provisioner/rkp_factory_extraction_tool.cpp - android_system_security - Gitiles

 /*
  * Copyright 2021 The Android Open Source Project
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
  *      http://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */

 #include <string>
 #include <vector>

 #include <aidl/android/hardware/security/keymint/IRemotelyProvisionedComponent.h>
 #include <android/binder_manager.h>
 #include <cppbor.h>
 #include <gflags/gflags.h>
 #include <keymaster/cppcose/cppcose.h>
 #include <log/log.h>
 #include <remote_prov/remote_prov_utils.h>
 #include <sys/random.h>
 #include <vintf/VintfObject.h>

 using std::set;
 using std::string;
 using std::vector;

 using aidl::android::hardware::security::keymint::DeviceInfo;
 using aidl::android::hardware::security::keymint::IRemotelyProvisionedComponent;
 using aidl::android::hardware::security::keymint::MacedPublicKey;
 using aidl::android::hardware::security::keymint::ProtectedData;
 using aidl::android::hardware::security::keymint::remote_prov::generateEekChain;
 using aidl::android::hardware::security::keymint::remote_prov::getProdEekChain;
 using aidl::android::hardware::security::keymint::remote_prov::jsonEncodeCsrWithBuild;

 using android::vintf::HalManifest;
 using android::vintf::VintfObject;

 using namespace cppbor;
 using namespace cppcose;

 DEFINE_bool(test_mode, false, "If enabled, a fake EEK key/cert are used.");

 DEFINE_string(output_format, "csr", "How to format the output. Defaults to 'csr'.");

 namespace {

 const string kPackage = "android.hardware.security.keymint";
 const string kInterface = "IRemotelyProvisionedComponent";
 const string kFormattedName = kPackage + "." + kInterface + "/";

 // Various supported --output_format values.
 constexpr std::string_view kBinaryCsrOutput = "csr";     // Just the raw csr as binary
 constexpr std::string_view kBuildPlusCsr = "build+csr";  // Text-encoded (JSON) build
                                                          // fingerprint plus CSR.

 constexpr size_t kChallengeSize = 16;

 std::vector<uint8_t> generateChallenge() {
     std::vector<uint8_t> challenge(kChallengeSize);

     ssize_t bytesRemaining = static_cast<ssize_t>(challenge.size());
     uint8_t* writePtr = challenge.data();
     while (bytesRemaining > 0) {
         int bytesRead = getrandom(writePtr, bytesRemaining, /*flags=*/0);
         if (bytesRead < 0) {
             LOG_FATAL_IF(errno != EINTR, "%d - %s", errno, strerror(errno));
         }
         bytesRemaining -= bytesRead;
         writePtr += bytesRead;
     }

     return challenge;
 }

 Array composeCertificateRequest(ProtectedData&& protectedData, DeviceInfo&& deviceInfo,
                                 const std::vector<uint8_t>& challenge) {
     Array emptyMacedKeysToSign;
     emptyMacedKeysToSign
         .add(std::vector<uint8_t>(0))   // empty protected headers as bstr
         .add(Map())                     // empty unprotected headers
         .add(Null())                    // nil for the payload
         .add(std::vector<uint8_t>(0));  // empty tag as bstr
     Array certificateRequest;
     certificateRequest.add(EncodedItem(std::move(deviceInfo.deviceInfo)))
         .add(challenge)
         .add(EncodedItem(std::move(protectedData.protectedData)))
         .add(std::move(emptyMacedKeysToSign));
     return certificateRequest;
 }

 int32_t errorMsg(string name) {
     std::cerr << "Failed for rkp instance: " << name;
     return -1;
 }

 std::vector<uint8_t> getEekChain() {
     if (FLAGS_test_mode) {
         const std::vector<uint8_t> kFakeEekId = {'f', 'a', 'k', 'e', 0};
         auto eekOrErr = generateEekChain(3 /* chainlength */, kFakeEekId);
         LOG_FATAL_IF(!eekOrErr, "Failed to generate test EEK somehow: %s",
                      eekOrErr.message().c_str());
         auto [eek, ignored_pubkey, ignored_privkey] = eekOrErr.moveValue();
         return eek;
     }

     return getProdEekChain();
 }

 void writeOutput(const Array& csr) {
     if (FLAGS_output_format == kBinaryCsrOutput) {
         auto bytes = csr.encode();
         std::copy(bytes.begin(), bytes.end(), std::ostream_iterator<char>(std::cout));
     } else if (FLAGS_output_format == kBuildPlusCsr) {
         auto [json, error] = jsonEncodeCsrWithBuild(csr);
         if (!error.empty()) {
             std::cerr << "Error JSON encoding the output: " << error;
             exit(1);
         }
         std::cout << json << std::endl;
     } else {
         std::cerr << "Unexpected output_format '" << FLAGS_output_format << "'" << std::endl;
         std::cerr << "Valid formats:" << std::endl;
         std::cerr << "  " << kBinaryCsrOutput << std::endl;
         std::cerr << "  " << kBuildPlusCsr << std::endl;
         exit(1);
     }
 }

