platform_hardware_interfaces/security
Eran Messeri 03d7a1a4f3 KeyMint: Fix device-unique attestation chain specification
Fix the device-unique attestation chain specification: The chain should
have two or three certificates.
In case of two certificates, the device-unique key should be used for
the self-signed root.
In case of three certificates, the device-unique key should be certified
by another key (ideally shared by all StrongBox instances from the same
manufacturer, to ease validation).

Adjust the device-unique attestation tests to accept two or three
certificates in the chain.

Additionally, the current StrongBox KeyMint implementation cannot yet
generate fully-valid chains (with matching subjects and issuers), so
relax that check.

Bug: 191361618
Test: m VtsAidlKeyMintTargetTest
Change-Id: I6e6bca33ebb4af67cac8e41a39e9c305d0f1345f
2021-07-06 14:32:16 +01:00
keymint KeyMint: Fix device-unique attestation chain specification 2021-07-06 14:32:16 +01:00
secureclock/aidl Allow CompOS APEX to access Keystore AIDL. 2021-06-18 10:21:36 +01:00
sharedsecret/aidl KeyMint VTS: allow for stricter SharedSecret impls 2021-06-28 14:58:28 +01:00