From df1adeba7fdff6ae1556f647efb155c71918fa76 Mon Sep 17 00:00:00 2001
From: Shawn Willden
Date: Mon, 25 Apr 2016 08:56:27 -0600
Subject: Reject too-large key attestation challenges.

Attestation certificates include an app-provided challenge value, which is defined in the documentation as an arbitrary byte array between 0 and 128 bytes in length, inclusive. SoftKeymaster does not restrict the length of challenge values during key attestation, and it should.

Bug: 28369352
Change-Id: Ibf16fb93f3bc82783bcc7736eb6de789be70d7a8
---
 soft_keymaster_device.cpp | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/soft_keymaster_device.cpp b/soft_keymaster_device.cpp
index d6c9e6b..eddbc5d 100644
--- a/soft_keymaster_device.cpp
+++ b/soft_keymaster_device.cpp
@@ -73,6 +73,7 @@ struct keystore_module soft_keymaster2_device_module = {
 namespace keymaster {
+const size_t kMaximumAttestationChallengeLength = 128;
 const size_t kOperationTableSize = 16;
 template std::vector make_vector(const T* array, size_t len) {
@@ -1060,6 +1061,14 @@ keymaster_error_t SoftKeymasterDevice::attest_key(const keymaster2_device_t* dev
     request.SetKeyMaterial(*key_to_attest);
     request.attest_params.Reinitialize(*attest_params);
+    keymaster_blob_t attestation_challenge = {};
+    request.attest_params.GetTagValue(TAG_ATTESTATION_CHALLENGE, &attestation_challenge);
+    if (attestation_challenge.data_length > kMaximumAttestationChallengeLength) {
+        LOG_E("%d-byte attestation challenge; only %d bytes allowed",
+              attestation_challenge.data_length, kMaximumAttestationChallengeLength);
+        return KM_ERROR_INVALID_INPUT_LENGTH;
+    }
+
     AttestKeyResponse response;
     convert_device(dev)->impl_->AttestKey(request, &response);
     if (response.error != KM_ERROR_OK)
-- 
cgit v1.2.3
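Review bot: The new constant kMaximumAttestationChallengeLength states the bound but not where it comes from, and the commit message is the only place that ties 128 to the documented challenge format. A one-line comment above it would keep that link in the code: `// Documented upper bound on an attestation challenge, in bytes (0-128 inclusive).`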
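Review bot: The LOG_E call in the new length check passes two size_t values (attestation_challenge.data_length and kMaximumAttestationChallengeLength) to %d conversions, which is a format/argument mismatch on 64-bit builds and will be flagged by -Wformat. Use the size_t conversion instead: `LOG_E("%zu-byte attestation challenge; only %zu bytes allowed",` / `attestation_challenge.data_length, kMaximumAttestationChallengeLength);`. The return value of GetTagValue is also discarded, so when no TAG_ATTESTATION_CHALLENGE is present the zero-initialized blob passes the check silently; whether a missing challenge should be rejected is presumably a separate policy decision, but it is worth a comment on that line so the fall-through reads as intentional. attest_key begins and ends outside this hunk.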