author | Seth Moore <sethmo@google.com> | 2021-07-22 16:42:17 -0700 |
---|---|---|
committer | Seth Moore <sethmo@google.com> | 2021-07-23 08:49:22 -0700 |
commit | 80ec4ac7847144ea6b4764d8eea08fb91d5d49e6 (patch) | |
tree | dcc4e948d9db013c49826f1710cc86f7459ece45 | |
parent | 2ac2bbb546b8028c2c7f5a9a7567a477eaa6ce64 (diff) | |
Fix ill-formed certificate request
1. The MAC tag value was not being included in the uploaded data, so
it was previously impossible to verify the keys-to-sign MAC.
2. The device info is supposed to be an array with [Verified,
Unverified] info. It was previously just the verified info.
Ignore-AOSP-First: No merge path from AOSP. This is picked from AOSP.
Test: Manual. Uploaded sample data to device info service.
Change-Id: I096bc5ded0b38fc56864e75c5e06dfbef62e9a74
Merged-In: I096bc5ded0b38fc56864e75c5e06dfbef62e9a74
Fixes: 194492359
-rw-r--r-- | provisioner/rkp_factory_extraction_tool.cpp | 40 |
1 files changed, 23 insertions, 17 deletions
diff --git a/provisioner/rkp_factory_extraction_tool.cpp b/provisioner/rkp_factory_extraction_tool.cpp
index 5878d227..c439b990 100644
--- a/provisioner/rkp_factory_extraction_tool.cpp
+++ b/provisioner/rkp_factory_extraction_tool.cpp
@@ -67,19 +67,24 @@ std::vector<uint8_t> generateChallenge() {
 return challenge;
 }
 
-Array composeCertificateRequest(ProtectedData&& protectedData, DeviceInfo&& deviceInfo,
- const std::vector<uint8_t>& challenge) {
- Array emptyMacedKeysToSign;
- emptyMacedKeysToSign
- .add(std::vector<uint8_t>(0)) // empty protected headers as bstr
- .add(Map()) // empty unprotected headers
- .add(Null()) // nil for the payload
- .add(std::vector<uint8_t>(0)); // empty tag as bstr
- Array certificateRequest;
- certificateRequest.add(EncodedItem(std::move(deviceInfo.deviceInfo)))
- .add(challenge)
- .add(EncodedItem(std::move(protectedData.protectedData)))
- .add(std::move(emptyMacedKeysToSign));
+Array composeCertificateRequest(const ProtectedData& protectedData,
+ const DeviceInfo& verifiedDeviceInfo,
+ const std::vector<uint8_t>& challenge,
+ const std::vector<uint8_t>& keysToSignMac) {
+ Array macedKeysToSign = Array()
+ .add(std::vector<uint8_t>(0)) // empty protected headers as bstr
+ .add(Map()) // empty unprotected headers
+ .add(Null()) // nil for the payload
+ .add(keysToSignMac); // MAC as returned from the HAL
+
+ Array deviceInfo =
+ Array().add(EncodedItem(verifiedDeviceInfo.deviceInfo)).add(Map()); // Empty device info
+
+ Array certificateRequest = Array()
+ .add(std::move(deviceInfo))
+ .add(challenge)
+ .add(EncodedItem(protectedData.protectedData))
+ .add(std::move(macedKeysToSign));
 return certificateRequest;
 }
 
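Review bot: In `macedKeysToSign` the first element is still an empty bstr, but the tag added on the last line is now a real MAC, and in COSE_Mac0 the serialized protected header is part of the bytes that get MACed. If the HAL computes `keysToSignMac` over a protected header that names the algorithm (not visible in this hunk, so this needs confirming against the HAL's MacedPublicKey definition), a verifier rebuilding the MAC input from this structure will fail even though the tag is now present. In that case the first line should carry the same header the HAL used, e.g. `.add(Map().add(1, 5).encode())  // alg: HMAC 256/256`. Separately, the `// Empty device info` comment would read better as `// unverified device info: none collected by this tool`, which documents the [Verified, Unverified] ordering stated in the commit message.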
@@ -134,18 +139,19 @@ void getCsrForInstance(const char* name, void* /*context*/) { std::vector<uint8_t> keysToSignMac; std::vector<MacedPublicKey> emptyKeys; - DeviceInfo deviceInfo; + DeviceInfo verifiedDeviceInfo; ProtectedData protectedData; ::ndk::ScopedAStatus status = rkp_service->generateCertificateRequest( - FLAGS_test_mode, emptyKeys, getEekChain(), challenge, &deviceInfo, &protectedData, + FLAGS_test_mode, emptyKeys, getEekChain(), challenge, &verifiedDeviceInfo, &protectedData, &keysToSignMac); if (!status.isOk()) { std::cerr << "Bundle extraction failed for '" << fullName << "'. Error code: " << status.getServiceSpecificError() << "." << std::endl; exit(-1); } - writeOutput( - composeCertificateRequest(std::move(protectedData), std::move(deviceInfo), challenge)); + auto request = + composeCertificateRequest(protectedData, verifiedDeviceInfo, challenge, keysToSignMac); + writeOutput(request); } } // namespace |
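Review bot: After the `status.isOk()` check, `keysToSignMac`, `verifiedDeviceInfo.deviceInfo` and `protectedData.protectedData` are passed straight to `composeCertificateRequest` without checking that the HAL actually filled them. An OK status with an empty MAC would recreate the empty-tag request this commit is fixing, and it would only be noticed when the server rejects the upload. A guard before `auto request = ...` would fail at the factory instead: `if (keysToSignMac.empty() || verifiedDeviceInfo.deviceInfo.empty() || protectedData.protectedData.empty())`, followed by the same `std::cerr` message and `exit(-1)` pattern used for the status error. The body of `getCsrForInstance` starts outside this hunk, so a check may already exist in a helper that is not visible here.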