Keystore 2.0: Add attestation application id on generation and import.
Bug: 173546023
Test: Attestation CTS tests.
Change-Id: Ibe94ff452742ef763adb3c59e575d1ea3fb7abb7
diff --git a/keystore2/Android.bp b/keystore2/Android.bp
index cf37fca..8f21c90 100644
--- a/keystore2/Android.bp
+++ b/keystore2/Android.bp
@@ -26,6 +26,7 @@
"android.system.keystore2-rust",
"libanyhow",
"libbinder_rs",
+ "libkeystore2_aaid-rust",
"libkeystore2_apc_compat-rust",
"libkeystore2_crypto_rust",
"libkeystore2_km_compat",
@@ -56,6 +57,7 @@
"libandroid_logger",
"libanyhow",
"libbinder_rs",
+ "libkeystore2_aaid-rust",
"libkeystore2_apc_compat-rust",
"libkeystore2_crypto_rust",
"libkeystore2_km_compat",
diff --git a/keystore2/aaid/Android.bp b/keystore2/aaid/Android.bp
new file mode 100644
index 0000000..2329400
--- /dev/null
+++ b/keystore2/aaid/Android.bp
@@ -0,0 +1,50 @@
+// Copyright 2020, The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+cc_library {
+ name: "libkeystore2_aaid",
+ srcs: [
+ "aaid.cpp",
+ ],
+ shared_libs: [
+ "libkeystore-attestation-application-id"
+ ],
+}
+
+rust_bindgen {
+ name: "libkeystore2_aaid_bindgen",
+ wrapper_src: "aaid.hpp",
+ crate_name: "keystore2_aaid_bindgen",
+ source_stem: "bindings",
+
+ bindgen_flags: [
+ "--size_t-is-usize",
+ "--whitelist-function=aaid_keystore_attestation_id",
+ "--whitelist-var=KEY_ATTESTATION_APPLICATION_ID_MAX_SIZE",
+ ],
+}
+
+rust_library {
+ name: "libkeystore2_aaid-rust",
+ crate_name: "keystore2_aaid",
+ srcs: [
+ "lib.rs",
+ ],
+ rustlibs: [
+ "libkeystore2_aaid_bindgen",
+ ],
+ shared_libs: [
+ "libkeystore2_aaid",
+ ],
+}
diff --git a/keystore2/aaid/aaid.cpp b/keystore2/aaid/aaid.cpp
new file mode 100644
index 0000000..fd3faf6
--- /dev/null
+++ b/keystore2/aaid/aaid.cpp
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) 2020 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include "aaid.hpp"
+
+#include <keystore/keystore_attestation_id.h>
+
+using android::security::gather_attestation_application_id;
+
+uint32_t aaid_keystore_attestation_id(uint32_t uid, uint8_t* aaid, size_t* aaid_size) {
+ static_assert(sizeof(uint32_t) == sizeof(uid_t), "uid_t has unexpected size");
+ static_assert(sizeof(uint32_t) == sizeof(android::status_t), "status_t has unexpected size");
+ static_assert(KEY_ATTESTATION_APPLICATION_ID_MAX_SIZE ==
+ android::security::KEY_ATTESTATION_APPLICATION_ID_MAX_SIZE,
+ "KEY_ATTESTATION_APPLICATION_ID_MAX_SIZE sizes don't match.");
+ auto result = gather_attestation_application_id(uid);
+ if (!result.isOk()) {
+ return result.status();
+ }
+ if (result.value().size() > KEY_ATTESTATION_APPLICATION_ID_MAX_SIZE) {
+ return ::android::NO_MEMORY;
+ }
+ if (*aaid_size != KEY_ATTESTATION_APPLICATION_ID_MAX_SIZE) {
+ return ::android::BAD_VALUE;
+ }
+ std::copy(result.value().begin(), result.value().end(), aaid);
+ *aaid_size = result.value().size();
+ return ::android::OK;
+}
diff --git a/keystore2/aaid/aaid.hpp b/keystore2/aaid/aaid.hpp
new file mode 100644
index 0000000..9e2c148
--- /dev/null
+++ b/keystore2/aaid/aaid.hpp
@@ -0,0 +1,44 @@
+/*
+ * Copyright (C) 2020 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#pragma once
+
+#include <stdint.h>
+#include <stddef.h>
+
+/**
+ * This is a redefinition of KEY_ATTESTATION_APPLICATION_ID_MAX_SIZE in
+ * system/security/keystore/keystore_attestation_id.h and must be kept in sync.
+ * There is a static assert in aaid.cpp to assure that they are in sync.
+ * We redefine this here to avoid unnecessary build dependencies for
+ * the rust bindgen target.
