Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 659f996a authored by Shawn Willden's avatar Shawn Willden
Browse files

Change KM attestation generation to managed cert type. 

Bug: 171846199
Test: atest VtsHalIdentityTargetTest
Change-Id: I03c55f74a21d24b3db8460b85816a4da5939c4ed
parent 2528ddca

identity/support/src/IdentityCredentialSupport.cpp

+15 −18
Original line number Diff line number Diff line
@@ -935,18 +935,19 @@ bool parseAsn1Time(const ASN1_TIME* asn1Time, time_t* outTime) { 
optional<vector<vector<uint8_t>>> createAttestation(

        const EVP_PKEY* key, const vector<uint8_t>& applicationId, const vector<uint8_t>& challenge,

        uint64_t activeTimeMilliSeconds, uint64_t expireTimeMilliSeconds, bool isTestCredential) {

    const keymaster_cert_chain_t* attestation_chain =

            ::keymaster::getAttestationChain(KM_ALGORITHM_EC, nullptr);

    if (attestation_chain == nullptr) {

        LOG(ERROR) << "Error getting attestation chain";

    keymaster_error_t error;

    ::keymaster::CertificateChain attestation_chain =

            ::keymaster::getAttestationChain(KM_ALGORITHM_EC, &error);

    if (KM_ERROR_OK != error) {

        LOG(ERROR) << "Error getting attestation chain " << error;

        return {};

    }

    if (expireTimeMilliSeconds == 0) {

        if (attestation_chain->entry_count < 1) {

        if (attestation_chain.entry_count < 1) {

            LOG(ERROR) << "Expected at least one entry in attestation chain";

            return {};

        }

        keymaster_blob_t* bcBlob = &(attestation_chain->entries[0]);

        keymaster_blob_t* bcBlob = &(attestation_chain.entries[0]);

        const uint8_t* bcData = bcBlob->data;

        auto bc = X509_Ptr(d2i_X509(nullptr, &bcData, bcBlob->data_length));

        time_t bcNotAfter;
@@ -1015,34 +1016,30 @@ optional<vector<vector<uint8_t>>> createAttestation( 
    }

    ::keymaster::AuthorizationSet hwEnforced(hwEnforcedBuilder);



    keymaster_error_t error;

    ::keymaster::CertChainPtr cert_chain_out;



    // Pretend to be implemented in a trusted environment just so we can pass

    // the VTS tests. Of course, this is a pretend-only game since hopefully no

    // relying party is ever going to trust our batch key and those keys above

    // it.

    //

    ::keymaster::PureSoftKeymasterContext context(::keymaster::KmVersion::KEYMASTER_4_1,

                                                  KM_SECURITY_LEVEL_TRUSTED_ENVIRONMENT);



    error = generate_attestation_from_EVP(key, swEnforced, hwEnforced, auth_set, context,

                                          *attestation_chain, *attestation_signing_key,

                                          &cert_chain_out);

    ::keymaster::CertificateChain cert_chain_out = generate_attestation_from_EVP(

            key, swEnforced, hwEnforced, auth_set, context, move(attestation_chain),

            *attestation_signing_key, &error);



    if (KM_ERROR_OK != error || !cert_chain_out) {

    if (KM_ERROR_OK != error) {

        LOG(ERROR) << "Error generate attestation from EVP key" << error;

        return {};

    }



    // translate certificate format from keymaster_cert_chain_t to vector<uint8_t>.

    // translate certificate format from keymaster_cert_chain_t to vector<vector<uint8_t>>.

    vector<vector<uint8_t>> attestationCertificate;

    for (int i = 0; i < cert_chain_out->entry_count; i++) {

    for (int i = 0; i < cert_chain_out.entry_count; i++) {

        attestationCertificate.insert(

                attestationCertificate.end(),

                vector<uint8_t>(

                        cert_chain_out->entries[i].data,

                        cert_chain_out->entries[i].data + cert_chain_out->entries[i].data_length));

                        cert_chain_out.entries[i].data,

                        cert_chain_out.entries[i].data + cert_chain_out.entries[i].data_length));

    }



    return attestationCertificate;