| Janis Danisevskis | 3541f3e | 2021-03-20 14:18:52 -0700 | [diff] [blame] | 1 | // Copyright 2021, The Android Open Source Project |
| 2 | // |
| 3 | // Licensed under the Apache License, Version 2.0 (the "License"); |
| 4 | // you may not use this file except in compliance with the License. |
| 5 | // You may obtain a copy of the License at |
| 6 | // |
| 7 | // http://www.apache.org/licenses/LICENSE-2.0 |
| 8 | // |
| 9 | // Unless required by applicable law or agreed to in writing, software |
| 10 | // distributed under the License is distributed on an "AS IS" BASIS, |
| 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| 12 | // See the License for the specific language governing permissions and |
| 13 | // limitations under the License. |
| 14 | |
| 15 | //! Implements get_attestation_key_info which loads remote provisioned or user |
| 16 | //! generated attestation keys. |
| 17 | |
| 18 | use crate::database::{BlobMetaData, KeyEntryLoadBits, KeyType}; |
| 19 | use crate::database::{KeyIdGuard, KeystoreDB}; |
| 20 | use crate::error::{Error, ErrorCode}; |
| Shaquille Johnson | 9da2e1c | 2022-09-19 12:39:01 +0000 | [diff] [blame] | 21 | use crate::ks_err; |
| Janis Danisevskis | 3541f3e | 2021-03-20 14:18:52 -0700 | [diff] [blame] | 22 | use crate::permission::KeyPerm; |
| 23 | use crate::remote_provisioning::RemProvState; |
| 24 | use crate::utils::check_key_permission; |
| 25 | use android_hardware_security_keymint::aidl::android::hardware::security::keymint::{ |
| Max Bires | 18b1db5 | 2021-06-24 20:56:36 -0700 | [diff] [blame] | 26 | AttestationKey::AttestationKey, Certificate::Certificate, KeyParameter::KeyParameter, Tag::Tag, |
| Janis Danisevskis | 3541f3e | 2021-03-20 14:18:52 -0700 | [diff] [blame] | 27 | }; |
| 28 | use android_system_keystore2::aidl::android::system::keystore2::{ |
| Rajesh Nyamagoud | 2d532d9 | 2022-10-21 18:59:40 +0000 | [diff] [blame] | 29 | Domain::Domain, KeyDescriptor::KeyDescriptor, ResponseCode::ResponseCode, |
| Janis Danisevskis | 3541f3e | 2021-03-20 14:18:52 -0700 | [diff] [blame] | 30 | }; |
| 31 | use anyhow::{Context, Result}; |
| 32 | use keystore2_crypto::parse_subject_from_certificate; |
| 33 | |
| 34 | /// KeyMint takes two different kinds of attestation keys. Remote provisioned keys |
| 35 | /// and those that have been generated by the user. Unfortunately, they need to be |
| 36 | /// handled quite differently, thus the different representations. |
| 37 | pub enum AttestationKeyInfo { |
| 38 | RemoteProvisioned { |
| Max Bires | 55620ff | 2022-02-11 13:34:15 -0800 | [diff] [blame] | 39 | key_id_guard: KeyIdGuard, |
| Janis Danisevskis | 3541f3e | 2021-03-20 14:18:52 -0700 | [diff] [blame] | 40 | attestation_key: AttestationKey, |
| 41 | attestation_certs: Certificate, |
| 42 | }, |
| Tri Vo | b5e43d1 | 2022-12-21 08:54:14 -0800 | [diff] [blame^] | 43 | RkpdProvisioned { |
| 44 | attestation_key: AttestationKey, |
| 45 | attestation_certs: Certificate, |
| 46 | }, |
| Janis Danisevskis | 3541f3e | 2021-03-20 14:18:52 -0700 | [diff] [blame] | 47 | UserGenerated { |
| 48 | key_id_guard: KeyIdGuard, |
| 49 | blob: Vec<u8>, |
| 50 | blob_metadata: BlobMetaData, |
| 51 | issuer_subject: Vec<u8>, |
| 52 | }, |
| 53 | } |
| 54 | |
| Tri Vo | b5e43d1 | 2022-12-21 08:54:14 -0800 | [diff] [blame^] | 55 | fn use_rkpd() -> bool { |
