diff options
author | Android Build Coastguard Worker <android-build-coastguard-worker@google.com> | 2021-07-09 01:12:14 +0000 |
---|---|---|
committer | Android Build Coastguard Worker <android-build-coastguard-worker@google.com> | 2021-07-09 01:12:14 +0000 |
commit | 30b0cd2ee4a917e4505df39af59d05f5a80a8ed8 (patch) | |
tree | 768cd8a0c02feca887ae0185748bbf89df10cde9 | |
parent | 9b022f0e3e3ff6c7dd7710af88242cc1aad6df52 (diff) | |
parent | 3c44456c54c4f111ca6a301cb50bac8a07bd13d0 (diff) | |
download | keymaster-30b0cd2ee4a917e4505df39af59d05f5a80a8ed8.tar.gz |
Snap for 7533212 from 3c44456c54c4f111ca6a301cb50bac8a07bd13d0 to sc-release
Change-Id: I497c793703527c8c333563f96eb17f09b3081d94
4 files changed, 12 insertions, 7 deletions
diff --git a/android_keymaster/android_keymaster.cpp b/android_keymaster/android_keymaster.cpp index ab3b9d1..3850481 100644 --- a/android_keymaster/android_keymaster.cpp +++ b/android_keymaster/android_keymaster.cpp @@ -421,7 +421,7 @@ void AndroidKeymaster::GenerateCsr(const GenerateCsrRequest& request, std::vector<uint8_t> devicePrivKey; cppbor::Array bcc; if (request.test_mode) { - std::tie(devicePrivKey, bcc) = rem_prov_ctx->GenerateBcc(); + std::tie(devicePrivKey, bcc) = rem_prov_ctx->GenerateBcc(/*testMode=*/true); } else { devicePrivKey = rem_prov_ctx->devicePrivKey_; auto clone = rem_prov_ctx->bcc_.clone(); diff --git a/contexts/pure_soft_remote_provisioning_context.cpp b/contexts/pure_soft_remote_provisioning_context.cpp index e79a856..a943f42 100644 --- a/contexts/pure_soft_remote_provisioning_context.cpp +++ b/contexts/pure_soft_remote_provisioning_context.cpp @@ -25,6 +25,7 @@ #include <openssl/bn.h> #include <openssl/ec.h> #include <openssl/hkdf.h> +#include <openssl/rand.h> namespace keymaster { @@ -38,7 +39,7 @@ using cppcose::VERIFY; constexpr uint32_t kMacKeyLength = 32; PureSoftRemoteProvisioningContext::PureSoftRemoteProvisioningContext() { - std::tie(devicePrivKey_, bcc_) = GenerateBcc(); + std::tie(devicePrivKey_, bcc_) = GenerateBcc(/*testMode=*/false); } PureSoftRemoteProvisioningContext::~PureSoftRemoteProvisioningContext() {} @@ -84,13 +85,17 @@ std::unique_ptr<cppbor::Map> PureSoftRemoteProvisioningContext::CreateDeviceInfo } std::pair<std::vector<uint8_t> /* privKey */, cppbor::Array /* BCC */> -PureSoftRemoteProvisioningContext::GenerateBcc() const { +PureSoftRemoteProvisioningContext::GenerateBcc(bool testMode) const { std::vector<uint8_t> privKey(ED25519_PRIVATE_KEY_LEN); std::vector<uint8_t> pubKey(ED25519_PUBLIC_KEY_LEN); uint8_t seed[32]; // Length is hard-coded in the BoringCrypto API - auto seed_vector = DeriveBytesFromHbk("Device Key Seed", sizeof(seed)); - std::copy(seed_vector.begin(), seed_vector.end(), seed); + if (testMode) { + RAND_bytes(seed, sizeof(seed)); + } else { + auto seed_vector = DeriveBytesFromHbk("Device Key Seed", sizeof(seed)); + std::copy(seed_vector.begin(), seed_vector.end(), seed); + } ED25519_keypair_from_seed(pubKey.data(), privKey.data(), seed); auto coseKey = cppbor::Map() diff --git a/include/keymaster/contexts/pure_soft_remote_provisioning_context.h b/include/keymaster/contexts/pure_soft_remote_provisioning_context.h index 98baa0a..307795b 100644 --- a/include/keymaster/contexts/pure_soft_remote_provisioning_context.h +++ b/include/keymaster/contexts/pure_soft_remote_provisioning_context.h @@ -32,7 +32,7 @@ class PureSoftRemoteProvisioningContext : public RemoteProvisioningContext { std::vector<uint8_t> DeriveBytesFromHbk(const std::string& context, size_t numBytes) const override; std::unique_ptr<cppbor::Map> CreateDeviceInfo() const override; - std::pair<std::vector<uint8_t>, cppbor::Array> GenerateBcc() const override; + std::pair<std::vector<uint8_t>, cppbor::Array> GenerateBcc(bool testMode) const override; std::optional<cppcose::HmacSha256> GenerateHmacSha256(const cppcose::bytevec& input) const override; }; diff --git a/include/keymaster/remote_provisioning_context.h b/include/keymaster/remote_provisioning_context.h index 656a1e6..a5c4d1d 100644 --- a/include/keymaster/remote_provisioning_context.h +++ b/include/keymaster/remote_provisioning_context.h @@ -34,7 +34,7 @@ class RemoteProvisioningContext { virtual std::vector<uint8_t> DeriveBytesFromHbk(const std::string& context, size_t numBytes) const = 0; virtual std::unique_ptr<cppbor::Map> CreateDeviceInfo() const = 0; - virtual std::pair<std::vector<uint8_t>, cppbor::Array> GenerateBcc() const = 0; + virtual std::pair<std::vector<uint8_t>, cppbor::Array> GenerateBcc(bool testMode) const = 0; // Generate an HMAC-SHA256 over the given input. This is used to verify a given // input hasn't changed across multiple calls to the remote provisioning HAL. |