
Commit a601d074 authored by Andrew Scull

Validate DICE chain based on context

The DICE chain in a ProtectedData object is evaluated against the
specification from v1 and v2 of the HAL, whereas the chain in an
AuthenticatedMessage object is evaluated against the specification
from v3.

There are only small differences with v3 aligning to the standards where
there was previously more leniency.

Fix: 262599829
Test: TH
Change-Id: Ied14362b5530485eb6c2302a0ae0f21da9cdb33f
parent 86d21739
+7 −6
@@ -290,11 +290,12 @@ bytevec getProdEekChain(int32_t supportedEekCurve) {
    return chain.encode();
}

ErrMsgOr<std::vector<BccEntryData>> validateBcc(const cppbor::Array* bcc) {
ErrMsgOr<std::vector<BccEntryData>> validateBcc(const cppbor::Array* bcc,
                                                hwtrust::DiceChain::Kind kind) {
    auto encodedBcc = bcc->encode();
    auto chain = hwtrust::DiceChain::verify(encodedBcc);
    auto chain = hwtrust::DiceChain::Verify(encodedBcc, kind);
    if (!chain.ok()) return chain.error().message();
    auto keys = chain->cose_public_keys();
    auto keys = chain->CosePublicKeys();
    if (!keys.ok()) return keys.error().message();
    std::vector<BccEntryData> result;
    for (auto& key : *keys) {
@@ -569,7 +570,7 @@ ErrMsgOr<std::vector<BccEntryData>> verifyProtectedData(
    }

    // BCC is [ pubkey, + BccEntry]
    auto bccContents = validateBcc(bcc->asArray());
    auto bccContents = validateBcc(bcc->asArray(), hwtrust::DiceChain::Kind::kProtectedData);
    if (!bccContents) {
        return bccContents.message() + "\n" + prettyPrint(bcc.get());
    }
@@ -859,8 +860,8 @@ ErrMsgOr<bytevec> parseAndValidateAuthenticatedRequest(const std::vector<uint8_t
        return "AuthenticatedRequest SignedData must be an Array.";
    }

    // DICE chain is [ pubkey, + DiceChainEntry ]. Its format is the same as BCC from RKP v1-2.
    auto diceContents = validateBcc(diceCertChain);
    // DICE chain is [ pubkey, + DiceChainEntry ].
    auto diceContents = validateBcc(diceCertChain, hwtrust::DiceChain::Kind::kAuthenticatedMessage);
    if (!diceContents) {
        return diceContents.message() + "\n" + prettyPrint(diceCertChain);
    }
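Review bot: The new `kind` parameter on `validateBcc` is the security-relevant switch in this change, yet the declaration carries no comment saying which value a caller must pass or why the choice matters. I would add above the signature: `// kind selects the DICE chain profile: kProtectedData applies the RKP v1/v2 rules, kAuthenticatedMessage the stricter v3 rules.` followed by `// Pass the kind matching the envelope the chain came from; a lenient kind on a v3 message weakens validation.` Dropping the old remark that the v3 chain format is the same as the v1-2 BCC is consistent with the commit message, since v3 is now checked more strictly. Note that `validateBcc`'s body continues past the first hunk, and the enclosing functions of both call sites start outside their hunks, so whether the array pointers passed in are null-checked earlier cannot be confirmed here.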