1 /*
2 * Copyright 2021, The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17 #include <trusty_keymaster/TrustyRemotelyProvisionedComponentDevice.h>
18
19 #include <assert.h>
20 #include <variant>
21
22 #include <KeyMintUtils.h>
23 #include <keymaster/keymaster_configuration.h>
24
25 #include <trusty_keymaster/TrustyKeyMintDevice.h>
26
27 namespace aidl::android::hardware::security::keymint::trusty {
28
29 using keymaster::GenerateCsrRequest;
30 using keymaster::GenerateCsrResponse;
31 using keymaster::GenerateCsrV2Request;
32 using keymaster::GenerateCsrV2Response;
33 using keymaster::GenerateRkpKeyRequest;
34 using keymaster::GenerateRkpKeyResponse;
35 using keymaster::GetHwInfoRequest;
36 using keymaster::GetHwInfoResponse;
37 using keymaster::KeymasterBlob;
38 using km_utils::kmError2ScopedAStatus;
39 using ::std::string;
40 using ::std::unique_ptr;
41 using ::std::vector;
42 using bytevec = ::std::vector<uint8_t>;
43
44 namespace {
45
46 constexpr auto STATUS_FAILED = IRemotelyProvisionedComponent::STATUS_FAILED;
47
48 struct AStatusDeleter {
operator ()aidl::android::hardware::security::keymint::trusty::__anon87cc6cbb0111::AStatusDeleter49 void operator()(AStatus* p) { AStatus_delete(p); }
50 };
51
52 class Status {
53 public:
Status()54 Status() : status_(AStatus_newOk()) {}
Status(int32_t errCode,const std::string & errMsg)55 Status(int32_t errCode, const std::string& errMsg)
56 : status_(AStatus_fromServiceSpecificErrorWithMessage(errCode, errMsg.c_str())) {}
Status(const std::string & errMsg)57 explicit Status(const std::string& errMsg)
58 : status_(AStatus_fromServiceSpecificErrorWithMessage(STATUS_FAILED, errMsg.c_str())) {}
Status(AStatus * status)59 explicit Status(AStatus* status) : status_(status ? status : AStatus_newOk()) {}
60
61 Status(Status&&) = default;
62 Status(const Status&) = delete;
63
operator ::ndk::ScopedAStatus()64 operator ::ndk::ScopedAStatus() && { // NOLINT(google-explicit-constructor)
65 return ndk::ScopedAStatus(status_.release());
66 }
67
isOk() const68 bool isOk() const { return AStatus_isOk(status_.get()); }
69
getMessage() const70 const char* getMessage() const { return AStatus_getMessage(status_.get()); }
71
72 private:
73 std::unique_ptr<AStatus, AStatusDeleter> status_;
74 };
75
76 } // namespace
77
getHardwareInfo(RpcHardwareInfo * info)78 ScopedAStatus TrustyRemotelyProvisionedComponentDevice::getHardwareInfo(RpcHardwareInfo* info) {
79 GetHwInfoResponse response = impl_->GetHwInfo();
80 if (response.error != KM_ERROR_OK) {
81 return Status(-static_cast<int32_t>(response.error), "Failed to get hardware info.");
82 }
83
84 info->versionNumber = response.version;
85 info->rpcAuthorName = std::move(response.rpcAuthorName);
86 info->supportedEekCurve = response.supportedEekCurve;
87 info->uniqueId = std::move(response.uniqueId);
88 info->supportedNumKeysInCsr = response.supportedNumKeysInCsr;
89 return ScopedAStatus::ok();
90 }
91
generateEcdsaP256KeyPair(bool testMode,MacedPublicKey * macedPublicKey,bytevec * privateKeyHandle)92 ScopedAStatus TrustyRemotelyProvisionedComponentDevice::generateEcdsaP256KeyPair(
93 bool testMode, MacedPublicKey* macedPublicKey, bytevec* privateKeyHandle) {
94 GenerateRkpKeyRequest request(impl_->message_version());
