You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

282 lines
11 KiB

/*
* Copyright (c) 2019, The Android Open Source Project
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
#define LOG_TAG "credstore"
#include <android-base/logging.h>
#include <android/hardware/identity/support/IdentityCredentialSupport.h>
#include <android/security/identity/ICredentialStore.h>
#include <binder/IPCThreadState.h>
#include <cppbor.h>
#include <cppbor_parse.h>
#include <keystore/keystore_attestation_id.h>
#include "CredentialData.h"
#include "Util.h"
#include "WritableCredential.h"
namespace android {
namespace security {
namespace identity {
using ::std::pair;
using ::android::hardware::identity::SecureAccessControlProfile;
using ::android::hardware::identity::support::chunkVector;
WritableCredential::WritableCredential(const string& dataPath, const string& credentialName,
const string& docType, bool isUpdate,
HardwareInformation hwInfo,
sp<IWritableIdentityCredential> halBinder)
: dataPath_(dataPath), credentialName_(credentialName), docType_(docType), isUpdate_(isUpdate),
hwInfo_(std::move(hwInfo)), halBinder_(halBinder) {}
WritableCredential::~WritableCredential() {}
void WritableCredential::setCredentialToReloadWhenUpdated(sp<Credential> credential) {
credentialToReloadWhenUpdated_ = credential;
}
Status WritableCredential::ensureAttestationCertificateExists(const vector<uint8_t>& challenge) {
if (!attestationCertificate_.empty()) {
return Status::ok();
}
const int32_t callingUid = IPCThreadState::self()->getCallingUid();
auto asn1AttestationId = android::security::gather_attestation_application_id(callingUid);
if (!asn1AttestationId.isOk()) {
LOG(ERROR) << "Failed gathering AttestionApplicationId";
return Status::fromServiceSpecificError(ICredentialStore::ERROR_GENERIC,
"Failed gathering AttestionApplicationId");
}
vector<Certificate> certificateChain;
Status status = halBinder_->getAttestationCertificate(asn1AttestationId.value(), challenge,
&certificateChain);
if (!status.isOk()) {
LOG(ERROR) << "Error calling getAttestationCertificate()";
return halStatusToGenericError(status);
}
vector<vector<uint8_t>> splitCerts;
for (const auto& cert : certificateChain) {
splitCerts.push_back(cert.encodedCertificate);
}
attestationCertificate_ =
::android::hardware::identity::support::certificateChainJoin(splitCerts);
return Status::ok();
}
Status WritableCredential::getCredentialKeyCertificateChain(const vector<uint8_t>& challenge,
vector<uint8_t>* _aidl_return) {
if (isUpdate_) {
return Status::fromServiceSpecificError(ICredentialStore::ERROR_GENERIC,
"Cannot be called for an update");
}
Status ensureStatus = ensureAttestationCertificateExists(challenge);
if (!ensureStatus.isOk()) {
return ensureStatus;
}
*_aidl_return = attestationCertificate_;
return Status::ok();
}
void WritableCredential::setAttestationCertificate(const vector<uint8_t>& attestationCertificate) {
attestationCertificate_ = attestationCertificate;
}
void WritableCredential::setAvailableAuthenticationKeys(int keyCount, int maxUsesPerKey) {
keyCount_ = keyCount;
maxUsesPerKey_ = maxUsesPerKey;
}
ssize_t WritableCredential::calcExpectedProofOfProvisioningSize(
const vector<AccessControlProfileParcel>& accessControlProfiles,
const vector<EntryNamespaceParcel>& entryNamespaces) {
// Right now, we calculate the size by simply just calculating the
// CBOR. There's a little bit of overhead associated with this (as compared
// to just adding up sizes) but it's a lot simpler and robust. In the future
// if this turns out to be a problem, we can optimize it.
//
cppbor::Array acpArray;
for (const AccessControlProfileParcel& profile : accessControlProfiles) {
cppbor::Map map;
map.add("id", profile.id);
if (profile.readerCertificate.size() > 0) {
map.add("readerCertificate", cppbor::Bstr(profile.readerCertificate));
}
if (profile.userAuthenticationRequired) {
map.add("userAuthenticationRequired", profile.userAuthenticationRequired);
map.add("timeoutMillis", profile.userAuthenticationTimeoutMillis);
}
acpArray.add(std::move(map));
}
cppbor::Map dataMap;
for (const EntryNamespaceParcel& ensParcel : entryNamespaces) {
cppbor::Array entriesArray;
for (const EntryParcel& eParcel : ensParcel.entries) {
// TODO: ideally do do this without parsing the data (but still validate data is valid
// CBOR).
