You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
300 lines
11 KiB
300 lines
11 KiB
/*
|
|
* Copyright (C) 2016 The Android Open Source Project
|
|
*
|
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
|
* you may not use this file except in compliance with the License.
|
|
* You may obtain a copy of the License at
|
|
*
|
|
* http://www.apache.org/licenses/LICENSE-2.0
|
|
*
|
|
* Unless required by applicable law or agreed to in writing, software
|
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
* See the License for the specific language governing permissions and
|
|
* limitations under the License.
|
|
*/
|
|
|
|
#include <keystore/keystore_attestation_id.h>
|
|
|
|
#define LOG_TAG "keystore_att_id"
|
|
|
|
#include <log/log.h>
|
|
|
|
#include <memory>
|
|
#include <string>
|
|
#include <vector>
|
|
|
|
#include <binder/IServiceManager.h>
|
|
#include <binder/Parcel.h>
|
|
#include <binder/Parcelable.h>
|
|
#include <binder/PersistableBundle.h>
|
|
|
|
#include <android/security/keymaster/BpKeyAttestationApplicationIdProvider.h>
|
|
#include <android/security/keymaster/IKeyAttestationApplicationIdProvider.h>
|
|
#include <keystore/KeyAttestationApplicationId.h>
|
|
#include <keystore/KeyAttestationPackageInfo.h>
|
|
#include <keystore/Signature.h>
|
|
|
|
#include <private/android_filesystem_config.h> /* for AID_SYSTEM */
|
|
|
|
#include <openssl/asn1t.h>
|
|
#include <openssl/bn.h>
|
|
#include <openssl/sha.h>
|
|
|
|
#include <utils/String8.h>
|
|
|
|
namespace android {
|
|
|
|
namespace {
|
|
|
|
constexpr const char* kAttestationSystemPackageName = "AndroidSystem";
|
|
constexpr const char* kUnknownPackageName = "UnknownPackage";
|
|
|
|
std::vector<uint8_t> signature2SHA256(const content::pm::Signature& sig) {
|
|
std::vector<uint8_t> digest_buffer(SHA256_DIGEST_LENGTH);
|
|
SHA256(sig.data().data(), sig.data().size(), digest_buffer.data());
|
|
return digest_buffer;
|
|
}
|
|
|
|
using ::android::security::keymaster::BpKeyAttestationApplicationIdProvider;
|
|
|
|
class KeyAttestationApplicationIdProvider : public BpKeyAttestationApplicationIdProvider {
|
|
public:
|
|
KeyAttestationApplicationIdProvider();
|
|
|
|
static KeyAttestationApplicationIdProvider& get();
|
|
|
|
private:
|
|
android::sp<android::IServiceManager> service_manager_;
|
|
};
|
|
|
|
KeyAttestationApplicationIdProvider& KeyAttestationApplicationIdProvider::get() {
|
|
static KeyAttestationApplicationIdProvider mpm;
|
|
return mpm;
|
|
}
|
|
|
|
KeyAttestationApplicationIdProvider::KeyAttestationApplicationIdProvider()
|
|
: BpKeyAttestationApplicationIdProvider(
|
|
android::defaultServiceManager()->getService(String16("sec_key_att_app_id_provider"))) {}
|
|
|
|
DECLARE_STACK_OF(ASN1_OCTET_STRING);
|
|
|
|
typedef struct km_attestation_package_info {
|
|
ASN1_OCTET_STRING* package_name;
|
|
ASN1_INTEGER* version;
|
|
} KM_ATTESTATION_PACKAGE_INFO;
|
|
|
|
// Estimated size:
|
|
// 4 bytes for the package name + package_name length
|
|
// 11 bytes for the version (2 bytes header and up to 9 bytes of data).
|
|
constexpr size_t AAID_PKG_INFO_OVERHEAD = 15;
|
|
ASN1_SEQUENCE(KM_ATTESTATION_PACKAGE_INFO) = {
|
|
ASN1_SIMPLE(KM_ATTESTATION_PACKAGE_INFO, package_name, ASN1_OCTET_STRING),
|
|
ASN1_SIMPLE(KM_ATTESTATION_PACKAGE_INFO, version, ASN1_INTEGER),
|
|
} ASN1_SEQUENCE_END(KM_ATTESTATION_PACKAGE_INFO);
|
|
IMPLEMENT_ASN1_FUNCTIONS(KM_ATTESTATION_PACKAGE_INFO);
|
|
|
|
DECLARE_STACK_OF(KM_ATTESTATION_PACKAGE_INFO);
|
|
|
|
// Estimated size:
|
|
// See estimate above for the stack of package infos.
|
|
// 34 (32 + 2) bytes for each signature digest.
|
|
constexpr size_t AAID_SIGNATURE_SIZE = 34;
|
|
typedef struct km_attestation_application_id {
|
|
STACK_OF(KM_ATTESTATION_PACKAGE_INFO) * package_infos;
|
|
STACK_OF(ASN1_OCTET_STRING) * signature_digests;
|
|
} KM_ATTESTATION_APPLICATION_ID;
|
|
|
|
// Estimated overhead:
|
|
// 4 for the header of the octet string containing the fully-encoded data.
