Split rkp_factory_extraction_tool into a library + binary
This way, we can unit test the library in preparation for up-coming
changes that will verify the outputs. This will serve as an extra
layer of checking for factory lines, where they want to be extra
sure that a device is outputing correct information at various stages
of the pipe.
Bug: 239838563
Test: rkp_factory_extraction_lib_test
Change-Id: I018194673820d2b31c18d30057aa533cb4fe090e
diff --git a/provisioner/Android.bp b/provisioner/Android.bp
index 665a9e7..87f39d0 100644
--- a/provisioner/Android.bp
+++ b/provisioner/Android.bp
@@ -43,12 +43,10 @@
},
}
-cc_binary {
- name: "rkp_factory_extraction_tool",
- vendor: true,
- srcs: ["rkp_factory_extraction_tool.cpp"],
+cc_defaults {
+ name: "rkp_factory_extraction_defaults",
defaults: [
- "keymint_use_latest_hal_aidl_ndk_shared",
+ "keymint_use_latest_hal_aidl_ndk_static",
],
shared_libs: [
"libbinder",
@@ -60,8 +58,42 @@
"libbase",
"libcppbor_external",
"libcppcose_rkp",
- "libgflags",
"libjsoncpp",
"libkeymint_remote_prov_support",
],
}
+
+cc_library_static {
+ name: "librkp_factory_extraction",
+ defaults: [
+ "rkp_factory_extraction_defaults",
+ ],
+ srcs: ["rkp_factory_extraction_lib.cpp"],
+ vendor_available: true,
+}
+
+cc_test {
+ name: "librkp_factory_extraction_test",
+ defaults: [
+ "rkp_factory_extraction_defaults",
+ ],
+ srcs: ["rkp_factory_extraction_lib_test.cpp"],
+ test_suites: ["device-tests"],
+ static_libs: [
+ "libgmock",
+ "librkp_factory_extraction",
+ ],
+}
+
+cc_binary {
+ name: "rkp_factory_extraction_tool",
+ vendor: true,
+ srcs: ["rkp_factory_extraction_tool.cpp"],
+ defaults: [
+ "rkp_factory_extraction_defaults",
+ ],
+ static_libs: [
+ "libgflags",
+ "librkp_factory_extraction",
+ ],
+}
diff --git a/provisioner/TEST_MAPPING b/provisioner/TEST_MAPPING
new file mode 100644
index 0000000..de3f165
--- /dev/null
+++ b/provisioner/TEST_MAPPING
@@ -0,0 +1,7 @@
+{
+ "presubmit": [
+ {
+ "name": "librkp_factory_extraction_test"
+ }
+ ]
+}
diff --git a/provisioner/rkp_factory_extraction_lib.cpp b/provisioner/rkp_factory_extraction_lib.cpp
new file mode 100644
index 0000000..3bf3d7e
--- /dev/null
+++ b/provisioner/rkp_factory_extraction_lib.cpp
@@ -0,0 +1,149 @@
+/*
+ * Copyright 2022 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include "rkp_factory_extraction_lib.h"
+
+#include <aidl/android/hardware/security/keymint/IRemotelyProvisionedComponent.h>
+#include <android/binder_manager.h>
+#include <cppbor.h>
+#include <keymaster/cppcose/cppcose.h>
+#include <openssl/base64.h>
+#include <remote_prov/remote_prov_utils.h>
+#include <sys/random.h>
+
+#include <memory>
+#include <optional>
+#include <string>
+#include <string_view>
+#include <vector>
+
+#include "cppbor_parse.h"
+
+using aidl::android::hardware::security::keymint::DeviceInfo;
+using aidl::android::hardware::security::keymint::IRemotelyProvisionedComponent;
+using aidl::android::hardware::security::keymint::MacedPublicKey;
+using aidl::android::hardware::security::keymint::ProtectedData;
+using aidl::android::hardware::security::keymint::RpcHardwareInfo;
+using aidl::android::hardware::security::keymint::remote_prov::getProdEekChain;
+using aidl::android::hardware::security::keymint::remote_prov::jsonEncodeCsrWithBuild;
+
+using namespace cppbor;
+using namespace cppcose;
+
+std::string toBase64(const std::vector<uint8_t>& buffer) {
+ size_t base64Length;
+ int rc = EVP_EncodedLength(&base64Length, buffer.size());
+ if (!rc) {
+ std::cerr << "Error getting base64 length. Size overflow?" << std::endl;
+ exit(-1);
+ }
+
+ std::string base64(base64Length, ' ');
+ rc = EVP_EncodeBlock(reinterpret_cast<uint8_t*>(base64.data()), buffer.data(), buffer.size());
+ ++rc; // Account for NUL, which BoringSSL does not for some reason.