auto [itemForValue, _, _2] = cppbor::parse(eParcel.value);
if (itemForValue == nullptr) {
return -1;
}
cppbor::Map entryMap;
entryMap.add("name", eParcel.name);
entryMap.add("value", std::move(itemForValue));
cppbor::Array acpIdsArray;
for (int32_t id : eParcel.accessControlProfileIds) {
acpIdsArray.add(id);
}
entryMap.add("accessControlProfiles", std::move(acpIdsArray));
entriesArray.add(std::move(entryMap));
}
dataMap.add(ensParcel.namespaceName, std::move(entriesArray));
}
cppbor::Array array;
array.add("ProofOfProvisioning");
array.add(docType_);
array.add(std::move(acpArray));
array.add(std::move(dataMap));
array.add(false); // testCredential
return array.encode().size();
}
Status
WritableCredential::personalize(const vector<AccessControlProfileParcel>& accessControlProfiles,
const vector<EntryNamespaceParcel>& entryNamespaces,
int64_t secureUserId, vector<uint8_t>* _aidl_return) {
if (!isUpdate_) {
Status ensureStatus =
ensureAttestationCertificateExists({0x00}); // Challenge cannot be empty.
if (!ensureStatus.isOk()) {
return ensureStatus;
}
}
uid_t callingUid = android::IPCThreadState::self()->getCallingUid();
CredentialData data = CredentialData(dataPath_, callingUid, credentialName_);
// Note: The value 0 is used to convey that no user-authentication is needed for this
// credential. This is to allow creating credentials w/o user authentication on devices
// where Secure lock screen is not enabled.
data.setSecureUserId(secureUserId);
data.setAttestationCertificate(attestationCertificate_);
vector<int32_t> entryCounts;
for (const EntryNamespaceParcel& ensParcel : entryNamespaces) {
entryCounts.push_back(ensParcel.entries.size());
}
ssize_t expectedPoPSize =
calcExpectedProofOfProvisioningSize(accessControlProfiles, entryNamespaces);
if (expectedPoPSize < 0) {
return Status::fromServiceSpecificError(ICredentialStore::ERROR_GENERIC,
"Data is not valid CBOR");
}
// This is not catastrophic, we might be dealing with a version 1 implementation which
// doesn't have this method.
Status status = halBinder_->setExpectedProofOfProvisioningSize(expectedPoPSize);
if (!status.isOk()) {
LOG(INFO) << "Failed setting expected ProofOfProvisioning size, assuming V1 HAL "
<< "and continuing";
}
status = halBinder_->startPersonalization(accessControlProfiles.size(), entryCounts);
if (!status.isOk()) {
return halStatusToGenericError(status);
}
for (const AccessControlProfileParcel& acpParcel : accessControlProfiles) {
Certificate certificate;
certificate.encodedCertificate = acpParcel.readerCertificate;
SecureAccessControlProfile profile;
status = halBinder_->addAccessControlProfile(
acpParcel.id, certificate, acpParcel.userAuthenticationRequired,
acpParcel.userAuthenticationTimeoutMillis, secureUserId, &profile);
if (!status.isOk()) {
return halStatusToGenericError(status);
}
data.addSecureAccessControlProfile(profile);
}
for (const EntryNamespaceParcel& ensParcel : entryNamespaces) {
for (const EntryParcel& eParcel : ensParcel.entries) {
vector<vector<uint8_t>> chunks = chunkVector(eParcel.value, hwInfo_.dataChunkSize);
vector<int32_t> ids;
std::copy(eParcel.accessControlProfileIds.begin(),
eParcel.accessControlProfileIds.end(), std::back_inserter(ids));
status = halBinder_->beginAddEntry(ids, ensParcel.namespaceName, eParcel.name,
eParcel.value.size());
if (!status.isOk()) {
return halStatusToGenericError(status);
}
vector<vector<uint8_t>> encryptedChunks;
for (const auto& chunk : chunks) {
vector<uint8_t> encryptedChunk;
status = halBinder_->addEntryValue(chunk, &encryptedChunk);
if (!status.isOk()) {
return halStatusToGenericError(status);
}
encryptedChunks.push_back(encryptedChunk);
}
EntryData eData;
eData.size = eParcel.value.size();
eData.accessControlProfileIds = std::move(ids);
eData.encryptedChunks = std::move(encryptedChunks);
data.addEntryData(ensParcel.namespaceName, eParcel.name, eData);
}
}
vector<uint8_t> credentialData;
vector<uint8_t> proofOfProvisioningSignature;
status = halBinder_->finishAddingEntries(&credentialData, &proofOfProvisioningSignature);
if (!status.isOk()) {
return halStatusToGenericError(status);
}
data.setCredentialData(credentialData);
data.setAvailableAuthenticationKeys(keyCount_, maxUsesPerKey_);
if (!data.saveToDisk()) {
return Status::fromServiceSpecificError(ICredentialStore::ERROR_GENERIC,
"Error saving credential data to disk");
}
if (credentialToReloadWhenUpdated_) {
credentialToReloadWhenUpdated_->writableCredentialPersonalized();
credentialToReloadWhenUpdated_.clear();
}
*_aidl_return = proofOfProvisioningSignature;
return Status::ok();
}
} // namespace identity
} // namespace security
} // namespace android