| 56 | let property_name = "persist.device_config.remote_key_provisioning_native.enable_rkpd"; |
| 57 | let default_value = false; |
| 58 | rustutils::system_properties::read_bool(property_name, default_value).unwrap_or(default_value) |
| 59 | } |
| 60 | |
| Janis Danisevskis | 3541f3e | 2021-03-20 14:18:52 -0700 | [diff] [blame] | 61 | /// This function loads and, optionally, assigns the caller's remote provisioned |
| Max Bires | 18b1db5 | 2021-06-24 20:56:36 -0700 | [diff] [blame] | 62 | /// attestation key if a challenge is present. Alternatively, if `attest_key_descriptor` is given, |
| 63 | /// it loads the user generated attestation key from the database. |
| Janis Danisevskis | 3541f3e | 2021-03-20 14:18:52 -0700 | [diff] [blame] | 64 | pub fn get_attest_key_info( |
| 65 | key: &KeyDescriptor, |
| 66 | caller_uid: u32, |
| 67 | attest_key_descriptor: Option<&KeyDescriptor>, |
| 68 | params: &[KeyParameter], |
| 69 | rem_prov_state: &RemProvState, |
| 70 | db: &mut KeystoreDB, |
| 71 | ) -> Result<Option<AttestationKeyInfo>> { |
| Max Bires | 18b1db5 | 2021-06-24 20:56:36 -0700 | [diff] [blame] | 72 | let challenge_present = params.iter().any(|kp| kp.tag == Tag::ATTESTATION_CHALLENGE); |
| Max Bires | 285db9f | 2022-06-20 00:03:32 -0700 | [diff] [blame] | 73 | let is_device_unique_attestation = |
| 74 | params.iter().any(|kp| kp.tag == Tag::DEVICE_UNIQUE_ATTESTATION); |
| Janis Danisevskis | 3541f3e | 2021-03-20 14:18:52 -0700 | [diff] [blame] | 75 | match attest_key_descriptor { |
| Max Bires | 285db9f | 2022-06-20 00:03:32 -0700 | [diff] [blame] | 76 | // Do not select an RKP key if DEVICE_UNIQUE_ATTESTATION is present. |
| Tri Vo | b5e43d1 | 2022-12-21 08:54:14 -0800 | [diff] [blame^] | 77 | None if challenge_present && !is_device_unique_attestation => { |
| 78 | if use_rkpd() { |
| 79 | rem_prov_state |
| 80 | .get_rkpd_attestation_key_and_certs(key, caller_uid, params) |
| 81 | .context(ks_err!("Trying to get attestation key from RKPD.")) |
| 82 | .map(|result| { |
| 83 | result.map(|(attestation_key, attestation_certs)| { |
| 84 | AttestationKeyInfo::RkpdProvisioned { |
| 85 | attestation_key, |
| 86 | attestation_certs, |
| 87 | } |
| 88 | }) |
| 89 | }) |
| 90 | } else { |
| 91 | rem_prov_state |
| 92 | .get_remotely_provisioned_attestation_key_and_certs(key, caller_uid, params, db) |
| 93 | .context(ks_err!("Trying to get remotely provisioned attestation key.")) |
| 94 | .map(|result| { |
| 95 | result.map(|(key_id_guard, attestation_key, attestation_certs)| { |
| 96 | AttestationKeyInfo::RemoteProvisioned { |
| 97 | key_id_guard, |
| 98 | attestation_key, |
| 99 | attestation_certs, |
| 100 | } |
| 101 | }) |
| 102 | }) |
| 103 | } |
| 104 | } |
| Max Bires | 18b1db5 | 2021-06-24 20:56:36 -0700 | [diff] [blame] | 105 | None => Ok(None), |
| Chris Wailes | d5aaaef | 2021-07-27 16:04:33 -0700 | [diff] [blame] | 106 | Some(attest_key) => get_user_generated_attestation_key(attest_key, caller_uid, db) |
| Shaquille Johnson | 9da2e1c | 2022-09-19 12:39:01 +0000 | [diff] [blame] | 107 | .context(ks_err!("Trying to load attest key")) |
| Janis Danisevskis | 3541f3e | 2021-03-20 14:18:52 -0700 | [diff] [blame] | 108 | .map(Some), |
| 109 | } |
| 110 | } |
| 111 | |
