Gitiles
Code Review Sign In
gerrit.omnirom.org / android_hardware_interfaces / eafa06164d1e1bafbe20562d540ab5420bb0f825 / . / identity / aidl / default / FakeSecureHardwareProxy.cpp
blob: de6762fc2e0d8e6a50594737b0efcdbf4dd79eba [file] [log] [blame]
David Zeuthen630de2a2020-05-11 14:04:54 -0400[diff] [blame]1/*
2 * Copyright 2020, The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17#define LOG_TAG "FakeSecureHardwareProxy"
18
19#include "FakeSecureHardwareProxy.h"
20
21#include <android/hardware/identity/support/IdentityCredentialSupport.h>
22
23#include <android-base/logging.h>
24#include <android-base/stringprintf.h>
25#include <string.h>
26
27#include <openssl/sha.h>
28
29#include <openssl/aes.h>
30#include <openssl/bn.h>
31#include <openssl/crypto.h>
32#include <openssl/ec.h>
33#include <openssl/err.h>
34#include <openssl/evp.h>
35#include <openssl/hkdf.h>
36#include <openssl/hmac.h>
37#include <openssl/objects.h>
38#include <openssl/pem.h>
39#include <openssl/pkcs12.h>
40#include <openssl/rand.h>
41#include <openssl/x509.h>
42#include <openssl/x509_vfy.h>
43
44#include <libeic.h>
45
46using ::std::optional;
47using ::std::string;
48using ::std::tuple;
49using ::std::vector;
50
51namespace android::hardware::identity {
52
53// ----------------------------------------------------------------------
54
55FakeSecureHardwareProvisioningProxy::FakeSecureHardwareProvisioningProxy() {}
56
57FakeSecureHardwareProvisioningProxy::~FakeSecureHardwareProvisioningProxy() {}
58
59bool FakeSecureHardwareProvisioningProxy::shutdown() {
60 LOG(INFO) << "FakeSecureHardwarePresentationProxy shutdown";
61 return true;
62}
63
64bool FakeSecureHardwareProvisioningProxy::initialize(bool testCredential) {
65 LOG(INFO) << "FakeSecureHardwareProvisioningProxy created, sizeof(EicProvisioning): "
66 << sizeof(EicProvisioning);
67 return eicProvisioningInit(&ctx_, testCredential);
68}
69
70// Returns public key certificate.
71optional<vector<uint8_t>> FakeSecureHardwareProvisioningProxy::createCredentialKey(
72 const vector<uint8_t>& challenge, const vector<uint8_t>& applicationId) {
73 uint8_t publicKeyCert[4096];
74 size_t publicKeyCertSize = sizeof publicKeyCert;
75 if (!eicProvisioningCreateCredentialKey(&ctx_, challenge.data(), challenge.size(),
76 applicationId.data(), applicationId.size(),
77 publicKeyCert, &publicKeyCertSize)) {
78 return {};
79 }
80 vector<uint8_t> pubKeyCert(publicKeyCertSize);
81 memcpy(pubKeyCert.data(), publicKeyCert, publicKeyCertSize);
82 return pubKeyCert;
83}
84
85bool FakeSecureHardwareProvisioningProxy::startPersonalization(
86 int accessControlProfileCount, vector<int> entryCounts, const string& docType,
87 size_t expectedProofOfProvisioningSize) {
88 if (!eicProvisioningStartPersonalization(&ctx_, accessControlProfileCount, entryCounts.data(),
89 entryCounts.size(), docType.c_str(),
90 expectedProofOfProvisioningSize)) {
91 return false;
92 }
93 return true;
94}
95
96// Returns MAC (28 bytes).
