diff options
author | TreeHugger Robot <treehugger-gerrit@google.com> | 2021-06-30 19:14:12 +0000 |
---|---|---|
committer | Android (Google) Code Review <android-gerrit@google.com> | 2021-06-30 19:14:12 +0000 |
commit | 90a2b2780fe1c88935e5614c3c6c34c54e266c79 (patch) | |
tree | 83912dfd6bfa9c722fdcd56959c2bb0fdebd64be | |
parent | ff8321a2efa2b9abdf1ef6009af99b9737f5717b (diff) | |
parent | c76cd824fd767e6fad40594ca83b35f4e6a7a403 (diff) | |
download | security-90a2b2780fe1c88935e5614c3c6c34c54e266c79.tar.gz |
Merge "Add JSON output to the RKP factory tool" into sc-dev
-rw-r--r-- | provisioner/rkp_factory_extraction_tool.cpp | 41 |
1 files changed, 33 insertions, 8 deletions
diff --git a/provisioner/rkp_factory_extraction_tool.cpp b/provisioner/rkp_factory_extraction_tool.cpp index a6c7d728..bf6b9a6b 100644 --- a/provisioner/rkp_factory_extraction_tool.cpp +++ b/provisioner/rkp_factory_extraction_tool.cpp @@ -37,6 +37,7 @@ using aidl::android::hardware::security::keymint::MacedPublicKey; using aidl::android::hardware::security::keymint::ProtectedData; using aidl::android::hardware::security::keymint::remote_prov::generateEekChain; using aidl::android::hardware::security::keymint::remote_prov::getProdEekChain; +using aidl::android::hardware::security::keymint::remote_prov::jsonEncodeCsrWithBuild; using android::vintf::HalManifest; using android::vintf::VintfObject; @@ -46,12 +47,19 @@ using namespace cppcose; DEFINE_bool(test_mode, false, "If enabled, a fake EEK key/cert are used."); +DEFINE_string(output_format, "csr", "How to format the output. Defaults to 'csr'."); + namespace { const string kPackage = "android.hardware.security.keymint"; const string kInterface = "IRemotelyProvisionedComponent"; const string kFormattedName = kPackage + "." + kInterface + "/"; +// Various supported --output_format values. +constexpr std::string_view kBinaryCsrOutput = "csr"; // Just the raw csr as binary +constexpr std::string_view kBuildPlusCsr = "build+csr"; // Text-encoded (JSON) build + // fingerprint plus CSR. + constexpr size_t kChallengeSize = 16; std::vector<uint8_t> generateChallenge() { @@ -71,9 +79,8 @@ std::vector<uint8_t> generateChallenge() { return challenge; } -std::vector<uint8_t> composeCertificateRequest(ProtectedData&& protectedData, - DeviceInfo&& deviceInfo, - const std::vector<uint8_t>& challenge) { +Array composeCertificateRequest(ProtectedData&& protectedData, DeviceInfo&& deviceInfo, + const std::vector<uint8_t>& challenge) { Array emptyMacedKeysToSign; emptyMacedKeysToSign .add(std::vector<uint8_t>(0)) // empty protected headers as bstr @@ -85,7 +92,7 @@ std::vector<uint8_t> composeCertificateRequest(ProtectedData&& protectedData, .add(challenge) .add(EncodedItem(std::move(protectedData.protectedData))) .add(std::move(emptyMacedKeysToSign)); - return certificateRequest.encode(); + return certificateRequest; } int32_t errorMsg(string name) { @@ -106,6 +113,26 @@ std::vector<uint8_t> getEekChain() { return getProdEekChain(); } +void writeOutput(const Array& csr) { + if (FLAGS_output_format == kBinaryCsrOutput) { + auto bytes = csr.encode(); + std::copy(bytes.begin(), bytes.end(), std::ostream_iterator<char>(std::cout)); + } else if (FLAGS_output_format == kBuildPlusCsr) { + auto [json, error] = jsonEncodeCsrWithBuild(csr); + if (!error.empty()) { + std::cerr << "Error JSON encoding the output: " << error; + exit(1); + } + std::cout << json << std::endl; + } else { + std::cerr << "Unexpected output_format '" << FLAGS_output_format << "'" << std::endl; + std::cerr << "Valid formats:" << std::endl; + std::cerr << " " << kBinaryCsrOutput << std::endl; + std::cerr << " " << kBuildPlusCsr << std::endl; + exit(1); + } +} + } // namespace int main(int argc, char** argv) { @@ -140,10 +167,8 @@ int main(int argc, char** argv) { ALOGE("Bundle extraction failed. Error code: %d", status.getServiceSpecificError()); return errorMsg(name); } - std::vector<uint8_t> certificateRequest = composeCertificateRequest( - std::move(protectedData), std::move(deviceInfo), challenge); - std::copy(certificateRequest.begin(), certificateRequest.end(), - std::ostream_iterator<char>(std::cout)); + writeOutput(composeCertificateRequest(std::move(protectedData), std::move(deviceInfo), + challenge)); } } } |