Revert^2 "Add remote key provisioning to the IC HAL"
be32113307d67f54e594e5322f85b65e4e2c4fdb
Change-Id: I55ddbddd0bc317f1f077a63b0275c4d55fd9c76f
diff --git a/identity/aidl/vts/Android.bp b/identity/aidl/vts/Android.bp
index 7b6f2c8..c5b84a1 100644
--- a/identity/aidl/vts/Android.bp
+++ b/identity/aidl/vts/Android.bp
@@ -11,6 +11,8 @@
name: "VtsHalIdentityTargetTest",
defaults: [
"VtsHalTargetTestDefaults",
+ "keymint_use_latest_hal_aidl_cpp_static",
+ "keymint_use_latest_hal_aidl_ndk_static",
"use_libaidlvintf_gtest_helper_static",
],
cflags: [
@@ -32,12 +34,15 @@
],
shared_libs: [
"libbinder",
+ "libbinder_ndk",
"libcrypto",
],
static_libs: [
+ "android.hardware.security.secureclock-V1-ndk",
"libcppbor_external",
"libcppcose_rkp",
"libkeymaster_portable",
+ "libkeymint_vts_test_utils",
"libpuresoftkeymasterdevice",
"android.hardware.keymaster@4.0",
"android.hardware.identity-support-lib",
@@ -46,6 +51,7 @@
"android.hardware.keymaster-V4-ndk",
"libkeymaster4support",
"libkeymaster4_1support",
+ "libkeymint_remote_prov_support",
],
test_suites: [
"general-tests",
diff --git a/identity/aidl/vts/Util.cpp b/identity/aidl/vts/Util.cpp
index 1148cb0..f3d7c30 100644
--- a/identity/aidl/vts/Util.cpp
+++ b/identity/aidl/vts/Util.cpp
@@ -20,12 +20,16 @@
#include <android-base/logging.h>
+#include <KeyMintAidlTestBase.h>
#include <aidl/Gtest.h>
+#include <aidl/android/hardware/security/keymint/MacedPublicKey.h>
#include <android-base/stringprintf.h>
#include <keymaster/km_openssl/openssl_utils.h>
#include <keymasterV4_1/attestation_record.h>
-#include <charconv>
+#include <keymint_support/openssl_utils.h>
+#include <openssl/evp.h>
+#include <charconv>
#include <map>
namespace android::hardware::identity::test_utils {
@@ -36,10 +40,13 @@
using std::string;
using std::vector;
+using ::aidl::android::hardware::security::keymint::test::check_maced_pubkey;
+using ::aidl::android::hardware::security::keymint::test::p256_pub_key;
using ::android::sp;
using ::android::String16;
using ::android::base::StringPrintf;
using ::android::binder::Status;
+using ::android::hardware::security::keymint::MacedPublicKey;
using ::keymaster::X509_Ptr;
bool setupWritableCredential(sp<IWritableIdentityCredential>& writableCredential,
@@ -58,6 +65,77 @@
}
}
+optional<vector<vector<uint8_t>>> createFakeRemotelyProvisionedCertificateChain(
+ const MacedPublicKey& macedPublicKey) {
+ // The helper library uses the NDK symbols, so play a little trickery here to convert
+ // the data into the proper type so we can reuse the helper function to get the pubkey.
+ ::aidl::android::hardware::security::keymint::MacedPublicKey ndkMacedPublicKey;
+ ndkMacedPublicKey.macedKey = macedPublicKey.macedKey;
+
+ vector<uint8_t> publicKeyBits;
+ check_maced_pubkey(ndkMacedPublicKey, /*testMode=*/true, &publicKeyBits);
+
+ ::aidl::android::hardware::security::keymint::EVP_PKEY_Ptr publicKey;
+ p256_pub_key(publicKeyBits, &publicKey);
+
+ // Generate an arbitrary root key for our chain
+ bssl::UniquePtr<EC_KEY> ecRootKey(EC_KEY_new());
+ bssl::UniquePtr<EVP_PKEY> rootKey(EVP_PKEY_new());
+ if (ecRootKey.get() == nullptr || rootKey.get() == nullptr) {
+ LOG(ERROR) << "Memory allocation failed";
+ return {};
+ }
+
+ bssl::UniquePtr<EC_GROUP> group(EC_GROUP_new_by_curve_name(NID_X9_62_prime256v1));
+ if (group.get() == nullptr) {
+ LOG(ERROR) << "Error creating EC group by curve name";
+ return {};
+ }
+
+ if (EC_KEY_set_group(ecRootKey.get(), group.get()) != 1 ||
+ EC_KEY_generate_key(ecRootKey.get()) != 1 || EC_KEY_check_key(ecRootKey.get()) < 0) {
+ LOG(ERROR) << "Error generating key";
+ return {};
+ }
+
+ if (EVP_PKEY_set1_EC_KEY(rootKey.get(), ecRootKey.get()) != 1) {
+ LOG(ERROR) << "Error getting private key";
+ return {};
+ }
+
+ // The VTS test does not fully validate the chain, so we're ok without the proper CA extensions.
