203 lines
8.1 KiB
C++
203 lines
8.1 KiB
C++
/*
|
|
* Copyright 2021 The Android Open Source Project
|
|
*
|
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
|
* you may not use this file except in compliance with the License.
|
|
* You may obtain a copy of the License at
|
|
*
|
|
* http://www.apache.org/licenses/LICENSE-2.0
|
|
*
|
|
* Unless required by applicable law or agreed to in writing, software
|
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
* See the License for the specific language governing permissions and
|
|
* limitations under the License.
|
|
*/
|
|
|
|
#include <string>
|
|
#include <vector>
|
|
|
|
#include <aidl/android/hardware/security/keymint/IRemotelyProvisionedComponent.h>
|
|
#include <android/binder_manager.h>
|
|
#include <cppbor.h>
|
|
#include <gflags/gflags.h>
|
|
#include <keymaster/cppcose/cppcose.h>
|
|
#include <openssl/base64.h>
|
|
#include <remote_prov/remote_prov_utils.h>
|
|
#include <sys/random.h>
|
|
|
|
using aidl::android::hardware::security::keymint::DeviceInfo;
|
|
using aidl::android::hardware::security::keymint::IRemotelyProvisionedComponent;
|
|
using aidl::android::hardware::security::keymint::MacedPublicKey;
|
|
using aidl::android::hardware::security::keymint::ProtectedData;
|
|
using aidl::android::hardware::security::keymint::RpcHardwareInfo;
|
|
using aidl::android::hardware::security::keymint::remote_prov::generateEekChain;
|
|
using aidl::android::hardware::security::keymint::remote_prov::getProdEekChain;
|
|
using aidl::android::hardware::security::keymint::remote_prov::jsonEncodeCsrWithBuild;
|
|
|
|
using namespace cppbor;
|
|
using namespace cppcose;
|
|
|
|
DEFINE_bool(test_mode, false, "If enabled, a fake EEK key/cert are used.");
|
|
|
|
DEFINE_string(output_format, "csr", "How to format the output. Defaults to 'csr'.");
|
|
|
|
namespace {
|
|
|
|
// Various supported --output_format values.
|
|
constexpr std::string_view kBinaryCsrOutput = "csr"; // Just the raw csr as binary
|
|
constexpr std::string_view kBuildPlusCsr = "build+csr"; // Text-encoded (JSON) build
|
|
// fingerprint plus CSR.
|
|
|
|
constexpr size_t kChallengeSize = 16;
|
|
|
|
std::string toBase64(const std::vector<uint8_t>& buffer) {
|
|
size_t base64Length;
|
|
int rc = EVP_EncodedLength(&base64Length, buffer.size());
|
|
if (!rc) {
|
|
std::cerr << "Error getting base64 length. Size overflow?" << std::endl;
|
|
exit(-1);
|
|
}
|
|
|
|
std::string base64(base64Length, ' ');
|
|
rc = EVP_EncodeBlock(reinterpret_cast<uint8_t*>(base64.data()), buffer.data(), buffer.size());
|
|
++rc; // Account for NUL, which BoringSSL does not for some reason.
|
|
if (rc != base64Length) {
|
|
std::cerr << "Error writing base64. Expected " << base64Length
|
|
<< " bytes to be written, but " << rc << " bytes were actually written."
|
|
<< std::endl;
|
|
exit(-1);
|
|
}
|
|
return base64;
|
|
}
|
|
|
|
std::vector<uint8_t> generateChallenge() {
|
|
std::vector<uint8_t> challenge(kChallengeSize);
|
|
|
|
ssize_t bytesRemaining = static_cast<ssize_t>(challenge.size());
|
|
uint8_t* writePtr = challenge.data();
|
|
while (bytesRemaining > 0) {
|
|
int bytesRead = getrandom(writePtr, bytesRemaining, /*flags=*/0);
|
|
if (bytesRead < 0) {
|
|
if (errno == EINTR) {
|
|
continue;
|
|
} else {
|
|
std::cerr << errno << ": " << strerror(errno) << std::endl;
|
|
exit(-1);
|
|
}
|
|
}
|
|
bytesRemaining -= bytesRead;
|
|
writePtr += bytesRead;
|
|
}
|
|
|
|
return challenge;
|
|
}
|
|
|
|
Array composeCertificateRequest(const ProtectedData& protectedData,
|
|
const DeviceInfo& verifiedDeviceInfo,
|
|
const std::vector<uint8_t>& challenge,
|
|
const std::vector<uint8_t>& keysToSignMac) {
|
|
Array macedKeysToSign = Array()
|
|
.add(std::vector<uint8_t>(0)) // empty protected headers as bstr
|
|
.add(Map()) // empty unprotected headers
|
|
.add(Null()) // nil for the payload