+ if (rc != base64Length) {
+ std::cerr << "Error writing base64. Expected " << base64Length
+ << " bytes to be written, but " << rc << " bytes were actually written."
+ << std::endl;
+ exit(-1);
+ }
+
+ // BoringSSL automatically adds a NUL -- remove it from the string data
+ base64.pop_back();
+
+ return base64;
+}
+
+std::vector<uint8_t> generateChallenge() {
+ std::vector<uint8_t> challenge(kChallengeSize);
+
+ ssize_t bytesRemaining = static_cast<ssize_t>(challenge.size());
+ uint8_t* writePtr = challenge.data();
+ while (bytesRemaining > 0) {
+ int bytesRead = getrandom(writePtr, bytesRemaining, /*flags=*/0);
+ if (bytesRead < 0) {
+ if (errno == EINTR) {
+ continue;
+ } else {
+ std::cerr << errno << ": " << strerror(errno) << std::endl;
+ exit(-1);
+ }
+ }
+ bytesRemaining -= bytesRead;
+ writePtr += bytesRead;
+ }
+
+ return challenge;
+}
+
+CsrResult composeCertificateRequest(const ProtectedData& protectedData,
+ const DeviceInfo& verifiedDeviceInfo,
+ const std::vector<uint8_t>& challenge,
+ const std::vector<uint8_t>& keysToSignMac) {
+ Array macedKeysToSign = Array()
+ .add(Map().add(1, 5).encode()) // alg: hmac-sha256
+ .add(Map()) // empty unprotected headers
+ .add(Null()) // nil for the payload
+ .add(keysToSignMac); // MAC as returned from the HAL
+
+ auto [parsedVerifiedDeviceInfo, ignore1, errMsg] = parse(verifiedDeviceInfo.deviceInfo);
+ if (!parsedVerifiedDeviceInfo) {
+ std::cerr << "Error parsing device info: '" << errMsg << "'" << std::endl;
+ return {nullptr, errMsg};
+ }
+
+ auto [parsedProtectedData, ignore2, errMsg2] = parse(protectedData.protectedData);
+ if (!parsedProtectedData) {
+ std::cerr << "Error parsing protected data: '" << errMsg2 << "'" << std::endl;
+ return {nullptr, errMsg};
+ }
+
+ Array deviceInfo = Array().add(std::move(parsedVerifiedDeviceInfo)).add(Map());
+
+ auto certificateRequest = std::make_unique<Array>();
+ (*certificateRequest)
+ .add(std::move(deviceInfo))
+ .add(challenge)
+ .add(std::move(parsedProtectedData))
+ .add(std::move(macedKeysToSign));
+ return {std::move(certificateRequest), std::nullopt};
+}
+
+CsrResult getCsr(std::string_view componentName, IRemotelyProvisionedComponent* irpc) {
+ std::vector<uint8_t> keysToSignMac;
+ std::vector<MacedPublicKey> emptyKeys;
+ DeviceInfo verifiedDeviceInfo;
+ ProtectedData protectedData;
+ RpcHardwareInfo hwInfo;
+ ::ndk::ScopedAStatus status = irpc->getHardwareInfo(&hwInfo);
+ if (!status.isOk()) {
+ std::cerr << "Failed to get hardware info for '" << componentName
+ << "'. Error code: " << status.getServiceSpecificError() << "." << std::endl;
+ exit(-1);
+ }
+
+ const std::vector<uint8_t> eek = getProdEekChain(hwInfo.supportedEekCurve);
+ const std::vector<uint8_t> challenge = generateChallenge();
+ status = irpc->generateCertificateRequest(
+ /*test_mode=*/false, emptyKeys, eek, challenge, &verifiedDeviceInfo, &protectedData,
