Blame - keystore/keystore_attestation_id.cpp - android_system_security

blob: 36c692f78b46c65525d0013e691a6a3729ca2b03 [file] [log] [blame]

Janis Danisevskis	18f27ad	2016-06-01 13:57:40 -0700	[diff] [blame]	1	/*
				2	* Copyright (C) 2016 The Android Open Source Project
				3	*
				4	* Licensed under the Apache License, Version 2.0 (the "License");
				5	* you may not use this file except in compliance with the License.
				6	* You may obtain a copy of the License at
				7	*
				8	* http://www.apache.org/licenses/LICENSE-2.0
				9	*
				10	* Unless required by applicable law or agreed to in writing, software
				11	* distributed under the License is distributed on an "AS IS" BASIS,
				12	* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
				13	* See the License for the specific language governing permissions and
				14	* limitations under the License.
				15	*/
				16	#include "keystore_attestation_id.h"
				17
				18	#define LOG_TAG "keystore_att_id"
				19
				20	#include <cutils/log.h>
				21
				22	#include <memory>
				23	#include <string>
				24	#include <vector>
				25
				26	#include <binder/IServiceManager.h>
				27	#include <binder/Parcel.h>
				28	#include <binder/Parcelable.h>
				29	#include <binder/PersistableBundle.h>
				30
				31	#include <android/security/keymaster/BpKeyAttestationApplicationIdProvider.h>
				32	#include <android/security/keymaster/IKeyAttestationApplicationIdProvider.h>
				33	#include <keystore/KeyAttestationApplicationId.h>
				34	#include <keystore/KeyAttestationPackageInfo.h>
				35	#include <keystore/Signature.h>
				36
				37	#include <openssl/asn1t.h>
				38	#include <openssl/sha.h>
				39
				40	#include <utils/String8.h>
				41
				42	namespace android {
				43
				44	namespace {
				45
				46	static std::vector<uint8_t> signature2SHA256(const content::pm::Signature& sig) {
				47	std::vector<uint8_t> digest_buffer(SHA256_DIGEST_LENGTH);
				48	SHA256(sig.data().data(), sig.data().size(), digest_buffer.data());
				49	return digest_buffer;
				50	}
				51
				52	using ::android::security::keymaster::BpKeyAttestationApplicationIdProvider;
				53
				54	class KeyAttestationApplicationIdProvider : public BpKeyAttestationApplicationIdProvider {
				55	public:
				56	KeyAttestationApplicationIdProvider();
				57
				58	static KeyAttestationApplicationIdProvider& get();
				59
				60	private:
				61	android::sp<android::IServiceManager> service_manager_;
				62	};
				63
				64	KeyAttestationApplicationIdProvider& KeyAttestationApplicationIdProvider::get() {
				65	static KeyAttestationApplicationIdProvider mpm;
				66	return mpm;
				67	}
				68
				69	KeyAttestationApplicationIdProvider::KeyAttestationApplicationIdProvider()
				70	: BpKeyAttestationApplicationIdProvider(
				71	android::defaultServiceManager()->getService(String16("sec_key_att_app_id_provider"))) {}
				72
				73	DECLARE_STACK_OF(ASN1_OCTET_STRING);
				74
				75	typedef struct km_attestation_package_info {
				76	ASN1_OCTET_STRING* package_name;
				77	ASN1_INTEGER* version;
				78	STACK_OF(ASN1_OCTET_STRING) * signature_digests;
				79	} KM_ATTESTATION_PACKAGE_INFO;
				80
				81	ASN1_SEQUENCE(KM_ATTESTATION_PACKAGE_INFO) = {
				82	ASN1_SIMPLE(KM_ATTESTATION_PACKAGE_INFO, package_name, ASN1_OCTET_STRING),
				83	ASN1_SIMPLE(KM_ATTESTATION_PACKAGE_INFO, version, ASN1_INTEGER),