|
|
// 4 for the sequence header.
|
|
// 4 for the header of the package info set.
|
|
// 4 for the header of the signature set.
|
|
constexpr size_t AAID_GENERAL_OVERHEAD = 16;
|
|
ASN1_SEQUENCE(KM_ATTESTATION_APPLICATION_ID) = {
|
|
ASN1_SET_OF(KM_ATTESTATION_APPLICATION_ID, package_infos, KM_ATTESTATION_PACKAGE_INFO),
|
|
ASN1_SET_OF(KM_ATTESTATION_APPLICATION_ID, signature_digests, ASN1_OCTET_STRING),
|
|
} ASN1_SEQUENCE_END(KM_ATTESTATION_APPLICATION_ID);
|
|
IMPLEMENT_ASN1_FUNCTIONS(KM_ATTESTATION_APPLICATION_ID);
|
|
|
|
} // namespace
|
|
|
|
} // namespace android
|
|
|
|
namespace std {
|
|
template <> struct default_delete<android::KM_ATTESTATION_PACKAGE_INFO> {
|
|
void operator()(android::KM_ATTESTATION_PACKAGE_INFO* p) {
|
|
android::KM_ATTESTATION_PACKAGE_INFO_free(p);
|
|
}
|
|
};
|
|
template <> struct default_delete<ASN1_OCTET_STRING> {
|
|
void operator()(ASN1_OCTET_STRING* p) { ASN1_OCTET_STRING_free(p); }
|
|
};
|
|
template <> struct default_delete<android::KM_ATTESTATION_APPLICATION_ID> {
|
|
void operator()(android::KM_ATTESTATION_APPLICATION_ID* p) {
|
|
android::KM_ATTESTATION_APPLICATION_ID_free(p);
|
|
}
|
|
};
|
|
} // namespace std
|
|
|
|
namespace android {
|
|
namespace security {
|
|
namespace {
|
|
|
|
using ::android::security::keymaster::KeyAttestationApplicationId;
|
|
using ::android::security::keymaster::KeyAttestationPackageInfo;
|
|
|
|
status_t build_attestation_package_info(const KeyAttestationPackageInfo& pinfo,
|
|
std::unique_ptr<KM_ATTESTATION_PACKAGE_INFO>* attestation_package_info_ptr) {
|
|
|
|
if (!attestation_package_info_ptr) return BAD_VALUE;
|
|
auto& attestation_package_info = *attestation_package_info_ptr;
|
|
|
|
attestation_package_info.reset(KM_ATTESTATION_PACKAGE_INFO_new());
|
|
if (!attestation_package_info.get()) return NO_MEMORY;
|
|
|
|
if (!pinfo.package_name()) {
|
|
ALOGE("Key attestation package info lacks package name");
|
|
return BAD_VALUE;
|
|
}
|
|
|
|
std::string pkg_name(String8(*pinfo.package_name()).string());
|
|
if (!ASN1_OCTET_STRING_set(attestation_package_info->package_name,
|
|
reinterpret_cast<const unsigned char*>(pkg_name.data()),
|
|
pkg_name.size())) {
|
|
return UNKNOWN_ERROR;
|
|
}
|
|
|
|
BIGNUM* bn_version = BN_new();
|
|
if (bn_version == nullptr) {
|
|
return NO_MEMORY;
|
|
}
|
|
if (BN_set_u64(bn_version, static_cast<uint64_t>(pinfo.version_code())) != 1) {
|
|
BN_free(bn_version);
|
|
return UNKNOWN_ERROR;
|
|
}
|
|
status_t retval = NO_ERROR;
|
|
if (BN_to_ASN1_INTEGER(bn_version, attestation_package_info->version) == nullptr) {
|
|
retval = UNKNOWN_ERROR;
|
|
}
|
|
BN_free(bn_version);
|
|
return retval;
|
|
}
|
|
|
|
/* The following function are not used. They are mentioned here to silence
|
|
* warnings about them not being used.
