You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
378 lines
15 KiB
378 lines
15 KiB
/*
|
|
* Copyright 2020, The Android Open Source Project
|
|
*
|
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
|
* you may not use this file except in compliance with the License.
|
|
* You may obtain a copy of the License at
|
|
*
|
|
* http://www.apache.org/licenses/LICENSE-2.0
|
|
*
|
|
* Unless required by applicable law or agreed to in writing, software
|
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
* See the License for the specific language governing permissions and
|
|
* limitations under the License.
|
|
*/
|
|
|
|
#include "EicProvisioning.h"
|
|
|
|
bool eicProvisioningInit(EicProvisioning* ctx, bool testCredential) {
|
|
eicMemSet(ctx, '\0', sizeof(EicProvisioning));
|
|
ctx->testCredential = testCredential;
|
|
if (!eicOpsRandom(ctx->storageKey, EIC_AES_128_KEY_SIZE)) {
|
|
return false;
|
|
}
|
|
|
|
return true;
|
|
}
|
|
|
|
bool eicProvisioningInitForUpdate(EicProvisioning* ctx, bool testCredential, const char* docType,
|
|
const uint8_t* encryptedCredentialKeys,
|
|
size_t encryptedCredentialKeysSize) {
|
|
uint8_t credentialKeys[86];
|
|
|
|
// For feature version 202009 it's 52 bytes long and for feature version 202101 it's 86
|
|
// bytes (the additional data is the ProofOfProvisioning SHA-256). We need
|
|
// to support loading all feature versions.
|
|
//
|
|
bool expectPopSha256 = false;
|
|
if (encryptedCredentialKeysSize == 52 + 28) {
|
|
/* do nothing */
|
|
} else if (encryptedCredentialKeysSize == 86 + 28) {
|
|
expectPopSha256 = true;
|
|
} else {
|
|
eicDebug("Unexpected size %zd for encryptedCredentialKeys", encryptedCredentialKeysSize);
|
|
return false;
|
|
}
|
|
|
|
eicMemSet(ctx, '\0', sizeof(EicProvisioning));
|
|
ctx->testCredential = testCredential;
|
|
|
|
if (!eicOpsDecryptAes128Gcm(eicOpsGetHardwareBoundKey(testCredential), encryptedCredentialKeys,
|
|
encryptedCredentialKeysSize,
|
|
// DocType is the additionalAuthenticatedData
|
|
(const uint8_t*)docType, eicStrLen(docType), credentialKeys)) {
|
|
eicDebug("Error decrypting CredentialKeys");
|
|
return false;
|
|
}
|
|
|
|
// It's supposed to look like this;
|
|
//
|
|
// Feature version 202009:
|
|
//
|
|
// CredentialKeys = [
|
|
// bstr, ; storageKey, a 128-bit AES key
|
|
// bstr, ; credentialPrivKey, the private key for credentialKey
|
|
// ]
|
|
//
|
|
// Feature version 202101:
|
|
//
|
|
// CredentialKeys = [
|
|
// bstr, ; storageKey, a 128-bit AES key
|
|
// bstr, ; credentialPrivKey, the private key for credentialKey
|
|
// bstr ; proofOfProvisioning SHA-256
|
|
// ]
|
|
//
|
|
// where storageKey is 16 bytes, credentialPrivateKey is 32 bytes, and proofOfProvisioning
|
|
// SHA-256 is 32 bytes.
