result).isEqualTo(FLAG_FAILURE_PATCH_LEVEL_DIFF)
+    }
+
+    @Test
+    fun verifyAttestation_returnsFailureOwnedBySystemAndPatchDataNotWithinMaxPatchDiff() {
+        val verifier = AttestationVerificationPeerDeviceVerifier(
+            context, dumpLogger, trustAnchors, false, LocalDate.of(2024, 10, 1),
+            LocalDate.of(2024, 9, 1)
+        )
+        val challengeRequirements = Bundle()
+        challengeRequirements.putByteArray(PARAM_CHALLENGE, "player456".encodeToByteArray())
+        challengeRequirements.putBoolean("android.key_owned_by_system", true)
+        challengeRequirements.putInt(PARAM_MAX_PATCH_LEVEL_DIFF_MONTHS, 24)
+
+        val result = verifier.verifyAttestation(
+            TYPE_CHALLENGE, challengeRequirements,
+            TEST_ATTESTATION_WITH_ROOT_CERT_FILENAME.fromPEMFileToByteArray()
+        )
+        // Both "owned by system" and "patch level diff" checks should fail.
+        assertThat(result).isEqualTo(FLAG_FAILURE_LOCAL_BINDING_REQUIREMENTS or FLAG_FAILURE_PATCH_LEVEL_DIFF)
     }
 
     @Test
@@ -210,7 +229,7 @@ class AttestationVerificationPeerDeviceVerifierTest {
             TYPE_CHALLENGE, challengeRequirements,
             TEST_ATTESTATION_WITH_ROOT_CERT_FILENAME.fromPEMFileToByteArray()
         )
-        assertThat(result).isEqualTo(RESULT_FAILURE)
+        assertThat(result).isEqualTo(FLAG_FAILURE_CERTS)
     }
 
     @Test
@@ -232,7 +251,7 @@ class AttestationVerificationPeerDeviceVerifierTest {
             TYPE_CHALLENGE, challengeRequirements,
             TEST_ATTESTATION_WITH_ROOT_CERT_FILENAME.fromPEMFileToByteArray()
         )
-        assertThat(result).isEqualTo(RESULT_FAILURE)
+        assertThat(result).isEqualTo(FLAG_FAILURE_CERTS)
     }
 
     fun verifyAttestation_returnsFailureChallenge() {
@@ -247,7 +266,7 @@ class AttestationVerificationPeerDeviceVerifierTest {
             TYPE_CHALLENGE, challengeRequirements,
             TEST_ATTESTATION_WITH_ROOT_CERT_FILENAME.fromPEMFileToByteArray()
         )
-        assertThat(result).isEqualTo(RESULT_FAILURE)
+        assertThat(result).isEqualTo(FLAG_FAILURE_LOCAL_BINDING_REQUIREMENTS)
     }
 
     private fun String.fromPEMFileToCerts(): Collection<Certificate> {
@@ -281,6 +300,7 @@ class AttestationVerificationPeerDeviceVerifierTest {
     companion object {
         private const val TAG = "AVFTest"
         private const val TEST_ROOT_CERT_FILENAME = "test_root_certs.pem"
+        // Local patch date is 20220105
         private const val TEST_ATTESTATION_WITH_ROOT_CERT_FILENAME =
             "test_attestation_with_root_certs.pem"
         private const val TEST_ATTESTATION_CERT_FILENAME = "test_attestation_wrong_root_certs.pem"
author	Guojing Yuan <guojing@google.com>	2024-09-19 18:08:35 +0000
committer	Guojing Yuan <guojing@google.com>	2024-09-27 22:12:28 +0000
commit	e855f08496f5d3efc96df3ce51d31f8fc7344274 (patch)
tree	b46e175e06c8e48c3d8bf5600d86833a05cd0727 /tests/AttestationVerificationTest
parent	21e18dc45c669cf92b90966d36a1ce8ff1c30bd3 (diff)