+ map<string, vector<uint8_t>> extensions;
+
+ // Now make a self-signed cert
+ optional<vector<uint8_t>> root = support::ecPublicKeyGenerateCertificate(
+ rootKey.get(), rootKey.get(),
+ /*serialDecimal=*/"31415",
+ /*subject=*/"Android IdentityCredential VTS Test Root Certificate",
+ /*subject=*/"Android IdentityCredential VTS Test Root Certificate",
+ /*validityNotBefore=*/time(nullptr),
+ /*validityNotAfter=*/time(nullptr) + 365 * 24 * 3600, extensions);
+ if (!root) {
+ LOG(ERROR) << "Error generating root cert";
+ return std::nullopt;
+ }
+
+ // Now sign a CA cert so that we have a chain that's good enough to satisfy
+ // the VTS tests.
+ optional<vector<uint8_t>> intermediate = support::ecPublicKeyGenerateCertificate(
+ publicKey.get(), rootKey.get(),
+ /*serialDecimal=*/"42",
+ /*subject=*/"Android IdentityCredential VTS Test Root Certificate",
+ /*subject=*/"Android IdentityCredential VTS Test Attestation Certificate",
+ /*validityNotBefore=*/time(nullptr),
+ /*validityNotAfter=*/time(nullptr) + 365 * 24 * 3600, extensions);
+ if (!intermediate) {
+ LOG(ERROR) << "Error generating intermediate cert";
+ return std::nullopt;
+ }
+
+ return vector<vector<uint8_t>>{std::move(*intermediate), std::move(*root)};
+}
+
optional<vector<uint8_t>> generateReaderCertificate(string serialDecimal) {
vector<uint8_t> privKey;
return generateReaderCertificate(serialDecimal, &privKey);
diff --git a/identity/aidl/vts/Util.h b/identity/aidl/vts/Util.h
index 80e52a2..b120dc9 100644
--- a/identity/aidl/vts/Util.h
+++ b/identity/aidl/vts/Util.h
@@ -19,6 +19,7 @@
#include <android/hardware/identity/IIdentityCredentialStore.h>
#include <android/hardware/identity/support/IdentityCredentialSupport.h>
+#include <android/hardware/security/keymint/MacedPublicKey.h>
#include <cppbor.h>
#include <cppbor_parse.h>
#include <gtest/gtest.h>
@@ -97,6 +98,9 @@
bool setupWritableCredential(sp<IWritableIdentityCredential>& writableCredential,
sp<IIdentityCredentialStore>& credentialStore, bool testCredential);
+optional<vector<vector<uint8_t>>> createFakeRemotelyProvisionedCertificateChain(
+ const ::android::hardware::security::keymint::MacedPublicKey& macedPublicKey);
+
optional<vector<uint8_t>> generateReaderCertificate(string serialDecimal);
optional<vector<uint8_t>> generateReaderCertificate(string serialDecimal,
diff --git a/identity/aidl/vts/VtsIWritableIdentityCredentialTests.cpp b/identity/aidl/vts/VtsIWritableIdentityCredentialTests.cpp
index bc37020..94d4c88 100644
--- a/identity/aidl/vts/VtsIWritableIdentityCredentialTests.cpp
+++ b/identity/aidl/vts/VtsIWritableIdentityCredentialTests.cpp
@@ -18,6 +18,8 @@
#include <aidl/Gtest.h>
#include <aidl/Vintf.h>
+#include <aidl/android/hardware/security/keymint/IRemotelyProvisionedComponent.h>
+#include <aidl/android/hardware/security/keymint/MacedPublicKey.h>
#include <android-base/logging.h>
#include <android/hardware/identity/IIdentityCredentialStore.h>
#include <android/hardware/identity/support/IdentityCredentialSupport.h>
@@ -42,6 +44,8 @@
using ::android::sp;
using ::android::String16;
using ::android::binder::Status;
+using ::android::hardware::security::keymint::IRemotelyProvisionedComponent;
+using ::android::hardware::security::keymint::MacedPublicKey;
class IdentityCredentialTests : public testing::TestWithParam<string> {
public:
@@ -101,6 +105,103 @@
attestationApplicationId, false);
}
+TEST_P(IdentityCredentialTests, verifyAttestationSuccessWithRemoteProvisioning) {
+ HardwareInformation hwInfo;
+ ASSERT_TRUE(credentialStore_->getHardwareInformation(&hwInfo).isOk());
+
+ if (!hwInfo.isRemoteKeyProvisioningSupported) {
+ GTEST_SKIP() << "Remote provisioning is not supported";
+ }
+
+ Status result;
+
+ sp<IWritableIdentityCredential> writableCredential;
+ ASSERT_TRUE(test_utils::setupWritableCredential(writableCredential, credentialStore_,
+ false /* testCredential */));
