commit d0f7b356babbb3864791ea4e28bd3325c86a0210
author Max Bires <jbires@google.com> Thu Jan 27 18:30:46 2022 -0800
committer Max Bires <jbires@google.com> Tue Mar 01 19:43:36 2022 -0800
tree 4c1b7fc61779fe0c1af5571368361d5f558c8e8f
parent aea5a6bea20c32809da97edbdb2547acf22989fc

Modifying extraction tool to support P256.

This change alters the behavior of the factory extraction tool to query
the underlying IRPC HAL implementation for which ECC curve it supports.
The tool then chooses the correct corresponding production EEK chain
based on that to pass back into the HAL implementation for CSR
generation.

Bug: 215445120
Test: run the extraction tool
Change-Id: Ic80e38ec4c30eff970926ed269693ee1167b168c

provisioner/Android.bp

diff --git a/provisioner/Android.bp b/provisioner/Android.bp
index aac4878..665a9e7 100644
--- a/provisioner/Android.bp
+++ b/provisioner/Android.bp
@@ -47,8 +47,10 @@
     name: "rkp_factory_extraction_tool",
     vendor: true,
     srcs: ["rkp_factory_extraction_tool.cpp"],
+    defaults: [
+        "keymint_use_latest_hal_aidl_ndk_shared",
+    ],
     shared_libs: [
-        "android.hardware.security.keymint-V1-ndk",
         "libbinder",
         "libbinder_ndk",
         "libcrypto",

provisioner/rkp_factory_extraction_tool.cpp

diff --git a/provisioner/rkp_factory_extraction_tool.cpp b/provisioner/rkp_factory_extraction_tool.cpp
index 9786c3d..c29bacb 100644
--- a/provisioner/rkp_factory_extraction_tool.cpp
+++ b/provisioner/rkp_factory_extraction_tool.cpp
@@ -30,6 +30,7 @@
 using aidl::android::hardware::security::keymint::IRemotelyProvisionedComponent;
 using aidl::android::hardware::security::keymint::MacedPublicKey;
 using aidl::android::hardware::security::keymint::ProtectedData;
+using aidl::android::hardware::security::keymint::RpcHardwareInfo;
 using aidl::android::hardware::security::keymint::remote_prov::generateEekChain;
 using aidl::android::hardware::security::keymint::remote_prov::getProdEekChain;
 using aidl::android::hardware::security::keymint::remote_prov::jsonEncodeCsrWithBuild;
@@ -113,10 +114,10 @@
     return certificateRequest;
 }
 
-std::vector<uint8_t> getEekChain() {
+std::vector<uint8_t> getEekChain(uint32_t curve) {
     if (FLAGS_test_mode) {
         const std::vector<uint8_t> kFakeEekId = {'f', 'a', 'k', 'e', 0};
-        auto eekOrErr = generateEekChain(3 /* chainlength */, kFakeEekId);
+        auto eekOrErr = generateEekChain(curve, 3 /* chainlength */, kFakeEekId);
         if (!eekOrErr) {
             std::cerr << "Failed to generate test EEK somehow: " << eekOrErr.message() << std::endl;
             exit(-1);
@@ -128,7 +129,7 @@
         return eek;
     }
 
-    return getProdEekChain();
+    return getProdEekChain(curve);
 }
 
 void writeOutput(const Array& csr) {
@@ -169,9 +170,16 @@
     std::vector<MacedPublicKey> emptyKeys;
     DeviceInfo verifiedDeviceInfo;
     ProtectedData protectedData;
-    ::ndk::ScopedAStatus status = rkp_service->generateCertificateRequest(
-        FLAGS_test_mode, emptyKeys, getEekChain(), challenge, &verifiedDeviceInfo, &protectedData,
-        &keysToSignMac);
+    RpcHardwareInfo hwInfo;
+    ::ndk::ScopedAStatus status = rkp_service->getHardwareInfo(&hwInfo);
+    if (!status.isOk()) {
+        std::cerr << "Failed to get hardware info for '" << fullName
+                  << "'. Error code: " << status.getServiceSpecificError() << "." << std::endl;
+        exit(-1);
+    }
+    status = rkp_service->generateCertificateRequest(
+        FLAGS_test_mode, emptyKeys, getEekChain(hwInfo.supportedEekCurve), challenge,
+        &verifiedDeviceInfo, &protectedData, &keysToSignMac);
     if (!status.isOk()) {
         std::cerr << "Bundle extraction failed for '" << fullName
                   << "'. Error code: " << status.getServiceSpecificError() << "." << std::endl;