Revert "Add remote key provisioning to the IC HAL"
Revert "Add dependency on keymint cpp lib"
Revert "Allow default identity service to call keymint"
Revert submission 1956689-add rkp to identity-default
Reason for revert: Broke git-master. Will resubmit later.
Reverted Changes:
I96dcf3027:Add remote key provisioning to the IC HAL
Id686ac33a:Add dependency on keymint cpp lib
Ib368a2a00:Log to logd in the default identity service
I7d2906de0:Refactor IC support for RKP
Iae0f14f1c:Fix formatting of identity credential aidl
I01d086a4b:Allow default identity service to call keymint
Change-Id: I76a898c04090c5befe5fb5a5d07ec2e397fdd8b3
diff --git a/identity/aidl/default/common/IdentityCredential.cpp b/identity/aidl/default/common/IdentityCredential.cpp
index ff80752..7678ecb 100644
--- a/identity/aidl/default/common/IdentityCredential.cpp
+++ b/identity/aidl/default/common/IdentityCredential.cpp
@@ -1012,8 +1012,8 @@
IIdentityCredentialStore::STATUS_FAILED, "Error creating provisioning proxy"));
}
shared_ptr<WritableIdentityCredential> wc =
- ndk::SharedRefBase::make<WritableIdentityCredential>(
- provisioningHwProxy, docType_, testCredential_, hardwareInformation_);
+ ndk::SharedRefBase::make<WritableIdentityCredential>(provisioningHwProxy, docType_,
+ testCredential_);
if (!wc->initializeForUpdate(encryptedCredentialKeys_)) {
return ndk::ScopedAStatus(AStatus_fromServiceSpecificErrorWithMessage(
IIdentityCredentialStore::STATUS_FAILED,
diff --git a/identity/aidl/default/common/IdentityCredential.h b/identity/aidl/default/common/IdentityCredential.h
index 5929829..2935fb8 100644
--- a/identity/aidl/default/common/IdentityCredential.h
+++ b/identity/aidl/default/common/IdentityCredential.h
@@ -48,13 +48,11 @@
public:
IdentityCredential(sp<SecureHardwareProxyFactory> hwProxyFactory,
const vector<uint8_t>& credentialData,
- std::shared_ptr<PresentationSession> session,
- HardwareInformation hardwareInformation)
+ std::shared_ptr<PresentationSession> session)
: hwProxyFactory_(hwProxyFactory),
credentialData_(credentialData),
session_(std::move(session)),
numStartRetrievalCalls_(0),
- hardwareInformation_(std::move(hardwareInformation)),
expectedDeviceNameSpacesSize_(0) {}
// Parses and decrypts credentialData_, return a status code from
@@ -105,7 +103,6 @@
vector<uint8_t> credentialData_;
shared_ptr<PresentationSession> session_;
int numStartRetrievalCalls_;
- HardwareInformation hardwareInformation_;
// Set by initialize()
string docType_;
diff --git a/identity/aidl/default/common/IdentityCredentialStore.cpp b/identity/aidl/default/common/IdentityCredentialStore.cpp
index bbc2cef..4703ffe 100644
--- a/identity/aidl/default/common/IdentityCredentialStore.cpp
+++ b/identity/aidl/default/common/IdentityCredentialStore.cpp
@@ -17,7 +17,6 @@
#define LOG_TAG "IdentityCredentialStore"
#include <android-base/logging.h>
-#include <android/binder_manager.h>
#include "IdentityCredential.h"
#include "IdentityCredentialStore.h"
@@ -26,24 +25,15 @@
namespace aidl::android::hardware::identity {
-using ::aidl::android::hardware::security::keymint::IRemotelyProvisionedComponent;
-
-IdentityCredentialStore::IdentityCredentialStore(sp<SecureHardwareProxyFactory> hwProxyFactory,
- optional<string> remotelyProvisionedComponent)
- : hwProxyFactory_(hwProxyFactory),
