Keystore 2.0: Add support for the new CERTIFICATE_* tags.
Test: Keystore CTS tests
Change-Id: Ifbecd4517e8b6fb143283ed3f815aed4812a3c4a
diff --git a/keystore2/src/crypto/certificate_utils.cpp b/keystore2/src/crypto/certificate_utils.cpp
index 4b0dca4..4aed224 100644
--- a/keystore2/src/crypto/certificate_utils.cpp
+++ b/keystore2/src/crypto/certificate_utils.cpp
@@ -42,17 +42,30 @@
DEFINE_OPENSSL_OBJECT_POINTER(AUTHORITY_KEYID);
DEFINE_OPENSSL_OBJECT_POINTER(BASIC_CONSTRAINTS);
DEFINE_OPENSSL_OBJECT_POINTER(X509_ALGOR);
+DEFINE_OPENSSL_OBJECT_POINTER(BIGNUM);
} // namespace
-std::variant<CertUtilsError, X509_NAME_Ptr> makeCommonName(const std::string& name) {
+constexpr const char kDefaultCommonName[] = "Default Common Name";
+
+std::variant<CertUtilsError, X509_NAME_Ptr>
+makeCommonName(std::optional<std::reference_wrapper<const std::vector<uint8_t>>> name) {
+ if (name) {
+ const uint8_t* p = name->get().data();
+ X509_NAME_Ptr x509_name(d2i_X509_NAME(nullptr, &p, name->get().size()));
+ if (!x509_name) {
+ return CertUtilsError::MemoryAllocation;
+ }
+ return x509_name;
+ }
+
X509_NAME_Ptr x509_name(X509_NAME_new());
if (!x509_name) {
- return CertUtilsError::BoringSsl;
+ return CertUtilsError::MemoryAllocation;
}
if (!X509_NAME_add_entry_by_txt(x509_name.get(), "CN", MBSTRING_ASC,
- reinterpret_cast<const uint8_t*>(name.c_str()), name.length(),
- -1 /* loc */, 0 /* set */)) {
+ reinterpret_cast<const uint8_t*>(kDefaultCommonName),
+ sizeof(kDefaultCommonName) - 1, -1 /* loc */, 0 /* set */)) {
return CertUtilsError::BoringSsl;
}
return x509_name;
@@ -159,14 +172,11 @@
// Callers should pass an empty X509_Ptr and check the return value for CertUtilsError::Ok (0)
// before accessing the result.
std::variant<CertUtilsError, X509_Ptr>
-makeCertRump(const uint32_t serial, const char subject[], const uint64_t activeDateTimeMilliSeconds,
+makeCertRump(std::optional<std::reference_wrapper<const std::vector<uint8_t>>> serial,
+ std::optional<std::reference_wrapper<const std::vector<uint8_t>>> subject,
+ const uint64_t activeDateTimeMilliSeconds,
const uint64_t usageExpireDateTimeMilliSeconds) {
- // Sanitize pointer arguments.
- if (!subject || strlen(subject) == 0) {
- return CertUtilsError::InvalidArgument;
- }
-
// Create certificate structure.
X509_Ptr certificate(X509_new());
if (!certificate) {
@@ -178,9 +188,23 @@
return CertUtilsError::BoringSsl;
}
+ BIGNUM_Ptr bn_serial;
+ if (serial) {
+ bn_serial = BIGNUM_Ptr(BN_bin2bn(serial->get().data(), serial->get().size(), nullptr));
+ if (!bn_serial) {
+ return CertUtilsError::MemoryAllocation;
+ }
+ } else {
+ bn_serial = BIGNUM_Ptr(BN_new());
+ if (!bn_serial) {
+ return CertUtilsError::MemoryAllocation;
+ }
+ BN_zero(bn_serial.get());
+ }
+
// Set the certificate serialNumber
ASN1_INTEGER_Ptr serialNumber(ASN1_INTEGER_new());
- if (!serialNumber || !ASN1_INTEGER_set(serialNumber.get(), serial) ||
+ if (!serialNumber || !BN_to_ASN1_INTEGER(bn_serial.get(), serialNumber.get()) ||
!X509_set_serialNumber(certificate.get(), serialNumber.get() /* Don't release; copied */))
return CertUtilsError::BoringSsl;
@@ -215,7 +239,9 @@
}
std::variant<CertUtilsError, X509_Ptr>
-makeCert(const EVP_PKEY* evp_pkey, const uint32_t serial, const char subject[],
+makeCert(const EVP_PKEY* evp_pkey,
+ std::optional<std::reference_wrapper<const std::vector<uint8_t>>> serial,
+ std::optional<std::reference_wrapper<const std::vector<uint8_t>>> subject,
const uint64_t activeDateTimeMilliSeconds, const uint64_t usageExpireDateTimeMilliSeconds,
bool addSubjectKeyIdEx, std::optional<KeyUsageExtension> keyUsageEx,
std::optional<BasicConstraintsExtension> basicConstraints) {
diff --git a/keystore2/src/crypto/include/certificate_utils.h b/keystore2/src/crypto/include/certificate_utils.h
index 1e80d80..e31ebc4 100644
--- a/keystore2/src/crypto/include/certificate_utils.h
+++ b/keystore2/src/crypto/include/certificate_utils.h
@@ -80,7 +80,7 @@
* `signCert` or `signCertWith`.
