commit 743f1785ea33ced47c93294b0ac5e522d49ecce3
author Vikram Gaur <vikramgaur@google.com> Fri Sep 06 05:45:08 2024 +0000
committer Vikram Gaur <vikramgaur@google.com> Tue Oct 22 04:47:34 2024 +0000
tree e57c842c6718fa7b3b7845e22c82f948e481e91a
parent 2b19b792feec685e20d8682f2b369bba82c4e587

Add code to support keystore certificate post processing.

Adds the AIDL needed for the post processing service.
Also adds the client which would communicate via the post processing
service. The call to post processing depends on the presence of a
boolean system property which is set during build time.

Bug: 361877215
Test: manual testing
Change-Id: Icfc11d0d83187e036902ed1060038fc627512879

keystore2/src/security_level.rs

diff --git a/keystore2/src/security_level.rs b/keystore2/src/security_level.rs
index 89c0e97..233f2ae 100644
--- a/keystore2/src/security_level.rs
+++ b/keystore2/src/security_level.rs
@@ -64,7 +64,9 @@
     KeyMetadata::KeyMetadata, KeyParameters::KeyParameters, ResponseCode::ResponseCode,
 };
 use anyhow::{anyhow, Context, Result};
+use postprocessor_client::process_certificate_chain;
 use rkpd_client::store_rkpd_attestation_key;
+use rustutils::system_properties::read_bool;
 use std::convert::TryInto;
 use std::time::SystemTime;
 
@@ -632,14 +634,30 @@
                     log_security_safe_params(&params)
                 ))
                 .map(|(mut result, _)| {
-                    // The `certificateChain` in a `KeyCreationResult` should normally have one
-                    // `Certificate` for each certificate in the chain. To avoid having to
-                    // unnecessarily parse the RKP chain (which is concatenated DER-encoded certs),
-                    // stuff the whole concatenated chain into a single `Certificate`.
-                    // This is untangled by `store_new_key()`.
-                    result
-                        .certificateChain
-                        .push(Certificate { encodedCertificate: attestation_certs });
+                    if read_bool("remote_provisioning.use_cert_processor", false).unwrap_or(false) {
+                        let _wp = self.watch_millis(
+                            concat!(
+                                "KeystoreSecurityLevel::generate_key (RkpdProvisioned): ",
+                                "calling KeystorePostProcessor::process_certificate_chain",
+                            ),
+                            1000, // Post processing may take a little while due to network call.
+                        );
+                        // process_certificate_chain would either replace the certificate chain if
+                        // post-processing is successful or it would fallback to the original chain
+                        // on failure. In either case, we should get back the certificate chain
+                        // that is fit for storing with the newly generated key.
+                        result.certificateChain =
+                            process_certificate_chain(result.certificateChain, attestation_certs);
+                    } else {
+                        // The `certificateChain` in a `KeyCreationResult` should normally have one
+                        // `Certificate` for each certificate in the chain. To avoid having to
+                        // unnecessarily parse the RKP chain (which is concatenated DER-encoded
+                        // certs), stuff the whole concatenated chain into a single `Certificate`.
+                        // This is untangled by `store_new_key()`.
+                        result
+                            .certificateChain
+                            .push(Certificate { encodedCertificate: attestation_certs });
+                    }
                     result
                 })
             }