 }  // namespace

 int main(int argc, char** argv) {
     gflags::ParseCommandLineFlags(&argc, &argv, /*remove_flags=*/true);

     const std::vector<uint8_t> eek_chain = getEekChain();
     const std::vector<uint8_t> challenge = generateChallenge();

     std::shared_ptr<const HalManifest> manifest = VintfObject::GetDeviceHalManifest();
     set<string> rkpNames = manifest->getAidlInstances(kPackage, kInterface);
     for (auto name : rkpNames) {
         string fullName = kFormattedName + name;
         if (!AServiceManager_isDeclared(fullName.c_str())) {
             ALOGE("Could not find the following instance declared in the manifest: %s\n",
                   fullName.c_str());
             return errorMsg(name);
         }
         AIBinder* rkpAiBinder = AServiceManager_getService(fullName.c_str());
         ::ndk::SpAIBinder rkp_binder(rkpAiBinder);
         auto rkp_service = IRemotelyProvisionedComponent::fromBinder(rkp_binder);
         std::vector<uint8_t> keysToSignMac;
         std::vector<MacedPublicKey> emptyKeys;

         DeviceInfo deviceInfo;
         ProtectedData protectedData;
         if (rkp_service) {
             ALOGE("extracting bundle");
             ::ndk::ScopedAStatus status = rkp_service->generateCertificateRequest(
                 FLAGS_test_mode, emptyKeys, eek_chain, challenge, &deviceInfo, &protectedData,
                 &keysToSignMac);
             if (!status.isOk()) {
                 ALOGE("Bundle extraction failed. Error code: %d", status.getServiceSpecificError());
                 return errorMsg(name);
             }
             writeOutput(composeCertificateRequest(std::move(protectedData), std::move(deviceInfo),
                                                   challenge));
         }
     }
 }
	/*
	* Copyright 2021 The Android Open Source Project
	*
	* Licensed under the Apache License, Version 2.0 (the "License");
	* you may not use this file except in compliance with the License.
	* You may obtain a copy of the License at
	*
	* http://www.apache.org/licenses/LICENSE-2.0
	*
	* Unless required by applicable law or agreed to in writing, software
	* distributed under the License is distributed on an "AS IS" BASIS,
	* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	* See the License for the specific language governing permissions and
	* limitations under the License.
	*/

	#include <string>
	#include <vector>

	#include <aidl/android/hardware/security/keymint/IRemotelyProvisionedComponent.h>
	#include <android/binder_manager.h>
	#include <cppbor.h>
	#include <gflags/gflags.h>
	#include <keymaster/cppcose/cppcose.h>
	#include <log/log.h>
	#include <remote_prov/remote_prov_utils.h>
	#include <sys/random.h>
	#include <vintf/VintfObject.h>

	using std::set;
	using std::string;
	using std::vector;

	using aidl::android::hardware::security::keymint::DeviceInfo;
	using aidl::android::hardware::security::keymint::IRemotelyProvisionedComponent;
	using aidl::android::hardware::security::keymint::MacedPublicKey;
	using aidl::android::hardware::security::keymint::ProtectedData;
	using aidl::android::hardware::security::keymint::remote_prov::generateEekChain;
	using aidl::android::hardware::security::keymint::remote_prov::getProdEekChain;
	using aidl::android::hardware::security::keymint::remote_prov::jsonEncodeCsrWithBuild;

	using android::vintf::HalManifest;
	using android::vintf::VintfObject;

	using namespace cppbor;
	using namespace cppcose;

	DEFINE_bool(test_mode, false, "If enabled, a fake EEK key/cert are used.");

	DEFINE_string(output_format, "csr", "How to format the output. Defaults to 'csr'.");

	namespace {

	const string kPackage = "android.hardware.security.keymint";
	const string kInterface = "IRemotelyProvisionedComponent";
	const string kFormattedName = kPackage + "." + kInterface + "/";

	// Various supported --output_format values.
	constexpr std::string_view kBinaryCsrOutput = "csr"; // Just the raw csr as binary
	constexpr std::string_view kBuildPlusCsr = "build+csr"; // Text-encoded (JSON) build
	// fingerprint plus CSR.

