Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 2d5941a5 authored by Tri Vo's avatar Tri Vo Committed by Automerger Merge Worker
Browse files

Merge "Add an implementation defined limit on number of keys in CSR" am: 2ac50663 

Original change: https://android-review.googlesource.com/c/platform/hardware/interfaces/+/2275693



Change-Id: I24b6cf6e126721343aa9c4fffa29a7df69336c8d
Signed-off-by: default avatarAutomerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
parents ef8b8b95 2ac50663

security/keymint/aidl/vts/functional/VtsRemotelyProvisionedComponentTests.cpp

+14 −2
Original line number Diff line number Diff line
@@ -251,6 +251,19 @@ TEST_P(GetHardwareInfoTests, uniqueId) { 
    EXPECT_LE(hwInfo.uniqueId->size(), 32);

}



/**

 * Verify implementation supports at least MIN_SUPPORTED_NUM_KEYS_IN_CSR keys in a CSR.

 */

TEST_P(GetHardwareInfoTests, supportedNumKeysInCsr) {

    if (rpcHardwareInfo.versionNumber < VERSION_WITHOUT_TEST_MODE) {

        return;

    }



    RpcHardwareInfo hwInfo;

    ASSERT_TRUE(provisionable_->getHardwareInfo(&hwInfo).isOk());

    ASSERT_GE(hwInfo.supportedNumKeysInCsr, RpcHardwareInfo::MIN_SUPPORTED_NUM_KEYS_IN_CSR);

}



using GenerateKeyTests = VtsRemotelyProvisionedComponentTests;



INSTANTIATE_REM_PROV_AIDL_TEST(GenerateKeyTests);
@@ -728,8 +741,7 @@ TEST_P(CertificateRequestV2Test, NonEmptyRequestReproducible) { 
 * Generate a non-empty certificate request with multiple keys.

 */

TEST_P(CertificateRequestV2Test, NonEmptyRequestMultipleKeys) {

    // TODO(b/254137722): define a minimum number of keys that must be supported.

    generateKeys(false /* testMode */, 5 /* numKeys */);

    generateKeys(false /* testMode */, rpcHardwareInfo.supportedNumKeysInCsr /* numKeys */);



    bytevec csr;

security/rkp/CHANGELOG.md

+2 −1
Original line number Diff line number Diff line
@@ -36,4 +36,5 @@ This document provides an exact description of which changes have occurred in th 
    * the chain of signing, MACing, and encryption operations has been replaced with a single

      COSE_Sign1 object.

    * CertificateType has been added to identify the type of certificate being requested.

* RpcHardwareInfo

  * `supportedNumKeysInCsr` added to report the maximum number of keys supported in a CSR.

security/rkp/aidl/aidl_api/android.hardware.security.rkp/current/android/hardware/security/keymint/RpcHardwareInfo.aidl

+2 −0
Original line number Diff line number Diff line
@@ -39,7 +39,9 @@ parcelable RpcHardwareInfo { 
  @utf8InCpp String rpcAuthorName;

  int supportedEekCurve = 0;

  @nullable @utf8InCpp String uniqueId;

  int supportedNumKeysInCsr = 4;

  const int CURVE_NONE = 0;

  const int CURVE_P256 = 1;

  const int CURVE_25519 = 2;

  const int MIN_SUPPORTED_NUM_KEYS_IN_CSR = 20;

}

security/rkp/aidl/android/hardware/security/keymint/RpcHardwareInfo.aidl

+13 −0
Original line number Diff line number Diff line
@@ -74,4 +74,17 @@ parcelable RpcHardwareInfo { 
     *

     */

    @nullable @utf8InCpp String uniqueId;



    /**

     * supportedNumKeysInCsr is the maximum number of keys in a CSR that this implementation can

     * support. This value is implementation defined.

     *

     * From version 3 onwards, supportedNumKeysInCsr must be larger or equal to

     * MIN_SUPPORTED_NUM_KEYS_IN_CSR.

     *

     * The default value was chosen as the value enforced by the VTS test in versions 1 and 2 of

     * this interface.

     */

    const int MIN_SUPPORTED_NUM_KEYS_IN_CSR = 20;

    int supportedNumKeysInCsr = 4;

}