* @param evp_pkey The public key that the certificate is issued for.
* @param serial The certificate serial number.
- * @param subject The subject common name.
+ * @param subject The X509 name encoded subject common name.
* @param activeDateTimeMilliSeconds The not before date in epoch milliseconds.
* @param usageExpireDateTimeMilliSeconds The not after date in epoch milliseconds.
* @param addSubjectKeyIdEx If true, adds the subject key id extension.
@@ -89,14 +89,14 @@
* @return CertUtilsError::Ok on success.
*/
std::variant<CertUtilsError, X509_Ptr>
-makeCert(const EVP_PKEY* evp_pkey, //
- const uint32_t serial, //
- const char subject[], //
- const uint64_t activeDateTimeMilliSeconds, //
- const uint64_t usageExpireDateTimeMilliSeconds, //
- bool addSubjectKeyIdEx, //
- std::optional<KeyUsageExtension> keyUsageEx, //
- std::optional<BasicConstraintsExtension> basicConstraints); //
+makeCert(const EVP_PKEY* evp_pkey, //
+ std::optional<std::reference_wrapper<const std::vector<uint8_t>>> serial, //
+ std::optional<std::reference_wrapper<const std::vector<uint8_t>>> subject, //
+ const uint64_t activeDateTimeMilliSeconds, //
+ const uint64_t usageExpireDateTimeMilliSeconds, //
+ bool addSubjectKeyIdEx, //
+ std::optional<KeyUsageExtension> keyUsageEx, //
+ std::optional<BasicConstraintsExtension> basicConstraints); //
/**
* Takes the subject name from `signingCert` and sets it as issuer name in `cert`.
diff --git a/keystore2/src/crypto/tests/certificate_utils_test.cpp b/keystore2/src/crypto/tests/certificate_utils_test.cpp
index 2df9ce5..119c3fa 100644
--- a/keystore2/src/crypto/tests/certificate_utils_test.cpp
+++ b/keystore2/src/crypto/tests/certificate_utils_test.cpp
@@ -173,8 +173,8 @@
.isCertificationKey = true,
};
- auto certV = makeCert(pkey.get(), 1, "Me", now_ms - kValidity, now_ms + kValidity,
- true /* subject key id extension */, keyUsage, bcons);
+ auto certV = makeCert(pkey.get(), std::nullopt, std::nullopt, now_ms - kValidity,
+ now_ms + kValidity, true /* subject key id extension */, keyUsage, bcons);
ASSERT_TRUE(std::holds_alternative<X509_Ptr>(certV));
auto& cert = std::get<X509_Ptr>(certV);
ASSERT_TRUE(!setIssuer(cert.get(), cert.get(), true));
@@ -272,8 +272,8 @@
.isCertificationKey = true,
};
- auto certV = makeCert(pkey.get(), 1, "Me", now_ms - kValidity, now_ms + kValidity,
- true /* subject key id extension */, keyUsage, bcons);
+ auto certV = makeCert(pkey.get(), std::nullopt, std::nullopt, now_ms - kValidity,
+ now_ms + kValidity, true /* subject key id extension */, keyUsage, bcons);
ASSERT_TRUE(std::holds_alternative<X509_Ptr>(certV));
auto& cert = std::get<X509_Ptr>(certV);
ASSERT_TRUE(!setIssuer(cert.get(), cert.get(), true));