Loading security/keymint/aidl/android/hardware/security/keymint/Tag.aidl +14 −3 Original line number Diff line number Diff line Loading @@ -827,11 +827,22 @@ enum Tag { /** * DEVICE_UNIQUE_ATTESTATION is an argument to IKeyMintDevice::attested key generation/import * operations. It indicates that attestation using a device-unique key is requested, rather * than a batch key. When a device-unique key is used, the returned chain should contain two * certificates: * than a batch key. When a device-unique key is used, the returned chain should contain two or * three certificates. * * In case the chain contains two certificates, they should be: * * The attestation certificate, containing the attestation extension, as described in KeyCreationResult.aidl. * KeyCreationResult.aidl. * * A self-signed root certificate, signed by the device-unique key. * * In case the chain contains three certificates, they should be: * * The attestation certificate, containing the attestation extension, as described in * KeyCreationResult.aidl, signed by the device-unique key. * * An intermediate certificate, containing the public portion of the device-unique key. * * A self-signed root certificate, signed by a dedicated key, certifying the * intermediate. Ideally, the dedicated key would be the same for all StrongBox * instances of the same manufacturer to ease validation. * * No additional chained certificates are provided. Only SecurityLevel::STRONGBOX * IKeyMintDevices may support device-unique attestations. SecurityLevel::TRUSTED_ENVIRONMENT * IKeyMintDevices must return ErrorCode::INVALID_ARGUMENT if they receive Loading security/keymint/aidl/vts/functional/DeviceUniqueAttestationTest.cpp +9 −4 Original line number Diff line number Diff line Loading 
@@ -40,11 +40,16 @@ class DeviceUniqueAttestationTest : public KeyMintAidlTestBase { AuthorizationSet crypto_params = SecLevelAuthorizations(key_characteristics); // The device-unique attestation chain should contain exactly two certificates: // The device-unique attestation chain should contain exactly three certificates: // * The leaf with the attestation extension. // * A self-signed root, signed using the device-unique key. ASSERT_EQ(cert_chain_.size(), 2); EXPECT_TRUE(ChainSignaturesAreValid(cert_chain_)); // * An intermediate, signing the leaf using the device-unique key. // * A self-signed root, signed using some authority's key, certifying // the device-unique key. const size_t chain_length = cert_chain_.size(); ASSERT_TRUE(chain_length == 2 || chain_length == 3); // TODO(b/191361618): Once StrongBox implementations use a correctly-issued // certificate chain, do not skip issuers matching. EXPECT_TRUE(ChainSignaturesAreValid(cert_chain_, /* strict_issuer_check= */ false)); AuthorizationSet sw_enforced = SwEnforcedAuthorizations(key_characteristics); EXPECT_TRUE(verify_attestation_record("challenge", "foo", sw_enforced, hw_enforced, Loading security/keymint/aidl/vts/functional/KeyMintAidlTestBase.cpp +3 −2 Original line number Diff line number Diff line Loading @@ -1493,7 +1493,8 @@ AuthorizationSet SwEnforcedAuthorizations(const vector<KeyCharacteristics>& key_ return authList; } AssertionResult ChainSignaturesAreValid(const vector<Certificate>& chain) { AssertionResult ChainSignaturesAreValid(const vector<Certificate>& chain, bool strict_issuer_check) { std::stringstream cert_data; for (size_t i = 0; i < chain.size(); ++i) { Loading 
@@ -1520,7 +1521,7 @@ AssertionResult ChainSignaturesAreValid(const vector<Certificate>& chain) { string cert_issuer = x509NameToStr(X509_get_issuer_name(key_cert.get())); string signer_subj = x509NameToStr(X509_get_subject_name(signing_cert.get())); if (cert_issuer != signer_subj) { if (cert_issuer != signer_subj && strict_issuer_check) { return AssertionFailure() << "Cert " << i << " has wrong issuer.\n" << " Signer subject is " << signer_subj << " Issuer subject is " << cert_issuer << endl Loading security/keymint/aidl/vts/functional/KeyMintAidlTestBase.h +2 −1 Original line number Diff line number Diff line Loading @@ -349,7 +349,8 @@ void p256_pub_key(const vector<uint8_t>& coseKeyData, EVP_PKEY_Ptr* signingKey); AuthorizationSet HwEnforcedAuthorizations(const vector<KeyCharacteristics>& key_characteristics); AuthorizationSet SwEnforcedAuthorizations(const vector<KeyCharacteristics>& key_characteristics); ::testing::AssertionResult ChainSignaturesAreValid(const vector<Certificate>& chain); ::testing::AssertionResult ChainSignaturesAreValid(const vector<Certificate>& chain, bool strict_issuer_check = true); #define INSTANTIATE_KEYMINT_AIDL_TEST(name) \ INSTANTIATE_TEST_SUITE_P(PerInstance, name, \ Loading Loading
security/keymint/aidl/android/hardware/security/keymint/Tag.aidl +14 −3 Original line number Diff line number Diff line Loading @@ -827,11 +827,22 @@ enum Tag { /** * DEVICE_UNIQUE_ATTESTATION is an argument to IKeyMintDevice::attested key generation/import * operations. It indicates that attestation using a device-unique key is requested, rather * than a batch key. When a device-unique key is used, the returned chain should contain two * certificates: * than a batch key. When a device-unique key is used, the returned chain should contain two or * three certificates. * * In case the chain contains two certificates, they should be: * * The attestation certificate, containing the attestation extension, as described in KeyCreationResult.aidl. * KeyCreationResult.aidl. * * A self-signed root certificate, signed by the device-unique key. * * In case the chain contains three certificates, they should be: * * The attestation certificate, containing the attestation extension, as described in * KeyCreationResult.aidl, signed by the device-unique key. * * An intermediate certificate, containing the public portion of the device-unique key. * * A self-signed root certificate, signed by a dedicated key, certifying the * intermediate. Ideally, the dedicated key would be the same for all StrongBox * instances of the same manufacturer to ease validation. * * No additional chained certificates are provided. Only SecurityLevel::STRONGBOX * IKeyMintDevices may support device-unique attestations. SecurityLevel::TRUSTED_ENVIRONMENT * IKeyMintDevices must return ErrorCode::INVALID_ARGUMENT if they receive Loading
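Review bot: The three-certificate form never states the issuer/subject relationship between the intermediate and the root, so an implementation can emit a root whose key signs the intermediate while the intermediate's issuer name does not match the root's subject — which is exactly the shape the VTS test in this same change has to tolerate by turning off strict issuer matching. Make the chaining explicit, e.g. `* An intermediate certificate, containing the public portion of the device-unique key, signed by the dedicated root key, with its issuer name equal to the root's subject name.` Relying parties should also be told that the root in either form is a trust anchor that has to be obtained out of band (a self-signed root carried inside the chain proves nothing by itself about which device produced the leaf); a sentence such as `* Verifiers must obtain the expected root, or the device-unique public key, through an independent channel; the chain is not self-authenticating.` would close that gap. If cross-device validation with one manufacturer key is the intent, "Ideally" is weaker than the guidance needs to be.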
security/keymint/aidl/vts/functional/DeviceUniqueAttestationTest.cpp +9 −4 Original line number Diff line number Diff line Loading @@ -40,11 +40,16 @@ class DeviceUniqueAttestationTest : public KeyMintAidlTestBase { AuthorizationSet crypto_params = SecLevelAuthorizations(key_characteristics); // The device-unique attestation chain should contain exactly two certificates: // The device-unique attestation chain should contain exactly three certificates: // * The leaf with the attestation extension. // * A self-signed root, signed using the device-unique key. ASSERT_EQ(cert_chain_.size(), 2); EXPECT_TRUE(ChainSignaturesAreValid(cert_chain_)); // * An intermediate, signing the leaf using the device-unique key. // * A self-signed root, signed using some authority's key, certifying // the device-unique key. const size_t chain_length = cert_chain_.size(); ASSERT_TRUE(chain_length == 2 || chain_length == 3); // TODO(b/191361618): Once StrongBox implementations use a correctly-issued // certificate chain, do not skip issuers matching. EXPECT_TRUE(ChainSignaturesAreValid(cert_chain_, /* strict_issuer_check= */ false)); AuthorizationSet sw_enforced = SwEnforcedAuthorizations(key_characteristics); EXPECT_TRUE(verify_attestation_record("challenge", "foo", sw_enforced, hw_enforced, Loading
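Review bot: Passing `strict_issuer_check=false` unconditionally also relaxes the two-certificate case, which the replaced line checked strictly; the waiver described in the TODO only concerns three-certificate chains, so scope it: `EXPECT_TRUE(ChainSignaturesAreValid(cert_chain_, /* strict_issuer_check= */ chain_length == 2));`. The new comment says the chain "should contain exactly three certificates" while the assertion right below accepts two or three; reword it to `// The device-unique attestation chain should contain two or three certificates:` and keep the two-certificate shape in the list. `ASSERT_TRUE(chain_length == 2 || chain_length == 3)` fails without reporting the actual length, so appending `<< "unexpected chain length " << chain_length` helps triage. The enclosing test body starts before and continues past this hunk.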
security/keymint/aidl/vts/functional/KeyMintAidlTestBase.cpp +3 −2 Original line number Diff line number Diff line Loading @@ -1493,7 +1493,8 @@ AuthorizationSet SwEnforcedAuthorizations(const vector<KeyCharacteristics>& key_ return authList; } AssertionResult ChainSignaturesAreValid(const vector<Certificate>& chain) { AssertionResult ChainSignaturesAreValid(const vector<Certificate>& chain, bool strict_issuer_check) { std::stringstream cert_data; for (size_t i = 0; i < chain.size(); ++i) { Loading @@ -1520,7 +1521,7 @@ AssertionResult ChainSignaturesAreValid(const vector<Certificate>& chain) { string cert_issuer = x509NameToStr(X509_get_issuer_name(key_cert.get())); string signer_subj = x509NameToStr(X509_get_subject_name(signing_cert.get())); if (cert_issuer != signer_subj) { if (cert_issuer != signer_subj && strict_issuer_check) { return AssertionFailure() << "Cert " << i << " has wrong issuer.\n" << " Signer subject is " << signer_subj << " Issuer subject is " << cert_issuer << endl Loading
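Review bot: With `strict_issuer_check` false, an issuer/subject mismatch in the second hunk is dropped silently, so a chain that used to fail now passes with no trace in the test output; for a conformance test the mismatch should at least be logged, e.g. `else if (cert_issuer != signer_subj) std::cerr << "Cert " << i << " issuer does not match signer subject (ignored)\n";` (the function already uses `endl`, so a stream header is presumably in scope — confirm). Writing the condition as `if (strict_issuer_check && cert_issuer != signer_subj)` reads as "compare names only in strict mode" rather than as an exception bolted on after the comparison. The signature verification the function is named for is not in this hunk and presumably still runs regardless of the flag — worth confirming, since that is the property the relaxed mode must keep. ChainSignaturesAreValid's body starts before the first hunk and continues past the second.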
security/keymint/aidl/vts/functional/KeyMintAidlTestBase.h +2 −1 Original line number Diff line number Diff line Loading @@ -349,7 +349,8 @@ void p256_pub_key(const vector<uint8_t>& coseKeyData, EVP_PKEY_Ptr* signingKey); AuthorizationSet HwEnforcedAuthorizations(const vector<KeyCharacteristics>& key_characteristics); AuthorizationSet SwEnforcedAuthorizations(const vector<KeyCharacteristics>& key_characteristics); ::testing::AssertionResult ChainSignaturesAreValid(const vector<Certificate>& chain); ::testing::AssertionResult ChainSignaturesAreValid(const vector<Certificate>& chain, bool strict_issuer_check = true); #define INSTANTIATE_KEYMINT_AIDL_TEST(name) \ INSTANTIATE_TEST_SUITE_P(PerInstance, name, \ Loading
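Review bot: The new `strict_issuer_check` parameter is undocumented in the header, and its default of `true` is what keeps every existing caller strict, so a reader has to open the .cpp to learn what passing `false` waives. Add a comment above the declaration, e.g. `// Checks each certificate in |chain| against the next one. When strict_issuer_check is true each certificate's issuer name must also equal its signer's subject name; false relaxes only that name comparison (see DeviceUniqueAttestationTest).` Keep the default at `true` so new call sites have to opt in to the relaxed behaviour explicitly.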