author | Seth Moore <sethmo@google.com> | 2022-01-25 22:44:24 +0000 |
---|---|---|
committer | Seth Moore <sethmo@google.com> | 2022-01-25 22:44:24 +0000 |
commit | be32113307d67f54e594e5322f85b65e4e2c4fdb (patch) | |
tree | a9b8786c217a28e6c47f127ae518109cc98c3a41 /identity | |
parent | b5b69f0e009388fccb000a9a8aac5a38dbbd2726 (diff) |
Revert "Add remote key provisioning to the IC HAL"
Revert "Add dependency on keymint cpp lib"
Revert "Allow default identity service to call keymint"
Revert submission 1956689-add rkp to identity-default
Reason for revert: Broke git-master. Will resubmit later.
Reverted Changes:
I96dcf3027:Add remote key provisioning to the IC HAL
Id686ac33a:Add dependency on keymint cpp lib
Ib368a2a00:Log to logd in the default identity service
I7d2906de0:Refactor IC support for RKP
Iae0f14f1c:Fix formatting of identity credential aidl
I01d086a4b:Allow default identity service to call keymint
Change-Id: I76a898c04090c5befe5fb5a5d07ec2e397fdd8b3
Diffstat (limited to 'identity')
28 files changed, 59 insertions, 508 deletions
diff --git a/identity/aidl/Android.bp b/identity/aidl/Android.bp index e3b819125a..dad3b8d74c 100644 --- a/identity/aidl/Android.bp +++ b/identity/aidl/Android.bp @@ -15,7 +15,6 @@ aidl_interface { ], imports: [ "android.hardware.keymaster", - "android.hardware.security.keymint", ], stability: "vintf", backend: { @@ -26,7 +25,6 @@ aidl_interface { vndk: { enabled: true, }, - apps_enabled: false, }, }, versions: [ diff --git a/identity/aidl/aidl_api/android.hardware.identity/current/android/hardware/identity/HardwareInformation.aidl b/identity/aidl/aidl_api/android.hardware.identity/current/android/hardware/identity/HardwareInformation.aidl index 9b96ea8a68..cd8d56b5bd 100644 --- a/identity/aidl/aidl_api/android.hardware.identity/current/android/hardware/identity/HardwareInformation.aidl +++ b/identity/aidl/aidl_api/android.hardware.identity/current/android/hardware/identity/HardwareInformation.aidl @@ -39,5 +39,4 @@ parcelable HardwareInformation { int dataChunkSize; boolean isDirectAccess; @utf8InCpp String[] supportedDocTypes; - boolean isRemoteKeyProvisioningSupported = false; } diff --git a/identity/aidl/aidl_api/android.hardware.identity/current/android/hardware/identity/IIdentityCredentialStore.aidl b/identity/aidl/aidl_api/android.hardware.identity/current/android/hardware/identity/IIdentityCredentialStore.aidl index 31ca8b10f3..c912c526ab 100644 --- a/identity/aidl/aidl_api/android.hardware.identity/current/android/hardware/identity/IIdentityCredentialStore.aidl +++ b/identity/aidl/aidl_api/android.hardware.identity/current/android/hardware/identity/IIdentityCredentialStore.aidl 
@@ -38,7 +38,6 @@ interface IIdentityCredentialStore { android.hardware.identity.IWritableIdentityCredential createCredential(in @utf8InCpp String docType, in boolean testCredential); android.hardware.identity.IIdentityCredential getCredential(in android.hardware.identity.CipherSuite cipherSuite, in byte[] credentialData); android.hardware.identity.IPresentationSession createPresentationSession(in android.hardware.identity.CipherSuite cipherSuite); - android.hardware.security.keymint.IRemotelyProvisionedComponent getRemotelyProvisionedComponent(); const int STATUS_OK = 0; const int STATUS_FAILED = 1; const int STATUS_CIPHER_SUITE_NOT_SUPPORTED = 2; diff --git a/identity/aidl/aidl_api/android.hardware.identity/current/android/hardware/identity/IWritableIdentityCredential.aidl b/identity/aidl/aidl_api/android.hardware.identity/current/android/hardware/identity/IWritableIdentityCredential.aidl index 5377349a52..9a0fa9e9e5 100644 --- a/identity/aidl/aidl_api/android.hardware.identity/current/android/hardware/identity/IWritableIdentityCredential.aidl +++ b/identity/aidl/aidl_api/android.hardware.identity/current/android/hardware/identity/IWritableIdentityCredential.aidl @@ -41,5 +41,4 @@ interface IWritableIdentityCredential { byte[] addEntryValue(in byte[] content); @SuppressWarnings(value={"out-array"}) void finishAddingEntries(out byte[] credentialData, out byte[] proofOfProvisioningSignature); void setExpectedProofOfProvisioningSize(in int expectedProofOfProvisioningSize); - void setRemotelyProvisionedAttestationKey(in byte[] attestationKeyBlob, in byte[] attestationCertificate); } diff --git a/identity/aidl/android/hardware/identity/HardwareInformation.aidl b/identity/aidl/android/hardware/identity/HardwareInformation.aidl index acd13b6da6..d67739d94a 100644 --- a/identity/aidl/android/hardware/identity/HardwareInformation.aidl +++ b/identity/aidl/android/hardware/identity/HardwareInformation.aidl 
@@ -51,19 +51,4 @@ parcelable HardwareInformation {
 *
 */
 @utf8InCpp String[] supportedDocTypes;
-
- /**
- * isRemoteKeyProvisioningSupported indicates whether or not the underlying implementation
- * supports a remotely provisioned key for attestation or not. If this field is false, then
- * the implementation only uses a factory-installed, fixed attestation key. If this field is
- * true, then an IRemotelyProvisionedComponent is associated with the IIdentityCredentialStore,
- * and a remotely provisioned key blob may be provided for credential key attestation.
- *
- * Note that remote provisioning is not required, even when it is supported. Implementations
- * MUST use a factory-installed attestation key as a fallback for when there are no
- * remotely provisioned keys available. This behavior mirrors keystore key attestation.
- *
- * This field was added in API version 4.
- */
- boolean isRemoteKeyProvisioningSupported = false;
 }
diff --git a/identity/aidl/android/hardware/identity/IIdentityCredentialStore.aidl b/identity/aidl/android/hardware/identity/IIdentityCredentialStore.aidl
index d3e4da04a0..959ee02b9d 100644
--- a/identity/aidl/android/hardware/identity/IIdentityCredentialStore.aidl
+++ b/identity/aidl/android/hardware/identity/IIdentityCredentialStore.aidl
@@ -21,7 +21,6 @@ import android.hardware.identity.HardwareInformation;
 import android.hardware.identity.IIdentityCredential;
 import android.hardware.identity.IPresentationSession;
 import android.hardware.identity.IWritableIdentityCredential;
-import android.hardware.security.keymint.IRemotelyProvisionedComponent;
 /**
 * IIdentityCredentialStore provides an interface to a secure store for user identity documents.
@@ -264,23 +263,4 @@ interface IIdentityCredentialStore {
 * @return an IPresentationSession interface.
 */
 IPresentationSession createPresentationSession(in CipherSuite cipherSuite);
-
- /**
- * Fetch the IRemotelyProvisionedComponent that is used to generate attestation keys for
- * remote provisionining. Keys generated by this component are to be certified by a remote
- * provisionined authority, then used to attest to credential keys via
- * IWritableIdentityCredential.setRemotelyProvisionedAttestationKey.
- *
- * Support for this method is indicated by HardwareInformation. If the
- * |isRemoteKeyProvisioningSupported| field is false, this method will fail with
- * EX_UNSUPPORTED_OPERATION.
- *
- * This method was added in API version 4.
- *
- * @see
- * android.hardware.identity.IWritableIdentityCredential#setRemotelyProvisionedAttestationKey
- *
- * @return an IRemotelyProvisionedComponent that is used to generate attestation keys.
- */
- IRemotelyProvisionedComponent getRemotelyProvisionedComponent();
 }
diff --git a/identity/aidl/android/hardware/identity/IWritableIdentityCredential.aidl b/identity/aidl/android/hardware/identity/IWritableIdentityCredential.aidl
index 756b008aa5..9dec3122c7 100644
--- a/identity/aidl/android/hardware/identity/IWritableIdentityCredential.aidl
+++ b/identity/aidl/android/hardware/identity/IWritableIdentityCredential.aidl
@@ -335,36 +335,4 @@ interface IWritableIdentityCredential { * @param expectedProofOfProvisioningSize the expected size of ProofOfProvisioning. */ void setExpectedProofOfProvisioningSize(in int expectedProofOfProvisioningSize); - - /** - * Sets the attestation key used to sign the credentialKey certificate. This method is used to - * support remotely provisioned attestation keys, removing the credential's dependency on any - * factory-provisioned attestation key. - * - * This method must be called before getAttestationCertificate. After this method is called, - * the certificate chain returned by getAttestationCertificate will contain a leaf certificate - * signed by attestationKeyBlob and the chain in attestationCertificate will make up the rest - * of the returned chain. - * - * Returns EX_UNSUPPORTED_FUNCTION if remote provisioning is not supported - * (see IIdentityCredentialStore.getHardwareInformation()). - * - * This method was added in API version 4. - * - * @param attestationKeyBlob is a key blob generated by the IRemotelyProvisionedComponent that - * is returned by ICredentialStore.getRemotelyProvisionedComponent. The format is vendor- - * specified, and matches the key blob returned by IKeyMintDevice.generateKey. - * - * @param attestationCertificate contains the X.509 certificate chain that certifies the - * attestationKeyBlob. This certificate is expected to have been remotely provisioned - * by a trusted authority. This parameter must contain a concatenated chain of DER-encoded - * X.509 certificates. The certificates must be ordered such that the attestation key - * certificate is first (starting at byte 0). The issuer certificate for the attestation - * certificate immediately follows, continuing this chain to the final, root certificate. 
- * - * @see getAttestationCertificate - * @see android.hardware.identity.ICredentialStore#getRemotelyProvisionedComponent - */ - void setRemotelyProvisionedAttestationKey( - in byte[] attestationKeyBlob, in byte[] attestationCertificate); } diff --git a/identity/aidl/default/Android.bp b/identity/aidl/default/Android.bp index 32b35439ef..ca24afa6cc 100644 --- a/identity/aidl/default/Android.bp +++ b/identity/aidl/default/Android.bp @@ -42,7 +42,6 @@ cc_library_static { "android.hardware.identity-support-lib", "android.hardware.identity-V4-ndk", "android.hardware.keymaster-V4-ndk", - "android.hardware.security.keymint-V2-ndk", ], } @@ -82,9 +81,6 @@ cc_binary { init_rc: ["identity-default.rc"], vintf_fragments: ["identity-default.xml"], vendor: true, - defaults: [ - "keymint_use_latest_hal_aidl_ndk_static", - ], cflags: [ "-Wall", "-Wextra", diff --git a/identity/aidl/default/EicOpsImpl.cc b/identity/aidl/default/EicOpsImpl.cc index 3fd9f1dcee..c98a91ebc3 100644 --- a/identity/aidl/default/EicOpsImpl.cc +++ b/identity/aidl/default/EicOpsImpl.cc 
@@ -267,42 +267,25 @@ bool eicOpsCreateEcKey(uint8_t privateKey[EIC_P256_PRIV_KEY_SIZE], bool eicOpsCreateCredentialKey(uint8_t privateKey[EIC_P256_PRIV_KEY_SIZE], const uint8_t* challenge, size_t challengeSize, const uint8_t* applicationId, - size_t applicationIdSize, bool testCredential, - const uint8_t* attestationKeyBlob, size_t attestationKeyBlobSize, - const uint8_t* attestationKeyCert, size_t attestationKeyCertSize, - uint8_t* cert, size_t* certSize) { - vector<uint8_t> flatChain; - vector<uint8_t> keyPair; - vector<uint8_t> challengeVec(challenge, challenge + challengeSize); - vector<uint8_t> applicationIdVec(applicationId, applicationId + applicationIdSize); - if (attestationKeyBlob && attestationKeyBlobSize > 0 && attestationKeyCert && - attestationKeyCertSize > 0) { - vector<uint8_t> attestationKeyBlobVec(attestationKeyBlob, - attestationKeyBlob + attestationKeyBlobSize); - vector<uint8_t> attestationKeyCertVec(attestationKeyCert, - attestationKeyCert + attestationKeyCertSize); - optional<std::pair<vector<uint8_t>, vector<uint8_t>>> keyAndCert = - android::hardware::identity::support::createEcKeyPairWithAttestationKey( - challengeVec, applicationIdVec, attestationKeyBlobVec, - attestationKeyCertVec, testCredential); - if (!keyAndCert) { - eicDebug("Error generating CredentialKey and attestation"); - return false; - } - keyPair = std::move(keyAndCert->first); - flatChain = std::move(keyAndCert->second); - } else { - optional<std::pair<vector<uint8_t>, vector<vector<uint8_t>>>> ret = - android::hardware::identity::support::createEcKeyPairAndAttestation( - challengeVec, applicationIdVec, testCredential); - if (!ret) { - eicDebug("Error generating CredentialKey and attestation"); - return false; - } - keyPair = std::move(ret->first); - flatChain = android::hardware::identity::support::certificateChainJoin(ret->second); + size_t applicationIdSize, bool testCredential, uint8_t* cert, + size_t* certSize) { + vector<uint8_t> challengeVec(challengeSize); + 
memcpy(challengeVec.data(), challenge, challengeSize); + + vector<uint8_t> applicationIdVec(applicationIdSize); + memcpy(applicationIdVec.data(), applicationId, applicationIdSize); + + optional<std::pair<vector<uint8_t>, vector<vector<uint8_t>>>> ret = + android::hardware::identity::support::createEcKeyPairAndAttestation( + challengeVec, applicationIdVec, testCredential); + if (!ret) { + eicDebug("Error generating CredentialKey and attestation"); + return false; } + // Extract certificate chain. + vector<uint8_t> flatChain = + android::hardware::identity::support::certificateChainJoin(ret.value().second); if (*certSize < flatChain.size()) { eicDebug("Buffer for certificate is only %zd bytes long, need %zd bytes", *certSize, flatChain.size()); @@ -313,7 +296,7 @@ bool eicOpsCreateCredentialKey(uint8_t privateKey[EIC_P256_PRIV_KEY_SIZE], const // Extract private key. optional<vector<uint8_t>> privKey = - android::hardware::identity::support::ecKeyPairGetPrivateKey(keyPair); + android::hardware::identity::support::ecKeyPairGetPrivateKey(ret.value().first); if (!privKey) { eicDebug("Error extracting private key"); return false; @@ -537,12 +520,10 @@ bool eicOpsHkdf(const uint8_t* sharedSecret, size_t sharedSecretSize, const uint #ifdef EIC_DEBUG void eicPrint(const char* format, ...) { - char buf[1024]; va_list args; va_start(args, format); - vsnprintf(buf, sizeof(buf), format, args); + vfprintf(stderr, format, args); va_end(args); - LOG(INFO) << buf; } void eicHexdump(const char* message, const uint8_t* data, size_t dataSize) { diff --git a/identity/aidl/default/FakeSecureHardwareProxy.cpp b/identity/aidl/default/FakeSecureHardwareProxy.cpp index 9b9a749427..91e634c0c3 100644 --- a/identity/aidl/default/FakeSecureHardwareProxy.cpp +++ b/identity/aidl/default/FakeSecureHardwareProxy.cpp 
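Review bot: In the restored `eicOpsCreateCredentialKey` the two `memcpy` calls in the first hunk run unconditionally, so a zero-length challenge or applicationId that arrives as a null pointer is handed to memcpy with size 0, which is undefined behaviour even though nothing is copied; the caller visible in this diff passes `applicationId.data()`, which may be null for an empty vector. Guarding each copy, `if (challengeSize > 0) memcpy(challengeVec.data(), challenge, challengeSize);` and `if (applicationIdSize > 0) memcpy(applicationIdVec.data(), applicationId, applicationIdSize);`, removes that case. The context line that follows formats `size_t` values with `%zd`; `%zu` is the matching conversion, though that line is not touched by this commit. The function's body continues past the end of the first hunk.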
@@ -155,11 +155,7 @@ optional<vector<uint8_t>> FakeSecureHardwareProvisioningProxy::createCredentialK size_t publicKeyCertSize = sizeof publicKeyCert; if (!eicProvisioningCreateCredentialKey(&ctx_, challenge.data(), challenge.size(), applicationId.data(), applicationId.size(), - /*attestationKeyBlob=*/nullptr, - /*attestationKeyBlobSize=*/0, - /*attestationKeyCert=*/nullptr, - /*attestationKeyCertSize=*/0, publicKeyCert, - &publicKeyCertSize)) { + publicKeyCert, &publicKeyCertSize)) { return std::nullopt; } vector<uint8_t> pubKeyCert(publicKeyCertSize); @@ -167,23 +163,6 @@ optional<vector<uint8_t>> FakeSecureHardwareProvisioningProxy::createCredentialK return pubKeyCert; } -optional<vector<uint8_t>> FakeSecureHardwareProvisioningProxy::createCredentialKeyUsingRkp( - const vector<uint8_t>& challenge, const vector<uint8_t>& applicationId, - const vector<uint8_t>& attestationKeyBlob, const vector<uint8_t>& attstationKeyCert) { - size_t publicKeyCertSize = 4096; - vector<uint8_t> publicKeyCert(publicKeyCertSize); - if (!eicProvisioningCreateCredentialKey(&ctx_, challenge.data(), challenge.size(), - applicationId.data(), applicationId.size(), - attestationKeyBlob.data(), attestationKeyBlob.size(), - attstationKeyCert.data(), attstationKeyCert.size(), - publicKeyCert.data(), &publicKeyCertSize)) { - LOG(ERROR) << "error creating credential key"; - return std::nullopt; - } - publicKeyCert.resize(publicKeyCertSize); - return publicKeyCert; -} - bool FakeSecureHardwareProvisioningProxy::startPersonalization( int accessControlProfileCount, const vector<int>& entryCounts, const string& docType, size_t expectedProofOfProvisioningSize) { diff --git a/identity/aidl/default/FakeSecureHardwareProxy.h b/identity/aidl/default/FakeSecureHardwareProxy.h index 2512074b5f..df98c7a121 100644 --- a/identity/aidl/default/FakeSecureHardwareProxy.h +++ b/identity/aidl/default/FakeSecureHardwareProxy.h 
@@ -43,11 +43,6 @@ class FakeSecureHardwareProvisioningProxy : public SecureHardwareProvisioningPro optional<vector<uint8_t>> createCredentialKey(const vector<uint8_t>& challenge, const vector<uint8_t>& applicationId) override; - optional<vector<uint8_t>> createCredentialKeyUsingRkp( - const vector<uint8_t>& challenge, const vector<uint8_t>& applicationId, - const vector<uint8_t>& attestationKeyBlob, - const vector<uint8_t>& attestationKeyCert) override; - bool startPersonalization(int accessControlProfileCount, const vector<int>& entryCounts, const string& docType, size_t expectedProofOfProvisioningSize) override; diff --git a/identity/aidl/default/common/IdentityCredential.cpp b/identity/aidl/default/common/IdentityCredential.cpp index ff80752ee7..7678ecb918 100644 --- a/identity/aidl/default/common/IdentityCredential.cpp +++ b/identity/aidl/default/common/IdentityCredential.cpp @@ -1012,8 +1012,8 @@ ndk::ScopedAStatus IdentityCredential::updateCredential( IIdentityCredentialStore::STATUS_FAILED, "Error creating provisioning proxy")); } shared_ptr<WritableIdentityCredential> wc = - ndk::SharedRefBase::make<WritableIdentityCredential>( - provisioningHwProxy, docType_, testCredential_, hardwareInformation_); + ndk::SharedRefBase::make<WritableIdentityCredential>(provisioningHwProxy, docType_, + testCredential_); if (!wc->initializeForUpdate(encryptedCredentialKeys_)) { return ndk::ScopedAStatus(AStatus_fromServiceSpecificErrorWithMessage( IIdentityCredentialStore::STATUS_FAILED, diff --git a/identity/aidl/default/common/IdentityCredential.h b/identity/aidl/default/common/IdentityCredential.h index 592982991d..2935fb80a7 100644 --- a/identity/aidl/default/common/IdentityCredential.h +++ b/identity/aidl/default/common/IdentityCredential.h 
@@ -48,13 +48,11 @@ class IdentityCredential : public BnIdentityCredential { public: IdentityCredential(sp<SecureHardwareProxyFactory> hwProxyFactory, const vector<uint8_t>& credentialData, - std::shared_ptr<PresentationSession> session, - HardwareInformation hardwareInformation) + std::shared_ptr<PresentationSession> session) : hwProxyFactory_(hwProxyFactory), credentialData_(credentialData), session_(std::move(session)), numStartRetrievalCalls_(0), - hardwareInformation_(std::move(hardwareInformation)), expectedDeviceNameSpacesSize_(0) {} // Parses and decrypts credentialData_, return a status code from @@ -105,7 +103,6 @@ class IdentityCredential : public BnIdentityCredential { vector<uint8_t> credentialData_; shared_ptr<PresentationSession> session_; int numStartRetrievalCalls_; - HardwareInformation hardwareInformation_; // Set by initialize() string docType_; diff --git a/identity/aidl/default/common/IdentityCredentialStore.cpp b/identity/aidl/default/common/IdentityCredentialStore.cpp index bbc2cefb8f..4703ffe646 100644 --- a/identity/aidl/default/common/IdentityCredentialStore.cpp +++ b/identity/aidl/default/common/IdentityCredentialStore.cpp @@ -17,7 +17,6 @@ #define LOG_TAG "IdentityCredentialStore" #include <android-base/logging.h> -#include <android/binder_manager.h> #include "IdentityCredential.h" #include "IdentityCredentialStore.h" 
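Review bot: The restored `IdentityCredential` constructor in the first hunk copies the by-value `hwProxyFactory` strong pointer into `hwProxyFactory_` while the neighbouring `session_` member is move-initialized; `hwProxyFactory_(std::move(hwProxyFactory))` avoids the extra refcount round-trip and matches what `PresentationSession`'s constructor does elsewhere in this same commit. The same by-value-then-copy pattern is restored in IdentityCredentialStore.h (`hwProxyFactory_(hwProxyFactory)`) and WritableIdentityCredential.h (`hwProxy_(hwProxy)`), so the three could be brought into line together. The class bodies continue outside these hunks.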
@@ -26,24 +25,15 @@ namespace aidl::android::hardware::identity { -using ::aidl::android::hardware::security::keymint::IRemotelyProvisionedComponent; - -IdentityCredentialStore::IdentityCredentialStore(sp<SecureHardwareProxyFactory> hwProxyFactory, - optional<string> remotelyProvisionedComponent) - : hwProxyFactory_(hwProxyFactory), - remotelyProvisionedComponentName_(remotelyProvisionedComponent) { - hardwareInformation_.credentialStoreName = "Identity Credential Reference Implementation"; - hardwareInformation_.credentialStoreAuthorName = "Google"; - hardwareInformation_.dataChunkSize = kGcmChunkSize; - hardwareInformation_.isDirectAccess = false; - hardwareInformation_.supportedDocTypes = {}; - hardwareInformation_.isRemoteKeyProvisioningSupported = - remotelyProvisionedComponentName_.has_value(); -} - ndk::ScopedAStatus IdentityCredentialStore::getHardwareInformation( HardwareInformation* hardwareInformation) { - *hardwareInformation = hardwareInformation_; + HardwareInformation hw; + hw.credentialStoreName = "Identity Credential Reference Implementation"; + hw.credentialStoreAuthorName = "Google"; + hw.dataChunkSize = kGcmChunkSize; + hw.isDirectAccess = false; + hw.supportedDocTypes = {}; + *hardwareInformation = hw; return ndk::ScopedAStatus::ok(); } @@ -52,8 +42,7 @@ ndk::ScopedAStatus IdentityCredentialStore::createCredential( shared_ptr<IWritableIdentityCredential>* outWritableCredential) { sp<SecureHardwareProvisioningProxy> hwProxy = hwProxyFactory_->createProvisioningProxy(); shared_ptr<WritableIdentityCredential> wc = - ndk::SharedRefBase::make<WritableIdentityCredential>(hwProxy, docType, testCredential, - hardwareInformation_); + ndk::SharedRefBase::make<WritableIdentityCredential>(hwProxy, docType, testCredential); if (!wc->initialize()) { return ndk::ScopedAStatus(AStatus_fromServiceSpecificErrorWithMessage( IIdentityCredentialStore::STATUS_FAILED, 
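Review bot: `getHardwareInformation` in the first hunk fills a local `HardwareInformation hw` and then copies it into the out-parameter, which duplicates the string and vector fields for no benefit since the function has no failure path before the assignment. Writing into the target directly, `HardwareInformation& hw = *hardwareInformation;` in place of `HardwareInformation hw;` and dropping the final `*hardwareInformation = hw;`, keeps the field-by-field layout and removes the copy. If a later change adds an early return, the out-parameter would then be partially written, so that is the one reason to keep a local.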
@@ -74,7 +63,7 @@ ndk::ScopedAStatus IdentityCredentialStore::getCredential( } shared_ptr<IdentityCredential> credential = ndk::SharedRefBase::make<IdentityCredential>( - hwProxyFactory_, credentialData, nullptr /* session */, hardwareInformation_); + hwProxyFactory_, credentialData, nullptr /* session */); auto ret = credential->initialize(); if (ret != IIdentityCredentialStore::STATUS_OK) { return ndk::ScopedAStatus(AStatus_fromServiceSpecificErrorWithMessage( @@ -94,8 +83,8 @@ ndk::ScopedAStatus IdentityCredentialStore::createPresentationSession( } sp<SecureHardwareSessionProxy> hwProxy = hwProxyFactory_->createSessionProxy(); - shared_ptr<PresentationSession> session = ndk::SharedRefBase::make<PresentationSession>( - hwProxyFactory_, hwProxy, hardwareInformation_); + shared_ptr<PresentationSession> session = + ndk::SharedRefBase::make<PresentationSession>(hwProxyFactory_, hwProxy); auto ret = session->initialize(); if (ret != IIdentityCredentialStore::STATUS_OK) { return ndk::ScopedAStatus(AStatus_fromServiceSpecificErrorWithMessage( 
@@ -105,23 +94,4 @@ ndk::ScopedAStatus IdentityCredentialStore::createPresentationSession(
 return ndk::ScopedAStatus::ok();
 }
-ndk::ScopedAStatus IdentityCredentialStore::getRemotelyProvisionedComponent(
- shared_ptr<IRemotelyProvisionedComponent>* outRemotelyProvisionedComponent) {
- if (!remotelyProvisionedComponentName_) {
- return ndk::ScopedAStatus(AStatus_fromExceptionCodeWithMessage(
- EX_UNSUPPORTED_OPERATION, "Remote key provisioning is not supported"));
- }
-
- ndk::SpAIBinder binder(
- AServiceManager_waitForService(remotelyProvisionedComponentName_->c_str()));
- if (binder.get() == nullptr) {
- return ndk::ScopedAStatus(AStatus_fromServiceSpecificErrorWithMessage(
- IIdentityCredentialStore::STATUS_FAILED,
- "Unable to get remotely provisioned component"));
- }
-
- *outRemotelyProvisionedComponent = IRemotelyProvisionedComponent::fromBinder(binder);
- return ndk::ScopedAStatus::ok();
-}
-
 } // namespace aidl::android::hardware::identity
diff --git a/identity/aidl/default/common/IdentityCredentialStore.h b/identity/aidl/default/common/IdentityCredentialStore.h
index dd1261b750..77b894dbd6 100644
--- a/identity/aidl/default/common/IdentityCredentialStore.h
+++ b/identity/aidl/default/common/IdentityCredentialStore.h
@@ -18,7 +18,6 @@ #define ANDROID_HARDWARE_IDENTITY_IDENTITYCREDENTIALSTORE_H
 #include <aidl/android/hardware/identity/BnIdentityCredentialStore.h>
-#include <aidl/android/hardware/security/keymint/IRemotelyProvisionedComponent.h>
 #include "SecureHardwareProxy.h"
@@ -26,18 +25,14 @@ namespace aidl::android::hardware::identity { using ::android::sp; using ::android::hardware::identity::SecureHardwareProxyFactory; -using ::std::optional; using ::std::shared_ptr; using ::std::string; using ::std::vector; class IdentityCredentialStore : public BnIdentityCredentialStore { public: - // If remote key provisioning is supported, pass the service name for the correct - // IRemotelyProvisionedComponent to the remotelyProvisionedComponent parameter. Else - // pass std::nullopt to indicate remote key provisioning is not supported. - IdentityCredentialStore(sp<SecureHardwareProxyFactory> hwProxyFactory, - optional<string> remotelyProvisionedComponent); + IdentityCredentialStore(sp<SecureHardwareProxyFactory> hwProxyFactory) + : hwProxyFactory_(hwProxyFactory) {} // The GCM chunk size used by this implementation is 64 KiB. static constexpr size_t kGcmChunkSize = 64 * 1024; @@ -55,14 +50,8 @@ class IdentityCredentialStore : public BnIdentityCredentialStore { ndk::ScopedAStatus createPresentationSession( CipherSuite cipherSuite, shared_ptr<IPresentationSession>* outSession) override; - ndk::ScopedAStatus getRemotelyProvisionedComponent( - shared_ptr<::aidl::android::hardware::security::keymint::IRemotelyProvisionedComponent>* - outRemotelyProvisionedComponent) override; - private: sp<SecureHardwareProxyFactory> hwProxyFactory_; - optional<string> remotelyProvisionedComponentName_; - HardwareInformation hardwareInformation_; }; } // namespace aidl::android::hardware::identity diff --git a/identity/aidl/default/common/PresentationSession.cpp b/identity/aidl/default/common/PresentationSession.cpp index 2eb7f2ea16..fbd897281a 100644 --- a/identity/aidl/default/common/PresentationSession.cpp +++ b/identity/aidl/default/common/PresentationSession.cpp 
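Review bot: The restored single-argument `IdentityCredentialStore` constructor in the first hunk is not marked `explicit`, so an `sp<SecureHardwareProxyFactory>` now converts implicitly to an `IdentityCredentialStore`; nothing in this diff relies on that conversion, and a Binder service object should not be constructible by accident from a factory handle. `explicit IdentityCredentialStore(sp<SecureHardwareProxyFactory> hwProxyFactory)` closes that. The comment the commit removes above the constructor documented its parameter, and the restored constructor carries none; a one-line `// Takes the factory used to create provisioning and session proxies.` would keep the header self-describing. The class body continues outside the hunk.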
@@ -122,8 +122,8 @@ ndk::ScopedAStatus PresentationSession::setSessionTranscript( ndk::ScopedAStatus PresentationSession::getCredential( const vector<uint8_t>& credentialData, shared_ptr<IIdentityCredential>* outCredential) { shared_ptr<PresentationSession> p = ref<PresentationSession>(); - shared_ptr<IdentityCredential> credential = ndk::SharedRefBase::make<IdentityCredential>( - hwProxyFactory_, credentialData, p, hardwareInformation_); + shared_ptr<IdentityCredential> credential = + ndk::SharedRefBase::make<IdentityCredential>(hwProxyFactory_, credentialData, p); int ret = credential->initialize(); if (ret != IIdentityCredentialStore::STATUS_OK) { return ndk::ScopedAStatus(AStatus_fromServiceSpecificErrorWithMessage( diff --git a/identity/aidl/default/common/PresentationSession.h b/identity/aidl/default/common/PresentationSession.h index 4cb174a82c..76ca67b675 100644 --- a/identity/aidl/default/common/PresentationSession.h +++ b/identity/aidl/default/common/PresentationSession.h @@ -38,11 +38,8 @@ using ::std::vector; class PresentationSession : public BnPresentationSession { public: PresentationSession(sp<SecureHardwareProxyFactory> hwProxyFactory, - sp<SecureHardwareSessionProxy> hwProxy, - HardwareInformation hardwareInformation) - : hwProxyFactory_(std::move(hwProxyFactory)), - hwProxy_(std::move(hwProxy)), - hardwareInformation_(std::move(hardwareInformation)) {} + sp<SecureHardwareSessionProxy> hwProxy) + : hwProxyFactory_(std::move(hwProxyFactory)), hwProxy_(std::move(hwProxy)) {} virtual ~PresentationSession(); @@ -68,7 +65,6 @@ class PresentationSession : public BnPresentationSession { // Set by constructor sp<SecureHardwareProxyFactory> hwProxyFactory_; sp<SecureHardwareSessionProxy> hwProxy_; - HardwareInformation hardwareInformation_; // Set by initialize() uint64_t id_; diff --git a/identity/aidl/default/common/SecureHardwareProxy.h b/identity/aidl/default/common/SecureHardwareProxy.h index 9f63ad809b..a580444230 100644 
--- a/identity/aidl/default/common/SecureHardwareProxy.h
+++ b/identity/aidl/default/common/SecureHardwareProxy.h
@@ -82,18 +82,6 @@ class SecureHardwareProvisioningProxy : public RefBase {
 virtual optional<vector<uint8_t>> createCredentialKey(const vector<uint8_t>& challenge, const vector<uint8_t>& applicationId) = 0;
- // Returns public key certificate with a remotely provisioned attestation key.
- //
- // This returns a single certificate that is signed by the given |attestationKeyBlob|.
- // The implementation of eicOpsCreateCredentialKey() on the TA side must coordinate
- // with its corresponding keymint implementation to sign using the attestation key. The
- // |attestationKeyCert| parameter is the certificates for |attestationKeyBlob|,
- // formatted as concatenated, DER-encoded, X.509 certificates.
- virtual optional<vector<uint8_t>> createCredentialKeyUsingRkp(
- const vector<uint8_t>& challenge, const vector<uint8_t>& applicationId,
- const vector<uint8_t>& attestationKeyBlob,
- const vector<uint8_t>& attestationKeyCert) = 0;
-
 virtual bool startPersonalization(int accessControlProfileCount, const vector<int>& entryCounts, const string& docType, size_t expectedProofOfProvisioningSize) = 0;
diff --git a/identity/aidl/default/common/WritableIdentityCredential.cpp b/identity/aidl/default/common/WritableIdentityCredential.cpp
index e420a7b74b..200ee61df4 100644
--- a/identity/aidl/default/common/WritableIdentityCredential.cpp
+++ b/identity/aidl/default/common/WritableIdentityCredential.cpp
@@ -79,15 +79,8 @@ ndk::ScopedAStatus WritableIdentityCredential::getAttestationCertificate( IIdentityCredentialStore::STATUS_INVALID_DATA, "Challenge can not be empty")); } - optional<vector<uint8_t>> certChain; - if (attestationKeyBlob_ && attestationCertificateChain_) { - certChain = hwProxy_->createCredentialKeyUsingRkp( - attestationChallenge, attestationApplicationId, *attestationKeyBlob_, - attestationCertificateChain_->at(0)); - } else { - certChain = hwProxy_->createCredentialKey(attestationChallenge, attestationApplicationId); - } - + optional<vector<uint8_t>> certChain = + hwProxy_->createCredentialKey(attestationChallenge, attestationApplicationId); if (!certChain) { return ndk::ScopedAStatus(AStatus_fromServiceSpecificErrorWithMessage( IIdentityCredentialStore::STATUS_FAILED, @@ -102,14 +95,8 @@ ndk::ScopedAStatus WritableIdentityCredential::getAttestationCertificate( } *outCertificateChain = vector<Certificate>(); - for (vector<uint8_t>& cert : certs.value()) { - Certificate c; - c.encodedCertificate = std::move(cert); - outCertificateChain->push_back(std::move(c)); - } - - for (const vector<uint8_t>& cert : *attestationCertificateChain_) { - Certificate c; + for (const vector<uint8_t>& cert : certs.value()) { + Certificate c = Certificate(); c.encodedCertificate = cert; outCertificateChain->push_back(std::move(c)); } 
@@ -415,36 +402,4 @@ ndk::ScopedAStatus WritableIdentityCredential::finishAddingEntries(
 return ndk::ScopedAStatus::ok();
 }
-ndk::ScopedAStatus WritableIdentityCredential::setRemotelyProvisionedAttestationKey(
- const vector<uint8_t>& attestationKeyBlob,
- const vector<uint8_t>& attestationCertificateChain) {
- if (!hardwareInformation_.isRemoteKeyProvisioningSupported) {
- return ndk::ScopedAStatus(AStatus_fromExceptionCodeWithMessage(
- EX_UNSUPPORTED_OPERATION, "Remote key provisioning is not supported"));
- }
-
- if (attestationKeyBlob.empty() || attestationCertificateChain.empty()) {
- return ndk::ScopedAStatus(AStatus_fromServiceSpecificErrorWithMessage(
- IIdentityCredentialStore::STATUS_FAILED,
- "Empty data passed to setRemotlyProvisionedAttestationKey"));
- }
-
- if (attestationKeyBlob_.has_value()) {
- return ndk::ScopedAStatus(AStatus_fromServiceSpecificErrorWithMessage(
- IIdentityCredentialStore::STATUS_FAILED, "Attestation key already set"));
- }
-
- optional<vector<vector<uint8_t>>> certs =
- support::certificateChainSplit(attestationCertificateChain);
- if (!certs) {
- return ndk::ScopedAStatus(AStatus_fromServiceSpecificErrorWithMessage(
- IIdentityCredentialStore::STATUS_FAILED,
- "Error splitting chain into separate certificates"));
- }
-
- attestationKeyBlob_ = attestationKeyBlob;
- attestationCertificateChain_ = *certs;
- return ndk::ScopedAStatus::ok();
-}
-
 } // namespace aidl::android::hardware::identity
diff --git a/identity/aidl/default/common/WritableIdentityCredential.h b/identity/aidl/default/common/WritableIdentityCredential.h
index 39d32c9dc7..36ad4300d1 100644
--- a/identity/aidl/default/common/WritableIdentityCredential.h
+++ b/identity/aidl/default/common/WritableIdentityCredential.h
@@ -30,7 +30,6 @@ namespace aidl::android::hardware::identity {
 using ::android::sp;
 using ::android::hardware::identity::SecureHardwareProvisioningProxy;
-using ::std::optional;
 using ::std::set;
 using ::std::string;
 using ::std::vector;
@@ -42,11 +41,8 @@ class WritableIdentityCredential : public BnWritableIdentityCredential { // For an updated credential, call initializeForUpdate() right after construction. // WritableIdentityCredential(sp<SecureHardwareProvisioningProxy> hwProxy, const string& docType, - bool testCredential, HardwareInformation hardwareInformation) - : hwProxy_(hwProxy), - docType_(docType), - testCredential_(testCredential), - hardwareInformation_(std::move(hardwareInformation)) {} + bool testCredential) + : hwProxy_(hwProxy), docType_(docType), testCredential_(testCredential) {} ~WritableIdentityCredential(); @@ -82,16 +78,11 @@ class WritableIdentityCredential : public BnWritableIdentityCredential { vector<uint8_t>* outCredentialData, vector<uint8_t>* outProofOfProvisioningSignature) override; - ndk::ScopedAStatus setRemotelyProvisionedAttestationKey( - const vector<uint8_t>& attestationKeyBlob, - const vector<uint8_t>& attestationCertificateChain) override; - private: // Set by constructor. sp<SecureHardwareProvisioningProxy> hwProxy_; string docType_; bool testCredential_; - HardwareInformation hardwareInformation_; // This is set in initialize(). bool startPersonalizationCalled_; @@ -118,10 +109,6 @@ class WritableIdentityCredential : public BnWritableIdentityCredential { vector<int32_t> entryAccessControlProfileIds_; vector<uint8_t> entryBytes_; set<string> allNameSpaces_; - - // Remotely provisioned attestation data, set via setRemotelyProvisionedAttestationKey - optional<vector<uint8_t>> attestationKeyBlob_; - optional<vector<vector<uint8_t>>> attestationCertificateChain_; }; } // namespace aidl::android::hardware::identity diff --git a/identity/aidl/default/libeic/EicOps.h b/identity/aidl/default/libeic/EicOps.h index df96c7db48..aa26e6202a 100644 --- a/identity/aidl/default/libeic/EicOps.h +++ b/identity/aidl/default/libeic/EicOps.h 
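Review bot: The restored constructor in the first hunk initialises only `hwProxy_`, `docType_` and `testCredential_`, while `startPersonalizationCalled_` (a context line in the second hunk, commented as "set in initialize()") carries no default member initializer, so between construction and `initialize()` it holds an indeterminate value; any method that tests it before `initialize()` has run — if such a path exists, which I cannot tell from the hunk — reads an uninitialised bool rather than a clean "not started" state. A default member initializer closes that regardless of call order: `bool startPersonalizationCalled_{false};`. Since `hwProxy` arrives by value as an `sp<>`, the initializer can also take it over instead of bumping the refcount a second time: `: hwProxy_(std::move(hwProxy)), docType_(docType), testCredential_(testCredential) {}`. The class body continues outside these hunks, so other members may have the same gap.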
@@ -196,19 +196,13 @@ bool eicOpsCreateEcKey(uint8_t privateKey[EIC_P256_PRIV_KEY_SIZE], // Generates CredentialKey plus an attestation certificate. // -// If |attestationKeyBlob| is non-NULL, the certificate must be signed by the -// the provided attestation key. Else, the certificate must be signed by the -// attestation key that the secure area has been factory provisioned with. The -// given |challenge|, |applicationId|, and |testCredential| must be signed -// into the attestation. +// The attestation certificate will be signed by the attestation keys the secure +// area has been provisioned with. The given |challenge| and |applicationId| +// will be used as will |testCredential|. // -// When |attestationKeyBlob| is non-NULL, then |attestationKeyCert| must -// also be passed so that the underlying implementation can properly chain up -// the newly-generated certificate to the existing chain. -// -// The generated certificate must be in X.509 format and returned in |cert| -// and |certSize| must be set to the size of this array. This function must -// set |certSize| to the size of the certification chain on successfully return. +// The generated certificate will be in X.509 format and returned in |cert| +// and |certSize| must be set to the size of this array and this function will +// set it to the size of the certification chain on successfully return. // // This may return either a single certificate or an entire certificate // chain. If it returns only a single certificate, the implementation of 
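Review bot: The restored comment says |challenge| and |applicationId| "will be used as will |testCredential|" without saying how, yet the property a relying party depends on is that the attestation covers exactly those values (the wording this hunk removes stated that obligation); I would make it explicit: `// The given |challenge|, |applicationId| and |testCredential| must be bound into the attestation so that a relying party can verify them.` The |certSize| sentence reads awkwardly ("on successfully return") and folds the caller's and the implementation's duties into one clause; splitting it keeps the in/out contract unambiguous: `// On entry |certSize| is the capacity of |cert|; on success it is set to the size of the returned certificate chain.` The comment block continues into the next hunk.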
@@ -217,10 +211,8 @@ bool eicOpsCreateEcKey(uint8_t privateKey[EIC_P256_PRIV_KEY_SIZE], // bool eicOpsCreateCredentialKey(uint8_t privateKey[EIC_P256_PRIV_KEY_SIZE], const uint8_t* challenge, size_t challengeSize, const uint8_t* applicationId, - size_t applicationIdSize, bool testCredential, - const uint8_t* attestationKeyBlob, size_t attestationKeyBlobSize, - const uint8_t* attestationKeyCert, size_t attestationKeyCertSize, - uint8_t* /*out*/ cert, size_t* /*inout*/ certSize); + size_t applicationIdSize, bool testCredential, uint8_t* cert, + size_t* certSize); // inout // Generate an X.509 certificate for the key identified by |publicKey| which // must be of the form returned by eicOpsCreateEcKey(). diff --git a/identity/aidl/default/libeic/EicProvisioning.c b/identity/aidl/default/libeic/EicProvisioning.c index ff009dde6b..a241b71b50 100644 --- a/identity/aidl/default/libeic/EicProvisioning.c +++ b/identity/aidl/default/libeic/EicProvisioning.c @@ -133,10 +133,7 @@ bool eicProvisioningGetId(EicProvisioning* ctx, uint32_t* outId) { bool eicProvisioningCreateCredentialKey(EicProvisioning* ctx, const uint8_t* challenge, size_t challengeSize, const uint8_t* applicationId, - size_t applicationIdSize, const uint8_t* attestationKeyBlob, - size_t attestationKeyBlobSize, - const uint8_t* attestationKeyCert, - size_t attestationKeyCertSize, uint8_t* publicKeyCert, + size_t applicationIdSize, uint8_t* publicKeyCert, size_t* publicKeyCertSize) { if (ctx->isUpdate) { eicDebug("Cannot create CredentialKey on update"); 
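Review bot: The trailing `// inout` in the restored declaration sits after the closing parenthesis, so a reader cannot tell that it qualifies only `certSize` and not `cert`; per-parameter annotations put the contract where it is read: `size_t applicationIdSize, bool testCredential, uint8_t* /*out*/ cert, size_t* /*inout*/ certSize);`. This is worth being precise about because `cert` is a caller-owned buffer whose capacity arrives only through `*certSize`, and the comment in the preceding hunk makes honouring that incoming size the implementation's responsibility. The EicProvisioning.c hunk on the same line restores the matching `publicKeyCert`/`publicKeyCertSize` pair with no annotation at all.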
@@ -145,9 +142,7 @@ bool eicProvisioningCreateCredentialKey(EicProvisioning* ctx, const uint8_t* cha if (!eicOpsCreateCredentialKey(ctx->credentialPrivateKey, challenge, challengeSize, applicationId, applicationIdSize, ctx->testCredential, - attestationKeyBlob, attestationKeyBlobSize, attestationKeyCert, - attestationKeyCertSize, publicKeyCert, publicKeyCertSize)) { - eicDebug("Error creating credential key"); + publicKeyCert, publicKeyCertSize)) { return false; } return true; diff --git a/identity/aidl/default/libeic/EicProvisioning.h b/identity/aidl/default/libeic/EicProvisioning.h index 2619bfc45e..d94f8f18c2 100644 --- a/identity/aidl/default/libeic/EicProvisioning.h +++ b/identity/aidl/default/libeic/EicProvisioning.h @@ -77,10 +77,7 @@ bool eicProvisioningGetId(EicProvisioning* ctx, uint32_t* outId); bool eicProvisioningCreateCredentialKey(EicProvisioning* ctx, const uint8_t* challenge, size_t challengeSize, const uint8_t* applicationId, - size_t applicationIdSize, const uint8_t* attestationKeyBlob, - size_t attestationKeyBlobSize, - const uint8_t* attestationKeyCert, - size_t attestationKeyCertSize, uint8_t* publicKeyCert, + size_t applicationIdSize, uint8_t* publicKeyCert, size_t* publicKeyCertSize); bool eicProvisioningStartPersonalization(EicProvisioning* ctx, int accessControlProfileCount, diff --git a/identity/aidl/default/service.cpp b/identity/aidl/default/service.cpp index ed3c4cbcce..1ff52f9773 100644 --- a/identity/aidl/default/service.cpp +++ b/identity/aidl/default/service.cpp @@ -16,7 +16,6 @@ #define LOG_TAG "android.hardware.identity-service" -#include <aidl/android/hardware/security/keymint/IRemotelyProvisionedComponent.h> #include <android-base/logging.h> #include <android/binder_manager.h> #include <android/binder_process.h> 
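Review bot: The restored failure branch returns false with no diagnostic, whereas the `ctx->isUpdate` rejection a few lines earlier (previous hunk of this file) calls `eicDebug(...)`; a silent failure in CredentialKey creation is hard to tell apart from a caller error once it surfaces as a bare failure status in the HAL layer, which appears to be what the .cpp hunk at the top of this diff does when no chain comes back. Keeping the branches consistent is one line: `eicDebug("Error creating credential key");` before the `return false;`. If no log is wanted, the if/return pair collapses to `return eicOpsCreateCredentialKey(...);`. The function's closing brace is outside the hunk.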
@@ -33,7 +32,6 @@ using ::android::base::LogSeverity; using ::android::base::StderrLogger; using ::aidl::android::hardware::identity::IdentityCredentialStore; -using ::aidl::android::hardware::security::keymint::IRemotelyProvisionedComponent; using ::android::hardware::identity::FakeSecureHardwareProxyFactory; using ::android::hardware::identity::SecureHardwareProxyFactory; @@ -49,13 +47,10 @@ int main(int /*argc*/, char* argv[]) { InitLogging(argv, ComboLogger); sp<SecureHardwareProxyFactory> hwProxyFactory = new FakeSecureHardwareProxyFactory(); - const std::string remotelyProvisionedComponentName = - std::string(IRemotelyProvisionedComponent::descriptor) + "/default"; ABinderProcess_setThreadPoolMaxThreadCount(0); std::shared_ptr<IdentityCredentialStore> store = - ndk::SharedRefBase::make<IdentityCredentialStore>(hwProxyFactory, - remotelyProvisionedComponentName); + ndk::SharedRefBase::make<IdentityCredentialStore>(hwProxyFactory); const std::string instance = std::string() + IdentityCredentialStore::descriptor + "/default"; binder_status_t status = AServiceManager_addService(store->asBinder().get(), instance.c_str()); diff --git a/identity/aidl/vts/Android.bp b/identity/aidl/vts/Android.bp index c5b84a16c5..7b6f2c81ee 100644 --- a/identity/aidl/vts/Android.bp +++ b/identity/aidl/vts/Android.bp @@ -11,8 +11,6 @@ cc_test { name: "VtsHalIdentityTargetTest", defaults: [ "VtsHalTargetTestDefaults", - "keymint_use_latest_hal_aidl_cpp_static", - "keymint_use_latest_hal_aidl_ndk_static", "use_libaidlvintf_gtest_helper_static", ], cflags: [ @@ -34,15 +32,12 @@ cc_test { ], shared_libs: [ "libbinder", - "libbinder_ndk", "libcrypto", ], static_libs: [ - "android.hardware.security.secureclock-V1-ndk", "libcppbor_external", "libcppcose_rkp", "libkeymaster_portable", - "libkeymint_vts_test_utils", "libpuresoftkeymasterdevice", "android.hardware.keymaster@4.0", "android.hardware.identity-support-lib", 
@@ -51,7 +46,6 @@ cc_test { "android.hardware.keymaster-V4-ndk", "libkeymaster4support", "libkeymaster4_1support", - "libkeymint_remote_prov_support", ], test_suites: [ "general-tests", diff --git a/identity/aidl/vts/Util.cpp b/identity/aidl/vts/Util.cpp index f3d7c30548..1148cb0b60 100644 --- a/identity/aidl/vts/Util.cpp +++ b/identity/aidl/vts/Util.cpp @@ -20,16 +20,12 @@ #include <android-base/logging.h> -#include <KeyMintAidlTestBase.h> #include <aidl/Gtest.h> -#include <aidl/android/hardware/security/keymint/MacedPublicKey.h> #include <android-base/stringprintf.h> #include <keymaster/km_openssl/openssl_utils.h> #include <keymasterV4_1/attestation_record.h> -#include <keymint_support/openssl_utils.h> -#include <openssl/evp.h> - #include <charconv> + #include <map> namespace android::hardware::identity::test_utils { @@ -40,13 +36,10 @@ using std::optional; using std::string; using std::vector; -using ::aidl::android::hardware::security::keymint::test::check_maced_pubkey; -using ::aidl::android::hardware::security::keymint::test::p256_pub_key; using ::android::sp; using ::android::String16; using ::android::base::StringPrintf; using ::android::binder::Status; -using ::android::hardware::security::keymint::MacedPublicKey; using ::keymaster::X509_Ptr; bool setupWritableCredential(sp<IWritableIdentityCredential>& writableCredential, 
@@ -65,77 +58,6 @@ bool setupWritableCredential(sp<IWritableIdentityCredential>& writableCredential } } -optional<vector<vector<uint8_t>>> createFakeRemotelyProvisionedCertificateChain( - const MacedPublicKey& macedPublicKey) { - // The helper library uses the NDK symbols, so play a little trickery here to convert - // the data into the proper type so we can reuse the helper function to get the pubkey. - ::aidl::android::hardware::security::keymint::MacedPublicKey ndkMacedPublicKey; - ndkMacedPublicKey.macedKey = macedPublicKey.macedKey; - - vector<uint8_t> publicKeyBits; - check_maced_pubkey(ndkMacedPublicKey, /*testMode=*/true, &publicKeyBits); - - ::aidl::android::hardware::security::keymint::EVP_PKEY_Ptr publicKey; - p256_pub_key(publicKeyBits, &publicKey); - - // Generate an arbitrary root key for our chain - bssl::UniquePtr<EC_KEY> ecRootKey(EC_KEY_new()); - bssl::UniquePtr<EVP_PKEY> rootKey(EVP_PKEY_new()); - if (ecRootKey.get() == nullptr || rootKey.get() == nullptr) { - LOG(ERROR) << "Memory allocation failed"; - return {}; - } - - bssl::UniquePtr<EC_GROUP> group(EC_GROUP_new_by_curve_name(NID_X9_62_prime256v1)); - if (group.get() == nullptr) { - LOG(ERROR) << "Error creating EC group by curve name"; - return {}; - } - - if (EC_KEY_set_group(ecRootKey.get(), group.get()) != 1 || - EC_KEY_generate_key(ecRootKey.get()) != 1 || EC_KEY_check_key(ecRootKey.get()) < 0) { - LOG(ERROR) << "Error generating key"; - return {}; - } - - if (EVP_PKEY_set1_EC_KEY(rootKey.get(), ecRootKey.get()) != 1) { - LOG(ERROR) << "Error getting private key"; - return {}; - } - - // The VTS test does not fully validate the chain, so we're ok without the proper CA extensions. 
- map<string, vector<uint8_t>> extensions; - - // Now make a self-signed cert - optional<vector<uint8_t>> root = support::ecPublicKeyGenerateCertificate( - rootKey.get(), rootKey.get(), - /*serialDecimal=*/"31415", - /*subject=*/"Android IdentityCredential VTS Test Root Certificate", - /*subject=*/"Android IdentityCredential VTS Test Root Certificate", - /*validityNotBefore=*/time(nullptr), - /*validityNotAfter=*/time(nullptr) + 365 * 24 * 3600, extensions); - if (!root) { - LOG(ERROR) << "Error generating root cert"; - return std::nullopt; - } - - // Now sign a CA cert so that we have a chain that's good enough to satisfy - // the VTS tests. - optional<vector<uint8_t>> intermediate = support::ecPublicKeyGenerateCertificate( - publicKey.get(), rootKey.get(), - /*serialDecimal=*/"42", - /*subject=*/"Android IdentityCredential VTS Test Root Certificate", - /*subject=*/"Android IdentityCredential VTS Test Attestation Certificate", - /*validityNotBefore=*/time(nullptr), - /*validityNotAfter=*/time(nullptr) + 365 * 24 * 3600, extensions); - if (!intermediate) { - LOG(ERROR) << "Error generating intermediate cert"; - return std::nullopt; - } - - return vector<vector<uint8_t>>{std::move(*intermediate), std::move(*root)}; -} - optional<vector<uint8_t>> generateReaderCertificate(string serialDecimal) { vector<uint8_t> privKey; return generateReaderCertificate(serialDecimal, &privKey); diff --git a/identity/aidl/vts/Util.h b/identity/aidl/vts/Util.h index b120dc9d19..80e52a21da 100644 --- a/identity/aidl/vts/Util.h +++ b/identity/aidl/vts/Util.h @@ -19,7 +19,6 @@ #include <android/hardware/identity/IIdentityCredentialStore.h> #include <android/hardware/identity/support/IdentityCredentialSupport.h> -#include <android/hardware/security/keymint/MacedPublicKey.h> #include <cppbor.h> #include <cppbor_parse.h> #include <gtest/gtest.h> 
@@ -98,9 +97,6 @@ struct TestProfile { bool setupWritableCredential(sp<IWritableIdentityCredential>& writableCredential, sp<IIdentityCredentialStore>& credentialStore, bool testCredential); -optional<vector<vector<uint8_t>>> createFakeRemotelyProvisionedCertificateChain( - const ::android::hardware::security::keymint::MacedPublicKey& macedPublicKey); - optional<vector<uint8_t>> generateReaderCertificate(string serialDecimal); optional<vector<uint8_t>> generateReaderCertificate(string serialDecimal, diff --git a/identity/aidl/vts/VtsIWritableIdentityCredentialTests.cpp b/identity/aidl/vts/VtsIWritableIdentityCredentialTests.cpp index 94d4c881b8..bc37020293 100644 --- a/identity/aidl/vts/VtsIWritableIdentityCredentialTests.cpp +++ b/identity/aidl/vts/VtsIWritableIdentityCredentialTests.cpp @@ -18,8 +18,6 @@ #include <aidl/Gtest.h> #include <aidl/Vintf.h> -#include <aidl/android/hardware/security/keymint/IRemotelyProvisionedComponent.h> -#include <aidl/android/hardware/security/keymint/MacedPublicKey.h> #include <android-base/logging.h> #include <android/hardware/identity/IIdentityCredentialStore.h> #include <android/hardware/identity/support/IdentityCredentialSupport.h> @@ -44,8 +42,6 @@ using std::vector; using ::android::sp; using ::android::String16; using ::android::binder::Status; -using ::android::hardware::security::keymint::IRemotelyProvisionedComponent; -using ::android::hardware::security::keymint::MacedPublicKey; class IdentityCredentialTests : public testing::TestWithParam<string> { public: 
@@ -105,103 +101,6 @@ TEST_P(IdentityCredentialTests, verifyAttestationSuccessWithChallenge) { attestationApplicationId, false); } -TEST_P(IdentityCredentialTests, verifyAttestationSuccessWithRemoteProvisioning) { - HardwareInformation hwInfo; - ASSERT_TRUE(credentialStore_->getHardwareInformation(&hwInfo).isOk()); - - if (!hwInfo.isRemoteKeyProvisioningSupported) { - GTEST_SKIP() << "Remote provisioning is not supported"; - } - - Status result; - - sp<IWritableIdentityCredential> writableCredential; - ASSERT_TRUE(test_utils::setupWritableCredential(writableCredential, credentialStore_, - false /* testCredential */)); - - sp<IRemotelyProvisionedComponent> rpc; - result = credentialStore_->getRemotelyProvisionedComponent(&rpc); - ASSERT_TRUE(result.isOk()) << result.exceptionCode() << "; " << result.exceptionMessage(); - - MacedPublicKey macedPublicKey; - std::vector<uint8_t> attestationKey; - result = rpc->generateEcdsaP256KeyPair(/*testMode=*/true, &macedPublicKey, &attestationKey); - ASSERT_TRUE(result.isOk()) << result.exceptionCode() << "; " << result.exceptionMessage(); - - optional<vector<vector<uint8_t>>> remotelyProvisionedCertChain = - test_utils::createFakeRemotelyProvisionedCertificateChain(macedPublicKey); - ASSERT_TRUE(remotelyProvisionedCertChain); - - vector<uint8_t> concatenatedCerts; - for (const vector<uint8_t>& cert : *remotelyProvisionedCertChain) { - concatenatedCerts.insert(concatenatedCerts.end(), cert.begin(), cert.end()); - } - result = writableCredential->setRemotelyProvisionedAttestationKey(attestationKey, - concatenatedCerts); - ASSERT_TRUE(result.isOk()) << result.exceptionCode() << "; " << result.exceptionMessage(); - - string challenge = "NotSoRandomChallenge1NotSoRandomChallenge1NotSoRandomChallenge1"; - vector<uint8_t> attestationChallenge(challenge.begin(), challenge.end()); - vector<Certificate> attestationCertificate; - vector<uint8_t> attestationApplicationId = {1}; - - result = writableCredential->getAttestationCertificate( - 
attestationApplicationId, attestationChallenge, &attestationCertificate); - - ASSERT_TRUE(result.isOk()) << result.exceptionCode() << "; " << result.exceptionMessage(); - - test_utils::validateAttestationCertificate(attestationCertificate, attestationChallenge, - attestationApplicationId, false); - - ASSERT_EQ(remotelyProvisionedCertChain->size() + 1, attestationCertificate.size()); - for (size_t i = 0; i < remotelyProvisionedCertChain->size(); ++i) { - ASSERT_EQ(remotelyProvisionedCertChain->at(i), - attestationCertificate[i + 1].encodedCertificate) - << "Certificate mismatch (cert index " << i + 1 << " out of " - << attestationCertificate.size() << " total certs)"; - } -} - -TEST_P(IdentityCredentialTests, verifyRemotelyProvisionedKeyMayOnlyBeSetOnce) { - HardwareInformation hwInfo; - ASSERT_TRUE(credentialStore_->getHardwareInformation(&hwInfo).isOk()); - - if (!hwInfo.isRemoteKeyProvisioningSupported) { - GTEST_SKIP() << "Remote provisioning is not supported"; - } - - sp<IRemotelyProvisionedComponent> rpc; - Status result = credentialStore_->getRemotelyProvisionedComponent(&rpc); - ASSERT_TRUE(result.isOk()) << result.exceptionCode() << "; " << result.exceptionMessage(); - - MacedPublicKey macedPublicKey; - std::vector<uint8_t> attestationKey; - result = rpc->generateEcdsaP256KeyPair(/*testMode=*/true, &macedPublicKey, &attestationKey); - ASSERT_TRUE(result.isOk()) << result.exceptionCode() << "; " << result.exceptionMessage(); - - optional<vector<vector<uint8_t>>> remotelyProvisionedCertChain = - test_utils::createFakeRemotelyProvisionedCertificateChain(macedPublicKey); - ASSERT_TRUE(remotelyProvisionedCertChain); - - vector<uint8_t> concatenatedCerts; - for (const vector<uint8_t>& cert : *remotelyProvisionedCertChain) { - concatenatedCerts.insert(concatenatedCerts.end(), cert.begin(), cert.end()); - } - - sp<IWritableIdentityCredential> writableCredential; - ASSERT_TRUE(test_utils::setupWritableCredential(writableCredential, credentialStore_, - 
/*testCredential=*/false)); - - result = writableCredential->setRemotelyProvisionedAttestationKey(attestationKey, - concatenatedCerts); - ASSERT_TRUE(result.isOk()) << result.exceptionCode() << "; " << result.exceptionMessage(); - - // Now try again, and verify that the implementation rejects it. - result = writableCredential->setRemotelyProvisionedAttestationKey(attestationKey, - concatenatedCerts); - EXPECT_FALSE(result.isOk()); -} - TEST_P(IdentityCredentialTests, verifyAttestationDoubleCallFails) { Status result; |