Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_security / 105423778731ea55e7af140ff896a27e4ff69c07 / . / identity / CredentialStore.cpp
blob: cb2e8c7f2a65069d85f7d94ec02faf1f47ff728a [file] [log] [blame]
David Zeuthenab3e5652019-10-28 13:32:48 -0400[diff] [blame]1/*
2 * Copyright (c) 2019, The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
David Zeuthen62d43bf2021-03-31 10:41:27 -0400[diff] [blame]17#define LOG_TAG "credstore"
David Zeuthenab3e5652019-10-28 13:32:48 -0400[diff] [blame]18
19#include <algorithm>
Seth Moore81db3782022-01-18 15:58:47 -0800[diff] [blame]20#include <optional>
David Zeuthenab3e5652019-10-28 13:32:48 -0400[diff] [blame]21
22#include <android-base/logging.h>
Seth Moore81db3782022-01-18 15:58:47 -0800[diff] [blame]23#include <android/hardware/security/keymint/IRemotelyProvisionedComponent.h>
24#include <android/hardware/security/keymint/RpcHardwareInfo.h>
David Zeuthenab3e5652019-10-28 13:32:48 -0400[diff] [blame]25#include <binder/IPCThreadState.h>
Seth Moore81db3782022-01-18 15:58:47 -0800[diff] [blame]26#include <binder/IServiceManager.h>
Tri Vo10542372023-03-07 21:59:31 -0800[diff] [blame^]27#include <rkp/support/rkpd_client.h>
Tri Vo3ab6f052022-11-22 10:26:16 -0800[diff] [blame]28#include <vintf/VintfObject.h>
David Zeuthenab3e5652019-10-28 13:32:48 -0400[diff] [blame]29
30#include "Credential.h"
David Zeuthena6f9fba2020-02-11 22:08:27 -0500[diff] [blame]31#include "CredentialData.h"
David Zeuthenab3e5652019-10-28 13:32:48 -0400[diff] [blame]32#include "CredentialStore.h"
David Zeuthen045a2c82021-09-11 13:52:17 -0400[diff] [blame]33#include "Session.h"
David Zeuthenab3e5652019-10-28 13:32:48 -0400[diff] [blame]34#include "Util.h"
35#include "WritableCredential.h"
36
37namespace android {
38namespace security {
39namespace identity {
Seth Moore81db3782022-01-18 15:58:47 -0800[diff] [blame]40namespace {
41
Tri Vo10542372023-03-07 21:59:31 -0800[diff] [blame^]42using ::android::security::rkp::RemotelyProvisionedKey;
43using ::android::security::rkp::support::getRpcKey;
Seth Moore81db3782022-01-18 15:58:47 -0800[diff] [blame]44
Seth Moore81db3782022-01-18 15:58:47 -0800[diff] [blame]45} // namespace
David Zeuthenab3e5652019-10-28 13:32:48 -0400[diff] [blame]46
David Zeuthenab3e5652019-10-28 13:32:48 -0400[diff] [blame]47CredentialStore::CredentialStore(const std::string& dataPath, sp<IIdentityCredentialStore> hal)
48 : dataPath_(dataPath), hal_(hal) {}
49
50bool CredentialStore::init() {
David Zeuthena6f9fba2020-02-11 22:08:27 -0500[diff] [blame]51 Status status = hal_->getHardwareInformation(&hwInfo_);
52 if (!status.isOk()) {
53 LOG(ERROR) << "Error getting hardware information: " << status.toString8();
David Zeuthenab3e5652019-10-28 13:32:48 -0400[diff] [blame]54 return false;
55 }
David Zeuthen472e6c82020-10-16 11:50:13 -0400[diff] [blame]56 halApiVersion_ = hal_->getInterfaceVersion();
David Zeuthena6f9fba2020-02-11 22:08:27 -0500[diff] [blame]57
Seth Moore81db3782022-01-18 15:58:47 -0800[diff] [blame]58 if (hwInfo_.isRemoteKeyProvisioningSupported) {
Tri Vo3ab6f052022-11-22 10:26:16 -0800[diff] [blame]59 status = hal_->getRemotelyProvisionedComponent(&rpc_);
60 if (!status.isOk()) {
61 LOG(ERROR) << "Error getting remotely provisioned component: " << status;
Seth Moore81db3782022-01-18 15:58:47 -0800[diff] [blame]62 return false;
63 }
64 }
65
David Zeuthen472e6c82020-10-16 11:50:13 -0400[diff] [blame]66 LOG(INFO) << "Connected to Identity Credential HAL with API version " << halApiVersion_
67 << " and name '" << hwInfo_.credentialStoreName << "' authored by '"
68 << hwInfo_.credentialStoreAuthorName << "' with chunk size " << hwInfo_.dataChunkSize
Tri Vo71e8cc12023-01-17 15:37:50 -0800[diff] [blame]69 << " directoAccess set to " << (hwInfo_.isDirectAccess ? "true" : "false")
70 << " and remote key provisioning support "
71 << (hwInfo_.isRemoteKeyProvisioningSupported ? "enabled" : "disabled");
David Zeuthenab3e5652019-10-28 13:32:48 -0400[diff] [blame]72 return true;