	constexpr size_t kChallengeSize = 16;

	std::vector<uint8_t> generateChallenge() {
	std::vector<uint8_t> challenge(kChallengeSize);

	ssize_t bytesRemaining = static_cast<ssize_t>(challenge.size());
	uint8_t* writePtr = challenge.data();
	while (bytesRemaining > 0) {
	int bytesRead = getrandom(writePtr, bytesRemaining, /flags=/0);
	if (bytesRead < 0) {
	LOG_FATAL_IF(errno != EINTR, "%d - %s", errno, strerror(errno));
	}
	bytesRemaining -= bytesRead;
	writePtr += bytesRead;
	}

	return challenge;
	}

	Array composeCertificateRequest(ProtectedData&& protectedData, DeviceInfo&& deviceInfo,
	const std::vector<uint8_t>& challenge) {
	Array emptyMacedKeysToSign;
	emptyMacedKeysToSign
	.add(std::vector<uint8_t>(0)) // empty protected headers as bstr
	.add(Map()) // empty unprotected headers
	.add(Null()) // nil for the payload
	.add(std::vector<uint8_t>(0)); // empty tag as bstr
	Array certificateRequest;
	certificateRequest.add(EncodedItem(std::move(deviceInfo.deviceInfo)))
	.add(challenge)
	.add(EncodedItem(std::move(protectedData.protectedData)))
	.add(std::move(emptyMacedKeysToSign));
	return certificateRequest;
	}

	int32_t errorMsg(string name) {
	std::cerr << "Failed for rkp instance: " << name;
	return -1;
	}

	std::vector<uint8_t> getEekChain() {
	if (FLAGS_test_mode) {
	const std::vector<uint8_t> kFakeEekId = {'f', 'a', 'k', 'e', 0};
	auto eekOrErr = generateEekChain(3 /* chainlength */, kFakeEekId);
	LOG_FATAL_IF(!eekOrErr, "Failed to generate test EEK somehow: %s",
	eekOrErr.message().c_str());
	auto [eek, ignored_pubkey, ignored_privkey] = eekOrErr.moveValue();
	return eek;
	}

	return getProdEekChain();
	}

	void writeOutput(const Array& csr) {
	if (FLAGS_output_format == kBinaryCsrOutput) {
	auto bytes = csr.encode();
	std::copy(bytes.begin(), bytes.end(), std::ostream_iterator<char>(std::cout));
	} else if (FLAGS_output_format == kBuildPlusCsr) {
	auto [json, error] = jsonEncodeCsrWithBuild(csr);
	if (!error.empty()) {
	std::cerr << "Error JSON encoding the output: " << error;
	exit(1);
	}
	std::cout << json << std::endl;
	} else {
	std::cerr << "Unexpected output_format '" << FLAGS_output_format << "'" << std::endl;
	std::cerr << "Valid formats:" << std::endl;
	std::cerr << " " << kBinaryCsrOutput << std::endl;
	std::cerr << " " << kBuildPlusCsr << std::endl;
	exit(1);
	}
	}

	} // namespace

	int main(int argc, char** argv) {
	gflags::ParseCommandLineFlags(&argc, &argv, /remove_flags=/true);

	const std::vector<uint8_t> eek_chain = getEekChain();
	const std::vector<uint8_t> challenge = generateChallenge();

	std::shared_ptr<const HalManifest> manifest = VintfObject::GetDeviceHalManifest();
	set<string> rkpNames = manifest->getAidlInstances(kPackage, kInterface);
	for (auto name : rkpNames) {
	string fullName = kFormattedName + name;
	if (!AServiceManager_isDeclared(fullName.c_str())) {
	ALOGE("Could not find the following instance declared in the manifest: %s\n",
	fullName.c_str());
	return errorMsg(name);
	}
	AIBinder* rkpAiBinder = AServiceManager_getService(fullName.c_str());
	::ndk::SpAIBinder rkp_binder(rkpAiBinder);
	auto rkp_service = IRemotelyProvisionedComponent::fromBinder(rkp_binder);
	std::vector<uint8_t> keysToSignMac;
	std::vector<MacedPublicKey> emptyKeys;

	DeviceInfo deviceInfo;
	ProtectedData protectedData;
	if (rkp_service) {
	ALOGE("extracting bundle");
	::ndk::ScopedAStatus status = rkp_service->generateCertificateRequest(
	FLAGS_test_mode, emptyKeys, eek_chain, challenge, &deviceInfo, &protectedData,
	&keysToSignMac);
	if (!status.isOk()) {
	ALOGE("Bundle extraction failed. Error code: %d", status.getServiceSpecificError());
	return errorMsg(name);
	}
	writeOutput(composeCertificateRequest(std::move(protectedData), std::move(deviceInfo),
	challenge));
	}
	}
	}