From cb238ffdad120424ebf23226c7ad5309f64b1e8e Mon Sep 17 00:00:00 2001
From: Eran Messeri
Date: Tue, 8 Jun 2021 11:38:31 +0100
Subject: [PATCH] Test validity of device-unique attestation chain Test the validity of the chain produced when device-unique attestation is requested. When the caller requests that the key attestation be signed using the device-unique attestation key, the chain will look different than a chain signed by the batch key (common case): (1) The chain is exactly of length 2. (2) The root is self-signed and is unique to the device. Test that the chain is correctly signed in this change. The root is not currently correctly self-signed, so don't test (2) yet.
Bug: 189425310
Bug: 187803288
Test: atest VtsHalKeymasterV4_1TargetTest:PerInstance/DeviceUniqueAttestationTest
Change-Id: I91578eb2b7588685cc86c467423e9394c3f3c262
---
 .../DeviceUniqueAttestationTest.cpp | 30 +++++++++++++++++++
 1 file changed, 30 insertions(+)
diff --git a/keymaster/4.1/vts/functional/DeviceUniqueAttestationTest.cpp b/keymaster/4.1/vts/functional/DeviceUniqueAttestationTest.cpp
index 0639da8ab1..3d97daf274 100644
--- a/keymaster/4.1/vts/functional/DeviceUniqueAttestationTest.cpp
+++ b/keymaster/4.1/vts/functional/DeviceUniqueAttestationTest.cpp
@@ -16,6 +16,7 @@
 #define LOG_TAG "keymaster_hidl_hal_test"
 #include
+#include
 #include "Keymaster4_1HidlTest.h"
@@ -178,6 +179,33 @@ void check_attestation_record(AttestationRecord attestation, const HidlBuf& chal
 << DIFFERENCE(expected_hw_enforced, attestation.hardware_enforced);
 }
+X509_Ptr parse_cert_blob(const std::vector& blob) {
+ const uint8_t* p = blob.data();
+ return X509_Ptr(d2i_X509(nullptr /* allocate new */, &p, blob.size()));
+}
+
+bool check_certificate_chain_signatures(const hidl_vec>& cert_chain) {
+ // TODO: Check that root is self-signed once b/187803288 is resolved.
+ for (size_t i = 0; i < cert_chain.size() - 1; ++i) {
+ X509_Ptr key_cert(parse_cert_blob(cert_chain[i]));
+ X509_Ptr signing_cert(parse_cert_blob(cert_chain[i + 1]));
+
+ if (!key_cert.get() || !signing_cert.get()) {
+ return false;
+ }
+
+ EVP_PKEY_Ptr signing_pubkey(X509_get_pubkey(signing_cert.get()));
+ if (!signing_pubkey.get()) {
+ return false;
+ }
+
+ if (!X509_verify(key_cert.get(), signing_pubkey.get())) {
+ return false;
+ }
+ }
+ return true;
+}
+
 } // namespace
 using std::string;
@@ -243,6 +271,7 @@ TEST_P(DeviceUniqueAttestationTest, Rsa) {
 EXPECT_EQ(ErrorCode::OK, result);
 EXPECT_EQ(2U, cert_chain.size());
+ EXPECT_TRUE(check_certificate_chain_signatures(cert_chain));
 if (dumpAttestations) {
 for (auto cert_ : cert_chain) dumpContent(bin2hex(cert_));
 }
@@ -289,6 +318,7 @@ TEST_P(DeviceUniqueAttestationTest, Ecdsa) {
 EXPECT_EQ(ErrorCode::OK, result);
 EXPECT_EQ(2U, cert_chain.size());
+ EXPECT_TRUE(check_certificate_chain_signatures(cert_chain));
 if (dumpAttestations) {
 for (auto cert_ : cert_chain) dumpContent(bin2hex(cert_));
 }
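Review bot: In `check_certificate_chain_signatures` the loop bound `cert_chain.size() - 1` is computed in `size_t`, so an empty chain wraps to the maximum value and the loop indexes `cert_chain[0]` and `cert_chain[1]` out of bounds. The Rsa and Ecdsa hunks call the helper after `EXPECT_EQ(2U, cert_chain.size())`, which is non-fatal, so an implementation that returns no certificates still reaches this loop; writing the bound as `for (size_t i = 0; i + 1 < cert_chain.size(); ++i)` avoids the wrap. Separately, `!X509_verify(...)` treats every non-zero return as success, and OpenSSL documents -1 for a signature that could not be checked at all, so `if (X509_verify(key_cert.get(), signing_pubkey.get()) != 1) return false;` is the safer comparison whichever library backs the build. A chain of zero or one certificates also returns true without verifying any signature, which an attestation test should reject explicitly rather than pass vacuously.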
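Review bot: The added `EXPECT_TRUE(check_certificate_chain_signatures(cert_chain))` in the Rsa test (and the identical line in the Ecdsa hunk) reports only a bare boolean, so a failing device does not show whether a certificate failed to parse, a public key could not be extracted, or a signature did not verify, nor at which chain index. Having the helper return `::testing::AssertionResult` instead of `bool` keeps the call sites unchanged while carrying that detail, for example `return ::testing::AssertionFailure() << "signature verification failed at chain index " << i;` on the verify branch and `return ::testing::AssertionSuccess();` at the end. Both test bodies start and end outside their hunks, so how `cert_chain` is populated before this point is not visible here.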