commit 89dfe8190d80c4a134d71dea0bea8112b86955f4
author TreeHugger Robot <treehugger-gerrit@google.com> Fri Jul 23 21:25:18 2021 +0000
committer Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com> Fri Jul 23 21:25:18 2021 +0000
tree f654630c8368c1966b760db875bf3d3922170f3c
parent be9dcb85eb7f978ebd8776865a2ebb7d2da0f387
parent a9b154741131482fcb19f0fc95d211a8a3daf3a3

Merge "Fix ill-formed certificate request" into sc-dev am: a9b1547411

Original change: https://googleplex-android-review.googlesource.com/c/platform/system/security/+/15373963

Change-Id: I17b3b985274f2c426baa71ac0c45172a2fb17b21

provisioner/rkp_factory_extraction_tool.cpp

diff --git a/provisioner/rkp_factory_extraction_tool.cpp b/provisioner/rkp_factory_extraction_tool.cpp
index 5878d22..c439b99 100644
--- a/provisioner/rkp_factory_extraction_tool.cpp
+++ b/provisioner/rkp_factory_extraction_tool.cpp
@@ -67,19 +67,24 @@
     return challenge;
 }
 
-Array composeCertificateRequest(ProtectedData&& protectedData, DeviceInfo&& deviceInfo,
-                                const std::vector<uint8_t>& challenge) {
-    Array emptyMacedKeysToSign;
-    emptyMacedKeysToSign
-        .add(std::vector<uint8_t>(0))   // empty protected headers as bstr
-        .add(Map())                     // empty unprotected headers
-        .add(Null())                    // nil for the payload
-        .add(std::vector<uint8_t>(0));  // empty tag as bstr
-    Array certificateRequest;
-    certificateRequest.add(EncodedItem(std::move(deviceInfo.deviceInfo)))
-        .add(challenge)
-        .add(EncodedItem(std::move(protectedData.protectedData)))
-        .add(std::move(emptyMacedKeysToSign));
+Array composeCertificateRequest(const ProtectedData& protectedData,
+                                const DeviceInfo& verifiedDeviceInfo,
+                                const std::vector<uint8_t>& challenge,
+                                const std::vector<uint8_t>& keysToSignMac) {
+    Array macedKeysToSign = Array()
+                                .add(std::vector<uint8_t>(0))  // empty protected headers as bstr
+                                .add(Map())                    // empty unprotected headers
+                                .add(Null())                   // nil for the payload
+                                .add(keysToSignMac);           // MAC as returned from the HAL
+
+    Array deviceInfo =
+        Array().add(EncodedItem(verifiedDeviceInfo.deviceInfo)).add(Map());  // Empty device info
+
+    Array certificateRequest = Array()
+                                   .add(std::move(deviceInfo))
+                                   .add(challenge)
+                                   .add(EncodedItem(protectedData.protectedData))
+                                   .add(std::move(macedKeysToSign));
     return certificateRequest;
 }
 
@@ -134,18 +139,19 @@
 
     std::vector<uint8_t> keysToSignMac;
     std::vector<MacedPublicKey> emptyKeys;
-    DeviceInfo deviceInfo;
+    DeviceInfo verifiedDeviceInfo;
     ProtectedData protectedData;
     ::ndk::ScopedAStatus status = rkp_service->generateCertificateRequest(
-        FLAGS_test_mode, emptyKeys, getEekChain(), challenge, &deviceInfo, &protectedData,
+        FLAGS_test_mode, emptyKeys, getEekChain(), challenge, &verifiedDeviceInfo, &protectedData,
         &keysToSignMac);
     if (!status.isOk()) {
         std::cerr << "Bundle extraction failed for '" << fullName
                   << "'. Error code: " << status.getServiceSpecificError() << "." << std::endl;
         exit(-1);
     }
-    writeOutput(
-        composeCertificateRequest(std::move(protectedData), std::move(deviceInfo), challenge));
+    auto request =
+        composeCertificateRequest(protectedData, verifiedDeviceInfo, challenge, keysToSignMac);
+    writeOutput(request);
 }
 
 }  // namespace