Merge "Select the DICE validation rules based on the VSR" into main
This commit is contained in:
Andrew Scull
Gerrit Code Review
commit
b484308d5c
2 changed files with 22 additions and 2 deletions
|
|
@ -962,6 +962,20 @@ ErrMsgOr<bytevec> parseAndValidateAuthenticatedRequestSignedPayload(
|
||||||
return signedRequest->value();
|
return signedRequest->value();
|
||||||
}
|
}
|
||||||
|
|
||||||
|
ErrMsgOr<hwtrust::DiceChain::Kind> getDiceChainKind() {
|
||||||
|
int vendor_api_level = ::android::base::GetIntProperty("ro.vendor.api_level", -1);
|
||||||
|
switch (vendor_api_level) {
|
||||||
|
case __ANDROID_API_T__:
|
||||||
|
return hwtrust::DiceChain::Kind::kVsr13;
|
||||||
|
case __ANDROID_API_U__:
|
||||||
|
return hwtrust::DiceChain::Kind::kVsr14;
|
||||||
|
case __ANDROID_API_V__:
|
||||||
|
return hwtrust::DiceChain::Kind::kVsr15;
|
||||||
|
default:
|
||||||
|
return "Unsupported vendor API level: " + std::to_string(vendor_api_level);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
ErrMsgOr<bytevec> parseAndValidateAuthenticatedRequest(const std::vector<uint8_t>& request,
|
ErrMsgOr<bytevec> parseAndValidateAuthenticatedRequest(const std::vector<uint8_t>& request,
|
||||||
const std::vector<uint8_t>& challenge) {
|
const std::vector<uint8_t>& challenge) {
|
||||||
auto [parsedRequest, _, csrErrMsg] = cppbor::parse(request);
|
auto [parsedRequest, _, csrErrMsg] = cppbor::parse(request);
|
||||||
|
|
@ -996,7 +1010,12 @@ ErrMsgOr<bytevec> parseAndValidateAuthenticatedRequest(const std::vector<uint8_t
|
||||||
}
|
}
|
||||||
|
|
||||||
// DICE chain is [ pubkey, + DiceChainEntry ].
|
// DICE chain is [ pubkey, + DiceChainEntry ].
|
||||||
auto diceContents = validateBcc(diceCertChain, hwtrust::DiceChain::Kind::kVsr14);
|
auto diceChainKind = getDiceChainKind();
|
||||||
|
if (!diceChainKind) {
|
||||||
|
return diceChainKind.message();
|
||||||
|
}
|
||||||
|
|
||||||
|
auto diceContents = validateBcc(diceCertChain, *diceChainKind);
|
||||||
if (!diceContents) {
|
if (!diceContents) {
|
||||||
return diceContents.message() + "\n" + prettyPrint(diceCertChain);
|
return diceContents.message() + "\n" + prettyPrint(diceCertChain);
|
||||||
}
|
}
|
||||||
|
|
|
||||||
|
|
@ -90,9 +90,10 @@ DiceCertChain = [
|
||||||
DiceChainEntryPayload = { ; CWT [RFC8392]
|
DiceChainEntryPayload = { ; CWT [RFC8392]
|
||||||
1 : tstr, ; Issuer
|
1 : tstr, ; Issuer
|
||||||
2 : tstr, ; Subject
|
2 : tstr, ; Subject
|
||||||
|
-4670554 : "android.15", ; Profile Name
|
||||||
-4670552 : bstr .cbor PubKeyEd25519 /
|
-4670552 : bstr .cbor PubKeyEd25519 /
|
||||||
bstr .cbor PubKeyECDSA256 /
|
bstr .cbor PubKeyECDSA256 /
|
||||||
bstr .cbor PubKeyECDSA384, ; Subject Public Key
|
bstr .cbor PubKeyECDSA384, ; Subject Public Key
|
||||||
-4670553 : bstr ; Key Usage
|
-4670553 : bstr ; Key Usage
|
||||||
|
|
||||||
; NOTE: All of the following fields may be omitted for a "Degenerate DICE Chain", as
|
; NOTE: All of the following fields may be omitted for a "Degenerate DICE Chain", as
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue