authorShawn Willden <swillden@google.com>2016-03-09 21:21:39 -0700
committerShawn Willden <swillden@google.com>2016-03-29 18:08:43 -0600
commit676da6ddbf0ca27b63b92bfbd1341ff2e0f76f08 (patch)
treee18e13b20a7e39fbe60067e64566aa30964b2b26
parentc15af1910d8f451341d0068b5533816ace5defec (diff)
Implement Unique ID support.
Change-Id: Ie1ee2e701a7f10da31a9b448987953dd025f8a11
-rw-r--r--attestation_record.cpp31
-rw-r--r--attestation_record_test.cpp9
-rw-r--r--include/keymaster/keymaster_context.h13
-rw-r--r--include/keymaster/keymaster_tags.h1
-rw-r--r--include/keymaster/soft_keymaster_context.h4
-rw-r--r--soft_keymaster_context.cpp8
6 files changed, 56 insertions, 10 deletions
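--- a/attestation_record.cpp
+++ b/attestation_record.cpp
@@ -444,15 +444,32 @@ keymaster_error_t build_attestation_record(const AuthorizationSet& attestation_p
 if (error != KM_ERROR_OK)
 return error;
- if (sw_enforced.GetTagValue(TAG_INCLUDE_UNIQUE_ID) ||
- tee_enforced.GetTagValue(TAG_INCLUDE_UNIQUE_ID)) {
+ // Only check tee_enforced for TAG_INCLUDE_UNIQUE_ID. If we don't have hardware we can't
+ // generate unique IDs.
+ if (tee_enforced.GetTagValue(TAG_INCLUDE_UNIQUE_ID)) {
+ uint64_t creation_datetime;
+ // Only check sw_enforced for TAG_CREATION_DATETIME, since it shouldn't be in tee_enforced,
+ // since this implementation has no secure wall clock.
+ if (!sw_enforced.GetTagValue(TAG_CREATION_DATETIME, &creation_datetime)) {
+ LOG_E("Unique ID cannot be created without creation datetime", 0);
+ return KM_ERROR_INVALID_KEY_BLOB;
+ }
+
+ keymaster_blob_t application_id = {};
+ sw_enforced.GetTagValue(TAG_APPLICATION_ID, &application_id);
+
+ Buffer unique_id;
+ error = context.GenerateUniqueId(
+ creation_datetime, application_id,
+ attestation_params.GetTagValue(TAG_RESET_SINCE_ID_ROTATION), &unique_id);
+ if (error != KM_ERROR_OK)
+ return error;
+
 key_desc->unique_id = ASN1_OCTET_STRING_new();
- if (!key_desc->unique_id)
+ if (!key_desc->unique_id ||
+ !ASN1_OCTET_STRING_set(key_desc->unique_id, unique_id.peek_read(),
+ unique_id.available_read()))
 return TranslateLastOpenSslError();
- // TODO(swillden): Calculate actual unique ID
- const char* non_unique_id = "non-unique ID";
- ASN1_OCTET_STRING_set(key_desc->unique_id, reinterpret_cast<const uint8_t*>(non_unique_id),
- strlen(non_unique_id));
 }
 int len = i2d_KM_KEY_DESCRIPTION(key_desc.get(), nullptr);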
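Review bot: The return value of `sw_enforced.GetTagValue(TAG_APPLICATION_ID, &application_id);` is discarded, so when the tag is absent the unique ID is derived from the zero-initialized empty blob with no indication, whereas the TAG_CREATION_DATETIME lookup a few lines above fails closed with KM_ERROR_INVALID_KEY_BLOB. If an absent application ID is acceptable input, say so where the blob is declared, e.g. `// An absent TAG_APPLICATION_ID leaves application_id empty; GenerateUniqueId must accept that.`; otherwise mirror the datetime check and return an error. The comment at the top of the block says unique IDs cannot be generated without hardware, but the actual refusal is delegated to context.GenerateUniqueId (the soft context returns KM_ERROR_UNIMPLEMENTED in this same change), which is worth naming in that comment so the two do not drift. build_attestation_record begins before this hunk and continues after it.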
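--- a/attestation_record_test.cpp
+++ b/attestation_record_test.cpp
@@ -23,6 +23,8 @@
 #include "android_keymaster_test_utils.h"
 #include "attestation_record.h"
+#include <keymaster/keymaster_context.h>
+
 namespace keymaster {
 namespace test {
@@ -84,6 +86,13 @@ class TestContext : public KeymasterContext {
 keymaster_error_t* /* error */) const override {
 return nullptr;
 }
+ keymaster_error_t GenerateUniqueId(uint64_t /* creation_date_time */,
+ const keymaster_blob_t& /* application_id */,
+ bool /* reset_since_rotation */, Buffer* unique_id) const {
+ // Finally, the reason for defining this class:
+ unique_id->Reinitialize("foo", 3);
+ return KM_ERROR_OK;
+ }
 };
 TEST(AttestTest, Simple) {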
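Review bot: `GenerateUniqueId` in TestContext is declared `const` but not `override`, while the neighbouring overrides in the same class carry `override` (visible on `keymaster_error_t* /* error */) const override {`); if the pure-virtual signature in keymaster_context.h ever changes, this becomes a silently hidden name instead of a compile error. Change the last signature line to `bool /* reset_since_rotation */, Buffer* unique_id) const override {`. The comment `// Finally, the reason for defining this class:` tells a later reader nothing; `// Return a fixed ID so the test gets a deterministic unique_id.` is more useful. The rest of TestContext lies outside the hunk.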
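--- a/include/keymaster/keymaster_context.h
+++ b/include/keymaster/keymaster_context.h
@@ -161,18 +161,27 @@ class KeymasterContext {
 /**
 * Return the attestation signing key of the specified algorithm (KM_ALGORITHM_RSA or
- * KM_ALGORITHM_EC).
+ * KM_ALGORITHM_EC). Caller does not acquire ownership and should not delete.
 */
 virtual EVP_PKEY* AttestationKey(keymaster_algorithm_t algorithm,
 keymaster_error_t* error) const = 0;
 /**
 * Return the certificate chain of the attestation signing key of the specified algorithm
- * (KM_ALGORITHM_RSA or KM_ALGORITHM_EC).
+ * (KM_ALGORITHM_RSA or KM_ALGORITHM_EC). Caller does not acquire ownership and should not
+ * delete.
 */
 virtual keymaster_cert_chain_t* AttestationChain(keymaster_algorithm_t algorithm,
 keymaster_error_t* error) const = 0;
+ /**
+ * Generate the current unique ID.
+ */
+ virtual keymaster_error_t GenerateUniqueId(uint64_t creation_date_time,
+ const keymaster_blob_t& application_id,
+ bool reset_since_rotation,
+ Buffer* unique_id) const = 0;
+
 private:
 // Uncopyable.
 KeymasterContext(const KeymasterContext&);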
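Review bot: The new doc comment `* Generate the current unique ID.` on the pure-virtual GenerateUniqueId describes none of its four parameters or its error contract, although the two neighbouring comments in this hunk were just extended to spell out ownership. I would expand it to say what creation_date_time, application_id and reset_since_rotation contribute to the ID, that the result is written to *unique_id, and that implementations without hardware backing return KM_ERROR_UNIMPLEMENTED (SoftKeymasterContext does exactly this elsewhere in the change). It should also state whether application_id may be empty, since the caller in attestation_record.cpp passes an empty blob when TAG_APPLICATION_ID is absent. The KeymasterContext class begins before this hunk.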
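--- a/include/keymaster/keymaster_tags.h
+++ b/include/keymaster/keymaster_tags.h
@@ -165,6 +165,7 @@ DECLARE_KEYMASTER_TAG(KM_UINT, TAG_OS_VERSION);
 DECLARE_KEYMASTER_TAG(KM_UINT, TAG_OS_PATCHLEVEL);
 DECLARE_KEYMASTER_TAG(KM_BYTES, TAG_UNIQUE_ID);
 DECLARE_KEYMASTER_TAG(KM_BYTES, TAG_ATTESTATION_CHALLENGE);
+DECLARE_KEYMASTER_TAG(KM_BOOL, TAG_RESET_SINCE_ID_ROTATION);
 // DECLARE_KEYMASTER_ENUM_TAG is used to declare TypedEnumTag instances for each enum keymaster tag.
 #define DECLARE_KEYMASTER_ENUM_TAG(type, name, enumtype) \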
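--- a/include/keymaster/soft_keymaster_context.h
+++ b/include/keymaster/soft_keymaster_context.h
@@ -84,6 +84,9 @@ class SoftKeymasterContext : public KeymasterContext {
 keymaster_error_t* error) const override;
 keymaster_cert_chain_t* AttestationChain(keymaster_algorithm_t algorithm,
 keymaster_error_t* error) const override;
+ keymaster_error_t GenerateUniqueId(uint64_t creation_date_time,
+ const keymaster_blob_t& application_id,
+ bool reset_since_rotation, Buffer* unique_id) const override;
 KeymasterEnforcement* enforcement_policy() override {
 // SoftKeymaster does no enforcement; it's all done by Keystore.
@@ -93,7 +96,6 @@ class SoftKeymasterContext : public KeymasterContext {
 void AddSystemVersionToSet(AuthorizationSet* auth_set) const;
 private:
-
 keymaster_error_t ParseOldSoftkeymasterBlob(const KeymasterKeyBlob& blob,
 KeymasterKeyBlob* key_material,
 AuthorizationSet* hw_enforced,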
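--- a/soft_keymaster_context.cpp
+++ b/soft_keymaster_context.cpp
@@ -20,6 +20,7 @@
 #include <time.h>
 #include <openssl/aes.h>
+#include <openssl/hmac.h>
 #include <openssl/rand.h>
 #include <openssl/sha.h>
@@ -836,6 +837,13 @@ keymaster_cert_chain_t* SoftKeymasterContext::AttestationChain(keymaster_algorit
 return chain.release();
 }
+keymaster_error_t SoftKeymasterContext::GenerateUniqueId(
+ uint64_t /* creation_date_time */, const keymaster_blob_t& /* application_id */,
+ bool /* reset_since_rotation */, Buffer* /* unique_id */) const {
+ // SoftKeymasterDevice cannot generate unique IDs.
+ return KM_ERROR_UNIMPLEMENTED;
+}
+
 keymaster_error_t SoftKeymasterContext::ParseKeymaster1HwBlob(
 const KeymasterKeyBlob& blob, const AuthorizationSet& additional_params,
 KeymasterKeyBlob* key_material, AuthorizationSet* hw_enforced,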
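Review bot: `#include <openssl/hmac.h>` is added in the first hunk, but the only new code in this file, `SoftKeymasterContext::GenerateUniqueId`, returns KM_ERROR_UNIMPLEMENTED without calling any HMAC API; unless an HMAC use exists elsewhere in the file outside this diff, the include is dead and hints at an implementation that was removed or deferred. Either drop the include or leave a short comment at the stub explaining why it is kept. The stub's comment names SoftKeymasterDevice although the method belongs to SoftKeymasterContext; `// SoftKeymasterContext has no hardware backing, so it cannot generate unique IDs.` matches the rationale given in attestation_record.cpp. The ParseKeymaster1HwBlob definition that follows continues past the hunk.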