- remotelyProvisionedComponentName_(remotelyProvisionedComponent) {
- hardwareInformation_.credentialStoreName = "Identity Credential Reference Implementation";
- hardwareInformation_.credentialStoreAuthorName = "Google";
- hardwareInformation_.dataChunkSize = kGcmChunkSize;
- hardwareInformation_.isDirectAccess = false;
- hardwareInformation_.supportedDocTypes = {};
- hardwareInformation_.isRemoteKeyProvisioningSupported =
- remotelyProvisionedComponentName_.has_value();
-}
-
ndk::ScopedAStatus IdentityCredentialStore::getHardwareInformation(
HardwareInformation* hardwareInformation) {
- *hardwareInformation = hardwareInformation_;
+ HardwareInformation hw;
+ hw.credentialStoreName = "Identity Credential Reference Implementation";
+ hw.credentialStoreAuthorName = "Google";
+ hw.dataChunkSize = kGcmChunkSize;
+ hw.isDirectAccess = false;
+ hw.supportedDocTypes = {};
+ *hardwareInformation = hw;
return ndk::ScopedAStatus::ok();
}
@@ -52,8 +42,7 @@
shared_ptr<IWritableIdentityCredential>* outWritableCredential) {
sp<SecureHardwareProvisioningProxy> hwProxy = hwProxyFactory_->createProvisioningProxy();
shared_ptr<WritableIdentityCredential> wc =
- ndk::SharedRefBase::make<WritableIdentityCredential>(hwProxy, docType, testCredential,
- hardwareInformation_);
+ ndk::SharedRefBase::make<WritableIdentityCredential>(hwProxy, docType, testCredential);
if (!wc->initialize()) {
return ndk::ScopedAStatus(AStatus_fromServiceSpecificErrorWithMessage(
IIdentityCredentialStore::STATUS_FAILED,
@@ -74,7 +63,7 @@
}
shared_ptr<IdentityCredential> credential = ndk::SharedRefBase::make<IdentityCredential>(
- hwProxyFactory_, credentialData, nullptr /* session */, hardwareInformation_);
+ hwProxyFactory_, credentialData, nullptr /* session */);
auto ret = credential->initialize();
if (ret != IIdentityCredentialStore::STATUS_OK) {
return ndk::ScopedAStatus(AStatus_fromServiceSpecificErrorWithMessage(
@@ -94,8 +83,8 @@
}
sp<SecureHardwareSessionProxy> hwProxy = hwProxyFactory_->createSessionProxy();
- shared_ptr<PresentationSession> session = ndk::SharedRefBase::make<PresentationSession>(
- hwProxyFactory_, hwProxy, hardwareInformation_);
+ shared_ptr<PresentationSession> session =
+ ndk::SharedRefBase::make<PresentationSession>(hwProxyFactory_, hwProxy);
auto ret = session->initialize();
if (ret != IIdentityCredentialStore::STATUS_OK) {
return ndk::ScopedAStatus(AStatus_fromServiceSpecificErrorWithMessage(
@@ -105,23 +94,4 @@
return ndk::ScopedAStatus::ok();
}
-ndk::ScopedAStatus IdentityCredentialStore::getRemotelyProvisionedComponent(
- shared_ptr<IRemotelyProvisionedComponent>* outRemotelyProvisionedComponent) {
- if (!remotelyProvisionedComponentName_) {
- return ndk::ScopedAStatus(AStatus_fromExceptionCodeWithMessage(
- EX_UNSUPPORTED_OPERATION, "Remote key provisioning is not supported"));
- }
-
- ndk::SpAIBinder binder(
- AServiceManager_waitForService(remotelyProvisionedComponentName_->c_str()));
- if (binder.get() == nullptr) {
- return ndk::ScopedAStatus(AStatus_fromServiceSpecificErrorWithMessage(
- IIdentityCredentialStore::STATUS_FAILED,
- "Unable to get remotely provisioned component"));
- }
-
- *outRemotelyProvisionedComponent = IRemotelyProvisionedComponent::fromBinder(binder);
- return ndk::ScopedAStatus::ok();
-}
-
} // namespace aidl::android::hardware::identity
