Merge "Select the DICE validation rules based on the VSR" into main

2023-09-21 18:48:49 +00:00 · 2023-09-21 18:48:49 +00:00 · b484308d5c
commit b484308d5c
parent 606a406750 1ca978f373
2 changed files with 22 additions and 2 deletions
--- a/security/keymint/support/remote_prov_utils.cpp
+++ b/security/keymint/support/remote_prov_utils.cpp
@ -962,6 +962,20 @@ ErrMsgOr<bytevec> parseAndValidateAuthenticatedRequestSignedPayload(
    return signedRequest->value();
 }

+ErrMsgOr<hwtrust::DiceChain::Kind> getDiceChainKind() {
+    int vendor_api_level = ::android::base::GetIntProperty("ro.vendor.api_level", -1);
+    switch (vendor_api_level) {
+        case __ANDROID_API_T__:
+            return hwtrust::DiceChain::Kind::kVsr13;
+        case __ANDROID_API_U__:
+            return hwtrust::DiceChain::Kind::kVsr14;
+        case __ANDROID_API_V__:
+            return hwtrust::DiceChain::Kind::kVsr15;
+        default:
+            return "Unsupported vendor API level: " + std::to_string(vendor_api_level);
+    }
+}
+
 ErrMsgOr<bytevec> parseAndValidateAuthenticatedRequest(const std::vector<uint8_t>& request,
                                                       const std::vector<uint8_t>& challenge) {
    auto [parsedRequest, _, csrErrMsg] = cppbor::parse(request);
@ -996,7 +1010,12 @@ ErrMsgOr<bytevec> parseAndValidateAuthenticatedRequest(const std::vector<uint8_t
    }

    // DICE chain is [ pubkey, + DiceChainEntry ].
-    auto diceContents = validateBcc(diceCertChain, hwtrust::DiceChain::Kind::kVsr14);
+    auto diceChainKind = getDiceChainKind();
+    if (!diceChainKind) {
+        return diceChainKind.message();
+    }
+
+    auto diceContents = validateBcc(diceCertChain, *diceChainKind);
    if (!diceContents) {
        return diceContents.message() + "\n" + prettyPrint(diceCertChain);
    }
--- a/security/rkp/aidl/android/hardware/security/keymint/generateCertificateRequestV2.cddl
+++ b/security/rkp/aidl/android/hardware/security/keymint/generateCertificateRequestV2.cddl
@ -90,9 +90,10 @@ DiceCertChain = [
 DiceChainEntryPayload = {                    ; CWT [RFC8392]
    1 : tstr,                                ; Issuer
    2 : tstr,                                ; Subject
+    -4670554 : "android.15",                 ; Profile Name
    -4670552 : bstr .cbor PubKeyEd25519 /
            bstr .cbor PubKeyECDSA256 /
-            bstr .cbor PubKeyECDSA384,    ; Subject Public Key
+            bstr .cbor PubKeyECDSA384,       ; Subject Public Key
    -4670553 : bstr                          ; Key Usage

    ; NOTE: All of the following fields may be omitted for a "Degenerate DICE Chain", as