Merge "Add an implementation defined limit on number of keys in CSR"
diff --git a/security/keymint/aidl/vts/functional/VtsRemotelyProvisionedComponentTests.cpp b/security/keymint/aidl/vts/functional/VtsRemotelyProvisionedComponentTests.cpp
index 5b11741..97fe08a 100644
--- a/security/keymint/aidl/vts/functional/VtsRemotelyProvisionedComponentTests.cpp
+++ b/security/keymint/aidl/vts/functional/VtsRemotelyProvisionedComponentTests.cpp
@@ -251,6 +251,19 @@
EXPECT_LE(hwInfo.uniqueId->size(), 32);
}
+/**
+ * Verify implementation supports at least MIN_SUPPORTED_NUM_KEYS_IN_CSR keys in a CSR.
+ */
+TEST_P(GetHardwareInfoTests, supportedNumKeysInCsr) {
+ if (rpcHardwareInfo.versionNumber < VERSION_WITHOUT_TEST_MODE) {
+ return;
+ }
+
+ RpcHardwareInfo hwInfo;
+ ASSERT_TRUE(provisionable_->getHardwareInfo(&hwInfo).isOk());
+ ASSERT_GE(hwInfo.supportedNumKeysInCsr, RpcHardwareInfo::MIN_SUPPORTED_NUM_KEYS_IN_CSR);
+}
+
using GenerateKeyTests = VtsRemotelyProvisionedComponentTests;
INSTANTIATE_REM_PROV_AIDL_TEST(GenerateKeyTests);
@@ -728,8 +741,7 @@
* Generate a non-empty certificate request with multiple keys.
*/
TEST_P(CertificateRequestV2Test, NonEmptyRequestMultipleKeys) {
- // TODO(b/254137722): define a minimum number of keys that must be supported.
- generateKeys(false /* testMode */, 5 /* numKeys */);
+ generateKeys(false /* testMode */, rpcHardwareInfo.supportedNumKeysInCsr /* numKeys */);
bytevec csr;
diff --git a/security/rkp/CHANGELOG.md b/security/rkp/CHANGELOG.md
index eb2041d..29b1a1c 100644
--- a/security/rkp/CHANGELOG.md
+++ b/security/rkp/CHANGELOG.md
@@ -36,4 +36,5 @@
* the chain of signing, MACing, and encryption operations has been replaced with a single
COSE_Sign1 object.
* CertificateType has been added to identify the type of certificate being requested.
-
+* RpcHardwareInfo
+ * `supportedNumKeysInCsr` added to report the maximum number of keys supported in a CSR.
diff --git a/security/rkp/aidl/aidl_api/android.hardware.security.rkp/current/android/hardware/security/keymint/RpcHardwareInfo.aidl b/security/rkp/aidl/aidl_api/android.hardware.security.rkp/current/android/hardware/security/keymint/RpcHardwareInfo.aidl
index 5ff45f8..b1f99e1 100644
--- a/security/rkp/aidl/aidl_api/android.hardware.security.rkp/current/android/hardware/security/keymint/RpcHardwareInfo.aidl
+++ b/security/rkp/aidl/aidl_api/android.hardware.security.rkp/current/android/hardware/security/keymint/RpcHardwareInfo.aidl
@@ -39,7 +39,9 @@
@utf8InCpp String rpcAuthorName;
int supportedEekCurve = 0;
@nullable @utf8InCpp String uniqueId;
+ int supportedNumKeysInCsr = 4;
const int CURVE_NONE = 0;
const int CURVE_P256 = 1;
const int CURVE_25519 = 2;
+ const int MIN_SUPPORTED_NUM_KEYS_IN_CSR = 20;
}
diff --git a/security/rkp/aidl/android/hardware/security/keymint/RpcHardwareInfo.aidl b/security/rkp/aidl/android/hardware/security/keymint/RpcHardwareInfo.aidl
index 0cb33ce..5fe5b00 100644
--- a/security/rkp/aidl/android/hardware/security/keymint/RpcHardwareInfo.aidl
+++ b/security/rkp/aidl/android/hardware/security/keymint/RpcHardwareInfo.aidl
@@ -74,4 +74,17 @@
*
*/
@nullable @utf8InCpp String uniqueId;
+
+ /**
+ * supportedNumKeysInCsr is the maximum number of keys in a CSR that this implementation can
+ * support. This value is implementation defined.
+ *
+ * From version 3 onwards, supportedNumKeysInCsr must be larger or equal to
+ * MIN_SUPPORTED_NUM_KEYS_IN_CSR.
+ *
+ * The default value was chosen as the value enforced by the VTS test in versions 1 and 2 of
+ * this interface.
+ */
+ const int MIN_SUPPORTED_NUM_KEYS_IN_CSR = 20;
+ int supportedNumKeysInCsr = 4;
}