				84	ASN1_SET_OF(KM_ATTESTATION_PACKAGE_INFO, signature_digests, ASN1_OCTET_STRING),
				85	} ASN1_SEQUENCE_END(KM_ATTESTATION_PACKAGE_INFO);
				86	IMPLEMENT_ASN1_FUNCTIONS(KM_ATTESTATION_PACKAGE_INFO);
				87
				88	DECLARE_STACK_OF(KM_ATTESTATION_PACKAGE_INFO);
				89
				90	typedef struct km_attestation_application_id {
				91	STACK_OF(KM_ATTESTATION_PACKAGE_INFO) * package_infos;
				92	} KM_ATTESTATION_APPLICATION_ID;
				93
				94	ASN1_SEQUENCE(KM_ATTESTATION_APPLICATION_ID) = {
				95	ASN1_SET_OF(KM_ATTESTATION_APPLICATION_ID, package_infos, KM_ATTESTATION_PACKAGE_INFO),
				96	} ASN1_SEQUENCE_END(KM_ATTESTATION_APPLICATION_ID);
				97	IMPLEMENT_ASN1_FUNCTIONS(KM_ATTESTATION_APPLICATION_ID);
				98	}
				99
				100	} // namespace android
				101
				102	namespace std {
				103	template <> struct default_delete<android::KM_ATTESTATION_PACKAGE_INFO> {
				104	void operator()(android::KM_ATTESTATION_PACKAGE_INFO* p) {
				105	android::KM_ATTESTATION_PACKAGE_INFO_free(p);
				106	}
				107	};
				108	template <> struct default_delete<ASN1_OCTET_STRING> {
				109	void operator()(ASN1_OCTET_STRING* p) { ASN1_OCTET_STRING_free(p); }
				110	};
				111	template <> struct default_delete<android::KM_ATTESTATION_APPLICATION_ID> {
				112	void operator()(android::KM_ATTESTATION_APPLICATION_ID* p) {
				113	android::KM_ATTESTATION_APPLICATION_ID_free(p);
				114	}
				115	};
				116	} // namespace std
				117
				118	namespace android {
				119	namespace security {
				120	namespace {
				121
				122	using ::android::security::keymaster::KeyAttestationApplicationId;
				123	using ::android::security::keymaster::KeyAttestationPackageInfo;
				124
				125	status_t build_attestation_package_info(
				126	const std::string& pkg_name, const uint32_t pkg_version,
				127	const std::vector<std::vector<uint8_t>>& signature_digests,
				128	std::unique_ptr<KM_ATTESTATION_PACKAGE_INFO>* attestation_package_info_ptr) {
				129
				130	if (!attestation_package_info_ptr) return BAD_VALUE;
				131	auto& attestation_package_info = *attestation_package_info_ptr;
				132
				133	attestation_package_info.reset(KM_ATTESTATION_PACKAGE_INFO_new());
				134	if (!attestation_package_info.get()) return NO_MEMORY;
				135
				136	if (!ASN1_OCTET_STRING_set(attestation_package_info->package_name,
				137	reinterpret_cast<const unsigned char*>(pkg_name.data()),
				138	pkg_name.size())) {
				139	return UNKNOWN_ERROR;
				140	}
				141
				142	auto signature_digest_stack =
				143	reinterpret_cast<_STACK*>(attestation_package_info->signature_digests);
				144
				145	assert(signature_digest_stack != nullptr);
				146
				147	for (auto si : signature_digests) {
				148	auto asn1_item = std::unique_ptr<ASN1_OCTET_STRING>(ASN1_OCTET_STRING_new());
				149	if (!asn1_item) return NO_MEMORY;
				150	if (!ASN1_OCTET_STRING_set(asn1_item.get(), si.data(), si.size())) {
				151	return UNKNOWN_ERROR;
				152	}
				153	if (!sk_push(signature_digest_stack, asn1_item.get())) {
				154	return NO_MEMORY;
				155	}
				156	asn1_item.release(); // if push succeeded, the stack takes ownership
				157	}
				158
				159	if (!ASN1_INTEGER_set(attestation_package_info->version, pkg_version)) {
				160	return UNKNOWN_ERROR;
				161	}
				162
				163	return NO_ERROR;
				164	}
				165
				166	inline std::pair<std::vector<uint8_t>, status_t> wraperror(const status_t status) {