73}
74
75CredentialStore::~CredentialStore() {}
76
77Status CredentialStore::getSecurityHardwareInfo(SecurityHardwareInfoParcel* _aidl_return) {
78 SecurityHardwareInfoParcel info;
David Zeuthena6f9fba2020-02-11 22:08:27 -0500[diff] [blame]79 info.directAccess = hwInfo_.isDirectAccess;
80 info.supportedDocTypes = hwInfo_.supportedDocTypes;
David Zeuthenab3e5652019-10-28 13:32:48 -0400[diff] [blame]81 *_aidl_return = info;
82 return Status::ok();
83};
84
85Status CredentialStore::createCredential(const std::string& credentialName,
86 const std::string& docType,
87 sp<IWritableCredential>* _aidl_return) {
88 uid_t callingUid = android::IPCThreadState::self()->getCallingUid();
89 optional<bool> credentialExists =
90 CredentialData::credentialExists(dataPath_, callingUid, credentialName);
91 if (!credentialExists.has_value()) {
92 return Status::fromServiceSpecificError(
93 ERROR_GENERIC, "Error determining if credential with given name exists");
94 }
95 if (credentialExists.value()) {
96 return Status::fromServiceSpecificError(ERROR_ALREADY_PERSONALIZED,
97 "Credential with given name already exists");
98 }
99
David Zeuthena6f9fba2020-02-11 22:08:27 -0500[diff] [blame]100 if (hwInfo_.supportedDocTypes.size() > 0) {
101 if (std::find(hwInfo_.supportedDocTypes.begin(), hwInfo_.supportedDocTypes.end(),
102 docType) == hwInfo_.supportedDocTypes.end()) {
David Zeuthenab3e5652019-10-28 13:32:48 -0400[diff] [blame]103 return Status::fromServiceSpecificError(ERROR_DOCUMENT_TYPE_NOT_SUPPORTED,
104 "No support for given document type");
105 }
106 }
107
David Zeuthenab3e5652019-10-28 13:32:48 -0400[diff] [blame]108 sp<IWritableIdentityCredential> halWritableCredential;
David Zeuthena6f9fba2020-02-11 22:08:27 -0500[diff] [blame]109 Status status = hal_->createCredential(docType, false, &halWritableCredential);
110 if (!status.isOk()) {
111 return halStatusToGenericError(status);
David Zeuthenab3e5652019-10-28 13:32:48 -0400[diff] [blame]112 }
113
Seth Moore81db3782022-01-18 15:58:47 -0800[diff] [blame]114 if (hwInfo_.isRemoteKeyProvisioningSupported) {
115 status = setRemotelyProvisionedAttestationKey(halWritableCredential.get());
116 if (!status.isOk()) {
Tri Vo71e8cc12023-01-17 15:37:50 -0800[diff] [blame]117 LOG(WARNING) << status.toString8()
118 << "\nUnable to fetch remotely provisioned attestation key, falling back "
119 << "to the factory-provisioned attestation key.";
Seth Moore81db3782022-01-18 15:58:47 -0800[diff] [blame]120 }
121 }
122
David Zeuthenab3e5652019-10-28 13:32:48 -0400[diff] [blame]123 sp<IWritableCredential> writableCredential = new WritableCredential(
David Zeuthen27407a52021-03-04 16:32:43 -0500[diff] [blame]124 dataPath_, credentialName, docType, false, hwInfo_, halWritableCredential);
David Zeuthenab3e5652019-10-28 13:32:48 -0400[diff] [blame]125 *_aidl_return = writableCredential;
126 return Status::ok();
127}
128
David Zeuthen045a2c82021-09-11 13:52:17 -0400[diff] [blame]129Status CredentialStore::getCredentialCommon(const std::string& credentialName, int32_t cipherSuite,
130 sp<IPresentationSession> halSessionBinder,
David Zeuthenab3e5652019-10-28 13:32:48 -0400[diff] [blame]131 sp<ICredential>* _aidl_return) {
132 *_aidl_return = nullptr;
133
134 uid_t callingUid = android::IPCThreadState::self()->getCallingUid();
135 optional<bool> credentialExists =
136 CredentialData::credentialExists(dataPath_, callingUid, credentialName);
137 if (!credentialExists.has_value()) {
138 return Status::fromServiceSpecificError(
139 ERROR_GENERIC, "Error determining if credential with given name exists");
140 }
141 if (!credentialExists.value()) {
142 return Status::fromServiceSpecificError(ERROR_NO_SUCH_CREDENTIAL,
143 "Credential with given name doesn't exist");
144 }
145
David Zeuthena6f9fba2020-02-11 22:08:27 -0500[diff] [blame]146 // Note: IdentityCredentialStore.java's CipherSuite enumeration and CipherSuite from the
147 // HAL is manually kept in sync. So this cast is safe.
