1 // Copyright 2021, The Android Open Source Project
2 //
3 // Licensed under the Apache License, Version 2.0 (the "License");
4 // you may not use this file except in compliance with the License.
5 // You may obtain a copy of the License at
6 //
7 // http://www.apache.org/licenses/LICENSE-2.0
8 //
9 // Unless required by applicable law or agreed to in writing, software
10 // distributed under the License is distributed on an "AS IS" BASIS,
11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 // See the License for the specific language governing permissions and
13 // limitations under the License.
14
15 //! Implements get_attestation_key_info which loads remote provisioned or user
16 //! generated attestation keys.
17
18 use crate::database::{BlobMetaData, KeyEntryLoadBits, KeyType};
19 use crate::database::{KeyIdGuard, KeystoreDB};
20 use crate::error::{Error, ErrorCode};
21 use crate::permission::KeyPerm;
22 use crate::remote_provisioning::RemProvState;
23 use crate::utils::check_key_permission;
24 use android_hardware_security_keymint::aidl::android::hardware::security::keymint::{
25 AttestationKey::AttestationKey, Certificate::Certificate, KeyParameter::KeyParameter, Tag::Tag,
26 };
27 use android_system_keystore2::aidl::android::system::keystore2::{
28 Domain::Domain, KeyDescriptor::KeyDescriptor,
29 };
30 use anyhow::{Context, Result};
31 use keystore2_crypto::parse_subject_from_certificate;
32
33 /// KeyMint takes two different kinds of attestation keys. Remote provisioned keys
34 /// and those that have been generated by the user. Unfortunately, they need to be
35 /// handled quite differently, thus the different representations.
36 pub enum AttestationKeyInfo {
37 RemoteProvisioned {
38 attestation_key: AttestationKey,
39 attestation_certs: Certificate,
40 },
41 UserGenerated {
42 key_id_guard: KeyIdGuard,
43 blob: Vec<u8>,
44 blob_metadata: BlobMetaData,
45 issuer_subject: Vec<u8>,
46 },
47 }
48
49 /// This function loads and, optionally, assigns the caller's remote provisioned
50 /// attestation key if a challenge is present. Alternatively, if `attest_key_descriptor` is given,
51 /// it loads the user generated attestation key from the database.
get_attest_key_info( key: &KeyDescriptor, caller_uid: u32, attest_key_descriptor: Option<&KeyDescriptor>, params: &[KeyParameter], rem_prov_state: &RemProvState, db: &mut KeystoreDB, ) -> Result<Option<AttestationKeyInfo>>52 pub fn get_attest_key_info(
53 key: &KeyDescriptor,
54 caller_uid: u32,
55 attest_key_descriptor: Option<&KeyDescriptor>,
56 params: &[KeyParameter],
57 rem_prov_state: &RemProvState,
58 db: &mut KeystoreDB,
59 ) -> Result<Option<AttestationKeyInfo>> {
60 let challenge_present = params.iter().any(|kp| kp.tag == Tag::ATTESTATION_CHALLENGE);
61 match attest_key_descriptor {
62 None if challenge_present => rem_prov_state
63 .get_remotely_provisioned_attestation_key_and_certs(&key, caller_uid, params, db)
64 .context(concat!(
65 "In get_attest_key_and_cert_chain: ",
66 "Trying to get remotely provisioned attestation key."
67 ))
68 .map(|result| {
69 result.map(|(attestation_key, attestation_certs)| {
70 AttestationKeyInfo::RemoteProvisioned { attestation_key, attestation_certs }
71 })
72 }),
73 None => Ok(None),
74 Some(attest_key) => get_user_generated_attestation_key(&attest_key, caller_uid, db)
75 .context("In get_attest_key_and_cert_chain: Trying to load attest key")
76 .map(Some),
77 }
78 }
79
get_user_generated_attestation_key( key: &KeyDescriptor, caller_uid: u32, db: &mut KeystoreDB, ) -> Result<AttestationKeyInfo>80 fn get_user_generated_attestation_key(
81 key: &KeyDescriptor,
82 caller_uid: u32,
83 db: &mut KeystoreDB,
84 ) -> Result<AttestationKeyInfo> {
85 let (key_id_guard, blob, cert, blob_metadata) =
86 load_attest_key_blob_and_cert(&key, caller_uid, db)
87 .context("In get_user_generated_attestation_key: Failed to load blob and cert")?;
88
89 let issuer_subject: Vec<u8> = parse_subject_from_certificate(&cert).context(
90 "In get_user_generated_attestation_key: Failed to parse subject from certificate.",
91 )?;
92
93 Ok(AttestationKeyInfo::UserGenerated { key_id_guard, blob, issuer_subject, blob_metadata })
94 }
95
load_attest_key_blob_and_cert( key: &KeyDescriptor, caller_uid: u32, db: &mut KeystoreDB, ) -> Result<(KeyIdGuard, Vec<u8>, Vec<u8>, BlobMetaData)>96 fn load_attest_key_blob_and_cert(
97 key: &KeyDescriptor,
98 caller_uid: u32,
99 db: &mut KeystoreDB,
100 ) -> Result<(KeyIdGuard, Vec<u8>, Vec<u8>, BlobMetaData)> {
101 match key.domain {
102 Domain::BLOB => Err(Error::Km(ErrorCode::INVALID_ARGUMENT)).context(
103 "In load_attest_key_blob_and_cert: Domain::BLOB attestation keys not supported",
104 ),
105 _ => {
106 let (key_id_guard, mut key_entry) = db
107 .load_key_entry(
108 &key,
109 KeyType::Client,
110 KeyEntryLoadBits::BOTH,
111 caller_uid,
112 |k, av| check_key_permission(KeyPerm::use_(), k, &av),
113 )
114 .context("In load_attest_key_blob_and_cert: Failed to load key.")?;
115
116 let (blob, blob_metadata) =
117 key_entry.take_key_blob_info().ok_or_else(Error::sys).context(concat!(
118 "In load_attest_key_blob_and_cert: Successfully loaded key entry,",
119 " but KM blob was missing."
120 ))?;
121 let cert = key_entry.take_cert().ok_or_else(Error::sys).context(concat!(
122 "In load_attest_key_blob_and_cert: Successfully loaded key entry,",
123 " but cert was missing."
124 ))?;
125 Ok((key_id_guard, blob, cert, blob_metadata))
126 }
127 }
128 }
129