identity: Replace RemotelyProvisionedKey with librkp_support
Test: m credstore Change-Id: I0049d5ba59936943336c7a531d1b022d4d64e4a6
This commit is contained in:
parent
a9ebcd24e1
commit
1054237787
5 changed files with 5 additions and 261 deletions
|
@ -36,7 +36,6 @@ cc_binary {
|
|||
"CredentialData.cpp",
|
||||
"CredentialStore.cpp",
|
||||
"CredentialStoreFactory.cpp",
|
||||
"RemotelyProvisionedKey.cpp",
|
||||
"Session.cpp",
|
||||
"Util.cpp",
|
||||
"WritableCredential.cpp",
|
||||
|
@ -55,6 +54,7 @@ cc_binary {
|
|||
"libhidlbase",
|
||||
"libkeymaster4support",
|
||||
"libkeystore-attestation-application-id",
|
||||
"librkp_support",
|
||||
"libutils",
|
||||
"libutilscallstack",
|
||||
"libvintf",
|
||||
|
|
|
@ -24,12 +24,12 @@
|
|||
#include <android/hardware/security/keymint/RpcHardwareInfo.h>
|
||||
#include <binder/IPCThreadState.h>
|
||||
#include <binder/IServiceManager.h>
|
||||
#include <rkp/support/rkpd_client.h>
|
||||
#include <vintf/VintfObject.h>
|
||||
|
||||
#include "Credential.h"
|
||||
#include "CredentialData.h"
|
||||
#include "CredentialStore.h"
|
||||
#include "RemotelyProvisionedKey.h"
|
||||
#include "Session.h"
|
||||
#include "Util.h"
|
||||
#include "WritableCredential.h"
|
||||
|
@ -39,7 +39,8 @@ namespace security {
|
|||
namespace identity {
|
||||
namespace {
|
||||
|
||||
using ::android::security::rkp::IRemoteProvisioning;
|
||||
using ::android::security::rkp::RemotelyProvisionedKey;
|
||||
using ::android::security::rkp::support::getRpcKey;
|
||||
|
||||
} // namespace
|
||||
|
||||
|
@ -183,17 +184,7 @@ Status CredentialStore::setRemotelyProvisionedAttestationKey(
|
|||
LOG(INFO) << "Fetching attestation key from RKPD";
|
||||
|
||||
uid_t callingUid = android::IPCThreadState::self()->getCallingUid();
|
||||
auto rpcKeyFuture = getRpcKeyFuture(rpc_, callingUid);
|
||||
if (!rpcKeyFuture) {
|
||||
return Status::fromServiceSpecificError(ERROR_GENERIC, "Error in getRpcKeyFuture()");
|
||||
}
|
||||
|
||||
if (rpcKeyFuture->wait_for(std::chrono::seconds(10)) != std::future_status::ready) {
|
||||
return Status::fromServiceSpecificError(
|
||||
ERROR_GENERIC, "Waiting for remotely provisioned attestation key timed out");
|
||||
}
|
||||
|
||||
std::optional<::android::security::rkp::RemotelyProvisionedKey> key = rpcKeyFuture->get();
|
||||
std::optional<RemotelyProvisionedKey> key = getRpcKey(rpc_, callingUid);
|
||||
if (!key) {
|
||||
return Status::fromServiceSpecificError(
|
||||
ERROR_GENERIC, "Failed to get remotely provisioned attestation key");
|
||||
|
|
|
@ -22,7 +22,6 @@
|
|||
|
||||
#include <android/hardware/identity/IIdentityCredentialStore.h>
|
||||
#include <android/security/identity/BnCredentialStore.h>
|
||||
#include <android/security/rkp/IRemoteProvisioning.h>
|
||||
|
||||
namespace android {
|
||||
namespace security {
|
||||
|
|
|
@ -1,208 +0,0 @@
|
|||
/*
|
||||
* Copyright (c) 2019, The Android Open Source Project
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
#define LOG_TAG "credstore"
|
||||
|
||||
#include <atomic>
|
||||
|
||||
#include <android-base/logging.h>
|
||||
#include <android/security/rkp/BnGetKeyCallback.h>
|
||||
#include <android/security/rkp/BnGetRegistrationCallback.h>
|
||||
#include <android/security/rkp/IGetKeyCallback.h>
|
||||
#include <android/security/rkp/IRemoteProvisioning.h>
|
||||
#include <binder/IServiceManager.h>
|
||||
#include <binder/Status.h>
|
||||
#include <vintf/VintfObject.h>
|
||||
|
||||
#include "RemotelyProvisionedKey.h"
|
||||
|
||||
namespace android {
|
||||
namespace security {
|
||||
namespace identity {
|
||||
namespace {
|
||||
|
||||
using ::android::binder::Status;
|
||||
