Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_security / 890f1156060a6601fc6ccd4f350baf0ec88e279b / . / provisioner / rkp_factory_extraction_tool.cpp
blob: d4842b1e21a3866b918cf8700653b241a09741c6 [file] [log] [blame]
/*
* Copyright 2021 The Android Open Source Project
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
#include <string>
#include <vector>
#include <aidl/android/hardware/security/keymint/IRemotelyProvisionedComponent.h>
#include <android/binder_manager.h>
#include <cppbor.h>
#include <keymaster/cppcose/cppcose.h>
#include <log/log.h>
#include <vintf/VintfObject.h>
using std::set;
using std::string;
using std::vector;
using aidl::android::hardware::security::keymint::DeviceInfo;
using aidl::android::hardware::security::keymint::IRemotelyProvisionedComponent;
using aidl::android::hardware::security::keymint::MacedPublicKey;
using aidl::android::hardware::security::keymint::ProtectedData;
using android::vintf::HalManifest;
using android::vintf::VintfObject;
using namespace cppbor;
using namespace cppcose;
namespace {
const string kPackage = "android.hardware.security.keymint";
const string kInterface = "IRemotelyProvisionedComponent";
const string kFormattedName = kPackage + "." + kInterface + "/";
ErrMsgOr<vector<uint8_t>> generateEekChain(size_t length, const vector<uint8_t>& eekId) {
auto eekChain = cppbor::Array();
vector<uint8_t> prevPrivKey;
for (size_t i = 0; i < length - 1; ++i) {
vector<uint8_t> pubKey(ED25519_PUBLIC_KEY_LEN);
vector<uint8_t> privKey(ED25519_PRIVATE_KEY_LEN);
ED25519_keypair(pubKey.data(), privKey.data());
// The first signing key is self-signed.
if (prevPrivKey.empty()) prevPrivKey = privKey;
auto coseSign1 = constructCoseSign1(prevPrivKey,
cppbor::Map() /* payload CoseKey */
.add(CoseKey::KEY_TYPE, OCTET_KEY_PAIR)
.add(CoseKey::ALGORITHM, EDDSA)
.add(CoseKey::CURVE, ED25519)
.add(CoseKey::PUBKEY_X, pubKey)
.canonicalize()
.encode(),
{} /* AAD */);
if (!coseSign1) return coseSign1.moveMessage();
eekChain.add(coseSign1.moveValue());
prevPrivKey = privKey;
}
vector<uint8_t> pubKey(X25519_PUBLIC_VALUE_LEN);
vector<uint8_t> privKey(X25519_PRIVATE_KEY_LEN);
X25519_keypair(pubKey.data(), privKey.data());
auto coseSign1 = constructCoseSign1(prevPrivKey,
cppbor::Map() /* payload CoseKey */
.add(CoseKey::KEY_TYPE, OCTET_KEY_PAIR)
.add(CoseKey::KEY_ID, eekId)
.add(CoseKey::ALGORITHM, ECDH_ES_HKDF_256)
.add(CoseKey::CURVE, cppcose::X25519)
.add(CoseKey::PUBKEY_X, pubKey)
.canonicalize()
.encode(),
{} /* AAD */);
if (!coseSign1) return coseSign1.moveMessage();
eekChain.add(coseSign1.moveValue());
return eekChain.encode();
}
std::vector<uint8_t> getChallenge() {
return std::vector<uint8_t>(0);
}
std::vector<uint8_t> composeCertificateRequest(ProtectedData&& protectedData,
DeviceInfo&& deviceInfo) {
Array emptyMacedKeysToSign;
emptyMacedKeysToSign
.add(std::vector<uint8_t>(0)) // empty protected headers as bstr
.add(Map()) // empty unprotected headers
.add(Null()) // nil for the payload
.add(std::vector<uint8_t>(0)); // empty tag as bstr
Array certificateRequest;
certificateRequest.add(EncodedItem(std::move(deviceInfo.deviceInfo)))
.add(getChallenge()) // fake challenge
.add(EncodedItem(std::move(protectedData.protectedData)))
.add(std::move(emptyMacedKeysToSign));
return certificateRequest.encode();
}
int32_t errorMsg(string name) {
std::cerr << "Failed for rkp instance: " << name;
return -1;
}
} // namespace
int main() {
std::shared_ptr<const HalManifest> manifest = VintfObject::GetDeviceHalManifest();
set<string> rkpNames = manifest->getAidlInstances(kPackage, kInterface);
for (auto name : rkpNames) {
string fullName = kFormattedName + name;
if (!AServiceManager_isDeclared(fullName.c_str())) {
ALOGE("Could not find the following instance declared in the manifest: %s\n",
fullName.c_str());
return errorMsg(name);
}
AIBinder* rkpAiBinder = AServiceManager_getService(fullName.c_str());
::ndk::SpAIBinder rkp_binder(rkpAiBinder);
auto rkp_service = IRemotelyProvisionedComponent::fromBinder(rkp_binder);
std::vector<uint8_t> keysToSignMac;
std::vector<MacedPublicKey> emptyKeys;
// Replace this eek chain generation with the actual production GEEK
std::vector<uint8_t> eekId(10); // replace with real KID later (EEK fingerprint)
auto eekOrErr = generateEekChain(3 /* chainlength */, eekId);
if (!eekOrErr) {
ALOGE("Failed to generate test EEK somehow: %s", eekOrErr.message().c_str());
return errorMsg(name);
}
std::vector<uint8_t> eek = eekOrErr.moveValue();
DeviceInfo deviceInfo;
ProtectedData protectedData;
if (rkp_service) {
ALOGE("extracting bundle");
::ndk::ScopedAStatus status = rkp_service->generateCertificateRequest(
true /* testMode */, emptyKeys, eek, getChallenge(), &deviceInfo, &protectedData,
&keysToSignMac);
if (!status.isOk()) {
ALOGE("Bundle extraction failed. Error code: %d", status.getServiceSpecificError());
return errorMsg(name);
}
std::cout << "\n";
std::vector<uint8_t> certificateRequest =
composeCertificateRequest(std::move(protectedData), std::move(deviceInfo));
std::copy(certificateRequest.begin(), certificateRequest.end(),
std::ostream_iterator<char>(std::cout));
}
}
}