Merge "Deprecate CSR v1 and v2 in IRPC v3" am: 74a699c4d8
am: eb06c44f4f
Original change: https://android-review.googlesource.com/c/platform/hardware/interfaces/+/2510195 Change-Id: I037315bb7bfaf6dd106739b22b0537e01aed6cc9 Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
This commit is contained in:
commit
2379f9b037
3 changed files with 20 additions and 14 deletions
|
@ -31,7 +31,7 @@ This document provides an exact description of which changes have occurred in th
|
|||
* IRemotelyProvisionedComponent
|
||||
* The need for an EEK has been removed. There is no longer an encrypted portion of the CSR.
|
||||
* Keys for new CSR format must be generated with test mode set to false, effectively removing test
|
||||
mode in the new CSR flow. Old behavior is kept unchanged for backwards compatibility.
|
||||
mode in the new CSR flow.
|
||||
* The schema for the CSR itself has been significantly simplified, please see
|
||||
IRemotelyProvisionedComponent.aidl for more details. Notably,
|
||||
* the chain of signing, MACing, and encryption operations has been replaced with a single
|
||||
|
|
|
@ -144,9 +144,9 @@ interface IRemotelyProvisionedComponent {
|
|||
byte[] generateEcdsaP256KeyPair(in boolean testMode, out MacedPublicKey macedPublicKey);
|
||||
|
||||
/**
|
||||
* This method can be removed in version 3 of the HAL. The header is kept around for
|
||||
* backwards compatibility purposes. From v3, this method is allowed to raise a
|
||||
* ServiceSpecificException with an error code of STATUS_REMOVED.
|
||||
* This method has been deprecated since version 3 of the HAL. The header is kept around for
|
||||
* backwards compatibility purposes. From v3, this method must raise a ServiceSpecificException
|
||||
* with an error code of STATUS_REMOVED.
|
||||
*
|
||||
* For v1 and v2 implementations:
|
||||
* generateCertificateRequest creates a certificate request to be sent to the provisioning
|
||||
|
|
|
@ -408,16 +408,8 @@ class CertificateRequestTest : public CertificateRequestTestBase {
|
|||
ASSERT_FALSE(HasFatalFailure());
|
||||
|
||||
if (rpcHardwareInfo.versionNumber >= VERSION_WITHOUT_TEST_MODE) {
|
||||
bytevec keysToSignMac;
|
||||
DeviceInfo deviceInfo;
|
||||
ProtectedData protectedData;
|
||||
auto status = provisionable_->generateCertificateRequest(
|
||||
false, {}, {}, {}, &deviceInfo, &protectedData, &keysToSignMac);
|
||||
if (!status.isOk() && (status.getServiceSpecificError() ==
|
||||
BnRemotelyProvisionedComponent::STATUS_REMOVED)) {
|
||||
GTEST_SKIP() << "This test case applies to RKP v3+ only if "
|
||||
<< "generateCertificateRequest() is implemented.";
|
||||
}
|
||||
GTEST_SKIP() << "This test case only applies to RKP v1 and v2. "
|
||||
<< "RKP version discovered: " << rpcHardwareInfo.versionNumber;
|
||||
}
|
||||
}
|
||||
};
|
||||
|
@ -798,6 +790,20 @@ TEST_P(CertificateRequestV2Test, NonEmptyRequest_testKeyInProdCert) {
|
|||
BnRemotelyProvisionedComponent::STATUS_TEST_KEY_IN_PRODUCTION_REQUEST);
|
||||
}
|
||||
|
||||
/**
|
||||
* Call generateCertificateRequest(). Make sure it's removed.
|
||||
*/
|
||||
TEST_P(CertificateRequestV2Test, CertificateRequestV1Removed) {
|
||||
bytevec keysToSignMac;
|
||||
DeviceInfo deviceInfo;
|
||||
ProtectedData protectedData;
|
||||
auto status = provisionable_->generateCertificateRequest(
|
||||
true /* testMode */, {} /* keysToSign */, {} /* EEK chain */, challenge_, &deviceInfo,
|
||||
&protectedData, &keysToSignMac);
|
||||
ASSERT_FALSE(status.isOk()) << status.getMessage();
|
||||
EXPECT_EQ(status.getServiceSpecificError(), BnRemotelyProvisionedComponent::STATUS_REMOVED);
|
||||
}
|
||||
|
||||
void parse_root_of_trust(const vector<uint8_t>& attestation_cert,
|
||||
vector<uint8_t>* verified_boot_key, VerifiedBoot* verified_boot_state,
|
||||
bool* device_locked, vector<uint8_t>* verified_boot_hash) {
|
||||
|
|
Loading…
Reference in a new issue