97optional<vector<uint8_t>> FakeSecureHardwareProvisioningProxy::addAccessControlProfile(
98 int id, const vector<uint8_t>& readerCertificate, bool userAuthenticationRequired,
99 uint64_t timeoutMillis, uint64_t secureUserId) {
100 vector<uint8_t> mac(28);
101 if (!eicProvisioningAddAccessControlProfile(
102 &ctx_, id, readerCertificate.data(), readerCertificate.size(),
103 userAuthenticationRequired, timeoutMillis, secureUserId, mac.data())) {
104 return {};
105 }
106 return mac;
107}
108
109bool FakeSecureHardwareProvisioningProxy::beginAddEntry(const vector<int>& accessControlProfileIds,
110 const string& nameSpace, const string& name,
111 uint64_t entrySize) {
112 uint8_t scratchSpace[512];
113 return eicProvisioningBeginAddEntry(&ctx_, accessControlProfileIds.data(),
114 accessControlProfileIds.size(), nameSpace.c_str(),
115 name.c_str(), entrySize, scratchSpace, sizeof scratchSpace);
116}
117
118// Returns encryptedContent.
119optional<vector<uint8_t>> FakeSecureHardwareProvisioningProxy::addEntryValue(
120 const vector<int>& accessControlProfileIds, const string& nameSpace, const string& name,
121 const vector<uint8_t>& content) {
122 vector<uint8_t> eicEncryptedContent;
123 uint8_t scratchSpace[512];
124 eicEncryptedContent.resize(content.size() + 28);
125 if (!eicProvisioningAddEntryValue(
126 &ctx_, accessControlProfileIds.data(), accessControlProfileIds.size(),
127 nameSpace.c_str(), name.c_str(), content.data(), content.size(),
128 eicEncryptedContent.data(), scratchSpace, sizeof scratchSpace)) {
129 return {};
130 }
131 return eicEncryptedContent;
132}
133
134// Returns signatureOfToBeSigned (EIC_ECDSA_P256_SIGNATURE_SIZE bytes).
135optional<vector<uint8_t>> FakeSecureHardwareProvisioningProxy::finishAddingEntries() {
136 vector<uint8_t> signatureOfToBeSigned(EIC_ECDSA_P256_SIGNATURE_SIZE);
137 if (!eicProvisioningFinishAddingEntries(&ctx_, signatureOfToBeSigned.data())) {
138 return {};
139 }
140 return signatureOfToBeSigned;
141}
142
143// Returns encryptedCredentialKeys (80 bytes).
144optional<vector<uint8_t>> FakeSecureHardwareProvisioningProxy::finishGetCredentialData(
145 const string& docType) {
146 vector<uint8_t> encryptedCredentialKeys(80);
147 if (!eicProvisioningFinishGetCredentialData(&ctx_, docType.c_str(),
148 encryptedCredentialKeys.data())) {
149 return {};
150 }
151 return encryptedCredentialKeys;
152}
153
154// ----------------------------------------------------------------------
155
156FakeSecureHardwarePresentationProxy::FakeSecureHardwarePresentationProxy() {}
157
158FakeSecureHardwarePresentationProxy::~FakeSecureHardwarePresentationProxy() {}
159
160bool FakeSecureHardwarePresentationProxy::initialize(bool testCredential, string docType,
161 vector<uint8_t> encryptedCredentialKeys) {
162 LOG(INFO) << "FakeSecureHardwarePresentationProxy created, sizeof(EicPresentation): "
163 << sizeof(EicPresentation);
164 return eicPresentationInit(&ctx_, testCredential, docType.c_str(),
165 encryptedCredentialKeys.data());
166}
167
168// Returns publicKeyCert (1st component) and signingKeyBlob (2nd component)
169optional<pair<vector<uint8_t>, vector<uint8_t>>>
170FakeSecureHardwarePresentationProxy::generateSigningKeyPair(string docType, time_t now) {
