Google Git
Sign in
android / platform / cts / 6d0a46390fd^! / .
commit6d0a46390fd6fb5c7e9d2ab28361afcc40ea1d40[log] [tgz]
authorRajesh Nyamagoud <nyamagoud@google.com>Thu Feb 09 18:36:37 2023 +0000
committerRajesh Nyamagoud <nyamagoud@google.com>Thu Feb 09 18:43:59 2023 +0000
tree174530b04ce33f56a5a9ad309333d2fbb105834a
parent42506cce848c056c20fc80ddab6115a60b227a00 [diff]
Updated to enforce leaf certificate containing attestation record
to not to hold the CRL Distribution Points extension in it.

Bug: 260332189
Test: atest android.keystore.cts.AttestKeyTest
Change-Id: I61f07d3d1f0dda76be17aa014f81df3ea5ab0c79

diff --git a/tests/security/src/android/keystore/cts/Attestation.java b/tests/security/src/android/keystore/cts/Attestation.java
index ae2e29a..49c5d0d 100644
--- a/tests/security/src/android/keystore/cts/Attestation.java
+++ b/tests/security/src/android/keystore/cts/Attestation.java

@@ -16,8 +16,6 @@
 
 package android.keystore.cts;
 
-import co.nstant.in.cbor.CborException;
-
 import com.google.common.base.CharMatcher;
 import com.google.common.collect.ImmutableSet;
 import com.google.common.io.BaseEncoding;
@@ -26,6 +24,8 @@
 import java.security.cert.X509Certificate;
 import java.util.Set;
 
+import co.nstant.in.cbor.CborException;
+
 /**
  * Parses an attestation certificate and provides an easy-to-use interface for examining the
  * contents.
@@ -35,6 +35,8 @@
     static final String ASN1_OID = "1.3.6.1.4.1.11129.2.1.17";
     static final String KEY_USAGE_OID = "2.5.29.15"; // Standard key usage extension.
 
+    static final String CRL_DP_OID = "2.5.29.31"; // Standard CRL Distribution Points extension.
+
     public static final int KM_SECURITY_LEVEL_SOFTWARE = 0;
     public static final int KM_SECURITY_LEVEL_TRUSTED_ENVIRONMENT = 1;
     public static final int KM_SECURITY_LEVEL_STRONG_BOX = 2;
@@ -89,6 +91,10 @@
                 throw new CertificateParsingException("Unable to parse EAT extension", cbe);
             }
         }
+        if (x509Cert.getExtensionValue(CRL_DP_OID) != null) {
+            throw new CertificateParsingException(
+                    "CRL Distribution Points extension found in leaf certificate.");
+        }
         return new Asn1Attestation(x509Cert, strictParsing);
     }