Updated to enforce that the leaf certificate containing the attestation record
does not hold the CRL Distribution Points extension.
Bug: 260332189
Test: atest VtsAidlKeyMintTargetTest
Change-Id: I7b191b4351984ce82db0e9440027ddbfc14b1c3a
diff --git a/security/keymint/aidl/vts/functional/KeyMintAidlTestBase.cpp b/security/keymint/aidl/vts/functional/KeyMintAidlTestBase.cpp
index fb5ef49..1dec8d7 100644
--- a/security/keymint/aidl/vts/functional/KeyMintAidlTestBase.cpp
+++ b/security/keymint/aidl/vts/functional/KeyMintAidlTestBase.cpp
@@ -108,6 +108,15 @@
return true;
}
+void check_crl_distribution_points_extension_not_present(X509* certificate) {
+ ASN1_OBJECT_Ptr crl_dp_oid(OBJ_txt2obj(kCrlDPOid, 1 /* dotted string format */));
+ ASSERT_TRUE(crl_dp_oid.get());
+
+ int location =
+ X509_get_ext_by_OBJ(certificate, crl_dp_oid.get(), -1 /* search from beginning */);
+ ASSERT_EQ(location, -1);
+}
+
void check_attestation_version(uint32_t attestation_version, int32_t aidl_version) {
// Version numbers in attestation extensions should be a multiple of 100.
EXPECT_EQ(attestation_version % 100, 0);
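Review bot: The new helper parses the CRL Distribution Points OID from a string constant although OpenSSL/BoringSSL already expose it as `NID_crl_distribution_points`; `int location = X509_get_ext_by_NID(certificate, NID_crl_distribution_points, -1 /* search from beginning */);` replaces the OBJ_txt2obj call and its ASSERT_TRUE, and makes the kCrlDPOid constant added in the attestation_record.h hunk unnecessary. Whichever lookup is kept, the helper has no comment stating what it enforces; something like `// Attestation certificates are expected not to carry the CRL Distribution Points extension (2.5.29.31, RFC 5280 4.2.1.13); fail the test if the leaf has one.` above it would tell the next reader why absence, not contents, is checked. Note that ASSERT_* only leaves this void helper; it does not stop its caller, which is raised separately at the call site.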
@@ -1690,6 +1699,10 @@
EXPECT_TRUE(!!cert.get());
if (!cert.get()) return false;
+ // Make sure CRL Distribution Points extension is not present in a certificate
+ // containing attestation record.
+ check_crl_distribution_points_extension_not_present(cert.get());
+
ASN1_OCTET_STRING* attest_rec = get_attestation_record(cert.get());
EXPECT_TRUE(!!attest_rec);
if (!attest_rec) return false;
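Review bot: The call to check_crl_distribution_points_extension_not_present cannot report its failure to the enclosing function: the helper returns void, so after its ASSERT fires the function keeps going and still returns whatever the attestation-record parsing yields. The surrounding lines use EXPECT_* followed by `if (...) return false;`, so either have the helper follow that pattern (return bool, EXPECT_EQ on the location) or add `if (::testing::Test::HasFatalFailure()) return false;` right after the call so callers that branch on the return value see the failure. The enclosing function starts and ends outside this hunk, so I cannot see how its return value is consumed.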
diff --git a/security/keymint/support/include/keymint_support/attestation_record.h b/security/keymint/support/include/keymint_support/attestation_record.h
index bc76c93..f280f48 100644
--- a/security/keymint/support/include/keymint_support/attestation_record.h
+++ b/security/keymint/support/include/keymint_support/attestation_record.h
@@ -43,6 +43,8 @@
*/
static const char kAttestionRecordOid[] = "1.3.6.1.4.1.11129.2.1.17";
+static const char kCrlDPOid[] = "2.5.29.31"; // Standard CRL Distribution Points extension.
+
enum class VerifiedBoot : uint8_t {
VERIFIED = 0,
SELF_SIGNED = 1,
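Review bot: The new kCrlDPOid constant is documented with a trailing `//` comment while the adjacent kAttestionRecordOid carries a block comment ending on the line above it; a matching `/** OID of the standard CRL Distribution Points extension (RFC 5280 4.2.1.13). */` above the declaration would keep the header's documentation style consistent and make the value searchable by its RFC name. Since its only visible user is the VTS test helper, a comment saying so would also tell maintainers of this support header who depends on it.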