From 06353ef218b63d26832541117561fae5ed2be8a0 Mon Sep 17 00:00:00 2001 From: Hunter Knepshield Date: Mon, 25 Jan 2021 16:23:34 -0800 Subject: [PATCH] Create a new certificate for 2021 CTS UICCs. This certificate will be used to enforce a clean break between "old" CTS UICCs and new ones. The new UICCs will have hardware support for new calculations that the old ones aren't capable of. Old certificate: ./testkey.x509.pem SHA-1: 61:ED:37:7E:85:D3:86:A8:DF:EE:6B:86:4B:D8:5B:0B:FA:A5:AF:81 SHA-256: A4:0D:A8:0A:59:D1:70:CA:A9:50:CF:15:C1:8C:45:4D:47:A3:9B:26:98:9D:8B:64:0E:CD:74:5B:A7:1B:F5:DC New certificate: ./cts_uicc_2021.x509.pem SHA-1: 06:97:71:39:21:E8:65:D0:1C:45:C4:A8:8D:45:7A:9D:96:F4:39:27 SHA-256: CE:7B:2B:47:AE:2B:75:52:C8:F9:2C:C2:91:24:27:98:83:04:1F:B6:23:A5:F1:94:A8:2C:9B:F1:5D:49:2A:A0 We won't yet submit the change to switch the signature of CtsCarrierApiTestCases, as that will introduce downstream presubmit and postsubmit failures until the new hardware is available for device labs. Bug: 178419755 Test: temporarily switch CtsCarrierApiTestCases to be signed with cts-uicc-2021-testkey, ensure: - Suite fails on a device with the old CTS SIM due to lack of carrier privileges - Suite passes with updated cuttlefish modem simulator ARF content Change-Id: I7598426bd3e4db90a8f0d8d80ea03468fb30f876 --- target/product/security/Android.bp | 11 +++++++- target/product/security/README | 9 ++++--- target/product/security/cts_uicc_2021.pk8 | Bin 0 -> 1217 bytes .../product/security/cts_uicc_2021.x509.pem | 24 ++++++++++++++++++ 4 files changed, 39 insertions(+), 5 deletions(-) create mode 100644 target/product/security/cts_uicc_2021.pk8 create mode 100644 target/product/security/cts_uicc_2021.x509.pem diff --git a/target/product/security/Android.bp b/target/product/security/Android.bp index 98698c579e..99f774252a 100644 --- a/target/product/security/Android.bp +++ b/target/product/security/Android.bp 
@@ -13,7 +13,16 @@ android_app_certificate { certificate: "testkey", } -// Google-owned certificate for CTS testing, since we can't trust arbitrary keys on release devices. +// Certificate for CTS tests that rely on UICC hardware conforming to the +// updated CTS UICC card specification introduced in 2021. See +// //cts/tests/tests/carrierapi/Android.bp for more details. +android_app_certificate { + name: "cts-uicc-2021-testkey", + certificate: "cts_uicc_2021", +} + +// Google-owned certificate for CTS testing, since we can't trust arbitrary keys +// on release devices. prebuilt_etc { name: "fsverity-release-cert-der", src: "fsverity-release.x509.der", diff --git a/target/product/security/README b/target/product/security/README index 6e75e4de01..2b161bb0ee 100644 --- a/target/product/security/README +++ b/target/product/security/README 
@@ -11,10 +11,11 @@ key generation The following commands were used to generate the test key pairs: - development/tools/make_key testkey '/C=US/ST=California/L=Mountain View/O=Android/OU=Android/CN=Android/emailAddress=android@android.com' - development/tools/make_key platform '/C=US/ST=California/L=Mountain View/O=Android/OU=Android/CN=Android/emailAddress=android@android.com' - development/tools/make_key shared '/C=US/ST=California/L=Mountain View/O=Android/OU=Android/CN=Android/emailAddress=android@android.com' - development/tools/make_key media '/C=US/ST=California/L=Mountain View/O=Android/OU=Android/CN=Android/emailAddress=android@android.com' + development/tools/make_key testkey '/C=US/ST=California/L=Mountain View/O=Android/OU=Android/CN=Android/emailAddress=android@android.com' + development/tools/make_key platform '/C=US/ST=California/L=Mountain View/O=Android/OU=Android/CN=Android/emailAddress=android@android.com' + development/tools/make_key shared '/C=US/ST=California/L=Mountain View/O=Android/OU=Android/CN=Android/emailAddress=android@android.com' + development/tools/make_key media '/C=US/ST=California/L=Mountain View/O=Android/OU=Android/CN=Android/emailAddress=android@android.com' + development/tools/make_key cts_uicc_2021 '/C=US/ST=California/L=Mountain View/O=Android/OU=Android/CN=Android/emailAddress=android@android.com' signing using the openssl commandline (for boot/system images) -------------------------------------------------------------- 
diff --git a/target/product/security/cts_uicc_2021.pk8 b/target/product/security/cts_uicc_2021.pk8 new file mode 100644 index 0000000000000000000000000000000000000000..3b2a7fa94acc11d6256fde00d2bc4bfe0c8677ed GIT binary patch literal 1217 zcmV;y1U~yPf&{$+0RS)!1_>&LNQUrr!ay9qXGc{0)hbn0F>hr9-wa0 zC{zvcV8F-Dq?>8W5#G?EpB)+9Q3n`P{cr2`uFGaBk^-;z3fiLSE>n03c<7d)s+w3+ zT$`z#S@DrIJ}3YfVKpu{pOeVo*-MO$GI>Htrj}>qv*~mHFK0viWKlf`nXPg_q52UL z2Rf(5K&Puy=*CwC-7nwrQ>}Nbrf9(5-o_kw_NY_LlUP|Sm$4Q_Tp+u*IOY@+6)Ea1b1j^NAt|3rWWBU~+X~D=K^dciF-vyS40}vZxq7%CW`oDF;UZxS z+^w(PIy_<^sSN1@38IQJ@n#Bwxlz1PD0O3|dy|zXwBChY#8=+jP>=yxgd_W{tsx_9 zi3#gt7jxP%jY{FX_4!hs7iXfGNk_tRMrbo+WsJ740lc!2_efdIta zSp-bSS;Mg0SV!yMe6k>OJV4h|lus+HP<=lR&kjYxGjjul(;%a_{0j@<`S#HVCvRb? zOZ6T?Gb+PP<6}aOzcA=lh>w@leWKmm)$!&`&4tPnW5(YRtt)DG12Vurtb75fR&8*V z8>x>ma)0JXP-wsX!Ot*PWShRpxY_s|a+>tzHc zJQ4Qc#ov-1pCC39Z`(X#N8E)D0jxTZ%6Y%ekDRk~iB^E1K+R4R+_IJpP7KMU)(OI{ z4u+cwJF3c(ooHy198`Dm!r@&HKBV2o_xA;CNU2(%cU`}a{r)ud+fI~6=(+qGhpRKo@}A=x=b0#X#c(4ikGbKB-y4*ia8; z>TRjGQWK`4S%3xI-lTWuw4SZfU)Oa^OJ|2i8RH7pGmb2sDFjtEKCO>GX`3towEz}t f#poLtCvYw6NN8aJSrDI))DfIvlNSsNuUbFR literal 0 HcmV?d00001 diff --git a/target/product/security/cts_uicc_2021.x509.pem b/target/product/security/cts_uicc_2021.x509.pem new file mode 100644 index 0000000000..744afea80e --- /dev/null +++ b/target/product/security/cts_uicc_2021.x509.pem 
@@ -0,0 +1,24 @@ +-----BEGIN CERTIFICATE----- +MIIECzCCAvOgAwIBAgIUHYLIIL60vWPD6aOBwZUcdbsae+cwDQYJKoZIhvcNAQEL +BQAwgZQxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQH +DA1Nb3VudGFpbiBWaWV3MRAwDgYDVQQKDAdBbmRyb2lkMRAwDgYDVQQLDAdBbmRy +b2lkMRAwDgYDVQQDDAdBbmRyb2lkMSIwIAYJKoZIhvcNAQkBFhNhbmRyb2lkQGFu +ZHJvaWQuY29tMB4XDTIxMDEyNjAwMjAyMVoXDTQ4MDYxMzAwMjAyMVowgZQxCzAJ +BgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1Nb3VudGFp +biBWaWV3MRAwDgYDVQQKDAdBbmRyb2lkMRAwDgYDVQQLDAdBbmRyb2lkMRAwDgYD +VQQDDAdBbmRyb2lkMSIwIAYJKoZIhvcNAQkBFhNhbmRyb2lkQGFuZHJvaWQuY29t +MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAlOMSHqBu0ihUDfFgwMfO +pJtpyxHe0KKfHRndUQcYU/1v6/auy2YqkgKv+AraoukuU3gJeOiWoaqaWFNcm6md +WfGRNT4oABhhNS43n5PI4NlLjI4yeUJJppZn5LPpc/8vZ0P8ZFE9CJmtckCh+hES +BzqnxkCnq1PoxlcF3S/f8lOtd6ymaMDf3sYcePaoU8yTWFksl7EWRVwhBUIf7/r8 +epbNiV14/aH2cQfHVfpf54TIdk7s0/ehVA70A5gQp7Utn6mY2zEJlMrTKWRqA/a5 +oYiob3y+v2JWNcljHY6twwDOGwW7G0NWJVtaWj76Z3o9RpIhAglivhOrHTflIU3+ +2QIDAQABo1MwUTAdBgNVHQ4EFgQUZJ1oGb33n/OY+Mm8ykci4I6c9OcwHwYDVR0j +BBgwFoAUZJ1oGb33n/OY+Mm8ykci4I6c9OcwDwYDVR0TAQH/BAUwAwEB/zANBgkq +hkiG9w0BAQsFAAOCAQEASajvU0KCN2kfATPV95LQVE3N/URPi/lX9MfQptE54E+R +6dHwHQIwU/fBFapAHfGgrpwUZftJO+Bad2iu5s1IhTJ0Q5v0yHdvWfo4EzVeMzPV ++/DWU786pPEomFkb9ZKhgVkFNPcbXlkUm/9HxRHPRTm8x+BE/75PKI+kh+pDmM+P +5v4W0qDKPgFzIY/D4F++gVyPZ3O+/GhunjsJozO+dvN+50FH6o/kBHm2+QqQNYPW +f232F3CYtH4uWI0TkbwmSvVGW8iOqh330Cef5zqwSdOkzybUirXFsHUu1Zad1aLT +t0mu6RgNEmX8efOQCcz2Z/on8lkIAxCBwLX7wkH5JA== +-----END CERTIFICATE-----
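Review bot: In the target/product/security/Android.bp hunk, the comment above the new `cts-uicc-2021-testkey` module names the UICC specification it targets but does not say that the matching private key (`cts_uicc_2021.pk8`) is checked in beside it, so a reader of this file alone cannot tell that this is a publicly known test key. Suggest adding a line to that comment stating it is a test-only key whose private half lives in this directory. The re-wrap of the existing "Google-owned certificate for CTS testing" comment is unrelated to the new certificate and could be dropped to keep the hunk minimal.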
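Review bot: In the target/product/security/README hunk, the new `make_key cts_uicc_2021` line uses exactly the same subject string as `testkey`, `platform`, `shared` and `media`, so the new certificate cannot be told apart from the old one by subject and only its fingerprint identifies it. Since the commit message describes the goal as a clean break between old and new CTS UICCs, suggest either a distinct CN for this key or a README sentence saying what cts_uicc_2021 is for, together with the SHA-256 fingerprint from the commit message. The four existing make_key lines appear to be removed and re-added with only whitespace changes; worth confirming that churn is intended.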
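Review bot: For target/product/security/cts_uicc_2021.pk8, the private key arrives as a 1217-byte binary literal, so nothing in the diff shows that it is the key behind `cts_uicc_2021.x509.pem`. Please confirm before submit that the public key in the certificate matches this file. Because the commit message ties this certificate to carrier privileges on the new CTS UICCs and the key is now in the tree, it would also help to state in this directory that cards trusting it are meant for test use only.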
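Review bot: For target/product/security/cts_uicc_2021.x509.pem, the SHA-1 and SHA-256 fingerprints quoted in the commit message cannot be checked by eye against the 24 added PEM lines, and the fingerprint is the only thing that distinguishes this certificate from `testkey`. Suggest recomputing both from the file as submitted (for example `openssl x509 -noout -fingerprint -sha256 -in cts_uicc_2021.x509.pem`) and comparing them with the commit message, since a mismatch would otherwise surface only later as the "lack of carrier privileges" failure the Test section describes for CtsCarrierApiTestCases.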