Merge pull request #14 from android/test_788084424

Allow multiple key attestation roots

Author: sethmoo

roots.json

@@ -0,0 +1,4 @@
+[
+  "-----BEGIN CERTIFICATE-----\nMIIFHDCCAwSgAwIBAgIJAPHBcqaZ6vUdMA0GCSqGSIb3DQEBCwUAMBsxGTAXBgNV\nBAUTEGY5MjAwOWU4NTNiNmIwNDUwHhcNMjIwMzIwMTgwNzQ4WhcNNDIwMzE1MTgw\nNzQ4WjAbMRkwFwYDVQQFExBmOTIwMDllODUzYjZiMDQ1MIICIjANBgkqhkiG9w0B\nAQEFAAOCAg8AMIICCgKCAgEAr7bHgiuxpwHsK7Qui8xUFmOr75gvMsd/dTEDDJdS\nSxtf6An7xyqpRR90PL2abxM1dEqlXnf2tqw1Ne4Xwl5jlRfdnJLmN0pTy/4lj4/7\ntv0Sk3iiKkypnEUtR6WfMgH0QZfKHM1+di+y9TFRtv6y//0rb+T+W8a9nsNL/ggj\nnar86461qO0rOs2cXjp3kOG1FEJ5MVmFmBGtnrKpa73XpXyTqRxB/M0n1n/W9nGq\nC4FSYa04T6N5RIZGBN2z2MT5IKGbFlbC8UrW0DxW7AYImQQcHtGl/m00QLVWutHQ\noVJYnFPlXTcHYvASLu+RhhsbDmxMgJJ0mcDpvsC4PjvB+TxywElgS70vE0XmLD+O\nJtvsBslHZvPBKCOdT0MS+tgSOIfga+z1Z1g7+DVagf7quvmag8jfPioyKvxnK/Eg\nsTUVi2ghzq8wm27ud/mIM7AY2qEORR8Go3TVB4HzWQgpZrt3i5MIlCaY504LzSRi\nigHCzAPlHws+W0rB5N+er5/2pJKnfBSDiCiFAVtCLOZ7gLiMm0jhO2B6tUXHI/+M\nRPjy02i59lINMRRev56GKtcd9qO/0kUJWdZTdA2XoS82ixPvZtXQpUpuL12ab+9E\naDK8Z4RHJYYfCT3Q5vNAXaiWQ+8PTWm2QgBR/bkwSWc+NpUFgNPN9PvQi8WEg5Um\nAGMCAwEAAaNjMGEwHQYDVR0OBBYEFDZh4QB8iAUJUYtEbEf/GkzJ6k8SMB8GA1Ud\nIwQYMBaAFDZh4QB8iAUJUYtEbEf/GkzJ6k8SMA8GA1UdEwEB/wQFMAMBAf8wDgYD\nVR0PAQH/BAQDAgIEMA0GCSqGSIb3DQEBCwUAA4ICAQB8cMqTllHc8U+qCrOlg3H7\n174lmaCsbo/bJ0C17JEgMLb4kvrqsXZs01U3mB/qABg/1t5Pd5AORHARs1hhqGIC\nW/nKMav574f9rZN4PC2ZlufGXb7sIdJpGiO9ctRhiLuYuly10JccUZGEHpHSYM2G\ntkgYbZba6lsCPYAAP83cyDV+1aOkTf1RCp/lM0PKvmxYN10RYsK631jrleGdcdkx\noSK//mSQbgcWnmAEZrzHoF1/0gso1HZgIn0YLzVhLSA/iXCX4QT2h3J5z3znluKG\n1nv8NQdxei2DIIhASWfu804CA96cQKTTlaae2fweqXjdN1/v2nqOhngNyz1361mF\nmr4XmaKH/ItTwOe72NI9ZcwS1lVaCvsIkTDCEXdm9rCNPAY10iTunIHFXRh+7KPz\nlHGewCq/8TOohBRn0/NNfh7uRslOSZ/xKbN9tMBtw37Z8d2vvnXq/YWdsm1+JLVw\nn6yYD/yacNJBlwpddla8eaVMjsF6nBnIgQOf9zKSe06nSTqvgwUHosgOECZJZ1Eu\nzbH4yswbt02tKtKEFhx+v+OTge/06V+jGsqTWLsfrOCNLuA8H++z+pUENmpqnnHo\nvaI47gC+TNpkgYGkkBT6B/m/U01BuOBBTzhIlMEZq9qkDWuM2cA5kW5V3FJUcfHn\nw1IdYIg2Wxg7yHcQZemFQg==\n-----END CERTIFICATE-----",
+  "-----BEGIN CERTIFICATE-----\nMIICIjCCAaigAwIBAgIRAISp0Cl7DrWK5/8OgN52BgUwCgYIKoZIzj0EAwMwUjEc\nMBoGA1UEAwwTS2V5IEF0dGVzdGF0aW9uIENBMTEQMA4GA1UECwwHQW5kcm9pZDET\nMBEGA1UECgwKR29vZ2xlIExMQzELMAkGA1UEBhMCVVMwHhcNMjUwNzE3MjIzMjE4\nWhcNMzUwNzE1MjIzMjE4WjBSMRwwGgYDVQQDDBNLZXkgQXR0ZXN0YXRpb24gQ0Ex\nMRAwDgYDVQQLDAdBbmRyb2lkMRMwEQYDVQQKDApHb29nbGUgTExDMQswCQYDVQQG\nEwJVUzB2MBAGByqGSM49AgEGBSuBBAAiA2IABCPaI3FO3z5bBQo8cuiEas4HjqCt\nG/mLFfRT0MsIssPBEEU5Cfbt6sH5yOAxqEi5QagpU1yX4HwnGb7OtBYpDTB57uH5\nEczm34A5FNijV3s0/f0UPl7zbJcTx6xwqMIRq6NCMEAwDwYDVR0TAQH/BAUwAwEB\n/zAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFFIyuyz7RkOb3NaBqQ5lZuA0QepA\nMAoGCCqGSM49BAMDA2gAMGUCMETfjPO/HwqReR2CS7p0ZWoD/LHs6hDi422opifH\nEUaYLxwGlT9SLdjkVpz0UUOR5wIxAIoGyxGKRHVTpqpGRFiJtQEOOTp/+s1GcxeY\nuR2zh/80lQyu9vAFCj6E4AXc+osmRg==\n-----END CERTIFICATE-----"
+]

