Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit dd6b7368 authored by Treehugger Robot's avatar Treehugger Robot Committed by Automerger Merge Worker
Browse files

Merge "Updated to enforce leaf certificate containing attestation record to... 

Merge "Updated to enforce leaf certificate containing attestation record to not to hold the CRL Distribution Points extension in it." am: adff54ca am: 3e619b8c am: 8b5cf88a

Original change: https://android-review.googlesource.com/c/platform/hardware/interfaces/+/2427795



Change-Id: I6819590e2e6281db97cccde3115a538d9475ce4b
Signed-off-by: default avatarAutomerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
parents b003b30b 8b5cf88a

security/keymint/aidl/vts/functional/KeyMintAidlTestBase.cpp

+13 −0
Original line number Diff line number Diff line
@@ -108,6 +108,15 @@ bool KeyCharacteristicsBasicallyValid(SecurityLevel secLevel, 
    return true;

}



void check_crl_distribution_points_extension_not_present(X509* certificate) {

    ASN1_OBJECT_Ptr crl_dp_oid(OBJ_txt2obj(kCrlDPOid, 1 /* dotted string format */));

    ASSERT_TRUE(crl_dp_oid.get());



    int location =

            X509_get_ext_by_OBJ(certificate, crl_dp_oid.get(), -1 /* search from beginning */);

    ASSERT_EQ(location, -1);

}



void check_attestation_version(uint32_t attestation_version, int32_t aidl_version) {

    // Version numbers in attestation extensions should be a multiple of 100.

    EXPECT_EQ(attestation_version % 100, 0);
@@ -1690,6 +1699,10 @@ bool verify_attestation_record(int32_t aidl_version, // 
    EXPECT_TRUE(!!cert.get());

    if (!cert.get()) return false;



    // Make sure CRL Distribution Points extension is not present in a certificate

    // containing attestation record.

    check_crl_distribution_points_extension_not_present(cert.get());



    ASN1_OCTET_STRING* attest_rec = get_attestation_record(cert.get());

    EXPECT_TRUE(!!attest_rec);

    if (!attest_rec) return false;

security/keymint/support/include/keymint_support/attestation_record.h

+2 −0
Original line number Diff line number Diff line
@@ -43,6 +43,8 @@ class AuthorizationSet; 
 */

static const char kAttestionRecordOid[] = "1.3.6.1.4.1.11129.2.1.17";



static const char kCrlDPOid[] = "2.5.29.31";  // Standard CRL Distribution Points extension.



enum class VerifiedBoot : uint8_t {

    VERIFIED = 0,

    SELF_SIGNED = 1,