• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 /*
2  * Copyright (c) 2019, The Android Open Source Project
3  *
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at
7  *
8  *     http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */
16 
17 #define LOG_TAG "credstore"
18 
19 #include <algorithm>
20 #include <optional>
21 
22 #include <android-base/logging.h>
23 #include <android/hardware/security/keymint/IRemotelyProvisionedComponent.h>
24 #include <android/hardware/security/keymint/RpcHardwareInfo.h>
25 #include <binder/IPCThreadState.h>
26 #include <binder/IServiceManager.h>
27 #include <rkp/support/rkpd_client.h>
28 #include <vintf/VintfObject.h>
29 
30 #include "Credential.h"
31 #include "CredentialData.h"
32 #include "CredentialStore.h"
33 #include "Session.h"
34 #include "Util.h"
35 #include "WritableCredential.h"
36 
37 namespace android {
38 namespace security {
39 namespace identity {
40 namespace {
41 
42 using ::android::security::rkp::RemotelyProvisionedKey;
43 using ::android::security::rkp::support::getRpcKey;
44 
45 }  // namespace
46 
CredentialStore(const std::string & dataPath,sp<IIdentityCredentialStore> hal)47 CredentialStore::CredentialStore(const std::string& dataPath, sp<IIdentityCredentialStore> hal)
48     : dataPath_(dataPath), hal_(hal) {}
49 
init()50 bool CredentialStore::init() {
51     Status status = hal_->getHardwareInformation(&hwInfo_);
52     if (!status.isOk()) {
53         LOG(ERROR) << "Error getting hardware information: " << status.toString8();
54         return false;
55     }
56     halApiVersion_ = hal_->getInterfaceVersion();
57 
58     if (hwInfo_.isRemoteKeyProvisioningSupported) {
59         status = hal_->getRemotelyProvisionedComponent(&rpc_);
60         if (!status.isOk()) {
61             LOG(ERROR) << "Error getting remotely provisioned component: " << status;
62             return false;
63         }
64     }
65 
66     LOG(INFO) << "Connected to Identity Credential HAL with API version " << halApiVersion_
67               << " and name '" << hwInfo_.credentialStoreName << "' authored by '"
68               << hwInfo_.credentialStoreAuthorName << "' with chunk size " << hwInfo_.dataChunkSize
69               << " directoAccess set to " << (hwInfo_.isDirectAccess ? "true" : "false")
70               << " and remote key provisioning support "
71               << (hwInfo_.isRemoteKeyProvisioningSupported ? "enabled" : "disabled");
72     return true;
73 }
74 
~CredentialStore()75 CredentialStore::~CredentialStore() {}
76 
getSecurityHardwareInfo(SecurityHardwareInfoParcel * _aidl_return)77 Status CredentialStore::getSecurityHardwareInfo(SecurityHardwareInfoParcel* _aidl_return) {
78     SecurityHardwareInfoParcel info;
79     info.directAccess = hwInfo_.isDirectAccess;
80     info.supportedDocTypes = hwInfo_.supportedDocTypes;
81     *_aidl_return = info;
82     return Status::ok();
83 };
84 
createCredential(const std::string & credentialName,const std::string & docType,sp<IWritableCredential> * _aidl_return)85 Status CredentialStore::createCredential(const std::string& credentialName,
86                                          const std::string& docType,
87                                          sp<IWritableCredential>* _aidl_return) {
88     uid_t callingUid = android::IPCThreadState::self()->getCallingUid();
89     optional<bool> credentialExists =
90         CredentialData::credentialExists(dataPath_, callingUid, credentialName);
91     if (!credentialExists.has_value()) {
92         return Status::fromServiceSpecificError(
93             ERROR_GENERIC, "Error determining if credential with given name exists");
94     }
95     if (credentialExists.value()) {
96         return Status::fromServiceSpecificError(ERROR_ALREADY_PERSONALIZED,
97                                                 "Credential with given name already exists");
98     }
99 
100     if (hwInfo_.supportedDocTypes.size() > 0) {
101         if (std::find(hwInfo_.supportedDocTypes.begin(), hwInfo_.supportedDocTypes.end(),
102                       docType) == hwInfo_.supportedDocTypes.end()) {
103             return Status::fromServiceSpecificError(ERROR_DOCUMENT_TYPE_NOT_SUPPORTED,
104                                                     "No support for given document type");
105         }
106     }
107 
108     sp<IWritableIdentityCredential> halWritableCredential;
109     Status status = hal_->createCredential(docType, false, &halWritableCredential);
110     if (!status.isOk()) {
111         return halStatusToGenericError(status);
112     }
113 
114     if (hwInfo_.isRemoteKeyProvisioningSupported) {
115         status = setRemotelyProvisionedAttestationKey(halWritableCredential.get());
