From 35b757c26ad3df2b5185d46d74bd68f4878af062 Mon Sep 17 00:00:00 2001 From: Shawn Willden Date: Thu, 28 Jan 2016 07:55:52 +0000 Subject: Revert "Add attestation support to KeymasterContext" This reverts commit 7989c2bf8ad56518465b96bba61432de1a66bbf1. Change-Id: Ia7f1aef880187c3ef7c399121edb11cf7d16b654 --- include/keymaster/android_keymaster_utils.h | 11 - include/keymaster/keymaster_context.h | 16 -- include/keymaster/soft_keymaster_context.h | 5 - soft_keymaster_context.cpp | 325 ---------------------------- sw_rsa_attest_root.key.pem | 15 -- 5 files changed, 372 deletions(-) delete mode 100644 sw_rsa_attest_root.key.pem diff --git a/include/keymaster/android_keymaster_utils.h b/include/keymaster/android_keymaster_utils.h index c190e04..9f0cf6a 100644 --- a/include/keymaster/android_keymaster_utils.h +++ b/include/keymaster/android_keymaster_utils.h @@ -314,17 +314,6 @@ struct Malloc_Delete { void operator()(void* p) { free(p); } }; -struct CertificateChainDelete { - void operator()(keymaster_cert_chain_t* p) { - if (!p) - return; - for (size_t i = 0; i < p->entry_count; ++i) - delete[] p->entries[i].data; - delete[] p->entries; - delete p; - } -}; - } // namespace keymaster #endif // SYSTEM_KEYMASTER_ANDROID_KEYMASTER_UTILS_H_ diff --git a/include/keymaster/keymaster_context.h b/include/keymaster/keymaster_context.h index c9802e4..338b408 100644 --- a/include/keymaster/keymaster_context.h +++ b/include/keymaster/keymaster_context.h @@ -19,8 +19,6 @@ #include -#include - #include #include 
@@ -129,20 +127,6 @@ class KeymasterContext {
 */
 virtual KeymasterEnforcement* enforcement_policy() = 0;
- /**
- * Return the attestation signing key of the specified algorithm (KM_ALGORITHM_RSA or
- * KM_ALGORITHM_EC).
- */
- virtual EVP_PKEY* AttestationKey(keymaster_algorithm_t algorithm,
- keymaster_error_t* error) const = 0;
-
- /**
- * Return the certificate chain of the attestation signing key of the specified algorithm
- * (KM_ALGORITHM_RSA or KM_ALGORITHM_EC).
- */
- virtual keymaster_cert_chain_t* AttestationChain(keymaster_algorithm_t algorithm,
- keymaster_error_t* error) const = 0;
-
 private:
 // Uncopyable.
 KeymasterContext(const KeymasterContext&);
diff --git a/include/keymaster/soft_keymaster_context.h b/include/keymaster/soft_keymaster_context.h
index d9c02f2..413117a 100644
--- a/include/keymaster/soft_keymaster_context.h
+++ b/include/keymaster/soft_keymaster_context.h
@@ -71,11 +71,6 @@ class SoftKeymasterContext : public KeymasterContext {
 keymaster_error_t AddRngEntropy(const uint8_t* buf, size_t length) const override;
 keymaster_error_t GenerateRandom(uint8_t* buf, size_t length) const override;
- EVP_PKEY* AttestationKey(keymaster_algorithm_t algorithm,
- keymaster_error_t* error) const override;
- keymaster_cert_chain_t* AttestationChain(keymaster_algorithm_t algorithm,
- keymaster_error_t* error) const override;
-
 KeymasterEnforcement* enforcement_policy() override {
 // SoftKeymaster does no enforcement; it's all done by Keystore.
 return nullptr;
diff --git a/soft_keymaster_context.cpp b/soft_keymaster_context.cpp
index ab68760..a703b4b 100644
--- a/soft_keymaster_context.cpp
+++ b/soft_keymaster_context.cpp