src/main/kotlin/testing/TestUtils.kt

@@ -38,9 +38,8 @@ import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter
 import org.bouncycastle.openssl.PEMParser
 
 object TestUtils {
-  private const val PROD_ROOT_PATH =
-    "googledata/html/external_content/android_googleapis_com/attestation/root"
-  const val TESTDATA_PATH = "third_party/java/keyattestation/testdata"
+  private const val PROD_ROOT_PATH = "roots.json"
+  const val TESTDATA_PATH = "testdata"
 
   fun readCertPath(subpath: String): KeyAttestationCertPath =
     readCertPath(readFile(Path(base = TESTDATA_PATH, /* subpaths...= */ subpath)))
@@ -60,14 +59,13 @@ object TestUtils {
       .let { KeyAttestationCertPath(it) }
   }
 
-  val prodRoot by lazy {
-    val certs = Gson().fromJson(readFile(PROD_ROOT_PATH), Array<String>::class.java).toSet()
-    check(certs.size == 1) { "Multiple certificates in the root file are not yet supported" }
-    certs.first().asX509Certificate()
+  val prodAnchors by lazy {
+    Gson()
+      .fromJson(readFile(PROD_ROOT_PATH), Array<String>::class.java)
+      .map { TrustAnchor(it.asX509Certificate(), null) }
+      .toSet()
   }
 
-  val prodAnchor = TrustAnchor(prodRoot, null)
-
   private fun readFile(path: Path) = path.reader()
   private fun readFile(path: String) = path.reader()
 }