diff --git a/identity/aidl/default/common/IdentityCredentialStore.h b/identity/aidl/default/common/IdentityCredentialStore.h
index dd1261b..77b894d 100644
--- a/identity/aidl/default/common/IdentityCredentialStore.h
+++ b/identity/aidl/default/common/IdentityCredentialStore.h
@@ -18,7 +18,6 @@
#define ANDROID_HARDWARE_IDENTITY_IDENTITYCREDENTIALSTORE_H
#include <aidl/android/hardware/identity/BnIdentityCredentialStore.h>
-#include <aidl/android/hardware/security/keymint/IRemotelyProvisionedComponent.h>
#include "SecureHardwareProxy.h"
@@ -26,18 +25,14 @@
using ::android::sp;
using ::android::hardware::identity::SecureHardwareProxyFactory;
-using ::std::optional;
using ::std::shared_ptr;
using ::std::string;
using ::std::vector;
class IdentityCredentialStore : public BnIdentityCredentialStore {
public:
- // If remote key provisioning is supported, pass the service name for the correct
- // IRemotelyProvisionedComponent to the remotelyProvisionedComponent parameter. Else
- // pass std::nullopt to indicate remote key provisioning is not supported.
- IdentityCredentialStore(sp<SecureHardwareProxyFactory> hwProxyFactory,
- optional<string> remotelyProvisionedComponent);
+ IdentityCredentialStore(sp<SecureHardwareProxyFactory> hwProxyFactory)
+ : hwProxyFactory_(hwProxyFactory) {}
// The GCM chunk size used by this implementation is 64 KiB.
static constexpr size_t kGcmChunkSize = 64 * 1024;
@@ -55,14 +50,8 @@
ndk::ScopedAStatus createPresentationSession(
CipherSuite cipherSuite, shared_ptr<IPresentationSession>* outSession) override;
- ndk::ScopedAStatus getRemotelyProvisionedComponent(
- shared_ptr<::aidl::android::hardware::security::keymint::IRemotelyProvisionedComponent>*
- outRemotelyProvisionedComponent) override;
-
private:
sp<SecureHardwareProxyFactory> hwProxyFactory_;
- optional<string> remotelyProvisionedComponentName_;
- HardwareInformation hardwareInformation_;
};
} // namespace aidl::android::hardware::identity
diff --git a/identity/aidl/default/common/PresentationSession.cpp b/identity/aidl/default/common/PresentationSession.cpp
index 2eb7f2e..fbd8972 100644
--- a/identity/aidl/default/common/PresentationSession.cpp
+++ b/identity/aidl/default/common/PresentationSession.cpp
@@ -122,8 +122,8 @@
ndk::ScopedAStatus PresentationSession::getCredential(
const vector<uint8_t>& credentialData, shared_ptr<IIdentityCredential>* outCredential) {
shared_ptr<PresentationSession> p = ref<PresentationSession>();
- shared_ptr<IdentityCredential> credential = ndk::SharedRefBase::make<IdentityCredential>(
- hwProxyFactory_, credentialData, p, hardwareInformation_);
+ shared_ptr<IdentityCredential> credential =
+ ndk::SharedRefBase::make<IdentityCredential>(hwProxyFactory_, credentialData, p);
int ret = credential->initialize();
if (ret != IIdentityCredentialStore::STATUS_OK) {
return ndk::ScopedAStatus(AStatus_fromServiceSpecificErrorWithMessage(
diff --git a/identity/aidl/default/common/PresentationSession.h b/identity/aidl/default/common/PresentationSession.h
index 4cb174a..76ca67b 100644
--- a/identity/aidl/default/common/PresentationSession.h
+++ b/identity/aidl/default/common/PresentationSession.h
@@ -38,11 +38,8 @@
class PresentationSession : public BnPresentationSession {
public:
PresentationSession(sp<SecureHardwareProxyFactory> hwProxyFactory,
- sp<SecureHardwareSessionProxy> hwProxy,