@@ -45,242 +45,6 @@ namespace keymaster { namespace { static uint8_t master_key_bytes[AES_BLOCK_SIZE] = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0}; const KeymasterKeyBlob MASTER_KEY(master_key_bytes, array_length(master_key_bytes)); - -static uint8_t kRsaAttestKey[] = { - 0x30, 0x82, 0x02, 0x5d, 0x02, 0x01, 0x00, 0x02, 0x81, 0x81, 0x00, 0xc0, 0x83, 0x23, 0xdc, 0x56, - 0x88, 0x1b, 0xb8, 0x30, 0x20, 0x69, 0xf5, 0xb0, 0x85, 0x61, 0xc6, 0xee, 0xbe, 0x7f, 0x05, 0xe2, - 0xf5, 0xa8, 0x42, 0x04, 0x8a, 0xbe, 0x8b, 0x47, 0xbe, 0x76, 0xfe, 0xae, 0xf2, 0x5c, 0xf2, 0x9b, - 0x2a, 0xfa, 0x32, 0x00, 0x14, 0x16, 0x01, 0x42, 0x99, 0x89, 0xa1, 0x5f, 0xcf, 0xc6, 0x81, 0x5e, - 0xb3, 0x63, 0x58, 0x3c, 0x2f, 0xd2, 0xf2, 0x0b, 0xe4, 0x98, 0x32, 0x83, 0xdd, 0x81, 0x4b, 0x16, - 0xd7, 0xe1, 0x85, 0x41, 0x7a, 0xe5, 0x4a, 0xbc, 0x29, 0x6a, 0x3a, 0x6d, 0xb5, 0xc0, 0x04, 0x08, - 0x3b, 0x68, 0xc5, 0x56, 0xc1, 0xf0, 0x23, 0x39, 0x91, 0x64, 0x19, 0x86, 0x4d, 0x50, 0xb7, 0x4d, - 0x40, 0xae, 0xca, 0x48, 0x4c, 0x77, 0x35, 0x6c, 0x89, 0x5a, 0x0c, 0x27, 0x5a, 0xbf, 0xac, 0x49, - 0x9d, 0x5d, 0x7d, 0x23, 0x62, 0xf2, 0x9c, 0x5e, 0x02, 0xe8, 0x71, 0x02, 0x03, 0x01, 0x00, 0x01, - 0x02, 0x81, 0x81, 0x00, 0xbe, 0x86, 0x0b, 0x0b, 0x99, 0xa8, 0x02, 0xa6, 0xfb, 0x1a, 0x59, 0x43, - 0x8a, 0x7b, 0xb7, 0x15, 0x06, 0x5b, 0x09, 0xa3, 0x6d, 0xc6, 0xe9, 0xca, 0xcc, 0x6b, 0xf3, 0xc0, - 0x2c, 0x34, 0xd7, 0xd7, 0x9e, 0x94, 0xc6, 0x60, 0x64, 0x28, 0xd8, 0x8c, 0x7b, 0x7f, 0x65, 0x77, - 0xc1, 0xcd, 0xea, 0x64, 0x07, 0x4a, 0xbe, 0x8e, 0x72, 0x86, 0xdf, 0x1f, 0x08, 0x11, 0xdc, 0x97, - 0x28, 0x26, 0x08, 0x68, 0xde, 0x95, 0xd3, 0x2e, 0xfc, 0x96, 0xb6, 0xd0, 0x84, 0xff, 0x27, 0x1a, - 0x5f, 0x60, 0xde, 0xfc, 0xc7, 0x03, 0xe7, 0xa3, 0x8e, 0x6e, 0x29, 0xba, 0x9a, 0x3c, 0x5f, 0xc2, - 0xc2, 0x80, 0x76, 0xb6, 0xa8, 0x96, 0xaf, 0x1d, 0x34, 0xd7, 0x88, 0x28, 0xce, 0x9b, 0xdd, 0xb1, - 0xf3, 0x4f, 0x9c, 0x94, 0x04, 0x43, 0x07, 0x81, 0x29, 0x8e, 0x20, 0x13, 0x16, 0x72, 0x5b, 0xbd, - 0xbc, 0x99, 0x3a, 0x41, 0x02, 0x41, 0x00, 0xe1, 0xc6, 
0xd9, 0x27, 0x64, 0x6c, 0x09, 0x16, 0xec, - 0x36, 0x82, 0x6d, 0x59, 0x49, 0x83, 0x74, 0x0c, 0x21, 0xf1, 0xb0, 0x74, 0xc4, 0xa1, 0xa5, 0x98, - 0x67, 0xc6, 0x69, 0x79, 0x5c, 0x85, 0xd3, 0xdc, 0x46, 0x4c, 0x5b, 0x92, 0x9e, 0x94, 0xbf, 0xb3, - 0x4e, 0x0d, 0xcc, 0x50, 0x14, 0xb1, 0x0f, 0x13, 0x34, 0x1a, 0xb7, 0xfd, 0xd5, 0xf6, 0x04, 0x14, - 0xd2, 0xa3, 0x26, 0xca, 0xd4, 0x1c, 0xc5, 0x02, 0x41, 0x00, 0xda, 0x48, 0x59, 0x97, 0x78, 0x5c, - 0xd5, 0x63, 0x0f, 0xb0, 0xfd, 0x8c, 0x52, 0x54, 0xf9, 0x8e, 0x53, 0x8e, 0x18, 0x98, 0x3a, 0xae, - 0x9e, 0x6b, 0x7e, 0x6a, 0x5a, 0x7b, 0x5d, 0x34, 0x37, 0x55, 0xb9, 0x21, 0x8e, 0xbd, 0x40, 0x32, - 0x0d, 0x28, 0x38, 0x7d, 0x78, 0x9f, 0x76, 0xfa, 0x21, 0x8b, 0xcc, 0x2d, 0x8b, 0x68, 0xa5, 0xf6, - 0x41, 0x8f, 0xbb, 0xec, 0xa5, 0x17, 0x9a, 0xb3, 0xaf, 0xbd, 0x02, 0x40, 0x50, 0xfe, 0xfc, 0x32, - 0x64, 0x95, 0x59, 0x61, 0x6e, 0xd6, 0x53, 0x4e, 0x15, 0x45, 0x09, 0x32, 0x9d, 0x93, 0xa3, 0xd8, - 0x10, 0xdb, 0xe5, 0xbd, 0xb9, 0x82, 0x29, 0x2c, 0xf7, 0x8b, 0xd8, 0xba, 0xdb, 0x80, 0x20, 0xae, - 0x8d, 0x57, 0xf4, 0xb7, 0x1d, 0x05, 0x38, 0x6f, 0xfe, 0x9e, 0x9d, 0xb2, 0x71, 0xca, 0x34, 0x77, - 0xa3, 0x49, 0x99, 0xdb, 0x76, 0xf8, 0xe5, 0xec, 0xe9, 0xc0, 0xd4, 0x9d, 0x02, 0x40, 0x15, 0xb7, - 0x4c, 0xf2, 0x7c, 0xce, 0xff, 0x8b, 0xb3, 0x6b, 0xf0, 0x4d, 0x9d, 0x83, 0x46, 0xb0, 0x9a, 0x2f, - 0x70, 0xd2, 0xf4, 0x43, 0x9b, 0x0f, 0x26, 0xac, 0x7e, 0x03, 0xf7, 0xe9, 0xd1, 0xf7, 0x7d, 0x4b, - 0x91, 0x5f, 0xd2, 0x9b, 0x28, 0x23, 0xf0, 0x3a, 0xcb, 0x5d, 0x52, 0x00, 0xe0, 0x85, 0x7f, 0xf2, - 0xa8, 0x03, 0xe9, 0x3e, 0xee, 0x96, 0xd6, 0x23, 0x5c, 0xe9, 0x54, 0x42, 0xbc, 0x21, 0x02, 0x41, - 0x00, 0x90, 0xa7, 0x45, 0xda, 0x89, 0x70, 0xb2, 0xcd, 0x64, 0x96, 0x60, 0x32, 0x42, 0x28, 0xc5, - 0xf8, 0x28, 0x56, 0xff, 0xd6, 0x65, 0xba, 0x9a, 0x85, 0xc8, 0xd6, 0x0f, 0x1b, 0x8b, 0xee, 0x71, - 0x7e, 0xcd, 0x2c, 0x72, 0xea, 0xe0, 0x1d, 0xad, 0x86, 0xba, 0x76, 0x54, 0xd4, 0xcf, 0x45, 0xad, - 0xb5, 0xf1, 0xf2, 0xb3, 0x1d, 0x9f, 0x81, 0x22, 0xcf, 0xa5, 0xf1, 0xa5, 0x57, 0x0f, 0x9b, 
