diff options
author | Android Build Coastguard Worker <android-build-coastguard-worker@google.com> | 2023-06-01 23:21:56 +0000 |
---|---|---|
committer | Android Build Coastguard Worker <android-build-coastguard-worker@google.com> | 2023-06-01 23:21:56 +0000 |
commit | 2d8352d27654c5f0125cebd2d743aecb6e509a6c (patch) | |
tree | 8b781c60507b3ee2fcb43fe3513b40f8e31cce15 | |
parent | 23de756fc7c21d785ad65289712340989b67d4b4 (diff) | |
parent | d472bd60089ed63b21b2b68a331f1a5a8ca59205 (diff) | |
download | security-android14-d1-s2-release.tar.gz |
Snap for 10243005 from d472bd60089ed63b21b2b68a331f1a5a8ca59205 to udc-d1-releaseandroid-14.0.0_r9android-14.0.0_r8android-14.0.0_r7android-14.0.0_r6android-14.0.0_r5android-14.0.0_r4android-14.0.0_r3android-14.0.0_r12android-14.0.0_r11android-14.0.0_r10android14-d1-s7-releaseandroid14-d1-s6-releaseandroid14-d1-s5-releaseandroid14-d1-s4-releaseandroid14-d1-s3-releaseandroid14-d1-s2-releaseandroid14-d1-s1-releaseandroid14-d1-release
Change-Id: I2f148c7ef29978cab1259e4768fe079ee284b73e
-rw-r--r-- | provisioner/rkp_factory_extraction_lib.cpp | 61 | ||||
-rw-r--r-- | provisioner/rkp_factory_extraction_lib.h | 3 | ||||
-rw-r--r-- | provisioner/rkp_factory_extraction_lib_test.cpp | 6 | ||||
-rw-r--r-- | provisioner/rkp_factory_extraction_tool.cpp | 24 |
4 files changed, 36 insertions, 58 deletions
diff --git a/provisioner/rkp_factory_extraction_lib.cpp b/provisioner/rkp_factory_extraction_lib.cpp index 8db62e6b..ab7d17c9 100644 --- a/provisioner/rkp_factory_extraction_lib.cpp +++ b/provisioner/rkp_factory_extraction_lib.cpp @@ -195,7 +195,11 @@ void selfTestGetCsrV1(std::string_view componentName, IRemotelyProvisionedCompon protectedData, *eekChain, eekId, hwInfo.supportedEekCurve, irpc, challenge); - std::cout << "Self test successful." << std::endl; + if (!result) { + std::cerr << "Self test failed for IRemotelyProvisionedComponent '" << componentName + << "'. Error message: '" << result.message() << "'." << std::endl; + exit(-1); + } } CborResult<Array> composeCertificateRequestV3(const std::vector<uint8_t>& csr) { @@ -220,22 +224,7 @@ CborResult<Array> composeCertificateRequestV3(const std::vector<uint8_t>& csr) { } CborResult<cppbor::Array> getCsrV3(std::string_view componentName, - IRemotelyProvisionedComponent* irpc) { - std::vector<uint8_t> csr; - std::vector<MacedPublicKey> emptyKeys; - const std::vector<uint8_t> challenge = generateChallenge(); - - auto status = irpc->generateCertificateRequestV2(emptyKeys, challenge, &csr); - if (!status.isOk()) { - std::cerr << "Bundle extraction failed for '" << componentName - << "'. Error code: " << status.getServiceSpecificError() << "." << std::endl; - exit(-1); - } - - return composeCertificateRequestV3(csr); -} - -void selfTestGetCsrV3(std::string_view componentName, IRemotelyProvisionedComponent* irpc) { + IRemotelyProvisionedComponent* irpc, bool selfTest) { std::vector<uint8_t> csr; std::vector<MacedPublicKey> emptyKeys; const std::vector<uint8_t> challenge = generateChallenge(); @@ -247,17 +236,20 @@ void selfTestGetCsrV3(std::string_view componentName, IRemotelyProvisionedCompon exit(-1); } - auto result = verifyFactoryCsr(/*keysToSign=*/cppbor::Array(), csr, irpc, challenge); - if (!result) { - std::cerr << "Self test failed for '" << componentName - << "'. Error message: " << result.message() << "." << std::endl; - exit(-1); + if (selfTest) { + auto result = verifyFactoryCsr(/*keysToSign=*/cppbor::Array(), csr, irpc, challenge); + if (!result) { + std::cerr << "Self test failed for IRemotelyProvisionedComponent '" << componentName + << "'. Error message: '" << result.message() << "'." << std::endl; + exit(-1); + } } - std::cout << "Self test successful." << std::endl; + return composeCertificateRequestV3(csr); } -CborResult<Array> getCsr(std::string_view componentName, IRemotelyProvisionedComponent* irpc) { +CborResult<Array> getCsr(std::string_view componentName, IRemotelyProvisionedComponent* irpc, + bool selfTest) { RpcHardwareInfo hwInfo; auto status = irpc->getHardwareInfo(&hwInfo); if (!status.isOk()) { @@ -267,24 +259,11 @@ CborResult<Array> getCsr(std::string_view componentName, IRemotelyProvisionedCom } if (hwInfo.versionNumber < kVersionWithoutSuperencryption) { + if (selfTest) { + selfTestGetCsrV1(componentName, irpc); + } return getCsrV1(componentName, irpc); } else { - return getCsrV3(componentName, irpc); - } -} - -void selfTestGetCsr(std::string_view componentName, IRemotelyProvisionedComponent* irpc) { - RpcHardwareInfo hwInfo; - auto status = irpc->getHardwareInfo(&hwInfo); - if (!status.isOk()) { - std::cerr << "Failed to get hardware info for '" << componentName - << "'. Error code: " << status.getServiceSpecificError() << "." << std::endl; - exit(-1); - } - - if (hwInfo.versionNumber < kVersionWithoutSuperencryption) { - selfTestGetCsrV1(componentName, irpc); - } else { - selfTestGetCsrV3(componentName, irpc); + return getCsrV3(componentName, irpc, selfTest); } } diff --git a/provisioner/rkp_factory_extraction_lib.h b/provisioner/rkp_factory_extraction_lib.h index a2183380..ae8ea6b6 100644 --- a/provisioner/rkp_factory_extraction_lib.h +++ b/provisioner/rkp_factory_extraction_lib.h @@ -46,7 +46,8 @@ std::vector<uint8_t> generateChallenge(); // what went wrong. CborResult<cppbor::Array> getCsr(std::string_view componentName, - aidl::android::hardware::security::keymint::IRemotelyProvisionedComponent* irpc); + aidl::android::hardware::security::keymint::IRemotelyProvisionedComponent* irpc, + bool selfTest); // Generates a test certificate chain and validates it, exiting the process on error. void selfTestGetCsr( diff --git a/provisioner/rkp_factory_extraction_lib_test.cpp b/provisioner/rkp_factory_extraction_lib_test.cpp index 72d7b716..3fe88da8 100644 --- a/provisioner/rkp_factory_extraction_lib_test.cpp +++ b/provisioner/rkp_factory_extraction_lib_test.cpp @@ -180,7 +180,8 @@ TEST(LibRkpFactoryExtractionTests, GetCsrWithV2Hal) { SetArgPointee<6>(kFakeMac), // Return(ByMove(ScopedAStatus::ok())))); // - auto [csr, csrErrMsg] = getCsr("mock component name", mockRpc.get()); + auto [csr, csrErrMsg] = getCsr("mock component name", mockRpc.get(), + /*selfTest=*/false); ASSERT_THAT(csr, NotNull()) << csrErrMsg; ASSERT_THAT(csr->asArray(), Pointee(Property(&Array::size, Eq(4)))); @@ -249,7 +250,8 @@ TEST(LibRkpFactoryExtractionTests, GetCsrWithV3Hal) { .WillOnce(DoAll(SaveArg<1>(&challenge), SetArgPointee<2>(kCsr), Return(ByMove(ScopedAStatus::ok())))); - auto [csr, csrErrMsg] = getCsr("mock component name", mockRpc.get()); + auto [csr, csrErrMsg] = getCsr("mock component name", mockRpc.get(), + /*selfTest=*/false); ASSERT_THAT(csr, NotNull()) << csrErrMsg; ASSERT_THAT(csr, Pointee(Property(&Array::size, Eq(5)))); diff --git a/provisioner/rkp_factory_extraction_tool.cpp b/provisioner/rkp_factory_extraction_tool.cpp index 2aeabe0a..5ba777e8 100644 --- a/provisioner/rkp_factory_extraction_tool.cpp +++ b/provisioner/rkp_factory_extraction_tool.cpp @@ -35,10 +35,10 @@ using namespace cppbor; using namespace cppcose; DEFINE_string(output_format, "build+csr", "How to format the output. Defaults to 'build+csr'."); -DEFINE_bool(self_test, false, - "If true, the tool does not output CSR data, but instead performs a self-test, " - "validating a test payload for correctness. This may be used to verify a device on the " - "factory line before attempting to upload the output to the device info service."); +DEFINE_bool(self_test, true, + "If true, this tool performs a self-test, validating the payload for correctness. " + "This checks that the device on the factory line is producing valid output " + "before attempting to upload the output to the device info service."); namespace { @@ -81,17 +81,13 @@ void getCsrForInstance(const char* name, void* /*context*/) { exit(-1); } - if (FLAGS_self_test) { - selfTestGetCsr(name, rkp_service.get()); - } else { - auto [request, errMsg] = getCsr(name, rkp_service.get()); - if (!request) { - std::cerr << "Unable to build CSR for '" << fullName << ": " << errMsg << std::endl; - exit(-1); - } - - writeOutput(std::string(name), *request); + auto [request, errMsg] = getCsr(name, rkp_service.get(), FLAGS_self_test); + if (!request) { + std::cerr << "Unable to build CSR for '" << fullName << ": " << errMsg << std::endl; + exit(-1); } + + writeOutput(std::string(name), *request); } } // namespace |