[rkpd] Refactor rkpd_client into an independent lib for reuse
This allows rkpd_client to be reused by both keystore2 and
AVF pVM remote attestation.
Test: atest keystore2_test librkpd_client.test
Bug: 241428146
Change-Id: Ibdf95c4deb2ba499daaecd170c2971cda4e80bba
diff --git a/keystore2/Android.bp b/keystore2/Android.bp
index e59b6f2..c378b42 100644
--- a/keystore2/Android.bp
+++ b/keystore2/Android.bp
@@ -58,6 +58,7 @@
"liblog_rust",
"libmessage_macro",
"librand",
+ "librkpd_client",
"librustutils",
"libserde",
"libserde_cbor",
diff --git a/keystore2/TEST_MAPPING b/keystore2/TEST_MAPPING
index 1038bea..57ce78c 100644
--- a/keystore2/TEST_MAPPING
+++ b/keystore2/TEST_MAPPING
@@ -35,6 +35,9 @@
"name": "keystore2_client_tests"
},
{
+ "name": "librkpd_client.test"
+ },
+ {
"name": "libwatchdog_rs.test"
}
]
diff --git a/keystore2/rkpd_client/Android.bp b/keystore2/rkpd_client/Android.bp
new file mode 100644
index 0000000..1de333f
--- /dev/null
+++ b/keystore2/rkpd_client/Android.bp
@@ -0,0 +1,51 @@
+// Copyright 2023, The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package {
+ // See: http://go/android-license-faq
+ // A large-scale-change added 'default_applicable_licenses' to import
+ // all of the 'license_kinds' from "system_security_license"
+ // to get the below license kinds:
+ // SPDX-license-identifier-Apache-2.0
+ default_applicable_licenses: ["system_security_license"],
+}
+
+rust_defaults {
+ name: "librkpd_client_defaults",
+ crate_name: "rkpd_client",
+ srcs: ["src/lib.rs"],
+ rustlibs: [
+ "android.security.rkp_aidl-rust",
+ "libanyhow",
+ "libbinder_rs",
+ "liblog_rust",
+ "libmessage_macro",
+ "libthiserror",
+ "libtokio",
+ ],
+}
+
+rust_library {
+ name: "librkpd_client",
+ defaults: ["librkpd_client_defaults"],
+}
+
+rust_test {
+ name: "librkpd_client.test",
+ defaults: ["librkpd_client_defaults"],
+ test_suites: ["general-tests"],
+ rustlibs: [
+ "librand",
+ ],
+}
diff --git a/keystore2/src/rkpd_client.rs b/keystore2/rkpd_client/src/lib.rs
similarity index 100%
rename from keystore2/src/rkpd_client.rs
rename to keystore2/rkpd_client/src/lib.rs
diff --git a/keystore2/src/error.rs b/keystore2/src/error.rs
index ac5ba4c..b4c57fb 100644
--- a/keystore2/src/error.rs
+++ b/keystore2/src/error.rs
@@ -27,7 +27,6 @@
//! Keystore functions should use `anyhow::Result` to return error conditions, and context should
//! be added every time an error is forwarded.
-use crate::rkpd_client::Error as RkpdError;
pub use android_hardware_security_keymint::aidl::android::hardware::security::keymint::ErrorCode::ErrorCode;
use android_security_rkp_aidl::aidl::android::security::rkp::IGetKeyCallback::ErrorCode::ErrorCode as GetKeyErrorCode;
pub use android_system_keystore2::aidl::android::system::keystore2::ResponseCode::ResponseCode;
@@ -35,6 +34,7 @@
ExceptionCode, Result as BinderResult, Status as BinderStatus, StatusCode,
};
use keystore2_selinux as selinux;
+use rkpd_client::Error as RkpdError;
use std::cmp::PartialEq;
use std::ffi::CString;
diff --git a/keystore2/src/lib.rs b/keystore2/src/lib.rs
index e51a319..c0eecd8 100644
--- a/keystore2/src/lib.rs
+++ b/keystore2/src/lib.rs
@@ -37,7 +37,6 @@
pub mod permission;
pub mod raw_device;
pub mod remote_provisioning;
-pub mod rkpd_client;
pub mod security_level;
pub mod service;
pub mod shared_secret_negotiation;
diff --git a/keystore2/src/remote_provisioning.rs b/keystore2/src/remote_provisioning.rs
index 14c61fb..a386d96 100644
--- a/keystore2/src/remote_provisioning.rs
+++ b/keystore2/src/remote_provisioning.rs
@@ -35,9 +35,9 @@
use crate::globals::get_remotely_provisioned_component_name;
use crate::ks_err;
use crate::metrics_store::log_rkp_error_stats;
-use crate::rkpd_client::get_rkpd_attestation_key;
use crate::watchdog_helper::watchdog as wd;
use android_security_metrics::aidl::android::security::metrics::RkpError::RkpError as MetricsRkpError;
+use rkpd_client::get_rkpd_attestation_key;
/// Contains helper functions to check if remote provisioning is enabled on the system and, if so,
/// to assign and retrieve attestation keys and certificate chains.
diff --git a/keystore2/src/security_level.rs b/keystore2/src/security_level.rs
index f2b332b..7a27452 100644
--- a/keystore2/src/security_level.rs
+++ b/keystore2/src/security_level.rs
@@ -30,7 +30,6 @@
use crate::ks_err;
use crate::metrics_store::log_key_creation_event_stats;
use crate::remote_provisioning::RemProvState;
-use crate::rkpd_client::store_rkpd_attestation_key;
use crate::super_key::{KeyBlob, SuperKeyManager};
use crate::utils::{
check_device_attestation_permissions, check_key_permission,
@@ -64,6 +63,7 @@
KeyMetadata::KeyMetadata, KeyParameters::KeyParameters, ResponseCode::ResponseCode,
};
use anyhow::{anyhow, Context, Result};
+use rkpd_client::store_rkpd_attestation_key;
use std::convert::TryInto;
use std::time::SystemTime;
@@ -1073,13 +1073,13 @@
use super::*;
use crate::error::map_km_error;
use crate::globals::get_keymint_device;
- use crate::rkpd_client::{get_rkpd_attestation_key, store_rkpd_attestation_key};
use crate::utils::upgrade_keyblob_if_required_with;
use android_hardware_security_keymint::aidl::android::hardware::security::keymint::{
Algorithm::Algorithm, AttestationKey::AttestationKey, KeyParameter::KeyParameter,
KeyParameterValue::KeyParameterValue, Tag::Tag,
};
use keystore2_crypto::parse_subject_from_certificate;
+ use rkpd_client::get_rkpd_attestation_key;
#[test]
// This is a helper for a manual test. We want to check that after a system upgrade RKPD