Merge "Updated to enforce leaf certificate containing attestation record to not to hold the CRL Distribution Points extension in it." am: adff54caf4 am: 3e619b8cc5

Original change: https://android-review.googlesource.com/c/platform/hardware/interfaces/+/2427795

Change-Id: Ifd67e763427e1a58b458d251d3c9aad615564b96
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>

security/keymint/aidl/vts/functional/KeyMintAidlTestBase.cpp

@@ -108,6 +108,15 @@ bool KeyCharacteristicsBasicallyValid(SecurityLevel secLevel,
     return true;
 }
 
+void check_crl_distribution_points_extension_not_present(X509* certificate) {
+    ASN1_OBJECT_Ptr crl_dp_oid(OBJ_txt2obj(kCrlDPOid, 1 /* dotted string format */));
+    ASSERT_TRUE(crl_dp_oid.get());
+
+    int location =
+            X509_get_ext_by_OBJ(certificate, crl_dp_oid.get(), -1 /* search from beginning */);
+    ASSERT_EQ(location, -1);
+}
+
 void check_attestation_version(uint32_t attestation_version, int32_t aidl_version) {
     // Version numbers in attestation extensions should be a multiple of 100.
     EXPECT_EQ(attestation_version % 100, 0);
@@ -1690,6 +1699,10 @@ bool verify_attestation_record(int32_t aidl_version,                   //
     EXPECT_TRUE(!!cert.get());
     if (!cert.get()) return false;
 
+    // Make sure CRL Distribution Points extension is not present in a certificate
+    // containing attestation record.
+    check_crl_distribution_points_extension_not_present(cert.get());
+
     ASN1_OCTET_STRING* attest_rec = get_attestation_record(cert.get());
     EXPECT_TRUE(!!attest_rec);
     if (!attest_rec) return false;

security/keymint/support/include/keymint_support/attestation_record.h

@@ -43,6 +43,8 @@ class AuthorizationSet;
  */
 static const char kAttestionRecordOid[] = "1.3.6.1.4.1.11129.2.1.17";
 
+static const char kCrlDPOid[] = "2.5.29.31";  // Standard CRL Distribution Points extension.
+
 enum class VerifiedBoot : uint8_t {
     VERIFIED = 0,
     SELF_SIGNED = 1,