0x2d, - 0x25, -}; - -static uint8_t kRsaAttestCert[] = { - 0x30, 0x82, 0x02, 0xb6, 0x30, 0x82, 0x02, 0x1f, 0xa0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x02, 0x10, - 0x00, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, - 0x30, 0x63, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, - 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0c, 0x0a, 0x43, 0x61, 0x6c, 0x69, 0x66, 0x6f, - 0x72, 0x6e, 0x69, 0x61, 0x31, 0x16, 0x30, 0x14, 0x06, 0x03, 0x55, 0x04, 0x07, 0x0c, 0x0d, 0x4d, - 0x6f, 0x75, 0x6e, 0x74, 0x61, 0x69, 0x6e, 0x20, 0x56, 0x69, 0x65, 0x77, 0x31, 0x15, 0x30, 0x13, - 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x0c, 0x47, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2c, 0x20, 0x49, - 0x6e, 0x63, 0x2e, 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c, 0x07, 0x41, 0x6e, - 0x64, 0x72, 0x6f, 0x69, 0x64, 0x30, 0x1e, 0x17, 0x0d, 0x31, 0x36, 0x30, 0x31, 0x30, 0x34, 0x31, - 0x32, 0x34, 0x30, 0x35, 0x33, 0x5a, 0x17, 0x0d, 0x33, 0x35, 0x31, 0x32, 0x33, 0x30, 0x31, 0x32, - 0x34, 0x30, 0x35, 0x33, 0x5a, 0x30, 0x76, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, - 0x13, 0x02, 0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0c, 0x0a, 0x43, - 0x61, 0x6c, 0x69, 0x66, 0x6f, 0x72, 0x6e, 0x69, 0x61, 0x31, 0x15, 0x30, 0x13, 0x06, 0x03, 0x55, - 0x04, 0x0a, 0x0c, 0x0c, 0x47, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2c, 0x20, 0x49, 0x6e, 0x63, 0x2e, - 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c, 0x07, 0x41, 0x6e, 0x64, 0x72, 0x6f, - 0x69, 0x64, 0x31, 0x29, 0x30, 0x27, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x20, 0x41, 0x6e, 0x64, - 0x72, 0x6f, 0x69, 0x64, 0x20, 0x53, 0x6f, 0x66, 0x74, 0x77, 0x61, 0x72, 0x65, 0x20, 0x41, 0x74, - 0x74, 0x65, 0x73, 0x74, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x20, 0x4b, 0x65, 0x79, 0x30, 0x81, 0x9f, - 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, - 0x81, 0x8d, 0x00, 0x30, 0x81, 0x89, 0x02, 0x81, 0x81, 0x00, 0xc0, 0x83, 0x23, 
0xdc, 0x56, 0x88, - 0x1b, 0xb8, 0x30, 0x20, 0x69, 0xf5, 0xb0, 0x85, 0x61, 0xc6, 0xee, 0xbe, 0x7f, 0x05, 0xe2, 0xf5, - 0xa8, 0x42, 0x04, 0x8a, 0xbe, 0x8b, 0x47, 0xbe, 0x76, 0xfe, 0xae, 0xf2, 0x5c, 0xf2, 0x9b, 0x2a, - 0xfa, 0x32, 0x00, 0x14, 0x16, 0x01, 0x42, 0x99, 0x89, 0xa1, 0x5f, 0xcf, 0xc6, 0x81, 0x5e, 0xb3, - 0x63, 0x58, 0x3c, 0x2f, 0xd2, 0xf2, 0x0b, 0xe4, 0x98, 0x32, 0x83, 0xdd, 0x81, 0x4b, 0x16, 0xd7, - 0xe1, 0x85, 0x41, 0x7a, 0xe5, 0x4a, 0xbc, 0x29, 0x6a, 0x3a, 0x6d, 0xb5, 0xc0, 0x04, 0x08, 0x3b, - 0x68, 0xc5, 0x56, 0xc1, 0xf0, 0x23, 0x39, 0x91, 0x64, 0x19, 0x86, 0x4d, 0x50, 0xb7, 0x4d, 0x40, - 0xae, 0xca, 0x48, 0x4c, 0x77, 0x35, 0x6c, 0x89, 0x5a, 0x0c, 0x27, 0x5a, 0xbf, 0xac, 0x49, 0x9d, - 0x5d, 0x7d, 0x23, 0x62, 0xf2, 0x9c, 0x5e, 0x02, 0xe8, 0x71, 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, - 0x66, 0x30, 0x64, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14, 0xd4, 0x0c, - 0x10, 0x1b, 0xf8, 0xcd, 0x63, 0xb9, 0xf7, 0x39, 0x52, 0xb5, 0x0e, 0x13, 0x5c, 0xa6, 0xd7, 0x99, - 0x93, 0x86, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04, 0x18, 0x30, 0x16, 0x80, 0x14, 0x29, - 0xfa, 0xf1, 0xac, 0xcc, 0x4d, 0xd2, 0x4c, 0x96, 0x40, 0x27, 0x75, 0xb6, 0xb0, 0xe9, 0x32, 0xe5, - 0x07, 0xfe, 0x2e, 0x30, 0x12, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x01, 0x01, 0xff, 0x04, 0x08, 0x30, - 0x06, 0x01, 0x01, 0xff, 0x02, 0x01, 0x00, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x1d, 0x0f, 0x01, 0x01, - 0xff, 0x04, 0x04, 0x03, 0x02, 0x02, 0x84, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, - 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x03, 0x81, 0x81, 0x00, 0x9e, 0x2d, 0x48, 0x5f, 0x8c, 0x67, - 0x33, 0xdc, 0x1a, 0x85, 0xad, 0x99, 0xd7, 0x50, 0x23, 0xea, 0x14, 0xec, 0x43, 0xb0, 0xe1, 0x9d, - 0xea, 0xc2, 0x23, 0x46, 0x1e, 0x72, 0xb5, 0x19, 0xdc, 0x60, 0x22, 0xe4, 0xa5, 0x68, 0x31, 0x6c, - 0x0b, 0x55, 0xc4, 0xe6, 0x9c, 0xa2, 0x2d, 0x9f, 0x3a, 0x4f, 0x93, 0x6b, 0x31, 0x8b, 0x16, 0x78, - 0x16, 0x0d, 0x88, 0xcb, 0xd9, 0x8b, 0xcc, 0x80, 0x9d, 0x84, 0xf0, 0xc2, 0x27, 0xe3, 0x6b, 0x38, - 0xf1, 0xfd, 0xd1, 
