Gitiles
Code Review Sign In
gerrit.omnirom.org / android_hardware_interfaces / 03d7a1a4f3982ce3da9ecfb23d7d65fa148f677d^! / . / security / keymint / aidl / vts / functional / DeviceUniqueAttestationTest.cpp
commit03d7a1a4f3982ce3da9ecfb23d7d65fa148f677d[log] [tgz]
authorEran Messeri <eranm@google.com>Tue Jul 06 12:07:57 2021 +0100
committerEran Messeri <eranm@google.com>Tue Jul 06 14:32:16 2021 +0100
treee4120c42d90a72581b9e9c3f9d4d48d5cae6c4cd
parentf4c8ff9bef34092787e97149e38cd1bb052635c8 [diff] [blame]
KeyMint: Fix device-unique attestation chain specification

Fix the device-unique attestation chain specification: The chain should
have two or three certificates.
In case of two certificates, the device-unique key should be used for
the self-signed root.
In case of three certificates, the device-unique key should be certified
by another key (ideally shared by all StrongBox instances from the same
manufacturer, to ease validation).

Adjust the device-unique attestation tests to accept two or three
certificates in the chain.

Additionally, the current StrongBox KeyMint implementation can not yet
generate fully-valid chains (with matching subjects and issuers), so
relax that check.

Bug: 191361618
Test: m VtsAidlKeyMintTargetTest
Change-Id: I6e6bca33ebb4af67cac8e41a39e9c305d0f1345f

diff --git a/security/keymint/aidl/vts/functional/DeviceUniqueAttestationTest.cpp b/security/keymint/aidl/vts/functional/DeviceUniqueAttestationTest.cpp
index a3ed3ad..d7abf07 100644
--- a/security/keymint/aidl/vts/functional/DeviceUniqueAttestationTest.cpp
+++ b/security/keymint/aidl/vts/functional/DeviceUniqueAttestationTest.cpp

@@ -40,11 +40,16 @@
 
         AuthorizationSet crypto_params = SecLevelAuthorizations(key_characteristics);
 
-        // The device-unique attestation chain should contain exactly two certificates:
+        // The device-unique attestation chain should contain exactly three certificates:
         // * The leaf with the attestation extension.
-        // * A self-signed root, signed using the device-unique key.
-        ASSERT_EQ(cert_chain_.size(), 2);
-        EXPECT_TRUE(ChainSignaturesAreValid(cert_chain_));
+        // * An intermediate, signing the leaf using the device-unique key.
+        // * A self-signed root, signed using some authority's key, certifying
+        //   the device-unique key.
+        const size_t chain_length = cert_chain_.size();
+        ASSERT_TRUE(chain_length == 2 || chain_length == 3);
+        // TODO(b/191361618): Once StrongBox implementations use a correctly-issued
+        // certificate chain, do not skip issuers matching.
+        EXPECT_TRUE(ChainSignaturesAreValid(cert_chain_, /* strict_issuer_check= */ false));
 
         AuthorizationSet sw_enforced = SwEnforcedAuthorizations(key_characteristics);
         EXPECT_TRUE(verify_attestation_record("challenge", "foo", sw_enforced, hw_enforced,