blob: 34089425a9efeea01701a59c01adb2d41c1b6ae6 [file] [log] [blame]
Janis Danisevskis3541f3e2021-03-20 14:18:52 -07001// Copyright 2021, The Android Open Source Project
2//
3// Licensed under the Apache License, Version 2.0 (the "License");
4// you may not use this file except in compliance with the License.
5// You may obtain a copy of the License at
6//
7// http://www.apache.org/licenses/LICENSE-2.0
8//
9// Unless required by applicable law or agreed to in writing, software
10// distributed under the License is distributed on an "AS IS" BASIS,
11// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12// See the License for the specific language governing permissions and
13// limitations under the License.
14
15//! Implements get_attestation_key_info which loads remote provisioned or user
16//! generated attestation keys.
17
18use crate::database::{BlobMetaData, KeyEntryLoadBits, KeyType};
19use crate::database::{KeyIdGuard, KeystoreDB};
20use crate::error::{Error, ErrorCode};
21use crate::permission::KeyPerm;
22use crate::remote_provisioning::RemProvState;
23use crate::utils::check_key_permission;
24use android_hardware_security_keymint::aidl::android::hardware::security::keymint::{
Max Bires18b1db52021-06-24 20:56:36 -070025 AttestationKey::AttestationKey, Certificate::Certificate, KeyParameter::KeyParameter, Tag::Tag,
Janis Danisevskis3541f3e2021-03-20 14:18:52 -070026};
27use android_system_keystore2::aidl::android::system::keystore2::{
28 Domain::Domain, KeyDescriptor::KeyDescriptor,
29};
30use anyhow::{Context, Result};
31use keystore2_crypto::parse_subject_from_certificate;
32
33/// KeyMint takes two different kinds of attestation keys. Remote provisioned keys
34/// and those that have been generated by the user. Unfortunately, they need to be
35/// handled quite differently, thus the different representations.
36pub enum AttestationKeyInfo {
37 RemoteProvisioned {
Max Bires55620ff2022-02-11 13:34:15 -080038 key_id_guard: KeyIdGuard,
Janis Danisevskis3541f3e2021-03-20 14:18:52 -070039 attestation_key: AttestationKey,
40 attestation_certs: Certificate,
41 },
42 UserGenerated {
43 key_id_guard: KeyIdGuard,
44 blob: Vec<u8>,
45 blob_metadata: BlobMetaData,
46 issuer_subject: Vec<u8>,
47 },
48}
49
50/// This function loads and, optionally, assigns the caller's remote provisioned
Max Bires18b1db52021-06-24 20:56:36 -070051/// attestation key if a challenge is present. Alternatively, if `attest_key_descriptor` is given,
52/// it loads the user generated attestation key from the database.
Janis Danisevskis3541f3e2021-03-20 14:18:52 -070053pub fn get_attest_key_info(
54 key: &KeyDescriptor,
55 caller_uid: u32,
56 attest_key_descriptor: Option<&KeyDescriptor>,
57 params: &[KeyParameter],
58 rem_prov_state: &RemProvState,
59 db: &mut KeystoreDB,
60) -> Result<Option<AttestationKeyInfo>> {
Max Bires18b1db52021-06-24 20:56:36 -070061 let challenge_present = params.iter().any(|kp| kp.tag == Tag::ATTESTATION_CHALLENGE);
Max Bires285db9f2022-06-20 00:03:32 -070062 let is_device_unique_attestation =
63 params.iter().any(|kp| kp.tag == Tag::DEVICE_UNIQUE_ATTESTATION);
Janis Danisevskis3541f3e2021-03-20 14:18:52 -070064 match attest_key_descriptor {
Max Bires285db9f2022-06-20 00:03:32 -070065 // Do not select an RKP key if DEVICE_UNIQUE_ATTESTATION is present.