|
|
*/
|
|
void unused_functions_silencer() __attribute__((unused));
|
|
void unused_functions_silencer() {
|
|
i2d_KM_ATTESTATION_PACKAGE_INFO(nullptr, nullptr);
|
|
d2i_KM_ATTESTATION_APPLICATION_ID(nullptr, nullptr, 0);
|
|
d2i_KM_ATTESTATION_PACKAGE_INFO(nullptr, nullptr, 0);
|
|
}
|
|
|
|
} // namespace
|
|
|
|
StatusOr<std::vector<uint8_t>>
|
|
build_attestation_application_id(const KeyAttestationApplicationId& key_attestation_id) {
|
|
auto attestation_id =
|
|
std::unique_ptr<KM_ATTESTATION_APPLICATION_ID>(KM_ATTESTATION_APPLICATION_ID_new());
|
|
size_t estimated_encoded_size = AAID_GENERAL_OVERHEAD;
|
|
|
|
auto attestation_pinfo_stack = reinterpret_cast<_STACK*>(attestation_id->package_infos);
|
|
|
|
if (key_attestation_id.pinfos_begin() == key_attestation_id.pinfos_end()) return BAD_VALUE;
|
|
|
|
for (auto pinfo = key_attestation_id.pinfos_begin(); pinfo != key_attestation_id.pinfos_end();
|
|
++pinfo) {
|
|
if (!pinfo->package_name()) {
|
|
ALOGE("Key attestation package info lacks package name");
|
|
return BAD_VALUE;
|
|
}
|
|
std::string package_name(String8(*pinfo->package_name()).string());
|
|
std::unique_ptr<KM_ATTESTATION_PACKAGE_INFO> attestation_package_info;
|
|
auto rc = build_attestation_package_info(*pinfo, &attestation_package_info);
|
|
if (rc != NO_ERROR) {
|
|
ALOGE("Building DER attestation package info failed %d", rc);
|
|
return rc;
|
|
}
|
|
estimated_encoded_size += AAID_PKG_INFO_OVERHEAD + package_name.size();
|
|
if (estimated_encoded_size > KEY_ATTESTATION_APPLICATION_ID_MAX_SIZE) {
|
|
break;
|
|
}
|
|
if (!sk_push(attestation_pinfo_stack, attestation_package_info.get())) {
|
|
return NO_MEMORY;
|
|
}
|
|
// if push succeeded, the stack takes ownership
|
|
attestation_package_info.release();
|
|
}
|
|
|
|
/** Apps can only share a uid iff they were signed with the same certificate(s). Because the
|
|
* signature field actually holds the signing certificate, rather than a signature, we can
|
|
* simply use the set of signature digests of the first package info.
|
|
*/
|
|
const auto& pinfo = *key_attestation_id.pinfos_begin();
|
|
std::vector<std::vector<uint8_t>> signature_digests;
|
|
|
|
for (auto sig = pinfo.sigs_begin(); sig != pinfo.sigs_end(); ++sig) {
|
|
signature_digests.push_back(signature2SHA256(*sig));
|
|
}
|
|
|
|
auto signature_digest_stack = reinterpret_cast<_STACK*>(attestation_id->signature_digests);
|
|
for (auto si : signature_digests) {
|
|
estimated_encoded_size += AAID_SIGNATURE_SIZE;
|
|
if (estimated_encoded_size > KEY_ATTESTATION_APPLICATION_ID_MAX_SIZE) {
|
|
break;
|
|
}
|
|
auto asn1_item = std::unique_ptr<ASN1_OCTET_STRING>(ASN1_OCTET_STRING_new());
|
|
if (!asn1_item) return NO_MEMORY;
|
|
if (!ASN1_OCTET_STRING_set(asn1_item.get(), si.data(), si.size())) {
|
|
return UNKNOWN_ERROR;
|
|
}
|
|
if (!sk_push(signature_digest_stack, asn1_item.get())) {
|
|
return NO_MEMORY;
|
|
}
|
|
asn1_item.release(); // if push succeeded, the stack takes ownership
|
|
}
|
|
|
|
int len = i2d_KM_ATTESTATION_APPLICATION_ID(attestation_id.get(), nullptr);
|
|
if (len < 0) return UNKNOWN_ERROR;
|
|
|
|
std::vector<uint8_t> result(len);
|
|
uint8_t* p = result.data();
|
|
len = i2d_KM_ATTESTATION_APPLICATION_ID(attestation_id.get(), &p);
|
|
if (len < 0) return UNKNOWN_ERROR;
|
|
|
|
return result;
|
|
}
|
|
|
|
StatusOr<std::vector<uint8_t>> gather_attestation_application_id(uid_t uid) {
|
|
KeyAttestationApplicationId key_attestation_id;
|
|
|
|
if (uid == AID_SYSTEM) {
|
|
/* Use a fixed ID for system callers */
|
|
auto pinfo = std::make_optional<KeyAttestationPackageInfo>(
|
|
String16(kAttestationSystemPackageName), 1 /* version code */,
|
|
std::make_shared<KeyAttestationPackageInfo::SignaturesVector>());
|
|
key_attestation_id = KeyAttestationApplicationId(std::move(pinfo));
|
|
} else {
|
|
/* Get the attestation application ID from package manager */
|
|
auto& pm = KeyAttestationApplicationIdProvider::get();
|
|
auto status = pm.getKeyAttestationApplicationId(uid, &key_attestation_id);
|
|
// Package Manager call has failed, perform attestation but indicate that the
|
|
// caller is unknown.
|
|
if (!status.isOk()) {
|
|
ALOGW("package manager request for key attestation ID failed with: %s %d",
|
|
status.exceptionMessage().string(), status.exceptionCode());
|
|
auto pinfo = std::make_optional<KeyAttestationPackageInfo>(
|
|
String16(kUnknownPackageName), 1 /* version code */,
|
|
std::make_shared<KeyAttestationPackageInfo::SignaturesVector>());
|
|
key_attestation_id = KeyAttestationApplicationId(std::move(pinfo));
|
|
}
|
|
}
|
|
|
|
/* DER encode the attestation application ID */
|
|
return build_attestation_application_id(key_attestation_id);
|
|
}
|
|
|
|
} // namespace security
|
|
} // namespace android
|