From 37388b36bf4f5eb9b85f08268cc59294278ec741 Mon Sep 17 00:00:00 2001
From: David Zeuthen <zeuthen@google.com>
Date: Thu, 11 Feb 2021 08:37:31 -0500
Subject: [PATCH] Identity: Fix breakage caused by recent changes in
 libsoft_attestation_cert.

CL:1566356 changed the notBefore and notAfter fields in the X.509
attestation certificate returned by generate_attestation_from_EVP().
This broke the default implementation of the Identity Credential HAL.

Fixed by setting TAG_CERTIFICATE_NOT_BEFORE and
TAG_CERTIFICATE_NOT_AFTER to the expected values.

Test: atest VtsHalIdentityTargetTest
Bug: 179933300
Change-Id: I2dbca41c1e905c17cd2bc565d2e987945b86273a
---
 identity/support/src/IdentityCredentialSupport.cpp | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/identity/support/src/IdentityCredentialSupport.cpp b/identity/support/src/IdentityCredentialSupport.cpp
index 38348ac1b0..91985ceca6 100644
--- a/identity/support/src/IdentityCredentialSupport.cpp
+++ b/identity/support/src/IdentityCredentialSupport.cpp
@@ -874,8 +874,11 @@ optional<vector<vector<uint8_t>>> createAttestation(
 
     i2d_X509_NAME(subjectName.get(), &subjectPtr);
 
+    uint64_t nowMilliSeconds = time(nullptr) * 1000;
     ::keymaster::AuthorizationSet auth_set(
             ::keymaster::AuthorizationSetBuilder()
+                    .Authorization(::keymaster::TAG_CERTIFICATE_NOT_BEFORE, nowMilliSeconds)
+                    .Authorization(::keymaster::TAG_CERTIFICATE_NOT_AFTER, expireTimeMilliSeconds)
                     .Authorization(::keymaster::TAG_ATTESTATION_CHALLENGE, challenge.data(),
                                    challenge.size())
                     .Authorization(::keymaster::TAG_ACTIVE_DATETIME, activeTimeMilliSeconds)
@@ -918,7 +921,7 @@ optional<vector<vector<uint8_t>>> createAttestation(
     // the VTS tests. Of course, this is a pretend-only game since hopefully no
     // relying party is ever going to trust our batch key and those keys above
     // it.
-    ::keymaster::PureSoftKeymasterContext context(::keymaster::KmVersion::KEYMASTER_4_1,
+    ::keymaster::PureSoftKeymasterContext context(::keymaster::KmVersion::KEYMINT_1,
                                                   KM_SECURITY_LEVEL_TRUSTED_ENVIRONMENT);
 
     ::keymaster::CertificateChain cert_chain_out = generate_attestation_from_EVP(
@@ -926,7 +929,7 @@ optional<vector<vector<uint8_t>>> createAttestation(
             *attestation_signing_key, &error);
 
     if (KM_ERROR_OK != error) {
-        LOG(ERROR) << "Error generate attestation from EVP key" << error;
+        LOG(ERROR) << "Error generating attestation from EVP key: " << error;
         return {};
     }