1 /*
2 * Copyright (C) 2021 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17 #include <aidl/android/hardware/security/keymint/RpcHardwareInfo.h>
18 #include <cppbor.h>
19 #include <cppbor_parse.h>
20 #include <keymaster/cppcose/cppcose.h>
21 #include <keymaster/keymaster_configuration.h>
22 #include <openssl/bn.h>
23 #include <openssl/ec.h>
24 #include <openssl/rand.h>
25 #include <openssl/x509.h>
26
27 #include <variant>
28
29 #include "KeyMintUtils.h"
30 #include "android/binder_auto_utils.h"
31 #include "remote_remotely_provisioned_component.h"
32
33 namespace aidl::android::hardware::security::keymint {
34 namespace {
35 using namespace cppcose;
36 using namespace keymaster;
37
38 using ::aidl::android::hardware::security::keymint::km_utils::kmBlob2vector;
39 using ::aidl::android::hardware::security::keymint::km_utils::
40 kmError2ScopedAStatus;
41 using ::ndk::ScopedAStatus;
42
43 // Error codes from the provisioning stack are negated.
toKeymasterError(const KeymasterResponse & response)44 ndk::ScopedAStatus toKeymasterError(const KeymasterResponse& response) {
45 auto error =
46 static_cast<keymaster_error_t>(-static_cast<int32_t>(response.error));
47 return kmError2ScopedAStatus(error);
48 }
49
50 } // namespace
51
RemoteRemotelyProvisionedComponent(keymaster::RemoteKeymaster & impl)52 RemoteRemotelyProvisionedComponent::RemoteRemotelyProvisionedComponent(
53 keymaster::RemoteKeymaster& impl)
54 : impl_(impl) {}
55
getHardwareInfo(RpcHardwareInfo * info)56 ScopedAStatus RemoteRemotelyProvisionedComponent::getHardwareInfo(
57 RpcHardwareInfo* info) {
58 GetHwInfoResponse response = impl_.GetHwInfo();
59 if (response.error != KM_ERROR_OK) {
60 return toKeymasterError(response);
61 }
62
63 info->versionNumber = response.version;
64 info->rpcAuthorName = response.rpcAuthorName;
65 info->supportedEekCurve = response.supportedEekCurve;
66 info->uniqueId = response.uniqueId;
67 info->supportedNumKeysInCsr = response.supportedNumKeysInCsr;
68 return ScopedAStatus::ok();
69 }
70
generateEcdsaP256KeyPair(bool testMode,MacedPublicKey * macedPublicKey,std::vector<uint8_t> * privateKeyHandle)71 ScopedAStatus RemoteRemotelyProvisionedComponent::generateEcdsaP256KeyPair(
72 bool testMode, MacedPublicKey* macedPublicKey,
73 std::vector<uint8_t>* privateKeyHandle) {
74 GenerateRkpKeyRequest request(impl_.message_version());
75 request.test_mode = testMode;
76 GenerateRkpKeyResponse response(impl_.message_version());
77 impl_.GenerateRkpKey(request, &response);
78 if (response.error != KM_ERROR_OK) {
79 return toKeymasterError(response);
80 }
81
82 macedPublicKey->macedKey = km_utils::kmBlob2vector(response.maced_public_key);
83 *privateKeyHandle = km_utils::kmBlob2vector(response.key_blob);
84 return ScopedAStatus::ok();
85 }
86
generateCertificateRequest(bool testMode,const std::vector<MacedPublicKey> & keysToSign,const std::vector<uint8_t> & endpointEncCertChain,const std::vector<uint8_t> & challenge,DeviceInfo * deviceInfo,ProtectedData * protectedData,std::vector<uint8_t> * keysToSignMac)87 ScopedAStatus RemoteRemotelyProvisionedComponent::generateCertificateRequest(
88 bool testMode, const std::vector<MacedPublicKey>& keysToSign,
89 const std::vector<uint8_t>& endpointEncCertChain,
90 const std::vector<uint8_t>& challenge, DeviceInfo* deviceInfo,
91 ProtectedData* protectedData, std::vector<uint8_t>* keysToSignMac) {
92 GenerateCsrRequest request(impl_.message_version());
93 request.test_mode = testMode;
94 request.num_keys = keysToSign.size();
95 request.keys_to_sign_array = new KeymasterBlob[keysToSign.size()];
96 for (size_t i = 0; i < keysToSign.size(); i++) {
97 request.SetKeyToSign(i, keysToSign[i].macedKey.data(),
98 keysToSign[i].macedKey.size());
99 }
100 request.SetEndpointEncCertChain(endpointEncCertChain.data(),
101 endpointEncCertChain.size());
102 request.SetChallenge(challenge.data(), challenge.size());
103 GenerateCsrResponse response(impl_.message_version());
104 impl_.GenerateCsr(request, &response);
105
106 if (response.error != KM_ERROR_OK) {
107 return toKeymasterError(response);
108 }
109 deviceInfo->deviceInfo = km_utils::kmBlob2vector(response.device_info_blob);
110 protectedData->protectedData =
111 km_utils::kmBlob2vector(response.protected_data_blob);
112 *keysToSignMac = km_utils::kmBlob2vector(response.keys_to_sign_mac);
113 return ScopedAStatus::ok();
114 }
115
generateCertificateRequestV2(const std::vector<MacedPublicKey> & keysToSign,const std::vector<uint8_t> & challenge,std::vector<uint8_t> * csr)116 ScopedAStatus RemoteRemotelyProvisionedComponent::generateCertificateRequestV2(
117 const std::vector<MacedPublicKey>& keysToSign,
118 const std::vector<uint8_t>& challenge, std::vector<uint8_t>* csr) {
119 GenerateCsrV2Request request(impl_.message_version());
120 if (!request.InitKeysToSign(keysToSign.size())) {
121 return kmError2ScopedAStatus(static_cast<keymaster_error_t>(
122 BnRemotelyProvisionedComponent::STATUS_FAILED));
123 }
124
125 for (size_t i = 0; i < keysToSign.size(); i++) {
126 request.SetKeyToSign(i, keysToSign[i].macedKey.data(),
127 keysToSign[i].macedKey.size());
128 }
129 request.SetChallenge(challenge.data(), challenge.size());
130 GenerateCsrV2Response response(impl_.message_version());
131 impl_.GenerateCsrV2(request, &response);
132
133 if (response.error != KM_ERROR_OK) {
134 return toKeymasterError(response);
135 }
136 *csr = km_utils::kmBlob2vector(response.csr);
137 return ScopedAStatus::ok();
138 }
139
140 } // namespace aidl::android::hardware::security::keymint
141