tequilaOS/platform_system_security
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
platform_system_security/keystore/keystore_attestation_id.cpp
Eran Messeri 03fc4c8769 KeyStore: Limit the Attestation Application ID 
Limit the size of the Application ID attestation vector _prior_ to
sending it for attestation by Keymaster.
Previously, the Attestation Application ID vector would be DER-encoded
to contain all packages belonging to the caller UID, and only then
truncated to the max value that could be sent to Keymaster (1K),
potentially resulting in malformed DER-encoded data.

This makes clients' lives hard, as they would have to deal with
malformed DER, and breaks CTS tests that expect to parse this field in
the attestation record, when the device has too many packages running on
the system UID.

This change limits the size of the DER-encoded vector that would be
passed into Keymaster by estimating the encoded size and refraining from
adding any more package information into it if it'd exceed 1K when
encoded.

Also, cope with PackageManager failure to provide the list of packages.

Merged-In: I39ab9338922f7be358d27e1b2dae5d0a36009109

Test: keystore_unit_tests (adb pushed to /data/local/tmp, then: LD_LIBRARY_PATH=/data/local/tmp /data/local/tmp/keystore_unit_tests)
Test: runtest --path cts/tests/tests/keystore/src/android/keystore/cts/KeyAttestationTest.java
Test: atest com.android.cts.devicepolicy.MixedDeviceOwnerTest#testKeyManagement
Bug: 112179406
Bug: 112061724
Bug: 111260028
Change-Id: I0759a632fbf678814f6b1c258f0b2e2524edb85c
2018-08-16 18:53:15 +01:00