|
|
//
|
|
if (credentialKeys[0] != (expectPopSha256 ? 0x83 : 0x82) || // array of two or three elements
|
|
credentialKeys[1] != 0x50 || // 16-byte bstr
|
|
credentialKeys[18] != 0x58 || credentialKeys[19] != 0x20) { // 32-byte bstr
|
|
eicDebug("Invalid CBOR for CredentialKeys");
|
|
return false;
|
|
}
|
|
if (expectPopSha256) {
|
|
if (credentialKeys[52] != 0x58 || credentialKeys[53] != 0x20) { // 32-byte bstr
|
|
eicDebug("Invalid CBOR for CredentialKeys");
|
|
return false;
|
|
}
|
|
}
|
|
eicMemCpy(ctx->storageKey, credentialKeys + 2, EIC_AES_128_KEY_SIZE);
|
|
eicMemCpy(ctx->credentialPrivateKey, credentialKeys + 20, EIC_P256_PRIV_KEY_SIZE);
|
|
// Note: We don't care about the previous ProofOfProvisioning SHA-256
|
|
ctx->isUpdate = true;
|
|
return true;
|
|
}
|
|
|
|
bool eicProvisioningCreateCredentialKey(EicProvisioning* ctx, const uint8_t* challenge,
|
|
size_t challengeSize, const uint8_t* applicationId,
|
|
size_t applicationIdSize, uint8_t* publicKeyCert,
|
|
size_t* publicKeyCertSize) {
|
|
if (ctx->isUpdate) {
|
|
eicDebug("Cannot create CredentialKey on update");
|
|
return false;
|
|
}
|
|
|
|
if (!eicOpsCreateCredentialKey(ctx->credentialPrivateKey, challenge, challengeSize,
|
|
applicationId, applicationIdSize, ctx->testCredential,
|
|
publicKeyCert, publicKeyCertSize)) {
|
|
return false;
|
|
}
|
|
return true;
|
|
}
|
|
|
|
bool eicProvisioningStartPersonalization(EicProvisioning* ctx, int accessControlProfileCount,
|
|
const int* entryCounts, size_t numEntryCounts,
|
|
const char* docType,
|
|
size_t expectedProofOfProvisioningSize) {
|
|
if (numEntryCounts >= EIC_MAX_NUM_NAMESPACES) {
|
|
return false;
|
|
}
|
|
if (accessControlProfileCount >= EIC_MAX_NUM_ACCESS_CONTROL_PROFILE_IDS) {
|
|
return false;
|
|
}
|
|
|
|
ctx->numEntryCounts = numEntryCounts;
|
|
if (numEntryCounts > EIC_MAX_NUM_NAMESPACES) {
|
|
return false;
|
|
}
|
|
for (size_t n = 0; n < numEntryCounts; n++) {
|
|
if (entryCounts[n] >= 256) {
|
|
return false;
|
|
}
|
|
ctx->entryCounts[n] = entryCounts[n];
|
|
}
|
|
ctx->curNamespace = -1;
|
|
ctx->curNamespaceNumProcessed = 0;
|
|
|
|
eicCborInit(&ctx->cbor, NULL, 0);
|
|
|
|
// What we're going to sign is the COSE ToBeSigned structure which
|
|
// looks like the following:
|
|
//
|
|
// Sig_structure = [
|
|
// context : "Signature" / "Signature1" / "CounterSignature",
|
|
// body_protected : empty_or_serialized_map,
|
|
// ? sign_protected : empty_or_serialized_map,
|
|
// external_aad : bstr,
|
|
// payload : bstr
|
|
// ]
|
|
//
|
|
eicCborAppendArray(&ctx->cbor, 4);
|
|
eicCborAppendString(&ctx->cbor, "Signature1");
|
|
|
|
// The COSE Encoded protected headers is just a single field with
|
|
// COSE_LABEL_ALG (1) -> COSE_ALG_ECSDA_256 (-7). For simplicitly we just
|
|
// hard-code the CBOR encoding:
|
|
static const uint8_t coseEncodedProtectedHeaders[] = {0xa1, 0x01, 0x26};
|
|
eicCborAppendByteString(&ctx->cbor, coseEncodedProtectedHeaders,
|
|
sizeof(coseEncodedProtectedHeaders));
|
|
|
|
// We currently don't support Externally Supplied Data (RFC 8152 section 4.3)
|
|
// so external_aad is the empty bstr
|
|
static const uint8_t externalAad[0] = {};
|
|
eicCborAppendByteString(&ctx->cbor, externalAad, sizeof(externalAad));
|
|
|
|
// For the payload, the _encoded_ form follows here. We handle this by simply
|
|
// opening a bstr, and then writing the CBOR. This requires us to know the
|
|
// size of said bstr, ahead of time.
