Enforcing canonicalization of DeviceInfo.

This change specifies that the DeviceInfo map returned by the IRPC HAL
implementation should be canonicalized. Additionally, it adds coverage
to the VTS tests to ensure this requirement is enforced.

Test: atest VtsHalRemotelyProvisionedComponentTargetTest
Change-Id: I276f38497a307c407d305b62a3e9af78a403054e
diff --git a/security/keymint/aidl/android/hardware/security/keymint/DeviceInfo.aidl b/security/keymint/aidl/android/hardware/security/keymint/DeviceInfo.aidl
index 586e659..153a04f 100644
--- a/security/keymint/aidl/android/hardware/security/keymint/DeviceInfo.aidl
+++ b/security/keymint/aidl/android/hardware/security/keymint/DeviceInfo.aidl
@@ -27,7 +27,9 @@
 @VintfStability
 parcelable DeviceInfo {
     /**
-     * DeviceInfo is a CBOR Map structure described by the following CDDL.
+     * DeviceInfo is a CBOR Map structure described by the following CDDL. DeviceInfo must be
+     * canonicalized according to the specification in RFC 7049. The ordering presented here is
+     * non-canonical to group similar entries semantically.
      *
      *     DeviceInfo = {
      *         "brand" : tstr,
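Review bot: The new sentence cites RFC 7049 without a section, which leaves the required key ordering open to interpretation. RFC 7049 section 3.9 sorts map keys shortest-encoding-first and then bytewise, whereas its successor RFC 8949 makes plain bytewise ordering the core deterministic form and keeps length-first only as a separate legacy rule. Because the VTS check in this change compares the HAL output byte for byte, I would pin the rule explicitly, e.g. `canonicalized according to the Canonical CBOR rules in RFC 7049, section 3.9 (map keys sorted by encoded length, then bytewise).` The doc comment continues outside this hunk.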
diff --git a/security/keymint/aidl/vts/functional/VtsRemotelyProvisionedComponentTests.cpp b/security/keymint/aidl/vts/functional/VtsRemotelyProvisionedComponentTests.cpp
index 3a7e000..927d7d7 100644
--- a/security/keymint/aidl/vts/functional/VtsRemotelyProvisionedComponentTests.cpp
+++ b/security/keymint/aidl/vts/functional/VtsRemotelyProvisionedComponentTests.cpp
@@ -422,7 +422,7 @@
         ASSERT_TRUE(deviceInfoMap) << "Failed to parse deviceInfo: " << deviceInfoErrMsg;
         ASSERT_TRUE(deviceInfoMap->asMap());
 
-        checkDeviceInfo(deviceInfoMap->asMap());
+        checkDeviceInfo(deviceInfoMap->asMap(), deviceInfo.deviceInfo);
 
         auto& signingKey = bccContents->back().pubKey;
         auto macKey = verifyAndParseCoseSign1(signedMac->asArray(), signingKey,
@@ -466,7 +466,7 @@
         }
     }
 
-    void checkDeviceInfo(const cppbor::Map* deviceInfo) {
+    void checkDeviceInfo(const cppbor::Map* deviceInfo, bytevec deviceInfoBytes) {
         const auto& version = deviceInfo->get("version");
         ASSERT_TRUE(version);
         ASSERT_TRUE(version->asUint());
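Review bot: `bytevec deviceInfoBytes` is taken by value, so every call copies the encoded DeviceInfo only to compare it once. The visible use (the `ASSERT_EQ` added further down) only reads it, so `void checkDeviceInfo(const cppbor::Map* deviceInfo, const bytevec& deviceInfoBytes) {` is enough. A one-line comment would also help: `// deviceInfoBytes must be the exact bytes returned by the HAL, not a re-encoding of deviceInfo.` The function body continues outside this hunk.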
@@ -518,6 +518,8 @@
             default:
                 FAIL() << "Unrecognized version: " << version->asUint()->value();
         }
+        ASSERT_EQ(deviceInfo->clone()->asMap()->canonicalize().encode(), deviceInfoBytes)
+                << "DeviceInfo ordering is non-canonical.";
     }
 
     bytevec eekId_;
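Review bot: The failure message on the added `ASSERT_EQ` blames ordering only, but comparing the raw bytes against a re-encoded, canonicalized clone can fail for other reasons too. Presumably that includes non-minimal integer or length encodings, and trailing bytes after the map if the earlier parse tolerates them. Those are worth catching for data that is covered by the MAC, so the check itself is fine; the message should just not send an implementer looking only at key order. I would write `<< "DeviceInfo is not canonical CBOR (key ordering or encoding differs from the canonical form).";`. The start of `checkDeviceInfo` is outside this hunk.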