0xe7, 0x17, 0x72, 0x31, 0x59, 0x35, 0x7d, 0x96, 0xf3, 0xc5, 0x7f, 0xab, 0x9d, - 0x8f, 0x96, 0x61, 0x26, 0x4f, 0xb2, 0xbe, 0x81, 0xbb, 0x0d, 0x49, 0x04, 0x22, 0x8a, 0xce, 0x9f, - 0xf7, 0xf5, 0x42, 0x2e, 0x25, 0x44, 0xfa, 0x21, 0x07, 0x12, 0x5a, 0x83, 0xb5, 0x55, 0xad, 0x18, - 0x82, 0xf8, 0x40, 0x14, 0x9b, 0x9c, 0x20, 0x63, 0x04, 0x7f, -}; - -static uint8_t kRsaAttestRootCert[] = { - 0x30, 0x82, 0x02, 0xa7, 0x30, 0x82, 0x02, 0x10, 0xa0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x09, 0x00, - 0xff, 0x94, 0xd9, 0xdd, 0x9f, 0x07, 0xc8, 0x0c, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, - 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x30, 0x63, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, - 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0c, - 0x0a, 0x43, 0x61, 0x6c, 0x69, 0x66, 0x6f, 0x72, 0x6e, 0x69, 0x61, 0x31, 0x16, 0x30, 0x14, 0x06, - 0x03, 0x55, 0x04, 0x07, 0x0c, 0x0d, 0x4d, 0x6f, 0x75, 0x6e, 0x74, 0x61, 0x69, 0x6e, 0x20, 0x56, - 0x69, 0x65, 0x77, 0x31, 0x15, 0x30, 0x13, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x0c, 0x47, 0x6f, - 0x6f, 0x67, 0x6c, 0x65, 0x2c, 0x20, 0x49, 0x6e, 0x63, 0x2e, 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, - 0x55, 0x04, 0x0b, 0x0c, 0x07, 0x41, 0x6e, 0x64, 0x72, 0x6f, 0x69, 0x64, 0x30, 0x1e, 0x17, 0x0d, - 0x31, 0x36, 0x30, 0x31, 0x30, 0x34, 0x31, 0x32, 0x33, 0x31, 0x30, 0x38, 0x5a, 0x17, 0x0d, 0x33, - 0x35, 0x31, 0x32, 0x33, 0x30, 0x31, 0x32, 0x33, 0x31, 0x30, 0x38, 0x5a, 0x30, 0x63, 0x31, 0x0b, - 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, - 0x03, 0x55, 0x04, 0x08, 0x0c, 0x0a, 0x43, 0x61, 0x6c, 0x69, 0x66, 0x6f, 0x72, 0x6e, 0x69, 0x61, - 0x31, 0x16, 0x30, 0x14, 0x06, 0x03, 0x55, 0x04, 0x07, 0x0c, 0x0d, 0x4d, 0x6f, 0x75, 0x6e, 0x74, - 0x61, 0x69, 0x6e, 0x20, 0x56, 0x69, 0x65, 0x77, 0x31, 0x15, 0x30, 0x13, 0x06, 0x03, 0x55, 0x04, - 0x0a, 0x0c, 0x0c, 0x47, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2c, 0x20, 0x49, 0x6e, 0x63, 0x2e, 0x31, - 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 
0x0b, 0x0c, 0x07, 0x41, 0x6e, 0x64, 0x72, 0x6f, 0x69, - 0x64, 0x30, 0x81, 0x9f, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, - 0x01, 0x05, 0x00, 0x03, 0x81, 0x8d, 0x00, 0x30, 0x81, 0x89, 0x02, 0x81, 0x81, 0x00, 0xa2, 0x6b, - 0xad, 0xeb, 0x6e, 0x2e, 0x44, 0x61, 0xef, 0xd5, 0x0e, 0x82, 0xe6, 0xb7, 0x94, 0xd1, 0x75, 0x23, - 0x1f, 0x77, 0x9b, 0x63, 0x91, 0x63, 0xff, 0xf7, 0xaa, 0xff, 0x0b, 0x72, 0x47, 0x4e, 0xc0, 0x2c, - 0x43, 0xec, 0x33, 0x7c, 0xd7, 0xac, 0xed, 0x40, 0x3e, 0x8c, 0x28, 0xa0, 0x66, 0xd5, 0xf7, 0x87, - 0x0b, 0x33, 0x97, 0xde, 0x0e, 0xb8, 0x4e, 0x13, 0x40, 0xab, 0xaf, 0xa5, 0x27, 0xbf, 0x95, 0x69, - 0xa0, 0x31, 0xdb, 0x06, 0x52, 0x65, 0xf8, 0x44, 0x59, 0x57, 0x61, 0xf0, 0xbb, 0xf2, 0x17, 0x4b, - 0xb7, 0x41, 0x80, 0x64, 0xc0, 0x28, 0x0e, 0x8f, 0x52, 0x77, 0x8e, 0xdb, 0xd2, 0x47, 0xb6, 0x45, - 0xe9, 0x19, 0xc8, 0xe9, 0x8b, 0xc3, 0xdb, 0xc2, 0x91, 0x3f, 0xd7, 0xd7, 0x50, 0xc4, 0x1d, 0x35, - 0x66, 0xf9, 0x57, 0xe4, 0x97, 0x96, 0x0b, 0x09, 0xac, 0xce, 0x92, 0x35, 0x85, 0x9b, 0x02, 0x03, - 0x01, 0x00, 0x01, 0xa3, 0x63, 0x30, 0x61, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e, 0x04, 0x16, - 0x04, 0x14, 0x29, 0xfa, 