| Janis Danisevskis | 3541f3e | 2021-03-20 14:18:52 -0700 | [diff] [blame] | 1 | // Copyright 2021, The Android Open Source Project |
| 2 | // |
| 3 | // Licensed under the Apache License, Version 2.0 (the "License"); |
| 4 | // you may not use this file except in compliance with the License. |
| 5 | // You may obtain a copy of the License at |
| 6 | // |
| 7 | // http://www.apache.org/licenses/LICENSE-2.0 |
| 8 | // |
| 9 | // Unless required by applicable law or agreed to in writing, software |
| 10 | // distributed under the License is distributed on an "AS IS" BASIS, |
| 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| 12 | // See the License for the specific language governing permissions and |
| 13 | // limitations under the License. |
| 14 | |
| 15 | //! Implements get_attestation_key_info which loads remote provisioned or user |
| 16 | //! generated attestation keys. |
| 17 | |
| 18 | use crate::database::{BlobMetaData, KeyEntryLoadBits, KeyType}; |
| 19 | use crate::database::{KeyIdGuard, KeystoreDB}; |
| 20 | use crate::error::{Error, ErrorCode}; |
| 21 | use crate::permission::KeyPerm; |
| 22 | use crate::remote_provisioning::RemProvState; |
| 23 | use crate::utils::check_key_permission; |
| 24 | use android_hardware_security_keymint::aidl::android::hardware::security::keymint::{ |
| 25 | AttestationKey::AttestationKey, Certificate::Certificate, KeyParameter::KeyParameter, |
| 26 | }; |
| 27 | use android_system_keystore2::aidl::android::system::keystore2::{ |
| 28 | Domain::Domain, KeyDescriptor::KeyDescriptor, |
| 29 | }; |
| 30 | use anyhow::{Context, Result}; |
| 31 | use keystore2_crypto::parse_subject_from_certificate; |
| 32 | |
| 33 | /// KeyMint takes two different kinds of attestation keys. Remote provisioned keys |
| 34 | /// and those that have been generated by the user. Unfortunately, they need to be |
| 35 | /// handled quite differently, thus the different representations. |
| 36 | pub enum AttestationKeyInfo { |
| 37 | RemoteProvisioned { |
| 38 | attestation_key: AttestationKey, |
| 39 | attestation_certs: Certificate, |
| 40 | }, |
| 41 | UserGenerated { |
| 42 | key_id_guard: KeyIdGuard, |
| 43 | blob: Vec<u8>, |
| 44 | blob_metadata: BlobMetaData, |
| 45 | issuer_subject: Vec<u8>, |
| 46 | }, |
| 47 | } |
| 48 | |
| 49 | /// This function loads and, optionally, assigns the caller's remote provisioned |
| 50 | /// attestation key or, if `attest_key_descriptor` is given, it loads the user |
| 51 | /// generated attestation key from the database. |
| 52 | pub fn get_attest_key_info( |
| 53 | key: &KeyDescriptor, |
| 54 | caller_uid: u32, |
| 55 | attest_key_descriptor: Option<&KeyDescriptor>, |
| 56 | params: &[KeyParameter], |
| 57 | rem_prov_state: &RemProvState, |
| 58 | db: &mut KeystoreDB, |
| 59 | ) -> Result<Option<AttestationKeyInfo>> { |
| 60 | match attest_key_descriptor { |
| 61 | None => rem_prov_state |
| 62 | .get_remotely_provisioned_attestation_key_and_certs(&key, caller_uid, params, db) |
| 63 | .context(concat!( |
| 64 | "In get_attest_key_and_cert_chain: ", |
| 65 | "Trying to get remotely provisioned attestation key." |
| 66 | )) |
| 67 | .map(|result| { |
| 68 | result.map(|(attestation_key, attestation_certs)| { |
| 69 | AttestationKeyInfo::RemoteProvisioned { attestation_key, attestation_certs } |
| 70 | }) |
| 71 | }), |
| 72 | Some(attest_key) => get_user_generated_attestation_key(&attest_key, caller_uid, db) |
| 73 | .context("In get_attest_key_and_cert_chain: Trying to load attest key") |
| 74 | .map(Some), |
| 75 | } |
| 76 | } |
| 77 | |
| 78 | fn get_user_generated_attestation_key( |
| 79 | key: &KeyDescriptor, |
| 80 | caller_uid: u32, |
| 81 | db: &mut KeystoreDB, |
| 82 | ) -> Result<AttestationKeyInfo> { |
| 83 | let (key_id_guard, blob, cert, blob_metadata) = |
| 84 | load_attest_key_blob_and_cert(&key, caller_uid, db) |
| 85 | .context("In get_user_generated_attestation_key: Failed to load blob and cert")?; |
| 86 | |
| 87 | let issuer_subject: Vec<u8> = parse_subject_from_certificate(&cert).context( |
| 88 | "In get_user_generated_attestation_key: Failed to parse subject from certificate.", |
| 89 | )?; |
| 90 | |
| 91 | Ok(AttestationKeyInfo::UserGenerated { key_id_guard, blob, issuer_subject, blob_metadata }) |
| 92 | } |
| 93 | |
| 94 | fn load_attest_key_blob_and_cert( |
| 95 | key: &KeyDescriptor, |
| 96 | caller_uid: u32, |
| 97 | db: &mut KeystoreDB, |
| 98 | ) -> Result<(KeyIdGuard, Vec<u8>, Vec<u8>, BlobMetaData)> { |
| 99 | match key.domain { |
| 100 | Domain::BLOB => Err(Error::Km(ErrorCode::INVALID_ARGUMENT)).context( |
| 101 | "In load_attest_key_blob_and_cert: Domain::BLOB attestation keys not supported", |
| 102 | ), |
| 103 | _ => { |
| 104 | let (key_id_guard, mut key_entry) = db |
| 105 | .load_key_entry( |
| 106 | &key, |
| 107 | KeyType::Client, |
| 108 | KeyEntryLoadBits::BOTH, |
| 109 | caller_uid, |
| 110 | |k, av| check_key_permission(KeyPerm::use_(), k, &av), |
| 111 | ) |
| 112 | .context("In load_attest_key_blob_and_cert: Failed to load key.")?; |
| 113 | |
| 114 | let (blob, blob_metadata) = |
| 115 | key_entry.take_key_blob_info().ok_or_else(Error::sys).context(concat!( |
| 116 | "In load_attest_key_blob_and_cert: Successfully loaded key entry,", |
| 117 | " but KM blob was missing." |
| 118 | ))?; |
| 119 | let cert = key_entry.take_cert().ok_or_else(Error::sys).context(concat!( |
| 120 | "In load_attest_key_blob_and_cert: Successfully loaded key entry,", |
| 121 | " but cert was missing." |
| 122 | ))?; |
| 123 | Ok((key_id_guard, blob, cert, blob_metadata)) |
| 124 | } |
| 125 | } |
| 126 | } |