Merge "Add checks for different sizes of challenge"

This commit is contained in:
Treehugger Robot
2023-04-17 04:20:54 +00:00
committed by Gerrit Code Review
3 changed files with 40 additions and 15 deletions


@@ -855,8 +855,8 @@ ErrMsgOr<bytevec> parseAndValidateAuthenticatedRequestSignedPayload(
return "Challenge must be a Bstr."; return "Challenge must be a Bstr.";
} }
if (challenge.size() < 16 || challenge.size() > 64) { if (challenge.size() > 64) {
return "Challenge size must be between 16 and 64 bytes inclusive. " return "Challenge size must be between 0 and 64 bytes inclusive. "
"However, challenge is " + "However, challenge is " +
std::to_string(challenge.size()) + " bytes long."; std::to_string(challenge.size()) + " bytes long.";
} }
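Review bot: The upper bound 64 is now written twice in this hunk — once in the condition on the `if` line and once inside the returned error string — which is exactly how the check and the message drift apart on the next edit; a single named constant, e.g. `constexpr size_t kMaxChallengeSize = 64;` at namespace scope and `if (challenge.size() > kMaxChallengeSize) {`, with the message built from it via `std::to_string(kMaxChallengeSize)`, keeps them in step. A short comment on the `if` line would also record that a zero-length challenge is accepted on purpose (the interface doc on this page now allows sizes 0..64), so a later reader does not reinstate the old lower bound as a presumed bug and understands that this check constrains only the length, not whether a fresh challenge was supplied: `// Empty challenges are valid per the interface; only the length is validated here.` parseAndValidateAuthenticatedRequestSignedPayload starts and ends outside the hunk.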


@@ -315,7 +315,7 @@ interface IRemotelyProvisionedComponent {
* *
* @param in challenge contains a byte string from the provisioning server which will be * @param in challenge contains a byte string from the provisioning server which will be
* included in the signed data of the CSR structure. Different provisioned backends may * included in the signed data of the CSR structure. Different provisioned backends may
* use different semantic data for this field, but the supported sizes must be between 16 * use different semantic data for this field, but the supported sizes must be between 0
* and 64 bytes, inclusive. * and 64 bytes, inclusive.
* *
* @return the following CBOR Certificate Signing Request (Csr) serialized into a byte array: * @return the following CBOR Certificate Signing Request (Csr) serialized into a byte array:
@@ -344,7 +344,7 @@ interface IRemotelyProvisionedComponent {
* UdsCerts, * UdsCerts,
* DiceCertChain, * DiceCertChain,
* SignedData<[ * SignedData<[
* challenge: bstr .size (16..64), ; Provided by the method parameters * challenge: bstr .size (0..64), ; Provided by the method parameters
* bstr .cbor T, * bstr .cbor T,
* ]>, * ]>,
* ] * ]
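Review bot: The new size range appears twice in this file (the `@param in challenge` paragraph and the CDDL `bstr .size (0..64)`), but neither hunk says what an implementation must do when a caller passes a challenge longer than 64 bytes, while the accompanying test change on this page asserts a specific outcome (`STATUS_FAILED`). Since this comment is the contract implementers follow, the `@param` paragraph should state the required failure, e.g. `* and 64 bytes, inclusive. A challenge outside this range must be rejected with STATUS_FAILED.`, if that is indeed the intended status. The interface body continues outside both hunks.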


@@ -49,6 +49,9 @@ namespace {
constexpr int32_t VERSION_WITH_UNIQUE_ID_SUPPORT = 2; constexpr int32_t VERSION_WITH_UNIQUE_ID_SUPPORT = 2;
constexpr int32_t VERSION_WITHOUT_TEST_MODE = 3; constexpr int32_t VERSION_WITHOUT_TEST_MODE = 3;
constexpr uint8_t MIN_CHALLENGE_SIZE = 0;
constexpr uint8_t MAX_CHALLENGE_SIZE = 64;
#define INSTANTIATE_REM_PROV_AIDL_TEST(name) \ #define INSTANTIATE_REM_PROV_AIDL_TEST(name) \
GTEST_ALLOW_UNINSTANTIATED_PARAMETERIZED_TEST(name); \ GTEST_ALLOW_UNINSTANTIATED_PARAMETERIZED_TEST(name); \
INSTANTIATE_TEST_SUITE_P( \ INSTANTIATE_TEST_SUITE_P( \
@@ -693,32 +696,54 @@ class CertificateRequestV2Test : public CertificateRequestTestBase {
}; };
/** /**
* Generate an empty certificate request, and decrypt and verify the structure and content. * Generate an empty certificate request with all possible length of challenge, and decrypt and
* verify the structure and content.
*/ */
TEST_P(CertificateRequestV2Test, EmptyRequest) { TEST_P(CertificateRequestV2Test, EmptyRequest) {
bytevec csr; bytevec csr;
auto status = for (auto size = MIN_CHALLENGE_SIZE; size <= MAX_CHALLENGE_SIZE; size++) {
provisionable_->generateCertificateRequestV2({} /* keysToSign */, challenge_, &csr); SCOPED_TRACE(testing::Message() << "challenge[" << size << "]");
ASSERT_TRUE(status.isOk()) << status.getMessage(); auto challenge = randomBytes(size);
auto status =
provisionable_->generateCertificateRequestV2({} /* keysToSign */, challenge, &csr);
ASSERT_TRUE(status.isOk()) << status.getMessage();
auto result = verifyProductionCsr(cppbor::Array(), csr, provisionable_.get(), challenge_); auto result = verifyProductionCsr(cppbor::Array(), csr, provisionable_.get(), challenge);
ASSERT_TRUE(result) << result.message(); ASSERT_TRUE(result) << result.message();
}
} }
/** /**
* Generate a non-empty certificate request. Decrypt, parse and validate the contents. * Generate a non-empty certificate request with all possible length of challenge. Decrypt, parse
* and validate the contents.
*/ */
TEST_P(CertificateRequestV2Test, NonEmptyRequest) { TEST_P(CertificateRequestV2Test, NonEmptyRequest) {
generateKeys(false /* testMode */, 1 /* numKeys */); generateKeys(false /* testMode */, 1 /* numKeys */);
bytevec csr; bytevec csr;
auto status = provisionable_->generateCertificateRequestV2(keysToSign_, challenge_, &csr); for (auto size = MIN_CHALLENGE_SIZE; size <= MAX_CHALLENGE_SIZE; size++) {
ASSERT_TRUE(status.isOk()) << status.getMessage(); SCOPED_TRACE(testing::Message() << "challenge[" << size << "]");
auto challenge = randomBytes(size);
auto status = provisionable_->generateCertificateRequestV2(keysToSign_, challenge, &csr);
ASSERT_TRUE(status.isOk()) << status.getMessage();
auto result = verifyProductionCsr(cborKeysToSign_, csr, provisionable_.get(), challenge_); auto result = verifyProductionCsr(cborKeysToSign_, csr, provisionable_.get(), challenge);
ASSERT_TRUE(result) << result.message(); ASSERT_TRUE(result) << result.message();
}
}
/**
* Generate an empty certificate request with invalid size of challenge
*/
TEST_P(CertificateRequestV2Test, EmptyRequestWithInvalidChallengeFail) {
bytevec csr;
auto status = provisionable_->generateCertificateRequestV2(
/* keysToSign */ {}, randomBytes(MAX_CHALLENGE_SIZE + 1), &csr);
EXPECT_FALSE(status.isOk()) << status.getMessage();
EXPECT_EQ(status.getServiceSpecificError(), BnRemotelyProvisionedComponent::STATUS_FAILED);
} }
/** /**