0xf1, 0xac, 0xcc, 0x4d, 0xd2, 0x4c, 0x96, 0x40, 0x27, 0x75, 0xb6, 0xb0, - 0xe9, 0x32, 0xe5, 0x07, 0xfe, 0x2e, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04, 0x18, 0x30, - 0x16, 0x80, 0x14, 0x29, 0xfa, 0xf1, 0xac, 0xcc, 0x4d, 0xd2, 0x4c, 0x96, 0x40, 0x27, 0x75, 0xb6, - 0xb0, 0xe9, 0x32, 0xe5, 0x07, 0xfe, 0x2e, 0x30, 0x0f, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x01, 0x01, - 0xff, 0x04, 0x05, 0x30, 0x03, 0x01, 0x01, 0xff, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x1d, 0x0f, 0x01, - 0x01, 0xff, 0x04, 0x04, 0x03, 0x02, 0x02, 0x84, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, - 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x03, 0x81, 0x81, 0x00, 0x4f, 0x72, 0xf3, 0x36, 0x59, - 0x8d, 0x0e, 0xc1, 0xb9, 0x74, 0x5b, 0x31, 0x59, 0xf6, 0xf0, 0x8d, 0x25, 0x49, 0x30, 0x9e, 0xa3, - 0x1c, 0x1c, 0x29, 0xd2, 0x45, 0x2d, 0x20, 0xb9, 0x4d, 0x5f, 0x64, 0xb4, 0xe8, 
0x80, 0xc7, 0x78, - 0x7a, 0x9c, 0x39, 0xde, 0xa8, 0xb3, 0xf5, 0xbf, 0x2f, 0x70, 0x5f, 0x47, 0x10, 0x5c, 0xc5, 0xe6, - 0xeb, 0x4d, 0x06, 0x99, 0x61, 0xd2, 0xae, 0x9a, 0x07, 0xff, 0xf7, 0x7c, 0xb8, 0xab, 0xeb, 0x9c, - 0x0f, 0x24, 0x07, 0x5e, 0xb1, 0x7f, 0xba, 0x79, 0x71, 0xfd, 0x4d, 0x5b, 0x9e, 0xdf, 0x14, 0xa9, - 0xfe, 0xdf, 0xed, 0x7c, 0xc0, 0x88, 0x5d, 0xf8, 0xdd, 0x9b, 0x64, 0x32, 0x56, 0xd5, 0x35, 0x9a, - 0xe2, 0x13, 0xf9, 0x8f, 0xce, 0xc1, 0x7c, 0xdc, 0xef, 0xa4, 0xaa, 0xb2, 0x55, 0xc3, 0x83, 0xa9, - 0x2e, 0xfb, 0x5c, 0xf6, 0x62, 0xf5, 0x27, 0x52, 0x17, 0xbe, 0x63, -}; - -static uint8_t kEcAttestKey[] = { - 0x30, 0x77, 0x02, 0x01, 0x01, 0x04, 0x20, 0x21, 0xe0, 0x86, 0x43, 0x2a, 0x15, 0x19, 0x84, 0x59, - 0xcf, 0x36, 0x3a, 0x50, 0xfc, 0x14, 0xc9, 0xda, 0xad, 0xf9, 0x35, 0xf5, 0x27, 0xc2, 0xdf, 0xd7, - 0x1e, 0x4d, 0x6d, 0xbc, 0x42, 0xe5, 0x44, 0xa0, 0x0a, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, - 0x03, 0x01, 0x07, 0xa1, 0x44, 0x03, 0x42, 0x00, 0x04, 0xeb, 0x9e, 0x79, 0xf8, 0x42, 0x63, 0x59, - 0xac, 0xcb, 0x2a, 0x91, 0x4c, 0x89, 0x86, 0xcc, 0x70, 0xad, 0x90, 0x66, 0x93, 0x82, 0xa9, 0x73, - 0x26, 0x13, 0xfe, 0xac, 0xcb, 0xf8, 0x21, 0x27, 0x4c, 0x21, 0x74, 0x97, 0x4a, 0x2a, 0xfe, 0xa5, - 0xb9, 0x4d, 0x7f, 0x66, 0xd4, 0xe0, 0x65, 0x10, 0x66, 0x35, 0xbc, 0x53, 0xb7, 0xa0, 0xa3, 0xa6, - 0x71, 0x58, 0x3e, 0xdb, 0x3e, 0x11, 0xae, 0x10, 0x14, -}; - -static uint8_t kEcAttestCert[] = { - 0x30, 0x82, 0x02, 0x78, 0x30, 0x82, 0x02, 0x1e, 0xa0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x02, 0x10, - 0x01, 0x30, 0x0a, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x02, 0x30, 0x81, 0x98, - 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x13, 0x30, - 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0c, 0x0a, 0x43, 0x61, 0x6c, 0x69, 0x66, 0x6f, 0x72, 0x6e, - 0x69, 0x61, 0x31, 0x16, 0x30, 0x14, 0x06, 0x03, 0x55, 0x04, 0x07, 0x0c, 0x0d, 0x4d, 0x6f, 0x75, - 0x6e, 0x74, 0x61, 0x69, 0x6e, 0x20, 0x56, 0x69, 0x65, 0x77, 0x31, 0x15, 0x30, 0x13, 0x06, 0x03, - 0x55, 
0x04, 0x0a, 0x0c, 0x0c, 0x47, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2c, 0x20, 0x49, 0x6e, 0x63, - 0x2e, 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c, 0x07, 0x41, 0x6e, 0x64, 0x72, - 0x6f, 0x69, 0x64, 0x31, 0x33, 0x30, 0x31, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x2a, 0x41, 0x6e, - 0x64, 0x72, 0x6f, 0x69, 0x64, 0x20, 0x4b, 0x65, 0x79, 0x73, 0x74, 0x6f, 0x72, 0x65, 0x20, 0x53, - 0x6f, 0x66, 0x74, 0x77, 0x61, 0x72, 0x65, 0x20, 0x41, 0x74, 0x74, 0x65, 0x73, 0x74, 0x61, 0x74, - 0x69, 0x6f, 0x6e, 0x20, 0x52, 0x6f, 0x6f, 0x74, 0x30, 0x1e, 0x17, 0x0d, 0x31, 0x36, 0x30, 0x31, - 0x31, 0x31, 0x30, 0x30, 0x34, 0x36, 0x30, 0x39, 0x5a, 0x17, 0x0d, 0x32, 0x36, 0x30, 