authorAlice Wang <aliceywang@google.com>2023-11-07 14:27:49 +0000
committerAlice Wang <aliceywang@google.com>2023-11-13 10:31:08 +0000
commit01c16b61420530cdb4cad72938f67bfd56762698 (patch)
tree0ee25a439050028da1b0b607ee32946f735d8fd9 /keystore2
parent849cfe4347e913dfc05ed10cb3db4cad1f729be5 (diff)
[rkpd] Refactor rkpd_client into an independent lib for reuse
This allows rkpd_client to be reused by both keystore2 and AVF pVM remote attestation. Test: atest keystore2_test librkpd_client.test Bug: 241428146 Change-Id: Ibdf95c4deb2ba499daaecd170c2971cda4e80bba
Diffstat (limited to 'keystore2')
-rw-r--r--keystore2/Android.bp1
-rw-r--r--keystore2/TEST_MAPPING3
-rw-r--r--keystore2/rkpd_client/Android.bp51
-rw-r--r--keystore2/rkpd_client/src/lib.rs (renamed from keystore2/src/rkpd_client.rs)0
-rw-r--r--keystore2/src/error.rs2
-rw-r--r--keystore2/src/lib.rs1
-rw-r--r--keystore2/src/remote_provisioning.rs2
-rw-r--r--keystore2/src/security_level.rs4
8 files changed, 59 insertions, 5 deletions
diff --git a/keystore2/Android.bp b/keystore2/Android.bp
index e59b6f24..c378b426 100644
--- a/keystore2/Android.bp
+++ b/keystore2/Android.bp
@@ -58,6 +58,7 @@ rust_defaults {
"liblog_rust",
"libmessage_macro",
"librand",
+ "librkpd_client",
"librustutils",
"libserde",
"libserde_cbor",
diff --git a/keystore2/TEST_MAPPING b/keystore2/TEST_MAPPING
index 1038bead..57ce78cc 100644
--- a/keystore2/TEST_MAPPING
+++ b/keystore2/TEST_MAPPING
@@ -35,6 +35,9 @@
"name": "keystore2_client_tests"
},
{
+ "name": "librkpd_client.test"
+ },
+ {
"name": "libwatchdog_rs.test"
}
]
diff --git a/keystore2/rkpd_client/Android.bp b/keystore2/rkpd_client/Android.bp
new file mode 100644
index 00000000..1de333f3
--- /dev/null
+++ b/keystore2/rkpd_client/Android.bp
@@ -0,0 +1,51 @@
+// Copyright 2023, The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package {
+ // See: http://go/android-license-faq
+ // A large-scale-change added 'default_applicable_licenses' to import
+ // all of the 'license_kinds' from "system_security_license"
+ // to get the below license kinds:
+ // SPDX-license-identifier-Apache-2.0
+ default_applicable_licenses: ["system_security_license"],
+}
+
+rust_defaults {
+ name: "librkpd_client_defaults",
+ crate_name: "rkpd_client",
+ srcs: ["src/lib.rs"],
+ rustlibs: [
+ "android.security.rkp_aidl-rust",
+ "libanyhow",
+ "libbinder_rs",
+ "liblog_rust",
+ "libmessage_macro",
+ "libthiserror",
+ "libtokio",
+ ],
+}
+
+rust_library {
+ name: "librkpd_client",
+ defaults: ["librkpd_client_defaults"],
+}
+
+rust_test {
+ name: "librkpd_client.test",
+ defaults: ["librkpd_client_defaults"],
+ test_suites: ["general-tests"],
+ rustlibs: [
+ "librand",
+ ],
+}
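Review bot: The new `librkpd_client` `rust_library` declares no `visibility`, and the `package` block above it sets only `default_applicable_licenses`, so unless a default is inherited from somewhere outside this hunk the module can be linked from any package in the tree. This crate is the client that fetches and stores RKPD attestation keys, and the commit message names exactly two consumers. I would pin the module to them with something like `visibility: ["<keystore2 package>:__subpackages__", "<AVF consumer package>:__subpackages__"],` on the `rust_library`. Access to the RKPD service is presumably still enforced at the binder/SELinux layer, so this is about keeping the set of callers reviewable rather than a direct exposure. If the AVF consumer is built into an APEX, the library will likely also need an `apex_available` entry, which this file does not set.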
diff --git a/keystore2/src/rkpd_client.rs b/keystore2/rkpd_client/src/lib.rs
index d8a5276c..d8a5276c 100644
--- a/keystore2/src/rkpd_client.rs
+++ b/keystore2/rkpd_client/src/lib.rs
diff --git a/keystore2/src/error.rs b/keystore2/src/error.rs
index ac5ba4c3..b4c57fbd 100644
--- a/keystore2/src/error.rs
+++ b/keystore2/src/error.rs
@@ -27,7 +27,6 @@
//! Keystore functions should use `anyhow::Result` to return error conditions, and context should
//! be added every time an error is forwarded.
-use crate::rkpd_client::Error as RkpdError;
pub use android_hardware_security_keymint::aidl::android::hardware::security::keymint::ErrorCode::ErrorCode;
use android_security_rkp_aidl::aidl::android::security::rkp::IGetKeyCallback::ErrorCode::ErrorCode as GetKeyErrorCode;
pub use android_system_keystore2::aidl::android::system::keystore2::ResponseCode::ResponseCode;
@@ -35,6 +34,7 @@ use android_system_keystore2::binder::{
ExceptionCode, Result as BinderResult, Status as BinderStatus, StatusCode,
};
use keystore2_selinux as selinux;
+use rkpd_client::Error as RkpdError;
use std::cmp::PartialEq;
use std::ffi::CString;
diff --git a/keystore2/src/lib.rs b/keystore2/src/lib.rs
index e51a3195..c0eecd89 100644
--- a/keystore2/src/lib.rs
+++ b/keystore2/src/lib.rs
@@ -37,7 +37,6 @@ pub mod operation;
pub mod permission;
pub mod raw_device;
pub mod remote_provisioning;
-pub mod rkpd_client;
pub mod security_level;
pub mod service;
pub mod shared_secret_negotiation;
diff --git a/keystore2/src/remote_provisioning.rs b/keystore2/src/remote_provisioning.rs
index 14c61fb0..a386d969 100644
--- a/keystore2/src/remote_provisioning.rs
+++ b/keystore2/src/remote_provisioning.rs
@@ -35,9 +35,9 @@ use crate::error::wrapped_rkpd_error_to_ks_error;
use crate::globals::get_remotely_provisioned_component_name;
use crate::ks_err;
use crate::metrics_store::log_rkp_error_stats;
-use crate::rkpd_client::get_rkpd_attestation_key;
use crate::watchdog_helper::watchdog as wd;
use android_security_metrics::aidl::android::security::metrics::RkpError::RkpError as MetricsRkpError;
+use rkpd_client::get_rkpd_attestation_key;
/// Contains helper functions to check if remote provisioning is enabled on the system and, if so,
/// to assign and retrieve attestation keys and certificate chains.
diff --git a/keystore2/src/security_level.rs b/keystore2/src/security_level.rs
index f2b332b0..7a27452a 100644
--- a/keystore2/src/security_level.rs
+++ b/keystore2/src/security_level.rs
@@ -30,7 +30,6 @@ use crate::key_parameter::KeyParameterValue as KsKeyParamValue;
use crate::ks_err;
use crate::metrics_store::log_key_creation_event_stats;
use crate::remote_provisioning::RemProvState;
-use crate::rkpd_client::store_rkpd_attestation_key;
use crate::super_key::{KeyBlob, SuperKeyManager};
use crate::utils::{
check_device_attestation_permissions, check_key_permission,
@@ -64,6 +63,7 @@ use android_system_keystore2::aidl::android::system::keystore2::{
KeyMetadata::KeyMetadata, KeyParameters::KeyParameters, ResponseCode::ResponseCode,
};
use anyhow::{anyhow, Context, Result};
+use rkpd_client::store_rkpd_attestation_key;
use std::convert::TryInto;
use std::time::SystemTime;
@@ -1073,13 +1073,13 @@ mod tests {
use super::*;
use crate::error::map_km_error;
use crate::globals::get_keymint_device;
- use crate::rkpd_client::{get_rkpd_attestation_key, store_rkpd_attestation_key};
use crate::utils::upgrade_keyblob_if_required_with;
use android_hardware_security_keymint::aidl::android::hardware::security::keymint::{
Algorithm::Algorithm, AttestationKey::AttestationKey, KeyParameter::KeyParameter,
KeyParameterValue::KeyParameterValue, Tag::Tag,
};
use keystore2_crypto::parse_subject_from_certificate;
+ use rkpd_client::get_rkpd_attestation_key;
#[test]
// This is a helper for a manual test. We want to check that after a system upgrade RKPD