diff options
author | Tri Vo <trong@google.com> | 2023-01-31 14:11:15 -0800 |
---|---|---|
committer | Tri Vo <trong@google.com> | 2023-03-03 15:26:16 -0800 |
commit | 190a43b9793714288fff72f88bc310c5fb2056cd (patch) | |
tree | 986617ce3a47516b2bb18a74f3c2031781bbac69 /identity | |
parent | 467f8980bdd416cb683c41f23ebe31ed83639781 (diff) | |
download | security-190a43b9793714288fff72f88bc310c5fb2056cd.tar.gz |
identity: Remove IRemotelyProvisionedKeyPool usage
Test: m credstore
Change-Id: I5aa0a389083b28cb51dbd47297403b955104b8a6
Diffstat (limited to 'identity')
-rw-r--r-- | identity/Android.bp | 1 | ||||
-rw-r--r-- | identity/CredentialStore.cpp | 79 | ||||
-rw-r--r-- | identity/CredentialStore.h | 2 |
3 files changed, 21 insertions, 61 deletions
diff --git a/identity/Android.bp b/identity/Android.bp index 4f203e6a..ecf667db 100644 --- a/identity/Android.bp +++ b/identity/Android.bp @@ -47,7 +47,6 @@ cc_binary { "android.hardware.identity-support-lib", "android.hardware.keymaster@4.0", "android.security.authorization-ndk", - "android.security.remoteprovisioning-cpp", "libbase", "libbinder", "libbinder_ndk", diff --git a/identity/CredentialStore.cpp b/identity/CredentialStore.cpp index e2b3cf46..e200cb57 100644 --- a/identity/CredentialStore.cpp +++ b/identity/CredentialStore.cpp @@ -20,11 +20,8 @@ #include <optional> #include <android-base/logging.h> -#include <android-base/properties.h> #include <android/hardware/security/keymint/IRemotelyProvisionedComponent.h> #include <android/hardware/security/keymint/RpcHardwareInfo.h> -#include <android/security/remoteprovisioning/IRemotelyProvisionedKeyPool.h> -#include <android/security/remoteprovisioning/RemotelyProvisionedKey.h> #include <binder/IPCThreadState.h> #include <binder/IServiceManager.h> #include <vintf/VintfObject.h> @@ -42,14 +39,8 @@ namespace security { namespace identity { namespace { -using ::android::security::remoteprovisioning::IRemotelyProvisionedKeyPool; using ::android::security::rkp::IRemoteProvisioning; -bool useRkpd() { - return android::base::GetBoolProperty("remote_provisioning.enable_rkpd", - /*default_value=*/true); -} - } // namespace CredentialStore::CredentialStore(const std::string& dataPath, sp<IIdentityCredentialStore> hal) @@ -189,61 +180,33 @@ Status CredentialStore::setRemotelyProvisionedAttestationKey( std::vector<uint8_t> encodedCertChain; Status status; - if (useRkpd()) { - LOG(INFO) << "Fetching attestation key from RKPD"; - - uid_t callingUid = android::IPCThreadState::self()->getCallingUid(); - auto rpcKeyFuture = getRpcKeyFuture(rpc_, callingUid); - if (!rpcKeyFuture) { - return Status::fromServiceSpecificError(ERROR_GENERIC, "Error in getRpcKeyFuture()"); - } - - if (rpcKeyFuture->wait_for(std::chrono::seconds(10)) != std::future_status::ready) { - return Status::fromServiceSpecificError( - ERROR_GENERIC, "Waiting for remotely provisioned attestation key timed out"); - } - - std::optional<::android::security::rkp::RemotelyProvisionedKey> key = rpcKeyFuture->get(); - if (!key) { - return Status::fromServiceSpecificError( - ERROR_GENERIC, "Failed to get remotely provisioned attestation key"); - } - - if (key->keyBlob.empty()) { - return Status::fromServiceSpecificError( - ERROR_GENERIC, "Remotely provisioned attestation key blob is empty"); - } + LOG(INFO) << "Fetching attestation key from RKPD"; - keyBlob = std::move(key->keyBlob); - encodedCertChain = std::move(key->encodedCertChain); - } else { - LOG(INFO) << "Fetching attestation key from remotely provisioned key pool."; - - sp<IRemotelyProvisionedKeyPool> keyPool = - android::waitForService<IRemotelyProvisionedKeyPool>( - IRemotelyProvisionedKeyPool::descriptor); - if (!keyPool) { - return Status::fromServiceSpecificError( - ERROR_GENERIC, "Error getting IRemotelyProvisionedKeyPool HAL"); - } + uid_t callingUid = android::IPCThreadState::self()->getCallingUid(); + auto rpcKeyFuture = getRpcKeyFuture(rpc_, callingUid); + if (!rpcKeyFuture) { + return Status::fromServiceSpecificError(ERROR_GENERIC, "Error in getRpcKeyFuture()"); + } - std::optional<std::string> rpcId = getRpcId(rpc_); - if (!rpcId) { - return Status::fromServiceSpecificError( - ERROR_GENERIC, "Error getting remotely provisioned component id"); - } + if (rpcKeyFuture->wait_for(std::chrono::seconds(10)) != std::future_status::ready) { + return Status::fromServiceSpecificError( + ERROR_GENERIC, "Waiting for remotely provisioned attestation key timed out"); + } - uid_t callingUid = android::IPCThreadState::self()->getCallingUid(); - ::android::security::remoteprovisioning::RemotelyProvisionedKey key; - Status status = keyPool->getAttestationKey(callingUid, *rpcId, &key); - if (!status.isOk()) { - return status; - } + std::optional<::android::security::rkp::RemotelyProvisionedKey> key = rpcKeyFuture->get(); + if (!key) { + return Status::fromServiceSpecificError( + ERROR_GENERIC, "Failed to get remotely provisioned attestation key"); + } - keyBlob = std::move(key.keyBlob); - encodedCertChain = std::move(key.encodedCertChain); + if (key->keyBlob.empty()) { + return Status::fromServiceSpecificError( + ERROR_GENERIC, "Remotely provisioned attestation key blob is empty"); } + keyBlob = std::move(key->keyBlob); + encodedCertChain = std::move(key->encodedCertChain); + status = halWritableCredential->setRemotelyProvisionedAttestationKey(keyBlob, encodedCertChain); if (!status.isOk()) { LOG(ERROR) << "Error setting remotely provisioned attestation key on credential"; diff --git a/identity/CredentialStore.h b/identity/CredentialStore.h index 57c94e04..32c99755 100644 --- a/identity/CredentialStore.h +++ b/identity/CredentialStore.h @@ -22,7 +22,6 @@ #include <android/hardware/identity/IIdentityCredentialStore.h> #include <android/security/identity/BnCredentialStore.h> -#include <android/security/remoteprovisioning/IRemotelyProvisionedKeyPool.h> #include <android/security/rkp/IRemoteProvisioning.h> namespace android { @@ -41,7 +40,6 @@ using ::android::hardware::identity::IIdentityCredentialStore; using ::android::hardware::identity::IPresentationSession; using ::android::hardware::identity::IWritableIdentityCredential; using ::android::hardware::security::keymint::IRemotelyProvisionedComponent; -using ::android::security::remoteprovisioning::IRemotelyProvisionedKeyPool; class CredentialStore : public BnCredentialStore { public: |