298 lines
11 KiB
C++
Raw Blame History

/*
* Copyright (C) 2016 The Android Open Source Project
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
#include "keystore_attestation_id.h"
#define LOG_TAG "keystore_att_id"
#include <cutils/log.h>
#include <memory>
#include <string>
#include <vector>
#include <binder/IServiceManager.h>
#include <binder/Parcel.h>
#include <binder/Parcelable.h>
#include <binder/PersistableBundle.h>
#include <android/security/keymaster/BpKeyAttestationApplicationIdProvider.h>
#include <android/security/keymaster/IKeyAttestationApplicationIdProvider.h>
#include <keystore/KeyAttestationApplicationId.h>
#include <keystore/KeyAttestationPackageInfo.h>
#include <keystore/Signature.h>
#include <private/android_filesystem_config.h> /* for AID_SYSTEM */
#include <openssl/asn1t.h>
#include <openssl/bn.h>
#include <openssl/sha.h>
#include <utils/String8.h>
namespace android {
namespace {
constexpr const char* kAttestationSystemPackageName = "AndroidSystem";
constexpr const char* kUnknownPackageName = "UnknownPackage";
std::vector<uint8_t> signature2SHA256(const content::pm::Signature& sig) {
std::vector<uint8_t> digest_buffer(SHA256_DIGEST_LENGTH);
SHA256(sig.data().data(), sig.data().size(), digest_buffer.data());
return digest_buffer;
}
using ::android::security::keymaster::BpKeyAttestationApplicationIdProvider;
class KeyAttestationApplicationIdProvider : public BpKeyAttestationApplicationIdProvider {
public:
KeyAttestationApplicationIdProvider();
static KeyAttestationApplicationIdProvider& get();
private:
android::sp<android::IServiceManager> service_manager_;
};
KeyAttestationApplicationIdProvider& KeyAttestationApplicationIdProvider::get() {
static KeyAttestationApplicationIdProvider mpm;
return mpm;
}
KeyAttestationApplicationIdProvider::KeyAttestationApplicationIdProvider()
: BpKeyAttestationApplicationIdProvider(
android::defaultServiceManager()->getService(String16("sec_key_att_app_id_provider"))) {}
DECLARE_STACK_OF(ASN1_OCTET_STRING);
typedef struct km_attestation_package_info {
ASN1_OCTET_STRING* package_name;
ASN1_INTEGER* version;
} KM_ATTESTATION_PACKAGE_INFO;
// Estimated size:
// 4 bytes for the package name + package_name length
// 11 bytes for the version (2 bytes header and up to 9 bytes of data).
constexpr size_t AAID_PKG_INFO_OVERHEAD = 15;
ASN1_SEQUENCE(KM_ATTESTATION_PACKAGE_INFO) = {
ASN1_SIMPLE(KM_ATTESTATION_PACKAGE_INFO, package_name, ASN1_OCTET_STRING),
ASN1_SIMPLE(KM_ATTESTATION_PACKAGE_INFO, version, ASN1_INTEGER),
} ASN1_SEQUENCE_END(KM_ATTESTATION_PACKAGE_INFO);
IMPLEMENT_ASN1_FUNCTIONS(KM_ATTESTATION_PACKAGE_INFO);
DECLARE_STACK_OF(KM_ATTESTATION_PACKAGE_INFO);
// Estimated size:
// See estimate above for the stack of package infos.
// 34 (32 + 2) bytes for each signature digest.
constexpr size_t AAID_SIGNATURE_SIZE = 34;
typedef struct km_attestation_application_id {
STACK_OF(KM_ATTESTATION_PACKAGE_INFO) * package_infos;
STACK_OF(ASN1_OCTET_STRING) * signature_digests;
} KM_ATTESTATION_APPLICATION_ID;
// Estimated overhead:
// 4 for the header of the octet string containing the fully-encoded data.
// 4 for the sequence header.
// 4 for the header of the package info set.
// 4 for the header of the signature set.
constexpr size_t AAID_GENERAL_OVERHEAD = 16;
ASN1_SEQUENCE(KM_ATTESTATION_APPLICATION_ID) = {
ASN1_SET_OF(KM_ATTESTATION_APPLICATION_ID, package_infos, KM_ATTESTATION_PACKAGE_INFO),
ASN1_SET_OF(KM_ATTESTATION_APPLICATION_ID, signature_digests, ASN1_OCTET_STRING),
} ASN1_SEQUENCE_END(KM_ATTESTATION_APPLICATION_ID);
IMPLEMENT_ASN1_FUNCTIONS(KM_ATTESTATION_APPLICATION_ID);
} // namespace
} // namespace android
namespace std {
template <> struct default_delete<android::KM_ATTESTATION_PACKAGE_INFO> {
void operator()(android::KM_ATTESTATION_PACKAGE_INFO* p) {
android::KM_ATTESTATION_PACKAGE_INFO_free(p);
}
};
template <> struct default_delete<ASN1_OCTET_STRING> {
void operator()(ASN1_OCTET_STRING* p) { ASN1_OCTET_STRING_free(p); }
};
template <> struct default_delete<android::KM_ATTESTATION_APPLICATION_ID> {
void operator()(android::KM_ATTESTATION_APPLICATION_ID* p) {
android::KM_ATTESTATION_APPLICATION_ID_free(p);
}
};
} // namespace std
namespace android {
namespace security {
namespace {
using ::android::security::keymaster::KeyAttestationApplicationId;
using ::android::security::keymaster::KeyAttestationPackageInfo;
status_t build_attestation_package_info(const KeyAttestationPackageInfo& pinfo,
std::unique_ptr<KM_ATTESTATION_PACKAGE_INFO>* attestation_package_info_ptr) {
if (!attestation_package_info_ptr) return BAD_VALUE;
auto& attestation_package_info = *attestation_package_info_ptr;
attestation_package_info.reset(KM_ATTESTATION_PACKAGE_INFO_new());
if (!attestation_package_info.get()) return NO_MEMORY;
if (!pinfo.package_name()) {
ALOGE("Key attestation package info lacks package name");
return BAD_VALUE;
}
std::string pkg_name(String8(*pinfo.package_name()).string());
if (!ASN1_OCTET_STRING_set(attestation_package_info->package_name,
