Do not use RKP for DEVICE_UNIQUE_ATTESTATION. am: 7409f7c8dd
Original change: https://googleplex-android-review.googlesource.com/c/platform/system/security/+/19021559
Change-Id: I31e52f39fdab46fe028291efed004f0757e66d98
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
diff --git a/keystore2/src/attestation_key_utils.rs b/keystore2/src/attestation_key_utils.rs
index 8354ba5..3408942 100644
--- a/keystore2/src/attestation_key_utils.rs
+++ b/keystore2/src/attestation_key_utils.rs
@@ -59,8 +59,11 @@
db: &mut KeystoreDB,
) -> Result<Option<AttestationKeyInfo>> {
let challenge_present = params.iter().any(|kp| kp.tag == Tag::ATTESTATION_CHALLENGE);
+ let is_device_unique_attestation =
+ params.iter().any(|kp| kp.tag == Tag::DEVICE_UNIQUE_ATTESTATION);
match attest_key_descriptor {
- None if challenge_present => rem_prov_state
+ // Do not select an RKP key if DEVICE_UNIQUE_ATTESTATION is present.
+ None if challenge_present && !is_device_unique_attestation => rem_prov_state
.get_remotely_provisioned_attestation_key_and_certs(key, caller_uid, params, db)
.context(concat!(
"In get_attest_key_and_cert_chain: ",