David Zeuthen045a2c82021-09-11 13:52:17 -0400[diff] [blame]148 sp<Credential> credential =
149 new Credential(CipherSuite(cipherSuite), dataPath_, credentialName, callingUid, hwInfo_,
150 hal_, halSessionBinder, halApiVersion_);
David Zeuthenab3e5652019-10-28 13:32:48 -0400[diff] [blame]151
David Zeuthen472e6c82020-10-16 11:50:13 -0400[diff] [blame]152 Status loadStatus = credential->ensureOrReplaceHalBinder();
David Zeuthenab3e5652019-10-28 13:32:48 -0400[diff] [blame]153 if (!loadStatus.isOk()) {
154 LOG(ERROR) << "Error loading credential";
155 } else {
156 *_aidl_return = credential;
157 }
158 return loadStatus;
159}
160
David Zeuthen045a2c82021-09-11 13:52:17 -0400[diff] [blame]161Status CredentialStore::getCredentialByName(const std::string& credentialName, int32_t cipherSuite,
162 sp<ICredential>* _aidl_return) {
163 return getCredentialCommon(credentialName, cipherSuite, nullptr, _aidl_return);
164}
165
166Status CredentialStore::createPresentationSession(int32_t cipherSuite, sp<ISession>* _aidl_return) {
167 sp<IPresentationSession> halPresentationSession;
168 Status status =
169 hal_->createPresentationSession(CipherSuite(cipherSuite), &halPresentationSession);
170 if (!status.isOk()) {
171 return halStatusToGenericError(status);
172 }
173
174 *_aidl_return = new Session(cipherSuite, halPresentationSession, this);
175 return Status::ok();
176}
177
Seth Moore81db3782022-01-18 15:58:47 -0800[diff] [blame]178Status CredentialStore::setRemotelyProvisionedAttestationKey(
179 IWritableIdentityCredential* halWritableCredential) {
Tri Vo3ab6f052022-11-22 10:26:16 -0800[diff] [blame]180 std::vector<uint8_t> keyBlob;
181 std::vector<uint8_t> encodedCertChain;
182 Status status;
183
Tri Vo190a43b2023-01-31 14:11:15 -0800[diff] [blame]184 LOG(INFO) << "Fetching attestation key from RKPD";
Tri Vo71e8cc12023-01-17 15:37:50 -0800[diff] [blame]185
Tri Vo190a43b2023-01-31 14:11:15 -0800[diff] [blame]186 uid_t callingUid = android::IPCThreadState::self()->getCallingUid();
Tri Vo10542372023-03-07 21:59:31 -0800[diff] [blame^]187 std::optional<RemotelyProvisionedKey> key = getRpcKey(rpc_, callingUid);
Tri Vo190a43b2023-01-31 14:11:15 -0800[diff] [blame]188 if (!key) {
189 return Status::fromServiceSpecificError(
190 ERROR_GENERIC, "Failed to get remotely provisioned attestation key");
191 }
192
193 if (key->keyBlob.empty()) {
194 return Status::fromServiceSpecificError(
195 ERROR_GENERIC, "Remotely provisioned attestation key blob is empty");
196 }
197
198 keyBlob = std::move(key->keyBlob);
199 encodedCertChain = std::move(key->encodedCertChain);
200
Tri Vo3ab6f052022-11-22 10:26:16 -0800[diff] [blame]201 status = halWritableCredential->setRemotelyProvisionedAttestationKey(keyBlob, encodedCertChain);
Seth Moore81db3782022-01-18 15:58:47 -0800[diff] [blame]202 if (!status.isOk()) {
203 LOG(ERROR) << "Error setting remotely provisioned attestation key on credential";
204 return status;
205 }
Seth Moore81db3782022-01-18 15:58:47 -0800[diff] [blame]206 return Status::ok();
207}
208
David Zeuthenab3e5652019-10-28 13:32:48 -0400[diff] [blame]209} // namespace identity
210} // namespace security
211} // namespace android