Revise the attestation application id format
Signatures, or rather the signing certificates must be the same
for all packages sharing a uid. This patch changes the
format of the attestation application id such that there is
only one set of certificate digests rather than one per package.
Change-Id: I8c37ac452bbe8ea299fa08de5034b8370e736f6c
diff --git a/keystore/key_store_service.cpp b/keystore/key_store_service.cpp
index bd7fd18..ed30401 100644
--- a/keystore/key_store_service.cpp
+++ b/keystore/key_store_service.cpp
@@ -14,6 +14,8 @@
* limitations under the License.
*/
+#define LOG_TAG "keystore"
+
#include "key_store_service.h"
#include <fcntl.h>
@@ -1151,15 +1153,12 @@
auto* dev = mKeyStore->getDeviceForBlob(keyBlob);
if (!dev->attest_key) return KM_ERROR_UNIMPLEMENTED;
- /* get the attestation application id
- * the result is actually a pair: .second contains the error code and if this is NO_ERROR
- * .first contains the requested attestation id
- */
auto asn1_attestation_id_result = security::gather_attestation_application_id(callingUid);
- if (asn1_attestation_id_result.second != android::NO_ERROR) {
+ if (!asn1_attestation_id_result.isOk()) {
ALOGE("failed to gather attestation_id");
return KM_ERROR_ATTESTATION_APPLICATION_ID_MISSING;
}
+ const std::vector<uint8_t>& asn1_attestation_id = asn1_attestation_id_result;
/*
* Make a mutable copy of the params vector which to append the attestation id to.
@@ -1167,9 +1166,10 @@
*/
auto mutable_params = params.params;
- mutable_params.push_back({.tag = KM_TAG_ATTESTATION_APPLICATION_ID,
- .blob = {asn1_attestation_id_result.first.data(),
- asn1_attestation_id_result.first.size()}});
+ mutable_params.push_back(
+ {.tag = KM_TAG_ATTESTATION_APPLICATION_ID,
+ .blob = {asn1_attestation_id.data(),
+ asn1_attestation_id.size()}});
const keymaster_key_param_set_t in_params = {
const_cast<keymaster_key_param_t*>(mutable_params.data()), mutable_params.size()};