reinterpret_cast<const unsigned char*>(pkg_name.data()),
pkg_name.size())) {
return UNKNOWN_ERROR;
}
BIGNUM* bn_version = BN_new();
if (bn_version == nullptr) {
return NO_MEMORY;
}
if (BN_set_u64(bn_version, static_cast<uint64_t>(pinfo.version_code())) != 1) {
BN_free(bn_version);
return UNKNOWN_ERROR;
}
status_t retval = NO_ERROR;
if (BN_to_ASN1_INTEGER(bn_version, attestation_package_info->version) == nullptr) {
retval = UNKNOWN_ERROR;
}
BN_free(bn_version);
return retval;
}
/* The following function are not used. They are mentioned here to silence
* warnings about them not being used.
*/
void unused_functions_silencer() __attribute__((unused));
void unused_functions_silencer() {
i2d_KM_ATTESTATION_PACKAGE_INFO(nullptr, nullptr);
d2i_KM_ATTESTATION_APPLICATION_ID(nullptr, nullptr, 0);
d2i_KM_ATTESTATION_PACKAGE_INFO(nullptr, nullptr, 0);
}
} // namespace
StatusOr<std::vector<uint8_t>>
build_attestation_application_id(const KeyAttestationApplicationId& key_attestation_id) {
auto attestation_id =
std::unique_ptr<KM_ATTESTATION_APPLICATION_ID>(KM_ATTESTATION_APPLICATION_ID_new());
size_t estimated_encoded_size = AAID_GENERAL_OVERHEAD;
auto attestation_pinfo_stack = reinterpret_cast<_STACK*>(attestation_id->package_infos);
if (key_attestation_id.pinfos_begin() == key_attestation_id.pinfos_end()) return BAD_VALUE;
for (auto pinfo = key_attestation_id.pinfos_begin(); pinfo != key_attestation_id.pinfos_end();
++pinfo) {
if (!pinfo->package_name()) {
ALOGE("Key attestation package info lacks package name");
return BAD_VALUE;
}
std::string package_name(String8(*pinfo->package_name()).string());
std::unique_ptr<KM_ATTESTATION_PACKAGE_INFO> attestation_package_info;
auto rc = build_attestation_package_info(*pinfo, &attestation_package_info);
if (rc != NO_ERROR) {
ALOGE("Building DER attestation package info failed %d", rc);
return rc;
}
estimated_encoded_size += AAID_PKG_INFO_OVERHEAD + package_name.size();
if (estimated_encoded_size > KEY_ATTESTATION_APPLICATION_ID_MAX_SIZE) {
break;
}
if (!sk_push(attestation_pinfo_stack, attestation_package_info.get())) {
return NO_MEMORY;
}
// if push succeeded, the stack takes ownership
attestation_package_info.release();
}
/** Apps can only share a uid iff they were signed with the same certificate(s). Because the
* signature field actually holds the signing certificate, rather than a signature, we can
* simply use the set of signature digests of the first package info.
*/
const auto& pinfo = *key_attestation_id.pinfos_begin();
std::vector<std::vector<uint8_t>> signature_digests;
for (auto sig = pinfo.sigs_begin(); sig != pinfo.sigs_end(); ++sig) {
signature_digests.push_back(signature2SHA256(*sig));
}
auto signature_digest_stack = reinterpret_cast<_STACK*>(attestation_id->signature_digests);
for (auto si : signature_digests) {
estimated_encoded_size += AAID_SIGNATURE_SIZE;
if (estimated_encoded_size > KEY_ATTESTATION_APPLICATION_ID_MAX_SIZE) {
break;
}
auto asn1_item = std::unique_ptr<ASN1_OCTET_STRING>(ASN1_OCTET_STRING_new());
if (!asn1_item) return NO_MEMORY;
if (!ASN1_OCTET_STRING_set(asn1_item.get(), si.data(), si.size())) {
return UNKNOWN_ERROR;
}
if (!sk_push(signature_digest_stack, asn1_item.get())) {
return NO_MEMORY;
}
asn1_item.release(); // if push succeeded, the stack takes ownership
}
int len = i2d_KM_ATTESTATION_APPLICATION_ID(attestation_id.get(), nullptr);
if (len < 0) return UNKNOWN_ERROR;
std::vector<uint8_t> result(len);
uint8_t* p = result.data();
len = i2d_KM_ATTESTATION_APPLICATION_ID(attestation_id.get(), &p);
if (len < 0) return UNKNOWN_ERROR;
return result;
}
StatusOr<std::vector<uint8_t>> gather_attestation_application_id(uid_t uid) {
KeyAttestationApplicationId key_attestation_id;
if (uid == AID_SYSTEM) {
/* Use a fixed ID for system callers */
auto pinfo = std::make_unique<KeyAttestationPackageInfo>(
String16(kAttestationSystemPackageName), 1 /* version code */,
std::make_shared<KeyAttestationPackageInfo::SignaturesVector>());
key_attestation_id = KeyAttestationApplicationId(std::move(pinfo));
} else {
/* Get the attestation application ID from package manager */
auto& pm = KeyAttestationApplicationIdProvider::get();
auto status = pm.getKeyAttestationApplicationId(uid, &key_attestation_id);
// Package Manager call has failed, perform attestation but indicate that the
// caller is unknown.
if (!status.isOk()) {
ALOGW("package manager request for key attestation ID failed with: %s %d",
status.exceptionMessage().string(), status.exceptionCode());
auto pinfo = std::make_unique<KeyAttestationPackageInfo>(
String16(kUnknownPackageName), 1 /* version code */,
std::make_shared<KeyAttestationPackageInfo::SignaturesVector>());
key_attestation_id = KeyAttestationApplicationId(std::move(pinfo));
}
}
/* DER encode the attestation application ID */
return build_attestation_application_id(key_attestation_id);
}
} // namespace security
} // namespace android
Reference in a new issue View git blame Copy permalink