author | David Drysdale <drysdale@google.com> | 2021-03-31 14:48:41 +0000 |
---|---|---|
committer | Gerrit Code Review <noreply-gerritcodereview@google.com> | 2021-03-31 14:48:41 +0000 |
commit | b39baeaa928e645cc6bc15498119caf8f853df81 (patch) | |
tree | d47392862aabe6aa907f2968dd1f0cc598ea07ce /security/keymint/aidl/default/RemotelyProvisionedComponent.cpp | |
parent | ae33614d007fd51f0caaadcd3c41b48abd7271d3 (diff) | |
parent | f0d516d28181eb51b7654ca2a4e7170bdd406a0c (diff) |
Merge changes I2f5187bf,Icb79e1e0,I833894d3,I54dcaa61,I47a810f2
* changes:
Test that provisioned keys can be used with KeyMint
Add tests with corrupted MAC on keypair
Add more EEK variant tests and related fixes
Commonize MacedPublicKey and ProtectedData checks
Tweak IRemotelyProvisionedComponent AIDL docs
Diffstat (limited to 'security/keymint/aidl/default/RemotelyProvisionedComponent.cpp')
-rw-r--r-- | security/keymint/aidl/default/RemotelyProvisionedComponent.cpp | 19 |
1 files changed, 17 insertions, 2 deletions
diff --git a/security/keymint/aidl/default/RemotelyProvisionedComponent.cpp b/security/keymint/aidl/default/RemotelyProvisionedComponent.cpp
index 4dbaa05d54..ca06abc48e 100644
--- a/security/keymint/aidl/default/RemotelyProvisionedComponent.cpp
+++ b/security/keymint/aidl/default/RemotelyProvisionedComponent.cpp
@@ -46,6 +46,14 @@ using namespace keymaster;
 namespace {
+// Hard-coded set of acceptable public keys that can act as roots of EEK chains.
+inline const vector<bytevec> kAuthorizedEekRoots = {
+ // TODO(drysdale): replace this random value with real root pubkey(s).
+ {0x5c, 0xea, 0x4b, 0xd2, 0x31, 0x27, 0x15, 0x5e, 0x62, 0x94, 0x70,
+ 0x53, 0x94, 0x43, 0x0f, 0x9a, 0x89, 0xd5, 0xc5, 0x0f, 0x82, 0x9b,
+ 0xcd, 0x10, 0xe0, 0x79, 0xef, 0xf3, 0xfa, 0x40, 0xeb, 0x0a},
+};
+
 constexpr auto STATUS_FAILED = RemotelyProvisionedComponent::STATUS_FAILED;
 constexpr auto STATUS_INVALID_EEK = RemotelyProvisionedComponent::STATUS_INVALID_EEK;
 constexpr auto STATUS_INVALID_MAC = RemotelyProvisionedComponent::STATUS_INVALID_MAC;
@@ -135,6 +143,13 @@ StatusOr<std::pair<bytevec /* EEK pub */, bytevec /* EEK ID */>> validateAndExtr
 "Failed to validate EEK chain: " + cosePubKey.moveMessage());
 }
 lastPubKey = *std::move(cosePubKey);
+
+ // In prod mode the first pubkey should match a well-known Google public key.
+ if (!testMode && i == 0 &&
+ std::find(kAuthorizedEekRoots.begin(), kAuthorizedEekRoots.end(), lastPubKey) ==
+ kAuthorizedEekRoots.end()) {
+ return Status(STATUS_INVALID_EEK, "Unrecognized root of EEK chain");
+ }
 }
 auto eek = CoseKey::parseX25519(lastPubKey, true /* requireKid */);
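Review bot: `kAuthorizedEekRoots` holds only the random placeholder behind the `TODO(drysdale)`, so the prod-mode check added in the next hunk cannot match any real chain and every non-test request will be rejected with `STATUS_INVALID_EEK`; that fails closed, which is the right default for a trust anchor, but the comment should say so explicitly so this reference implementation is not copied as-is. I would extend the comment to `// Placeholder only: no real EEK chain will match until genuine root pubkey(s) are added here; prod-mode requests fail closed (STATUS_INVALID_EEK) meanwhile.` The `inline` on a variable inside this anonymous namespace in a .cpp is redundant, since `const vector<bytevec> kAuthorizedEekRoots` already has internal linkage. The anonymous namespace opens in this hunk and closes outside it.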
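Review bot: The allowlist match on `lastPubKey` at `i == 0` is the real trust anchor of the chain and the comment should say so: as far as this hunk shows, the key used for element 0 is taken from the chain itself (`lastPubKey` is reassigned from `cosePubKey` just above), so its signature check proves nothing on its own and only the `kAuthorizedEekRoots` membership anchors it. I would replace the comment with `// Element 0 is checked with a key the chain itself supplies, so its signature alone proves nothing; in prod mode the key must also be one of kAuthorizedEekRoots - that match is the trust anchor for everything that follows.` The loop and `validateAndExtractEekPubAndId` begin before this hunk, so whether element 0 is self-signed is inferred from the `lastPubKey` handling rather than visible here. Since `testMode` is caller-supplied and skips the check entirely, the comment should also state that a test-mode chain is unanchored and its result must not be treated as trustworthy.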
@@ -417,8 +432,8 @@ RemotelyProvisionedComponent::generateBcc() {
 .add(1 /* Issuer */, "Issuer")
 .add(2 /* Subject */, "Subject")
 .add(-4670552 /* Subject Pub Key */, coseKey)
- .add(-4670553 /* Key Usage */,
- std::vector<uint8_t>(0x05) /* Big endian order */)
+ .add(-4670553 /* Key Usage (little-endian order) */,
+ std::vector<uint8_t>{0x20} /* keyCertSign = 1<<5 */)
 .canonicalize()
 .encode();
 auto coseSign1 = constructCoseSign1(privKey, /* signing key */ |
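Review bot: The key-usage byte `0x20` is a magic literal explained only by a trailing comment inside a `.add()` chain; name it next to the other `constexpr` values at the top of the anonymous namespace, `constexpr uint8_t kKeyUsageKeyCertSign = 1u << 5;  // little-endian bit string, keyCertSign`, and write the call as `.add(-4670553 /* Key Usage */, std::vector<uint8_t>{kKeyUsageKeyCertSign})`. That keeps the bit-layout note in one place, and any test that inspects the BCC could reuse the same constant instead of repeating the literal. `generateBcc()` starts and ends outside this hunk.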