identity: Remove IRemotelyProvisionedKeyPool usage

Test: m credstore Change-Id: I5aa0a389083b28cb51dbd47297403b955104b8a6
author: Tri Vo <trong@google.com> 2023-01-31 14:11:15 -0800
committer: Tri Vo <trong@google.com> 2023-03-03 15:26:16 -0800
commit: 190a43b9793714288fff72f88bc310c5fb2056cd (patch)
tree: 986617ce3a47516b2bb18a74f3c2031781bbac69 /identity
parent: 467f8980bdd416cb683c41f23ebe31ed83639781 (diff)
download: security-190a43b9793714288fff72f88bc310c5fb2056cd.tar.gz
3 files changed, 21 insertions, 61 deletions
diff --git a/identity/Android.bp b/identity/Android.bp
index 4f203e6a..ecf667db 100644
--- a/identity/Android.bp
+++ b/identity/Android.bp
@@ -47,7 +47,6 @@ cc_binary {
         "android.hardware.identity-support-lib",
         "android.hardware.keymaster@4.0",
         "android.security.authorization-ndk",
-        "android.security.remoteprovisioning-cpp",
         "libbase",
         "libbinder",
         "libbinder_ndk",
diff --git a/identity/CredentialStore.cpp b/identity/CredentialStore.cpp
index e2b3cf46..e200cb57 100644
--- a/identity/CredentialStore.cpp
+++ b/identity/CredentialStore.cpp
@@ -20,11 +20,8 @@
 #include <optional>
 
 #include <android-base/logging.h>
-#include <android-base/properties.h>
 #include <android/hardware/security/keymint/IRemotelyProvisionedComponent.h>
 #include <android/hardware/security/keymint/RpcHardwareInfo.h>
-#include <android/security/remoteprovisioning/IRemotelyProvisionedKeyPool.h>
-#include <android/security/remoteprovisioning/RemotelyProvisionedKey.h>
 #include <binder/IPCThreadState.h>
 #include <binder/IServiceManager.h>
 #include <vintf/VintfObject.h>
@@ -42,14 +39,8 @@ namespace security {
 namespace identity {
 namespace {
 
-using ::android::security::remoteprovisioning::IRemotelyProvisionedKeyPool;
 using ::android::security::rkp::IRemoteProvisioning;
 
-bool useRkpd() {
-    return android::base::GetBoolProperty("remote_provisioning.enable_rkpd",
-                                          /*default_value=*/true);
-}
-
 }  // namespace
 
 CredentialStore::CredentialStore(const std::string& dataPath, sp<IIdentityCredentialStore> hal)
@@ -189,61 +180,33 @@ Status CredentialStore::setRemotelyProvisionedAttestationKey(
     std::vector<uint8_t> encodedCertChain;
     Status status;
 
-    if (useRkpd()) {
-        LOG(INFO) << "Fetching attestation key from RKPD";
-
-        uid_t callingUid = android::IPCThreadState::self()->getCallingUid();
-        auto rpcKeyFuture = getRpcKeyFuture(rpc_, callingUid);
-        if (!rpcKeyFuture) {
-            return Status::fromServiceSpecificError(ERROR_GENERIC, "Error in getRpcKeyFuture()");
-        }
-
-        if (rpcKeyFuture->wait_for(std::chrono::seconds(10)) != std::future_status::ready) {
-            return Status::fromServiceSpecificError(
-                ERROR_GENERIC, "Waiting for remotely provisioned attestation key timed out");
-        }
-
-        std::optional<::android::security::rkp::RemotelyProvisionedKey> key = rpcKeyFuture->get();
-        if (!key) {
-            return Status::fromServiceSpecificError(
-                ERROR_GENERIC, "Failed to get remotely provisioned attestation key");
-        }
-
-        if (key->keyBlob.empty()) {
-            return Status::fromServiceSpecificError(
-                ERROR_GENERIC, "Remotely provisioned attestation key blob is empty");
-        }
+    LOG(INFO) << "Fetching attestation key from RKPD";
 
