blob: 97d81c5527c0934d0d3702be088da7e68067e334 [file] [log] [blame]
Janis Danisevskis18f27ad2016-06-01 13:57:40 -07001/*
2 * Copyright (C) 2016 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16#include "keystore_attestation_id.h"
17
18#define LOG_TAG "keystore_att_id"
19
20#include <cutils/log.h>
21
22#include <memory>
23#include <string>
24#include <vector>
25
26#include <binder/IServiceManager.h>
27#include <binder/Parcel.h>
28#include <binder/Parcelable.h>
29#include <binder/PersistableBundle.h>
30
31#include <android/security/keymaster/BpKeyAttestationApplicationIdProvider.h>
32#include <android/security/keymaster/IKeyAttestationApplicationIdProvider.h>
33#include <keystore/KeyAttestationApplicationId.h>
34#include <keystore/KeyAttestationPackageInfo.h>
35#include <keystore/Signature.h>
36
Eran Messeriea47d3f2017-12-06 12:01:42 +000037#include <private/android_filesystem_config.h> /* for AID_SYSTEM */
38
Janis Danisevskis18f27ad2016-06-01 13:57:40 -070039#include <openssl/asn1t.h>
40#include <openssl/sha.h>
41
42#include <utils/String8.h>
43
44namespace android {
45
46namespace {
47
48static std::vector<uint8_t> signature2SHA256(const content::pm::Signature& sig) {
49 std::vector<uint8_t> digest_buffer(SHA256_DIGEST_LENGTH);
50 SHA256(sig.data().data(), sig.data().size(), digest_buffer.data());
51 return digest_buffer;
52}
53
54using ::android::security::keymaster::BpKeyAttestationApplicationIdProvider;
55
56class KeyAttestationApplicationIdProvider : public BpKeyAttestationApplicationIdProvider {
57 public:
58 KeyAttestationApplicationIdProvider();
59
60 static KeyAttestationApplicationIdProvider& get();
61
62 private:
63 android::sp<android::IServiceManager> service_manager_;
64};
65
66KeyAttestationApplicationIdProvider& KeyAttestationApplicationIdProvider::get() {
67 static KeyAttestationApplicationIdProvider mpm;
68 return mpm;
69}
70
71KeyAttestationApplicationIdProvider::KeyAttestationApplicationIdProvider()
72 : BpKeyAttestationApplicationIdProvider(
73 android::defaultServiceManager()->getService(String16("sec_key_att_app_id_provider"))) {}
74
75DECLARE_STACK_OF(ASN1_OCTET_STRING);
76
77typedef struct km_attestation_package_info {
78 ASN1_OCTET_STRING* package_name;
79 ASN1_INTEGER* version;
Janis Danisevskis18f27ad2016-06-01 13:57:40 -070080} KM_ATTESTATION_PACKAGE_INFO;
81
82ASN1_SEQUENCE(KM_ATTESTATION_PACKAGE_INFO) = {
83 ASN1_SIMPLE(KM_ATTESTATION_PACKAGE_INFO, package_name, ASN1_OCTET_STRING),
84 ASN1_SIMPLE(KM_ATTESTATION_PACKAGE_INFO, version, ASN1_INTEGER),
Janis Danisevskis18f27ad2016-06-01 13:57:40 -070085} ASN1_SEQUENCE_END(KM_ATTESTATION_PACKAGE_INFO);
86IMPLEMENT_ASN1_FUNCTIONS(KM_ATTESTATION_PACKAGE_INFO);
87
88DECLARE_STACK_OF(KM_ATTESTATION_PACKAGE_INFO);
89
90typedef struct km_attestation_application_id {
91 STACK_OF(KM_ATTESTATION_PACKAGE_INFO) * package_infos;
Janis Danisevskis011675d2016-09-01 11:41:29 +010092 STACK_OF(ASN1_OCTET_STRING) * signature_digests;
Janis Danisevskis18f27ad2016-06-01 13:57:40 -070093} KM_ATTESTATION_APPLICATION_ID;
94
95ASN1_SEQUENCE(KM_ATTESTATION_APPLICATION_ID) = {
96 ASN1_SET_OF(KM_ATTESTATION_APPLICATION_ID, package_infos, KM_ATTESTATION_PACKAGE_INFO),
Janis Danisevskis011675d2016-09-01 11:41:29 +010097 ASN1_SET_OF(KM_ATTESTATION_APPLICATION_ID, signature_digests, ASN1_OCTET_STRING),
Janis Danisevskis18f27ad2016-06-01 13:57:40 -070098} ASN1_SEQUENCE_END(KM_ATTESTATION_APPLICATION_ID);
99IMPLEMENT_ASN1_FUNCTIONS(KM_ATTESTATION_APPLICATION_ID);
100}
101
102} // namespace android
103
104namespace std {
105template <> struct default_delete<android::KM_ATTESTATION_PACKAGE_INFO> {