+ &keysToSignMac);
+ if (!status.isOk()) {
+ std::cerr << "Bundle extraction failed for '" << componentName
+ << "'. Error code: " << status.getServiceSpecificError() << "." << std::endl;
+ exit(-1);
+ }
+ return composeCertificateRequest(protectedData, verifiedDeviceInfo, challenge, keysToSignMac);
+}
diff --git a/provisioner/rkp_factory_extraction_lib.h b/provisioner/rkp_factory_extraction_lib.h
new file mode 100644
index 0000000..fe15402
--- /dev/null
+++ b/provisioner/rkp_factory_extraction_lib.h
@@ -0,0 +1,47 @@
+/*
+ * Copyright 2022 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <aidl/android/hardware/security/keymint/IRemotelyProvisionedComponent.h>
+#include <android/binder_manager.h>
+#include <cppbor.h>
+#include <keymaster/cppcose/cppcose.h>
+
+#include <cstdint>
+#include <memory>
+#include <optional>
+#include <string>
+#include <vector>
+
+constexpr size_t kChallengeSize = 16;
+
+// Contains the result of CSR generation, bundling up the result (on success)
+// with an error message (on failure).
+struct CsrResult {
+ std::unique_ptr<cppbor::Array> csr;
+ std::optional<std::string> errMsg;
+};
+
+// Return `buffer` encoded as a base64 string.
+std::string toBase64(const std::vector<uint8_t>& buffer);
+
+// Generate a random challenge containing `kChallengeSize` bytes.
+std::vector<uint8_t> generateChallenge();
+
+// Get a certificate signing request for the given IRemotelyProvisionedComponent.
+// On error, the csr Array is null, and the string field contains a description of
+// what went wrong.
+CsrResult getCsr(std::string_view componentName,
+ aidl::android::hardware::security::keymint::IRemotelyProvisionedComponent* irpc);
\ No newline at end of file
diff --git a/provisioner/rkp_factory_extraction_lib_test.cpp b/provisioner/rkp_factory_extraction_lib_test.cpp
new file mode 100644
index 0000000..c611097
--- /dev/null
+++ b/provisioner/rkp_factory_extraction_lib_test.cpp
@@ -0,0 +1,204 @@
+/*
+ * Copyright (C) 2022 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include "rkp_factory_extraction_lib.h"
+
+#include <aidl/android/hardware/security/keymint/DeviceInfo.h>
+#include <aidl/android/hardware/security/keymint/IRemotelyProvisionedComponent.h>
+#include <aidl/android/hardware/security/keymint/MacedPublicKey.h>
+#include <aidl/android/hardware/security/keymint/RpcHardwareInfo.h>
+#include <gmock/gmock.h>
+#include <gtest/gtest.h>
+
+#include <cstdint>
+#include <ostream>
+#include <set>
+#include <vector>
+
+#include "aidl/android/hardware/security/keymint/ProtectedData.h"
+#include "android/binder_auto_utils.h"
+#include "android/binder_interface_utils.h"
+#include "cppbor.h"
+
+using ::ndk::ScopedAStatus;
+using ::ndk::SharedRefBase;
+
+using namespace ::aidl::android::hardware::security::keymint;
+using namespace ::cppbor;
+using namespace ::testing;
+
