Revert "Add remote key provisioning to the IC HAL"
Revert "Add dependency on keymint cpp lib"
Revert "Allow default identity service to call keymint"
Revert submission 1956689-add rkp to identity-default
Reason for revert: Broke git-master. Will resubmit later.
Reverted Changes:
I96dcf3027:Add remote key provisioning to the IC HAL
Id686ac33a:Add dependency on keymint cpp lib
Ib368a2a00:Log to logd in the default identity service
I7d2906de0:Refactor IC support for RKP
Iae0f14f1c:Fix formatting of identity credential aidl
I01d086a4b:Allow default identity service to call keymint
Change-Id: I76a898c04090c5befe5fb5a5d07ec2e397fdd8b3
diff --git a/identity/aidl/vts/Android.bp b/identity/aidl/vts/Android.bp
index c5b84a1..7b6f2c8 100644
--- a/identity/aidl/vts/Android.bp
+++ b/identity/aidl/vts/Android.bp
@@ -11,8 +11,6 @@
name: "VtsHalIdentityTargetTest",
defaults: [
"VtsHalTargetTestDefaults",
- "keymint_use_latest_hal_aidl_cpp_static",
- "keymint_use_latest_hal_aidl_ndk_static",
"use_libaidlvintf_gtest_helper_static",
],
cflags: [
@@ -34,15 +32,12 @@
],
shared_libs: [
"libbinder",
- "libbinder_ndk",
"libcrypto",
],
static_libs: [
- "android.hardware.security.secureclock-V1-ndk",
"libcppbor_external",
"libcppcose_rkp",
"libkeymaster_portable",
- "libkeymint_vts_test_utils",
"libpuresoftkeymasterdevice",
"android.hardware.keymaster@4.0",
"android.hardware.identity-support-lib",
@@ -51,7 +46,6 @@
"android.hardware.keymaster-V4-ndk",
"libkeymaster4support",
"libkeymaster4_1support",
- "libkeymint_remote_prov_support",
],
test_suites: [
"general-tests",
diff --git a/identity/aidl/vts/Util.cpp b/identity/aidl/vts/Util.cpp
index f3d7c30..1148cb0 100644
--- a/identity/aidl/vts/Util.cpp
+++ b/identity/aidl/vts/Util.cpp
@@ -20,16 +20,12 @@
#include <android-base/logging.h>
-#include <KeyMintAidlTestBase.h>
#include <aidl/Gtest.h>
-#include <aidl/android/hardware/security/keymint/MacedPublicKey.h>
#include <android-base/stringprintf.h>
#include <keymaster/km_openssl/openssl_utils.h>
#include <keymasterV4_1/attestation_record.h>
-#include <keymint_support/openssl_utils.h>
-#include <openssl/evp.h>
-
#include <charconv>
+
#include <map>
namespace android::hardware::identity::test_utils {
@@ -40,13 +36,10 @@
using std::string;
using std::vector;
-using ::aidl::android::hardware::security::keymint::test::check_maced_pubkey;
-using ::aidl::android::hardware::security::keymint::test::p256_pub_key;
using ::android::sp;
using ::android::String16;
using ::android::base::StringPrintf;
using ::android::binder::Status;
-using ::android::hardware::security::keymint::MacedPublicKey;
using ::keymaster::X509_Ptr;
bool setupWritableCredential(sp<IWritableIdentityCredential>& writableCredential,
@@ -65,77 +58,6 @@
}
}
-optional<vector<vector<uint8_t>>> createFakeRemotelyProvisionedCertificateChain(
- const MacedPublicKey& macedPublicKey) {
- // The helper library uses the NDK symbols, so play a little trickery here to convert
- // the data into the proper type so we can reuse the helper function to get the pubkey.
- ::aidl::android::hardware::security::keymint::MacedPublicKey ndkMacedPublicKey;
- ndkMacedPublicKey.macedKey = macedPublicKey.macedKey;
-
- vector<uint8_t> publicKeyBits;
- check_maced_pubkey(ndkMacedPublicKey, /*testMode=*/true, &publicKeyBits);
-
- ::aidl::android::hardware::security::keymint::EVP_PKEY_Ptr publicKey;
- p256_pub_key(publicKeyBits, &publicKey);
-
- // Generate an arbitrary root key for our chain
- bssl::UniquePtr<EC_KEY> ecRootKey(EC_KEY_new());
- bssl::UniquePtr<EVP_PKEY> rootKey(EVP_PKEY_new());
- if (ecRootKey.get() == nullptr || rootKey.get() == nullptr) {
- LOG(ERROR) << "Memory allocation failed";
- return {};
- }
-
- bssl::UniquePtr<EC_GROUP> group(EC_GROUP_new_by_curve_name(NID_X9_62_prime256v1));
- if (group.get() == nullptr) {
- LOG(ERROR) << "Error creating EC group by curve name";
- return {};
- }
-
- if (EC_KEY_set_group(ecRootKey.get(), group.get()) != 1 ||
- EC_KEY_generate_key(ecRootKey.get()) != 1 || EC_KEY_check_key(ecRootKey.get()) < 0) {
- LOG(ERROR) << "Error generating key";
- return {};
- }
-
- if (EVP_PKEY_set1_EC_KEY(rootKey.get(), ecRootKey.get()) != 1) {
- LOG(ERROR) << "Error getting private key";
- return {};
- }
-
- // The VTS test does not fully validate the chain, so we're ok without the proper CA extensions.
