diff --git a/security/keymint/aidl/vts/functional/VtsRemotelyProvisionedComponentTests.cpp b/security/keymint/aidl/vts/functional/VtsRemotelyProvisionedComponentTests.cpp
index 5b11741cef..97fe08a110 100644
--- a/security/keymint/aidl/vts/functional/VtsRemotelyProvisionedComponentTests.cpp
+++ b/security/keymint/aidl/vts/functional/VtsRemotelyProvisionedComponentTests.cpp
@@ -251,6 +251,19 @@ TEST_P(GetHardwareInfoTests, uniqueId) {
 EXPECT_LE(hwInfo.uniqueId->size(), 32);
 }
+/**
+ * Verify implementation supports at least MIN_SUPPORTED_NUM_KEYS_IN_CSR keys in a CSR.
+ */
+TEST_P(GetHardwareInfoTests, supportedNumKeysInCsr) {
+ if (rpcHardwareInfo.versionNumber < VERSION_WITHOUT_TEST_MODE) {
+ return;
+ }
+
+ RpcHardwareInfo hwInfo;
+ ASSERT_TRUE(provisionable_->getHardwareInfo(&hwInfo).isOk());
+ ASSERT_GE(hwInfo.supportedNumKeysInCsr, RpcHardwareInfo::MIN_SUPPORTED_NUM_KEYS_IN_CSR);
+}
+
 using GenerateKeyTests = VtsRemotelyProvisionedComponentTests;
 INSTANTIATE_REM_PROV_AIDL_TEST(GenerateKeyTests);
@@ -728,8 +741,7 @@ TEST_P(CertificateRequestV2Test, NonEmptyRequestReproducible) {
 * Generate a non-empty certificate request with multiple keys.
 */
 TEST_P(CertificateRequestV2Test, NonEmptyRequestMultipleKeys) {
- // TODO(b/254137722): define a minimum number of keys that must be supported.
- generateKeys(false /* testMode */, 5 /* numKeys */);
+ generateKeys(false /* testMode */, rpcHardwareInfo.supportedNumKeysInCsr /* numKeys */);
 bytevec csr;
diff --git a/security/rkp/CHANGELOG.md b/security/rkp/CHANGELOG.md
index eb2041d146..29b1a1c9bd 100644
--- a/security/rkp/CHANGELOG.md
+++ b/security/rkp/CHANGELOG.md
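Review bot: The version gate in the new `supportedNumKeysInCsr` test leaves with a bare `return;`, so on an implementation older than `VERSION_WITHOUT_TEST_MODE` the test is recorded as passed although nothing was checked. Reporting it as skipped keeps the VTS result accurate, for example `GTEST_SKIP() << "supportedNumKeysInCsr minimum is not enforced on this interface version";`. The constant's name describes test mode rather than this field, and its definition is outside the hunk, so a short comment saying why that version is the cutoff (presumably the version 3 named in the AIDL comment of this commit) would help the next reader.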
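Review bot: `NonEmptyRequestMultipleKeys` now feeds the HAL-reported `rpcHardwareInfo.supportedNumKeysInCsr` straight into `generateKeys` without validating it in this test. The value is an `int` supplied by the implementation under test, so a report below the required minimum lets this test pass while exercising fewer keys than intended, and a negative or very large report would surface as a confusing conversion or a runaway key-generation loop instead of a clear failure. A guard before the call keeps the failure local, e.g. `ASSERT_GE(rpcHardwareInfo.supportedNumKeysInCsr, RpcHardwareInfo::MIN_SUPPORTED_NUM_KEYS_IN_CSR);`, and an upper sanity bound would cover oversized reports. The `generateKeys` signature and the rest of the test body are outside the hunk, so the conversion concern is an assumption to confirm.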
@@ -36,4 +36,5 @@ This document provides an exact description of which changes have occurred in th * the chain of signing, MACing, and encryption operations has been replaced with a single COSE_Sign1 object. * CertificateType has been added to identify the type of certificate being requested. - +* RpcHardwareInfo + * `supportedNumKeysInCsr` added to report the maximum number of keys supported in a CSR. diff --git a/security/rkp/aidl/aidl_api/android.hardware.security.rkp/current/android/hardware/security/keymint/RpcHardwareInfo.aidl b/security/rkp/aidl/aidl_api/android.hardware.security.rkp/current/android/hardware/security/keymint/RpcHardwareInfo.aidl index 5ff45f8a94..b1f99e1b71 100644 --- a/security/rkp/aidl/aidl_api/android.hardware.security.rkp/current/android/hardware/security/keymint/RpcHardwareInfo.aidl +++ b/security/rkp/aidl/aidl_api/android.hardware.security.rkp/current/android/hardware/security/keymint/RpcHardwareInfo.aidl @@ -39,7 +39,9 @@ parcelable RpcHardwareInfo { @utf8InCpp String rpcAuthorName; int supportedEekCurve = 0; @nullable @utf8InCpp String uniqueId; + int supportedNumKeysInCsr = 4; const int CURVE_NONE = 0; const int CURVE_P256 = 1; const int CURVE_25519 = 2; + const int MIN_SUPPORTED_NUM_KEYS_IN_CSR = 20; } diff --git a/security/rkp/aidl/android/hardware/security/keymint/RpcHardwareInfo.aidl b/security/rkp/aidl/android/hardware/security/keymint/RpcHardwareInfo.aidl index 0cb33ce91e..5fe5b00b89 100644 --- a/security/rkp/aidl/android/hardware/security/keymint/RpcHardwareInfo.aidl +++ b/security/rkp/aidl/android/hardware/security/keymint/RpcHardwareInfo.aidl 
@@ -74,4 +74,17 @@ parcelable RpcHardwareInfo {
 *
 */
 @nullable @utf8InCpp String uniqueId;
+
+ /**
+ * supportedNumKeysInCsr is the maximum number of keys in a CSR that this implementation can
+ * support. This value is implementation defined.
+ *
+ * From version 3 onwards, supportedNumKeysInCsr must be larger or equal to
+ * MIN_SUPPORTED_NUM_KEYS_IN_CSR.
+ *
+ * The default value was chosen as the value enforced by the VTS test in versions 1 and 2 of
+ * this interface.
+ */
+ const int MIN_SUPPORTED_NUM_KEYS_IN_CSR = 20;
+ int supportedNumKeysInCsr = 4;
 }
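Review bot: The new doc block sits directly above `const int MIN_SUPPORTED_NUM_KEYS_IN_CSR = 20;`, so the description of `supportedNumKeysInCsr` attaches to the constant and the field itself ends up undocumented. Moving the block to sit immediately above `int supportedNumKeysInCsr = 4;` and giving the constant its own line, for example `/** Minimum value of supportedNumKeysInCsr that implementations must report from version 3 onwards. */`, would fix that. The phrase "larger or equal to" would read better as "greater than or equal to". It is also worth stating in the comment that the default of 4 is below the minimum of 20, so a version 3 implementation has to set the field explicitly. The parcelable's body starts before this hunk.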