KeyManagementTest: Fix Regression with StrongBox testing
Change-ID I93ed6c934a604566648d1d864e37c221cb4eae64 added testing of key
generation & Device ID attestation using StrongBox.
However, that change did not correctly accommodate devices that do
not have StrongBox in Device Owner mode: an attestation or key generation
failure when StrongBox was requested but unavailable was not handled
correctly.
As a result this test would pass on devices with StrongBox, but fail on
devices without StrongBox (e.g. current Pixel 2 devices).
Change to bail out of assertion checking if the use of StrongBox was
requested, but the key generation attempt failed and StrongBox is not
available on the device.
Merged-In: I25e43902394c39af6caedba0a841caf6f4a57c7d
Test: atest com.android.cts.devicepolicy.MixedProfileOwnerTest#testKeyManagement on a Pixel 2 device
Test: atest com.android.cts.devicepolicy.MixedDeviceOwnerTest#testKeyManagement on a Pixel 2 device
Bug: 112413875
Change-Id: Iac8e0bce74a8c4691ee56debf36a719676ba3d46
diff --git a/hostsidetests/devicepolicy/app/DeviceAndProfileOwner/src/com/android/cts/deviceandprofileowner/KeyManagementTest.java b/hostsidetests/devicepolicy/app/DeviceAndProfileOwner/src/com/android/cts/deviceandprofileowner/KeyManagementTest.java
index 214eebb..c11f058 100755
--- a/hostsidetests/devicepolicy/app/DeviceAndProfileOwner/src/com/android/cts/deviceandprofileowner/KeyManagementTest.java
+++ b/hostsidetests/devicepolicy/app/DeviceAndProfileOwner/src/com/android/cts/deviceandprofileowner/KeyManagementTest.java
@@ -445,6 +445,18 @@
KeyGenParameterSpec spec = specBuilder.build();
AttestedKeyPair generated = mDevicePolicyManager.generateKeyPair(
getWho(), keyAlgorithm, spec, deviceIdAttestationFlags);
+ // Bail out early if StrongBox was requested and generation failed.
+ // Note the underlying assumption that StrongBox supports key attestation _and_
+ // Device ID attestation (i.e. no StrongBox implementations that do not implement
+ // Device ID attestation).
+ // If generation has failed and StrongBox was requested, it is then a failure
+ // regardless of the kind of attestation requested.
+ if (useStrongBox && generated == null) {
+ assertFalse("StrongBox-backed key attestation must not fail if the device " +
+ "declares support for StrongBox", hasStrongBox());
+ return null;
+ }
+
// If Device ID attestation was requested, check it succeeded if and only if device ID
// attestation is supported.
if (isDeviceIdAttestationRequested(deviceIdAttestationFlags)) {
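Review bot: The new early return makes `null` mean "StrongBox was requested but is not present on the device", and nothing visible on the method tells callers so; the loop in the third hunk has to re-check `attestation == null && useStrongBox` for exactly this reason. I would document it on the helper (presumably `generateKeyAndCheckAttestation`), e.g. `@return the attestation certificate, or null if useStrongBox was set, key generation failed and the device does not declare StrongBox`, assuming null has no other meaning in the part of the method outside this hunk. The assertion message also says "key attestation" although this path is reached for Device ID attestation requests too, so adding `keyAlgorithm` and `deviceIdAttestationFlags` to the message would make a failure on a StrongBox device diagnosable. The method starts and ends outside the hunk.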
@@ -496,14 +508,10 @@
public void testCanGenerateKeyPairWithKeyAttestationUsingStrongBox() throws Exception {
for (SupportedKeyAlgorithm supportedKey: SUPPORTED_KEY_ALGORITHMS) {
- Certificate attestation = generateKeyAndCheckAttestation(
+ generateKeyAndCheckAttestation(
supportedKey.keyAlgorithm, supportedKey.signatureAlgorithm,
supportedKey.signaturePaddingSchemes, true /* useStrongBox */,
0 /* idAttestationFlags */);
- if (attestation == null) {
- assertFalse("StrongBox-backed key attestation must not fail if the device " +
- "declares support for StrongBox", hasStrongBox());
- }
}
}
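Review bot: On a device without StrongBox this test now passes without having verified any attestation, and nothing in the result distinguishes that from a real pass, because the discarded return value was the only signal that the StrongBox path was skipped. A comment on the test such as `// No-op on devices without StrongBox: the helper returns null after asserting !hasStrongBox().` would keep readers of CTS results from taking a pass as evidence of StrongBox attestation. The skip also depends on what `hasStrongBox()` reports, which is defined outside this hunk; if it reflects only the declared feature, a device that omits the declaration is never checked here.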
@@ -557,6 +565,7 @@
// but StrongBox is not available on the device.
if (attestation == null && useStrongBox) {
assertFalse(hasStrongBox());
+ continue;
}
assertNotNull(String.format(
"Attestation should be valid for key %s with attestation modes %s",
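Review bot: The `assertFalse(hasStrongBox())` that guards the new `continue` has no message, so a failure on a StrongBox device reports only a bare assertion error, while the `assertNotNull` below names the key and attestation modes. I would give it the same text the helper uses: `assertFalse("StrongBox-backed key attestation must not fail if the device declares support for StrongBox", hasStrongBox());`. The enclosing loop begins and ends outside the hunk.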