diff options
-rw-r--r-- | android_keymaster/android_keymaster.cpp | 18 |
1 files changed, 16 insertions, 2 deletions
diff --git a/android_keymaster/android_keymaster.cpp b/android_keymaster/android_keymaster.cpp index 4a97bad..3e97f04 100644 --- a/android_keymaster/android_keymaster.cpp +++ b/android_keymaster/android_keymaster.cpp @@ -360,6 +360,8 @@ void AndroidKeymaster::GenerateKey(const GenerateKeyRequest& request, &response->certificate_chain); } +constexpr int kRkpVersionWithoutSuperencryption = 3; + void AndroidKeymaster::GenerateRkpKey(const GenerateRkpKeyRequest& request, GenerateRkpKeyResponse* response) { if (response == nullptr) return; @@ -370,6 +372,11 @@ void AndroidKeymaster::GenerateRkpKey(const GenerateRkpKeyRequest& request, return; } + GetHwInfoResponse hwInfo(message_version()); + rem_prov_ctx->GetHwInfo(&hwInfo); + bool test_mode = + (hwInfo.version >= kRkpVersionWithoutSuperencryption) ? false : request.test_mode; + // Generate the keypair that will become the attestation key. GenerateKeyRequest gen_key_request(message_version_); gen_key_request.key_description.Reinitialize(kKeyMintEcdsaP256Params, @@ -403,13 +410,13 @@ void AndroidKeymaster::GenerateRkpKey(const GenerateRkpKeyRequest& request, .add(CoseKey::CURVE, P256) .add(CoseKey::PUBKEY_X, x_coord) .add(CoseKey::PUBKEY_Y, y_coord); - if (request.test_mode) { + if (test_mode) { cose_public_key_map.add(CoseKey::TEST_KEY, cppbor::Null()); } std::vector<uint8_t> cosePublicKey = cose_public_key_map.canonicalize().encode(); - auto macFunction = getMacFunction(request.test_mode, rem_prov_ctx); + auto macFunction = getMacFunction(test_mode, rem_prov_ctx); auto macedKey = constructCoseMac0(macFunction, {} /* externalAad */, cosePublicKey); if (!macedKey) { response->error = static_cast<keymaster_error_t>(kStatusFailed); @@ -432,6 +439,13 @@ void AndroidKeymaster::GenerateCsr(const GenerateCsrRequest& request, return; } + GetHwInfoResponse hwInfo(message_version()); + rem_prov_ctx->GetHwInfo(&hwInfo); + if (hwInfo.version >= kRkpVersionWithoutSuperencryption) { + response->error = static_cast<keymaster_error_t>(kStatusRemoved); + return; + } + auto macFunction = getMacFunction(request.test_mode, rem_prov_ctx); auto pubKeysToSign = validateAndExtractPubkeys(request.test_mode, request.num_keys, request.keys_to_sign_array, macFunction); |