using ::android::hardware::security::keymint::IRemotelyProvisionedComponent;
|
||||
using ::android::hardware::security::keymint::RpcHardwareInfo;
|
||||
using ::android::security::rkp::BnGetKeyCallback;
|
||||
using ::android::security::rkp::BnGetRegistrationCallback;
|
||||
using ::android::security::rkp::IGetKeyCallback;
|
||||
using ::android::security::rkp::IRegistration;
|
||||
using ::android::security::rkp::IRemoteProvisioning;
|
||||
using ::android::security::rkp::RemotelyProvisionedKey;
|
||||
|
||||
constexpr const char* kRemoteProvisioningServiceName = "remote_provisioning";
|
||||
|
||||
std::optional<String16> findRpcNameById(std::string_view targetRpcId) {
|
||||
auto deviceManifest = vintf::VintfObject::GetDeviceHalManifest();
|
||||
auto instances = deviceManifest->getAidlInstances("android.hardware.security.keymint",
|
||||
"IRemotelyProvisionedComponent");
|
||||
for (const std::string& instance : instances) {
|
||||
auto rpcName =
|
||||
IRemotelyProvisionedComponent::descriptor + String16("/") + String16(instance.c_str());
|
||||
sp<IRemotelyProvisionedComponent> rpc =
|
||||
android::waitForService<IRemotelyProvisionedComponent>(rpcName);
|
||||
|
||||
auto rpcId = getRpcId(rpc);
|
||||
if (!rpcId) {
|
||||
continue;
|
||||
}
|
||||
if (*rpcId == targetRpcId) {
|
||||
return rpcName;
|
||||
}
|
||||
}
|
||||
|
||||
LOG(ERROR) << "Remotely provisioned component with given unique ID: " << targetRpcId
|
||||
<< " not found";
|
||||
return std::nullopt;
|
||||
}
|
||||
|
||||
std::optional<String16> getRpcName(const sp<IRemotelyProvisionedComponent>& rpc) {
|
||||
std::optional<std::string> targetRpcId = getRpcId(rpc);
|
||||
if (!targetRpcId) {
|
||||
return std::nullopt;
|
||||
}
|
||||
return findRpcNameById(*targetRpcId);
|
||||
}
|
||||
|
||||
class GetKeyCallback : public BnGetKeyCallback {
|
||||
public:
|
||||
GetKeyCallback(std::promise<std::optional<RemotelyProvisionedKey>> keyPromise)
|
||||
: keyPromise_(std::move(keyPromise)), called_() {}
|
||||
|
||||
Status onSuccess(const RemotelyProvisionedKey& key) override {
|
||||
if (called_.test_and_set()) {
|
||||
return Status::ok();
|
||||
}
|
||||
keyPromise_.set_value(key);
|
||||
return Status::ok();
|
||||
}
|
||||
Status onCancel() override {
|
||||
if (called_.test_and_set()) {
|
||||
return Status::ok();
|
||||
}
|
||||
LOG(ERROR) << "GetKeyCallback cancelled";
|
||||
keyPromise_.set_value(std::nullopt);
|
||||
return Status::ok();
|
||||
}
|
||||
Status onError(IGetKeyCallback::ErrorCode error, const String16& description) override {
|
||||
if (called_.test_and_set()) {
|
||||
return Status::ok();
|
||||
}
|
||||
LOG(ERROR) << "GetKeyCallback failed: " << static_cast<int>(error) << ", " << description;
|
||||
keyPromise_.set_value(std::nullopt);
|
||||
return Status::ok();
|
||||
}
|
||||
|
||||
private:
|
||||
std::promise<std::optional<RemotelyProvisionedKey>> keyPromise_;
|
||||
// This callback can only be called into once
|
||||
std::atomic_flag called_;
|
||||
};
|
||||
|
||||
class GetRegistrationCallback : public BnGetRegistrationCallback {
|
||||
public:
|
||||
GetRegistrationCallback(std::promise<std::optional<RemotelyProvisionedKey>> keyPromise,
|
||||
uint32_t keyId)
|
||||
: keyPromise_(std::move(keyPromise)), keyId_(keyId), called_() {}
|
||||
|
||||
Status onSuccess(const sp<IRegistration>& registration) override {
|
||||
if (called_.test_and_set()) {
|
||||
return Status::ok();
|
||||
}
|
||||
auto cb = sp<GetKeyCallback>::make(std::move(keyPromise_));
|
||||
auto status = registration->getKey(keyId_, cb);
|
||||
if (!status.isOk()) {
|
||||
cb->onError(IGetKeyCallback::ErrorCode::ERROR_UNKNOWN,
|
||||
