From 647c87122193a1312b26d223c8b980f762314028 Mon Sep 17 00:00:00 2001 From: Subrahmanyaman Date: Fri, 26 Aug 2022 22:27:21 +0000 Subject: [PATCH] In RKP test mode, skip including AdditionalCertChain from ProtectedData --- .../com/android/javacard/test/KMRKPFunctionalTest.java | 2 +- .../test/com/android/javacard/test/KMTestUtils.java | 8 +++++--- .../keymaster/RemotelyProvisionedComponentDevice.java | 4 ++++ 3 files changed, 10 insertions(+), 4 deletions(-) diff --git a/Applet/JCardSimProvider/test/com/android/javacard/test/KMRKPFunctionalTest.java b/Applet/JCardSimProvider/test/com/android/javacard/test/KMRKPFunctionalTest.java index a06b4b16..133d4ca5 100644 --- a/Applet/JCardSimProvider/test/com/android/javacard/test/KMRKPFunctionalTest.java +++ b/Applet/JCardSimProvider/test/com/android/javacard/test/KMRKPFunctionalTest.java @@ -261,7 +261,7 @@ public void testGenerateCsrProdMode() { init(); short[] noOfKeys = {0, 5, 10}; for (int i = 0; i < noOfKeys.length; i++) { - testGenerateCsr(noOfKeys[i] /*no_keys*/, (short) 2 /*eek_chain_len*/, true /*testMode*/); + testGenerateCsr(noOfKeys[i] /*no_keys*/, (short) 2 /*eek_chain_len*/, false /*testMode*/); KMRepository.instance().clean(); } cleanUp(); diff --git a/Applet/JCardSimProvider/test/com/android/javacard/test/KMTestUtils.java b/Applet/JCardSimProvider/test/com/android/javacard/test/KMTestUtils.java index 43aa61e7..e9d5be04 100644 --- a/Applet/JCardSimProvider/test/com/android/javacard/test/KMTestUtils.java +++ b/Applet/JCardSimProvider/test/com/android/javacard/test/KMTestUtils.java @@ -447,7 +447,7 @@ public static void validateProtectedData(KMSEProvider cryptoProvider, KMEncoder // Validate the decrypted payload. // payload = [signedMac + bcc + ? AdditionalCertChain] //-------------------------------------------- - short payloadLength = 3; + short payloadLength = testMode ? (short) 2 : (short) 3; short additionalCertChain = 0; short headersExp = KMCoseHeaders.exp(); short coseKeyExp = KMCoseKey.exp(); @@ -468,8 +468,10 @@ public static void validateProtectedData(KMSEProvider cryptoProvider, KMEncoder KMArray.cast(arrInst).add((short) 2, KMByteBlob.exp()); KMArray.cast(arrInst).add((short) 3, KMByteBlob.exp()); short coseSignArr = KMArray.exp(arrInst); - additionalCertChain = KMMap.instance((short) 1); - KMMap.cast(additionalCertChain).add((short) 0, KMTextString.exp(), coseSignArr); + if (!testMode) { + additionalCertChain = KMMap.instance((short) 1); + KMMap.cast(additionalCertChain).add((short) 0, KMTextString.exp(), coseSignArr); + } // protected payload exp short payload = KMArray.instance(payloadLength); KMArray.cast(payload).add((short) 0, signedMacArr); diff --git a/Applet/src/com/android/javacard/keymaster/RemotelyProvisionedComponentDevice.java b/Applet/src/com/android/javacard/keymaster/RemotelyProvisionedComponentDevice.java index 216c9359..72331fa4 100644 --- a/Applet/src/com/android/javacard/keymaster/RemotelyProvisionedComponentDevice.java +++ b/Applet/src/com/android/javacard/keymaster/RemotelyProvisionedComponentDevice.java @@ -561,6 +561,10 @@ public void process(short ins, APDU apdu) throws Exception { } private boolean isAdditionalCertificateChainPresent() { + if ((TRUE == data[getEntry(TEST_MODE)])) { + // In test mode, don't include AdditionalCertificateChain in ProtectedData. + return false; + } return (storeDataInst.getAdditionalCertChainLength() == 0 ? false : true); }