
Commit 8c255e69 authored by Max Bires's avatar Max Bires

Enforcing canonicalization of DeviceInfo.

This change specifies that the DeviceInfo map returned by the IRPC HAL
implementation should be canonicalized. Additionally, it adds coverage
to the VTS tests to ensure this requirement is enforced.

Test: atest VtsHalRemotelyProvisionedComponentTargetTest
Change-Id: I276f38497a307c407d305b62a3e9af78a403054e
parent 87a6fbc5
+3 −1
@@ -27,7 +27,9 @@ package android.hardware.security.keymint;
@VintfStability
parcelable DeviceInfo {
    /**
     * DeviceInfo is a CBOR Map structure described by the following CDDL.
     * DeviceInfo is a CBOR Map structure described by the following CDDL. DeviceInfo must be
     * canonicalized according to the specification in RFC 7049. The ordering presented here is
     * non-canonical to group similar entries semantically.
     *
     *     DeviceInfo = {
     *         "brand" : tstr,
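Review bot: The added requirement cites RFC 7049 as a whole, without naming the section or the rules an implementer must follow, which makes this normative sentence easy to misread. RFC 7049 has since been obsoleted by RFC 8949, whose deterministic-encoding rules are worded differently, so pinning the reference matters for HAL implementers who reach for the newer document. I'd write it as `DeviceInfo must be canonicalized according to Section 3.9 of RFC 7049 (shortest-form integers and lengths, definite-length items, map keys sorted by encoded length and then bytewise).` The doc comment continues past the end of this hunk, so later entries in the CDDL are not visible here.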
+4 −2
@@ -422,7 +422,7 @@ class CertificateRequestTest : public VtsRemotelyProvisionedComponentTests {
        ASSERT_TRUE(deviceInfoMap) << "Failed to parse deviceInfo: " << deviceInfoErrMsg;
        ASSERT_TRUE(deviceInfoMap->asMap());

        checkDeviceInfo(deviceInfoMap->asMap());
        checkDeviceInfo(deviceInfoMap->asMap(), deviceInfo.deviceInfo);

        auto& signingKey = bccContents->back().pubKey;
        auto macKey = verifyAndParseCoseSign1(signedMac->asArray(), signingKey,
@@ -466,7 +466,7 @@ class CertificateRequestTest : public VtsRemotelyProvisionedComponentTests {
        }
    }

    void checkDeviceInfo(const cppbor::Map* deviceInfo) {
    void checkDeviceInfo(const cppbor::Map* deviceInfo, bytevec deviceInfoBytes) {
        const auto& version = deviceInfo->get("version");
        ASSERT_TRUE(version);
        ASSERT_TRUE(version->asUint());
@@ -518,6 +518,8 @@ class CertificateRequestTest : public VtsRemotelyProvisionedComponentTests {
            default:
                FAIL() << "Unrecognized version: " << version->asUint()->value();
        }
        ASSERT_EQ(deviceInfo->clone()->asMap()->canonicalize().encode(), deviceInfoBytes)
                << "DeviceInfo ordering is non-canonical.";
    }

    bytevec eekId_;
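Review bot: The failure message on the new `ASSERT_EQ` at the end of `checkDeviceInfo` blames key ordering only, but the check compares a canonical re-encoding byte for byte with the bytes returned by the HAL. It will therefore presumably also fail on non-minimal integer or length encodings and on trailing bytes after the map, depending on how the cppbor parser treats them. A message that states the full condition would save vendors debugging time, e.g. `<< "DeviceInfo is not canonically encoded (key order or item encoding differs from RFC 7049 canonical form).";`. Separately, the new parameter is taken by value and copies the buffer on each call; `const bytevec& deviceInfoBytes` avoids that. The body of `checkDeviceInfo` spans two hunks and its middle section is not visible here.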