+namespace cppbor {
+
+std::ostream& operator<<(std::ostream& os, const Item& item) {
+ return os << prettyPrint(&item);
+}
+
+std::ostream& operator<<(std::ostream& os, const std::unique_ptr<Item>& item) {
+ return os << *item;
+}
+
+std::ostream& operator<<(std::ostream& os, const Item* item) {
+ return os << *item;
+}
+
+} // namespace cppbor
+
+class MockIRemotelyProvisionedComponent : public IRemotelyProvisionedComponentDefault {
+ public:
+ MOCK_METHOD(ScopedAStatus, getHardwareInfo, (RpcHardwareInfo * _aidl_return), (override));
+ MOCK_METHOD(ScopedAStatus, generateEcdsaP256KeyPair,
+ (bool in_testMode, MacedPublicKey* out_macedPublicKey,
+ std::vector<uint8_t>* _aidl_return),
+ (override));
+ MOCK_METHOD(ScopedAStatus, generateCertificateRequest,
+ (bool in_testMode, const std::vector<MacedPublicKey>& in_keysToSign,
+ const std::vector<uint8_t>& in_endpointEncryptionCertChain,
+ const std::vector<uint8_t>& in_challenge, DeviceInfo* out_deviceInfo,
+ ProtectedData* out_protectedData, std::vector<uint8_t>* _aidl_return),
+ (override));
+ MOCK_METHOD(ScopedAStatus, getInterfaceVersion, (int32_t * _aidl_return), (override));
+ MOCK_METHOD(ScopedAStatus, getInterfaceHash, (std::string * _aidl_return), (override));
+};
+
+TEST(LibRkpFactoryExtractionTests, ToBase64) {
+ std::vector<uint8_t> input(UINT8_MAX + 1);
+ for (int i = 0; i < input.size(); ++i) {
+ input[i] = i;
+ }
+
+ // Test three lengths so we get all the different paddding options
+ EXPECT_EQ("AAECAwQFBgcICQoLDA0ODxAREhMUFRYXGBkaGxwdHh8gISIjJCUmJygpKissLS4"
+ "vMDEyMzQ1Njc4OTo7PD0+P0BBQkNERUZHSElKS0xNTk9QUVJTVFVWV1hZWltcXV"
+ "5fYGFiY2RlZmdoaWprbG1ub3BxcnN0dXZ3eHl6e3x9fn+AgYKDhIWGh4iJiouMj"
+ "Y6PkJGSk5SVlpeYmZqbnJ2en6ChoqOkpaanqKmqq6ytrq+wsbKztLW2t7i5uru8"
+ "vb6/wMHCw8TFxsfIycrLzM3Oz9DR0tPU1dbX2Nna29zd3t/g4eLj5OXm5+jp6uv"
+ "s7e7v8PHy8/T19vf4+fr7/P3+/w==",
+ toBase64(input));
+
+ input.push_back(42);
+ EXPECT_EQ("AAECAwQFBgcICQoLDA0ODxAREhMUFRYXGBkaGxwdHh8gISIjJCUmJygpKissLS4"
+ "vMDEyMzQ1Njc4OTo7PD0+P0BBQkNERUZHSElKS0xNTk9QUVJTVFVWV1hZWltcXV"
+ "5fYGFiY2RlZmdoaWprbG1ub3BxcnN0dXZ3eHl6e3x9fn+AgYKDhIWGh4iJiouMj"
+ "Y6PkJGSk5SVlpeYmZqbnJ2en6ChoqOkpaanqKmqq6ytrq+wsbKztLW2t7i5uru8"
+ "vb6/wMHCw8TFxsfIycrLzM3Oz9DR0tPU1dbX2Nna29zd3t/g4eLj5OXm5+jp6uv"
+ "s7e7v8PHy8/T19vf4+fr7/P3+/yo=",
+ toBase64(input));
+
+ input.push_back(42);
+ EXPECT_EQ("AAECAwQFBgcICQoLDA0ODxAREhMUFRYXGBkaGxwdHh8gISIjJCUmJygpKissLS4"
+ "vMDEyMzQ1Njc4OTo7PD0+P0BBQkNERUZHSElKS0xNTk9QUVJTVFVWV1hZWltcXV"
+ "5fYGFiY2RlZmdoaWprbG1ub3BxcnN0dXZ3eHl6e3x9fn+AgYKDhIWGh4iJiouMj"
+ "Y6PkJGSk5SVlpeYmZqbnJ2en6ChoqOkpaanqKmqq6ytrq+wsbKztLW2t7i5uru8"
+ "vb6/wMHCw8TFxsfIycrLzM3Oz9DR0tPU1dbX2Nna29zd3t/g4eLj5OXm5+jp6uv"
+ "s7e7v8PHy8/T19vf4+fr7/P3+/yoq",
+ toBase64(input));
+}
+
+TEST(LibRkpFactoryExtractionTests, UniqueChallengeSmokeTest) {
+ // This will at least catch VERY broken implementations.
