Loading radio/aidl/compat/libradiocompat/sim/structs.cpp +40 −6 Original line number Diff line number Diff line Loading @@ -70,26 +70,60 @@ V1_0::Carrier toHidl(const aidl::Carrier& carrier) { }; } static aidl::CarrierInfo toCarrierInfo(const aidl::Carrier& carrier) { return { .mcc = carrier.mcc, .mnc = carrier.mnc, }; } static std::vector<aidl::CarrierInfo> toCarrierInfos(const std::vector<aidl::Carrier>& carriers) { std::vector<aidl::CarrierInfo> infos(carriers.size()); for (size_t i = 0; i < carriers.size(); i++) { infos[i] = toCarrierInfo(carriers[i]); } return infos; } V1_0::Carrier toHidl(const aidl::CarrierInfo& carrierInfo) { return { .mcc = carrierInfo.mcc, .mnc = carrierInfo.mnc, }; } aidl::CarrierRestrictions toAidl(const V1_0::CarrierRestrictions& cr) { auto allowedCarriers = toAidl(cr.allowedCarriers); auto excludedCarriers = toAidl(cr.excludedCarriers); return { .allowedCarriers = toAidl(cr.allowedCarriers), .excludedCarriers = toAidl(cr.excludedCarriers), .allowedCarriers = allowedCarriers, .excludedCarriers = excludedCarriers, .allowedCarriersPrioritized = true, .allowedCarrierInfoList = toCarrierInfos(allowedCarriers), .excludedCarrierInfoList = toCarrierInfos(excludedCarriers), }; } aidl::CarrierRestrictions toAidl(const V1_4::CarrierRestrictionsWithPriority& cr) { auto allowedCarriers = toAidl(cr.allowedCarriers); auto excludedCarriers = toAidl(cr.excludedCarriers); return { .allowedCarriers = toAidl(cr.allowedCarriers), .excludedCarriers = toAidl(cr.excludedCarriers), .allowedCarriers = allowedCarriers, .excludedCarriers = excludedCarriers, .allowedCarriersPrioritized = cr.allowedCarriersPrioritized, .allowedCarrierInfoList = toCarrierInfos(allowedCarriers), .excludedCarrierInfoList = toCarrierInfos(excludedCarriers), }; } V1_4::CarrierRestrictionsWithPriority toHidl(const aidl::CarrierRestrictions& cr) { return { .allowedCarriers = toHidl(cr.allowedCarriers), .excludedCarriers = toHidl(cr.excludedCarriers), .allowedCarriers = (cr.allowedCarriers.size() > cr.allowedCarrierInfoList.size()) ? toHidl(cr.allowedCarriers) : toHidl(cr.allowedCarrierInfoList), .excludedCarriers = (cr.excludedCarriers.size() > cr.excludedCarrierInfoList.size()) ? toHidl(cr.excludedCarriers) : toHidl(cr.excludedCarrierInfoList), .allowedCarriersPrioritized = cr.allowedCarriersPrioritized, }; } Loading radio/aidl/compat/libradiocompat/sim/structs.h +1 −0 Original line number Diff line number Diff line Loading @@ -37,6 +37,7 @@ V1_0::SimApdu toHidl(const ::aidl::android::hardware::radio::sim::SimApdu& apdu) ::aidl::android::hardware::radio::sim::Carrier toAidl(const V1_0::Carrier& carrier); V1_0::Carrier toHidl(const ::aidl::android::hardware::radio::sim::Carrier& carrier); V1_0::Carrier toHidl(const ::aidl::android::hardware::radio::sim::CarrierInfo& carrierInfo); ::aidl::android::hardware::radio::sim::CarrierRestrictions // toAidl(const V1_0::CarrierRestrictions& cr); Loading radio/aidl/vts/radio_sim_test.cpp +15 −11 Original line number Diff line number Diff line Loading @@ -485,8 +485,10 @@ TEST_P(RadioSimTest, setAllowedCarriers) { } else { carrierRestrictions.allowedCarrierInfoList.resize(1); carrierRestrictions.excludedCarrierInfoList.resize(0); carrierRestrictions.allowedCarrierInfoList[0].mcc = std::string("321"); carrierRestrictions.allowedCarrierInfoList[0].mnc = std::string("654"); // TODO(b/365568518): change mcc/mnc to something else once CF fully supports // setAllowedCarriers carrierRestrictions.allowedCarrierInfoList[0].mcc = std::string("123"); carrierRestrictions.allowedCarrierInfoList[0].mnc = std::string("456"); carrierRestrictions.allowedCarrierInfoList[0].spn = std::string("TestNetwork"); carrierRestrictions.allowedCarrierInfoList[0].gid1 = std::string("BAE000000000000"); carrierRestrictions.allowedCarrierInfoList[0].gid2 = std::string("AE0000000000000"); Loading Loading @@ -517,7 +519,7 @@ TEST_P(RadioSimTest, setAllowedCarriers) { sleep(2); updateSimCardStatus(); } // TODO: uncomment once CF fully supports setAllowedCarriers // TODO(b/365568518): uncomment once CF fully supports setAllowedCarriers // EXPECT_EQ(CardStatus::STATE_RESTRICTED, cardStatus.cardState); } Loading Loading @@ -545,19 +547,21 @@ TEST_P(RadioSimTest, setAllowedCarriers) { } else { ASSERT_EQ(1, radioRsp_sim->carrierRestrictionsResp.allowedCarrierInfoList.size()); EXPECT_EQ(0, radioRsp_sim->carrierRestrictionsResp.excludedCarrierInfoList.size()); ASSERT_TRUE(std::string("321") == ASSERT_EQ(std::string("123"), radioRsp_sim->carrierRestrictionsResp.allowedCarrierInfoList[0].mcc); ASSERT_TRUE(std::string("654") == ASSERT_EQ(std::string("456"), radioRsp_sim->carrierRestrictionsResp.allowedCarrierInfoList[0].mnc); ASSERT_TRUE(std::string("BAE000000000000") == #if 0 // TODO(b/365568518): enable once CF fully supports setAllowedCarriers ASSERT_EQ(std::string("BAE000000000000"), radioRsp_sim->carrierRestrictionsResp.allowedCarrierInfoList[0].gid1); ASSERT_TRUE(std::string("AE0000000000000") == ASSERT_EQ(std::string("AE0000000000000"), radioRsp_sim->carrierRestrictionsResp.allowedCarrierInfoList[0].gid2); ASSERT_TRUE(std::string("9987") == ASSERT_EQ(std::string("9987"), radioRsp_sim->carrierRestrictionsResp.allowedCarrierInfoList[0].imsiPrefix); ASSERT_TRUE(radioRsp_sim->carrierRestrictionsResp.allowedCarriersPrioritized); EXPECT_EQ(CarrierRestrictions::CarrierRestrictionStatus::RESTRICTED, radioRsp_sim->carrierRestrictionsResp.status); #endif ASSERT_TRUE(radioRsp_sim->carrierRestrictionsResp.allowedCarriersPrioritized); EXPECT_EQ(SimLockMultiSimPolicy::NO_MULTISIM_POLICY, radioRsp_sim->multiSimPolicyResp); } sleep(10); Loading security/keymint/support/include/remote_prov/remote_prov_utils.h +8 −1 Original line number Diff line number Diff line Loading @@ -21,6 +21,7 @@ #include <vector> #include "aidl/android/hardware/security/keymint/IRemotelyProvisionedComponent.h" #include <hwtrust/hwtrust.h> #include <keymaster/cppcose/cppcose.h> namespace aidl::android::hardware::security::keymint::remote_prov { Loading Loading @@ -176,7 +177,8 @@ ErrMsgOr<std::vector<BccEntryData>> verifyProductionProtectedData( */ ErrMsgOr<std::unique_ptr<cppbor::Array>> verifyFactoryCsr( const cppbor::Array& keysToSign, const std::vector<uint8_t>& csr, IRemotelyProvisionedComponent* provisionable, const std::vector<uint8_t>& challenge); IRemotelyProvisionedComponent* provisionable, const std::vector<uint8_t>& challenge, bool allowDegenerate = true); /** * Verify the CSR as if the device is a final production sample. */ Loading @@ -188,4 +190,9 @@ ErrMsgOr<std::unique_ptr<cppbor::Array>> verifyProductionCsr( /** Checks whether the CSR has a proper DICE chain. */ ErrMsgOr<bool> isCsrWithProperDiceChain(const std::vector<uint8_t>& csr); /** Verify the DICE chain. */ ErrMsgOr<std::vector<BccEntryData>> validateBcc(const cppbor::Array* bcc, hwtrust::DiceChain::Kind kind, bool allowAnyMode, bool allowDegenerate); } // namespace aidl::android::hardware::security::keymint::remote_prov security/keymint/support/remote_prov_utils.cpp +23 −11 Original line number Diff line number Diff line Loading @@ -26,7 +26,6 @@ #include <android-base/macros.h> #include <android-base/properties.h> #include <cppbor.h> #include <hwtrust/hwtrust.h> #include <json/json.h> #include <keymaster/km_openssl/ec_key.h> #include <keymaster/km_openssl/ecdsa_operation.h> Loading Loading @@ -325,7 +324,8 @@ bytevec getProdEekChain(int32_t supportedEekCurve) { } ErrMsgOr<std::vector<BccEntryData>> validateBcc(const cppbor::Array* bcc, hwtrust::DiceChain::Kind kind, bool allowAnyMode) { hwtrust::DiceChain::Kind kind, bool allowAnyMode, bool allowDegenerate) { auto encodedBcc = bcc->encode(); // Use ro.build.type instead of ro.debuggable because ro.debuggable=1 for VTS testing Loading @@ -336,6 +336,11 @@ ErrMsgOr<std::vector<BccEntryData>> validateBcc(const cppbor::Array* bcc, auto chain = hwtrust::DiceChain::Verify(encodedBcc, kind, allowAnyMode); if (!chain.ok()) return chain.error().message(); if (!allowDegenerate && !chain->IsProper()) { return "DICE chain is degenerate"; } auto keys = chain->CosePublicKeys(); if (!keys.ok()) return keys.error().message(); std::vector<BccEntryData> result; Loading Loading @@ -701,7 +706,8 @@ ErrMsgOr<std::vector<BccEntryData>> verifyProtectedData( } // BCC is [ pubkey, + BccEntry] auto bccContents = validateBcc(bcc->asArray(), hwtrust::DiceChain::Kind::kVsr13, allowAnyMode); auto bccContents = validateBcc(bcc->asArray(), hwtrust::DiceChain::Kind::kVsr13, allowAnyMode, /*allowDegenerate=*/true); if (!bccContents) { return bccContents.message() + "\n" + prettyPrint(bcc.get()); } Loading Loading @@ -997,7 +1003,8 @@ ErrMsgOr<hwtrust::DiceChain::Kind> getDiceChainKind() { ErrMsgOr<bytevec> parseAndValidateAuthenticatedRequest(const std::vector<uint8_t>& request, const std::vector<uint8_t>& challenge, bool allowAnyMode = false) { bool allowAnyMode = false, bool allowDegenerate = true) { auto [parsedRequest, _, csrErrMsg] = cppbor::parse(request); if (!parsedRequest) { return csrErrMsg; Loading Loading @@ -1035,19 +1042,20 @@ ErrMsgOr<bytevec> parseAndValidateAuthenticatedRequest(const std::vector<uint8_t return diceChainKind.message(); } auto diceContents = validateBcc(diceCertChain, *diceChainKind, allowAnyMode); auto diceContents = validateBcc(diceCertChain, *diceChainKind, allowAnyMode, allowDegenerate); if (!diceContents) { return diceContents.message() + "\n" + prettyPrint(diceCertChain); } auto& udsPub = diceContents->back().pubKey; auto udsPub = diceCertChain->get(0)->asMap()->encode(); auto& kmDiceKey = diceContents->back().pubKey; auto error = validateUdsCerts(*udsCerts, udsPub); if (!error.empty()) { return error; } auto signedPayload = verifyAndParseCoseSign1(signedData, udsPub, {} /* aad */); auto signedPayload = verifyAndParseCoseSign1(signedData, kmDiceKey, {} /* aad */); if (!signedPayload) { return signedPayload.message(); } Loading @@ -1064,7 +1072,8 @@ ErrMsgOr<std::unique_ptr<cppbor::Array>> verifyCsr(const cppbor::Array& keysToSi const std::vector<uint8_t>& csr, IRemotelyProvisionedComponent* provisionable, const std::vector<uint8_t>& challenge, bool isFactory, bool allowAnyMode = false) { bool isFactory, bool allowAnyMode = false, bool allowDegenerate = true) { RpcHardwareInfo info; provisionable->getHardwareInfo(&info); if (info.versionNumber != 3) { Loading @@ -1072,7 +1081,8 @@ ErrMsgOr<std::unique_ptr<cppbor::Array>> verifyCsr(const cppbor::Array& keysToSi ") does not match expected version (3)."; } auto csrPayload = parseAndValidateAuthenticatedRequest(csr, challenge, allowAnyMode); auto csrPayload = parseAndValidateAuthenticatedRequest(csr, challenge, allowAnyMode, allowDegenerate); if (!csrPayload) { return csrPayload.message(); } Loading @@ -1082,8 +1092,10 @@ ErrMsgOr<std::unique_ptr<cppbor::Array>> verifyCsr(const cppbor::Array& keysToSi ErrMsgOr<std::unique_ptr<cppbor::Array>> verifyFactoryCsr( const cppbor::Array& keysToSign, const std::vector<uint8_t>& csr, IRemotelyProvisionedComponent* provisionable, const std::vector<uint8_t>& challenge) { return verifyCsr(keysToSign, csr, provisionable, challenge, /*isFactory=*/true); IRemotelyProvisionedComponent* provisionable, const std::vector<uint8_t>& challenge, bool allowDegenerate) { return verifyCsr(keysToSign, csr, provisionable, challenge, /*isFactory=*/true, /*allowAnyMode=*/false, allowDegenerate); } ErrMsgOr<std::unique_ptr<cppbor::Array>> verifyProductionCsr( Loading Loading
radio/aidl/compat/libradiocompat/sim/structs.cpp +40 −6 Original line number Diff line number Diff line Loading @@ -70,26 +70,60 @@ V1_0::Carrier toHidl(const aidl::Carrier& carrier) { }; } static aidl::CarrierInfo toCarrierInfo(const aidl::Carrier& carrier) { return { .mcc = carrier.mcc, .mnc = carrier.mnc, }; } static std::vector<aidl::CarrierInfo> toCarrierInfos(const std::vector<aidl::Carrier>& carriers) { std::vector<aidl::CarrierInfo> infos(carriers.size()); for (size_t i = 0; i < carriers.size(); i++) { infos[i] = toCarrierInfo(carriers[i]); } return infos; } V1_0::Carrier toHidl(const aidl::CarrierInfo& carrierInfo) { return { .mcc = carrierInfo.mcc, .mnc = carrierInfo.mnc, }; } aidl::CarrierRestrictions toAidl(const V1_0::CarrierRestrictions& cr) { auto allowedCarriers = toAidl(cr.allowedCarriers); auto excludedCarriers = toAidl(cr.excludedCarriers); return { .allowedCarriers = toAidl(cr.allowedCarriers), .excludedCarriers = toAidl(cr.excludedCarriers), .allowedCarriers = allowedCarriers, .excludedCarriers = excludedCarriers, .allowedCarriersPrioritized = true, .allowedCarrierInfoList = toCarrierInfos(allowedCarriers), .excludedCarrierInfoList = toCarrierInfos(excludedCarriers), }; } aidl::CarrierRestrictions toAidl(const V1_4::CarrierRestrictionsWithPriority& cr) { auto allowedCarriers = toAidl(cr.allowedCarriers); auto excludedCarriers = toAidl(cr.excludedCarriers); return { .allowedCarriers = toAidl(cr.allowedCarriers), .excludedCarriers = toAidl(cr.excludedCarriers), .allowedCarriers = allowedCarriers, .excludedCarriers = excludedCarriers, .allowedCarriersPrioritized = cr.allowedCarriersPrioritized, .allowedCarrierInfoList = toCarrierInfos(allowedCarriers), .excludedCarrierInfoList = toCarrierInfos(excludedCarriers), }; } V1_4::CarrierRestrictionsWithPriority toHidl(const aidl::CarrierRestrictions& cr) { return { .allowedCarriers = toHidl(cr.allowedCarriers), .excludedCarriers = toHidl(cr.excludedCarriers), .allowedCarriers = (cr.allowedCarriers.size() > cr.allowedCarrierInfoList.size()) ? toHidl(cr.allowedCarriers) : toHidl(cr.allowedCarrierInfoList), .excludedCarriers = (cr.excludedCarriers.size() > cr.excludedCarrierInfoList.size()) ? toHidl(cr.excludedCarriers) : toHidl(cr.excludedCarrierInfoList), .allowedCarriersPrioritized = cr.allowedCarriersPrioritized, }; } Loading
radio/aidl/compat/libradiocompat/sim/structs.h +1 −0 Original line number Diff line number Diff line Loading @@ -37,6 +37,7 @@ V1_0::SimApdu toHidl(const ::aidl::android::hardware::radio::sim::SimApdu& apdu) ::aidl::android::hardware::radio::sim::Carrier toAidl(const V1_0::Carrier& carrier); V1_0::Carrier toHidl(const ::aidl::android::hardware::radio::sim::Carrier& carrier); V1_0::Carrier toHidl(const ::aidl::android::hardware::radio::sim::CarrierInfo& carrierInfo); ::aidl::android::hardware::radio::sim::CarrierRestrictions // toAidl(const V1_0::CarrierRestrictions& cr); Loading
radio/aidl/vts/radio_sim_test.cpp +15 −11 Original line number Diff line number Diff line Loading @@ -485,8 +485,10 @@ TEST_P(RadioSimTest, setAllowedCarriers) { } else { carrierRestrictions.allowedCarrierInfoList.resize(1); carrierRestrictions.excludedCarrierInfoList.resize(0); carrierRestrictions.allowedCarrierInfoList[0].mcc = std::string("321"); carrierRestrictions.allowedCarrierInfoList[0].mnc = std::string("654"); // TODO(b/365568518): change mcc/mnc to something else once CF fully supports // setAllowedCarriers carrierRestrictions.allowedCarrierInfoList[0].mcc = std::string("123"); carrierRestrictions.allowedCarrierInfoList[0].mnc = std::string("456"); carrierRestrictions.allowedCarrierInfoList[0].spn = std::string("TestNetwork"); carrierRestrictions.allowedCarrierInfoList[0].gid1 = std::string("BAE000000000000"); carrierRestrictions.allowedCarrierInfoList[0].gid2 = std::string("AE0000000000000"); Loading Loading @@ -517,7 +519,7 @@ TEST_P(RadioSimTest, setAllowedCarriers) { sleep(2); updateSimCardStatus(); } // TODO: uncomment once CF fully supports setAllowedCarriers // TODO(b/365568518): uncomment once CF fully supports setAllowedCarriers // EXPECT_EQ(CardStatus::STATE_RESTRICTED, cardStatus.cardState); } Loading Loading @@ -545,19 +547,21 @@ TEST_P(RadioSimTest, setAllowedCarriers) { } else { ASSERT_EQ(1, radioRsp_sim->carrierRestrictionsResp.allowedCarrierInfoList.size()); EXPECT_EQ(0, radioRsp_sim->carrierRestrictionsResp.excludedCarrierInfoList.size()); ASSERT_TRUE(std::string("321") == ASSERT_EQ(std::string("123"), radioRsp_sim->carrierRestrictionsResp.allowedCarrierInfoList[0].mcc); ASSERT_TRUE(std::string("654") == ASSERT_EQ(std::string("456"), radioRsp_sim->carrierRestrictionsResp.allowedCarrierInfoList[0].mnc); ASSERT_TRUE(std::string("BAE000000000000") == #if 0 // TODO(b/365568518): enable once CF fully supports setAllowedCarriers