- map<string, vector<uint8_t>> extensions;
-
- // Now make a self-signed cert
- optional<vector<uint8_t>> root = support::ecPublicKeyGenerateCertificate(
- rootKey.get(), rootKey.get(),
- /*serialDecimal=*/"31415",
- /*subject=*/"Android IdentityCredential VTS Test Root Certificate",
- /*subject=*/"Android IdentityCredential VTS Test Root Certificate",
- /*validityNotBefore=*/time(nullptr),
- /*validityNotAfter=*/time(nullptr) + 365 * 24 * 3600, extensions);
- if (!root) {
- LOG(ERROR) << "Error generating root cert";
- return std::nullopt;
- }
-
- // Now sign a CA cert so that we have a chain that's good enough to satisfy
- // the VTS tests.
- optional<vector<uint8_t>> intermediate = support::ecPublicKeyGenerateCertificate(
- publicKey.get(), rootKey.get(),
- /*serialDecimal=*/"42",
- /*subject=*/"Android IdentityCredential VTS Test Root Certificate",
- /*subject=*/"Android IdentityCredential VTS Test Attestation Certificate",
- /*validityNotBefore=*/time(nullptr),
- /*validityNotAfter=*/time(nullptr) + 365 * 24 * 3600, extensions);
- if (!intermediate) {
- LOG(ERROR) << "Error generating intermediate cert";
- return std::nullopt;
- }
-
- return vector<vector<uint8_t>>{std::move(*intermediate), std::move(*root)};
-}
-
optional<vector<uint8_t>> generateReaderCertificate(string serialDecimal) {
vector<uint8_t> privKey;
return generateReaderCertificate(serialDecimal, &privKey);
diff --git a/identity/aidl/vts/Util.h b/identity/aidl/vts/Util.h
index b120dc9..80e52a2 100644
--- a/identity/aidl/vts/Util.h
+++ b/identity/aidl/vts/Util.h
@@ -19,7 +19,6 @@
#include <android/hardware/identity/IIdentityCredentialStore.h>
#include <android/hardware/identity/support/IdentityCredentialSupport.h>
-#include <android/hardware/security/keymint/MacedPublicKey.h>
#include <cppbor.h>
#include <cppbor_parse.h>
#include <gtest/gtest.h>
@@ -98,9 +97,6 @@
bool setupWritableCredential(sp<IWritableIdentityCredential>& writableCredential,
sp<IIdentityCredentialStore>& credentialStore, bool testCredential);
-optional<vector<vector<uint8_t>>> createFakeRemotelyProvisionedCertificateChain(
- const ::android::hardware::security::keymint::MacedPublicKey& macedPublicKey);
-
optional<vector<uint8_t>> generateReaderCertificate(string serialDecimal);
optional<vector<uint8_t>> generateReaderCertificate(string serialDecimal,
diff --git a/identity/aidl/vts/VtsIWritableIdentityCredentialTests.cpp b/identity/aidl/vts/VtsIWritableIdentityCredentialTests.cpp
index 94d4c88..bc37020 100644
--- a/identity/aidl/vts/VtsIWritableIdentityCredentialTests.cpp
+++ b/identity/aidl/vts/VtsIWritableIdentityCredentialTests.cpp
@@ -18,8 +18,6 @@
#include <aidl/Gtest.h>
#include <aidl/Vintf.h>
-#include <aidl/android/hardware/security/keymint/IRemotelyProvisionedComponent.h>
-#include <aidl/android/hardware/security/keymint/MacedPublicKey.h>
#include <android-base/logging.h>
#include <android/hardware/identity/IIdentityCredentialStore.h>
#include <android/hardware/identity/support/IdentityCredentialSupport.h>
@@ -44,8 +42,6 @@
using ::android::sp;
using ::android::String16;
using ::android::binder::Status;
-using ::android::hardware::security::keymint::IRemotelyProvisionedComponent;
-using ::android::hardware::security::keymint::MacedPublicKey;
class IdentityCredentialTests : public testing::TestWithParam<string> {
public:
@@ -105,103 +101,6 @@
attestationApplicationId, false);
}
-TEST_P(IdentityCredentialTests, verifyAttestationSuccessWithRemoteProvisioning) {
- HardwareInformation hwInfo;
- ASSERT_TRUE(credentialStore_->getHardwareInformation(&hwInfo).isOk());
-
- if (!hwInfo.isRemoteKeyProvisioningSupported) {
- GTEST_SKIP() << "Remote provisioning is not supported";
- }
-
- Status result;
-
- sp<IWritableIdentityCredential> writableCredential;
- ASSERT_TRUE(test_utils::setupWritableCredential(writableCredential, credentialStore_,
- false /* testCredential */));
