Require attestation app ID.
Bug: 37318025
Test: Manually tested
Change-Id: Iaa992c8d22e0c88c2a2570355199befa484adc19
diff --git a/keymaster/3.0/default/KeymasterDevice.cpp b/keymaster/3.0/default/KeymasterDevice.cpp
index 6b4524b..58102bb 100644
--- a/keymaster/3.0/default/KeymasterDevice.cpp
+++ b/keymaster/3.0/default/KeymasterDevice.cpp
@@ -519,6 +519,7 @@
hidl_vec<hidl_vec<uint8_t>> resultCertChain;
+ bool foundAttestationApplicationId = false;
for (size_t i = 0; i < attestParams.size(); ++i) {
switch (attestParams[i].tag) {
case Tag::ATTESTATION_ID_BRAND:
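Review bot: The flag introduced here, `foundAttestationApplicationId`, is consumed in the second hunk, where the `if (!foundAttestationApplicationId)` branch calls `_hidl_cb(ErrorCode::ATTESTATION_APPLICATION_ID_MISSING, resultCertChain)` but does not return, so control falls through into the attestation code that follows and the HIDL callback is invoked a second time for a request that was already rejected. Because the rejection is not terminal, the missing-application-id check does not actually prevent a certificate from being produced, which defeats the purpose of the change. Add `return Void();` directly after that callback, mirroring the CANNOT_ATTEST_IDS path a few lines above it. The enclosing function begins before this hunk, and the second hunk's trailing context runs past the end of this excerpt.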
@@ -532,11 +533,22 @@
// never perform any device id attestation.
_hidl_cb(ErrorCode::CANNOT_ATTEST_IDS, resultCertChain);
return Void();
+
+ case Tag::ATTESTATION_APPLICATION_ID:
+ foundAttestationApplicationId = true;
+ break;
+
default:
break;
}
}
+ // KM3 devices reject missing attest application IDs. KM2 devices do not.
+ if (!foundAttestationApplicationId) {
+ _hidl_cb(ErrorCode::ATTESTATION_APPLICATION_ID_MISSING,
+ resultCertChain);
+ }
+
keymaster_cert_chain_t cert_chain{nullptr, 0};
auto kmKeyToAttest = hidlVec2KmKeyBlob(keyToAttest);