tequilaOS/platform_hardware_interfaces
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Merge "Validate DICE chain based on context" am: e5a5610018 am: e02b80a11f

Browse source 
Original change: https://android-review.googlesource.com/c/platform/hardware/interfaces/+/2485115

Change-Id: I374b8d28711ed76c6c9729f37069f30fb1aafe82
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
This commit is contained in:
Andrew Scull 2023-03-14 16:13:47 +00:00 committed by Automerger Merge Worker
commit 022a26ffa2
1 changed files with 7 additions and 6 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

13
security/keymint/support/remote_prov_utils.cpp
View file

@ -290,11 +290,12 @@ bytevec getProdEekChain(int32_t supportedEekCurve) {
return chain.encode();
}
ErrMsgOr<std::vector<BccEntryData>> validateBcc(const cppbor::Array* bcc) {
ErrMsgOr<std::vector<BccEntryData>> validateBcc(const cppbor::Array* bcc,
hwtrust::DiceChain::Kind kind) {
auto encodedBcc = bcc->encode();
auto chain = hwtrust::DiceChain::verify(encodedBcc);
auto chain = hwtrust::DiceChain::Verify(encodedBcc, kind);
if (!chain.ok()) return chain.error().message();
auto keys = chain->cose_public_keys();
auto keys = chain->CosePublicKeys();
if (!keys.ok()) return keys.error().message();
std::vector<BccEntryData> result;
for (auto& key : *keys) {
@ -569,7 +570,7 @@ ErrMsgOr<std::vector<BccEntryData>> verifyProtectedData(
}
// BCC is [ pubkey, + BccEntry]
auto bccContents = validateBcc(bcc->asArray());
auto bccContents = validateBcc(bcc->asArray(), hwtrust::DiceChain::Kind::kProtectedData);
if (!bccContents) {
return bccContents.message() + "\n" + prettyPrint(bcc.get());
}
@ -859,8 +860,8 @@ ErrMsgOr<bytevec> parseAndValidateAuthenticatedRequest(const std::vector<uint8_t
return "AuthenticatedRequest SignedData must be an Array.";
}
// DICE chain is [ pubkey, + DiceChainEntry ]. Its format is the same as BCC from RKP v1-2.
auto diceContents = validateBcc(diceCertChain);
// DICE chain is [ pubkey, + DiceChainEntry ].
auto diceContents = validateBcc(diceCertChain, hwtrust::DiceChain::Kind::kAuthenticatedMessage);
if (!diceContents) {
return diceContents.message() + "\n" + prettyPrint(diceCertChain);
}