platform_system_security/keystore/KeyAttestationApplicationId.cpp
Eran Messeri 03fc4c8769 KeyStore: Limit the Attestation Application ID
Limit the size of the Application ID attestation vector _prior_ to
sending it for attestation by Keymaster.
Previously, the Attestation Application ID vector would be DER-encoded
to contain all packages belonging to the caller UID, and only then
truncated to the max value that could be sent to Keymaster (1K),
potentially resulting in malformed DER-encoded data.

This makes clients' lives hard, as they would have to deal with
malformed DER, and breaks CTS tests that expect to parse this field in
the attestation record, when the device has too many packages running on
the system UID.

This change limits the size of the DER-encoded vector that would be
passed into Keymaster by estimating the encoded size and refraining from
adding any more package information into it if it'd exceed 1K when
encoded.

Also, cope with PackageManager failure to provide the list of packages.

Merged-In: I39ab9338922f7be358d27e1b2dae5d0a36009109

Test: keystore_unit_tests (adb pushed to /data/local/tmp, then: LD_LIBRARY_PATH=/data/local/tmp /data/local/tmp/keystore_unit_tests)
Test: runtest --path cts/tests/tests/keystore/src/android/keystore/cts/KeyAttestationTest.java
Test: atest com.android.cts.devicepolicy.MixedDeviceOwnerTest#testKeyManagement
Bug: 112179406
Bug: 112061724
Bug: 111260028
Change-Id: I0759a632fbf678814f6b1c258f0b2e2524edb85c
2018-08-16 18:53:15 +01:00

51 lines
1.8 KiB
C++

/*
**
** Copyright 2016, The Android Open Source Project
**
** Licensed under the Apache License, Version 2.0 (the "License");
** you may not use this file except in compliance with the License.
** You may obtain a copy of the License at
**
** http://www.apache.org/licenses/LICENSE-2.0
**
** Unless required by applicable law or agreed to in writing, software
** distributed under the License is distributed on an "AS IS" BASIS,
** WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
** See the License for the specific language governing permissions and
** limitations under the License.
*/
#include "include/keystore/KeyAttestationApplicationId.h"
#include <binder/Parcel.h>
namespace android {
namespace security {
namespace keymaster {
KeyAttestationApplicationId::KeyAttestationApplicationId() = default;
KeyAttestationApplicationId::KeyAttestationApplicationId(
std::unique_ptr<KeyAttestationPackageInfo> package) :
packageInfos_(new std::vector<std::unique_ptr<KeyAttestationPackageInfo>>()) {
packageInfos_->push_back(std::move(package));
}
KeyAttestationApplicationId::KeyAttestationApplicationId(PackageInfoVector packages)
: packageInfos_(std::make_shared<PackageInfoVector>(std::move(packages))) {}
status_t KeyAttestationApplicationId::writeToParcel(Parcel* parcel) const {
return parcel->writeParcelableVector(packageInfos_);
}
status_t KeyAttestationApplicationId::readFromParcel(const Parcel* parcel) {
std::unique_ptr<std::vector<std::unique_ptr<KeyAttestationPackageInfo>>> temp_vector;
auto rc = parcel->readParcelableVector(&temp_vector);
if (rc != NO_ERROR) return rc;
packageInfos_.reset(temp_vector.release());
return NO_ERROR;
}
} // namespace keymaster
} // namespace security
} // namespace android