106 void operator()(android::KM_ATTESTATION_PACKAGE_INFO* p) {
107 android::KM_ATTESTATION_PACKAGE_INFO_free(p);
108 }
109};
110template <> struct default_delete<ASN1_OCTET_STRING> {
111 void operator()(ASN1_OCTET_STRING* p) { ASN1_OCTET_STRING_free(p); }
112};
113template <> struct default_delete<android::KM_ATTESTATION_APPLICATION_ID> {
114 void operator()(android::KM_ATTESTATION_APPLICATION_ID* p) {
115 android::KM_ATTESTATION_APPLICATION_ID_free(p);
116 }
117};
118} // namespace std
119
120namespace android {
121namespace security {
122namespace {
123
124using ::android::security::keymaster::KeyAttestationApplicationId;
125using ::android::security::keymaster::KeyAttestationPackageInfo;
126
Janis Danisevskis011675d2016-09-01 11:41:29 +0100127status_t build_attestation_package_info(const KeyAttestationPackageInfo& pinfo,
Janis Danisevskis18f27ad2016-06-01 13:57:40 -0700128 std::unique_ptr<KM_ATTESTATION_PACKAGE_INFO>* attestation_package_info_ptr) {
129
130 if (!attestation_package_info_ptr) return BAD_VALUE;
131 auto& attestation_package_info = *attestation_package_info_ptr;
132
133 attestation_package_info.reset(KM_ATTESTATION_PACKAGE_INFO_new());
134 if (!attestation_package_info.get()) return NO_MEMORY;
135
Janis Danisevskis011675d2016-09-01 11:41:29 +0100136 if (!pinfo.package_name()) {
137 ALOGE("Key attestation package info lacks package name");
138 return BAD_VALUE;
139 }
140
141 std::string pkg_name(String8(*pinfo.package_name()).string());
Janis Danisevskis18f27ad2016-06-01 13:57:40 -0700142 if (!ASN1_OCTET_STRING_set(attestation_package_info->package_name,
143 reinterpret_cast<const unsigned char*>(pkg_name.data()),
144 pkg_name.size())) {
145 return UNKNOWN_ERROR;
146 }
147
Janis Danisevskis011675d2016-09-01 11:41:29 +0100148 if (!ASN1_INTEGER_set(attestation_package_info->version, pinfo.version_code())) {
149 return UNKNOWN_ERROR;
150 }
151 return NO_ERROR;
152}
Janis Danisevskis18f27ad2016-06-01 13:57:40 -0700153
Janis Danisevskis011675d2016-09-01 11:41:29 +0100154StatusOr<std::vector<uint8_t>>
155build_attestation_application_id(const KeyAttestationApplicationId& key_attestation_id) {
156 auto attestation_id =
157 std::unique_ptr<KM_ATTESTATION_APPLICATION_ID>(KM_ATTESTATION_APPLICATION_ID_new());
Janis Danisevskis18f27ad2016-06-01 13:57:40 -0700158
Janis Danisevskis011675d2016-09-01 11:41:29 +0100159 auto attestation_pinfo_stack = reinterpret_cast<_STACK*>(attestation_id->package_infos);
160
161 if (key_attestation_id.pinfos_begin() == key_attestation_id.pinfos_end()) return BAD_VALUE;
162
163 for (auto pinfo = key_attestation_id.pinfos_begin(); pinfo != key_attestation_id.pinfos_end();
164 ++pinfo) {
165 if (!pinfo->package_name()) {
166 ALOGE("Key attestation package info lacks package name");
167 return BAD_VALUE;
168 }
169 std::string package_name(String8(*pinfo->package_name()).string());
170 std::unique_ptr<KM_ATTESTATION_PACKAGE_INFO> attestation_package_info;
171 auto rc = build_attestation_package_info(*pinfo, &attestation_package_info);
172 if (rc != NO_ERROR) {
173 ALOGE("Building DER attestation package info failed %d", rc);
174 return rc;
175 }
176 if (!sk_push(attestation_pinfo_stack, attestation_package_info.get())) {
177 return NO_MEMORY;
178 }
179 // if push succeeded, the stack takes ownership
180 attestation_package_info.release();
181 }
182
183 /** Apps can only share a uid iff they were signed with the same certificate(s). Because the
184 * signature field actually holds the signing certificate, rather than a signature, we can
185 * simply use the set of signature digests of the first package info.