171 uint8_t publicKeyCert[512];
172 size_t publicKeyCertSize = sizeof(publicKeyCert);
173 vector<uint8_t> signingKeyBlob(60);
174
175 if (!eicPresentationGenerateSigningKeyPair(&ctx_, docType.c_str(), now, publicKeyCert,
176 &publicKeyCertSize, signingKeyBlob.data())) {
177 return {};
178 }
179
180 vector<uint8_t> cert;
181 cert.resize(publicKeyCertSize);
182 memcpy(cert.data(), publicKeyCert, publicKeyCertSize);
183
184 return std::make_pair(cert, signingKeyBlob);
185}
186
187// Returns private key
188optional<vector<uint8_t>> FakeSecureHardwarePresentationProxy::createEphemeralKeyPair() {
189 vector<uint8_t> priv(EIC_P256_PRIV_KEY_SIZE);
190 if (!eicPresentationCreateEphemeralKeyPair(&ctx_, priv.data())) {
191 return {};
192 }
193 return priv;
194}
195
196optional<uint64_t> FakeSecureHardwarePresentationProxy::createAuthChallenge() {
197 uint64_t challenge;
198 if (!eicPresentationCreateAuthChallenge(&ctx_, &challenge)) {
199 return {};
200 }
201 return challenge;
202}
203
204bool FakeSecureHardwarePresentationProxy::shutdown() {
205 LOG(INFO) << "FakeSecureHardwarePresentationProxy shutdown";
206 return true;
207}
208
209bool FakeSecureHardwarePresentationProxy::pushReaderCert(const vector<uint8_t>& certX509) {
210 return eicPresentationPushReaderCert(&ctx_, certX509.data(), certX509.size());
211}
212
213bool FakeSecureHardwarePresentationProxy::validateRequestMessage(
214 const vector<uint8_t>& sessionTranscript, const vector<uint8_t>& requestMessage,
215 int coseSignAlg, const vector<uint8_t>& readerSignatureOfToBeSigned) {
216 return eicPresentationValidateRequestMessage(
217 &ctx_, sessionTranscript.data(), sessionTranscript.size(), requestMessage.data(),
218 requestMessage.size(), coseSignAlg, readerSignatureOfToBeSigned.data(),
219 readerSignatureOfToBeSigned.size());
220}
221
222bool FakeSecureHardwarePresentationProxy::setAuthToken(
223 uint64_t challenge, uint64_t secureUserId, uint64_t authenticatorId,
224 int hardwareAuthenticatorType, uint64_t timeStamp, const vector<uint8_t>& mac,
225 uint64_t verificationTokenChallenge, uint64_t verificationTokenTimestamp,
226 int verificationTokenSecurityLevel, const vector<uint8_t>& verificationTokenMac) {
227 return eicPresentationSetAuthToken(&ctx_, challenge, secureUserId, authenticatorId,
228 hardwareAuthenticatorType, timeStamp, mac.data(), mac.size(),
229 verificationTokenChallenge, verificationTokenTimestamp,
230 verificationTokenSecurityLevel, verificationTokenMac.data(),
231 verificationTokenMac.size());
232}
233
234optional<bool> FakeSecureHardwarePresentationProxy::validateAccessControlProfile(
235 int id, const vector<uint8_t>& readerCertificate, bool userAuthenticationRequired,
236 int timeoutMillis, uint64_t secureUserId, const vector<uint8_t>& mac) {
237 bool accessGranted = false;
238 if (!eicPresentationValidateAccessControlProfile(&ctx_, id, readerCertificate.data(),
239 readerCertificate.size(),
240 userAuthenticationRequired, timeoutMillis,
241 secureUserId, mac.data(), &accessGranted)) {
242 return {};
243 }
244 return accessGranted;
245}
246
247bool FakeSecureHardwarePresentationProxy::startRetrieveEntries() {
248 return eicPresentationStartRetrieveEntries(&ctx_);
249}
250
251bool FakeSecureHardwarePresentationProxy::calcMacKey(
