1 // Copyright 2021, The Android Open Source Project
2 //
3 // Licensed under the Apache License, Version 2.0 (the "License");
4 // you may not use this file except in compliance with the License.
5 // You may obtain a copy of the License at
6 //
7 // http://www.apache.org/licenses/LICENSE-2.0
8 //
9 // Unless required by applicable law or agreed to in writing, software
10 // distributed under the License is distributed on an "AS IS" BASIS,
11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 // See the License for the specific language governing permissions and
13 // limitations under the License.
14
15 //! Implements get_attestation_key_info which loads remote provisioned or user
16 //! generated attestation keys.
17
18 use crate::database::{BlobMetaData, KeyEntryLoadBits, KeyType};
19 use crate::database::{KeyIdGuard, KeystoreDB};
20 use crate::error::{Error, ErrorCode};
21 use crate::ks_err;
22 use crate::permission::KeyPerm;
23 use crate::remote_provisioning::RemProvState;
24 use crate::utils::check_key_permission;
25 use android_hardware_security_keymint::aidl::android::hardware::security::keymint::{
26 AttestationKey::AttestationKey, KeyParameter::KeyParameter, Tag::Tag,
27 };
28 use android_system_keystore2::aidl::android::system::keystore2::{
29 Domain::Domain, KeyDescriptor::KeyDescriptor, ResponseCode::ResponseCode,
30 };
31 use anyhow::{Context, Result};
32 use keystore2_crypto::parse_subject_from_certificate;
33
34 /// KeyMint takes two different kinds of attestation keys. Remote provisioned keys
35 /// and those that have been generated by the user. Unfortunately, they need to be
36 /// handled quite differently, thus the different representations.
37 pub enum AttestationKeyInfo {
38 RkpdProvisioned {
39 attestation_key: AttestationKey,
40 /// Concatenated chain of DER-encoded certificates (ending with the root).
41 attestation_certs: Vec<u8>,
42 },
43 UserGenerated {
44 key_id_guard: KeyIdGuard,
45 blob: Vec<u8>,
46 blob_metadata: BlobMetaData,
47 issuer_subject: Vec<u8>,
48 },
49 }
50
51 /// This function loads and, optionally, assigns the caller's remote provisioned
52 /// attestation key if a challenge is present. Alternatively, if `attest_key_descriptor` is given,
53 /// it loads the user generated attestation key from the database.
get_attest_key_info( key: &KeyDescriptor, caller_uid: u32, attest_key_descriptor: Option<&KeyDescriptor>, params: &[KeyParameter], rem_prov_state: &RemProvState, db: &mut KeystoreDB, ) -> Result<Option<AttestationKeyInfo>>54 pub fn get_attest_key_info(
55 key: &KeyDescriptor,
56 caller_uid: u32,
57 attest_key_descriptor: Option<&KeyDescriptor>,
58 params: &[KeyParameter],
59 rem_prov_state: &RemProvState,
60 db: &mut KeystoreDB,
61 ) -> Result<Option<AttestationKeyInfo>> {
62 let challenge_present = params.iter().any(|kp| kp.tag == Tag::ATTESTATION_CHALLENGE);
63 let is_device_unique_attestation =
64 params.iter().any(|kp| kp.tag == Tag::DEVICE_UNIQUE_ATTESTATION);
65 match attest_key_descriptor {
66 // Do not select an RKP key if DEVICE_UNIQUE_ATTESTATION is present.
67 None if challenge_present && !is_device_unique_attestation => rem_prov_state
68 .get_rkpd_attestation_key_and_certs(key, caller_uid, params)
69 .context(ks_err!("Trying to get attestation key from RKPD."))
70 .map(|result| {
71 result.map(|(attestation_key, attestation_certs)| {
72 AttestationKeyInfo::RkpdProvisioned { attestation_key, attestation_certs }
73 })
74 }),
75 None => Ok(None),
76 Some(attest_key) => get_user_generated_attestation_key(attest_key, caller_uid, db)
77 .context(ks_err!("Trying to load attest key"))
78 .map(Some),
79 }
80 }
81
get_user_generated_attestation_key( key: &KeyDescriptor, caller_uid: u32, db: &mut KeystoreDB, ) -> Result<AttestationKeyInfo>82 fn get_user_generated_attestation_key(
83 key: &KeyDescriptor,
84 caller_uid: u32,
85 db: &mut KeystoreDB,
86 ) -> Result<AttestationKeyInfo> {
87 let (key_id_guard, blob, cert, blob_metadata) =
88 load_attest_key_blob_and_cert(key, caller_uid, db)
89 .context(ks_err!("Failed to load blob and cert"))?;
90
91 let issuer_subject: Vec<u8> = parse_subject_from_certificate(&cert)
92 .context(ks_err!("Failed to parse subject from certificate"))?;
93
94 Ok(AttestationKeyInfo::UserGenerated { key_id_guard, blob, issuer_subject, blob_metadata })
95 }
96
load_attest_key_blob_and_cert( key: &KeyDescriptor, caller_uid: u32, db: &mut KeystoreDB, ) -> Result<(KeyIdGuard, Vec<u8>, Vec<u8>, BlobMetaData)>97 fn load_attest_key_blob_and_cert(
98 key: &KeyDescriptor,
99 caller_uid: u32,
100 db: &mut KeystoreDB,
101 ) -> Result<(KeyIdGuard, Vec<u8>, Vec<u8>, BlobMetaData)> {
102 match key.domain {
103 Domain::BLOB => Err(Error::Km(ErrorCode::INVALID_ARGUMENT))
104 .context(ks_err!("Domain::BLOB attestation keys not supported")),
105 _ => {
106 let (key_id_guard, mut key_entry) = db
107 .load_key_entry(
108 key,
109 KeyType::Client,
110 KeyEntryLoadBits::BOTH,
111 caller_uid,
112 |k, av| check_key_permission(KeyPerm::Use, k, &av),
113 )
114 .context(ks_err!("Failed to load key."))?;
115
116 let (blob, blob_metadata) = key_entry
117 .take_key_blob_info()
118 .ok_or(Error::Rc(ResponseCode::INVALID_ARGUMENT))
119 .context(ks_err!("Successfully loaded key entry, but KM blob was missing"))?;
120 let cert = key_entry
121 .take_cert()
122 .ok_or(Error::Rc(ResponseCode::INVALID_ARGUMENT))
123 .context(ks_err!("Successfully loaded key entry, but cert was missing"))?;
124 Ok((key_id_guard, blob, cert, blob_metadata))
125 }
126 }
127 }
128