Gitiles
Code Review Sign In
review.blissroms.org / platform_system_keymaster / refs/heads/17 / . / ng / AndroidRemotelyProvisionedComponentDevice.cpp
blob: c8d4070412b9e3723c2d6f5d1161c7a648a2d3e6 [file] [log] [blame]
Max Bires01799e02021-04-19 18:58:04 -0700[diff] [blame]1/*
2 * Copyright (C) 2021 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17#include "AndroidRemotelyProvisionedComponentDevice.h"
18
19#include <assert.h>
20#include <variant>
21
22#include <cppbor.h>
23#include <cppbor_parse.h>
24
25#include <KeyMintUtils.h>
26#include <keymaster/cppcose/cppcose.h>
27#include <keymaster/keymaster_configuration.h>
28
29#include <openssl/bn.h>
30#include <openssl/ec.h>
31#include <openssl/rand.h>
32#include <openssl/x509.h>
33
34namespace aidl::android::hardware::security::keymint {
35
Shawn Willden9a3792e2021-04-08 09:38:14 -0600[diff] [blame]36using keymaster::GenerateCsrRequest;
37using keymaster::GenerateCsrResponse;
Tri Vo6cad4b42022-09-28 11:18:14 -0700[diff] [blame]38using keymaster::GenerateCsrV2Request;
39using keymaster::GenerateCsrV2Response;
Shawn Willden9a3792e2021-04-08 09:38:14 -0600[diff] [blame]40using keymaster::GenerateRkpKeyRequest;
41using keymaster::GenerateRkpKeyResponse;
Tri Vo4ae0b0c2022-10-11 17:16:04 -0700[diff] [blame]42using keymaster::GetHwInfoRequest;
43using keymaster::GetHwInfoResponse;
Shawn Willden9a3792e2021-04-08 09:38:14 -0600[diff] [blame]44using keymaster::KeymasterBlob;
Max Bires01799e02021-04-19 18:58:04 -0700[diff] [blame]45using ::std::string;
Max Bires01799e02021-04-19 18:58:04 -0700[diff] [blame]46using ::std::unique_ptr;
Max Bires01799e02021-04-19 18:58:04 -0700[diff] [blame]47using ::std::vector;
48using bytevec = ::std::vector<uint8_t>;
49
Max Bires01799e02021-04-19 18:58:04 -0700[diff] [blame]50namespace {
51
52constexpr auto STATUS_FAILED = IRemotelyProvisionedComponent::STATUS_FAILED;
53
54struct AStatusDeleter {
55 void operator()(AStatus* p) { AStatus_delete(p); }
56};
57
58class Status {
59 public:
60 Status() : status_(AStatus_newOk()) {}
61 Status(int32_t errCode, const std::string& errMsg)
62 : status_(AStatus_fromServiceSpecificErrorWithMessage(errCode, errMsg.c_str())) {}
63 explicit Status(const std::string& errMsg)
64 : status_(AStatus_fromServiceSpecificErrorWithMessage(STATUS_FAILED, errMsg.c_str())) {}
65 explicit Status(AStatus* status) : status_(status ? status : AStatus_newOk()) {}
66
67 Status(Status&&) = default;
68 Status(const Status&) = delete;
69
Shawn Willden9a3792e2021-04-08 09:38:14 -0600[diff] [blame]70 operator ::ndk::ScopedAStatus() && { // NOLINT(google-explicit-constructor)
71 return ndk::ScopedAStatus(status_.release());
72 }
Max Bires01799e02021-04-19 18:58:04 -0700[diff] [blame]73
74 bool isOk() const { return AStatus_isOk(status_.get()); }
75
76 const char* getMessage() const { return AStatus_getMessage(status_.get()); }
77
78 private:
79 std::unique_ptr<AStatus, AStatusDeleter> status_;
80};
81
82} // namespace
83
84AndroidRemotelyProvisionedComponentDevice::AndroidRemotelyProvisionedComponentDevice(
85 const std::shared_ptr<AndroidKeyMintDevice>& keymint) {
86 impl_ = keymint->getKeymasterImpl();
87}
88
89ScopedAStatus AndroidRemotelyProvisionedComponentDevice::getHardwareInfo(RpcHardwareInfo* info) {
Tri Vo4ae0b0c2022-10-11 17:16:04 -0700[diff] [blame]90 GetHwInfoResponse response = impl_->GetHwInfo();
91 if (response.error != KM_ERROR_OK) {
92 return Status(-static_cast<int32_t>(response.error), "Failed to get hardware info.");
93 }
94
95 info->versionNumber = response.version;
96 info->rpcAuthorName = response.rpcAuthorName;
97 info->supportedEekCurve = response.supportedEekCurve;
98 info->uniqueId = response.uniqueId;
