From c7de4a237a6730e8ef0d0584900b2e74b808d1ef Mon Sep 17 00:00:00 2001
From: Shawn Willden
Date: Thu, 4 Mar 2021 12:21:17 -0700
Subject: Fix subject in self-signed certificates.
Bug: 180620122
Test: atest -c CtsKeystoreTestCases:android.keystore.cts.KeyPairGeneratorTest#testGenerate_EC_ModernSpec_Defaults
Change-Id: Ib74a3f0cea81faf741d49d868739cbedda77e8df
---
 .../java/android/security/keystore/KeyGenParameterSpec.java | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)
(limited to 'keystore')
diff --git a/keystore/java/android/security/keystore/KeyGenParameterSpec.java b/keystore/java/android/security/keystore/KeyGenParameterSpec.java
index c79c12cd3343..72735a787b7f 100644
--- a/keystore/java/android/security/keystore/KeyGenParameterSpec.java
+++ b/keystore/java/android/security/keystore/KeyGenParameterSpec.java
@@ -279,8 +279,10 @@ import javax.security.auth.x500.X500Principal;
 * }
 */
 public final class KeyGenParameterSpec implements AlgorithmParameterSpec, UserAuthArgs {
- private static final X500Principal DEFAULT_CERT_SUBJECT =
+ private static final X500Principal DEFAULT_ATTESTATION_CERT_SUBJECT =
 new X500Principal("CN=Android Keystore Key");
+ private static final X500Principal DEFAULT_SELF_SIGNED_CERT_SUBJECT =
+ new X500Principal("CN=Fake");
 private static final BigInteger DEFAULT_CERT_SERIAL_NUMBER = new BigInteger("1");
 private static final Date DEFAULT_CERT_NOT_BEFORE = new Date(0L); // Jan 1 1970
 private static final Date DEFAULT_CERT_NOT_AFTER = new Date(2461449600000L); // Jan 1 2048
@@ -366,7 +368,11 @@ public final class KeyGenParameterSpec implements AlgorithmParameterSpec, UserAu
 }
 
 if (certificateSubject == null) {
- certificateSubject = DEFAULT_CERT_SUBJECT;
+ if (attestationChallenge == null) {
+ certificateSubject = DEFAULT_SELF_SIGNED_CERT_SUBJECT;
+ } else {
+ certificateSubject = DEFAULT_ATTESTATION_CERT_SUBJECT;
+ }
 }
 if (certificateNotBefore == null) {
 certificateNotBefore = DEFAULT_CERT_NOT_BEFORE;
--
cgit v1.2.3
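Review bot: The two subject constants at the top of the class have no comment saying which certificate each applies to, and `CN=Fake` on `DEFAULT_SELF_SIGNED_CERT_SUBJECT` reads like a leftover unless the reader already knows it is deliberate. I would add above it `// Default subject of the self-signed certificate used when no attestation challenge is set; a placeholder that conveys no identity.` and above `DEFAULT_ATTESTATION_CERT_SUBJECT` the line `// Default subject when an attestation challenge is set.` The Javadoc that documents the default subject on the builder's setter is outside this hunk, so it is worth confirming it still matches both defaults. The class body continues past the end of the hunk.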
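Review bot: The new branch inside `if (certificateSubject == null)` selects the default on `attestationChallenge == null` alone, so a non-null but empty challenge array gets the attestation subject; whether key generation treats an empty challenge as an attestation request is not visible here, and the two should agree. Because any caller-supplied subject bypasses this block entirely, the subject string is not evidence that a certificate was attested, and a comment such as `// Subject is cosmetic: no challenge means a self-signed placeholder certificate; never use the subject to infer attestation.` would say so at the point of choice. The `Test:` trailer names only the defaults test, which presumably covers the self-signed branch; a case with a challenge set would pin the other one. The enclosing constructor starts and ends outside the hunk.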