1 /*
2 * Copyright 2021, The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17 #include <trusty_keymaster/TrustyRemotelyProvisionedComponentDevice.h>
18
19 #include <assert.h>
20 #include <variant>
21
22 #include <KeyMintUtils.h>
23 #include <keymaster/keymaster_configuration.h>
24
25 #include <trusty_keymaster/TrustyKeyMintDevice.h>
26
27 namespace aidl::android::hardware::security::keymint::trusty {
28
29 using keymaster::GenerateCsrRequest;
30 using keymaster::GenerateCsrResponse;
31 using keymaster::GenerateRkpKeyRequest;
32 using keymaster::GenerateRkpKeyResponse;
33 using keymaster::KeymasterBlob;
34 using ::std::string;
35 using ::std::unique_ptr;
36 using ::std::vector;
37 using bytevec = ::std::vector<uint8_t>;
38
39 namespace {
40
41 constexpr auto STATUS_FAILED = IRemotelyProvisionedComponent::STATUS_FAILED;
42
43 struct AStatusDeleter {
operator ()aidl::android::hardware::security::keymint::trusty::__anon0592a4820111::AStatusDeleter44 void operator()(AStatus* p) { AStatus_delete(p); }
45 };
46
47 class Status {
48 public:
Status()49 Status() : status_(AStatus_newOk()) {}
Status(int32_t errCode,const std::string & errMsg)50 Status(int32_t errCode, const std::string& errMsg)
51 : status_(AStatus_fromServiceSpecificErrorWithMessage(errCode, errMsg.c_str())) {}
Status(const std::string & errMsg)52 explicit Status(const std::string& errMsg)
53 : status_(AStatus_fromServiceSpecificErrorWithMessage(STATUS_FAILED, errMsg.c_str())) {}
Status(AStatus * status)54 explicit Status(AStatus* status) : status_(status ? status : AStatus_newOk()) {}
55
56 Status(Status&&) = default;
57 Status(const Status&) = delete;
58
operator ::ndk::ScopedAStatus()59 operator ::ndk::ScopedAStatus() && { // NOLINT(google-explicit-constructor)
60 return ndk::ScopedAStatus(status_.release());
61 }
62
isOk() const63 bool isOk() const { return AStatus_isOk(status_.get()); }
64
getMessage() const65 const char* getMessage() const { return AStatus_getMessage(status_.get()); }
66
67 private:
68 std::unique_ptr<AStatus, AStatusDeleter> status_;
69 };
70
71 } // namespace
72
getHardwareInfo(RpcHardwareInfo * info)73 ScopedAStatus TrustyRemotelyProvisionedComponentDevice::getHardwareInfo(RpcHardwareInfo* info) {
74 info->versionNumber = 1;
75 info->rpcAuthorName = "Google";
76 info->supportedEekCurve = RpcHardwareInfo::CURVE_25519;
77 return ScopedAStatus::ok();
78 }
79
generateEcdsaP256KeyPair(bool testMode,MacedPublicKey * macedPublicKey,bytevec * privateKeyHandle)80 ScopedAStatus TrustyRemotelyProvisionedComponentDevice::generateEcdsaP256KeyPair(
81 bool testMode, MacedPublicKey* macedPublicKey, bytevec* privateKeyHandle) {
82 GenerateRkpKeyRequest request(impl_->message_version());
83 request.test_mode = testMode;
84 GenerateRkpKeyResponse response(impl_->message_version());
85 impl_->GenerateRkpKey(request, &response);
86 if (response.error != KM_ERROR_OK) {
87 return Status(-static_cast<int32_t>(response.error), "Failure in key generation.");
88 }
89
90 macedPublicKey->macedKey = km_utils::kmBlob2vector(response.maced_public_key);
91 *privateKeyHandle = km_utils::kmBlob2vector(response.key_blob);
92 return ScopedAStatus::ok();
93 }
94
generateCertificateRequest(bool testMode,const vector<MacedPublicKey> & keysToSign,const bytevec & endpointEncCertChain,const bytevec & challenge,DeviceInfo * deviceInfo,ProtectedData * protectedData,bytevec * keysToSignMac)95 ScopedAStatus TrustyRemotelyProvisionedComponentDevice::generateCertificateRequest(
96 bool testMode, const vector<MacedPublicKey>& keysToSign,
97 const bytevec& endpointEncCertChain, const bytevec& challenge, DeviceInfo* deviceInfo,
98 ProtectedData* protectedData, bytevec* keysToSignMac) {
99 GenerateCsrRequest request(impl_->message_version());
100 request.test_mode = testMode;
101 request.num_keys = keysToSign.size();
102 request.keys_to_sign_array = new KeymasterBlob[keysToSign.size()];
103 for (size_t i = 0; i < keysToSign.size(); i++) {
104 request.SetKeyToSign(i, keysToSign[i].macedKey.data(), keysToSign[i].macedKey.size());
105 }
106 request.SetEndpointEncCertChain(endpointEncCertChain.data(), endpointEncCertChain.size());
107 request.SetChallenge(challenge.data(), challenge.size());
108 GenerateCsrResponse response(impl_->message_version());
109 impl_->GenerateCsr(request, &response);
110
111 if (response.error != KM_ERROR_OK) {
112 return Status(-static_cast<int32_t>(response.error), "Failure in CSR Generation.");
113 }
114 deviceInfo->deviceInfo = km_utils::kmBlob2vector(response.device_info_blob);
115 protectedData->protectedData = km_utils::kmBlob2vector(response.protected_data_blob);
116 *keysToSignMac = km_utils::kmBlob2vector(response.keys_to_sign_mac);
117 return ScopedAStatus::ok();
118 }
119
120 } // namespace aidl::android::hardware::security::keymint::trusty
121