1 /*
2 * Copyright 2021, The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17 #include <trusty_keymaster/TrustyRemotelyProvisionedComponentDevice.h>
18
19 #include <assert.h>
20 #include <variant>
21
22 #include <KeyMintUtils.h>
23 #include <keymaster/keymaster_configuration.h>
24
25 #include <trusty_keymaster/TrustyKeyMintDevice.h>
26
27 namespace aidl::android::hardware::security::keymint::trusty {
28
29 using keymaster::GenerateCsrRequest;
30 using keymaster::GenerateCsrResponse;
31 using keymaster::GenerateRkpKeyRequest;
32 using keymaster::GenerateRkpKeyResponse;
33 using keymaster::KeymasterBlob;
34 using ::std::string;
35 using ::std::unique_ptr;
36 using ::std::vector;
37 using bytevec = ::std::vector<uint8_t>;
38
39 namespace {
40
41 constexpr auto STATUS_FAILED = IRemotelyProvisionedComponent::STATUS_FAILED;
42
43 struct AStatusDeleter {
operator ()aidl::android::hardware::security::keymint::trusty::__anon4fc9e5670111::AStatusDeleter44 void operator()(AStatus* p) { AStatus_delete(p); }
45 };
46
47 class Status {
48 public:
Status()49 Status() : status_(AStatus_newOk()) {}
Status(int32_t errCode,const std::string & errMsg)50 Status(int32_t errCode, const std::string& errMsg)
51 : status_(AStatus_fromServiceSpecificErrorWithMessage(errCode, errMsg.c_str())) {}
Status(const std::string & errMsg)52 explicit Status(const std::string& errMsg)
53 : status_(AStatus_fromServiceSpecificErrorWithMessage(STATUS_FAILED, errMsg.c_str())) {}
Status(AStatus * status)54 explicit Status(AStatus* status) : status_(status ? status : AStatus_newOk()) {}
55
56 Status(Status&&) = default;
57 Status(const Status&) = delete;
58
operator ::ndk::ScopedAStatus()59 operator ::ndk::ScopedAStatus() && { // NOLINT(google-explicit-constructor)
60 return ndk::ScopedAStatus(status_.release());
61 }
62
isOk() const63 bool isOk() const { return AStatus_isOk(status_.get()); }
64
getMessage() const65 const char* getMessage() const { return AStatus_getMessage(status_.get()); }
66
67 private:
68 std::unique_ptr<AStatus, AStatusDeleter> status_;
69 };
70
71 } // namespace
72
getHardwareInfo(RpcHardwareInfo * info)73 ScopedAStatus TrustyRemotelyProvisionedComponentDevice::getHardwareInfo(RpcHardwareInfo* info) {
74 info->versionNumber = 2;
75 info->rpcAuthorName = "Google";
76 info->supportedEekCurve = RpcHardwareInfo::CURVE_25519;
77 info->uniqueId = "Trusty: My password is ******";
78 return ScopedAStatus::ok();
79 }
80
generateEcdsaP256KeyPair(bool testMode,MacedPublicKey * macedPublicKey,bytevec * privateKeyHandle)81 ScopedAStatus TrustyRemotelyProvisionedComponentDevice::generateEcdsaP256KeyPair(
82 bool testMode, MacedPublicKey* macedPublicKey, bytevec* privateKeyHandle) {
83 GenerateRkpKeyRequest request(impl_->message_version());
84 request.test_mode = testMode;
85 GenerateRkpKeyResponse response(impl_->message_version());
86 impl_->GenerateRkpKey(request, &response);
87 if (response.error != KM_ERROR_OK) {
88 return Status(-static_cast<int32_t>(response.error), "Failure in key generation.");
89 }
90
91 macedPublicKey->macedKey = km_utils::kmBlob2vector(response.maced_public_key);
92 *privateKeyHandle = km_utils::kmBlob2vector(response.key_blob);
93 return ScopedAStatus::ok();
94 }
95
generateCertificateRequest(bool testMode,const vector<MacedPublicKey> & keysToSign,const bytevec & endpointEncCertChain,const bytevec & challenge,DeviceInfo * deviceInfo,ProtectedData * protectedData,bytevec * keysToSignMac)96 ScopedAStatus TrustyRemotelyProvisionedComponentDevice::generateCertificateRequest(
97 bool testMode, const vector<MacedPublicKey>& keysToSign,
98 const bytevec& endpointEncCertChain, const bytevec& challenge, DeviceInfo* deviceInfo,
99 ProtectedData* protectedData, bytevec* keysToSignMac) {
100 GenerateCsrRequest request(impl_->message_version());
101 request.test_mode = testMode;
102 request.num_keys = keysToSign.size();
103 request.keys_to_sign_array = new KeymasterBlob[keysToSign.size()];
104 for (size_t i = 0; i < keysToSign.size(); i++) {
105 request.SetKeyToSign(i, keysToSign[i].macedKey.data(), keysToSign[i].macedKey.size());
106 }
107 request.SetEndpointEncCertChain(endpointEncCertChain.data(), endpointEncCertChain.size());
108 request.SetChallenge(challenge.data(), challenge.size());
109 GenerateCsrResponse response(impl_->message_version());
110 impl_->GenerateCsr(request, &response);
111
112 if (response.error != KM_ERROR_OK) {
113 return Status(-static_cast<int32_t>(response.error), "Failure in CSR Generation.");
114 }
115 deviceInfo->deviceInfo = km_utils::kmBlob2vector(response.device_info_blob);
116 protectedData->protectedData = km_utils::kmBlob2vector(response.protected_data_blob);
117 *keysToSignMac = km_utils::kmBlob2vector(response.keys_to_sign_mac);
118 return ScopedAStatus::ok();
119 }
120
121 } // namespace aidl::android::hardware::security::keymint::trusty
122