Tri Voe5fb9052023-03-09 15:19:50 -0800[diff] [blame]99 info->supportedNumKeysInCsr = response.supportedNumKeysInCsr;
Max Bires01799e02021-04-19 18:58:04 -0700[diff] [blame]100 return ScopedAStatus::ok();
101}
102
103ScopedAStatus AndroidRemotelyProvisionedComponentDevice::generateEcdsaP256KeyPair(
104 bool testMode, MacedPublicKey* macedPublicKey, bytevec* privateKeyHandle) {
105 GenerateRkpKeyRequest request(impl_->message_version());
106 request.test_mode = testMode;
107 GenerateRkpKeyResponse response(impl_->message_version());
108 impl_->GenerateRkpKey(request, &response);
109 if (response.error != KM_ERROR_OK) {
110 return Status(-static_cast<int32_t>(response.error), "Failure in key generation.");
111 }
112
113 macedPublicKey->macedKey = km_utils::kmBlob2vector(response.maced_public_key);
114 *privateKeyHandle = km_utils::kmBlob2vector(response.key_blob);
115 return ScopedAStatus::ok();
116}
117
118ScopedAStatus AndroidRemotelyProvisionedComponentDevice::generateCertificateRequest(
119 bool testMode, const vector<MacedPublicKey>& keysToSign, const bytevec& endpointEncCertChain,
120 const bytevec& challenge, DeviceInfo* deviceInfo, ProtectedData* protectedData,
121 bytevec* keysToSignMac) {
122 GenerateCsrRequest request(impl_->message_version());
123 request.test_mode = testMode;
124 request.num_keys = keysToSign.size();
David Drysdaleb80ef352022-01-24 08:07:34 +0000[diff] [blame]125 request.keys_to_sign_array = new (std::nothrow) KeymasterBlob[keysToSign.size()];
David Drysdale01d2e132022-01-25 09:46:45 +0000[diff] [blame]126 if (request.keys_to_sign_array == nullptr) {
127 return km_utils::kmError2ScopedAStatus(KM_ERROR_MEMORY_ALLOCATION_FAILED);
128 }
Max Bires01799e02021-04-19 18:58:04 -0700[diff] [blame]129 for (size_t i = 0; i < keysToSign.size(); i++) {
130 request.SetKeyToSign(i, keysToSign[i].macedKey.data(), keysToSign[i].macedKey.size());
131 }
132 request.SetEndpointEncCertChain(endpointEncCertChain.data(), endpointEncCertChain.size());
133 request.SetChallenge(challenge.data(), challenge.size());
134 GenerateCsrResponse response(impl_->message_version());
135 impl_->GenerateCsr(request, &response);
136
137 if (response.error != KM_ERROR_OK) {
138 return Status(-static_cast<int32_t>(response.error), "Failure in CSR Generation.");
139 }
140 deviceInfo->deviceInfo = km_utils::kmBlob2vector(response.device_info_blob);
141 protectedData->protectedData = km_utils::kmBlob2vector(response.protected_data_blob);
142 *keysToSignMac = km_utils::kmBlob2vector(response.keys_to_sign_mac);
143 return ScopedAStatus::ok();
144}
145
Tri Vo6cad4b42022-09-28 11:18:14 -0700[diff] [blame]146ScopedAStatus AndroidRemotelyProvisionedComponentDevice::generateCertificateRequestV2(
147 const std::vector<MacedPublicKey>& keysToSign, const std::vector<uint8_t>& challenge,
148 std::vector<uint8_t>* csr) {
149 GenerateCsrV2Request request(impl_->message_version());
150 if (!request.InitKeysToSign(keysToSign.size())) {
151 return km_utils::kmError2ScopedAStatus(static_cast<keymaster_error_t>(STATUS_FAILED));
152 }
153 for (size_t i = 0; i < keysToSign.size(); i++) {
154 request.SetKeyToSign(i, keysToSign[i].macedKey.data(), keysToSign[i].macedKey.size());
155 }
156 request.SetChallenge(challenge.data(), challenge.size());
157 GenerateCsrV2Response response(impl_->message_version());
158 impl_->GenerateCsrV2(request, &response);
159
160 if (response.error != KM_ERROR_OK) {
161 return Status(-static_cast<int32_t>(response.error), "Failure in CSR v2 generation.");
162 }
163 *csr = km_utils::kmBlob2vector(response.csr);
164 return ScopedAStatus::ok();
165}
166
Max Bires01799e02021-04-19 18:58:04 -0700[diff] [blame]167} // namespace aidl::android::hardware::security::keymint