95 request.test_mode = testMode;
96 GenerateRkpKeyResponse response(impl_->message_version());
97 impl_->GenerateRkpKey(request, &response);
98 if (response.error != KM_ERROR_OK) {
99 return Status(-static_cast<int32_t>(response.error), "Failure in key generation.");
100 }
101
102 macedPublicKey->macedKey = km_utils::kmBlob2vector(response.maced_public_key);
103 *privateKeyHandle = km_utils::kmBlob2vector(response.key_blob);
104 return ScopedAStatus::ok();
105 }
106
generateCertificateRequest(bool testMode,const vector<MacedPublicKey> & keysToSign,const bytevec & endpointEncCertChain,const bytevec & challenge,DeviceInfo * deviceInfo,ProtectedData * protectedData,bytevec * keysToSignMac)107 ScopedAStatus TrustyRemotelyProvisionedComponentDevice::generateCertificateRequest(
108 bool testMode, const vector<MacedPublicKey>& keysToSign,
109 const bytevec& endpointEncCertChain, const bytevec& challenge, DeviceInfo* deviceInfo,
110 ProtectedData* protectedData, bytevec* keysToSignMac) {
111 GenerateCsrRequest request(impl_->message_version());
112 request.test_mode = testMode;
113 request.num_keys = keysToSign.size();
114 request.keys_to_sign_array = new KeymasterBlob[keysToSign.size()];
115 for (size_t i = 0; i < keysToSign.size(); i++) {
116 request.SetKeyToSign(i, keysToSign[i].macedKey.data(), keysToSign[i].macedKey.size());
117 }
118 request.SetEndpointEncCertChain(endpointEncCertChain.data(), endpointEncCertChain.size());
119 request.SetChallenge(challenge.data(), challenge.size());
120 GenerateCsrResponse response(impl_->message_version());
121 impl_->GenerateCsr(request, &response);
122
123 if (response.error != KM_ERROR_OK) {
124 return Status(-static_cast<int32_t>(response.error), "Failure in CSR Generation.");
125 }
126 deviceInfo->deviceInfo = km_utils::kmBlob2vector(response.device_info_blob);
127 protectedData->protectedData = km_utils::kmBlob2vector(response.protected_data_blob);
128 *keysToSignMac = km_utils::kmBlob2vector(response.keys_to_sign_mac);
129 return ScopedAStatus::ok();
130 }
131
generateCertificateRequestV2(const std::vector<MacedPublicKey> & keysToSign,const std::vector<uint8_t> & challenge,std::vector<uint8_t> * csr)132 ScopedAStatus TrustyRemotelyProvisionedComponentDevice::generateCertificateRequestV2(
133 const std::vector<MacedPublicKey>& keysToSign, const std::vector<uint8_t>& challenge,
134 std::vector<uint8_t>* csr) {
135 GenerateCsrV2Request request(impl_->message_version());
136 if (!request.InitKeysToSign(keysToSign.size())) {
137 return kmError2ScopedAStatus(static_cast<keymaster_error_t>(STATUS_FAILED));
138 }
139 for (size_t i = 0; i < keysToSign.size(); i++) {
140 request.SetKeyToSign(i, keysToSign[i].macedKey.data(), keysToSign[i].macedKey.size());
141 }
142 request.SetChallenge(challenge.data(), challenge.size());
143 GenerateCsrV2Response response(impl_->message_version());
144 impl_->GenerateCsrV2(request, &response);
145
146 if (response.error != KM_ERROR_OK) {
147 return Status(-static_cast<int32_t>(response.error), "Failure in CSR v2 generation.");
148 }
149 *csr = km_utils::kmBlob2vector(response.csr);
150 return ScopedAStatus::ok();
151 }
152
153 } // namespace aidl::android::hardware::security::keymint::trusty
154