- HardwareInformation hardwareInformation)
- : hwProxyFactory_(std::move(hwProxyFactory)),
- hwProxy_(std::move(hwProxy)),
- hardwareInformation_(std::move(hardwareInformation)) {}
+ sp<SecureHardwareSessionProxy> hwProxy)
+ : hwProxyFactory_(std::move(hwProxyFactory)), hwProxy_(std::move(hwProxy)) {}
virtual ~PresentationSession();
@@ -68,7 +65,6 @@
// Set by constructor
sp<SecureHardwareProxyFactory> hwProxyFactory_;
sp<SecureHardwareSessionProxy> hwProxy_;
- HardwareInformation hardwareInformation_;
// Set by initialize()
uint64_t id_;
diff --git a/identity/aidl/default/common/SecureHardwareProxy.h b/identity/aidl/default/common/SecureHardwareProxy.h
index 9f63ad8..a580444 100644
--- a/identity/aidl/default/common/SecureHardwareProxy.h
+++ b/identity/aidl/default/common/SecureHardwareProxy.h
@@ -82,18 +82,6 @@
virtual optional<vector<uint8_t>> createCredentialKey(const vector<uint8_t>& challenge,
const vector<uint8_t>& applicationId) = 0;
- // Returns public key certificate with a remotely provisioned attestation key.
- //
- // This returns a single certificate that is signed by the given |attestationKeyBlob|.
- // The implementation of eicOpsCreateCredentialKey() on the TA side must coordinate
- // with its corresponding keymint implementation to sign using the attestation key. The
- // |attestationKeyCert| parameter is the certificates for |attestationKeyBlob|,
- // formatted as concatenated, DER-encoded, X.509 certificates.
- virtual optional<vector<uint8_t>> createCredentialKeyUsingRkp(
- const vector<uint8_t>& challenge, const vector<uint8_t>& applicationId,
- const vector<uint8_t>& attestationKeyBlob,
- const vector<uint8_t>& attestationKeyCert) = 0;
-
virtual bool startPersonalization(int accessControlProfileCount, const vector<int>& entryCounts,
const string& docType,
size_t expectedProofOfProvisioningSize) = 0;
diff --git a/identity/aidl/default/common/WritableIdentityCredential.cpp b/identity/aidl/default/common/WritableIdentityCredential.cpp
index e420a7b..200ee61 100644
--- a/identity/aidl/default/common/WritableIdentityCredential.cpp
+++ b/identity/aidl/default/common/WritableIdentityCredential.cpp
@@ -79,15 +79,8 @@
IIdentityCredentialStore::STATUS_INVALID_DATA, "Challenge can not be empty"));
}
- optional<vector<uint8_t>> certChain;
- if (attestationKeyBlob_ && attestationCertificateChain_) {
- certChain = hwProxy_->createCredentialKeyUsingRkp(
- attestationChallenge, attestationApplicationId, *attestationKeyBlob_,
- attestationCertificateChain_->at(0));
- } else {
- certChain = hwProxy_->createCredentialKey(attestationChallenge, attestationApplicationId);
- }
-
+ optional<vector<uint8_t>> certChain =
+ hwProxy_->createCredentialKey(attestationChallenge, attestationApplicationId);
if (!certChain) {
return ndk::ScopedAStatus(AStatus_fromServiceSpecificErrorWithMessage(
IIdentityCredentialStore::STATUS_FAILED,
@@ -102,14 +95,8 @@
}
*outCertificateChain = vector<Certificate>();
- for (vector<uint8_t>& cert : certs.value()) {
- Certificate c;
- c.encodedCertificate = std::move(cert);
- outCertificateChain->push_back(std::move(c));
- }
-
- for (const vector<uint8_t>& cert : *attestationCertificateChain_) {
- Certificate c;
+ for (const vector<uint8_t>& cert : certs.value()) {
+ Certificate c = Certificate();
c.encodedCertificate = cert;