ASSERT_EQ(std::string("BAE000000000000"), radioRsp_sim->carrierRestrictionsResp.allowedCarrierInfoList[0].gid1); ASSERT_TRUE(std::string("AE0000000000000") == ASSERT_EQ(std::string("AE0000000000000"), radioRsp_sim->carrierRestrictionsResp.allowedCarrierInfoList[0].gid2); ASSERT_TRUE(std::string("9987") == ASSERT_EQ(std::string("9987"), radioRsp_sim->carrierRestrictionsResp.allowedCarrierInfoList[0].imsiPrefix); ASSERT_TRUE(radioRsp_sim->carrierRestrictionsResp.allowedCarriersPrioritized); EXPECT_EQ(CarrierRestrictions::CarrierRestrictionStatus::RESTRICTED, radioRsp_sim->carrierRestrictionsResp.status); #endif ASSERT_TRUE(radioRsp_sim->carrierRestrictionsResp.allowedCarriersPrioritized); EXPECT_EQ(SimLockMultiSimPolicy::NO_MULTISIM_POLICY, radioRsp_sim->multiSimPolicyResp); } sleep(10); Loading
security/keymint/support/include/remote_prov/remote_prov_utils.h +8 −1 Original line number Diff line number Diff line Loading @@ -21,6 +21,7 @@ #include <vector> #include "aidl/android/hardware/security/keymint/IRemotelyProvisionedComponent.h" #include <hwtrust/hwtrust.h> #include <keymaster/cppcose/cppcose.h> namespace aidl::android::hardware::security::keymint::remote_prov { Loading Loading @@ -176,7 +177,8 @@ ErrMsgOr<std::vector<BccEntryData>> verifyProductionProtectedData( */ ErrMsgOr<std::unique_ptr<cppbor::Array>> verifyFactoryCsr( const cppbor::Array& keysToSign, const std::vector<uint8_t>& csr, IRemotelyProvisionedComponent* provisionable, const std::vector<uint8_t>& challenge); IRemotelyProvisionedComponent* provisionable, const std::vector<uint8_t>& challenge, bool allowDegenerate = true); /** * Verify the CSR as if the device is a final production sample. */ Loading @@ -188,4 +190,9 @@ ErrMsgOr<std::unique_ptr<cppbor::Array>> verifyProductionCsr( /** Checks whether the CSR has a proper DICE chain. */ ErrMsgOr<bool> isCsrWithProperDiceChain(const std::vector<uint8_t>& csr); /** Verify the DICE chain. */ ErrMsgOr<std::vector<BccEntryData>> validateBcc(const cppbor::Array* bcc, hwtrust::DiceChain::Kind kind, bool allowAnyMode, bool allowDegenerate); } // namespace aidl::android::hardware::security::keymint::remote_prov
security/keymint/support/remote_prov_utils.cpp +23 −11 Original line number Diff line number Diff line Loading @@ -26,7 +26,6 @@ #include <android-base/macros.h> #include <android-base/properties.h> #include <cppbor.h> #include <hwtrust/hwtrust.h> #include <json/json.h> #include <keymaster/km_openssl/ec_key.h> #include <keymaster/km_openssl/ecdsa_operation.h> Loading Loading @@ -325,7 +324,8 @@ bytevec getProdEekChain(int32_t supportedEekCurve) { } ErrMsgOr<std::vector<BccEntryData>> validateBcc(const cppbor::Array* bcc, hwtrust::DiceChain::Kind kind, bool allowAnyMode) { hwtrust::DiceChain::Kind kind, bool allowAnyMode, bool allowDegenerate) { auto encodedBcc = bcc->encode(); // Use ro.build.type instead of ro.debuggable because ro.debuggable=1 for VTS testing Loading @@ -336,6 +336,11 @@ ErrMsgOr<std::vector<BccEntryData>> validateBcc(const cppbor::Array* bcc, auto chain = hwtrust::DiceChain::Verify(encodedBcc, kind, allowAnyMode); if (!chain.ok()) return chain.error().message(); if (!allowDegenerate && !chain->IsProper()) { return "DICE chain is degenerate"; } auto keys = chain->CosePublicKeys(); if (!keys.ok()) return keys.error().message(); std::vector<BccEntryData> result; Loading