String16("Failed to register GetKeyCallback"));
|
||||
}
|
||||
return Status::ok();
|
||||
}
|
||||
Status onCancel() override {
|
||||
if (called_.test_and_set()) {
|
||||
return Status::ok();
|
||||
}
|
||||
LOG(ERROR) << "GetRegistrationCallback cancelled";
|
||||
keyPromise_.set_value(std::nullopt);
|
||||
return Status::ok();
|
||||
}
|
||||
Status onError(const String16& error) override {
|
||||
if (called_.test_and_set()) {
|
||||
return Status::ok();
|
||||
}
|
||||
LOG(ERROR) << "GetRegistrationCallback failed: " << error;
|
||||
keyPromise_.set_value(std::nullopt);
|
||||
return Status::ok();
|
||||
}
|
||||
|
||||
private:
|
||||
std::promise<std::optional<RemotelyProvisionedKey>> keyPromise_;
|
||||
int32_t keyId_;
|
||||
// This callback can only be called into once
|
||||
std::atomic_flag called_;
|
||||
};
|
||||
|
||||
} // namespace
|
||||
|
||||
std::optional<std::string> getRpcId(const sp<IRemotelyProvisionedComponent>& rpc) {
|
||||
RpcHardwareInfo rpcHwInfo;
|
||||
Status status = rpc->getHardwareInfo(&rpcHwInfo);
|
||||
if (!status.isOk()) {
|
||||
LOG(ERROR) << "Error getting remotely provisioned component hardware info: " << status;
|
||||
return std::nullopt;
|
||||
}
|
||||
|
||||
if (!rpcHwInfo.uniqueId) {
|
||||
LOG(ERROR) << "Remotely provisioned component is missing a unique id, which is "
|
||||
<< "required for credential key remotely provisioned attestation keys. "
|
||||
<< "This is a bug in the vendor implementation.";
|
||||
return std::nullopt;
|
||||
}
|
||||
|
||||
return *rpcHwInfo.uniqueId;
|
||||
}
|
||||
|
||||
std::optional<std::future<std::optional<RemotelyProvisionedKey>>>
|
||||
getRpcKeyFuture(const sp<IRemotelyProvisionedComponent>& rpc, int32_t keyId) {
|
||||
std::promise<std::optional<RemotelyProvisionedKey>> keyPromise;
|
||||
auto keyFuture = keyPromise.get_future();
|
||||
|
||||
auto rpcName = getRpcName(rpc);
|
||||
if (!rpcName) {
|
||||
LOG(ERROR) << "Failed to get IRemotelyProvisionedComponent name";
|
||||
return std::nullopt;
|
||||
}
|
||||
|
||||
sp<IRemoteProvisioning> remoteProvisioning =
|
||||
android::waitForService<IRemoteProvisioning>(String16(kRemoteProvisioningServiceName));
|
||||
if (!remoteProvisioning) {
|
||||
LOG(ERROR) << "Failed to get IRemoteProvisioning HAL";
|
||||
return std::nullopt;
|
||||
}
|
||||
|
||||
auto cb = sp<GetRegistrationCallback>::make(std::move(keyPromise), keyId);
|
||||
Status status = remoteProvisioning->getRegistration(*rpcName, cb);
|
||||
if (!status.isOk()) {
|
||||
LOG(ERROR) << "Failed getRegistration()";
|
||||
return std::nullopt;
|
||||
}
|
||||
|
||||
return keyFuture;
|
||||
}
|
||||
|
||||
} // namespace identity
|
||||
} // namespace security
|
||||
} // namespace android
|
|
@ -1,38 +0,0 @@
|
|||
/*
|
||||
* Copyright (c) 2022, The Android Open Source Project
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
#pragma once
|
||||
|
||||
#include <future>
|
||||
#include <optional>
|
||||
|
||||
#include <android/hardware/security/keymint/IRemotelyProvisionedComponent.h>
|
||||
|
||||
namespace android {
|
||||
namespace security {
|
||||
namespace identity {
|
||||
|
||||
using ::android::hardware::security::keymint::IRemotelyProvisionedComponent;
|
||||
using ::android::security::rkp::RemotelyProvisionedKey;
|
||||
|
||||
std::optional<std::string> getRpcId(const sp<IRemotelyProvisionedComponent>& rpc);
|
||||
|
||||
std::optional<std::future<std::optional<RemotelyProvisionedKey>>>
|
||||
getRpcKeyFuture(const sp<IRemotelyProvisionedComponent>& rpc, int32_t keyId);
|
||||
|
||||
} // namespace identity
|
||||
} // namespace security
|
||||
} // namespace android
|
Loading…
Reference in a new issue