diff options
author | David Zeuthen <zeuthen@google.com> | 2020-01-30 16:20:07 -0500 |
---|---|---|
committer | David Zeuthen <zeuthen@google.com> | 2020-01-31 16:23:30 -0500 |
commit | f2a28671b0dd117d92f480fba3c75375edb34a5d (patch) | |
tree | 9c83505e240dda4f2c38a5607b7ad67bb538eff3 | |
parent | 662e346347345b90298ba73a90749ed29c03c854 (diff) | |
download | security-f2a28671b0dd117d92f480fba3c75375edb34a5d.tar.gz |
Factor keystore_attestation_id into library and also use this in credstore.
This was needed because credstore needs to generate and pass the
generated AttestationApplicationId to the Identity Credential HAL.
Bug: 111446262
Test: atest android.security.identity.cts
Test: VtsHalIdentityCredentialTargetTest
Test: android.hardware.identity-support-lib-test
Change-Id: Id22b85ca083e23c7e1fbd3459910fba37a5db137
-rw-r--r-- | identity/Android.bp | 1 | ||||
-rw-r--r-- | identity/WritableCredential.cpp | 21 | ||||
-rw-r--r-- | keystore/Android.bp | 38 | ||||
-rw-r--r-- | keystore/include/keystore/keystore_attestation_id.h (renamed from keystore/keystore_attestation_id.h) | 2 | ||||
-rw-r--r-- | keystore/key_store_service.cpp | 2 | ||||
-rw-r--r-- | keystore/keystore_attestation_id.cpp | 3 | ||||
-rw-r--r-- | keystore/tests/Android.bp | 1 | ||||
-rw-r--r-- | keystore/tests/aaid_truncation_test.cpp | 2 |
8 files changed, 50 insertions, 20 deletions
diff --git a/identity/Android.bp b/identity/Android.bp index 240e107e..ad9bd72d 100644 --- a/identity/Android.bp +++ b/identity/Android.bp @@ -37,6 +37,7 @@ cc_binary { "libhidlbase", "android.hardware.identity-support-lib", "libkeymaster4support", + "libkeystore-attestation-application-id", ], static_libs: [ "libcppbor", diff --git a/identity/WritableCredential.cpp b/identity/WritableCredential.cpp index f58ec166..86c604d2 100644 --- a/identity/WritableCredential.cpp +++ b/identity/WritableCredential.cpp @@ -17,15 +17,12 @@ #define LOG_TAG "WritableCredential" #include <android-base/logging.h> - #include <android/hardware/identity/support/IdentityCredentialSupport.h> - #include <android/security/identity/ICredentialStore.h> - #include <binder/IPCThreadState.h> - #include <cppbor.h> #include <cppbor_parse.h> +#include <keystore/keystore_attestation_id.h> #include "CredentialData.h" #include "Util.h" @@ -60,11 +57,23 @@ Status WritableCredential::ensureAttestationCertificateExists(const vector<uint8 return Status::ok(); } + const int32_t callingUid = IPCThreadState::self()->getCallingUid(); + auto asn1AttestationId = android::security::gather_attestation_application_id(callingUid); + if (!asn1AttestationId.isOk()) { + LOG(ERROR) << "Failed gathering AttestionApplicationId"; + return Status::fromServiceSpecificError(ICredentialStore::ERROR_GENERIC, + "Failed gathering AttestionApplicationId"); + } + Result result; halBinder_->getAttestationCertificate( - challenge, [&](const Result& _result, const hidl_vec<uint8_t>& _attestationCertificate) { + asn1AttestationId.value(), challenge, + [&](const Result& _result, const hidl_vec<hidl_vec<uint8_t>>& _splitCerts) { result = _result; - attestationCertificate = _attestationCertificate; + vector<vector<uint8_t>> splitCerts; + std::copy(_splitCerts.begin(), _splitCerts.end(), std::back_inserter(splitCerts)); + attestationCertificate = + ::android::hardware::identity::support::certificateChainJoin(splitCerts); }); if (result.code != ResultCode::OK) { LOG(ERROR) << "Error calling getAttestationCertificate()"; diff --git a/keystore/Android.bp b/keystore/Android.bp index f3a7531a..c0aeedaa 100644 --- a/keystore/Android.bp +++ b/keystore/Android.bp @@ -29,7 +29,6 @@ cc_binary { defaults: ["keystore_defaults"], srcs: [ - ":IKeyAttestationApplicationIdProvider.aidl", "KeyStore.cpp", "auth_token_table.cpp", "blob.cpp", @@ -41,7 +40,6 @@ cc_binary { "keyblob_utils.cpp", "keymaster_enforcement.cpp", "keymaster_worker.cpp", - "keystore_attestation_id.cpp", "keystore_main.cpp", "keystore_utils.cpp", "legacy_keymaster_device_wrapper.cpp", @@ -64,6 +62,7 @@ cc_binary { "libkeymaster4support", "libkeymaster_messages", "libkeymaster_portable", + "libkeystore-attestation-application-id", "libkeystore_aidl", "libkeystore_binder", "libkeystore_parcelables", @@ -144,13 +143,10 @@ cc_library_shared { defaults: ["keystore_defaults"], export_include_dirs: ["include"], srcs: [ - "KeyAttestationApplicationId.cpp", - "KeyAttestationPackageInfo.cpp", "KeymasterArguments.cpp", "keystore_aidl_hidl_marshalling_utils.cpp", "KeystoreResponse.cpp", "OperationResult.cpp", - "Signature.cpp", ], shared_libs: [ "android.hardware.keymaster@4.0", @@ -161,6 +157,7 @@ cc_library_shared { "liblog", "libprotobuf-cpp-lite", "libutils", + "libkeystore-attestation-application-id", ], export_shared_lib_headers: [ "android.hardware.keymaster@4.0", @@ -210,6 +207,31 @@ cc_library_shared { ], } +// Library used by both keystore and credstore for generating the ASN.1 stored +// in Tag::ATTESTATION_APPLICATION_ID +cc_library_shared { + name: "libkeystore-attestation-application-id", + defaults: ["keystore_defaults"], + + srcs: [ + ":IKeyAttestationApplicationIdProvider.aidl", + "keystore_attestation_id.cpp", + "KeyAttestationApplicationId.cpp", + "KeyAttestationPackageInfo.cpp", + "Signature.cpp", + ], + shared_libs: [ + "libbase", + "libbinder", + "libhidlbase", + "liblog", + "libutils", + "libcrypto", + ], + + export_include_dirs: ["include"], +} + // Library for keystore clients using the WiFi HIDL interface cc_library_shared { name: "libkeystore-wifi-hidl", @@ -235,13 +257,8 @@ cc_library_static { defaults: ["keystore_defaults"], srcs: [ - ":IKeyAttestationApplicationIdProvider.aidl", "auth_token_table.cpp", "blob.cpp", - "keystore_attestation_id.cpp", - "KeyAttestationApplicationId.cpp", - "KeyAttestationPackageInfo.cpp", - "Signature.cpp", ], cflags: [ "-O0", ], static_libs: ["libgtest_main"], @@ -251,6 +268,7 @@ cc_library_static { "libcrypto", "libhidlbase", "libkeymaster4support", + "libkeystore-attestation-application-id", "libutils", "libkeystore_aidl", "libkeystore_parcelables", diff --git a/keystore/keystore_attestation_id.h b/keystore/include/keystore/keystore_attestation_id.h index 63015ee7..238f4b12 100644 --- a/keystore/keystore_attestation_id.h +++ b/keystore/include/keystore/keystore_attestation_id.h @@ -51,7 +51,7 @@ template <typename T> class StatusOr { ::android::status_t status() const { return _status; } - const T& value() const & { return _value; } + const T& value() const& { return _value; } T& value() & { return _value; } T&& value() && { return std::move(_value); } diff --git a/keystore/key_store_service.cpp b/keystore/key_store_service.cpp index 5bc5a78d..01489d91 100644 --- a/keystore/key_store_service.cpp +++ b/keystore/key_store_service.cpp @@ -42,9 +42,9 @@ #include "defaults.h" #include "key_proto_handler.h" -#include "keystore_attestation_id.h" #include "keystore_keymaster_enforcement.h" #include "keystore_utils.h" +#include <keystore/keystore_attestation_id.h> #include <keystore/keystore_hidl_support.h> #include <keystore/keystore_return_types.h> diff --git a/keystore/keystore_attestation_id.cpp b/keystore/keystore_attestation_id.cpp index b48639f3..3d9e87ec 100644 --- a/keystore/keystore_attestation_id.cpp +++ b/keystore/keystore_attestation_id.cpp @@ -13,7 +13,8 @@ * See the License for the specific language governing permissions and * limitations under the License. */ -#include "keystore_attestation_id.h" + +#include <keystore/keystore_attestation_id.h> #define LOG_TAG "keystore_att_id" diff --git a/keystore/tests/Android.bp b/keystore/tests/Android.bp index bbcc1c2f..edeb8e53 100644 --- a/keystore/tests/Android.bp +++ b/keystore/tests/Android.bp @@ -31,6 +31,7 @@ cc_test { shared_libs: [ "libbinder", "libkeymaster_messages", + "libkeystore-attestation-application-id", "libvndksupport", ], sanitize: { diff --git a/keystore/tests/aaid_truncation_test.cpp b/keystore/tests/aaid_truncation_test.cpp index e5d5e9f6..45c54df4 100644 --- a/keystore/tests/aaid_truncation_test.cpp +++ b/keystore/tests/aaid_truncation_test.cpp @@ -19,8 +19,8 @@ #include <string> #include <utils/String16.h> -#include "../keystore_attestation_id.h" #include <keymaster/logger.h> +#include <keystore/keystore_attestation_id.h> #include <keystore/KeyAttestationApplicationId.h> #include <keystore/KeyAttestationPackageInfo.h> |