From e98263ec554b405bc1e80609780ce67252b2fd9d Mon Sep 17 00:00:00 2001
From: Rajesh Nyamagoud
Date: Thu, 9 Feb 2023 20:36:33 +0000
Subject: [PATCH] Updated to enforce leaf certificate containing attestation record to not to hold the CRL Distribution Points extension in it.

Bug: 260332189
Test: atest VtsAidlKeyMintTargetTest
Change-Id: I7b191b4351984ce82db0e9440027ddbfc14b1c3a
---
 .../aidl/vts/functional/KeyMintAidlTestBase.cpp | 13 +++++++++++++
 .../include/keymint_support/attestation_record.h | 2 ++
 2 files changed, 15 insertions(+)

diff --git a/security/keymint/aidl/vts/functional/KeyMintAidlTestBase.cpp b/security/keymint/aidl/vts/functional/KeyMintAidlTestBase.cpp
index fb5ef49e36..1dec8d7a5f 100644
--- a/security/keymint/aidl/vts/functional/KeyMintAidlTestBase.cpp
+++ b/security/keymint/aidl/vts/functional/KeyMintAidlTestBase.cpp
@@ -108,6 +108,15 @@ bool KeyCharacteristicsBasicallyValid(SecurityLevel secLevel,
     return true;
 }
 
+void check_crl_distribution_points_extension_not_present(X509* certificate) {
+    ASN1_OBJECT_Ptr crl_dp_oid(OBJ_txt2obj(kCrlDPOid, 1 /* dotted string format */));
+    ASSERT_TRUE(crl_dp_oid.get());
+
+    int location =
+            X509_get_ext_by_OBJ(certificate, crl_dp_oid.get(), -1 /* search from beginning */);
+    ASSERT_EQ(location, -1);
+}
+
 void check_attestation_version(uint32_t attestation_version, int32_t aidl_version) {
     // Version numbers in attestation extensions should be a multiple of 100.
     EXPECT_EQ(attestation_version % 100, 0);
@@ -1690,6 +1699,10 @@ bool verify_attestation_record(int32_t aidl_version, //
     EXPECT_TRUE(!!cert.get());
     if (!cert.get()) return false;
 
+    // Make sure CRL Distribution Points extension is not present in a certificate
+    // containing attestation record.
+    check_crl_distribution_points_extension_not_present(cert.get());
+
     ASN1_OCTET_STRING* attest_rec = get_attestation_record(cert.get());
     EXPECT_TRUE(!!attest_rec);
     if (!attest_rec) return false;
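Review bot: The new helper parses the OID from a string and asserts on that parse at every call, although BoringSSL already names this extension: `int location = X509_get_ext_by_NID(certificate, NID_crl_distribution_points, -1 /* search from beginning */);` performs the same lookup with no `OBJ_txt2obj`, no `crl_dp_oid` and no `ASSERT_TRUE`, and would leave the `kCrlDPOid` constant added to attestation_record.h unused. Either way, `ASSERT_EQ(location, -1)` fails with only two integers; `ASSERT_EQ(location, -1) << "CRL Distribution Points extension found at index " << location;` says what was found. The intent is only stated in the commit message, so a header comment such as `// Fails the current test if |certificate| carries a CRL Distribution Points extension; the leaf certificate holding the attestation record must not have one.` would help the next reader.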
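Review bot: At the new call in verify_attestation_record, a fatal failure inside the helper only returns from the helper, so, as far as the visible lines show, the function keeps running its remaining checks and can still return true after the CRL check has failed; the surrounding code consistently does `EXPECT_*(...); if (!...) return false;` instead. The same short-circuit can be kept here with `check_crl_distribution_points_extension_not_present(cert.get()); if (::testing::Test::HasFatalFailure()) return false;`. The added comment could also say why the extension is rejected rather than only that it is, e.g. `// The leaf certificate carrying the attestation record must not advertise a CRL Distribution Points extension.` verify_attestation_record begins and ends outside the hunk.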
diff --git a/security/keymint/support/include/keymint_support/attestation_record.h b/security/keymint/support/include/keymint_support/attestation_record.h
index bc76c9398e..f280f48cb3 100644
--- a/security/keymint/support/include/keymint_support/attestation_record.h
+++ b/security/keymint/support/include/keymint_support/attestation_record.h
@@ -43,6 +43,8 @@ class AuthorizationSet;
  */
 static const char kAttestionRecordOid[] = "1.3.6.1.4.1.11129.2.1.17";
 
+static const char kCrlDPOid[] = "2.5.29.31";  // Standard CRL Distribution Points extension.
+
 enum class VerifiedBoot : uint8_t {
     VERIFIED = 0,
     SELF_SIGNED = 1,
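Review bot: The trailing comment on `kCrlDPOid` names the extension but not where it is defined or why the constant exists in this header, which is what a reader checking the value will want; `// id-ce-cRLDistributionPoints (RFC 5280, section 4.2.1.13). Must not appear in the leaf attestation certificate.` gives both. The `static const char[]` form matches `kAttestionRecordOid` above it, so no change there.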