+ */
+constexpr const size_t KEY_ATTESTATION_APPLICATION_ID_MAX_SIZE = 1024;
+
+extern "C" {
+ /**
+ * Fills the buffer at aaid with the attestation application id of the app uid.
+ * The buffer must be exactly KEY_ATTESTATION_APPLICATION_ID_MAX_SIZE bytes in size.
+ * *aaid_size is set to the number of bytes written to aaid.
+ *
+ * @param uid the uid of the app to retrieve the aaid for.
+ * @param aaid output buffer for the attestation id.
+ * @param aaid_size must be set to the size of the output buffer, which must be exactly
+ * KEY_ATTESTATION_APPLICATION_ID_MAX_SIZE bytes in size, by the caller. On success
+ * it is set to the number of bytes written.
+ * @return OK on success.
+ */
+ uint32_t aaid_keystore_attestation_id(uint32_t uid, uint8_t* aaid, size_t* aaid_size);
+}
diff --git a/keystore2/aaid/lib.rs b/keystore2/aaid/lib.rs
new file mode 100644
index 0000000..3187198
--- /dev/null
+++ b/keystore2/aaid/lib.rs
@@ -0,0 +1,35 @@
+// Copyright 2020, The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+//! Rust binding for getting the attestation application id.
+
+use keystore2_aaid_bindgen::{
+ aaid_keystore_attestation_id, KEY_ATTESTATION_APPLICATION_ID_MAX_SIZE,
+};
+
+/// Returns the attestation application id for the given uid or an error code
+/// corresponding to ::android::status_t.
+pub fn get_aaid(uid: u32) -> Result<Vec<u8>, u32> {
+ let mut buffer = [0u8; KEY_ATTESTATION_APPLICATION_ID_MAX_SIZE];
+ let mut size = KEY_ATTESTATION_APPLICATION_ID_MAX_SIZE;
+ // Safety:
+ // aaid_keystore_attestation_id expects a buffer of exactly
+ // KEY_ATTESTATION_APPLICATION_ID_MAX_SIZE bytes and returns the number of bytes written
+ // in the second pointer argument.
+ let status = unsafe { aaid_keystore_attestation_id(uid, buffer.as_mut_ptr(), &mut size) };
+ match status {
+ 0 => Ok(buffer[0..size as usize].to_vec()),
+ status => Err(status),
+ }
+}
diff --git a/keystore2/src/security_level.rs b/keystore2/src/security_level.rs
index d8787bd..34f07e0 100644
--- a/keystore2/src/security_level.rs
+++ b/keystore2/src/security_level.rs
@@ -50,7 +50,7 @@
utils::key_characteristics_to_internal,
utils::uid_to_android_user,
};
-use anyhow::{Context, Result};
+use anyhow::{anyhow, Context, Result};
use binder::{IBinder, Interface, ThreadState};
/// Implementation of the IKeystoreSecurityLevel Interface.
@@ -293,6 +293,20 @@
})
}
+ fn add_attestation_parameters(uid: u32, params: &[KeyParameter]) -> Result<Vec<KeyParameter>> {
+ let mut result = params.to_vec();
+ if params.iter().any(|kp| kp.tag == Tag::ATTESTATION_CHALLENGE) {
+ let aaid = keystore2_aaid::get_aaid(uid).map_err(|e| {
+ anyhow!(format!("In add_attestation_parameters: get_aaid returned status {}.", e))
+ })?;
+ result.push(KeyParameter {
+ tag: Tag::ATTESTATION_APPLICATION_ID,
+ value: KeyParameterValue::Blob(aaid),
+ });
+ }
+ Ok(result)
+ }
+
fn generate_key(
&self,
key: &KeyDescriptor,
@@ -320,6 +334,9 @@
// generate_key requires the rebind permission.
check_key_permission(KeyPerm::rebind(), &key, &None).context("In generate_key.")?;
+ let params = Self::add_attestation_parameters(caller_uid, params)
+ .context("In generate_key: Trying to get aaid.")?;
+
let km_dev: Box<dyn IKeyMintDevice> = self.keymint.get_interface()?;
map_km_error(km_dev.addRngEntropy(entropy))?;
let creation_result = map_km_error(km_dev.generateKey(¶ms))?;
@@ -355,6 +372,9 @@
// import_key requires the rebind permission.
check_key_permission(KeyPerm::rebind(), &key, &None).context("In import_key.")?;
+ let params = Self::add_attestation_parameters(caller_uid, params)
+ .context("In import_key: Trying to get aaid.")?;
+
let format = params
.iter()
.find(|p| p.tag == Tag::ALGORITHM)