commit 9ea08f23c2a8d1e0d647461ace289f0087dd80df
author Seth Moore <sethmo@google.com> Thu Jul 22 16:42:17 2021 -0700
committer Seth Moore <sethmo@google.com> Fri Jul 23 15:48:49 2021 +0000
tree bb262476f2b51b94e22c6305742b83624dc33f22
parent 339e3c3e89a80932bc3c9ca517ea969cc88faadb

Fix ill-formed certificate request

1. The MAC tag value was not being included in the uploaded data, so
   it was previosly impossible to verify the keys to sign mac.
2. The device info is supposed to be an array with [Verified,
   Unverified] info. It was previously just the verified info.

Test: Manual. Uploaded sample data to device info service.
Change-Id: I096bc5ded0b38fc56864e75c5e06dfbef62e9a74
Bug: 194492359

provisioner/rkp_factory_extraction_tool.cpp

diff --git a/provisioner/rkp_factory_extraction_tool.cpp b/provisioner/rkp_factory_extraction_tool.cpp
index 5878d22..c439b99 100644
--- a/provisioner/rkp_factory_extraction_tool.cpp
+++ b/provisioner/rkp_factory_extraction_tool.cpp
@@ -67,19 +67,24 @@
     return challenge;
 }
 
-Array composeCertificateRequest(ProtectedData&& protectedData, DeviceInfo&& deviceInfo,
-                                const std::vector<uint8_t>& challenge) {
-    Array emptyMacedKeysToSign;
-    emptyMacedKeysToSign
-        .add(std::vector<uint8_t>(0))   // empty protected headers as bstr
-        .add(Map())                     // empty unprotected headers
-        .add(Null())                    // nil for the payload
-        .add(std::vector<uint8_t>(0));  // empty tag as bstr
-    Array certificateRequest;
-    certificateRequest.add(EncodedItem(std::move(deviceInfo.deviceInfo)))
-        .add(challenge)
-        .add(EncodedItem(std::move(protectedData.protectedData)))
-        .add(std::move(emptyMacedKeysToSign));
+Array composeCertificateRequest(const ProtectedData& protectedData,
+                                const DeviceInfo& verifiedDeviceInfo,
+                                const std::vector<uint8_t>& challenge,
+                                const std::vector<uint8_t>& keysToSignMac) {
+    Array macedKeysToSign = Array()
+                                .add(std::vector<uint8_t>(0))  // empty protected headers as bstr
+                                .add(Map())                    // empty unprotected headers
+                                .add(Null())                   // nil for the payload
+                                .add(keysToSignMac);           // MAC as returned from the HAL
+
+    Array deviceInfo =
+        Array().add(EncodedItem(verifiedDeviceInfo.deviceInfo)).add(Map());  // Empty device info
+
+    Array certificateRequest = Array()
+                                   .add(std::move(deviceInfo))
+                                   .add(challenge)
+                                   .add(EncodedItem(protectedData.protectedData))
+                                   .add(std::move(macedKeysToSign));
     return certificateRequest;
 }
 
@@ -134,18 +139,19 @@
 
     std::vector<uint8_t> keysToSignMac;
     std::vector<MacedPublicKey> emptyKeys;
-    DeviceInfo deviceInfo;
+    DeviceInfo verifiedDeviceInfo;
     ProtectedData protectedData;
     ::ndk::ScopedAStatus status = rkp_service->generateCertificateRequest(
-        FLAGS_test_mode, emptyKeys, getEekChain(), challenge, &deviceInfo, &protectedData,
+        FLAGS_test_mode, emptyKeys, getEekChain(), challenge, &verifiedDeviceInfo, &protectedData,
         &keysToSignMac);
     if (!status.isOk()) {
         std::cerr << "Bundle extraction failed for '" << fullName
                   << "'. Error code: " << status.getServiceSpecificError() << "." << std::endl;
         exit(-1);
     }
-    writeOutput(
-        composeCertificateRequest(std::move(protectedData), std::move(deviceInfo), challenge));
+    auto request =
+        composeCertificateRequest(protectedData, verifiedDeviceInfo, challenge, keysToSignMac);
+    writeOutput(request);
 }
 
 }  // namespace