Merge "Select the DICE validation rules based on the VSR" into main am: b484308d5c am: 68e76934b2

Original change: https://android-review.googlesource.com/c/platform/hardware/interfaces/+/2678076

Change-Id: Ic9d18238b7e350f2aedb550452d4633f727e3fef
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
This commit is contained in:
Andrew Scull 2023-09-21 20:35:20 +00:00 committed by Automerger Merge Worker
commit 44d47323f5
2 changed files with 22 additions and 2 deletions

View file

@ -962,6 +962,20 @@ ErrMsgOr<bytevec> parseAndValidateAuthenticatedRequestSignedPayload(
return signedRequest->value(); return signedRequest->value();
} }
ErrMsgOr<hwtrust::DiceChain::Kind> getDiceChainKind() {
int vendor_api_level = ::android::base::GetIntProperty("ro.vendor.api_level", -1);
switch (vendor_api_level) {
case __ANDROID_API_T__:
return hwtrust::DiceChain::Kind::kVsr13;
case __ANDROID_API_U__:
return hwtrust::DiceChain::Kind::kVsr14;
case __ANDROID_API_V__:
return hwtrust::DiceChain::Kind::kVsr15;
default:
return "Unsupported vendor API level: " + std::to_string(vendor_api_level);
}
}
ErrMsgOr<bytevec> parseAndValidateAuthenticatedRequest(const std::vector<uint8_t>& request, ErrMsgOr<bytevec> parseAndValidateAuthenticatedRequest(const std::vector<uint8_t>& request,
const std::vector<uint8_t>& challenge) { const std::vector<uint8_t>& challenge) {
auto [parsedRequest, _, csrErrMsg] = cppbor::parse(request); auto [parsedRequest, _, csrErrMsg] = cppbor::parse(request);
@ -996,7 +1010,12 @@ ErrMsgOr<bytevec> parseAndValidateAuthenticatedRequest(const std::vector<uint8_t
} }
// DICE chain is [ pubkey, + DiceChainEntry ]. // DICE chain is [ pubkey, + DiceChainEntry ].
auto diceContents = validateBcc(diceCertChain, hwtrust::DiceChain::Kind::kVsr14); auto diceChainKind = getDiceChainKind();
if (!diceChainKind) {
return diceChainKind.message();
}
auto diceContents = validateBcc(diceCertChain, *diceChainKind);
if (!diceContents) { if (!diceContents) {
return diceContents.message() + "\n" + prettyPrint(diceCertChain); return diceContents.message() + "\n" + prettyPrint(diceCertChain);
} }

View file

@ -90,6 +90,7 @@ DiceCertChain = [
DiceChainEntryPayload = { ; CWT [RFC8392] DiceChainEntryPayload = { ; CWT [RFC8392]
1 : tstr, ; Issuer 1 : tstr, ; Issuer
2 : tstr, ; Subject 2 : tstr, ; Subject
-4670554 : "android.15", ; Profile Name
-4670552 : bstr .cbor PubKeyEd25519 / -4670552 : bstr .cbor PubKeyEd25519 /
bstr .cbor PubKeyECDSA256 / bstr .cbor PubKeyECDSA256 /
bstr .cbor PubKeyECDSA384, ; Subject Public Key bstr .cbor PubKeyECDSA384, ; Subject Public Key