| 112 | fn get_user_generated_attestation_key( |
| 113 | key: &KeyDescriptor, |
| 114 | caller_uid: u32, |
| 115 | db: &mut KeystoreDB, |
| 116 | ) -> Result<AttestationKeyInfo> { |
| 117 | let (key_id_guard, blob, cert, blob_metadata) = |
| Chris Wailes | d5aaaef | 2021-07-27 16:04:33 -0700 | [diff] [blame] | 118 | load_attest_key_blob_and_cert(key, caller_uid, db) |
| Shaquille Johnson | 9da2e1c | 2022-09-19 12:39:01 +0000 | [diff] [blame] | 119 | .context(ks_err!("Failed to load blob and cert"))?; |
| Janis Danisevskis | 3541f3e | 2021-03-20 14:18:52 -0700 | [diff] [blame] | 120 | |
| Shaquille Johnson | 9da2e1c | 2022-09-19 12:39:01 +0000 | [diff] [blame] | 121 | let issuer_subject: Vec<u8> = parse_subject_from_certificate(&cert) |
| 122 | .context(ks_err!("Failed to parse subject from certificate"))?; |
| Janis Danisevskis | 3541f3e | 2021-03-20 14:18:52 -0700 | [diff] [blame] | 123 | |
| 124 | Ok(AttestationKeyInfo::UserGenerated { key_id_guard, blob, issuer_subject, blob_metadata }) |
| 125 | } |
| 126 | |
| 127 | fn load_attest_key_blob_and_cert( |
| 128 | key: &KeyDescriptor, |
| 129 | caller_uid: u32, |
| 130 | db: &mut KeystoreDB, |
| 131 | ) -> Result<(KeyIdGuard, Vec<u8>, Vec<u8>, BlobMetaData)> { |
| 132 | match key.domain { |
| Shaquille Johnson | 9da2e1c | 2022-09-19 12:39:01 +0000 | [diff] [blame] | 133 | Domain::BLOB => Err(Error::Km(ErrorCode::INVALID_ARGUMENT)) |
| 134 | .context(ks_err!("Domain::BLOB attestation keys not supported")), |
| Janis Danisevskis | 3541f3e | 2021-03-20 14:18:52 -0700 | [diff] [blame] | 135 | _ => { |
| 136 | let (key_id_guard, mut key_entry) = db |
| 137 | .load_key_entry( |
| Chris Wailes | d5aaaef | 2021-07-27 16:04:33 -0700 | [diff] [blame] | 138 | key, |
| Janis Danisevskis | 3541f3e | 2021-03-20 14:18:52 -0700 | [diff] [blame] | 139 | KeyType::Client, |
| 140 | KeyEntryLoadBits::BOTH, |
| 141 | caller_uid, |
| Janis Danisevskis | 39d57e7 | 2021-10-19 16:56:20 -0700 | [diff] [blame] | 142 | |k, av| check_key_permission(KeyPerm::Use, k, &av), |
| Janis Danisevskis | 3541f3e | 2021-03-20 14:18:52 -0700 | [diff] [blame] | 143 | ) |
| Shaquille Johnson | 9da2e1c | 2022-09-19 12:39:01 +0000 | [diff] [blame] | 144 | .context(ks_err!("Failed to load key."))?; |
| Janis Danisevskis | 3541f3e | 2021-03-20 14:18:52 -0700 | [diff] [blame] | 145 | |
| Shaquille Johnson | 9da2e1c | 2022-09-19 12:39:01 +0000 | [diff] [blame] | 146 | let (blob, blob_metadata) = key_entry |
| 147 | .take_key_blob_info() |
| Rajesh Nyamagoud | 2d532d9 | 2022-10-21 18:59:40 +0000 | [diff] [blame] | 148 | .ok_or(Error::Rc(ResponseCode::INVALID_ARGUMENT)) |
| Shaquille Johnson | 9da2e1c | 2022-09-19 12:39:01 +0000 | [diff] [blame] | 149 | .context(ks_err!("Successfully loaded key entry, but KM blob was missing"))?; |
| 150 | let cert = key_entry |
| 151 | .take_cert() |
| Rajesh Nyamagoud | 2d532d9 | 2022-10-21 18:59:40 +0000 | [diff] [blame] | 152 | .ok_or(Error::Rc(ResponseCode::INVALID_ARGUMENT)) |
| Shaquille Johnson | 9da2e1c | 2022-09-19 12:39:01 +0000 | [diff] [blame] | 153 | .context(ks_err!("Successfully loaded key entry, but cert was missing"))?; |
| Janis Danisevskis | 3541f3e | 2021-03-20 14:18:52 -0700 | [diff] [blame] | 154 | Ok((key_id_guard, blob, cert, blob_metadata)) |
| 155 | } |
| 156 | } |
| 157 | } |