Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_security / 190a43b9793714288fff72f88bc310c5fb2056cd / . / identity / CredentialStore.cpp
blob: e200cb57f4f7166f6d5dd10fc6cdf4b4f56cca7a [file] [log] [blame]
David Zeuthenab3e5652019-10-28 13:32:48 -0400[diff] [blame]1/*
2 * Copyright (c) 2019, The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
David Zeuthen62d43bf2021-03-31 10:41:27 -0400[diff] [blame]17#define LOG_TAG "credstore"
David Zeuthenab3e5652019-10-28 13:32:48 -0400[diff] [blame]18
19#include <algorithm>
Seth Moore81db3782022-01-18 15:58:47 -0800[diff] [blame]20#include <optional>
David Zeuthenab3e5652019-10-28 13:32:48 -0400[diff] [blame]21
22#include <android-base/logging.h>
Seth Moore81db3782022-01-18 15:58:47 -0800[diff] [blame]23#include <android/hardware/security/keymint/IRemotelyProvisionedComponent.h>
24#include <android/hardware/security/keymint/RpcHardwareInfo.h>
David Zeuthenab3e5652019-10-28 13:32:48 -0400[diff] [blame]25#include <binder/IPCThreadState.h>
Seth Moore81db3782022-01-18 15:58:47 -0800[diff] [blame]26#include <binder/IServiceManager.h>
Tri Vo3ab6f052022-11-22 10:26:16 -0800[diff] [blame]27#include <vintf/VintfObject.h>
David Zeuthenab3e5652019-10-28 13:32:48 -0400[diff] [blame]28
29#include "Credential.h"
David Zeuthena6f9fba2020-02-11 22:08:27 -0500[diff] [blame]30#include "CredentialData.h"
David Zeuthenab3e5652019-10-28 13:32:48 -0400[diff] [blame]31#include "CredentialStore.h"
Tri Vo71e8cc12023-01-17 15:37:50 -0800[diff] [blame]32#include "RemotelyProvisionedKey.h"
David Zeuthen045a2c82021-09-11 13:52:17 -0400[diff] [blame]33#include "Session.h"
David Zeuthenab3e5652019-10-28 13:32:48 -0400[diff] [blame]34#include "Util.h"
35#include "WritableCredential.h"
36
37namespace android {
38namespace security {
39namespace identity {
Seth Moore81db3782022-01-18 15:58:47 -0800[diff] [blame]40namespace {
41
Tri Vo3ab6f052022-11-22 10:26:16 -0800[diff] [blame]42using ::android::security::rkp::IRemoteProvisioning;
Seth Moore81db3782022-01-18 15:58:47 -0800[diff] [blame]43
Seth Moore81db3782022-01-18 15:58:47 -0800[diff] [blame]44} // namespace
David Zeuthenab3e5652019-10-28 13:32:48 -0400[diff] [blame]45
David Zeuthenab3e5652019-10-28 13:32:48 -0400[diff] [blame]46CredentialStore::CredentialStore(const std::string& dataPath, sp<IIdentityCredentialStore> hal)
47 : dataPath_(dataPath), hal_(hal) {}
48
49bool CredentialStore::init() {
David Zeuthena6f9fba2020-02-11 22:08:27 -0500[diff] [blame]50 Status status = hal_->getHardwareInformation(&hwInfo_);
51 if (!status.isOk()) {
52 LOG(ERROR) << "Error getting hardware information: " << status.toString8();
David Zeuthenab3e5652019-10-28 13:32:48 -0400[diff] [blame]53 return false;
54 }
David Zeuthen472e6c82020-10-16 11:50:13 -0400[diff] [blame]55 halApiVersion_ = hal_->getInterfaceVersion();
David Zeuthena6f9fba2020-02-11 22:08:27 -0500[diff] [blame]56
Seth Moore81db3782022-01-18 15:58:47 -0800[diff] [blame]57 if (hwInfo_.isRemoteKeyProvisioningSupported) {
Tri Vo3ab6f052022-11-22 10:26:16 -0800[diff] [blame]58 status = hal_->getRemotelyProvisionedComponent(&rpc_);
59 if (!status.isOk()) {
60 LOG(ERROR) << "Error getting remotely provisioned component: " << status;
Seth Moore81db3782022-01-18 15:58:47 -0800[diff] [blame]61 return false;
62 }
63 }
64
David Zeuthen472e6c82020-10-16 11:50:13 -0400[diff] [blame]65 LOG(INFO) << "Connected to Identity Credential HAL with API version " << halApiVersion_
66 << " and name '" << hwInfo_.credentialStoreName << "' authored by '"
67 << hwInfo_.credentialStoreAuthorName << "' with chunk size " << hwInfo_.dataChunkSize
Tri Vo71e8cc12023-01-17 15:37:50 -0800[diff] [blame]68 << " directoAccess set to " << (hwInfo_.isDirectAccess ? "true" : "false")
69 << " and remote key provisioning support "
70 << (hwInfo_.isRemoteKeyProvisioningSupported ? "enabled" : "disabled");
David Zeuthenab3e5652019-10-28 13:32:48 -0400[diff] [blame]71 return true;
72}
73