+ constexpr size_t NUM_CHALLENGES = 32;
+ std::set<std::vector<uint8_t>> challenges;
+ for (size_t i = 0; i < NUM_CHALLENGES; ++i) {
+ const std::vector<uint8_t> challenge = generateChallenge();
+ const auto [_, wasInserted] = challenges.insert(generateChallenge());
+ EXPECT_TRUE(wasInserted) << "Duplicate challenge: " << toBase64(challenge);
+ }
+}
+
+TEST(LibRkpFactoryExtractionTests, GetCsrWithV2Hal) {
+ ASSERT_TRUE(true);
+
+ const std::vector<uint8_t> kFakeMac = {1, 2, 3, 4};
+
+ Map cborDeviceInfo;
+ cborDeviceInfo.add("product", "gShoe");
+ cborDeviceInfo.add("version", 2);
+ const DeviceInfo kVerifiedDeviceInfo = {cborDeviceInfo.encode()};
+
+ Array cborProtectedData;
+ cborProtectedData.add(Bstr()); // protected
+ cborProtectedData.add(Map()); // unprotected
+ cborProtectedData.add(Bstr()); // ciphertext
+ cborProtectedData.add(Array()); // recipients
+ const ProtectedData kProtectedData = {cborProtectedData.encode()};
+
+ std::vector<uint8_t> eekChain;
+ std::vector<uint8_t> challenge;
+
+ // Set up mock, then call getSCsr
+ auto mockRpc = SharedRefBase::make<MockIRemotelyProvisionedComponent>();
+ EXPECT_CALL(*mockRpc, getHardwareInfo(NotNull())).WillOnce(Return(ByMove(ScopedAStatus::ok())));
+ EXPECT_CALL(*mockRpc,
+ generateCertificateRequest(false, // testMode
+ IsEmpty(), // keysToSign
+ _, // endpointEncryptionCertChain
+ _, // challenge
+ NotNull(), // deviceInfo
+ NotNull(), // protectedData
+ NotNull())) // _aidl_return
+ .WillOnce(DoAll(SaveArg<2>(&eekChain), //
+ SaveArg<3>(&challenge), //
+ SetArgPointee<4>(kVerifiedDeviceInfo), //
+ SetArgPointee<5>(kProtectedData), //
+ SetArgPointee<6>(kFakeMac), //
+ Return(ByMove(ScopedAStatus::ok())))); //
+
+ auto [csr, csrErrMsg] = getCsr("mock component name", mockRpc.get());
+ ASSERT_THAT(csr, NotNull()) << csrErrMsg.value_or("");
+ ASSERT_THAT(csr->asArray(), Pointee(Property(&Array::size, Eq(4))));
+
+ // Verify the input parameters that we received
+ auto [parsedEek, ignore1, eekParseError] = parse(eekChain);
+ ASSERT_THAT(parsedEek, NotNull()) << eekParseError;
+ EXPECT_THAT(parsedEek->asArray(), Pointee(Property(&Array::size, Gt(1))));
+ EXPECT_THAT(challenge, Property(&std::vector<uint8_t>::size, Eq(kChallengeSize)));
+
+ // Device info consists of (verified info, unverified info)
+ const Array* deviceInfoArray = csr->get(0)->asArray();
+ EXPECT_THAT(deviceInfoArray, Pointee(Property(&Array::size, 2)));
+
+ // Verified device info must match our mock value
+ const Map* actualVerifiedDeviceInfo = deviceInfoArray->get(0)->asMap();
+ EXPECT_THAT(actualVerifiedDeviceInfo, Pointee(Property(&Map::size, Eq(2))));
+ EXPECT_THAT(actualVerifiedDeviceInfo->get("product"), Pointee(Eq(Tstr("gShoe"))));
+ EXPECT_THAT(actualVerifiedDeviceInfo->get("version"), Pointee(Eq(Uint(2))));
+
+ // Empty unverified device info
+ const Map* actualUnverifiedDeviceInfo = deviceInfoArray->get(1)->asMap();
+ EXPECT_THAT(actualUnverifiedDeviceInfo, Pointee(Property(&Map::size, Eq(0))));
+
+ // Challenge must match the call to generateCertificateRequest
+ const Bstr* actualChallenge = csr->get(1)->asBstr();
+ EXPECT_THAT(actualChallenge, Pointee(Property(&Bstr::value, Eq(challenge))));
