Gitiles
Code Review Sign In
gerrit.openfyde.cn / android.googlesource.com / platform / system / keymaster / 9d64ce401177cb32c62485ced52bd394a77b0edf / . / ng / AndroidRemotelyProvisionedComponentDevice.cpp
blob: ccd13d535504addee5ba51e1edb1e638d632e298 [file] [log] [blame]
Max Bires01799e02021-04-19 18:58:04 -0700[diff] [blame]1/*
2 * Copyright (C) 2021 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17#include "AndroidRemotelyProvisionedComponentDevice.h"
18
19#include <assert.h>
20#include <variant>
21
22#include <cppbor.h>
23#include <cppbor_parse.h>
24
25#include <KeyMintUtils.h>
26#include <keymaster/cppcose/cppcose.h>
27#include <keymaster/keymaster_configuration.h>
28
29#include <openssl/bn.h>
30#include <openssl/ec.h>
31#include <openssl/rand.h>
32#include <openssl/x509.h>
33
34namespace aidl::android::hardware::security::keymint {
35
Shawn Willden9a3792e2021-04-08 09:38:14 -0600[diff] [blame]36using keymaster::GenerateCsrRequest;
37using keymaster::GenerateCsrResponse;
38using keymaster::GenerateRkpKeyRequest;
39using keymaster::GenerateRkpKeyResponse;
40using keymaster::KeymasterBlob;
Max Bires01799e02021-04-19 18:58:04 -0700[diff] [blame]41using ::std::string;
Max Bires01799e02021-04-19 18:58:04 -0700[diff] [blame]42using ::std::unique_ptr;
Max Bires01799e02021-04-19 18:58:04 -0700[diff] [blame]43using ::std::vector;
44using bytevec = ::std::vector<uint8_t>;
45
Max Bires01799e02021-04-19 18:58:04 -0700[diff] [blame]46namespace {
47
48constexpr auto STATUS_FAILED = IRemotelyProvisionedComponent::STATUS_FAILED;
49
50struct AStatusDeleter {
51 void operator()(AStatus* p) { AStatus_delete(p); }
52};
53
54class Status {
55 public:
56 Status() : status_(AStatus_newOk()) {}
57 Status(int32_t errCode, const std::string& errMsg)
58 : status_(AStatus_fromServiceSpecificErrorWithMessage(errCode, errMsg.c_str())) {}
59 explicit Status(const std::string& errMsg)
60 : status_(AStatus_fromServiceSpecificErrorWithMessage(STATUS_FAILED, errMsg.c_str())) {}
61 explicit Status(AStatus* status) : status_(status ? status : AStatus_newOk()) {}
62
63 Status(Status&&) = default;
64 Status(const Status&) = delete;
65
Shawn Willden9a3792e2021-04-08 09:38:14 -0600[diff] [blame]66 operator ::ndk::ScopedAStatus() && { // NOLINT(google-explicit-constructor)
67 return ndk::ScopedAStatus(status_.release());
68 }
Max Bires01799e02021-04-19 18:58:04 -0700[diff] [blame]69
70 bool isOk() const { return AStatus_isOk(status_.get()); }
71
72 const char* getMessage() const { return AStatus_getMessage(status_.get()); }
73
74 private:
75 std::unique_ptr<AStatus, AStatusDeleter> status_;
76};
77
78} // namespace
79
80AndroidRemotelyProvisionedComponentDevice::AndroidRemotelyProvisionedComponentDevice(
81 const std::shared_ptr<AndroidKeyMintDevice>& keymint) {
82 impl_ = keymint->getKeymasterImpl();
83}
84
85ScopedAStatus AndroidRemotelyProvisionedComponentDevice::getHardwareInfo(RpcHardwareInfo* info) {
86 info->versionNumber = 1;
87 info->rpcAuthorName = "Google";
88 info->supportedEekCurve = RpcHardwareInfo::CURVE_25519;
89 return ScopedAStatus::ok();
90}
91
92ScopedAStatus AndroidRemotelyProvisionedComponentDevice::generateEcdsaP256KeyPair(
93 bool testMode, MacedPublicKey* macedPublicKey, bytevec* privateKeyHandle) {
94 GenerateRkpKeyRequest request(impl_->message_version());
95 request.test_mode = testMode;
96 GenerateRkpKeyResponse response(impl_->message_version());
97 impl_->GenerateRkpKey(request, &response);
98 if (response.error != KM_ERROR_OK) {
99 return Status(-static_cast<int32_t>(response.error), "Failure in key generation.");
100 }
101
102 macedPublicKey->macedKey = km_utils::kmBlob2vector(response.maced_public_key);
103 *privateKeyHandle = km_utils::kmBlob2vector(response.key_blob);
104 return ScopedAStatus::ok();
105}
106
107ScopedAStatus AndroidRemotelyProvisionedComponentDevice::generateCertificateRequest(
108 bool testMode, const vector<MacedPublicKey>& keysToSign, const bytevec& endpointEncCertChain,
109 const bytevec& challenge, DeviceInfo* deviceInfo, ProtectedData* protectedData,
110 bytevec* keysToSignMac) {
111 GenerateCsrRequest request(impl_->message_version());
112 request.test_mode = testMode;
113 request.num_keys = keysToSign.size();
114 request.keys_to_sign_array = new KeymasterBlob[keysToSign.size()];
115 for (size_t i = 0; i < keysToSign.size(); i++) {
116 request.SetKeyToSign(i, keysToSign[i].macedKey.data(), keysToSign[i].macedKey.size());
117 }
118 request.SetEndpointEncCertChain(endpointEncCertChain.data(), endpointEncCertChain.size());
119 request.SetChallenge(challenge.data(), challenge.size());
120 GenerateCsrResponse response(impl_->message_version());
121 impl_->GenerateCsr(request, &response);
122
123 if (response.error != KM_ERROR_OK) {
124 return Status(-static_cast<int32_t>(response.error), "Failure in CSR Generation.");
125 }
126 deviceInfo->deviceInfo = km_utils::kmBlob2vector(response.device_info_blob);
127 protectedData->protectedData = km_utils::kmBlob2vector(response.protected_data_blob);
128 *keysToSignMac = km_utils::kmBlob2vector(response.keys_to_sign_mac);
129 return ScopedAStatus::ok();
130}
131
132} // namespace aidl::android::hardware::security::keymint