|
|
.add(keysToSignMac); // MAC as returned from the HAL
|
|
|
|
Array deviceInfo =
|
|
Array().add(EncodedItem(verifiedDeviceInfo.deviceInfo)).add(Map()); // Empty device info
|
|
|
|
Array certificateRequest = Array()
|
|
.add(std::move(deviceInfo))
|
|
.add(challenge)
|
|
.add(EncodedItem(protectedData.protectedData))
|
|
.add(std::move(macedKeysToSign));
|
|
return certificateRequest;
|
|
}
|
|
|
|
std::vector<uint8_t> getEekChain(uint32_t curve) {
|
|
if (FLAGS_test_mode) {
|
|
const std::vector<uint8_t> kFakeEekId = {'f', 'a', 'k', 'e', 0};
|
|
auto eekOrErr = generateEekChain(curve, 3 /* chainlength */, kFakeEekId);
|
|
if (!eekOrErr) {
|
|
std::cerr << "Failed to generate test EEK somehow: " << eekOrErr.message() << std::endl;
|
|
exit(-1);
|
|
}
|
|
auto [eek, pubkey, privkey] = eekOrErr.moveValue();
|
|
std::cout << "EEK raw keypair:" << std::endl;
|
|
std::cout << " pub: " << toBase64(pubkey) << std::endl;
|
|
std::cout << " priv: " << toBase64(privkey) << std::endl;
|
|
return eek;
|
|
}
|
|
|
|
return getProdEekChain(curve);
|
|
}
|
|
|
|
void writeOutput(const std::string instance_name, const Array& csr) {
|
|
if (FLAGS_output_format == kBinaryCsrOutput) {
|
|
auto bytes = csr.encode();
|
|
std::copy(bytes.begin(), bytes.end(), std::ostream_iterator<char>(std::cout));
|
|
} else if (FLAGS_output_format == kBuildPlusCsr) {
|
|
auto [json, error] = jsonEncodeCsrWithBuild(instance_name, csr);
|
|
if (!error.empty()) {
|
|
std::cerr << "Error JSON encoding the output: " << error;
|
|
exit(1);
|
|
}
|
|
std::cout << json << std::endl;
|
|
} else {
|
|
std::cerr << "Unexpected output_format '" << FLAGS_output_format << "'" << std::endl;
|
|
std::cerr << "Valid formats:" << std::endl;
|
|
std::cerr << " " << kBinaryCsrOutput << std::endl;
|
|
std::cerr << " " << kBuildPlusCsr << std::endl;
|
|
exit(1);
|
|
}
|
|
}
|
|
|
|
// Callback for AServiceManager_forEachDeclaredInstance that writes out a CSR
|
|
// for every IRemotelyProvisionedComponent.
|
|
void getCsrForInstance(const char* name, void* /*context*/) {
|
|
const std::vector<uint8_t> challenge = generateChallenge();
|
|
|
|
auto fullName = std::string(IRemotelyProvisionedComponent::descriptor) + "/" + name;
|
|
AIBinder* rkpAiBinder = AServiceManager_getService(fullName.c_str());
|
|
::ndk::SpAIBinder rkp_binder(rkpAiBinder);
|
|
auto rkp_service = IRemotelyProvisionedComponent::fromBinder(rkp_binder);
|
|
if (!rkp_service) {
|
|
std::cerr << "Unable to get binder object for '" << fullName << "', skipping.";
|
|
exit(-1);
|
|
}
|
|
|
|
std::vector<uint8_t> keysToSignMac;
|
|
std::vector<MacedPublicKey> emptyKeys;
|
|
DeviceInfo verifiedDeviceInfo;
|
|
ProtectedData protectedData;
|
|
RpcHardwareInfo hwInfo;
|
|
::ndk::ScopedAStatus status = rkp_service->getHardwareInfo(&hwInfo);
|
|
if (!status.isOk()) {
|
|
std::cerr << "Failed to get hardware info for '" << fullName
|
|
<< "'. Error code: " << status.getServiceSpecificError() << "." << std::endl;
|
|
exit(-1);
|
|
}
|
|
status = rkp_service->generateCertificateRequest(
|
|
FLAGS_test_mode, emptyKeys, getEekChain(hwInfo.supportedEekCurve), challenge,
|
|
&verifiedDeviceInfo, &protectedData, &keysToSignMac);
|
|
if (!status.isOk()) {
|
|
std::cerr << "Bundle extraction failed for '" << fullName
|
|
<< "'. Error code: " << status.getServiceSpecificError() << "." << std::endl;
|
|
exit(-1);
|
|
}
|
|
auto request =
|
|
composeCertificateRequest(protectedData, verifiedDeviceInfo, challenge, keysToSignMac);
|
|
writeOutput(std::string(name), request);
|
|
}
|
|
|
|
} // namespace
|
|
|
|
int main(int argc, char** argv) {
|
|
gflags::ParseCommandLineFlags(&argc, &argv, /*remove_flags=*/true);
|
|
|
|
AServiceManager_forEachDeclaredInstance(IRemotelyProvisionedComponent::descriptor,
|
|
/*context=*/nullptr, getCsrForInstance);
|
|
|
|
return 0;
|
|
}
|