-        keyBlob = std::move(key->keyBlob);
-        encodedCertChain = std::move(key->encodedCertChain);
-    } else {
-        LOG(INFO) << "Fetching attestation key from remotely provisioned key pool.";
-
-        sp<IRemotelyProvisionedKeyPool> keyPool =
-            android::waitForService<IRemotelyProvisionedKeyPool>(
-                IRemotelyProvisionedKeyPool::descriptor);
-        if (!keyPool) {
-            return Status::fromServiceSpecificError(
-                ERROR_GENERIC, "Error getting IRemotelyProvisionedKeyPool HAL");
-        }
+    uid_t callingUid = android::IPCThreadState::self()->getCallingUid();
+    auto rpcKeyFuture = getRpcKeyFuture(rpc_, callingUid);
+    if (!rpcKeyFuture) {
+        return Status::fromServiceSpecificError(ERROR_GENERIC, "Error in getRpcKeyFuture()");
+    }
 
-        std::optional<std::string> rpcId = getRpcId(rpc_);
-        if (!rpcId) {
-            return Status::fromServiceSpecificError(
-                ERROR_GENERIC, "Error getting remotely provisioned component id");
-        }
+    if (rpcKeyFuture->wait_for(std::chrono::seconds(10)) != std::future_status::ready) {
+        return Status::fromServiceSpecificError(
+            ERROR_GENERIC, "Waiting for remotely provisioned attestation key timed out");
+    }
 
-        uid_t callingUid = android::IPCThreadState::self()->getCallingUid();
-        ::android::security::remoteprovisioning::RemotelyProvisionedKey key;
-        Status status = keyPool->getAttestationKey(callingUid, *rpcId, &key);
-        if (!status.isOk()) {
-            return status;
-        }
+    std::optional<::android::security::rkp::RemotelyProvisionedKey> key = rpcKeyFuture->get();
+    if (!key) {
+        return Status::fromServiceSpecificError(
+            ERROR_GENERIC, "Failed to get remotely provisioned attestation key");
+    }
 
-        keyBlob = std::move(key.keyBlob);
-        encodedCertChain = std::move(key.encodedCertChain);
+    if (key->keyBlob.empty()) {
+        return Status::fromServiceSpecificError(
+            ERROR_GENERIC, "Remotely provisioned attestation key blob is empty");
     }
 
+    keyBlob = std::move(key->keyBlob);
+    encodedCertChain = std::move(key->encodedCertChain);
+
     status = halWritableCredential->setRemotelyProvisionedAttestationKey(keyBlob, encodedCertChain);
     if (!status.isOk()) {
         LOG(ERROR) << "Error setting remotely provisioned attestation key on credential";
diff --git a/identity/CredentialStore.h b/identity/CredentialStore.h
index 57c94e04..32c99755 100644
--- a/identity/CredentialStore.h
+++ b/identity/CredentialStore.h
@@ -22,7 +22,6 @@
 
 #include <android/hardware/identity/IIdentityCredentialStore.h>
 #include <android/security/identity/BnCredentialStore.h>
-#include <android/security/remoteprovisioning/IRemotelyProvisionedKeyPool.h>
 #include <android/security/rkp/IRemoteProvisioning.h>
 
 namespace android {
@@ -41,7 +40,6 @@ using ::android::hardware::identity::IIdentityCredentialStore;
 using ::android::hardware::identity::IPresentationSession;
 using ::android::hardware::identity::IWritableIdentityCredential;
 using ::android::hardware::security::keymint::IRemotelyProvisionedComponent;
-using ::android::security::remoteprovisioning::IRemotelyProvisionedKeyPool;
 
 class CredentialStore : public BnCredentialStore {
   public:
author	Tri Vo <trong@google.com>	2023-01-31 14:11:15 -0800
committer	Tri Vo <trong@google.com>	2023-03-03 15:26:16 -0800
commit	190a43b9793714288fff72f88bc310c5fb2056cd (patch)
tree	986617ce3a47516b2bb18a74f3c2031781bbac69 /identity
parent	467f8980bdd416cb683c41f23ebe31ed83639781 (diff)
download	security-190a43b9793714288fff72f88bc310c5fb2056cd.tar.gz