Loading @@ -701,7 +706,8 @@ ErrMsgOr<std::vector<BccEntryData>> verifyProtectedData( } // BCC is [ pubkey, + BccEntry] auto bccContents = validateBcc(bcc->asArray(), hwtrust::DiceChain::Kind::kVsr13, allowAnyMode); auto bccContents = validateBcc(bcc->asArray(), hwtrust::DiceChain::Kind::kVsr13, allowAnyMode, /*allowDegenerate=*/true); if (!bccContents) { return bccContents.message() + "\n" + prettyPrint(bcc.get()); } Loading Loading @@ -997,7 +1003,8 @@ ErrMsgOr<hwtrust::DiceChain::Kind> getDiceChainKind() { ErrMsgOr<bytevec> parseAndValidateAuthenticatedRequest(const std::vector<uint8_t>& request, const std::vector<uint8_t>& challenge, bool allowAnyMode = false) { bool allowAnyMode = false, bool allowDegenerate = true) { auto [parsedRequest, _, csrErrMsg] = cppbor::parse(request); if (!parsedRequest) { return csrErrMsg; Loading Loading @@ -1035,19 +1042,20 @@ ErrMsgOr<bytevec> parseAndValidateAuthenticatedRequest(const std::vector<uint8_t return diceChainKind.message(); } auto diceContents = validateBcc(diceCertChain, *diceChainKind, allowAnyMode); auto diceContents = validateBcc(diceCertChain, *diceChainKind, allowAnyMode, allowDegenerate); if (!diceContents) { return diceContents.message() + "\n" + prettyPrint(diceCertChain); } auto& udsPub = diceContents->back().pubKey; auto udsPub = diceCertChain->get(0)->asMap()->encode(); auto& kmDiceKey = diceContents->back().pubKey; auto error = validateUdsCerts(*udsCerts, udsPub); if (!error.empty()) { return error; } auto signedPayload = verifyAndParseCoseSign1(signedData, udsPub, {} /* aad */); auto signedPayload = verifyAndParseCoseSign1(signedData, kmDiceKey, {} /* aad */); if (!signedPayload) { return signedPayload.message(); } Loading @@ -1064,7 +1072,8 @@ ErrMsgOr<std::unique_ptr<cppbor::Array>> verifyCsr(const cppbor::Array& keysToSi const std::vector<uint8_t>& csr, IRemotelyProvisionedComponent* provisionable, const std::vector<uint8_t>& challenge, bool isFactory, bool allowAnyMode = false) { bool isFactory, bool allowAnyMode = false, bool allowDegenerate = true) { RpcHardwareInfo info; provisionable->getHardwareInfo(&info); if (info.versionNumber != 3) { Loading @@ -1072,7 +1081,8 @@ ErrMsgOr<std::unique_ptr<cppbor::Array>> verifyCsr(const cppbor::Array& keysToSi ") does not match expected version (3)."; } auto csrPayload = parseAndValidateAuthenticatedRequest(csr, challenge, allowAnyMode); auto csrPayload = parseAndValidateAuthenticatedRequest(csr, challenge, allowAnyMode, allowDegenerate); if (!csrPayload) { return csrPayload.message(); } Loading @@ -1082,8 +1092,10 @@ ErrMsgOr<std::unique_ptr<cppbor::Array>> verifyCsr(const cppbor::Array& keysToSi ErrMsgOr<std::unique_ptr<cppbor::Array>> verifyFactoryCsr( const cppbor::Array& keysToSign, const std::vector<uint8_t>& csr, IRemotelyProvisionedComponent* provisionable, const std::vector<uint8_t>& challenge) { return verifyCsr(keysToSign, csr, provisionable, challenge, /*isFactory=*/true); IRemotelyProvisionedComponent* provisionable, const std::vector<uint8_t>& challenge, bool allowDegenerate) { return verifyCsr(keysToSign, csr, provisionable, challenge, /*isFactory=*/true, /*allowAnyMode=*/false, allowDegenerate); } ErrMsgOr<std::unique_ptr<cppbor::Array>> verifyProductionCsr( Loading
