Add remote key provisioning to the IC HAL

The IIdentityCredentialStore can now advertise the correct
IRemotelyProvisionedComponent that is used for getting remotely
provisioned attestation keys.

IWritableIdentityCredential has a new method so it can accept remotely
provisioned keys.

Update the VTS tests to check the new RKP functionality.

Support RKP in the default identity cred service

Test: VtsHalIdentityTargetTest
Bug: 194696876
Change-Id: I96dcf3027e0f21790c35900ddf8cc0953bd3b1ca
diff --git a/identity/aidl/default/common/WritableIdentityCredential.cpp b/identity/aidl/default/common/WritableIdentityCredential.cpp
index 200ee61..e420a7b 100644
--- a/identity/aidl/default/common/WritableIdentityCredential.cpp
+++ b/identity/aidl/default/common/WritableIdentityCredential.cpp
@@ -79,8 +79,15 @@
                 IIdentityCredentialStore::STATUS_INVALID_DATA, "Challenge can not be empty"));
     }
 
-    optional<vector<uint8_t>> certChain =
-            hwProxy_->createCredentialKey(attestationChallenge, attestationApplicationId);
+    optional<vector<uint8_t>> certChain;
+    if (attestationKeyBlob_ && attestationCertificateChain_) {
+        certChain = hwProxy_->createCredentialKeyUsingRkp(
+                attestationChallenge, attestationApplicationId, *attestationKeyBlob_,
+                attestationCertificateChain_->at(0));
+    } else {
+        certChain = hwProxy_->createCredentialKey(attestationChallenge, attestationApplicationId);
+    }
+
     if (!certChain) {
         return ndk::ScopedAStatus(AStatus_fromServiceSpecificErrorWithMessage(
                 IIdentityCredentialStore::STATUS_FAILED,
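Review bot: `attestationCertificateChain_->at(0)` assumes the stored chain holds at least one certificate, but the setter added later in this commit only checks that the raw input bytes are non-empty and that `support::certificateChainSplit` returned a value. If that helper can return an engaged but empty vector (its body is not visible here), `at(0)` throws on caller-supplied data, which in a HAL service most likely ends in a process abort. Rejecting that case where the chain is stored, with `if (!certs || certs->empty()) {`, keeps the invariant in one place. The enclosing function starts and ends outside this hunk.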
@@ -95,8 +102,14 @@
     }
 
     *outCertificateChain = vector<Certificate>();
-    for (const vector<uint8_t>& cert : certs.value()) {
-        Certificate c = Certificate();
+    for (vector<uint8_t>& cert : certs.value()) {
+        Certificate c;
+        c.encodedCertificate = std::move(cert);
+        outCertificateChain->push_back(std::move(c));
+    }
+
+    for (const vector<uint8_t>& cert : *attestationCertificateChain_) {
+        Certificate c;
         c.encodedCertificate = cert;
         outCertificateChain->push_back(std::move(c));
     }
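Review bot: The second loop dereferences `*attestationCertificateChain_` unconditionally, while the key-creation hunk above (apparently the same function) takes the RKP path only when both `attestationKeyBlob_` and `attestationCertificateChain_` are set. On the factory-key path the member is presumably an empty optional (its declaration is not in this diff), and dereferencing it is undefined behaviour. Wrapping the loop in `if (attestationCertificateChain_) {` would leave the non-RKP path returning only the chain from the hardware proxy. The first loop now moves out of `certs.value()`, which is fine only if nothing after the hunk reads `certs` again; the function continues outside the hunk.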
@@ -402,4 +415,36 @@
     return ndk::ScopedAStatus::ok();
 }
 
+ndk::ScopedAStatus WritableIdentityCredential::setRemotelyProvisionedAttestationKey(
+        const vector<uint8_t>& attestationKeyBlob,
+        const vector<uint8_t>& attestationCertificateChain) {
+    if (!hardwareInformation_.isRemoteKeyProvisioningSupported) {
+        return ndk::ScopedAStatus(AStatus_fromExceptionCodeWithMessage(
+                EX_UNSUPPORTED_OPERATION, "Remote key provisioning is not supported"));
+    }
+
+    if (attestationKeyBlob.empty() || attestationCertificateChain.empty()) {
+        return ndk::ScopedAStatus(AStatus_fromServiceSpecificErrorWithMessage(
+                IIdentityCredentialStore::STATUS_FAILED,
+                "Empty data passed to setRemotlyProvisionedAttestationKey"));
+    }
+
+    if (attestationKeyBlob_.has_value()) {
+        return ndk::ScopedAStatus(AStatus_fromServiceSpecificErrorWithMessage(
+                IIdentityCredentialStore::STATUS_FAILED, "Attestation key already set"));
+    }
+
+    optional<vector<vector<uint8_t>>> certs =
+            support::certificateChainSplit(attestationCertificateChain);
+    if (!certs) {
+        return ndk::ScopedAStatus(AStatus_fromServiceSpecificErrorWithMessage(
+                IIdentityCredentialStore::STATUS_FAILED,
+                "Error splitting chain into separate certificates"));
+    }
+
+    attestationKeyBlob_ = attestationKeyBlob;
+    attestationCertificateChain_ = *certs;
+    return ndk::ScopedAStatus::ok();
+}
+
 }  // namespace aidl::android::hardware::identity
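Review bot: Nothing visible in `setRemotelyProvisionedAttestationKey` rejects a call that arrives after the credential key has already been created, so a late call would return ok even though the attestation was issued without the provisioned key. If the class tracks that state (not shown in this diff), returning an error there would make the required call order explicit. A short comment above the function stating that it is one-shot and must precede the attestation-certificate request would help integrators. The message `"Empty data passed to setRemotlyProvisionedAttestationKey"` misspells the method name; it should read `setRemotelyProvisionedAttestationKey` so log searches match.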