Add more EEK variant tests and related fixes

- Test with deliberately-invalid EEK in request: - corrupt signature - missing initial self-signed cert - Test with different sizes of EEK chain. These tests will only really take effect when we have a valid GEEK to test with. Other changes: - Fix encoding of KeyUsage bitset. - Add a made-up allowed-root pubkey for prod mode. This needs to be replaced with the real GEEK when available. - Fix generateEek() so that the first private key isn't used for all signing operations. Test: VtsHalRemotelyProvisionedComponentTargetTest Change-Id: I833894d33cd1757b7a0cfcf18f79b61e4e56a556
author: David Drysdale <drysdale@google.com> 2021-03-12 15:49:47 +0000
committer: David Drysdale <drysdale@google.com> 2021-03-29 09:17:18 +0100
commit: cceca9f5f6d5220d5e9572d2d5f7dfe0291c43b6 (patch)
tree: 4087e745bddca1d2f6ca9d484a91d7e89ba7aeaf /security/keymint/support/remote_prov_utils.cpp
parent: c84007725bf3eaa13e7ab14a91ec49013479db1b (diff)
1 files changed, 2 insertions, 0 deletions
diff --git a/security/keymint/support/remote_prov_utils.cpp b/security/keymint/support/remote_prov_utils.cpp
index 3e4f3f750e..da10eb258d 100644
--- a/security/keymint/support/remote_prov_utils.cpp
+++ b/security/keymint/support/remote_prov_utils.cpp
@@ -54,6 +54,8 @@ ErrMsgOr<EekChain> generateEekChain(size_t length, const bytevec& eekId) {
                                             {} /* AAD */);
         if (!coseSign1) return coseSign1.moveMessage();
         eekChain.add(coseSign1.moveValue());
+
+        prev_priv_key = priv_key;
     }
 
     bytevec pub_key(X25519_PUBLIC_VALUE_LEN);
author	David Drysdale <drysdale@google.com>	2021-03-12 15:49:47 +0000
committer	David Drysdale <drysdale@google.com>	2021-03-29 09:17:18 +0100
commit	cceca9f5f6d5220d5e9572d2d5f7dfe0291c43b6 (patch)
tree	4087e745bddca1d2f6ca9d484a91d7e89ba7aeaf /security/keymint/support/remote_prov_utils.cpp
parent	c84007725bf3eaa13e7ab14a91ec49013479db1b (diff)