				167	return std::pair<std::vector<uint8_t>, status_t>(std::vector<uint8_t>(), status);
				168	}
				169
				170	std::pair<std::vector<uint8_t>, status_t>
				171	build_attestation_application_id(const KeyAttestationApplicationId& key_attestation_id) {
				172	auto attestation_id =
				173	std::unique_ptr<KM_ATTESTATION_APPLICATION_ID>(KM_ATTESTATION_APPLICATION_ID_new());
				174
				175	auto attestation_pinfo_stack = reinterpret_cast<_STACK*>(attestation_id->package_infos);
				176
				177	for (auto pinfo = key_attestation_id.pinfos_begin(); pinfo != key_attestation_id.pinfos_end();
				178	++pinfo) {
				179	std::vector<std::vector<uint8_t>> signature_digests;
				180
				181	for (auto sig = pinfo->sigs_begin(); sig != pinfo->sigs_end(); ++sig) {
				182	signature_digests.push_back(signature2SHA256(*sig));
				183	}
				184
				185	if (!pinfo->package_name()) {
				186	ALOGE("Key attestation package info lacks package name");
				187	return wraperror(BAD_VALUE);
				188	}
				189	std::string package_name(String8(*pinfo->package_name()).string());
				190	std::unique_ptr<KM_ATTESTATION_PACKAGE_INFO> attestation_package_info;
				191	auto rc = build_attestation_package_info(package_name, pinfo->version_code(),
				192	signature_digests, &attestation_package_info);
				193	if (rc != NO_ERROR) {
				194	ALOGE("Building DER attestation package info failed %d", rc);
				195	return wraperror(rc);
				196	}
				197	if (!sk_push(attestation_pinfo_stack, attestation_package_info.get())) {
				198	return wraperror(NO_MEMORY);
				199	}
				200	// if push succeeded, the stack takes ownership
				201	attestation_package_info.release();
				202	}
				203
				204	int len = i2d_KM_ATTESTATION_APPLICATION_ID(attestation_id.get(), nullptr);
				205	if (len < 0) return wraperror(UNKNOWN_ERROR);
				206	auto result = std::make_pair(std::vector<uint8_t>(len), NO_ERROR);
				207	uint8_t* p = result.first.data();
				208	len = i2d_KM_ATTESTATION_APPLICATION_ID(attestation_id.get(), &p);
				209	if (len < 0) return wraperror(UNKNOWN_ERROR);
				210
				211	return result;
				212	}
				213
				214	/* The following function are not used. They are mentioned here to silence
				215	* warnings about them not being used.
				216	*/
				217	void unused_functions_silencer() __attribute__((unused));
				218	void unused_functions_silencer() {
				219	i2d_KM_ATTESTATION_PACKAGE_INFO(nullptr, nullptr);
				220	d2i_KM_ATTESTATION_APPLICATION_ID(nullptr, nullptr, 0);
				221	d2i_KM_ATTESTATION_PACKAGE_INFO(nullptr, nullptr, 0);
				222	}
				223
				224	} // namespace
				225
				226	std::pair<std::vector<uint8_t>, status_t> gather_attestation_application_id(uid_t uid) {
				227	auto& pm = KeyAttestationApplicationIdProvider::get();
				228
				229	/* Get the attestation application ID from package manager */
				230	KeyAttestationApplicationId key_attestation_id;
				231	auto status = pm.getKeyAttestationApplicationId(uid, &key_attestation_id);
				232	if (!status.isOk()) {
				233	ALOGE("package manager request for key attestation ID failed with: %s",
				234	status.exceptionMessage().string());
				235	return wraperror(FAILED_TRANSACTION);
				236	}
				237
				238	/* DER encode the attestation application ID */
				239	return build_attestation_application_id(key_attestation_id);
				240	}
				241
				242	} // namespace security
				243	} // namespace android