|
|
eicCborBegin(&ctx->cbor, EIC_CBOR_MAJOR_TYPE_BYTE_STRING, expectedProofOfProvisioningSize);
|
|
ctx->expectedCborSizeAtEnd = expectedProofOfProvisioningSize + ctx->cbor.size;
|
|
|
|
eicOpsSha256Init(&ctx->proofOfProvisioningDigester);
|
|
eicCborEnableSecondaryDigesterSha256(&ctx->cbor, &ctx->proofOfProvisioningDigester);
|
|
|
|
eicCborAppendArray(&ctx->cbor, 5);
|
|
eicCborAppendString(&ctx->cbor, "ProofOfProvisioning");
|
|
eicCborAppendString(&ctx->cbor, docType);
|
|
|
|
eicCborAppendArray(&ctx->cbor, accessControlProfileCount);
|
|
|
|
return true;
|
|
}
|
|
|
|
bool eicProvisioningAddAccessControlProfile(EicProvisioning* ctx, int id,
|
|
const uint8_t* readerCertificate,
|
|
size_t readerCertificateSize,
|
|
bool userAuthenticationRequired, uint64_t timeoutMillis,
|
|
uint64_t secureUserId, uint8_t outMac[28]) {
|
|
uint8_t cborBuffer[EIC_MAX_CBOR_SIZE_FOR_ACCESS_CONTROL_PROFILE];
|
|
EicCbor cborBuilder;
|
|
|
|
eicCborInit(&cborBuilder, cborBuffer, EIC_MAX_CBOR_SIZE_FOR_ACCESS_CONTROL_PROFILE);
|
|
|
|
if (!eicCborCalcAccessControl(&cborBuilder, id, readerCertificate, readerCertificateSize,
|
|
userAuthenticationRequired, timeoutMillis, secureUserId)) {
|
|
return false;
|
|
}
|
|
|
|
// Calculate and return MAC
|
|
uint8_t nonce[12];
|
|
if (!eicOpsRandom(nonce, 12)) {
|
|
return false;
|
|
}
|
|
if (!eicOpsEncryptAes128Gcm(ctx->storageKey, nonce, NULL, 0, cborBuilder.buffer,
|
|
cborBuilder.size, outMac)) {
|
|
return false;
|
|
}
|
|
|
|
// The ACP CBOR in the provisioning receipt doesn't include secureUserId so build
|
|
// it again.
|
|
eicCborInit(&cborBuilder, cborBuffer, EIC_MAX_CBOR_SIZE_FOR_ACCESS_CONTROL_PROFILE);
|
|
if (!eicCborCalcAccessControl(&cborBuilder, id, readerCertificate, readerCertificateSize,
|
|
userAuthenticationRequired, timeoutMillis,
|
|
0 /* secureUserId */)) {
|
|
return false;
|
|
}
|
|
|
|
// Append the CBOR from the local builder to the digester.
|
|
eicCborAppend(&ctx->cbor, cborBuilder.buffer, cborBuilder.size);
|
|
|
|
return true;
|
|
}
|
|
|
|
bool eicProvisioningBeginAddEntry(EicProvisioning* ctx, const int* accessControlProfileIds,
|
|
size_t numAccessControlProfileIds, const char* nameSpace,
|
|
const char* name, uint64_t entrySize, uint8_t* scratchSpace,
|
|
size_t scratchSpaceSize) {
|
|
uint8_t* additionalDataCbor = scratchSpace;
|
|
const size_t additionalDataCborBufSize = scratchSpaceSize;
|
|
size_t additionalDataCborSize;
|
|
|
|
// We'll need to calc and store a digest of additionalData to check that it's the same
|
|
// additionalData being passed in for every eicProvisioningAddEntryValue() call...
