diff options
| author | Seth Moore <sethmo@google.com> | 2021-06-25 14:20:15 -0700 |
|---|---|---|
| committer | Seth Moore <sethmo@google.com> | 2021-07-01 10:17:28 -0700 |
| commit | f4c8ff9bef34092787e97149e38cd1bb052635c8 (patch) | |
| tree | 41b201ede6ba41be80f14e14749ea88f64ef0e76 /security/keymint/support/remote_prov_utils.cpp | |
| parent | 0ab5ef3ff712558dcf14df3a8f7df950a503b44b (diff) | |
Add a utility to JSON-format a CSR with build info
We need both the build fingerprint as well as the CSR when uploading
data to the APFE provisioning server. Add a utility function to format
the output as a JSON blob so that it may be easily collected in the
factory in a serialized data format, then later uploaded.
Test: libkeymint_remote_prov_support_test
Test: VtsAidlKeyMintTargetTest
Test: VtsHalRemotelyProvisionedComponentTargetTest
Bug: 191301285
Change-Id: I751c5461876d83251869539f1a395ba13cb5cf84
Diffstat (limited to 'security/keymint/support/remote_prov_utils.cpp')
| -rw-r--r-- | security/keymint/support/remote_prov_utils.cpp | 42 |
1 files changed, 38 insertions, 4 deletions
diff --git a/security/keymint/support/remote_prov_utils.cpp b/security/keymint/support/remote_prov_utils.cpp index 982a1eb7b1..0cbee51044 100644 --- a/security/keymint/support/remote_prov_utils.cpp +++ b/security/keymint/support/remote_prov_utils.cpp @@ -14,13 +14,15 @@ * limitations under the License. */ +#include <iterator> #include <tuple> -#include <remote_prov/remote_prov_utils.h> - -#include <openssl/rand.h> - +#include <android-base/properties.h> #include <cppbor.h> +#include <json/json.h> +#include <openssl/base64.h> +#include <openssl/rand.h> +#include <remote_prov/remote_prov_utils.h> namespace aidl::android::hardware::security::keymint::remote_prov { @@ -180,4 +182,36 @@ ErrMsgOr<std::vector<BccEntryData>> validateBcc(const cppbor::Array* bcc) { return result; } +JsonOutput jsonEncodeCsrWithBuild(const cppbor::Array& csr) { + const std::string kFingerprintProp = "ro.build.fingerprint"; + + if (!::android::base::WaitForPropertyCreation(kFingerprintProp)) { + return JsonOutput::Error("Unable to read build fingerprint"); + } + + bytevec csrCbor = csr.encode(); + size_t base64Length; + int rc = EVP_EncodedLength(&base64Length, csrCbor.size()); + if (!rc) { + return JsonOutput::Error("Error getting base64 length. Size overflow?"); + } + + std::vector<char> base64(base64Length); + rc = EVP_EncodeBlock(reinterpret_cast<uint8_t*>(base64.data()), csrCbor.data(), csrCbor.size()); + ++rc; // Account for NUL, which BoringSSL does not for some reason. + if (rc != base64Length) { + return JsonOutput::Error("Error writing base64. Expected " + std::to_string(base64Length) + + " bytes to be written, but " + std::to_string(rc) + + " bytes were actually written."); + } + + Json::Value json(Json::objectValue); + json["build_fingerprint"] = ::android::base::GetProperty(kFingerprintProp, /*default=*/""); + json["csr"] = base64.data(); // Boring writes a NUL-terminated c-string + + Json::StreamWriterBuilder factory; + factory["indentation"] = ""; // disable pretty formatting + return JsonOutput::Ok(Json::writeString(factory, json)); +} + } // namespace aidl::android::hardware::security::keymint::remote_prov |