Merge "Test validity of device-unique attestation chain" am: 14bb840731 am: 49f82b2558 Original change: https://android-review.googlesource.com/c/platform/hardware/interfaces/+/1730430 Change-Id: Icd0096d40948a7084686750212593c8c8884995e

commit: 8cf02d048d62e48f4df202386b3f0258ba2cdb9a [log] [tgz]
author: Eran Messeri <eranm@google.com> Mon Jun 14 11:49:33 2021 +0000
committer: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com> Mon Jun 14 11:49:33 2021 +0000
tree: 898795eb6a617e42defac7de8ade5f840af7571c
parent: 228a7b1dc9ccd2d64716df6a0afee5a572fbdb0f [diff]
parent: 49f82b2558a539b9caca059101713b5ae7e4d405 [diff]
diff --git a/keymaster/4.1/vts/functional/DeviceUniqueAttestationTest.cpp b/keymaster/4.1/vts/functional/DeviceUniqueAttestationTest.cpp
index 0639da8..3d97daf 100644
--- a/keymaster/4.1/vts/functional/DeviceUniqueAttestationTest.cpp
+++ b/keymaster/4.1/vts/functional/DeviceUniqueAttestationTest.cpp

@@ -16,6 +16,7 @@
 
 #define LOG_TAG "keymaster_hidl_hal_test"
 #include <cutils/log.h>
+#include <vector>
 
 #include "Keymaster4_1HidlTest.h"
 
@@ -178,6 +179,33 @@
             << DIFFERENCE(expected_hw_enforced, attestation.hardware_enforced);
 }
 
+X509_Ptr parse_cert_blob(const std::vector<uint8_t>& blob) {
+    const uint8_t* p = blob.data();
+    return X509_Ptr(d2i_X509(nullptr /* allocate new */, &p, blob.size()));
+}
+
+bool check_certificate_chain_signatures(const hidl_vec<hidl_vec<uint8_t>>& cert_chain) {
+    // TODO: Check that root is self-signed once b/187803288 is resolved.
+    for (size_t i = 0; i < cert_chain.size() - 1; ++i) {
+        X509_Ptr key_cert(parse_cert_blob(cert_chain[i]));
+        X509_Ptr signing_cert(parse_cert_blob(cert_chain[i + 1]));
+
+        if (!key_cert.get() || !signing_cert.get()) {
+            return false;
+        }
+
+        EVP_PKEY_Ptr signing_pubkey(X509_get_pubkey(signing_cert.get()));
+        if (!signing_pubkey.get()) {
+            return false;
+        }
+
+        if (!X509_verify(key_cert.get(), signing_pubkey.get())) {
+            return false;
+        }
+    }
+    return true;
+}
+
 }  // namespace
 
 using std::string;
@@ -243,6 +271,7 @@
 
     EXPECT_EQ(ErrorCode::OK, result);
     EXPECT_EQ(2U, cert_chain.size());
+    EXPECT_TRUE(check_certificate_chain_signatures(cert_chain));
     if (dumpAttestations) {
       for (auto cert_ : cert_chain) dumpContent(bin2hex(cert_));
     }
@@ -289,6 +318,7 @@
 
     EXPECT_EQ(ErrorCode::OK, result);
     EXPECT_EQ(2U, cert_chain.size());
+    EXPECT_TRUE(check_certificate_chain_signatures(cert_chain));
     if (dumpAttestations) {
       for (auto cert_ : cert_chain) dumpContent(bin2hex(cert_));
     }
commit	8cf02d048d62e48f4df202386b3f0258ba2cdb9a	[log] [tgz]
author	Eran Messeri <eranm@google.com>	Mon Jun 14 11:49:33 2021 +0000
committer	Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>	Mon Jun 14 11:49:33 2021 +0000
tree	898795eb6a617e42defac7de8ade5f840af7571c
parent	228a7b1dc9ccd2d64716df6a0afee5a572fbdb0f [diff]
parent	49f82b2558a539b9caca059101713b5ae7e4d405 [diff]