0x31, 0x30, - 0x38, 0x30, 0x30, 0x34, 0x36, 0x30, 0x39, 0x5a, 0x30, 0x81, 0x88, 0x31, 0x0b, 0x30, 0x09, 0x06, - 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, - 0x08, 0x0c, 0x0a, 0x43, 0x61, 0x6c, 0x69, 0x66, 0x6f, 0x72, 0x6e, 0x69, 0x61, 0x31, 0x15, 0x30, - 0x13, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x0c, 0x47, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2c, 0x20, - 0x49, 0x6e, 0x63, 0x2e, 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c, 0x07, 0x41, - 0x6e, 0x64, 0x72, 0x6f, 0x69, 0x64, 0x31, 0x3b, 0x30, 0x39, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, - 0x32, 0x41, 0x6e, 0x64, 0x72, 0x6f, 0x69, 0x64, 0x20, 0x4b, 0x65, 0x79, 0x73, 0x74, 0x6f, 0x72, - 0x65, 0x20, 0x53, 0x6f, 0x66, 0x74, 0x77, 0x61, 0x72, 0x65, 0x20, 0x41, 0x74, 0x74, 0x65, 0x73, - 0x74, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x20, 0x49, 0x6e, 0x74, 0x65, 0x72, 0x6d, 0x65, 0x64, 0x69, - 0x61, 0x74, 0x65, 0x30, 0x59, 0x30, 0x13, 0x06, 0x07, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x02, 0x01, - 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07, 0x03, 0x42, 0x00, 0x04, 0xeb, 0x9e, - 0x79, 0xf8, 0x42, 0x63, 0x59, 0xac, 0xcb, 0x2a, 0x91, 0x4c, 0x89, 0x86, 0xcc, 0x70, 0xad, 0x90, - 0x66, 0x93, 0x82, 0xa9, 0x73, 0x26, 0x13, 0xfe, 0xac, 0xcb, 0xf8, 0x21, 0x27, 0x4c, 0x21, 0x74, - 0x97, 0x4a, 0x2a, 0xfe, 0xa5, 0xb9, 0x4d, 
0x7f, 0x66, 0xd4, 0xe0, 0x65, 0x10, 0x66, 0x35, 0xbc, - 0x53, 0xb7, 0xa0, 0xa3, 0xa6, 0x71, 0x58, 0x3e, 0xdb, 0x3e, 0x11, 0xae, 0x10, 0x14, 0xa3, 0x66, - 0x30, 0x64, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14, 0x3f, 0xfc, 0xac, - 0xd6, 0x1a, 0xb1, 0x3a, 0x9e, 0x81, 0x20, 0xb8, 0xd5, 0x25, 0x1c, 0xc5, 0x65, 0xbb, 0x1e, 0x91, - 0xa9, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04, 0x18, 0x30, 0x16, 0x80, 0x14, 0xc8, 0xad, - 0xe9, 0x77, 0x4c, 0x45, 0xc3, 0xa3, 0xcf, 0x0d, 0x16, 0x10, 0xe4, 0x79, 0x43, 0x3a, 0x21, 0x5a, - 0x30, 0xcf, 0x30, 0x12, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x01, 0x01, 0xff, 0x04, 0x08, 0x30, 0x06, - 0x01, 0x01, 0xff, 0x02, 0x01, 0x00, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x1d, 0x0f, 0x01, 0x01, 0xff, - 0x04, 0x04, 0x03, 0x02, 0x02, 0x84, 0x30, 0x0a, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, - 0x03, 0x02, 0x03, 0x48, 0x00, 0x30, 0x45, 0x02, 0x20, 0x4b, 0x8a, 0x9b, 0x7b, 0xee, 0x82, 0xbc, - 0xc0, 0x33, 0x87, 0xae, 0x2f, 0xc0, 0x89, 0x98, 0xb4, 0xdd, 0xc3, 0x8d, 0xab, 0x27, 0x2a, 0x45, - 0x9f, 0x69, 0x0c, 0xc7, 0xc3, 0x92, 0xd4, 0x0f, 0x8e, 0x02, 0x21, 0x00, 0xee, 0xda, 0x01, 0x5d, - 0xb6, 0xf4, 0x32, 0xe9, 0xd4, 0x84, 0x3b, 0x62, 0x4c, 0x94, 0x04, 0xef, 0x3a, 0x7c, 0xcc, 0xbd, - 0x5e, 0xfb, 0x22, 0xbb, 0xe7, 0xfe, 0xb9, 0x77, 0x3f, 0x59, 0x3f, 0xfb, -}; - -static uint8_t kEcAttestRootCert[] = { - 0x30, 0x82, 0x02, 0x8b, 0x30, 0x82, 0x02, 0x32, 0xa0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x09, 0x00, - 0xa2, 0x05, 0x9e, 0xd1, 0x0e, 0x43, 0x5b, 0x57, 0x30, 0x0a, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, - 0x3d, 0x04, 0x03, 0x02, 0x30, 0x81, 0x98, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, - 0x13, 0x02, 0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0c, 0x0a, 0x43, - 0x61, 0x6c, 0x69, 0x66, 0x6f, 0x72, 0x6e, 0x69, 0x61, 0x31, 0x16, 0x30, 0x14, 0x06, 0x03, 0x55, - 0x04, 0x07, 0x0c, 0x0d, 0x4d, 0x6f, 0x75, 0x6e, 0x74, 0x61, 0x69, 0x6e, 0x20, 0x56, 0x69, 0x65, - 0x77, 0x31, 0x15, 0x30, 0x13, 0x06, 0x03, 0x55, 0x04, 0x0a, 
