authorJoseph Jang <josephjang@google.com>2021-09-01 16:50:09 +0800
committerJoseph Jang <josephjang@google.com>2021-09-06 18:27:08 +0800
commitdabb3c515fc17e358a19ff78cd3d7a6fccd0a15c (patch)
tree783ae8bc42632fa0f9dbf1ecbe2079531c784670 /identity/aidl/default/FakeSecureHardwareProxy.cpp
parent334a6134deb33e3ebdb1c5b5e1989a5e049ed3b2 (diff)
identity: Make NoS libeic and AOSP libeic align
1. Add an input parameter for the buffer size when encoding CBOR data, because the Nugget OS protobuf buffer is not null-terminated. 2. Modify some libeic APIs to align with the NoS libeic. Bug: 198403263 Test: atest VtsHalIdentityTargetTest atest android.security.identity.cts Change-Id: I9bc3689da2571c0925972f33b7314cbaaad0e28d
Diffstat (limited to 'identity/aidl/default/FakeSecureHardwareProxy.cpp')
-rw-r--r--identity/aidl/default/FakeSecureHardwareProxy.cpp82
1 files changed, 57 insertions, 25 deletions
diff --git a/identity/aidl/default/FakeSecureHardwareProxy.cpp b/identity/aidl/default/FakeSecureHardwareProxy.cpp
index 287ffb82e1..f0307dc324 100644
--- a/identity/aidl/default/FakeSecureHardwareProxy.cpp
+++ b/identity/aidl/default/FakeSecureHardwareProxy.cpp
@@ -70,6 +70,7 @@ bool FakeSecureHardwareProvisioningProxy::initialize(bool testCredential) {
bool FakeSecureHardwareProvisioningProxy::initializeForUpdate(
bool testCredential, string docType, vector<uint8_t> encryptedCredentialKeys) {
return eicProvisioningInitForUpdate(&ctx_, testCredential, docType.c_str(),
+ docType.size(),
encryptedCredentialKeys.data(),
encryptedCredentialKeys.size());
}
@@ -92,8 +93,11 @@ optional<vector<uint8_t>> FakeSecureHardwareProvisioningProxy::createCredentialK
bool FakeSecureHardwareProvisioningProxy::startPersonalization(
int accessControlProfileCount, vector<int> entryCounts, const string& docType,
size_t expectedProofOfProvisioningSize) {
- if (!eicProvisioningStartPersonalization(&ctx_, accessControlProfileCount, entryCounts.data(),
- entryCounts.size(), docType.c_str(),
+
+ if (!eicProvisioningStartPersonalization(&ctx_, accessControlProfileCount,
+ entryCounts.data(),
+ entryCounts.size(),
+ docType.c_str(), docType.size(),
expectedProofOfProvisioningSize)) {
return false;
}
@@ -105,9 +109,11 @@ optional<vector<uint8_t>> FakeSecureHardwareProvisioningProxy::addAccessControlP
int id, const vector<uint8_t>& readerCertificate, bool userAuthenticationRequired,
uint64_t timeoutMillis, uint64_t secureUserId) {
vector<uint8_t> mac(28);
+ uint8_t scratchSpace[512];
if (!eicProvisioningAddAccessControlProfile(
&ctx_, id, readerCertificate.data(), readerCertificate.size(),
- userAuthenticationRequired, timeoutMillis, secureUserId, mac.data())) {
+ userAuthenticationRequired, timeoutMillis, secureUserId, mac.data(),
+ scratchSpace, sizeof(scratchSpace))) {
return {};
}
return mac;
@@ -117,9 +123,15 @@ bool FakeSecureHardwareProvisioningProxy::beginAddEntry(const vector<int>& acces
const string& nameSpace, const string& name,
uint64_t entrySize) {
uint8_t scratchSpace[512];
- return eicProvisioningBeginAddEntry(&ctx_, accessControlProfileIds.data(),
- accessControlProfileIds.size(), nameSpace.c_str(),
- name.c_str(), entrySize, scratchSpace, sizeof scratchSpace);
+ vector<uint8_t> uint8AccessControlProfileIds;
+ for (size_t i = 0; i < accessControlProfileIds.size(); i++) {
+ uint8AccessControlProfileIds.push_back(accessControlProfileIds[i] & 0xFF);
+ }
+
+ return eicProvisioningBeginAddEntry(&ctx_, uint8AccessControlProfileIds.data(),
+ uint8AccessControlProfileIds.size(), nameSpace.c_str(),
+ nameSpace.size(), name.c_str(), name.size(), entrySize,
+ scratchSpace, sizeof(scratchSpace));
}
// Returns encryptedContent.
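Review bot: The new loop that builds uint8AccessControlProfileIds masks each id with `& 0xFF`, so an id outside 0..255 (including a negative one) is silently aliased onto a different profile id instead of being rejected, and libeic then evaluates access control against the wrong profile. These ids arrive from the HAL client, so the proxy should fail closed rather than narrow: `if (accessControlProfileIds[i] < 0 || accessControlProfileIds[i] > 0xFF) return false;` inside the loop, with `return {};` in the identical loops added to addEntryValue and retrieveEntryValue and the access-check failure result in startRetrieveEntryValue. The same conversion loop is now pasted into four functions; a file-local `static` helper returning `optional<vector<uint8_t>>` (with a `reserve` on the output) would keep the range check in one place. beginAddEntry's signature begins before this hunk.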
@@ -128,11 +140,16 @@ optional<vector<uint8_t>> FakeSecureHardwareProvisioningProxy::addEntryValue(
const vector<uint8_t>& content) {
vector<uint8_t> eicEncryptedContent;
uint8_t scratchSpace[512];
+ vector<uint8_t> uint8AccessControlProfileIds;
+ for (size_t i = 0; i < accessControlProfileIds.size(); i++) {
+ uint8AccessControlProfileIds.push_back(accessControlProfileIds[i] & 0xFF);
+ }
+
eicEncryptedContent.resize(content.size() + 28);
if (!eicProvisioningAddEntryValue(
- &ctx_, accessControlProfileIds.data(), accessControlProfileIds.size(),
- nameSpace.c_str(), name.c_str(), content.data(), content.size(),
- eicEncryptedContent.data(), scratchSpace, sizeof scratchSpace)) {
+ &ctx_, uint8AccessControlProfileIds.data(), uint8AccessControlProfileIds.size(),
+ nameSpace.c_str(), nameSpace.size(), name.c_str(), name.size(), content.data(),
+ content.size(), eicEncryptedContent.data(), scratchSpace, sizeof(scratchSpace))) {
return {};
}
return eicEncryptedContent;
@@ -152,7 +169,7 @@ optional<vector<uint8_t>> FakeSecureHardwareProvisioningProxy::finishGetCredenti
const string& docType) {
vector<uint8_t> encryptedCredentialKeys(116);
size_t size = encryptedCredentialKeys.size();
- if (!eicProvisioningFinishGetCredentialData(&ctx_, docType.c_str(),
+ if (!eicProvisioningFinishGetCredentialData(&ctx_, docType.c_str(), docType.size(),
encryptedCredentialKeys.data(), &size)) {
return {};
}
@@ -170,7 +187,7 @@ bool FakeSecureHardwarePresentationProxy::initialize(bool testCredential, string
vector<uint8_t> encryptedCredentialKeys) {
LOG(INFO) << "FakeSecureHardwarePresentationProxy created, sizeof(EicPresentation): "
<< sizeof(EicPresentation);
- return eicPresentationInit(&ctx_, testCredential, docType.c_str(),
+ return eicPresentationInit(&ctx_, testCredential, docType.c_str(), docType.size(),
encryptedCredentialKeys.data(), encryptedCredentialKeys.size());
}
@@ -181,8 +198,9 @@ FakeSecureHardwarePresentationProxy::generateSigningKeyPair(string docType, time
size_t publicKeyCertSize = sizeof(publicKeyCert);
vector<uint8_t> signingKeyBlob(60);
- if (!eicPresentationGenerateSigningKeyPair(&ctx_, docType.c_str(), now, publicKeyCert,
- &publicKeyCertSize, signingKeyBlob.data())) {
+ if (!eicPresentationGenerateSigningKeyPair(&ctx_, docType.c_str(), docType.size(), now,
+ publicKeyCert, &publicKeyCertSize,
+ signingKeyBlob.data())) {
return {};
}
@@ -244,10 +262,12 @@ optional<bool> FakeSecureHardwarePresentationProxy::validateAccessControlProfile
int id, const vector<uint8_t>& readerCertificate, bool userAuthenticationRequired,
int timeoutMillis, uint64_t secureUserId, const vector<uint8_t>& mac) {
bool accessGranted = false;
+ uint8_t scratchSpace[512];
if (!eicPresentationValidateAccessControlProfile(&ctx_, id, readerCertificate.data(),
readerCertificate.size(),
userAuthenticationRequired, timeoutMillis,
- secureUserId, mac.data(), &accessGranted)) {
+ secureUserId, mac.data(), &accessGranted,
+ scratchSpace, sizeof(scratchSpace))) {
return {};
}
return accessGranted;
@@ -267,7 +287,7 @@ bool FakeSecureHardwarePresentationProxy::calcMacKey(
}
return eicPresentationCalcMacKey(&ctx_, sessionTranscript.data(), sessionTranscript.size(),
readerEphemeralPublicKey.data(), signingKeyBlob.data(),
- docType.c_str(), numNamespacesWithValues,
+ docType.c_str(), docType.size(), numNamespacesWithValues,
expectedProofOfProvisioningSize);
}
@@ -275,10 +295,16 @@ AccessCheckResult FakeSecureHardwarePresentationProxy::startRetrieveEntryValue(
const string& nameSpace, const string& name, unsigned int newNamespaceNumEntries,
int32_t entrySize, const vector<int32_t>& accessControlProfileIds) {
uint8_t scratchSpace[512];
+ vector<uint8_t> uint8AccessControlProfileIds;
+ for (size_t i = 0; i < accessControlProfileIds.size(); i++) {
+ uint8AccessControlProfileIds.push_back(accessControlProfileIds[i] & 0xFF);
+ }
+
EicAccessCheckResult result = eicPresentationStartRetrieveEntryValue(
- &ctx_, nameSpace.c_str(), name.c_str(), newNamespaceNumEntries, entrySize,
- accessControlProfileIds.data(), accessControlProfileIds.size(), scratchSpace,
- sizeof scratchSpace);
+ &ctx_, nameSpace.c_str(), nameSpace.size(), name.c_str(), name.size(),
+ newNamespaceNumEntries, entrySize, uint8AccessControlProfileIds.data(),
+ uint8AccessControlProfileIds.size(), scratchSpace,
+ sizeof(scratchSpace));
switch (result) {
case EIC_ACCESS_CHECK_RESULT_OK:
return AccessCheckResult::kOk;
@@ -299,12 +325,18 @@ optional<vector<uint8_t>> FakeSecureHardwarePresentationProxy::retrieveEntryValu
const vector<uint8_t>& encryptedContent, const string& nameSpace, const string& name,
const vector<int32_t>& accessControlProfileIds) {
uint8_t scratchSpace[512];
+ vector<uint8_t> uint8AccessControlProfileIds;
+ for (size_t i = 0; i < accessControlProfileIds.size(); i++) {
+ uint8AccessControlProfileIds.push_back(accessControlProfileIds[i] & 0xFF);
+ }
+
vector<uint8_t> content;
content.resize(encryptedContent.size() - 28);
if (!eicPresentationRetrieveEntryValue(
&ctx_, encryptedContent.data(), encryptedContent.size(), content.data(),
- nameSpace.c_str(), name.c_str(), accessControlProfileIds.data(),
- accessControlProfileIds.size(), scratchSpace, sizeof scratchSpace)) {
+ nameSpace.c_str(), nameSpace.size(), name.c_str(), name.size(),
+ uint8AccessControlProfileIds.data(), uint8AccessControlProfileIds.size(),
+ scratchSpace, sizeof(scratchSpace))) {
return {};
}
return content;
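Review bot: `content.resize(encryptedContent.size() - 28)` is untouched context, but it is on the path this hunk reworks and it wraps when the caller-supplied encryptedContent is shorter than the 28-byte overhead that addEntryValue adds, turning the subtraction into a near-SIZE_MAX allocation (bad_alloc/abort) instead of a clean failure. Since the rewritten call already returns an empty optional on a libeic failure, a size guard ahead of the resize fits the existing style: `if (encryptedContent.size() < 28) return {};`. retrieveEntryValue's signature begins before this hunk.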
@@ -324,9 +356,9 @@ optional<vector<uint8_t>> FakeSecureHardwarePresentationProxy::deleteCredential(
const string& docType, const vector<uint8_t>& challenge, bool includeChallenge,
size_t proofOfDeletionCborSize) {
vector<uint8_t> signatureOfToBeSigned(EIC_ECDSA_P256_SIGNATURE_SIZE);
- if (!eicPresentationDeleteCredential(&ctx_, docType.c_str(), challenge.data(), challenge.size(),
- includeChallenge, proofOfDeletionCborSize,
- signatureOfToBeSigned.data())) {
+ if (!eicPresentationDeleteCredential(&ctx_, docType.c_str(), docType.size(), challenge.data(),
+ challenge.size(), includeChallenge,
+ proofOfDeletionCborSize, signatureOfToBeSigned.data())) {
return {};
}
return signatureOfToBeSigned;
@@ -336,8 +368,8 @@ optional<vector<uint8_t>> FakeSecureHardwarePresentationProxy::proveOwnership(
const string& docType, bool testCredential, const vector<uint8_t>& challenge,
size_t proofOfOwnershipCborSize) {
vector<uint8_t> signatureOfToBeSigned(EIC_ECDSA_P256_SIGNATURE_SIZE);
- if (!eicPresentationProveOwnership(&ctx_, docType.c_str(), testCredential, challenge.data(),
- challenge.size(), proofOfOwnershipCborSize,
+ if (!eicPresentationProveOwnership(&ctx_, docType.c_str(), docType.size(), testCredential,
+ challenge.data(), challenge.size(), proofOfOwnershipCborSize,
signatureOfToBeSigned.data())) {
return {};
}