summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorDavid Zeuthen <zeuthen@google.com>2021-02-11 08:37:31 -0500
committerDavid Zeuthen <zeuthen@google.com>2021-02-11 08:44:51 -0500
commit37388b36bf4f5eb9b85f08268cc59294278ec741 (patch)
tree3a9566632ef02ecf217f6d560cadd50b52ba6b35
parent1d926594bde26421d3133942e36f8354740d3d79 (diff)
downloadplatform_hardware_interfaces-37388b36bf4f5eb9b85f08268cc59294278ec741.tar.gz
platform_hardware_interfaces-37388b36bf4f5eb9b85f08268cc59294278ec741.tar.bz2
platform_hardware_interfaces-37388b36bf4f5eb9b85f08268cc59294278ec741.zip
Identity: Fix breakage caused by recent changes in libsoft_attestation_cert.
CL:1566356 changed the notBefore and notAfter fields in the X.509 attestation certificate returned by generate_attestation_from_EVP(). This broke the default implementation of the Identity Credential HAL. Fixed by setting TAG_CERTIFICATE_NOT_BEFORE and TAG_CERTIFICATE_NOT_AFTER to the expected values. Test: atest VtsHalIdentityTargetTest Bug: 179933300 Change-Id: I2dbca41c1e905c17cd2bc565d2e987945b86273a
-rw-r--r--identity/support/src/IdentityCredentialSupport.cpp7
1 files changed, 5 insertions, 2 deletions
diff --git a/identity/support/src/IdentityCredentialSupport.cpp b/identity/support/src/IdentityCredentialSupport.cpp
index 38348ac1b0..91985ceca6 100644
--- a/identity/support/src/IdentityCredentialSupport.cpp
+++ b/identity/support/src/IdentityCredentialSupport.cpp
@@ -874,8 +874,11 @@ optional<vector<vector<uint8_t>>> createAttestation(
i2d_X509_NAME(subjectName.get(), &subjectPtr);
+ uint64_t nowMilliSeconds = time(nullptr) * 1000;
::keymaster::AuthorizationSet auth_set(
::keymaster::AuthorizationSetBuilder()
+ .Authorization(::keymaster::TAG_CERTIFICATE_NOT_BEFORE, nowMilliSeconds)
+ .Authorization(::keymaster::TAG_CERTIFICATE_NOT_AFTER, expireTimeMilliSeconds)
.Authorization(::keymaster::TAG_ATTESTATION_CHALLENGE, challenge.data(),
challenge.size())
.Authorization(::keymaster::TAG_ACTIVE_DATETIME, activeTimeMilliSeconds)
@@ -918,7 +921,7 @@ optional<vector<vector<uint8_t>>> createAttestation(
// the VTS tests. Of course, this is a pretend-only game since hopefully no
// relying party is ever going to trust our batch key and those keys above
// it.
- ::keymaster::PureSoftKeymasterContext context(::keymaster::KmVersion::KEYMASTER_4_1,
+ ::keymaster::PureSoftKeymasterContext context(::keymaster::KmVersion::KEYMINT_1,
KM_SECURITY_LEVEL_TRUSTED_ENVIRONMENT);
::keymaster::CertificateChain cert_chain_out = generate_attestation_from_EVP(
@@ -926,7 +929,7 @@ optional<vector<vector<uint8_t>>> createAttestation(
*attestation_signing_key, &error);
if (KM_ERROR_OK != error) {
- LOG(ERROR) << "Error generate attestation from EVP key" << error;
+ LOG(ERROR) << "Error generating attestation from EVP key: " << error;
return {};
}