| author | Shawn Willden <swillden@google.com> | 2016-04-29 02:55:27 +0000 |
|---|---|---|
| committer | android-build-merger <android-build-merger@google.com> | 2016-04-29 02:55:27 +0000 |
| commit | 4141966fdac510bd95e3d7829223aadd715ce233 (patch) | |
| tree | 413c9cab85bfc89ef6079b89555b171dc2a10b6d | |
| parent | f924c9143ba07c4722c3b0d048eec1366a4740a7 (diff) | |
| parent | eabae3005e170c757d779ef83813644f3fdd3e35 (diff) | |
Revert "Revert "Add authority key ID to attestation certificates.""
am: eabae3005e
* commit 'eabae3005e170c757d779ef83813644f3fdd3e35':
Revert "Revert "Add authority key ID to attestation certificates.""
Change-Id: I308755e9144d0f07aa076ef26e317060624803fa
| -rw-r--r-- | asymmetric_key.cpp | 34 |
1 files changed, 31 insertions, 3 deletions
diff --git a/asymmetric_key.cpp b/asymmetric_key.cpp
index 4412618..c4e2da5 100644
--- a/asymmetric_key.cpp
+++ b/asymmetric_key.cpp
@@ -21,6 +21,7 @@
 #include <openssl/asn1.h>
 #include <openssl/stack.h>
 #include <openssl/x509.h>
+#include <openssl/x509v3.h>
 #include "attestation_record.h"
 #include "openssl_err.h"
@@ -257,12 +258,39 @@ keymaster_error_t AsymmetricKey::GenerateAttestation(const KeymasterContext& con
 certificate.get(), &error))
 return error;
- if (!X509_sign(certificate.get(), sign_key.get(), EVP_sha256()))
- return TranslateLastOpenSslError();
-
 if (!copy_attestation_chain(context, sign_algorithm, cert_chain, &error))
 return error;
+ // Copy subject key identifier from cert_chain->entries[1] as authority key_id.
+ if (cert_chain->entry_count < 2) {
+ // cert_chain must have at least two entries, one for the cert we're trying to create and
+ // one for the cert for the key that signs the new cert.
+ return KM_ERROR_UNKNOWN_ERROR;
+ }
+
+ const uint8_t* p = cert_chain->entries[1].data;
+ X509_Ptr signing_cert(d2i_X509(nullptr, &p, cert_chain->entries[1].data_length));
+ if (!signing_cert.get()) {
+ return TranslateLastOpenSslError();
+ }
+
+ UniquePtr<X509V3_CTX> x509v3_ctx(new X509V3_CTX);
+ *x509v3_ctx = {};
+ X509V3_set_ctx(x509v3_ctx.get(), signing_cert.get(), certificate.get(), nullptr /* req */,
+ nullptr /* crl */, 0 /* flags */);
+
+ X509_EXTENSION_Ptr auth_key_id(X509V3_EXT_nconf_nid(nullptr /* conf */, x509v3_ctx.get(),
+ NID_authority_key_identifier,
+ const_cast<char*>("keyid:always")));
+ if (!auth_key_id.get() ||
+ !X509_add_ext(certificate.get(), auth_key_id.get() /* Don't release; copied */,
+ -1 /* insert at end */)) {
+ return TranslateLastOpenSslError();
+ }
+
+ if (!X509_sign(certificate.get(), sign_key.get(), EVP_sha256()))
+ return TranslateLastOpenSslError();
+
 return get_certificate_blob(certificate.get(), &cert_chain->entries[0]);
 } |
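Review bot: The authority key identifier is taken from cert_chain->entries[1] on the assumption that this certificate belongs to sign_key, but nothing in the hunk checks that the two agree; if the provisioned chain's signing certificate does not match the key used by X509_sign, the result is a validly signed leaf whose AKID names a different key, which verifiers will reject with no diagnostic on this side. After signing_cert is parsed, add `if (!X509_check_private_key(signing_cert.get(), sign_key.get())) return KM_ERROR_UNKNOWN_ERROR;` so the mismatch is caught where the chain is assembled rather than at the relying party. The heap-allocated context can also be a plain local, `X509V3_CTX x509v3_ctx = {};` passed as `&x509v3_ctx`, which removes the new and the separate zeroing assignment. GenerateAttestation begins before this hunk and the origin of sign_key is not visible here, so whether it is always derived from the same material as entries[1] cannot be confirmed from this diff.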