0x0c, 0x0c, 0x47, 0x6f, 0x6f, 0x67, - 0x6c, 0x65, 0x2c, 0x20, 0x49, 0x6e, 0x63, 0x2e, 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, - 0x0b, 0x0c, 0x07, 0x41, 0x6e, 0x64, 0x72, 0x6f, 0x69, 0x64, 0x31, 0x33, 0x30, 0x31, 0x06, 0x03, - 0x55, 0x04, 0x03, 0x0c, 0x2a, 0x41, 0x6e, 0x64, 0x72, 0x6f, 0x69, 0x64, 0x20, 0x4b, 0x65, 0x79, - 0x73, 0x74, 0x6f, 0x72, 0x65, 0x20, 0x53, 0x6f, 0x66, 0x74, 0x77, 0x61, 0x72, 0x65, 0x20, 0x41, - 0x74, 0x74, 0x65, 0x73, 0x74, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x20, 0x52, 0x6f, 0x6f, 0x74, 0x30, - 0x1e, 0x17, 0x0d, 0x31, 0x36, 0x30, 0x31, 0x31, 0x31, 0x30, 0x30, 0x34, 0x33, 0x35, 0x30, 0x5a, - 0x17, 0x0d, 0x33, 0x36, 0x30, 0x31, 0x30, 0x36, 0x30, 0x30, 0x34, 0x33, 0x35, 0x30, 0x5a, 0x30, - 0x81, 0x98, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, - 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0c, 0x0a, 0x43, 0x61, 0x6c, 0x69, 0x66, 0x6f, - 0x72, 0x6e, 0x69, 0x61, 0x31, 0x16, 0x30, 0x14, 0x06, 0x03, 0x55, 0x04, 0x07, 0x0c, 0x0d, 0x4d, - 0x6f, 0x75, 0x6e, 0x74, 0x61, 0x69, 0x6e, 0x20, 0x56, 0x69, 0x65, 0x77, 0x31, 0x15, 0x30, 0x13, - 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x0c, 0x47, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2c, 0x20, 0x49, - 0x6e, 0x63, 0x2e, 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c, 0x07, 0x41, 0x6e, - 0x64, 0x72, 0x6f, 0x69, 0x64, 0x31, 0x33, 0x30, 0x31, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x2a, - 0x41, 0x6e, 0x64, 0x72, 0x6f, 0x69, 0x64, 0x20, 0x4b, 0x65, 0x79, 0x73, 0x74, 0x6f, 0x72, 0x65, - 0x20, 0x53, 0x6f, 0x66, 0x74, 0x77, 0x61, 0x72, 0x65, 0x20, 0x41, 0x74, 0x74, 0x65, 0x73, 0x74, - 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x20, 0x52, 0x6f, 0x6f, 0x74, 0x30, 0x59, 0x30, 0x13, 0x06, 0x07, - 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x02, 0x01, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, - 0x07, 0x03, 0x42, 0x00, 0x04, 0xee, 0x5d, 0x5e, 0xc7, 0xe1, 0xc0, 0xdb, 0x6d, 0x03, 0xa6, 0x7e, - 0xe6, 0xb6, 0x1b, 0xec, 0x4d, 0x6a, 0x5d, 0x6a, 0x68, 0x2e, 0x0f, 0xff, 0x7f, 0x49, 0x0e, 0x7d, - 
0x77, 0x1f, 0x44, 0x22, 0x6d, 0xbd, 0xb1, 0xaf, 0xfa, 0x16, 0xcb, 0xc7, 0xad, 0xc5, 0x77, 0xd2, - 0x56, 0x9c, 0xaa, 0xb7, 0xb0, 0x2d, 0x54, 0x01, 0x5d, 0x3e, 0x43, 0x2b, 0x2a, 0x8e, 0xd7, 0x4e, - 0xec, 0x48, 0x75, 0x41, 0xa4, 0xa3, 0x63, 0x30, 0x61, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e, - 0x04, 0x16, 0x04, 0x14, 0xc8, 0xad, 0xe9, 0x77, 0x4c, 0x45, 0xc3, 0xa3, 0xcf, 0x0d, 0x16, 0x10, - 0xe4, 0x79, 0x43, 0x3a, 0x21, 0x5a, 0x30, 0xcf, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04, - 0x18, 0x30, 0x16, 0x80, 0x14, 0xc8, 0xad, 0xe9, 0x77, 0x4c, 0x45, 0xc3, 0xa3, 0xcf, 0x0d, 0x16, - 0x10, 0xe4, 0x79, 0x43, 0x3a, 0x21, 0x5a, 0x30, 0xcf, 0x30, 0x0f, 0x06, 0x03, 0x55, 0x1d, 0x13, - 0x01, 0x01, 0xff, 0x04, 0x05, 0x30, 0x03, 0x01, 0x01, 0xff, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x1d, - 0x0f, 0x01, 0x01, 0xff, 0x04, 0x04, 0x03, 0x02, 0x02, 0x84, 0x30, 0x0a, 0x06, 0x08, 0x2a, 0x86, - 0x48, 0xce, 0x3d, 0x04, 0x03, 0x02, 0x03, 0x47, 0x00, 0x30, 0x44, 0x02, 0x20, 0x35, 0x21, 0xa3, - 0xef, 0x8b, 0x34, 0x46, 0x1e, 0x9c, 0xd5, 0x60, 0xf3, 0x1d, 0x58, 0x89, 0x20, 0x6a, 0xdc, 0xa3, - 0x65, 0x41, 0xf6, 0x0d, 0x9e, 0xce, 0x8a, 0x19, 0x8c, 0x66, 0x48, 0x60, 0x7b, 0x02, 0x20, 0x4d, - 0x0b, 0xf3, 0x51, 0xd9, 0x30, 0x7c, 0x7d, 0x5b, 0xda, 0x35, 0x34, 0x1d, 0xa8, 0x47, 0x1b, 0x63, - 0xa5, 0x85, 0x65, 0x3c, 0xad, 0x4f, 0x24, 0xa7, 0xe7, 0x4d, 0xaf, 0x41, 0x7d, 0xf1, 0xbf, -}; - -size_t kCertificateChainLength = 2; - } // anonymous namespace SoftKeymasterContext::SoftKeymasterContext(const std::string& root_of_trust) 
@@ -657,95 +421,6 @@ keymaster_error_t SoftKeymasterContext::GenerateRandom(uint8_t* buf, size_t leng
 return KM_ERROR_OK;
