diff options
| author | David Drysdale <drysdale@google.com> | 2021-03-12 15:49:47 +0000 |
|---|---|---|
| committer | David Drysdale <drysdale@google.com> | 2021-03-29 09:17:18 +0100 |
| commit | cceca9f5f6d5220d5e9572d2d5f7dfe0291c43b6 (patch) | |
| tree | 4087e745bddca1d2f6ca9d484a91d7e89ba7aeaf /security/keymint/aidl/default/RemotelyProvisionedComponent.cpp | |
| parent | c84007725bf3eaa13e7ab14a91ec49013479db1b (diff) | |
Add more EEK variant tests and related fixes
- Test with deliberately-invalid EEK in request:
- corrupt signature
- missing initial self-signed cert
- Test with different sizes of EEK chain.
These tests will only really take effect when we have a valid GEEK to
test with.
Other changes:
- Fix encoding of KeyUsage bitset.
- Add a made-up allowed-root pubkey for prod mode. This needs to be
replaced with the real GEEK when available.
- Fix generateEek() so that the first private key isn't used for
all signing operations.
Test: VtsHalRemotelyProvisionedComponentTargetTest
Change-Id: I833894d33cd1757b7a0cfcf18f79b61e4e56a556
Diffstat (limited to 'security/keymint/aidl/default/RemotelyProvisionedComponent.cpp')
| -rw-r--r-- | security/keymint/aidl/default/RemotelyProvisionedComponent.cpp | 19 |
1 files changed, 17 insertions, 2 deletions
diff --git a/security/keymint/aidl/default/RemotelyProvisionedComponent.cpp b/security/keymint/aidl/default/RemotelyProvisionedComponent.cpp index 4dbaa05d54..ca06abc48e 100644 --- a/security/keymint/aidl/default/RemotelyProvisionedComponent.cpp +++ b/security/keymint/aidl/default/RemotelyProvisionedComponent.cpp @@ -46,6 +46,14 @@ using namespace keymaster; namespace { +// Hard-coded set of acceptable public keys that can act as roots of EEK chains. +inline const vector<bytevec> kAuthorizedEekRoots = { + // TODO(drysdale): replace this random value with real root pubkey(s). + {0x5c, 0xea, 0x4b, 0xd2, 0x31, 0x27, 0x15, 0x5e, 0x62, 0x94, 0x70, + 0x53, 0x94, 0x43, 0x0f, 0x9a, 0x89, 0xd5, 0xc5, 0x0f, 0x82, 0x9b, + 0xcd, 0x10, 0xe0, 0x79, 0xef, 0xf3, 0xfa, 0x40, 0xeb, 0x0a}, +}; + constexpr auto STATUS_FAILED = RemotelyProvisionedComponent::STATUS_FAILED; constexpr auto STATUS_INVALID_EEK = RemotelyProvisionedComponent::STATUS_INVALID_EEK; constexpr auto STATUS_INVALID_MAC = RemotelyProvisionedComponent::STATUS_INVALID_MAC; @@ -135,6 +143,13 @@ StatusOr<std::pair<bytevec /* EEK pub */, bytevec /* EEK ID */>> validateAndExtr "Failed to validate EEK chain: " + cosePubKey.moveMessage()); } lastPubKey = *std::move(cosePubKey); + + // In prod mode the first pubkey should match a well-known Google public key. + if (!testMode && i == 0 && + std::find(kAuthorizedEekRoots.begin(), kAuthorizedEekRoots.end(), lastPubKey) == + kAuthorizedEekRoots.end()) { + return Status(STATUS_INVALID_EEK, "Unrecognized root of EEK chain"); + } } auto eek = CoseKey::parseX25519(lastPubKey, true /* requireKid */); @@ -417,8 +432,8 @@ RemotelyProvisionedComponent::generateBcc() { .add(1 /* Issuer */, "Issuer") .add(2 /* Subject */, "Subject") .add(-4670552 /* Subject Pub Key */, coseKey) - .add(-4670553 /* Key Usage */, - std::vector<uint8_t>(0x05) /* Big endian order */) + .add(-4670553 /* Key Usage (little-endian order) */, + std::vector<uint8_t>{0x20} /* keyCertSign = 1<<5 */) .canonicalize() .encode(); auto coseSign1 = constructCoseSign1(privKey, /* signing key */ |