commit 76d95baf664502e93e703fe1d76e9a7304b36d9d
author David Drysdale <drysdale@google.com> Wed Sep 25 14:00:10 2024 +0100
committer David Drysdale <drysdale@google.com> Wed Sep 25 14:00:10 2024 +0100
tree bacc0752aa8a00254bbfb6ab202c3187f361120f
parent 94b1285f47007190c767bffd65feb35480156fe8

Remove incorrect/confusing Certificate use

The `Certificate` type from the KeyMint AIDL is intended to hold a
single DER-encoded certificate, but some of the RKP-handling code
re-uses it to hold a concatenated cert chain.

Remove as many of these incorrect/misleading uses of the AIDL
`Certificate` type as possible, and add comments for the ones remaining.

Flag: none, comments + pure refactor
Test: keystore2_client_tests
Change-Id: Id159078f31dd892d51596cc67308ced27fadd968

keystore2/src/attestation_key_utils.rs

diff --git a/keystore2/src/attestation_key_utils.rs b/keystore2/src/attestation_key_utils.rs
index 184b3cb..4a8923c 100644
--- a/keystore2/src/attestation_key_utils.rs
+++ b/keystore2/src/attestation_key_utils.rs
@@ -23,7 +23,7 @@
 use crate::remote_provisioning::RemProvState;
 use crate::utils::check_key_permission;
 use android_hardware_security_keymint::aidl::android::hardware::security::keymint::{
-    AttestationKey::AttestationKey, Certificate::Certificate, KeyParameter::KeyParameter, Tag::Tag,
+    AttestationKey::AttestationKey, KeyParameter::KeyParameter, Tag::Tag,
 };
 use android_system_keystore2::aidl::android::system::keystore2::{
     Domain::Domain, KeyDescriptor::KeyDescriptor, ResponseCode::ResponseCode,
@@ -37,7 +37,8 @@
 pub enum AttestationKeyInfo {
     RkpdProvisioned {
         attestation_key: AttestationKey,
-        attestation_certs: Certificate,
+        /// Concatenated chain of DER-encoded certificates (ending with the root).
+        attestation_certs: Vec<u8>,
     },
     UserGenerated {
         key_id_guard: KeyIdGuard,