DPM: Implement Device ID attestation
Enable requesting inclusion of device identifiers in the attestation record issued for keys generated by generateKeyPair. This is done by passing an array of flags with values indicating which identifiers should be included. Since the attestation record will include sensitive identifiers, it can only be requested by the DPC in Device Owner mode or by the Delegated Cert Installer in Device Owner mode. Design note: DevicePolicyManager defines its own set of constants for the different identifier types (ID_TYPE_*) and prior to calling DevicePolicyManagerService it translates them to the values defined by AttestationUtils (which is not a public class). The reason is to allow re-use of code in AttestationUtils for preparing the attestation arguments. In theory, these constants could be moved from AttestationUtils to DevicePolicyManager, however that would create a dependency on DPM from Keystore, which logically does not make sense as Keystore is independent of the DPM (and in a lower level of the system, conceptually). Bug: 63388672 Test: cts-tradefed run commandAndExit cts-dev -a armeabi-v7a -m CtsDevicePolicyManagerTestCases -t com.android.cts.devicepolicy.DeviceOwnerTest#testKeyManagement; runtest frameworks-services -c com.android.server.devicepolicy.DevicePolicyManagerTest#testTranslationOfIdAttestationFlag Change-Id: Ifb42e8e813fa812a08203b4a81d15b1f91152354
Loading
Please register or sign in to comment
