diff options
| author | Eran Messeri <eranm@google.com> | 2021-07-06 12:07:57 +0100 |
|---|---|---|
| committer | Eran Messeri <eranm@google.com> | 2021-07-06 14:32:16 +0100 |
| commit | 03d7a1a4f3982ce3da9ecfb23d7d65fa148f677d (patch) | |
| tree | e4120c42d90a72581b9e9c3f9d4d48d5cae6c4cd /security/keymint/aidl/vts/functional/KeyMintAidlTestBase.cpp | |
| parent | f4c8ff9bef34092787e97149e38cd1bb052635c8 (diff) | |
KeyMint: Fix device-unique attestation chain specification
Fix the device-unique attestation chain specification: The chain should
have two or three certificates.
In case of two certificates, the device-unique key should be used for
the self-signed root.
In case of three certificates, the device-unique key should be certified
by another key (ideally shared by all StrongBox instances from the same
manufacturer, to ease validation).
Adjust the device-unique attestation tests to accept two or three
certificates in the chain.
Additionally, the current StrongBox KeyMint implementation can not yet
generate fully-valid chains (with matching subjects and issuers), so
relax that check.
Bug: 191361618
Test: m VtsAidlKeyMintTargetTest
Change-Id: I6e6bca33ebb4af67cac8e41a39e9c305d0f1345f
Diffstat (limited to 'security/keymint/aidl/vts/functional/KeyMintAidlTestBase.cpp')
| -rw-r--r-- | security/keymint/aidl/vts/functional/KeyMintAidlTestBase.cpp | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/security/keymint/aidl/vts/functional/KeyMintAidlTestBase.cpp b/security/keymint/aidl/vts/functional/KeyMintAidlTestBase.cpp index 5359b3b667..20324117b9 100644 --- a/security/keymint/aidl/vts/functional/KeyMintAidlTestBase.cpp +++ b/security/keymint/aidl/vts/functional/KeyMintAidlTestBase.cpp @@ -1493,7 +1493,8 @@ AuthorizationSet SwEnforcedAuthorizations(const vector<KeyCharacteristics>& key_ return authList; } -AssertionResult ChainSignaturesAreValid(const vector<Certificate>& chain) { +AssertionResult ChainSignaturesAreValid(const vector<Certificate>& chain, + bool strict_issuer_check) { std::stringstream cert_data; for (size_t i = 0; i < chain.size(); ++i) { @@ -1520,7 +1521,7 @@ AssertionResult ChainSignaturesAreValid(const vector<Certificate>& chain) { string cert_issuer = x509NameToStr(X509_get_issuer_name(key_cert.get())); string signer_subj = x509NameToStr(X509_get_subject_name(signing_cert.get())); - if (cert_issuer != signer_subj) { + if (cert_issuer != signer_subj && strict_issuer_check) { return AssertionFailure() << "Cert " << i << " has wrong issuer.\n" << " Signer subject is " << signer_subj << " Issuer subject is " << cert_issuer << endl |