252 const vector<uint8_t>& sessionTranscript, const vector<uint8_t>& readerEphemeralPublicKey,
253 const vector<uint8_t>& signingKeyBlob, const string& docType,
254 unsigned int numNamespacesWithValues, size_t expectedProofOfProvisioningSize) {
255 if (signingKeyBlob.size() != 60) {
256 eicDebug("Unexpected size %zd of signingKeyBlob, expected 60", signingKeyBlob.size());
257 return false;
258 }
259 return eicPresentationCalcMacKey(&ctx_, sessionTranscript.data(), sessionTranscript.size(),
260 readerEphemeralPublicKey.data(), signingKeyBlob.data(),
261 docType.c_str(), numNamespacesWithValues,
262 expectedProofOfProvisioningSize);
263}
264
265AccessCheckResult FakeSecureHardwarePresentationProxy::startRetrieveEntryValue(
266 const string& nameSpace, const string& name, unsigned int newNamespaceNumEntries,
267 int32_t entrySize, const vector<int32_t>& accessControlProfileIds) {
268 uint8_t scratchSpace[512];
269 EicAccessCheckResult result = eicPresentationStartRetrieveEntryValue(
270 &ctx_, nameSpace.c_str(), name.c_str(), newNamespaceNumEntries, entrySize,
271 accessControlProfileIds.data(), accessControlProfileIds.size(), scratchSpace,
272 sizeof scratchSpace);
273 switch (result) {
274 case EIC_ACCESS_CHECK_RESULT_OK:
275 return AccessCheckResult::kOk;
276 case EIC_ACCESS_CHECK_RESULT_NO_ACCESS_CONTROL_PROFILES:
277 return AccessCheckResult::kNoAccessControlProfiles;
278 case EIC_ACCESS_CHECK_RESULT_FAILED:
279 return AccessCheckResult::kFailed;
280 case EIC_ACCESS_CHECK_RESULT_USER_AUTHENTICATION_FAILED:
281 return AccessCheckResult::kUserAuthenticationFailed;
282 case EIC_ACCESS_CHECK_RESULT_READER_AUTHENTICATION_FAILED:
283 return AccessCheckResult::kReaderAuthenticationFailed;
284 }
285 eicDebug("Unknown result with code %d, returning kFailed", (int)result);
286 return AccessCheckResult::kFailed;
287}
288
289optional<vector<uint8_t>> FakeSecureHardwarePresentationProxy::retrieveEntryValue(
290 const vector<uint8_t>& encryptedContent, const string& nameSpace, const string& name,
291 const vector<int32_t>& accessControlProfileIds) {
292 uint8_t scratchSpace[512];
293 vector<uint8_t> content;
294 content.resize(encryptedContent.size() - 28);
295 if (!eicPresentationRetrieveEntryValue(
296 &ctx_, encryptedContent.data(), encryptedContent.size(), content.data(),
297 nameSpace.c_str(), name.c_str(), accessControlProfileIds.data(),
298 accessControlProfileIds.size(), scratchSpace, sizeof scratchSpace)) {
299 return {};
300 }
301 return content;
302}
303
304optional<vector<uint8_t>> FakeSecureHardwarePresentationProxy::finishRetrieval() {
305 vector<uint8_t> mac(32);
306 size_t macSize = 32;
307 if (!eicPresentationFinishRetrieval(&ctx_, mac.data(), &macSize)) {
308 return {};
309 }
310 mac.resize(macSize);
311 return mac;
312}
313
314optional<vector<uint8_t>> FakeSecureHardwarePresentationProxy::deleteCredential(
315 const string& docType, size_t proofOfDeletionCborSize) {
316 vector<uint8_t> signatureOfToBeSigned(EIC_ECDSA_P256_SIGNATURE_SIZE);
317 if (!eicPresentationDeleteCredential(&ctx_, docType.c_str(), proofOfDeletionCborSize,
318 signatureOfToBeSigned.data())) {
319 return {};
320 }
321 return signatureOfToBeSigned;
322}
323
324} // namespace android::hardware::identity