74CredentialStore::~CredentialStore() {}
75
76Status CredentialStore::getSecurityHardwareInfo(SecurityHardwareInfoParcel* _aidl_return) {
77 SecurityHardwareInfoParcel info;
David Zeuthena6f9fba2020-02-11 22:08:27 -0500[diff] [blame]78 info.directAccess = hwInfo_.isDirectAccess;
79 info.supportedDocTypes = hwInfo_.supportedDocTypes;
David Zeuthenab3e5652019-10-28 13:32:48 -0400[diff] [blame]80 *_aidl_return = info;
81 return Status::ok();
82};
83
84Status CredentialStore::createCredential(const std::string& credentialName,
85 const std::string& docType,
86 sp<IWritableCredential>* _aidl_return) {
87 uid_t callingUid = android::IPCThreadState::self()->getCallingUid();
88 optional<bool> credentialExists =
89 CredentialData::credentialExists(dataPath_, callingUid, credentialName);
90 if (!credentialExists.has_value()) {
91 return Status::fromServiceSpecificError(
92 ERROR_GENERIC, "Error determining if credential with given name exists");
93 }
94 if (credentialExists.value()) {
95 return Status::fromServiceSpecificError(ERROR_ALREADY_PERSONALIZED,
96 "Credential with given name already exists");
97 }
98
David Zeuthena6f9fba2020-02-11 22:08:27 -0500[diff] [blame]99 if (hwInfo_.supportedDocTypes.size() > 0) {
100 if (std::find(hwInfo_.supportedDocTypes.begin(), hwInfo_.supportedDocTypes.end(),
101 docType) == hwInfo_.supportedDocTypes.end()) {
David Zeuthenab3e5652019-10-28 13:32:48 -0400[diff] [blame]102 return Status::fromServiceSpecificError(ERROR_DOCUMENT_TYPE_NOT_SUPPORTED,
103 "No support for given document type");
104 }
105 }
106
David Zeuthenab3e5652019-10-28 13:32:48 -0400[diff] [blame]107 sp<IWritableIdentityCredential> halWritableCredential;
David Zeuthena6f9fba2020-02-11 22:08:27 -0500[diff] [blame]108 Status status = hal_->createCredential(docType, false, &halWritableCredential);
109 if (!status.isOk()) {
110 return halStatusToGenericError(status);
David Zeuthenab3e5652019-10-28 13:32:48 -0400[diff] [blame]111 }
112
Seth Moore81db3782022-01-18 15:58:47 -0800[diff] [blame]113 if (hwInfo_.isRemoteKeyProvisioningSupported) {
114 status = setRemotelyProvisionedAttestationKey(halWritableCredential.get());
115 if (!status.isOk()) {
Tri Vo71e8cc12023-01-17 15:37:50 -0800[diff] [blame]116 LOG(WARNING) << status.toString8()
117 << "\nUnable to fetch remotely provisioned attestation key, falling back "
118 << "to the factory-provisioned attestation key.";
Seth Moore81db3782022-01-18 15:58:47 -0800[diff] [blame]119 }
120 }
121
David Zeuthenab3e5652019-10-28 13:32:48 -0400[diff] [blame]122 sp<IWritableCredential> writableCredential = new WritableCredential(
David Zeuthen27407a52021-03-04 16:32:43 -0500[diff] [blame]123 dataPath_, credentialName, docType, false, hwInfo_, halWritableCredential);
David Zeuthenab3e5652019-10-28 13:32:48 -0400[diff] [blame]124 *_aidl_return = writableCredential;
125 return Status::ok();
126}
127
David Zeuthen045a2c82021-09-11 13:52:17 -0400[diff] [blame]128Status CredentialStore::getCredentialCommon(const std::string& credentialName, int32_t cipherSuite,
129 sp<IPresentationSession> halSessionBinder,
David Zeuthenab3e5652019-10-28 13:32:48 -0400[diff] [blame]130 sp<ICredential>* _aidl_return) {
131 *_aidl_return = nullptr;
132
133 uid_t callingUid = android::IPCThreadState::self()->getCallingUid();
134 optional<bool> credentialExists =
135 CredentialData::credentialExists(dataPath_, callingUid, credentialName);
136 if (!credentialExists.has_value()) {
137 return Status::fromServiceSpecificError(
138 ERROR_GENERIC, "Error determining if credential with given name exists");
139 }
140 if (!credentialExists.value()) {
141 return Status::fromServiceSpecificError(ERROR_NO_SUCH_CREDENTIAL,
142 "Credential with given name doesn't exist");
143 }
144
David Zeuthena6f9fba2020-02-11 22:08:27 -0500[diff] [blame]145 // Note: IdentityCredentialStore.java's CipherSuite enumeration and CipherSuite from the
146 // HAL is manually kept in sync. So this cast is safe.