|
|
if (!eicCborCalcEntryAdditionalData(accessControlProfileIds, numAccessControlProfileIds,
|
|
nameSpace, name, additionalDataCbor,
|
|
additionalDataCborBufSize, &additionalDataCborSize,
|
|
ctx->additionalDataSha256)) {
|
|
return false;
|
|
}
|
|
|
|
if (ctx->curNamespace == -1) {
|
|
ctx->curNamespace = 0;
|
|
ctx->curNamespaceNumProcessed = 0;
|
|
// Opens the main map: { * Namespace => [ + Entry ] }
|
|
eicCborAppendMap(&ctx->cbor, ctx->numEntryCounts);
|
|
eicCborAppendString(&ctx->cbor, nameSpace);
|
|
// Opens the per-namespace array: [ + Entry ]
|
|
eicCborAppendArray(&ctx->cbor, ctx->entryCounts[ctx->curNamespace]);
|
|
}
|
|
|
|
if (ctx->curNamespaceNumProcessed == ctx->entryCounts[ctx->curNamespace]) {
|
|
ctx->curNamespace += 1;
|
|
ctx->curNamespaceNumProcessed = 0;
|
|
eicCborAppendString(&ctx->cbor, nameSpace);
|
|
// Opens the per-namespace array: [ + Entry ]
|
|
eicCborAppendArray(&ctx->cbor, ctx->entryCounts[ctx->curNamespace]);
|
|
}
|
|
|
|
eicCborAppendMap(&ctx->cbor, 3);
|
|
eicCborAppendString(&ctx->cbor, "name");
|
|
eicCborAppendString(&ctx->cbor, name);
|
|
|
|
ctx->curEntrySize = entrySize;
|
|
ctx->curEntryNumBytesReceived = 0;
|
|
|
|
eicCborAppendString(&ctx->cbor, "value");
|
|
|
|
ctx->curNamespaceNumProcessed += 1;
|
|
return true;
|
|
}
|
|
|
|
bool eicProvisioningAddEntryValue(EicProvisioning* ctx, const int* accessControlProfileIds,
|
|
size_t numAccessControlProfileIds, const char* nameSpace,
|
|
const char* name, const uint8_t* content, size_t contentSize,
|
|
uint8_t* outEncryptedContent, uint8_t* scratchSpace,
|
|
size_t scratchSpaceSize) {
|
|
uint8_t* additionalDataCbor = scratchSpace;
|
|
const size_t additionalDataCborBufSize = scratchSpaceSize;
|
|
size_t additionalDataCborSize;
|
|
|
|
uint8_t calculatedSha256[EIC_SHA256_DIGEST_SIZE];
|
|
if (!eicCborCalcEntryAdditionalData(accessControlProfileIds, numAccessControlProfileIds,
|
|
nameSpace, name, additionalDataCbor,
|
|
additionalDataCborBufSize, &additionalDataCborSize,
|
|
calculatedSha256)) {
|
|
return false;
|
|
}
|
|
if (eicCryptoMemCmp(calculatedSha256, ctx->additionalDataSha256, EIC_SHA256_DIGEST_SIZE) != 0) {
|
|
eicDebug("SHA-256 mismatch of additionalData");
|
|
return false;
|
|
}
|
|
|
|
eicCborAppend(&ctx->cbor, content, contentSize);
|
|
|
|
uint8_t nonce[12];
|
|
if (!eicOpsRandom(nonce, 12)) {
|
|
return false;
|
|
}
|
|
if (!eicOpsEncryptAes128Gcm(ctx->storageKey, nonce, content, contentSize, additionalDataCbor,
|
|
additionalDataCborSize, outEncryptedContent)) {
|
|
return false;
|
|
}
|
|
|
|
// If done with this entry, close the map
|
|
