platform_system_security/keystore/Signature.cpp
Eran Messeri aa55106d09 KeyStore: Limit the Attestation Application ID
Limit the size of the Application ID attestation vector _prior_ to
sending it for attestation by Keymaster.
Previously, the Attestation Application ID vector would be DER-encoded
to contain all packages belonging to the caller UID, and only then
truncated to the max value that could be sent to Keymaster (1K),
potentially resulting in malformed DER-encoded data.

This makes clients' lives hard, as they would have to deal with
malformed DER, and breaks CTS tests that expect to parse this field in
the attestation record, when the device has too many packages running on
the system UID.

This change limits the size of the DER-encoded vector that would be
passed into Keymaster by estimating the encoded size and refraining from
adding any more package information into it if it'd exceed 1K when
encoded.

Also, cope with PackageManager failure to provide the list of packages.

Test: keystore_unit_tests (adb pushed to /data/local/tmp, then: LD_LIBRARY_PATH=/data/local/tmp /data/local/tmp/keystore_unit_tests)
Test: runtest --path cts/tests/tests/keystore/src/android/keystore/cts/KeyAttestationTest.java
Test: atest com.android.cts.devicepolicy.MixedDeviceOwnerTest#testKeyManagement
Bug: 112179406
Bug: 112061724
Bug: 111260028
Change-Id: I39ab9338922f7be358d27e1b2dae5d0a36009109
2018-08-14 17:59:01 -04:00

38 lines
1.1 KiB
C++

/*
**
** Copyright 2016, The Android Open Source Project
**
** Licensed under the Apache License, Version 2.0 (the "License");
** you may not use this file except in compliance with the License.
** You may obtain a copy of the License at
**
** http://www.apache.org/licenses/LICENSE-2.0
**
** Unless required by applicable law or agreed to in writing, software
** distributed under the License is distributed on an "AS IS" BASIS,
** WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
** See the License for the specific language governing permissions and
** limitations under the License.
*/
#include "include/keystore/Signature.h"
#include <binder/Parcel.h>
namespace android {
namespace content {
namespace pm {
status_t Signature::writeToParcel(Parcel* parcel) const {
return parcel->writeByteVector(sig_data_);
}
status_t Signature::readFromParcel(const Parcel* parcel) {
return parcel->readByteVector(&sig_data_);
}
Signature::Signature(std::vector<uint8_t> signature_data) : sig_data_(std::move(signature_data)) {}
} // namespace pm
} // namespace content
} // namespace android