116         if (!status.isOk()) {
117             LOG(WARNING) << status.toString8()
118                          << "\nUnable to fetch remotely provisioned attestation key, falling back "
119                          << "to the factory-provisioned attestation key.";
120         }
121     }
122 
123     sp<IWritableCredential> writableCredential = new WritableCredential(
124         dataPath_, credentialName, docType, false, hwInfo_, halWritableCredential);
125     *_aidl_return = writableCredential;
126     return Status::ok();
127 }
128 
getCredentialCommon(const std::string & credentialName,int32_t cipherSuite,sp<IPresentationSession> halSessionBinder,sp<ICredential> * _aidl_return)129 Status CredentialStore::getCredentialCommon(const std::string& credentialName, int32_t cipherSuite,
130                                             sp<IPresentationSession> halSessionBinder,
131                                             sp<ICredential>* _aidl_return) {
132     *_aidl_return = nullptr;
133 
134     uid_t callingUid = android::IPCThreadState::self()->getCallingUid();
135     optional<bool> credentialExists =
136         CredentialData::credentialExists(dataPath_, callingUid, credentialName);
137     if (!credentialExists.has_value()) {
138         return Status::fromServiceSpecificError(
139             ERROR_GENERIC, "Error determining if credential with given name exists");
140     }
141     if (!credentialExists.value()) {
142         return Status::fromServiceSpecificError(ERROR_NO_SUCH_CREDENTIAL,
143                                                 "Credential with given name doesn't exist");
144     }
145 
146     // Note: IdentityCredentialStore.java's CipherSuite enumeration and CipherSuite from the
147     // HAL is manually kept in sync. So this cast is safe.
148     sp<Credential> credential =
149         new Credential(CipherSuite(cipherSuite), dataPath_, credentialName, callingUid, hwInfo_,
150                        hal_, halSessionBinder, halApiVersion_);
151 
152     Status loadStatus = credential->ensureOrReplaceHalBinder();
153     if (!loadStatus.isOk()) {
154         LOG(ERROR) << "Error loading credential";
155     } else {
156         *_aidl_return = credential;
157     }
158     return loadStatus;
159 }
160 
getCredentialByName(const std::string & credentialName,int32_t cipherSuite,sp<ICredential> * _aidl_return)161 Status CredentialStore::getCredentialByName(const std::string& credentialName, int32_t cipherSuite,
162                                             sp<ICredential>* _aidl_return) {
163     return getCredentialCommon(credentialName, cipherSuite, nullptr, _aidl_return);
164 }
165 
createPresentationSession(int32_t cipherSuite,sp<ISession> * _aidl_return)166 Status CredentialStore::createPresentationSession(int32_t cipherSuite, sp<ISession>* _aidl_return) {
167     sp<IPresentationSession> halPresentationSession;
168     Status status =
169         hal_->createPresentationSession(CipherSuite(cipherSuite), &halPresentationSession);
170     if (!status.isOk()) {
171         return halStatusToGenericError(status);
172     }
173 
174     *_aidl_return = new Session(cipherSuite, halPresentationSession, this);
175     return Status::ok();
176 }
177 
setRemotelyProvisionedAttestationKey(IWritableIdentityCredential * halWritableCredential)178 Status CredentialStore::setRemotelyProvisionedAttestationKey(
179     IWritableIdentityCredential* halWritableCredential) {
180     std::vector<uint8_t> keyBlob;
181     std::vector<uint8_t> encodedCertChain;
182     Status status;
183 
184     LOG(INFO) << "Fetching attestation key from RKPD";
185 
186     uid_t callingUid = android::IPCThreadState::self()->getCallingUid();
187     std::optional<RemotelyProvisionedKey> key = getRpcKey(rpc_, callingUid);
188     if (!key) {
189         return Status::fromServiceSpecificError(
190             ERROR_GENERIC, "Failed to get remotely provisioned attestation key");
191     }
192 
193     if (key->keyBlob.empty()) {
194         return Status::fromServiceSpecificError(
195             ERROR_GENERIC, "Remotely provisioned attestation key blob is empty");
196     }
197 
198     keyBlob = std::move(key->keyBlob);
199     encodedCertChain = std::move(key->encodedCertChain);
200 
201     status = halWritableCredential->setRemotelyProvisionedAttestationKey(keyBlob, encodedCertChain);
202     if (!status.isOk()) {
203         LOG(ERROR) << "Error setting remotely provisioned attestation key on credential";
204         return status;
205     }
206     return Status::ok();
207 }
208 
209 }  // namespace identity
210 }  // namespace security
211 }  // namespace android
212