Merge changes I0049d5ba,I28ebc5a2

* changes:
  identity: Replace RemotelyProvisionedKey with librkp_support
  Add helper library to get remotely provisioned key
diff --git a/keystore2/src/crypto/tests/certificate_utils_test.cpp b/keystore2/src/crypto/tests/certificate_utils_test.cpp
index bd94928..a851798 100644
--- a/keystore2/src/crypto/tests/certificate_utils_test.cpp
+++ b/keystore2/src/crypto/tests/certificate_utils_test.cpp
@@ -313,7 +313,15 @@
     const uint8_t* p = encCert.data();
     X509_Ptr decoded_cert(d2i_X509(nullptr, &p, (long)encCert.size()));
     EVP_PKEY_Ptr decoded_pkey(X509_get_pubkey(decoded_cert.get()));
-    ASSERT_TRUE(X509_verify(decoded_cert.get(), decoded_pkey.get()));
+    if ((padding == Padding::PSS) && (digest == Digest::SHA1 || digest == Digest::SHA224)) {
+        // BoringSSL after https://boringssl-review.googlesource.com/c/boringssl/+/53865
+        // does not support these PSS combinations, so skip certificate verification for them
+        // and just check _something_ was returned.
+        EXPECT_NE(decoded_cert.get(), nullptr);
+        EXPECT_NE(decoded_pkey.get(), nullptr);
+    } else {
+        ASSERT_TRUE(X509_verify(decoded_cert.get(), decoded_pkey.get()));
+    }
 }
 
 TEST(TimeStringTests, toTimeStringTest) {
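Review bot: In the new PSS/SHA-1 and PSS/SHA-224 branch the null checks run too late and too softly: `decoded_cert.get()` has already been passed to `X509_get_pubkey` two lines earlier, and `EXPECT_NE` lets the test continue on failure. Moving `ASSERT_NE(decoded_cert.get(), nullptr);` directly after the `d2i_X509` line would cover both branches. In this branch the certificate signature is no longer checked at all, so the comment should say that signing correctness for these combinations is untested here rather than only that verification is skipped. In the `else` branch, `ASSERT_EQ(1, X509_verify(decoded_cert.get(), decoded_pkey.get()));` would be stricter than `ASSERT_TRUE`, which accepts any non-zero return. The enclosing test body starts outside the hunk.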
diff --git a/keystore2/src/fuzzers/Android.bp b/keystore2/src/fuzzers/Android.bp
index 9a2d98d..4ac83e3 100644
--- a/keystore2/src/fuzzers/Android.bp
+++ b/keystore2/src/fuzzers/Android.bp
@@ -20,6 +20,7 @@
     name: "keystore2_unsafe_fuzzer",
     srcs: ["keystore2_unsafe_fuzzer.rs"],
     rustlibs: [
+        "libbinder_rs",
         "libkeystore2",
         "libkeystore2_crypto_rust",
         "libkeystore2_vintf_rust",
diff --git a/keystore2/src/fuzzers/keystore2_unsafe_fuzzer.rs b/keystore2/src/fuzzers/keystore2_unsafe_fuzzer.rs
index 1a385e7..0dca3a2 100644
--- a/keystore2/src/fuzzers/keystore2_unsafe_fuzzer.rs
+++ b/keystore2/src/fuzzers/keystore2_unsafe_fuzzer.rs
@@ -14,10 +14,9 @@
 
 //! Fuzzes unsafe APIs of libkeystore2 module
 
-#![feature(slice_internals)]
 #![no_main]
 
-use core::slice::memchr;
+use binder::get_declared_instances;
 use keystore2::{legacy_blob::LegacyBlobLoader, utils::ui_opts_2_compat};
 use keystore2_aaid::get_aaid;
 use keystore2_apc_compat::ApcHal;
@@ -28,7 +27,7 @@
     hmac_sha256, parse_subject_from_certificate, Password, ZVec,
 };
 use keystore2_selinux::{check_access, getpidcon, setcon, Backend, Context, KeystoreKeyBackend};
-use keystore2_vintf::{get_aidl_instances, get_hidl_instances};
+use keystore2_vintf::get_hidl_instances;
 use libfuzzer_sys::{arbitrary::Arbitrary, fuzz_target};
 use std::{ffi::CString, sync::Arc};
 
@@ -37,7 +36,7 @@
 
 /// CString does not contain any internal 0 bytes
 fn get_valid_cstring_data(data: &[u8]) -> &[u8] {
-    match memchr::memchr(0, data) {
+    match data.iter().position(|&b| b == 0) {
         Some(idx) => &data[0..idx],
         None => data,
     }
@@ -97,7 +96,6 @@
     },
     GetAidlInstances {
         aidl_package: &'a str,
-        version: usize,
         aidl_interface_name: &'a str,
     },
     GetAaid {
@@ -191,8 +189,11 @@
             } => {
                 get_hidl_instances(hidl_package, major_version, minor_version, hidl_interface_name);
             }
-            FuzzCommand::GetAidlInstances { aidl_package, version, aidl_interface_name } => {
-                get_aidl_instances(aidl_package, version, aidl_interface_name);
+            FuzzCommand::GetAidlInstances { aidl_package, aidl_interface_name } => {
+                get_declared_instances(
+                    format!("{}.{}", aidl_package, aidl_interface_name).as_str(),
+                )
+                .unwrap();
             }
             FuzzCommand::GetAaid { aaid_uid } => {
                 let _res = get_aaid(aaid_uid);
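Review bot: The `.unwrap()` on `get_declared_instances` in the `GetAidlInstances` arm will turn any `Err` for a fuzzed name into a panic, which the fuzzer then reports as a crash in keystore2. Both `aidl_package` and `aidl_interface_name` are arbitrary strings, so an error return (for example on a name the binder layer rejects) is an expected outcome, not a finding. Discarding the result the way the `GetAaid` arm below does keeps the call exercised without the false positives: `let _res = get_declared_instances(format!("{}.{}", aidl_package, aidl_interface_name).as_str());`.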
diff --git a/keystore2/src/globals.rs b/keystore2/src/globals.rs
index bd60f04..8b26ceb 100644
--- a/keystore2/src/globals.rs
+++ b/keystore2/src/globals.rs
@@ -41,7 +41,7 @@
 use android_security_compat::aidl::android::security::compat::IKeystoreCompatService::IKeystoreCompatService;
 use anyhow::{Context, Result};
 use binder::FromIBinder;
-use keystore2_vintf::get_aidl_instances;
+use binder::get_declared_instances;
 use lazy_static::lazy_static;
 use std::sync::{Arc, Mutex, RwLock};
 use std::{cell::RefCell, sync::Once};
@@ -183,7 +183,7 @@
     version: i32,
 ) -> Result<Option<(i32, String)>> {
     let keymint_instances =
-        get_aidl_instances("android.hardware.security.keymint", version as usize, "IKeyMintDevice");
+        get_declared_instances("android.hardware.security.keymint.IKeyMintDevice").unwrap();
 
     let service_name = match *security_level {
         SecurityLevel::TRUSTED_ENVIRONMENT => {
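Review bot: The `.unwrap()` on `get_declared_instances("android.hardware.security.keymint.IKeyMintDevice")` panics the keystore2 process on a service-manager error, even though the enclosing function returns `Result` and its callers already attach context. Propagating instead keeps a transient binder failure from taking down the daemon, e.g. `get_declared_instances("android.hardware.security.keymint.IKeyMintDevice").context(ks_err!("Getting KeyMint instances"))?;` (assuming the binder error type works with `anyhow::Context`, as it appears to elsewhere in this file). The same pattern is added in `connect_secureclock`, in `get_remotely_provisioned_component_name`, and in the `.chain` block of shared_secret_negotiation.rs. The old call also passed `version as usize` and the new one does not, so if the rest of this function (which continues outside the hunk) relied on the list being version-filtered, that needs a separate check.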
@@ -229,7 +229,7 @@
                 Ok(sl)
             }
         })
-        .context(ks_err!())?;
+        .context(ks_err!("Get service name by version"))?;
 
     let (keymint, hal_version) = if let Some((version, service_name)) = service_name {
         let km: Strong<dyn IKeyMintDevice> =
@@ -334,7 +334,8 @@
     if let Some((dev, hw_info, uuid)) = devices_map.dev_by_sec_level(security_level) {
         Ok((dev, hw_info, uuid))
     } else {
-        let (dev, hw_info) = connect_keymint(security_level).context(ks_err!())?;
+        let (dev, hw_info) =
+            connect_keymint(security_level).context(ks_err!("Cannot connect to Keymint"))?;
         devices_map.insert(*security_level, dev, hw_info);
         // Unwrap must succeed because we just inserted it.
         Ok(devices_map.dev_by_sec_level(security_level).unwrap())
@@ -368,7 +369,7 @@
 /// to connect to the legacy wrapper.
 fn connect_secureclock() -> Result<Strong<dyn ISecureClock>> {
     let secureclock_instances =
-        get_aidl_instances("android.hardware.security.secureclock", 1, "ISecureClock");
+        get_declared_instances("android.hardware.security.secureclock.ISecureClock").unwrap();
 
     let secure_clock_available =
         secureclock_instances.iter().any(|instance| *instance == "default");
@@ -419,7 +420,7 @@
 /// Get the service name of a remotely provisioned component corresponding to given security level.
 pub fn get_remotely_provisioned_component_name(security_level: &SecurityLevel) -> Result<String> {
     let remotely_prov_instances =
-        get_aidl_instances("android.hardware.security.keymint", 1, "IRemotelyProvisionedComponent");
+        get_declared_instances(REMOTE_PROVISIONING_HAL_SERVICE_NAME).unwrap();
 
     match *security_level {
         SecurityLevel::TRUSTED_ENVIRONMENT => {
diff --git a/keystore2/src/shared_secret_negotiation.rs b/keystore2/src/shared_secret_negotiation.rs
index 81644ec..739f4ba 100644
--- a/keystore2/src/shared_secret_negotiation.rs
+++ b/keystore2/src/shared_secret_negotiation.rs
@@ -23,7 +23,8 @@
 };
 use android_security_compat::aidl::android::security::compat::IKeystoreCompatService::IKeystoreCompatService;
 use anyhow::Result;
-use keystore2_vintf::{get_aidl_instances, get_hidl_instances};
+use binder::get_declared_instances;
+use keystore2_vintf::get_hidl_instances;
 use std::fmt::{self, Display, Formatter};
 use std::time::Duration;
 
@@ -111,6 +112,8 @@
 static KEYMASTER_INTERFACE_NAME: &str = "IKeymasterDevice";
 static SHARED_SECRET_PACKAGE_NAME: &str = "android.hardware.security.sharedsecret";
 static SHARED_SECRET_INTERFACE_NAME: &str = "ISharedSecret";
+static SHARED_SECRET_PACKAGE_AND_INTERFACE_NAME: &str =
+    "android.hardware.security.sharedsecret.ISharedSecret";
 static COMPAT_PACKAGE_NAME: &str = "android.security.compat";
 
 /// Lists participants.
@@ -141,7 +144,8 @@
                 .collect::<Vec<SharedSecretParticipant>>()
         })
         .chain({
-            get_aidl_instances(SHARED_SECRET_PACKAGE_NAME, 1, SHARED_SECRET_INTERFACE_NAME)
+            get_declared_instances(SHARED_SECRET_PACKAGE_AND_INTERFACE_NAME)
+                .unwrap()
                 .into_iter()
                 .map(SharedSecretParticipant::Aidl)
                 .collect::<Vec<_>>()
diff --git a/keystore2/src/vintf/lib.rs b/keystore2/src/vintf/lib.rs
index 08384bd..5bb015f 100644
--- a/keystore2/src/vintf/lib.rs
+++ b/keystore2/src/vintf/lib.rs
@@ -27,10 +27,6 @@
             minor_version: usize,
             interface_name: &str,
         ) -> Vec<String>;
-
-        /// Gets the instances of the given package, version, and interface tuple.
-        /// Note that this is not a zero-cost shim: it will make copies of the strings.
-        fn get_aidl_instances(package: &str, version: usize, interface_name: &str) -> Vec<String>;
     }
 }
 
diff --git a/keystore2/src/vintf/vintf.cpp b/keystore2/src/vintf/vintf.cpp
index a550b10..bf77f5e 100644
--- a/keystore2/src/vintf/vintf.cpp
+++ b/keystore2/src/vintf/vintf.cpp
@@ -34,11 +34,3 @@
                                                   static_cast<std::string>(interfaceName));
     return convert(names);
 }
-
-rust::Vec<rust::String> get_aidl_instances(rust::Str package, size_t version,
-                                           rust::Str interfaceName) {
-    const auto manifest = android::vintf::VintfObject::GetDeviceHalManifest();
-    const auto names = manifest->getAidlInstances(static_cast<std::string>(package), version,
-                                                  static_cast<std::string>(interfaceName));
-    return convert(names);
-}
diff --git a/keystore2/src/vintf/vintf.hpp b/keystore2/src/vintf/vintf.hpp
index c4a7ef6..ef1e788 100644
--- a/keystore2/src/vintf/vintf.hpp
+++ b/keystore2/src/vintf/vintf.hpp
@@ -20,5 +20,3 @@
 
 rust::Vec<rust::String> get_hidl_instances(rust::Str package, size_t major_version,
                                            size_t minor_version, rust::Str interfaceName);
-rust::Vec<rust::String> get_aidl_instances(rust::Str package, size_t version,
-                                           rust::Str interfaceName);
diff --git a/prng_seeder/OWNERS b/prng_seeder/OWNERS
index 9202b90..51b7f38 100644
--- a/prng_seeder/OWNERS
+++ b/prng_seeder/OWNERS
@@ -1,2 +1,2 @@
 paulcrowley@google.com
-prb@google.com
\ No newline at end of file
+prb@google.com
diff --git a/prng_seeder/src/conditioner.rs b/prng_seeder/src/conditioner.rs
index eca8af8..ec1181b 100644
--- a/prng_seeder/src/conditioner.rs
+++ b/prng_seeder/src/conditioner.rs
@@ -12,11 +12,10 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
 
-use std::{fs::File, io::Read, os::unix::io::AsRawFd};
+use std::{fs::File, io::Read};
 
 use anyhow::{ensure, Context, Result};
 use log::debug;
-use nix::fcntl::{fcntl, FcntlArg::F_SETFL, OFlag};
 use tokio::io::AsyncReadExt;
 
 use crate::drbg;
@@ -34,8 +33,6 @@
         let mut et: drbg::Entropy = [0; drbg::ENTROPY_LEN];
         hwrng.read_exact(&mut et).context("hwrng.read_exact in new")?;
         let rg = drbg::Drbg::new(&et)?;
-        fcntl(hwrng.as_raw_fd(), F_SETFL(OFlag::O_NONBLOCK))
-            .context("setting O_NONBLOCK on hwrng")?;
         Ok(ConditionerBuilder { hwrng, rg })
     }
 
diff --git a/provisioner/rkp_factory_extraction_lib.cpp b/provisioner/rkp_factory_extraction_lib.cpp
index d85e85f..8db62e6 100644
--- a/provisioner/rkp_factory_extraction_lib.cpp
+++ b/provisioner/rkp_factory_extraction_lib.cpp
@@ -17,6 +17,7 @@
 #include "rkp_factory_extraction_lib.h"
 
 #include <aidl/android/hardware/security/keymint/IRemotelyProvisionedComponent.h>
+#include <android-base/properties.h>
 #include <android/binder_manager.h>
 #include <cppbor.h>
 #include <cstddef>
@@ -198,6 +199,8 @@
 }
 
 CborResult<Array> composeCertificateRequestV3(const std::vector<uint8_t>& csr) {
+    const std::string kFingerprintProp = "ro.build.fingerprint";
+
     auto [parsedCsr, _, csrErrMsg] = cppbor::parse(csr);
     if (!parsedCsr) {
         return {nullptr, csrErrMsg};
@@ -206,6 +209,13 @@
         return {nullptr, "CSR is not a CBOR array."};
     }
 
+    if (!::android::base::WaitForPropertyCreation(kFingerprintProp)) {
+        return {nullptr, "Unable to read build fingerprint"};
+    }
+
+    Map unverifiedDeviceInfo =
+        Map().add("fingerprint", ::android::base::GetProperty(kFingerprintProp, /*default=*/""));
+    parsedCsr->asArray()->add(std::move(unverifiedDeviceInfo));
     return {std::unique_ptr<Array>(parsedCsr.release()->asArray()), ""};
 }
 
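Review bot: The error return after `WaitForPropertyCreation(kFingerprintProp)` is unlikely to be reachable: called without a timeout, it uses the library default, which as far as I recall is unbounded, so a missing property would hang the tool rather than produce "Unable to read build fingerprint". The subsequent `GetProperty(kFingerprintProp, /*default=*/"")` also lets an empty fingerprint be appended to the CSR silently. Reading the value into a local and rejecting it when empty would make the failure explicit: `if (fingerprint.empty()) return {nullptr, "Unable to read build fingerprint"};`. A short comment on `unverifiedDeviceInfo` stating that this map is appended by the tool after the HAL produced the CSR, and is therefore presumably not covered by any signature, would help whoever consumes it on the server side.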
diff --git a/provisioner/rkp_factory_extraction_lib_test.cpp b/provisioner/rkp_factory_extraction_lib_test.cpp
index 05509b3..72d7b71 100644
--- a/provisioner/rkp_factory_extraction_lib_test.cpp
+++ b/provisioner/rkp_factory_extraction_lib_test.cpp
@@ -22,6 +22,7 @@
 #include <aidl/android/hardware/security/keymint/IRemotelyProvisionedComponent.h>
 #include <aidl/android/hardware/security/keymint/MacedPublicKey.h>
 #include <aidl/android/hardware/security/keymint/RpcHardwareInfo.h>
+#include <android-base/properties.h>
 #include <gmock/gmock.h>
 #include <gtest/gtest.h>
 
@@ -250,10 +251,16 @@
 
     auto [csr, csrErrMsg] = getCsr("mock component name", mockRpc.get());
     ASSERT_THAT(csr, NotNull()) << csrErrMsg;
-    ASSERT_THAT(csr, Pointee(Property(&Array::size, Eq(4))));
+    ASSERT_THAT(csr, Pointee(Property(&Array::size, Eq(5))));
 
     EXPECT_THAT(csr->get(0 /* version */), Pointee(Eq(Uint(3))));
     EXPECT_THAT(csr->get(1)->asMap(), NotNull());
     EXPECT_THAT(csr->get(2)->asArray(), NotNull());
     EXPECT_THAT(csr->get(3)->asArray(), NotNull());
+
+    const Map* unverifedDeviceInfo = csr->get(4)->asMap();
+    ASSERT_THAT(unverifedDeviceInfo, NotNull());
+    EXPECT_THAT(unverifedDeviceInfo->get("fingerprint"), NotNull());
+    const Tstr fingerprint(android::base::GetProperty("ro.build.fingerprint", ""));
+    EXPECT_THAT(*unverifedDeviceInfo->get("fingerprint")->asTstr(), Eq(fingerprint));
 }
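Review bot: The last line dereferences `unverifedDeviceInfo->get("fingerprint")->asTstr()` after only an `EXPECT_THAT(..., NotNull())`, so a missing key, or a value that is not a text string, crashes the test binary instead of failing the test. Using `ASSERT_THAT(unverifedDeviceInfo->get("fingerprint"), NotNull());` and asserting the `asTstr()` result before dereferencing avoids that. The expected value comes from the same `GetProperty("ro.build.fingerprint", "")` call as the code under test, so on a host where the property is unset the comparison passes with an empty string; an additional non-empty check would catch that when the test runs on a device. `unverifedDeviceInfo` is also a misspelling of `unverifiedDeviceInfo`. The test body starts outside the hunk.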