Shikha Panwar | eb223ba | 2023-10-19 14:54:06 +0000 | [diff] [blame] | 1 | /* |
| 2 | * Copyright (C) 2023 The Android Open Source Project |
| 3 | * |
| 4 | * Licensed under the Apache License, Version 2.0 (the "License"); |
| 5 | * you may not use this file except in compliance with the License. |
| 6 | * You may obtain a copy of the License at |
| 7 | * |
| 8 | * http://www.apache.org/licenses/LICENSE-2.0 |
| 9 | * |
| 10 | * Unless required by applicable law or agreed to in writing, software |
| 11 | * distributed under the License is distributed on an "AS IS" BASIS, |
| 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| 13 | * See the License for the specific language governing permissions and |
| 14 | * limitations under the License. |
| 15 | */ |
| 16 | |
| 17 | use binder::{BinderFeatures, Interface}; |
| 18 | use log::{error, info, Level}; |
| 19 | use secretkeeper_comm::data_types::error::SecretkeeperError; |
| 20 | use secretkeeper_comm::data_types::packet::{RequestPacket, ResponsePacket}; |
| 21 | use secretkeeper_comm::data_types::request::Request; |
| 22 | use secretkeeper_comm::data_types::request_response_impl::{ |
| 23 | GetVersionRequest, GetVersionResponse, Opcode, |
| 24 | }; |
| 25 | use secretkeeper_comm::data_types::response::Response; |
| 26 | |
| 27 | use android_hardware_security_secretkeeper::aidl::android::hardware::security::secretkeeper::ISecretkeeper::{ |
| 28 | BnSecretkeeper, BpSecretkeeper, ISecretkeeper, |
| 29 | }; |
| 30 | |
| 31 | const CURRENT_VERSION: u64 = 1; |
| 32 | |
| 33 | #[derive(Debug, Default)] |
| 34 | pub struct NonSecureSecretkeeper; |
| 35 | |
| 36 | impl Interface for NonSecureSecretkeeper {} |
| 37 | |
| 38 | impl ISecretkeeper for NonSecureSecretkeeper { |
| 39 | fn processSecretManagementRequest(&self, request: &[u8]) -> binder::Result<Vec<u8>> { |
| 40 | Ok(self.process_opaque_request(request)) |
| 41 | } |
| 42 | } |
| 43 | |
| 44 | impl NonSecureSecretkeeper { |
| 45 | // A set of requests to Secretkeeper are 'opaque' - encrypted bytes with inner structure |
| 46 | // described by CDDL. They need to be decrypted, deserialized and processed accordingly. |
| 47 | fn process_opaque_request(&self, request: &[u8]) -> Vec<u8> { |
| 48 | // TODO(b/291224769) The request will need to be decrypted & response need to be encrypted |
| 49 | // with key & related artifacts pre-shared via Authgraph Key Exchange HAL. |
| 50 | self.process_opaque_request_unhandled_error(request) |
| 51 | .unwrap_or_else( |
| 52 | // SecretkeeperError is also a valid 'Response', serialize to a response packet. |
| 53 | |sk_err| { |
| 54 | Response::serialize_to_packet(&sk_err) |
| 55 | .into_bytes() |
| 56 | .expect("Panicking due to serialization failing") |
| 57 | }, |
| 58 | ) |
| 59 | } |
| 60 | |
| 61 | fn process_opaque_request_unhandled_error( |
| 62 | &self, |
| 63 | request: &[u8], |
| 64 | ) -> Result<Vec<u8>, SecretkeeperError> { |
| 65 | let request_packet = RequestPacket::from_bytes(request).map_err(|e| { |
| 66 | error!("Failed to get Request packet from bytes: {:?}", e); |
| 67 | SecretkeeperError::RequestMalformed |
| 68 | })?; |
| 69 | let response_packet = match request_packet |
| 70 | .opcode() |
| 71 | .map_err(|_| SecretkeeperError::RequestMalformed)? |
| 72 | { |
| 73 | Opcode::GetVersion => Self::process_get_version_request(request_packet)?, |
| 74 | _ => todo!("TODO(b/291224769): Unimplemented operations"), |
| 75 | }; |
| 76 | |
| 77 | response_packet |
| 78 | .into_bytes() |
| 79 | .map_err(|_| SecretkeeperError::UnexpectedServerError) |
| 80 | } |
| 81 | |
| 82 | fn process_get_version_request( |
| 83 | request: RequestPacket, |
| 84 | ) -> Result<ResponsePacket, SecretkeeperError> { |
| 85 | // Deserialization really just verifies the structural integrity of the request such |
| 86 | // as args being empty. |
| 87 | let _request = GetVersionRequest::deserialize_from_packet(request) |
| 88 | .map_err(|_| SecretkeeperError::RequestMalformed)?; |
| 89 | let response = GetVersionResponse::new(CURRENT_VERSION); |
| 90 | Ok(response.serialize_to_packet()) |
| 91 | } |
| 92 | } |
| 93 | |
| 94 | fn main() { |
| 95 | // Initialize Android logging. |
| 96 | android_logger::init_once( |
| 97 | android_logger::Config::default() |
| 98 | .with_tag("NonSecureSecretkeeper") |
| 99 | .with_min_level(Level::Info) |
| 100 | .with_log_id(android_logger::LogId::System), |
| 101 | ); |
| 102 | // Redirect panic messages to logcat. |
| 103 | std::panic::set_hook(Box::new(|panic_info| { |
| 104 | error!("{}", panic_info); |
| 105 | })); |
| 106 | |
| 107 | let service = NonSecureSecretkeeper::default(); |
| 108 | let service_binder = BnSecretkeeper::new_binder(service, BinderFeatures::default()); |
| 109 | let service_name = format!( |
| 110 | "{}/nonsecure", |
| 111 | <BpSecretkeeper as ISecretkeeper>::get_descriptor() |
| 112 | ); |
| 113 | binder::add_service(&service_name, service_binder.as_binder()).unwrap_or_else(|e| { |
| 114 | panic!( |
| 115 | "Failed to register service {} because of {:?}.", |
| 116 | service_name, e |
| 117 | ); |
| 118 | }); |
| 119 | info!("Registered Binder service, joining threadpool."); |
| 120 | binder::ProcessState::join_thread_pool(); |
| 121 | } |