Allow caller to specify key CN in generate_attestation_from_EVP().

This is needed to generate attestations in the default Identity
Credential HAL implementation which uses software KM.

Test: atest VtsHalIdentityTargetTest
Bug: 171745570
Change-Id: Ic96d1d2362851edca562c5defa1e48bdd0e6e060
Merged-In: I93b6cb939972c214dc67250dd62aa4fdd76273d6
diff --git a/include/keymaster/km_openssl/attestation_utils.h b/include/keymaster/km_openssl/attestation_utils.h
index e30d90f..3c3ed3b 100644
--- a/include/keymaster/km_openssl/attestation_utils.h
+++ b/include/keymaster/km_openssl/attestation_utils.h
@@ -62,6 +62,7 @@
     const uint keymaster_version,             // input
     const keymaster_cert_chain_t& attestation_chain,      // input
     const keymaster_key_blob_t& attestation_signing_key,  // input
+    const char* key_subject_common_name,                  // input
     CertChainPtr* cert_chain_out);                        // Output.
 
 } // namespace keymaster
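Review bot: The new `key_subject_common_name` parameter is declared with only `// input`, so the header does not tell callers what the pointer must satisfy. The implementation hands it to `X509_NAME_add_entry_by_txt` with `MBSTRING_ASC` and a length of -1, so I would add a comment above the declaration such as `// key_subject_common_name: non-null, NUL-terminated ASCII string used as the subject CN of the generated certificate.` The same comment belongs on the definition in the `@@ -491,6 +493,7 @@` hunk of attestation_utils.cpp. The parameter is inserted before `cert_chain_out` with no default, so any caller of this function outside this commit has to be updated with it. The declaration starts outside this hunk.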
diff --git a/km_openssl/attestation_utils.cpp b/km_openssl/attestation_utils.cpp
index 6b60fe8..e1be08b 100644
--- a/km_openssl/attestation_utils.cpp
+++ b/km_openssl/attestation_utils.cpp
@@ -311,6 +311,7 @@
     const AttestationRecordContext& context,              // input
     const keymaster_cert_chain_t& attestation_chain,      // input
     const keymaster_key_blob_t& attestation_signing_key,  // input
+    const char* key_subject_common_name,                  // input
     CertChainPtr* cert_chain_out) {                       // Output.
 
     if (!cert_chain_out) {
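Review bot: `key_subject_common_name` is not null-checked alongside `cert_chain_out`, yet the next hunk passes it to `X509_NAME_add_entry_by_txt` with `len` set to -1, which makes the library measure the string itself. A null pointer from a caller of `generate_attestation_from_EVP()` would therefore be dereferenced there. Extending the existing guard to `if (!cert_chain_out || !key_subject_common_name) {` would reject it with the same error the function already returns for a null output pointer. The body of that guard and the rest of the function are outside the hunk.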
@@ -335,7 +336,7 @@
         !X509_NAME_add_entry_by_txt(subjectName.get(),  //
                                     "CN",               //
                                     MBSTRING_ASC,
-                                    reinterpret_cast<const uint8_t*>("Android Keystore Key"),
+                                    reinterpret_cast<const uint8_t*>(key_subject_common_name),
                                     -1,  // len
                                     -1,  // loc
                                     0 /* set */) ||
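Review bot: The subject CN written at the `reinterpret_cast` line is now chosen by the caller instead of being the fixed `"Android Keystore Key"`, and nothing at the call site records what that means for consumers of the certificate. Judging by the parameter names, the certificate is signed with `attestation_signing_key`, so the subject should be treated as informational. I would add a comment above the call: `// Subject CN is caller-supplied; verifiers must rely on the attestation extension, not the subject name.` No code that matches on the old CN is visible here, but any that exists would stop recognising certificates from callers that pass a different name. The enclosing condition starts and ends outside the hunk.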
@@ -469,10 +470,11 @@
     uint64_t usageExpireDateTime = UINT64_MAX;
     key.authorizations().GetTagValue(TAG_USAGE_EXPIRE_DATETIME, &usageExpireDateTime);
 
-    return generate_attestation_common(pkey.get(), key.sw_enforced(), key.hw_enforced(),
-                                       attest_params, activeDateTime, usageExpireDateTime,
-                                       kCurrentKeymasterVersion, context, attestation_chain,
-                                       attestation_signing_key, cert_chain_out);
+    const char* key_subject_common_name = "Android Keystore Key";
+    return generate_attestation_common(
+        pkey.get(), key.sw_enforced(), key.hw_enforced(), attest_params, activeDateTime,
+        usageExpireDateTime, kCurrentKeymasterVersion, context, attestation_chain,
+        attestation_signing_key, key_subject_common_name, cert_chain_out);
 }
 
 // Generate attestation certificate base on the EVP key and other parameters
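Review bot: The default CN is introduced as a function-local `const char*` right before its only use in the `generate_attestation_common(...)` call, which leaves the literal buried in the call path. A file-scope `constexpr char kDefaultKeySubjectCommonName[] = "Android Keystore Key";` would name the default once and make it obvious which value the keystore path uses compared with callers of `generate_attestation_from_EVP()`. The enclosing function starts outside this hunk.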
@@ -491,6 +493,7 @@
     const uint keymaster_version,             // input
     const keymaster_cert_chain_t& attestation_chain,      // input
     const keymaster_key_blob_t& attestation_signing_key,  // input
+    const char* key_subject_common_name,                  // input
     CertChainPtr* cert_chain_out) {                       // Output.
 
     uint64_t activeDateTime = 0;
@@ -499,9 +502,10 @@
     uint64_t usageExpireDateTime = UINT64_MAX;
     attest_params.GetTagValue(TAG_USAGE_EXPIRE_DATETIME, &usageExpireDateTime);
 
-    return generate_attestation_common(
-        evp_key, sw_enforced, hw_enforced, attest_params, activeDateTime, usageExpireDateTime,
-        keymaster_version, context, attestation_chain, attestation_signing_key, cert_chain_out);
+    return generate_attestation_common(evp_key, sw_enforced, hw_enforced, attest_params,
+                                       activeDateTime, usageExpireDateTime, keymaster_version,
+                                       context, attestation_chain, attestation_signing_key,
+                                       key_subject_common_name, cert_chain_out);
 }
 
 }  // namespace keymaster