David Zeuthen045a2c82021-09-11 13:52:17 -0400[diff] [blame]147 sp<Credential> credential =
148 new Credential(CipherSuite(cipherSuite), dataPath_, credentialName, callingUid, hwInfo_,
149 hal_, halSessionBinder, halApiVersion_);
David Zeuthenab3e5652019-10-28 13:32:48 -0400[diff] [blame]150
David Zeuthen472e6c82020-10-16 11:50:13 -0400[diff] [blame]151 Status loadStatus = credential->ensureOrReplaceHalBinder();
David Zeuthenab3e5652019-10-28 13:32:48 -0400[diff] [blame]152 if (!loadStatus.isOk()) {
153 LOG(ERROR) << "Error loading credential";
154 } else {
155 *_aidl_return = credential;
156 }
157 return loadStatus;
158}
159
David Zeuthen045a2c82021-09-11 13:52:17 -0400[diff] [blame]160Status CredentialStore::getCredentialByName(const std::string& credentialName, int32_t cipherSuite,
161 sp<ICredential>* _aidl_return) {
162 return getCredentialCommon(credentialName, cipherSuite, nullptr, _aidl_return);
163}
164
165Status CredentialStore::createPresentationSession(int32_t cipherSuite, sp<ISession>* _aidl_return) {
166 sp<IPresentationSession> halPresentationSession;
167 Status status =
168 hal_->createPresentationSession(CipherSuite(cipherSuite), &halPresentationSession);
169 if (!status.isOk()) {
170 return halStatusToGenericError(status);
171 }
172
173 *_aidl_return = new Session(cipherSuite, halPresentationSession, this);
174 return Status::ok();
175}
176
Seth Moore81db3782022-01-18 15:58:47 -0800[diff] [blame]177Status CredentialStore::setRemotelyProvisionedAttestationKey(
178 IWritableIdentityCredential* halWritableCredential) {
Tri Vo3ab6f052022-11-22 10:26:16 -0800[diff] [blame]179 std::vector<uint8_t> keyBlob;
180 std::vector<uint8_t> encodedCertChain;
181 Status status;
182
Tri Vo190a43b2023-01-31 14:11:15 -0800[diff] [blame^]183 LOG(INFO) << "Fetching attestation key from RKPD";
Tri Vo71e8cc12023-01-17 15:37:50 -0800[diff] [blame]184
Tri Vo190a43b2023-01-31 14:11:15 -0800[diff] [blame^]185 uid_t callingUid = android::IPCThreadState::self()->getCallingUid();
186 auto rpcKeyFuture = getRpcKeyFuture(rpc_, callingUid);
187 if (!rpcKeyFuture) {
188 return Status::fromServiceSpecificError(ERROR_GENERIC, "Error in getRpcKeyFuture()");
Seth Moore81db3782022-01-18 15:58:47 -0800[diff] [blame]189 }
190
Tri Vo190a43b2023-01-31 14:11:15 -0800[diff] [blame^]191 if (rpcKeyFuture->wait_for(std::chrono::seconds(10)) != std::future_status::ready) {
192 return Status::fromServiceSpecificError(
193 ERROR_GENERIC, "Waiting for remotely provisioned attestation key timed out");
194 }
195
196 std::optional<::android::security::rkp::RemotelyProvisionedKey> key = rpcKeyFuture->get();
197 if (!key) {
198 return Status::fromServiceSpecificError(
199 ERROR_GENERIC, "Failed to get remotely provisioned attestation key");
200 }
201
202 if (key->keyBlob.empty()) {
203 return Status::fromServiceSpecificError(
204 ERROR_GENERIC, "Remotely provisioned attestation key blob is empty");
205 }
206
207 keyBlob = std::move(key->keyBlob);
208 encodedCertChain = std::move(key->encodedCertChain);
209
Tri Vo3ab6f052022-11-22 10:26:16 -0800[diff] [blame]210 status = halWritableCredential->setRemotelyProvisionedAttestationKey(keyBlob, encodedCertChain);
Seth Moore81db3782022-01-18 15:58:47 -0800[diff] [blame]211 if (!status.isOk()) {
212 LOG(ERROR) << "Error setting remotely provisioned attestation key on credential";
213 return status;
214 }
Seth Moore81db3782022-01-18 15:58:47 -0800[diff] [blame]215 return Status::ok();
216}
217
David Zeuthenab3e5652019-10-28 13:32:48 -0400[diff] [blame]218} // namespace identity
219} // namespace security
220} // namespace android