diff options
| author | Shawn Willden <swillden@google.com> | 2016-04-28 14:36:55 +0000 |
|---|---|---|
| committer | Shawn Willden <swillden@google.com> | 2016-04-28 14:36:55 +0000 |
| commit | 31746ba6432c624f57df2a6cfb584490095bb849 (patch) | |
| tree | 439fa7c8dce01804eb3f49bfc377fa4537e8ee0b | |
| parent | fed2be428f769650ca07c3858ef40880bba2ed18 (diff) | |
| download | android_system_keymaster-31746ba6432c624f57df2a6cfb584490095bb849.tar.gz android_system_keymaster-31746ba6432c624f57df2a6cfb584490095bb849.tar.bz2 android_system_keymaster-31746ba6432c624f57df2a6cfb584490095bb849.zip | |
Revert "Add authority key ID to attestation certificates."
This reverts commit fed2be428f769650ca07c3858ef40880bba2ed18 because it broke the ryu build in some very non-obvious way.
Change-Id: Ia7d697233a9f43365edb395a893f2a46d9303f61
| -rw-r--r-- | asymmetric_key.cpp | 34 |
1 files changed, 3 insertions, 31 deletions
diff --git a/asymmetric_key.cpp b/asymmetric_key.cpp index c4e2da5..4412618 100644 --- a/asymmetric_key.cpp +++ b/asymmetric_key.cpp @@ -21,7 +21,6 @@ #include <openssl/asn1.h> #include <openssl/stack.h> #include <openssl/x509.h> -#include <openssl/x509v3.h> #include "attestation_record.h" #include "openssl_err.h" @@ -258,39 +257,12 @@ keymaster_error_t AsymmetricKey::GenerateAttestation(const KeymasterContext& con certificate.get(), &error)) return error; - if (!copy_attestation_chain(context, sign_algorithm, cert_chain, &error)) - return error; - - // Copy subject key identifier from cert_chain->entries[1] as authority key_id. - if (cert_chain->entry_count < 2) { - // cert_chain must have at least two entries, one for the cert we're trying to create and - // one for the cert for the key that signs the new cert. - return KM_ERROR_UNKNOWN_ERROR; - } - - const uint8_t* p = cert_chain->entries[1].data; - X509_Ptr signing_cert(d2i_X509(nullptr, &p, cert_chain->entries[1].data_length)); - if (!signing_cert.get()) { - return TranslateLastOpenSslError(); - } - - UniquePtr<X509V3_CTX> x509v3_ctx(new X509V3_CTX); - *x509v3_ctx = {}; - X509V3_set_ctx(x509v3_ctx.get(), signing_cert.get(), certificate.get(), nullptr /* req */, - nullptr /* crl */, 0 /* flags */); - - X509_EXTENSION_Ptr auth_key_id(X509V3_EXT_nconf_nid(nullptr /* conf */, x509v3_ctx.get(), - NID_authority_key_identifier, - const_cast<char*>("keyid:always"))); - if (!auth_key_id.get() || - !X509_add_ext(certificate.get(), auth_key_id.get() /* Don't release; copied */, - -1 /* insert at end */)) { - return TranslateLastOpenSslError(); - } - if (!X509_sign(certificate.get(), sign_key.get(), EVP_sha256())) return TranslateLastOpenSslError(); + if (!copy_attestation_chain(context, sign_algorithm, cert_chain, &error)) + return error; + return get_certificate_blob(certificate.get(), &cert_chain->entries[0]); } |