-
- sp<IRemotelyProvisionedComponent> rpc;
- result = credentialStore_->getRemotelyProvisionedComponent(&rpc);
- ASSERT_TRUE(result.isOk()) << result.exceptionCode() << "; " << result.exceptionMessage();
-
- MacedPublicKey macedPublicKey;
- std::vector<uint8_t> attestationKey;
- result = rpc->generateEcdsaP256KeyPair(/*testMode=*/true, &macedPublicKey, &attestationKey);
- ASSERT_TRUE(result.isOk()) << result.exceptionCode() << "; " << result.exceptionMessage();
-
- optional<vector<vector<uint8_t>>> remotelyProvisionedCertChain =
- test_utils::createFakeRemotelyProvisionedCertificateChain(macedPublicKey);
- ASSERT_TRUE(remotelyProvisionedCertChain);
-
- vector<uint8_t> concatenatedCerts;
- for (const vector<uint8_t>& cert : *remotelyProvisionedCertChain) {
- concatenatedCerts.insert(concatenatedCerts.end(), cert.begin(), cert.end());
- }
- result = writableCredential->setRemotelyProvisionedAttestationKey(attestationKey,
- concatenatedCerts);
- ASSERT_TRUE(result.isOk()) << result.exceptionCode() << "; " << result.exceptionMessage();
-
- string challenge = "NotSoRandomChallenge1NotSoRandomChallenge1NotSoRandomChallenge1";
- vector<uint8_t> attestationChallenge(challenge.begin(), challenge.end());
- vector<Certificate> attestationCertificate;
- vector<uint8_t> attestationApplicationId = {1};
-
- result = writableCredential->getAttestationCertificate(
- attestationApplicationId, attestationChallenge, &attestationCertificate);
-
- ASSERT_TRUE(result.isOk()) << result.exceptionCode() << "; " << result.exceptionMessage();
-
- test_utils::validateAttestationCertificate(attestationCertificate, attestationChallenge,
- attestationApplicationId, false);
-
- ASSERT_EQ(remotelyProvisionedCertChain->size() + 1, attestationCertificate.size());
- for (size_t i = 0; i < remotelyProvisionedCertChain->size(); ++i) {
- ASSERT_EQ(remotelyProvisionedCertChain->at(i),
- attestationCertificate[i + 1].encodedCertificate)
- << "Certificate mismatch (cert index " << i + 1 << " out of "
- << attestationCertificate.size() << " total certs)";
- }
-}
-
-TEST_P(IdentityCredentialTests, verifyRemotelyProvisionedKeyMayOnlyBeSetOnce) {
- HardwareInformation hwInfo;
- ASSERT_TRUE(credentialStore_->getHardwareInformation(&hwInfo).isOk());
-
- if (!hwInfo.isRemoteKeyProvisioningSupported) {
- GTEST_SKIP() << "Remote provisioning is not supported";
- }
-
- sp<IRemotelyProvisionedComponent> rpc;
- Status result = credentialStore_->getRemotelyProvisionedComponent(&rpc);
- ASSERT_TRUE(result.isOk()) << result.exceptionCode() << "; " << result.exceptionMessage();
-
- MacedPublicKey macedPublicKey;
- std::vector<uint8_t> attestationKey;
- result = rpc->generateEcdsaP256KeyPair(/*testMode=*/true, &macedPublicKey, &attestationKey);
- ASSERT_TRUE(result.isOk()) << result.exceptionCode() << "; " << result.exceptionMessage();
-
- optional<vector<vector<uint8_t>>> remotelyProvisionedCertChain =
- test_utils::createFakeRemotelyProvisionedCertificateChain(macedPublicKey);
- ASSERT_TRUE(remotelyProvisionedCertChain);
-
- vector<uint8_t> concatenatedCerts;
- for (const vector<uint8_t>& cert : *remotelyProvisionedCertChain) {
- concatenatedCerts.insert(concatenatedCerts.end(), cert.begin(), cert.end());
- }
-
- sp<IWritableIdentityCredential> writableCredential;
- ASSERT_TRUE(test_utils::setupWritableCredential(writableCredential, credentialStore_,
- /*testCredential=*/false));
-
- result = writableCredential->setRemotelyProvisionedAttestationKey(attestationKey,
- concatenatedCerts);
- ASSERT_TRUE(result.isOk()) << result.exceptionCode() << "; " << result.exceptionMessage();
-
- // Now try again, and verify that the implementation rejects it.
- result = writableCredential->setRemotelyProvisionedAttestationKey(attestationKey,
- concatenatedCerts);
- EXPECT_FALSE(result.isOk());
-}
-
TEST_P(IdentityCredentialTests, verifyAttestationDoubleCallFails) {
Status result;