authorEran Messeri <eranm@google.com>2021-07-06 12:07:57 +0100
committerEran Messeri <eranm@google.com>2021-07-06 14:32:16 +0100
commit03d7a1a4f3982ce3da9ecfb23d7d65fa148f677d (patch)
treee4120c42d90a72581b9e9c3f9d4d48d5cae6c4cd /security/keymint/aidl/vts/functional/DeviceUniqueAttestationTest.cpp
parentf4c8ff9bef34092787e97149e38cd1bb052635c8 (diff)
KeyMint: Fix device-unique attestation chain specification
Fix the device-unique attestation chain specification: The chain should have two or three certificates. In case of two certificates, the device-unique key should be used for the self-signed root. In case of three certificates, the device-unique key should be certified by another key (ideally shared by all StrongBox instances from the same manufacturer, to ease validation). Adjust the device-unique attestation tests to accept two or three certificates in the chain. Additionally, the current StrongBox KeyMint implementation can not yet generate fully-valid chains (with matching subjects and issuers), so relax that check. Bug: 191361618 Test: m VtsAidlKeyMintTargetTest Change-Id: I6e6bca33ebb4af67cac8e41a39e9c305d0f1345f
Diffstat (limited to 'security/keymint/aidl/vts/functional/DeviceUniqueAttestationTest.cpp')
-rw-r--r--security/keymint/aidl/vts/functional/DeviceUniqueAttestationTest.cpp13
1 files changed, 9 insertions, 4 deletions
diff --git a/security/keymint/aidl/vts/functional/DeviceUniqueAttestationTest.cpp b/security/keymint/aidl/vts/functional/DeviceUniqueAttestationTest.cpp
index a3ed3ad4a0..d7abf0790c 100644
--- a/security/keymint/aidl/vts/functional/DeviceUniqueAttestationTest.cpp
+++ b/security/keymint/aidl/vts/functional/DeviceUniqueAttestationTest.cpp
@@ -40,11 +40,16 @@ class DeviceUniqueAttestationTest : public KeyMintAidlTestBase {
AuthorizationSet crypto_params = SecLevelAuthorizations(key_characteristics);
- // The device-unique attestation chain should contain exactly two certificates:
+ // The device-unique attestation chain should contain exactly three certificates:
// * The leaf with the attestation extension.
- // * A self-signed root, signed using the device-unique key.
- ASSERT_EQ(cert_chain_.size(), 2);
- EXPECT_TRUE(ChainSignaturesAreValid(cert_chain_));
+ // * An intermediate, signing the leaf using the device-unique key.
+ // * A self-signed root, signed using some authority's key, certifying
+ // the device-unique key.
+ const size_t chain_length = cert_chain_.size();
+ ASSERT_TRUE(chain_length == 2 || chain_length == 3);
+ // TODO(b/191361618): Once StrongBox implementations use a correctly-issued
+ // certificate chain, do not skip issuers matching.
+ EXPECT_TRUE(ChainSignaturesAreValid(cert_chain_, /* strict_issuer_check= */ false));
AuthorizationSet sw_enforced = SwEnforcedAuthorizations(key_characteristics);
EXPECT_TRUE(verify_attestation_record("challenge", "foo", sw_enforced, hw_enforced,