ctx->curEntryNumBytesReceived += contentSize;
|
|
if (ctx->curEntryNumBytesReceived == ctx->curEntrySize) {
|
|
eicCborAppendString(&ctx->cbor, "accessControlProfiles");
|
|
eicCborAppendArray(&ctx->cbor, numAccessControlProfileIds);
|
|
for (size_t n = 0; n < numAccessControlProfileIds; n++) {
|
|
eicCborAppendNumber(&ctx->cbor, accessControlProfileIds[n]);
|
|
}
|
|
}
|
|
return true;
|
|
}
|
|
|
|
bool eicProvisioningFinishAddingEntries(
|
|
EicProvisioning* ctx, uint8_t signatureOfToBeSigned[EIC_ECDSA_P256_SIGNATURE_SIZE]) {
|
|
uint8_t cborSha256[EIC_SHA256_DIGEST_SIZE];
|
|
|
|
eicCborAppendBool(&ctx->cbor, ctx->testCredential);
|
|
eicCborFinal(&ctx->cbor, cborSha256);
|
|
|
|
// This verifies that the correct expectedProofOfProvisioningSize value was
|
|
// passed in at eicStartPersonalization() time.
|
|
if (ctx->cbor.size != ctx->expectedCborSizeAtEnd) {
|
|
eicDebug("CBOR size is %zd, was expecting %zd", ctx->cbor.size, ctx->expectedCborSizeAtEnd);
|
|
return false;
|
|
}
|
|
|
|
if (!eicOpsEcDsa(ctx->credentialPrivateKey, cborSha256, signatureOfToBeSigned)) {
|
|
eicDebug("Error signing proofOfProvisioning");
|
|
return false;
|
|
}
|
|
|
|
return true;
|
|
}
|
|
|
|
bool eicProvisioningFinishGetCredentialData(EicProvisioning* ctx, const char* docType,
|
|
uint8_t* encryptedCredentialKeys,
|
|
size_t* encryptedCredentialKeysSize) {
|
|
EicCbor cbor;
|
|
uint8_t cborBuf[86];
|
|
|
|
if (*encryptedCredentialKeysSize < 86 + 28) {
|
|
eicDebug("encryptedCredentialKeysSize is %zd which is insufficient");
|
|
return false;
|
|
}
|
|
|
|
eicCborInit(&cbor, cborBuf, sizeof(cborBuf));
|
|
eicCborAppendArray(&cbor, 3);
|
|
eicCborAppendByteString(&cbor, ctx->storageKey, EIC_AES_128_KEY_SIZE);
|
|
eicCborAppendByteString(&cbor, ctx->credentialPrivateKey, EIC_P256_PRIV_KEY_SIZE);
|
|
uint8_t popSha256[EIC_SHA256_DIGEST_SIZE];
|
|
eicOpsSha256Final(&ctx->proofOfProvisioningDigester, popSha256);
|
|
eicCborAppendByteString(&cbor, popSha256, EIC_SHA256_DIGEST_SIZE);
|
|
if (cbor.size > sizeof(cborBuf)) {
|
|
eicDebug("Exceeded buffer size");
|
|
return false;
|
|
}
|
|
|
|
uint8_t nonce[12];
|
|
if (!eicOpsRandom(nonce, 12)) {
|
|
eicDebug("Error getting random");
|
|
return false;
|
|
}
|
|
if (!eicOpsEncryptAes128Gcm(
|
|
eicOpsGetHardwareBoundKey(ctx->testCredential), nonce, cborBuf, cbor.size,
|
|
// DocType is the additionalAuthenticatedData
|
|
(const uint8_t*)docType, eicStrLen(docType), encryptedCredentialKeys)) {
|
|
eicDebug("Error encrypting CredentialKeys");
|
|
return false;
|
|
}
|
|
*encryptedCredentialKeysSize = cbor.size + 28;
|
|
|
|
return true;
|
|
}
|