Gitiles
Code Review Sign In
gerrit.omnirom.org / android_packages_modules_Virtualization / 0b939c785994917ea133bd824742515cfa0c1e67^! / .
commit0b939c785994917ea133bd824742515cfa0c1e67[log] [tgz]
authorAlice Wang <aliceywang@google.com>Thu Dec 21 11:10:14 2023 +0000
committerAlice Wang <aliceywang@google.com>Thu Dec 21 11:23:46 2023 +0000
tree550cb0283e9d179436d35017d95101909ecddb90
parentafcf8ddf40f8f8106720b9136649ff5bdd1fda72 [diff]
[x509] Reduce serial number array length to 16 bytes

This cl reduces the length of the x509 certificate's serial number
array from 20 bytes to 16 bytes to circumvent en encoding issue
related to MSB.

During the encoding process, a leading zero can be added to the
array when MSB is 1. Consequently, a 20-byte serial number could
exceed the maximum length of 20 bytes defined in RFC 5280 if the
first element of the serial number array is greater than 128.

Bug: 317065113
Test: atest rialto_test --iterations 10
Change-Id: Iac1655182d1706659f88afcf4ba0c0700c918a8d

diff --git a/service_vm/requests/src/client_vm.rs b/service_vm/requests/src/client_vm.rs
index 5b1bf6c..6ebed50 100644
--- a/service_vm/requests/src/client_vm.rs
+++ b/service_vm/requests/src/client_vm.rs

@@ -28,7 +28,7 @@
 use coset::{AsCborValue, CborSerializable, CoseSign, CoseSign1};
 use der::{Decode, Encode};
 use diced_open_dice::{DiceArtifacts, HASH_SIZE};
-use log::error;
+use log::{error, info};
 use microdroid_kernel_hashes::{INITRD_DEBUG_HASH, INITRD_NORMAL_HASH, KERNEL_HASH};
 use service_vm_comm::{ClientVmAttestationParams, Csr, CsrPayload, RequestProcessingError};
 use x509_cert::{certificate::Certificate, name::Name};
@@ -86,9 +86,11 @@
 
     // Builds the TBSCertificate.
     // The serial number can be up to 20 bytes according to RFC5280 s4.1.2.2.
-    // In this case, a serial number with a length of 20 bytes is used to ensure that each
+    // In this case, a serial number with a length of 16 bytes is used to ensure that each
     // certificate signed by RKP VM has a unique serial number.
-    let mut serial_number = [0u8; 20];
+    // Attention: Do not use 20 bytes here as when the MSB is 1, a leading 0 byte can be
+    // added during the encoding to make the serial number length exceed 20 bytes.
+    let mut serial_number = [0u8; 16];
     rand_bytes(&mut serial_number)?;
     let subject = Name::encode_from_string("CN=Android Protected Virtual Machine Key")?;
     let rkp_cert = Certificate::from_der(&params.remotely_provisioned_cert)?;
@@ -98,6 +100,8 @@
         } else {
             Vec::new()
         };
+
+    info!("The client VM DICE chain validation succeeded. Beginning to generate the certificate.");
     let attestation_ext = cert::AttestationExtension::new(
         &csr_payload.challenge,
         client_vm_dice_chain.all_entries_are_secure(),