run cts --subplan CtsKeystoreTestCases-android.keystore.cts.KeyAttestationTest#testEcAttestation
The log reports android.security.KeyStoreException: -10003 at android.security.KeyStore.getKeyStoreException(KeyStore.java:839)
Error -10003 means the attestation key is not provisioned.
CtsKeystoreTestCases: no attestation key (keybox) has been installed on the device.
https://www.jianshu.com/p/959be78c985e
3. CtsKeystoreTestCases android.keystore.cts.KeyAttestationTest#testEcAttestation
This test requires applying to Google for an attestation key (keybox).
QCOM documentation:
MTK documentation:
https://online.mediatek.com/FAQ#/SW/FAQ20625
What is an attestation key?
For Android O, key attestation is mandatory and is checked by CTS/GTS.
Key attestation is intended to give a strong way to determine whether an asymmetric key pair is hardware-backed, i.e. whether it came from the HW keymaster.
How does key attestation work?
After an application asks keymaster to generate a key pair,
the application can ask keymaster for a certificate chain (the leaf certificate is signed by the attestation key, and the root certificate comes from Google) and check that the chain is valid.
The MTK FAQ says the application should do the certificate verification itself; note that Google's own guidance is to send the chain to a trusted server and verify it there, since a check performed only on the device can be tampered with by whatever compromised the device.
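The flow just described, as an added example in Android app code (not code from the page, the MTK FAQ, or AOSP): generate an EC key in AndroidKeyStore with an attestation challenge, fetch the chain, and do the on-device sanity checks. The alias name and the `challenge` bytes are assumptions chosen by the caller; in a real deployment the challenge comes from the relying party's server. The example also handles the failure mode this page is about: when no attestation key is provisioned, `generateKeyPair()` throws `ProviderException` with `KeyStoreException: -10003` in its cause chain, exactly as in the CTS report below.

```java
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyProperties;

import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.ProviderException;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.security.spec.ECGenParameterSpec;

/** Generates an attested EC key in AndroidKeyStore and sanity-checks the returned chain. */
public final class AttestationDemo {
    // OID of the Android key attestation extension carried by the leaf certificate.
    static final String ATTESTATION_OID = "1.3.6.1.4.1.11129.2.1.17";

    /**
     * @param alias     keystore alias to create (hypothetical name, chosen by the caller)
     * @param challenge nonce from the relying party's server; keymaster copies it into the
     *                  attestation extension so the server can bind the chain to this request
     * @return the certificate chain, leaf first, or null if the device cannot attest
     */
    public static X509Certificate[] generateAttestedKey(String alias, byte[] challenge) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance(
                KeyProperties.KEY_ALGORITHM_EC, "AndroidKeyStore");
        kpg.initialize(new KeyGenParameterSpec.Builder(alias,
                KeyProperties.PURPOSE_SIGN | KeyProperties.PURPOSE_VERIFY)
                .setAlgorithmParameterSpec(new ECGenParameterSpec("secp256r1"))
                .setDigests(KeyProperties.DIGEST_SHA256)
                .setAttestationChallenge(challenge)   // this is what turns attestation on
                .build());
        try {
            kpg.generateKeyPair();
        } catch (ProviderException e) {
            // Failure seen in the CTS report on this page: keymaster has no provisioned
            // attestation key (KeyStoreException -10003 in the cause chain). Report the
            // device as unable to attest instead of silently using a non-attested key.
            return null;
        }
        KeyStore ks = KeyStore.getInstance("AndroidKeyStore");
        ks.load(null);
        Certificate[] chain = ks.getCertificateChain(alias);
        X509Certificate[] x509 = new X509Certificate[chain.length];
        for (int i = 0; i < chain.length; i++) x509[i] = (X509Certificate) chain[i];
        return x509;
    }

    /**
     * On-device sanity check only: every certificate must be signed by the next one, the
     * last one must be self-signed (the chain on a provisioned device ends at Google's
     * root), and the leaf must carry the attestation extension. The trust decisions
     * (challenge match, security level, and that the last certificate really is Google's
     * published root) must be made on the relying party's server.
     */
    public static boolean chainIsWellFormed(X509Certificate[] chain) {
        if (chain == null || chain.length < 2) return false;
        if (chain[0].getExtensionValue(ATTESTATION_OID) == null) return false;
        try {
            for (int i = 0; i < chain.length - 1; i++) {
                chain[i].checkValidity();
                chain[i].verify(chain[i + 1].getPublicKey());
            }
            X509Certificate root = chain[chain.length - 1];
            root.verify(root.getPublicKey());
            return true;
        } catch (Exception e) {
            return false;
        }
    }
}
```

The server side then parses the KeyDescription structure inside the extension (DER, under the OID above) to compare the embedded challenge with the one it issued and to read the attestation security level; the Google developer page linked below describes that structure and the root certificate to pin against.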
More information on Google's sites that you should know:
Before provisioning the key, it is best to read up on Google's sites first; refer to the following links:
https://source.android.com/security/keystore/
https://developer.android.com/training/articles/security-key-attestation.html#verifying
https://source.android.com/compatibility/android-cdd#9_security_model_compatibility (CDD section 9.11)
How to provision the attestation key?
step1: Apply for the attestation key keybox from Google; for details please refer to Q1.
step2: Split and encrypt the keybox with the splitter tool. You can get the splitter tool from MOL; it ships together with the SN Writer tool.
step3: Configure the decrypt/verify key in the TEE file in the Android codebase, rebuild, and flash the updated image to the phone.
step4: Install the attestation key keybox into the phone with SN Writer or the SP Meta tool.
Q&A
Q1: How do I apply for an attestation key from Google?
A: Log in to Google's site with your Google ID
and apply for an attestation key with your "device ID". For more information, log in to the following Google sites:
https://accounts.google.com/signin/v2/identifier?service=androidpartner&passive=1209600&continue=https%3a%2f%2fpartner.android.com%2f&followup=https%3a%2f%2fpartner.android.com%2f&flowname=glifwebsignin&flowntry=servicelogin
https://developers.google.com/android-partner/guide/keybox
Q2: What if I do not install an attestation key for keymaster?
A: CTS/GTS will fail.
Q3: Why do 100,000 devices share one key? What if fewer or more than 100,000 devices share one key, or different projects share the same key?
A: The purpose of sharing is to keep the attestation key from acting as a device-unique identifier. Google does not require the number of devices per attestation key to be exactly 100,000; that figure is only a recommendation.
Q4: Is the device ID injected into keymaster?
A: In MTK's solution the device ID is not injected into keymaster. Google does not require the device ID to be injected into keymaster.
Q5: How do I check that the key installation succeeded and is valid?
A: Run CTS to check that the key is valid and that key attestation works:
run cts -m CtsKeystoreTestCases -t android.keystore.cts.KeyAttestationTest
Q6: Why does the Keysplitter tool show an "out of memory" error?
A: The keybox file is too large. The maximum keybox size is 500 MB; when the file is larger than 500 MB the customer needs to split it before using the keysplitter tool.
Test report (the -10003 root cause is the last "Caused by" in each trace):
Test | Result | Details |
---|---|---|
android.keystore.cts.KeyAttestationTest#testEcAttestation | fail | java.lang.Exception: Failed on curve 0 and challege 0 at android.keystore.cts.KeyAttestationTest.testEcAttestation(KeyAttestationTest.java:169) at java.lang.reflect.Method.invoke(Native Method) at junit.framework.TestCase.runTest(TestCase.java:168) at junit.framework.TestCase.runBare(TestCase.java:134) at junit.framework.TestResult$1.protect(TestResult.java:115) at android.support.test.internal.runner.junit3.AndroidTestResult.runProtected(AndroidTestResult.java:73) at junit.framework.TestResult.run(TestResult.java:118) at android.support.test.internal.runner.junit3.AndroidTestResult.run(AndroidTestResult.java:51) at junit.framework.TestCase.run(TestCase.java:124) at android.support.test.internal.runner.junit3.NonLeakyTestSuite$NonLeakyTest.run(NonLeakyTestSuite.java:62) at android.support.test.internal.runner.junit3.AndroidTestSuite$2.run(AndroidTestSuite.java:101) at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:458) at java.util.concurrent.FutureTask.run(FutureTask.java:266) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1167) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:641) at java.lang.Thread.run(Thread.java:764) Caused by: java.security.ProviderException: Failed to generate attestation certificate chain at android.security.keystore.AndroidKeyStoreKeyPairGeneratorSpi.getAttestationChain(AndroidKeyStoreKeyPairGeneratorSpi.java:610) at android.security.keystore.AndroidKeyStoreKeyPairGeneratorSpi.createCertificateChain(AndroidKeyStoreKeyPairGeneratorSpi.java:497) at android.security.keystore.AndroidKeyStoreKeyPairGeneratorSpi.generateKeyPair(AndroidKeyStoreKeyPairGeneratorSpi.java:474) at java.security.KeyPairGenerator$Delegate.generateKeyPair(KeyPairGenerator.java:727) at android.keystore.cts.KeyAttestationTest.generateKeyPair(KeyAttestationTest.java:881) at android.keystore.cts.KeyAttestationTest.testEcAttestation(KeyAttestationTest.java:476) at android.keystore.cts.KeyAttestationTest.testEcAttestation(KeyAttestationTest.java:162) ... 15 more Caused by: android.security.KeyStoreException: -10003 at android.security.KeyStore.getKeyStoreException(KeyStore.java:839) ... 22 more |
android.keystore.cts.KeyAttestationTest#testRsaAttestation | fail | java.lang.Exception: Failed on key size 512 challenge [], purposes [2, 3] and paddings [PKCS1] at android.keystore.cts.KeyAttestationTest.testRsaAttestations(KeyAttestationTest.java:382) at android.keystore.cts.KeyAttestationTest.testRsaAttestation(KeyAttestationTest.java:289) at java.lang.reflect.Method.invoke(Native Method) at junit.framework.TestCase.runTest(TestCase.java:168) at junit.framework.TestCase.runBare(TestCase.java:134) at junit.framework.TestResult$1.protect(TestResult.java:115) at android.support.test.internal.runner.junit3.AndroidTestResult.runProtected(AndroidTestResult.java:73) at junit.framework.TestResult.run(TestResult.java:118) at android.support.test.internal.runner.junit3.AndroidTestResult.run(AndroidTestResult.java:51) at junit.framework.TestCase.run(TestCase.java:124) at android.support.test.internal.runner.junit3.NonLeakyTestSuite$NonLeakyTest.run(NonLeakyTestSuite.java:62) at android.support.test.internal.runner.junit3.AndroidTestSuite$2.run(AndroidTestSuite.java:101) at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:458) at java.util.concurrent.FutureTask.run(FutureTask.java:266) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1167) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:641) at java.lang.Thread.run(Thread.java:764) Caused by: java.security.ProviderException: Failed to generate attestation certificate chain at android.security.keystore.AndroidKeyStoreKeyPairGeneratorSpi.getAttestationChain(AndroidKeyStoreKeyPairGeneratorSpi.java:610) at android.security.keystore.AndroidKeyStoreKeyPairGeneratorSpi.createCertificateChain(AndroidKeyStoreKeyPairGeneratorSpi.java:497) at android.security.keystore.AndroidKeyStoreKeyPairGeneratorSpi.generateKeyPair(AndroidKeyStoreKeyPairGeneratorSpi.java:474) at java.security.KeyPairGenerator$Delegate.generateKeyPair(KeyPairGenerator.java:727) at android.keystore.cts.KeyAttestationTest.generateKeyPair(KeyAttestationTest.java:881) at android.keystore.cts.KeyAttestationTest.testRsaAttestation(KeyAttestationTest.java:422) at android.keystore.cts.KeyAttestationTest.testRsaAttestations(KeyAttestationTest.java:374) ... 16 more Caused by: android.security.KeyStoreException: -10003 at android.security.KeyStore.getKeyStoreException(KeyStore.java:839) ... 23 more |