src/test/kotlin/VerifierTest.kt

@@ -17,11 +17,10 @@
 package com.android.keyattestation.verifier
 
 import com.android.keyattestation.verifier.testing.CertLists
-import com.android.keyattestation.verifier.testing.TestUtils.prodRoot
+import com.android.keyattestation.verifier.testing.TestUtils.prodAnchors
 import com.android.keyattestation.verifier.testing.TestUtils.readCertPath
 import com.google.common.truth.Truth.assertThat
 import com.google.protobuf.ByteString
-import java.security.cert.TrustAnchor
 import java.time.Instant
 import kotlin.test.assertIs
 import org.junit.Test
@@ -31,12 +30,7 @@ import org.junit.runners.JUnit4
 /** Unit tests for [Verifier]. */
 @RunWith(JUnit4::class)
 class VerifierTest {
-  private val verifier =
-    Verifier(
-      { setOf(TrustAnchor(prodRoot, /* nameConstraints= */ null)) },
-      { setOf<String>() },
-      { Instant.now() },
-    )
+  private val verifier = Verifier({ prodAnchors }, { setOf<String>() }, { Instant.now() })
 
   @Test
   fun verify_validChain_returnsSuccess() {

src/test/kotlin/provider/KeyAttestationCertPathValidatorTest.kt

@@ -19,7 +19,7 @@ package com.android.keyattestation.verifier.provider
 import com.android.keyattestation.verifier.testing.Certs.rootAnchor as testAnchor
 import com.android.keyattestation.verifier.testing.Chains
 import com.android.keyattestation.verifier.testing.FakeCalendar
-import com.android.keyattestation.verifier.testing.TestUtils.prodAnchor
+import com.android.keyattestation.verifier.testing.TestUtils.prodAnchors
 import com.google.common.truth.Truth.assertThat
 import java.security.InvalidAlgorithmParameterException
 import java.security.Security
@@ -42,7 +42,7 @@ import org.junit.runners.JUnit4
 class KeyAttestationCertPathValidatorTest {
   private val certPathValidator = CertPathValidator.getInstance("KeyAttestation")
   private val pkixCertPathValidator = CertPathValidator.getInstance("PKIX")
-  private val prodParams = PKIXParameters(setOf(prodAnchor))
+  private val prodParams = PKIXParameters(prodAnchors)
   private val testParams =
     PKIXParameters(setOf(testAnchor)).apply { date = FakeCalendar.DEFAULT.today() }
 
@@ -116,10 +116,10 @@ class KeyAttestationCertPathValidatorTest {
   }
 
   @Test
-  fun multipleAnchors_returnsSuccess() {
+  fun additionalAnchors_returnsSuccess() {
     val certPath = Chains.validFactoryProvisioned
-    val params =
-      PKIXParameters(setOf(prodAnchor, testAnchor)).apply { date = FakeCalendar.DEFAULT.today() }
+    val moreAnchors = prodAnchors.union(setOf(testAnchor))
+    val params = PKIXParameters(moreAnchors).apply { date = FakeCalendar.DEFAULT.today() }
     val result = certPathValidator.validate(certPath, params) as PKIXCertPathValidatorResult
     assertThat(result.trustAnchor).isEqualTo(testAnchor)
     assertThat(result.policyTree).isNull()
@@ -136,7 +136,7 @@ class KeyAttestationCertPathValidatorTest {
   }
 
   @Test
-  fun wrongAnchor_throwsCertPathValidatorException() {
+  fun multipleWrongAnchors_throwsCertPathValidatorException() {
     val certPath = Chains.validFactoryProvisioned
     val exception =
       assertFailsWith<CertPathValidatorException> {
@@ -146,14 +146,15 @@ class KeyAttestationCertPathValidatorTest {
       assertFailsWith<CertPathValidatorException> {
         pkixCertPathValidator.validate(certPath, prodParams)
       }
+    assertThat(prodParams.trustAnchors.size).isAtLeast(2)
     assertThat(exception.reason).isEqualTo(PKIXReason.NO_TRUST_ANCHOR)
     assertThat(pkixException.reason).isEqualTo(PKIXReason.NO_TRUST_ANCHOR)
   }
 
   @Test
-  fun multipleWrongAnchors_throwsCertPathValidatorException() {
+  fun singleWrongAnchor_throwsCertPathValidatorException() {
     val params =
-      PKIXParameters(setOf(prodAnchor, prodAnchor)).apply { date = FakeCalendar.DEFAULT.today() }
+      PKIXParameters(setOf(prodAnchors.first())).apply { date = FakeCalendar.DEFAULT.today() }
     val exception =
       assertFailsWith<CertPathValidatorException> {
         certPathValidator.validate(Chains.validFactoryProvisioned, params)