Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 706251f2 authored by Eran Messeri's avatar Eran Messeri Committed by Automerger Merge Worker
Browse files

Merge "Test validity of device-unique attestation chain" am: 14bb8407 am:...

Merge "Test validity of device-unique attestation chain" am: 14bb8407 am: 49f82b25 am: 8cf02d04 am: 67377ece

Original change: https://android-review.googlesource.com/c/platform/hardware/interfaces/+/1730430

Change-Id: Iafa6a58369c92da20d4cc9ba4de4c7aa256e7d82
parents dd6f2caa 67377ece
Loading
Loading
Loading
Loading
+30 −0
Original line number Diff line number Diff line
@@ -16,6 +16,7 @@

#define LOG_TAG "keymaster_hidl_hal_test"
#include <cutils/log.h>
#include <vector>

#include "Keymaster4_1HidlTest.h"

@@ -178,6 +179,33 @@ void check_attestation_record(AttestationRecord attestation, const HidlBuf& chal
            << DIFFERENCE(expected_hw_enforced, attestation.hardware_enforced);
}

X509_Ptr parse_cert_blob(const std::vector<uint8_t>& blob) {
    const uint8_t* p = blob.data();
    return X509_Ptr(d2i_X509(nullptr /* allocate new */, &p, blob.size()));
}

bool check_certificate_chain_signatures(const hidl_vec<hidl_vec<uint8_t>>& cert_chain) {
    // TODO: Check that root is self-signed once b/187803288 is resolved.
    for (size_t i = 0; i < cert_chain.size() - 1; ++i) {
        X509_Ptr key_cert(parse_cert_blob(cert_chain[i]));
        X509_Ptr signing_cert(parse_cert_blob(cert_chain[i + 1]));

        if (!key_cert.get() || !signing_cert.get()) {
            return false;
        }

        EVP_PKEY_Ptr signing_pubkey(X509_get_pubkey(signing_cert.get()));
        if (!signing_pubkey.get()) {
            return false;
        }

        if (!X509_verify(key_cert.get(), signing_pubkey.get())) {
            return false;
        }
    }
    return true;
}

}  // namespace

using std::string;
@@ -243,6 +271,7 @@ TEST_P(DeviceUniqueAttestationTest, Rsa) {

    EXPECT_EQ(ErrorCode::OK, result);
    EXPECT_EQ(2U, cert_chain.size());
    EXPECT_TRUE(check_certificate_chain_signatures(cert_chain));
    if (dumpAttestations) {
      for (auto cert_ : cert_chain) dumpContent(bin2hex(cert_));
    }
@@ -289,6 +318,7 @@ TEST_P(DeviceUniqueAttestationTest, Ecdsa) {

    EXPECT_EQ(ErrorCode::OK, result);
    EXPECT_EQ(2U, cert_chain.size());
    EXPECT_TRUE(check_certificate_chain_signatures(cert_chain));
    if (dumpAttestations) {
      for (auto cert_ : cert_chain) dumpContent(bin2hex(cert_));
    }