+
+ sp<IRemotelyProvisionedComponent> rpc;
+ result = credentialStore_->getRemotelyProvisionedComponent(&rpc);
+ ASSERT_TRUE(result.isOk()) << result.exceptionCode() << "; " << result.exceptionMessage();
+
+ MacedPublicKey macedPublicKey;
+ std::vector<uint8_t> attestationKey;
+ result = rpc->generateEcdsaP256KeyPair(/*testMode=*/true, &macedPublicKey, &attestationKey);
+ ASSERT_TRUE(result.isOk()) << result.exceptionCode() << "; " << result.exceptionMessage();
+
+ optional<vector<vector<uint8_t>>> remotelyProvisionedCertChain =
+ test_utils::createFakeRemotelyProvisionedCertificateChain(macedPublicKey);
+ ASSERT_TRUE(remotelyProvisionedCertChain);
+
+ vector<uint8_t> concatenatedCerts;
+ for (const vector<uint8_t>& cert : *remotelyProvisionedCertChain) {
+ concatenatedCerts.insert(concatenatedCerts.end(), cert.begin(), cert.end());
+ }
+ result = writableCredential->setRemotelyProvisionedAttestationKey(attestationKey,
+ concatenatedCerts);
+ ASSERT_TRUE(result.isOk()) << result.exceptionCode() << "; " << result.exceptionMessage();
+
+ string challenge = "NotSoRandomChallenge1NotSoRandomChallenge1NotSoRandomChallenge1";
+ vector<uint8_t> attestationChallenge(challenge.begin(), challenge.end());
+ vector<Certificate> attestationCertificate;
+ vector<uint8_t> attestationApplicationId = {1};
+
+ result = writableCredential->getAttestationCertificate(
+ attestationApplicationId, attestationChallenge, &attestationCertificate);
+
+ ASSERT_TRUE(result.isOk()) << result.exceptionCode() << "; " << result.exceptionMessage();
+
+ test_utils::validateAttestationCertificate(attestationCertificate, attestationChallenge,
+ attestationApplicationId, false);
+
+ ASSERT_EQ(remotelyProvisionedCertChain->size() + 1, attestationCertificate.size());
+ for (size_t i = 0; i < remotelyProvisionedCertChain->size(); ++i) {
+ ASSERT_EQ(remotelyProvisionedCertChain->at(i),
+ attestationCertificate[i + 1].encodedCertificate)
+ << "Certificate mismatch (cert index " << i + 1 << " out of "
+ << attestationCertificate.size() << " total certs)";
+ }
+}
+
+TEST_P(IdentityCredentialTests, verifyRemotelyProvisionedKeyMayOnlyBeSetOnce) {
+ HardwareInformation hwInfo;
+ ASSERT_TRUE(credentialStore_->getHardwareInformation(&hwInfo).isOk());
+
+ if (!hwInfo.isRemoteKeyProvisioningSupported) {
+ GTEST_SKIP() << "Remote provisioning is not supported";
+ }
+
+ sp<IRemotelyProvisionedComponent> rpc;
+ Status result = credentialStore_->getRemotelyProvisionedComponent(&rpc);
+ ASSERT_TRUE(result.isOk()) << result.exceptionCode() << "; " << result.exceptionMessage();
+
+ MacedPublicKey macedPublicKey;
+ std::vector<uint8_t> attestationKey;
+ result = rpc->generateEcdsaP256KeyPair(/*testMode=*/true, &macedPublicKey, &attestationKey);
+ ASSERT_TRUE(result.isOk()) << result.exceptionCode() << "; " << result.exceptionMessage();
+
+ optional<vector<vector<uint8_t>>> remotelyProvisionedCertChain =
+ test_utils::createFakeRemotelyProvisionedCertificateChain(macedPublicKey);
+ ASSERT_TRUE(remotelyProvisionedCertChain);
+
+ vector<uint8_t> concatenatedCerts;
+ for (const vector<uint8_t>& cert : *remotelyProvisionedCertChain) {
+ concatenatedCerts.insert(concatenatedCerts.end(), cert.begin(), cert.end());
+ }
+
+ sp<IWritableIdentityCredential> writableCredential;
+ ASSERT_TRUE(test_utils::setupWritableCredential(writableCredential, credentialStore_,
+ /*testCredential=*/false));
+
+ result = writableCredential->setRemotelyProvisionedAttestationKey(attestationKey,
+ concatenatedCerts);
+ ASSERT_TRUE(result.isOk()) << result.exceptionCode() << "; " << result.exceptionMessage();
+
+ // Now try again, and verify that the implementation rejects it.
+ result = writableCredential->setRemotelyProvisionedAttestationKey(attestationKey,
+ concatenatedCerts);
+ EXPECT_FALSE(result.isOk());
+}
+
TEST_P(IdentityCredentialTests, verifyAttestationDoubleCallFails) {
Status result;