+
+ // Protected data must match the mock value
+ const Array* actualProtectedData = csr->get(2)->asArray();
+ EXPECT_THAT(actualProtectedData, Pointee(Eq(ByRef(cborProtectedData))));
+
+ // Ensure the maced public key matches the expected COSE_mac0
+ const Array* actualMacedKeys = csr->get(3)->asArray();
+ ASSERT_THAT(actualMacedKeys, Pointee(Property(&Array::size, Eq(4))));
+ ASSERT_THAT(actualMacedKeys->get(0)->asBstr(), NotNull());
+ auto [macProtectedParams, ignore2, macParamParseError] =
+ parse(actualMacedKeys->get(0)->asBstr());
+ ASSERT_THAT(macProtectedParams, NotNull()) << macParamParseError;
+ Map expectedMacProtectedParams;
+ expectedMacProtectedParams.add(1, 5);
+ EXPECT_THAT(macProtectedParams, Pointee(Eq(ByRef(expectedMacProtectedParams))));
+ EXPECT_THAT(actualMacedKeys->get(1)->asMap(), Pointee(Property(&Map::size, Eq(0))));
+ EXPECT_THAT(actualMacedKeys->get(2)->asNull(), NotNull());
+ EXPECT_THAT(actualMacedKeys->get(3)->asBstr(), Pointee(Eq(Bstr(kFakeMac))));
+}
diff --git a/provisioner/rkp_factory_extraction_tool.cpp b/provisioner/rkp_factory_extraction_tool.cpp
index 0f45531..ee8d851 100644
--- a/provisioner/rkp_factory_extraction_tool.cpp
+++ b/provisioner/rkp_factory_extraction_tool.cpp
@@ -14,9 +14,6 @@
* limitations under the License.
*/
-#include <string>
-#include <vector>
-
#include <aidl/android/hardware/security/keymint/IRemotelyProvisionedComponent.h>
#include <android/binder_manager.h>
#include <cppbor.h>
@@ -26,20 +23,17 @@
#include <remote_prov/remote_prov_utils.h>
#include <sys/random.h>
-using aidl::android::hardware::security::keymint::DeviceInfo;
+#include <string>
+#include <vector>
+
+#include "rkp_factory_extraction_lib.h"
+
using aidl::android::hardware::security::keymint::IRemotelyProvisionedComponent;
-using aidl::android::hardware::security::keymint::MacedPublicKey;
-using aidl::android::hardware::security::keymint::ProtectedData;
-using aidl::android::hardware::security::keymint::RpcHardwareInfo;
-using aidl::android::hardware::security::keymint::remote_prov::generateEekChain;
-using aidl::android::hardware::security::keymint::remote_prov::getProdEekChain;
using aidl::android::hardware::security::keymint::remote_prov::jsonEncodeCsrWithBuild;
using namespace cppbor;
using namespace cppcose;
-DEFINE_bool(test_mode, false, "If enabled, a fake EEK key/cert are used.");
-
DEFINE_string(output_format, "csr", "How to format the output. Defaults to 'csr'.");
namespace {
@@ -51,87 +45,6 @@
constexpr size_t kChallengeSize = 16;
-std::string toBase64(const std::vector<uint8_t>& buffer) {
- size_t base64Length;
- int rc = EVP_EncodedLength(&base64Length, buffer.size());
- if (!rc) {
- std::cerr << "Error getting base64 length. Size overflow?" << std::endl;
- exit(-1);
- }
-
- std::string base64(base64Length, ' ');
- rc = EVP_EncodeBlock(reinterpret_cast<uint8_t*>(base64.data()), buffer.data(), buffer.size());
- ++rc; // Account for NUL, which BoringSSL does not for some reason.
- if (rc != base64Length) {
- std::cerr << "Error writing base64. Expected " << base64Length
- << " bytes to be written, but " << rc << " bytes were actually written."
