From a601d074788540c02623fd85cb52ffd4232db6f3 Mon Sep 17 00:00:00 2001
From: Andrew Scull
Date: Mon, 13 Mar 2023 16:46:49 +0000
Subject: [PATCH] Validate DICE chain based on context

The DICE chain in the ProtectedData objects are evaluated against the specification from v1 and v2 of the HAL whereas the chain in AuthenticatedMessage objects are evaluated against the specification from v3. There are only small differences with v3 aligning to the standards where there was previously more leniency.

Fix: 262599829
Test: TH
Change-Id: Ied14362b5530485eb6c2302a0ae0f21da9cdb33f
---
 security/keymint/support/remote_prov_utils.cpp | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)

diff --git a/security/keymint/support/remote_prov_utils.cpp b/security/keymint/support/remote_prov_utils.cpp
index 9620b6a2aa..99e18c118e 100644
--- a/security/keymint/support/remote_prov_utils.cpp
+++ b/security/keymint/support/remote_prov_utils.cpp
@@ -290,11 +290,12 @@ bytevec getProdEekChain(int32_t supportedEekCurve) {
 return chain.encode();
 }
-ErrMsgOr> validateBcc(const cppbor::Array* bcc) {
+ErrMsgOr> validateBcc(const cppbor::Array* bcc,
+ hwtrust::DiceChain::Kind kind) {
 auto encodedBcc = bcc->encode();
- auto chain = hwtrust::DiceChain::verify(encodedBcc);
+ auto chain = hwtrust::DiceChain::Verify(encodedBcc, kind);
 if (!chain.ok()) return chain.error().message();
- auto keys = chain->cose_public_keys();
+ auto keys = chain->CosePublicKeys();
 if (!keys.ok()) return keys.error().message();
 std::vector result;
 for (auto& key : *keys) {
@@ -569,7 +570,7 @@ ErrMsgOr> verifyProtectedData(
 }
 // BCC is [ pubkey, + BccEntry]
- auto bccContents = validateBcc(bcc->asArray());
+ auto bccContents = validateBcc(bcc->asArray(), hwtrust::DiceChain::Kind::kProtectedData);
 if (!bccContents) {
 return bccContents.message() + "\n" + prettyPrint(bcc.get());
 }
@@ -859,8 +860,8 @@ ErrMsgOr parseAndValidateAuthenticatedRequest(const std::vector
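Review bot: `validateBcc` still dereferences its argument on the first body line (`bcc->encode()`) with no null check, and the caller in the second hunk passes `bcc->asArray()`, which returns a null pointer when the CBOR item is not an array. Any guard in the callers sits outside the visible hunks, so the function relies on every present and future caller having checked first. A local guard before the encode, something like `if (!bcc) return "BCC is not a CBOR array";`, would make a malformed request fail with an error instead of a crash. The rest of `validateBcc` continues past the end of this hunk.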
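Review bot: The `kProtectedData` argument on the `validateBcc` call in `verifyProtectedData` deliberately selects the more lenient v1/v2 profile, but nothing at the call site says so. Going by the commit description, v3 chains are meant to be held to the stricter rules, so a reader copying this call into a v3 path would quietly weaken validation. A comment above the call would record the intent, for example `// ProtectedData only exists in HAL v1/v2, so the chain is checked against the older, more lenient profile.` The enclosing function starts and ends outside this hunk.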