186 */
187 const auto& pinfo = *key_attestation_id.pinfos_begin();
188 std::vector<std::vector<uint8_t>> signature_digests;
189
190 for (auto sig = pinfo.sigs_begin(); sig != pinfo.sigs_end(); ++sig) {
191 signature_digests.push_back(signature2SHA256(*sig));
192 }
193
194 auto signature_digest_stack = reinterpret_cast<_STACK*>(attestation_id->signature_digests);
Janis Danisevskis18f27ad2016-06-01 13:57:40 -0700195 for (auto si : signature_digests) {
196 auto asn1_item = std::unique_ptr<ASN1_OCTET_STRING>(ASN1_OCTET_STRING_new());
197 if (!asn1_item) return NO_MEMORY;
198 if (!ASN1_OCTET_STRING_set(asn1_item.get(), si.data(), si.size())) {
199 return UNKNOWN_ERROR;
200 }
201 if (!sk_push(signature_digest_stack, asn1_item.get())) {
202 return NO_MEMORY;
203 }
204 asn1_item.release(); // if push succeeded, the stack takes ownership
205 }
206
Janis Danisevskis18f27ad2016-06-01 13:57:40 -0700207 int len = i2d_KM_ATTESTATION_APPLICATION_ID(attestation_id.get(), nullptr);
Janis Danisevskis011675d2016-09-01 11:41:29 +0100208 if (len < 0) return UNKNOWN_ERROR;
209
210 std::vector<uint8_t> result(len);
211 uint8_t* p = result.data();
Janis Danisevskis18f27ad2016-06-01 13:57:40 -0700212 len = i2d_KM_ATTESTATION_APPLICATION_ID(attestation_id.get(), &p);
Janis Danisevskis011675d2016-09-01 11:41:29 +0100213 if (len < 0) return UNKNOWN_ERROR;
Janis Danisevskis18f27ad2016-06-01 13:57:40 -0700214
215 return result;
216}
217
218/* The following function are not used. They are mentioned here to silence
219 * warnings about them not being used.
220 */
221void unused_functions_silencer() __attribute__((unused));
222void unused_functions_silencer() {
223 i2d_KM_ATTESTATION_PACKAGE_INFO(nullptr, nullptr);
224 d2i_KM_ATTESTATION_APPLICATION_ID(nullptr, nullptr, 0);
225 d2i_KM_ATTESTATION_PACKAGE_INFO(nullptr, nullptr, 0);
226}
227
228} // namespace
229
Janis Danisevskis011675d2016-09-01 11:41:29 +0100230StatusOr<std::vector<uint8_t>> gather_attestation_application_id(uid_t uid) {
Janis Danisevskis18f27ad2016-06-01 13:57:40 -0700231 auto& pm = KeyAttestationApplicationIdProvider::get();
232
233 /* Get the attestation application ID from package manager */
Eran Messeriea47d3f2017-12-06 12:01:42 +0000234 KeyAttestationApplicationId* key_attestation_id = nullptr;
235 if (uid == AID_SYSTEM) {
236 KeyAttestationPackageInfo::SharedSignaturesVector signatures(
237 new KeyAttestationPackageInfo::SignaturesVector());
238 signatures->push_back(std::unique_ptr<content::pm::Signature>(
239 new content::pm::Signature()));
240
241 std::unique_ptr<KeyAttestationPackageInfo> package_info(
242 new KeyAttestationPackageInfo(
243 String16("AndroidSystem"), 1, signatures));
244 key_attestation_id = new KeyAttestationApplicationId(std::move(package_info));
245 } else {
246 auto status = pm.getKeyAttestationApplicationId(uid, key_attestation_id);
247 if (!status.isOk()) {
248 ALOGE("package manager request for key attestation ID failed with: %s %d",
249 status.exceptionMessage().string(), status.exceptionCode());
250 return FAILED_TRANSACTION;
251 }
Janis Danisevskis18f27ad2016-06-01 13:57:40 -0700252 }
253
254 /* DER encode the attestation application ID */
Eran Messeriea47d3f2017-12-06 12:01:42 +0000255 return build_attestation_application_id(*key_attestation_id);
Janis Danisevskis18f27ad2016-06-01 13:57:40 -0700256}
257
258} // namespace security
259} // namespace android