diff options
| author | David Zeuthen <zeuthen@google.com> | 2021-02-11 08:37:31 -0500 |
|---|---|---|
| committer | David Zeuthen <zeuthen@google.com> | 2021-02-11 08:44:51 -0500 |
| commit | 37388b36bf4f5eb9b85f08268cc59294278ec741 (patch) | |
| tree | 3a9566632ef02ecf217f6d560cadd50b52ba6b35 /identity | |
| parent | 1d926594bde26421d3133942e36f8354740d3d79 (diff) | |
| download | platform_hardware_interfaces-37388b36bf4f5eb9b85f08268cc59294278ec741.tar.gz platform_hardware_interfaces-37388b36bf4f5eb9b85f08268cc59294278ec741.tar.bz2 platform_hardware_interfaces-37388b36bf4f5eb9b85f08268cc59294278ec741.zip | |
Identity: Fix breakage caused by recent changes in libsoft_attestation_cert.
CL:1566356 changed the notBefore and notAfter fields in the X.509
attestation certificate returned by generate_attestation_from_EVP().
This broke the default implementation of the Identity Credential HAL.
Fixed by setting TAG_CERTIFICATE_NOT_BEFORE and
TAG_CERTIFICATE_NOT_AFTER to the expected values.
Test: atest VtsHalIdentityTargetTest
Bug: 179933300
Change-Id: I2dbca41c1e905c17cd2bc565d2e987945b86273a
Diffstat (limited to 'identity')
| -rw-r--r-- | identity/support/src/IdentityCredentialSupport.cpp | 7 |
1 files changed, 5 insertions, 2 deletions
diff --git a/identity/support/src/IdentityCredentialSupport.cpp b/identity/support/src/IdentityCredentialSupport.cpp index 38348ac1b0..91985ceca6 100644 --- a/identity/support/src/IdentityCredentialSupport.cpp +++ b/identity/support/src/IdentityCredentialSupport.cpp @@ -874,8 +874,11 @@ optional<vector<vector<uint8_t>>> createAttestation( i2d_X509_NAME(subjectName.get(), &subjectPtr); + uint64_t nowMilliSeconds = time(nullptr) * 1000; ::keymaster::AuthorizationSet auth_set( ::keymaster::AuthorizationSetBuilder() + .Authorization(::keymaster::TAG_CERTIFICATE_NOT_BEFORE, nowMilliSeconds) + .Authorization(::keymaster::TAG_CERTIFICATE_NOT_AFTER, expireTimeMilliSeconds) .Authorization(::keymaster::TAG_ATTESTATION_CHALLENGE, challenge.data(), challenge.size()) .Authorization(::keymaster::TAG_ACTIVE_DATETIME, activeTimeMilliSeconds) @@ -918,7 +921,7 @@ optional<vector<vector<uint8_t>>> createAttestation( // the VTS tests. Of course, this is a pretend-only game since hopefully no // relying party is ever going to trust our batch key and those keys above // it. - ::keymaster::PureSoftKeymasterContext context(::keymaster::KmVersion::KEYMASTER_4_1, + ::keymaster::PureSoftKeymasterContext context(::keymaster::KmVersion::KEYMINT_1, KM_SECURITY_LEVEL_TRUSTED_ENVIRONMENT); ::keymaster::CertificateChain cert_chain_out = generate_attestation_from_EVP( @@ -926,7 +929,7 @@ optional<vector<vector<uint8_t>>> createAttestation( *attestation_signing_key, &error); if (KM_ERROR_OK != error) { - LOG(ERROR) << "Error generate attestation from EVP key" << error; + LOG(ERROR) << "Error generating attestation from EVP key: " << error; return {}; } |