Identity: Update for changes to ISO 18013-5.
Key derivation for session encryption and MACing now involves mixing
in SessionTranscriptBytes. Update docs, default implementation, and
VTS tests to reflect this.
Also, the standard changed such that instead of DeviceAuthentication
being MACed or signed, it's instead DeviceAuthenticationBytes which is
defined as #6.24(bstr .cbor DeviceAuthentication). The same also for
ReaderAuthentication, now ReaderAuthenticationBytes is the CBOR which
is signed by the reader.
Also update the URL for CDDL since it's now a published RFC.
Bug: 159482543
Test: atest VtsHalIdentityTargetTest
Test: atest android.security.identity.cts
Change-Id: I73fc7eb48ffb71e00a8b54849266ed814295fa39
diff --git a/identity/aidl/vts/ReaderAuthTests.cpp b/identity/aidl/vts/ReaderAuthTests.cpp
index 680ba5b..b11f6c5 100644
--- a/identity/aidl/vts/ReaderAuthTests.cpp
+++ b/identity/aidl/vts/ReaderAuthTests.cpp
@@ -289,16 +289,19 @@
.add("Accessible by None", false)))
.encode();
}
- vector<uint8_t> dataToSign = cppbor::Array()
- .add("ReaderAuthentication")
- .add(sessionTranscript.clone())
- .add(cppbor::Semantic(24, itemsRequestBytes))
- .encode();
+ vector<uint8_t> encodedReaderAuthentication =
+ cppbor::Array()
+ .add("ReaderAuthentication")
+ .add(sessionTranscript.clone())
+ .add(cppbor::Semantic(24, itemsRequestBytes))
+ .encode();
+ vector<uint8_t> encodedReaderAuthenticationBytes =
+ cppbor::Semantic(24, encodedReaderAuthentication).encode();
optional<vector<uint8_t>> readerSignature =
- support::coseSignEcDsa(readerPrivateKey, // private key for reader
- {}, // content
- dataToSign, // detached content
+ support::coseSignEcDsa(readerPrivateKey, // private key for reader
+ {}, // content
+ encodedReaderAuthenticationBytes, // detached content
support::certificateChainJoin(readerCertChain));
ASSERT_TRUE(readerSignature);
@@ -528,17 +531,20 @@
.add("Accessible by C", false)
.add("Accessible by None", false)))
.encode();
- vector<uint8_t> dataToSign = cppbor::Array()
- .add("ReaderAuthentication")
- .add(sessionTranscript.clone())
- .add(cppbor::Semantic(24, itemsRequestBytes))
- .encode();
+ vector<uint8_t> encodedReaderAuthentication =
+ cppbor::Array()
+ .add("ReaderAuthentication")
+ .add(sessionTranscript.clone())
+ .add(cppbor::Semantic(24, itemsRequestBytes))
+ .encode();
+ vector<uint8_t> encodedReaderAuthenticationBytes =
+ cppbor::Semantic(24, encodedReaderAuthentication).encode();
vector<vector<uint8_t>> readerCertChain = {cert_reader_SelfSigned_};
optional<vector<uint8_t>> readerSignature =
- support::coseSignEcDsa(readerPrivateKey_, // private key for reader
- {}, // content
- dataToSign, // detached content
+ support::coseSignEcDsa(readerPrivateKey_, // private key for reader
+ {}, // content
+ encodedReaderAuthenticationBytes, // detached content
support::certificateChainJoin(readerCertChain));
ASSERT_TRUE(readerSignature);