66 None if challenge_present && !is_device_unique_attestation => rem_prov_state
Chris Wailesd5aaaef2021-07-27 16:04:33 -070067 .get_remotely_provisioned_attestation_key_and_certs(key, caller_uid, params, db)
Janis Danisevskis3541f3e2021-03-20 14:18:52 -070068 .context(concat!(
69 "In get_attest_key_and_cert_chain: ",
70 "Trying to get remotely provisioned attestation key."
71 ))
72 .map(|result| {
Max Bires55620ff2022-02-11 13:34:15 -080073 result.map(|(key_id_guard, attestation_key, attestation_certs)| {
74 AttestationKeyInfo::RemoteProvisioned {
75 key_id_guard,
76 attestation_key,
77 attestation_certs,
78 }
Janis Danisevskis3541f3e2021-03-20 14:18:52 -070079 })
80 }),
Max Bires18b1db52021-06-24 20:56:36 -070081 None => Ok(None),
Chris Wailesd5aaaef2021-07-27 16:04:33 -070082 Some(attest_key) => get_user_generated_attestation_key(attest_key, caller_uid, db)
Janis Danisevskis3541f3e2021-03-20 14:18:52 -070083 .context("In get_attest_key_and_cert_chain: Trying to load attest key")
84 .map(Some),
85 }
86}
87
88fn get_user_generated_attestation_key(
89 key: &KeyDescriptor,
90 caller_uid: u32,
91 db: &mut KeystoreDB,
92) -> Result<AttestationKeyInfo> {
93 let (key_id_guard, blob, cert, blob_metadata) =
Chris Wailesd5aaaef2021-07-27 16:04:33 -070094 load_attest_key_blob_and_cert(key, caller_uid, db)
Janis Danisevskis3541f3e2021-03-20 14:18:52 -070095 .context("In get_user_generated_attestation_key: Failed to load blob and cert")?;
96
97 let issuer_subject: Vec<u8> = parse_subject_from_certificate(&cert).context(
98 "In get_user_generated_attestation_key: Failed to parse subject from certificate.",
99 )?;
100
101 Ok(AttestationKeyInfo::UserGenerated { key_id_guard, blob, issuer_subject, blob_metadata })
102}
103
104fn load_attest_key_blob_and_cert(
105 key: &KeyDescriptor,
106 caller_uid: u32,
107 db: &mut KeystoreDB,
108) -> Result<(KeyIdGuard, Vec<u8>, Vec<u8>, BlobMetaData)> {
109 match key.domain {
110 Domain::BLOB => Err(Error::Km(ErrorCode::INVALID_ARGUMENT)).context(
111 "In load_attest_key_blob_and_cert: Domain::BLOB attestation keys not supported",
112 ),
113 _ => {
114 let (key_id_guard, mut key_entry) = db
115 .load_key_entry(
Chris Wailesd5aaaef2021-07-27 16:04:33 -0700116 key,
Janis Danisevskis3541f3e2021-03-20 14:18:52 -0700117 KeyType::Client,
118 KeyEntryLoadBits::BOTH,
119 caller_uid,
Janis Danisevskis39d57e72021-10-19 16:56:20 -0700120 |k, av| check_key_permission(KeyPerm::Use, k, &av),
Janis Danisevskis3541f3e2021-03-20 14:18:52 -0700121 )
122 .context("In load_attest_key_blob_and_cert: Failed to load key.")?;
123
124 let (blob, blob_metadata) =
125 key_entry.take_key_blob_info().ok_or_else(Error::sys).context(concat!(
126 "In load_attest_key_blob_and_cert: Successfully loaded key entry,",
127 " but KM blob was missing."
128 ))?;
129 let cert = key_entry.take_cert().ok_or_else(Error::sys).context(concat!(
130 "In load_attest_key_blob_and_cert: Successfully loaded key entry,",
131 " but cert was missing."
132 ))?;
133 Ok((key_id_guard, blob, cert, blob_metadata))
134 }
135 }
136}