Fix CSR format for RKPv3
The data format changed a bit, and the fingerprint needs to be included
at the end of the CSRv3 data. Make sure to include that, else the RKP
server rejects the payload.
Test: run tool + upload output
Test: rkp_factory_extraction_lib_test
Change-Id: I5a13b21e65c64f19b9417a7d1e169710867e7a8f
diff --git a/provisioner/rkp_factory_extraction_lib.cpp b/provisioner/rkp_factory_extraction_lib.cpp
index d85e85f..8db62e6 100644
--- a/provisioner/rkp_factory_extraction_lib.cpp
+++ b/provisioner/rkp_factory_extraction_lib.cpp
@@ -17,6 +17,7 @@
#include "rkp_factory_extraction_lib.h"
#include <aidl/android/hardware/security/keymint/IRemotelyProvisionedComponent.h>
+#include <android-base/properties.h>
#include <android/binder_manager.h>
#include <cppbor.h>
#include <cstddef>
@@ -198,6 +199,8 @@
}
CborResult<Array> composeCertificateRequestV3(const std::vector<uint8_t>& csr) {
+ const std::string kFingerprintProp = "ro.build.fingerprint";
+
auto [parsedCsr, _, csrErrMsg] = cppbor::parse(csr);
if (!parsedCsr) {
return {nullptr, csrErrMsg};
@@ -206,6 +209,13 @@
return {nullptr, "CSR is not a CBOR array."};
}
+ if (!::android::base::WaitForPropertyCreation(kFingerprintProp)) {
+ return {nullptr, "Unable to read build fingerprint"};
+ }
+
+ Map unverifiedDeviceInfo =
+ Map().add("fingerprint", ::android::base::GetProperty(kFingerprintProp, /*default=*/""));
+ parsedCsr->asArray()->add(std::move(unverifiedDeviceInfo));
return {std::unique_ptr<Array>(parsedCsr.release()->asArray()), ""};
}
diff --git a/provisioner/rkp_factory_extraction_lib_test.cpp b/provisioner/rkp_factory_extraction_lib_test.cpp
index 05509b3..72d7b71 100644
--- a/provisioner/rkp_factory_extraction_lib_test.cpp
+++ b/provisioner/rkp_factory_extraction_lib_test.cpp
@@ -22,6 +22,7 @@
#include <aidl/android/hardware/security/keymint/IRemotelyProvisionedComponent.h>
#include <aidl/android/hardware/security/keymint/MacedPublicKey.h>
#include <aidl/android/hardware/security/keymint/RpcHardwareInfo.h>
+#include <android-base/properties.h>
#include <gmock/gmock.h>
#include <gtest/gtest.h>
@@ -250,10 +251,16 @@
auto [csr, csrErrMsg] = getCsr("mock component name", mockRpc.get());
ASSERT_THAT(csr, NotNull()) << csrErrMsg;
- ASSERT_THAT(csr, Pointee(Property(&Array::size, Eq(4))));
+ ASSERT_THAT(csr, Pointee(Property(&Array::size, Eq(5))));
EXPECT_THAT(csr->get(0 /* version */), Pointee(Eq(Uint(3))));
EXPECT_THAT(csr->get(1)->asMap(), NotNull());
EXPECT_THAT(csr->get(2)->asArray(), NotNull());
EXPECT_THAT(csr->get(3)->asArray(), NotNull());
+
+ const Map* unverifedDeviceInfo = csr->get(4)->asMap();
+ ASSERT_THAT(unverifedDeviceInfo, NotNull());
+ EXPECT_THAT(unverifedDeviceInfo->get("fingerprint"), NotNull());
+ const Tstr fingerprint(android::base::GetProperty("ro.build.fingerprint", ""));
+ EXPECT_THAT(*unverifedDeviceInfo->get("fingerprint")->asTstr(), Eq(fingerprint));
}