- << std::endl;
- exit(-1);
- }
- return base64;
-}
-
-std::vector<uint8_t> generateChallenge() {
- std::vector<uint8_t> challenge(kChallengeSize);
-
- ssize_t bytesRemaining = static_cast<ssize_t>(challenge.size());
- uint8_t* writePtr = challenge.data();
- while (bytesRemaining > 0) {
- int bytesRead = getrandom(writePtr, bytesRemaining, /*flags=*/0);
- if (bytesRead < 0) {
- if (errno == EINTR) {
- continue;
- } else {
- std::cerr << errno << ": " << strerror(errno) << std::endl;
- exit(-1);
- }
- }
- bytesRemaining -= bytesRead;
- writePtr += bytesRead;
- }
-
- return challenge;
-}
-
-Array composeCertificateRequest(const ProtectedData& protectedData,
- const DeviceInfo& verifiedDeviceInfo,
- const std::vector<uint8_t>& challenge,
- const std::vector<uint8_t>& keysToSignMac) {
- Array macedKeysToSign = Array()
- .add(std::vector<uint8_t>(0)) // empty protected headers as bstr
- .add(Map()) // empty unprotected headers
- .add(Null()) // nil for the payload
- .add(keysToSignMac); // MAC as returned from the HAL
-
- Array deviceInfo =
- Array().add(EncodedItem(verifiedDeviceInfo.deviceInfo)).add(Map()); // Empty device info
-
- Array certificateRequest = Array()
- .add(std::move(deviceInfo))
- .add(challenge)
- .add(EncodedItem(protectedData.protectedData))
- .add(std::move(macedKeysToSign));
- return certificateRequest;
-}
-
-std::vector<uint8_t> getEekChain(uint32_t curve) {
- if (FLAGS_test_mode) {
- const std::vector<uint8_t> kFakeEekId = {'f', 'a', 'k', 'e', 0};
- auto eekOrErr = generateEekChain(curve, 3 /* chainlength */, kFakeEekId);
- if (!eekOrErr) {
- std::cerr << "Failed to generate test EEK somehow: " << eekOrErr.message() << std::endl;
- exit(-1);
- }
- auto [eek, pubkey, privkey] = eekOrErr.moveValue();
- std::cout << "EEK raw keypair:" << std::endl;
- std::cout << " pub: " << toBase64(pubkey) << std::endl;
- std::cout << " priv: " << toBase64(privkey) << std::endl;
- return eek;
- }
-
- return getProdEekChain(curve);
-}
-
void writeOutput(const std::string instance_name, const Array& csr) {
if (FLAGS_output_format == kBinaryCsrOutput) {
auto bytes = csr.encode();
@@ -166,28 +79,14 @@
exit(-1);
}
- std::vector<uint8_t> keysToSignMac;
- std::vector<MacedPublicKey> emptyKeys;
- DeviceInfo verifiedDeviceInfo;
- ProtectedData protectedData;
- RpcHardwareInfo hwInfo;
- ::ndk::ScopedAStatus status = rkp_service->getHardwareInfo(&hwInfo);
- if (!status.isOk()) {
- std::cerr << "Failed to get hardware info for '" << fullName
- << "'. Error code: " << status.getServiceSpecificError() << "." << std::endl;
+ auto [request, errMsg] = getCsr(name, rkp_service.get());
+ if (!request) {
+ std::cerr << "Unable to build CSR for '" << fullName << ": "
+ << errMsg.value_or("<Unknown Error>") << std::endl;
exit(-1);
}
- status = rkp_service->generateCertificateRequest(
- FLAGS_test_mode, emptyKeys, getEekChain(hwInfo.supportedEekCurve), challenge,
- &verifiedDeviceInfo, &protectedData, &keysToSignMac);
- if (!status.isOk()) {
- std::cerr << "Bundle extraction failed for '" << fullName
- << "'. Error code: " << status.getServiceSpecificError() << "." << std::endl;
- exit(-1);
- }
- auto request =
- composeCertificateRequest(protectedData, verifiedDeviceInfo, challenge, keysToSignMac);
- writeOutput(std::string(name), request);
+
+ writeOutput(std::string(name), *request);
}
} // namespace