outCertificateChain->push_back(std::move(c));
}
@@ -415,36 +402,4 @@
return ndk::ScopedAStatus::ok();
}
-ndk::ScopedAStatus WritableIdentityCredential::setRemotelyProvisionedAttestationKey(
- const vector<uint8_t>& attestationKeyBlob,
- const vector<uint8_t>& attestationCertificateChain) {
- if (!hardwareInformation_.isRemoteKeyProvisioningSupported) {
- return ndk::ScopedAStatus(AStatus_fromExceptionCodeWithMessage(
- EX_UNSUPPORTED_OPERATION, "Remote key provisioning is not supported"));
- }
-
- if (attestationKeyBlob.empty() || attestationCertificateChain.empty()) {
- return ndk::ScopedAStatus(AStatus_fromServiceSpecificErrorWithMessage(
- IIdentityCredentialStore::STATUS_FAILED,
- "Empty data passed to setRemotlyProvisionedAttestationKey"));
- }
-
- if (attestationKeyBlob_.has_value()) {
- return ndk::ScopedAStatus(AStatus_fromServiceSpecificErrorWithMessage(
- IIdentityCredentialStore::STATUS_FAILED, "Attestation key already set"));
- }
-
- optional<vector<vector<uint8_t>>> certs =
- support::certificateChainSplit(attestationCertificateChain);
- if (!certs) {
- return ndk::ScopedAStatus(AStatus_fromServiceSpecificErrorWithMessage(
- IIdentityCredentialStore::STATUS_FAILED,
- "Error splitting chain into separate certificates"));
- }
-
- attestationKeyBlob_ = attestationKeyBlob;
- attestationCertificateChain_ = *certs;
- return ndk::ScopedAStatus::ok();
-}
-
} // namespace aidl::android::hardware::identity
diff --git a/identity/aidl/default/common/WritableIdentityCredential.h b/identity/aidl/default/common/WritableIdentityCredential.h
index 39d32c9..36ad430 100644
--- a/identity/aidl/default/common/WritableIdentityCredential.h
+++ b/identity/aidl/default/common/WritableIdentityCredential.h
@@ -30,7 +30,6 @@
using ::android::sp;
using ::android::hardware::identity::SecureHardwareProvisioningProxy;
-using ::std::optional;
using ::std::set;
using ::std::string;
using ::std::vector;
@@ -42,11 +41,8 @@
// For an updated credential, call initializeForUpdate() right after construction.
//
WritableIdentityCredential(sp<SecureHardwareProvisioningProxy> hwProxy, const string& docType,
- bool testCredential, HardwareInformation hardwareInformation)
- : hwProxy_(hwProxy),
- docType_(docType),
- testCredential_(testCredential),
- hardwareInformation_(std::move(hardwareInformation)) {}
+ bool testCredential)
+ : hwProxy_(hwProxy), docType_(docType), testCredential_(testCredential) {}
~WritableIdentityCredential();
@@ -82,16 +78,11 @@
vector<uint8_t>* outCredentialData,
vector<uint8_t>* outProofOfProvisioningSignature) override;
- ndk::ScopedAStatus setRemotelyProvisionedAttestationKey(
- const vector<uint8_t>& attestationKeyBlob,
- const vector<uint8_t>& attestationCertificateChain) override;
-
private:
// Set by constructor.
sp<SecureHardwareProvisioningProxy> hwProxy_;
string docType_;
bool testCredential_;
- HardwareInformation hardwareInformation_;
// This is set in initialize().
bool startPersonalizationCalled_;
@@ -118,10 +109,6 @@
vector<int32_t> entryAccessControlProfileIds_;
vector<uint8_t> entryBytes_;
set<string> allNameSpaces_;
-
- // Remotely provisioned attestation data, set via setRemotelyProvisionedAttestationKey
- optional<vector<uint8_t>> attestationKeyBlob_;
- optional<vector<vector<uint8_t>>> attestationCertificateChain_;
};
} // namespace aidl::android::hardware::identity