Validate DICE chain based on context
The DICE chain in the ProtectedData objects are evaluated against the
specification from v1 and v2 of the HAL whereas the chain in
AuthenticatedMessage objects are evaluated against the specification
from v3.
There are only small differences with v3 aligning to the standards where
there was previously more leniency.
Fix: 262599829
Test: TH
Change-Id: Ied14362b5530485eb6c2302a0ae0f21da9cdb33f
diff --git a/security/keymint/support/remote_prov_utils.cpp b/security/keymint/support/remote_prov_utils.cpp
index 9620b6a..99e18c1 100644
--- a/security/keymint/support/remote_prov_utils.cpp
+++ b/security/keymint/support/remote_prov_utils.cpp
@@ -290,11 +290,12 @@
return chain.encode();
}
-ErrMsgOr<std::vector<BccEntryData>> validateBcc(const cppbor::Array* bcc) {
+ErrMsgOr<std::vector<BccEntryData>> validateBcc(const cppbor::Array* bcc,
+ hwtrust::DiceChain::Kind kind) {
auto encodedBcc = bcc->encode();
- auto chain = hwtrust::DiceChain::verify(encodedBcc);
+ auto chain = hwtrust::DiceChain::Verify(encodedBcc, kind);
if (!chain.ok()) return chain.error().message();
- auto keys = chain->cose_public_keys();
+ auto keys = chain->CosePublicKeys();
if (!keys.ok()) return keys.error().message();
std::vector<BccEntryData> result;
for (auto& key : *keys) {
@@ -569,7 +570,7 @@
}
// BCC is [ pubkey, + BccEntry]
- auto bccContents = validateBcc(bcc->asArray());
+ auto bccContents = validateBcc(bcc->asArray(), hwtrust::DiceChain::Kind::kProtectedData);
if (!bccContents) {
return bccContents.message() + "\n" + prettyPrint(bcc.get());
}
@@ -859,8 +860,8 @@
return "AuthenticatedRequest SignedData must be an Array.";
}
- // DICE chain is [ pubkey, + DiceChainEntry ]. Its format is the same as BCC from RKP v1-2.
- auto diceContents = validateBcc(diceCertChain);
+ // DICE chain is [ pubkey, + DiceChainEntry ].
+ auto diceContents = validateBcc(diceCertChain, hwtrust::DiceChain::Kind::kAuthenticatedMessage);
if (!diceContents) {
return diceContents.message() + "\n" + prettyPrint(diceCertChain);
}