From 8c255e69bf3edf5bbfc6ddc5910f1fb91a228e9b Mon Sep 17 00:00:00 2001
From: Max Bires
Date: Wed, 2 Feb 2022 12:03:28 -0800
Subject: [PATCH] Enforcing canonicalization of DeviceInfo.

This change specifies that the DeviceInfo map returned by the IRPC HAL implementation should be canonicalized. Additionally, it adds coverage to the VTS tests to ensure this requirement is enforced.

Test: atest VtsHalRemotelyProvisionedComponentTargetTest
Change-Id: I276f38497a307c407d305b62a3e9af78a403054e
---
 .../aidl/android/hardware/security/keymint/DeviceInfo.aidl | 4 +++-
 .../vts/functional/VtsRemotelyProvisionedComponentTests.cpp | 6 ++++--
 2 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/security/keymint/aidl/android/hardware/security/keymint/DeviceInfo.aidl b/security/keymint/aidl/android/hardware/security/keymint/DeviceInfo.aidl
index 586e6597a6..153a04f2b5 100644
--- a/security/keymint/aidl/android/hardware/security/keymint/DeviceInfo.aidl
+++ b/security/keymint/aidl/android/hardware/security/keymint/DeviceInfo.aidl
@@ -27,7 +27,9 @@ package android.hardware.security.keymint;
 @VintfStability
 parcelable DeviceInfo {
 /**
- * DeviceInfo is a CBOR Map structure described by the following CDDL.
+ * DeviceInfo is a CBOR Map structure described by the following CDDL. DeviceInfo must be
+ * canonicalized according to the specification in RFC 7049. The ordering presented here is
+ * non-canonical to group similar entries semantically.
 *
 * DeviceInfo = {
 * "brand" : tstr,
diff --git a/security/keymint/aidl/vts/functional/VtsRemotelyProvisionedComponentTests.cpp b/security/keymint/aidl/vts/functional/VtsRemotelyProvisionedComponentTests.cpp
index 3a7e000450..927d7d7daf 100644
--- a/security/keymint/aidl/vts/functional/VtsRemotelyProvisionedComponentTests.cpp
+++ b/security/keymint/aidl/vts/functional/VtsRemotelyProvisionedComponentTests.cpp
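Review bot: "canonicalized according to the specification in RFC 7049" on the new comment lines leaves the map-key ordering rule ambiguous, because RFC 7049 Section 3.9 (Canonical CBOR) sorts keys by length of the encoded key first and then bytewise, while its successor RFC 8949 Section 4.2 replaces that with plain bytewise lexicographic ordering; an implementer who reads the newer document produces a different byte sequence for the same map and will fail the byte-for-byte comparison the VTS hunk in this commit adds. Cite the section and the rule explicitly, e.g. `* canonicalized as specified in Section 3.9 of RFC 7049 (Canonical CBOR): minimal-length encodings, no indefinite-length items, and map keys sorted by length of the encoded key first, then bytewise.` In practice whichever ordering cppbor's canonicalize() implements is the requirement the test enforces, so the wording here should match it exactly.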
@@ -422,7 +422,7 @@ class CertificateRequestTest : public VtsRemotelyProvisionedComponentTests {
 ASSERT_TRUE(deviceInfoMap) << "Failed to parse deviceInfo: " << deviceInfoErrMsg;
 ASSERT_TRUE(deviceInfoMap->asMap());
- checkDeviceInfo(deviceInfoMap->asMap());
+ checkDeviceInfo(deviceInfoMap->asMap(), deviceInfo.deviceInfo);
 auto& signingKey = bccContents->back().pubKey;
 auto macKey = verifyAndParseCoseSign1(signedMac->asArray(), signingKey,
@@ -466,7 +466,7 @@ class CertificateRequestTest : public VtsRemotelyProvisionedComponentTests {
 }
 }
- void checkDeviceInfo(const cppbor::Map* deviceInfo) {
+ void checkDeviceInfo(const cppbor::Map* deviceInfo, bytevec deviceInfoBytes) {
 const auto& version = deviceInfo->get("version");
 ASSERT_TRUE(version);
 ASSERT_TRUE(version->asUint());
@@ -518,6 +518,8 @@ class CertificateRequestTest : public VtsRemotelyProvisionedComponentTests {
 default:
 FAIL() << "Unrecognized version: " << version->asUint()->value();
 }
+ ASSERT_EQ(deviceInfo->clone()->asMap()->canonicalize().encode(), deviceInfoBytes)
+ << "DeviceInfo ordering is non-canonical.";
 }
 bytevec eekId_;
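Review bot: `bytevec deviceInfoBytes` in the new checkDeviceInfo signature takes the encoded DeviceInfo by value, which copies the whole vector on every call even though the function only compares against it (the comparison is the ASSERT_EQ added in the @@ -518 hunk). Take it by const reference instead: `void checkDeviceInfo(const cppbor::Map* deviceInfo, const bytevec& deviceInfoBytes) {`. The body of checkDeviceInfo continues beyond this hunk.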
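Review bot: The failure message `"DeviceInfo ordering is non-canonical."` on the new ASSERT_EQ is narrower than what the assertion checks: re-encoding the parsed map through canonicalize().encode() and comparing it byte-for-byte with the HAL's output also rejects non-minimal integer lengths, indefinite-length items and any other non-canonical encoding choice, not just key order, so an implementer whose keys are already sorted would be pointed at the wrong fix. Widen the message, e.g. `<< "DeviceInfo encoding is not canonical CBOR (RFC 7049 section 3.9).";`. On mismatch gtest prints the two raw byte containers, which is hard to read for a CBOR blob; if the file already has a hex-dump helper, consider comparing the hex forms so the first differing byte is visible in the log. The enclosing checkDeviceInfo body starts before this hunk.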