 }
-EVP_PKEY* SoftKeymasterContext::AttestationKey(keymaster_algorithm_t algorithm,
- keymaster_error_t* error) const {
-
- const uint8_t* key;
- size_t key_length;
- int evp_key_type;
-
- switch (algorithm) {
- case KM_ALGORITHM_RSA:
- key = kRsaAttestKey;
- key_length = array_length(kRsaAttestKey);
- evp_key_type = EVP_PKEY_RSA;
- break;
-
- case KM_ALGORITHM_EC:
- key = kEcAttestKey;
- key_length = array_length(kEcAttestKey);
- evp_key_type = EVP_PKEY_EC;
- break;
-
- default:
- *error = KM_ERROR_UNSUPPORTED_ALGORITHM;
- return nullptr;
- }
-
- EVP_PKEY* pkey = d2i_PrivateKey(evp_key_type, nullptr /* pkey */, &key, key_length);
- if (!pkey)
- *error = TranslateLastOpenSslError();
-
- return pkey;
-}
-
-keymaster_cert_chain_t* SoftKeymasterContext::AttestationChain(keymaster_algorithm_t algorithm,
- keymaster_error_t* error) const {
- // If we have to bail it will be because of an allocation failure.
- *error = KM_ERROR_MEMORY_ALLOCATION_FAILED;
-
- UniquePtr chain(new keymaster_cert_chain_t);
- if (!chain.get())
- return nullptr;
- memset(chain.get(), 0, sizeof(keymaster_cert_chain_t));
-
- chain->entries = new keymaster_blob_t[kCertificateChainLength];
- if (!chain->entries)
- return nullptr;
-
- memset(chain->entries, 0, sizeof(chain->entries[0]) * kCertificateChainLength);
- chain->entry_count = kCertificateChainLength;
-
- size_t entry = 0;
-
- switch (algorithm) {
- case KM_ALGORITHM_RSA:
- chain->entries[entry].data = dup_array(kRsaAttestCert);
- if (!chain->entries[entry].data)
- return nullptr;
- chain->entries[entry].data_length = array_length(kRsaAttestCert);
- entry++;
- chain->entries[entry].data = dup_array(kRsaAttestRootCert);
- if (!chain->entries[entry].data)
- return nullptr;
- chain->entries[entry].data_length = array_length(kRsaAttestRootCert);
- entry++;
- break;
-
- case KM_ALGORITHM_EC:
- chain->entries[entry].data = dup_array(kEcAttestCert);
- if (!chain->entries[entry].data)
- return nullptr;
- chain->entries[entry].data_length = array_length(kEcAttestCert);
- entry++;
- chain->entries[entry].data = dup_array(kEcAttestRootCert);
- if (!chain->entries[entry].data)
- return nullptr;
- chain->entries[entry].data_length = array_length(kEcAttestRootCert);
- entry++;
- break;
-
- default:
- *error = KM_ERROR_UNSUPPORTED_ALGORITHM;
- return nullptr;
- };
-
- assert(entry == kCertificateChainLength);
-
- *error = KM_ERROR_OK;
- return chain.release();
-}
-
 keymaster_error_t SoftKeymasterContext::ParseKeymaster1HwBlob( const KeymasterKeyBlob& blob, const AuthorizationSet& additional_params, KeymasterKeyBlob* key_material, AuthorizationSet* hw_enforced,
diff --git a/sw_rsa_attest_root.key.pem b/sw_rsa_attest_root.key.pem
deleted file mode 100644
index 387a852..0000000
--- a/sw_rsa_attest_root.key.pem
+++ /dev/null
@@ -1,15 +0,0 @@ ------BEGIN RSA PRIVATE KEY----- -MIICXQIBAAKBgQCia63rbi5EYe/VDoLmt5TRdSMfd5tjkWP/96r/C3JHTsAsQ+wz -fNes7UA+jCigZtX3hwszl94OuE4TQKuvpSe/lWmgMdsGUmX4RFlXYfC78hdLt0GA -ZMAoDo9Sd47b0ke2RekZyOmLw9vCkT/X11DEHTVm+Vfkl5YLCazOkjWFmwIDAQAB -AoGAU8dxXchmqzVNbbvff7zgUa63YErk51Yem/EXzhkMaIXRkMO0edaCtZtnkRvg -9OQ2qEiLWaCTlUoyU7H/HUn2lwTQsOXyZI7dHijVDRMIv1mmrHCrGW/JC8FXfPLS -r3L3KoHXQVYL2mslbR8Rpogxq4WwnwK6XqSTH9mynFwQwEkCQQDMX3EZk3ricWVH -ruXD0BpXOMMpZuLu4rg5+1L51WEJvItIMeSjLuNa+g3AI8AYTYYi/aSLk6XEv82L -iXFGmJ2XAkEAy3M8k8Z0QzHae4olduqoHVWEarBtDE+fqFQBWgdm8fZhdHWrvlAc -qwJIXMUVc+dWm/FAQarCjbqWqhCRdaYgnQJBAJ7z7GdUCVNtlrQ2F4ZAqPwFreTZ -nM7njxmpm1Os3hhQiJPSGl3A7huoOGGkbJd6VEWKuRvF7jwkYZ2RfITH1mkCQAvh -X9E1Toa5+4spRwTJsSV9X+0m/kcwwx7+QNH0CrPockptsKi9Xt8xk+4u6BDLmogi -r2DmStQh6DhoHUZkfBUCQQCOgBkqH/15drpdR+BQH3VaP4/ALFfxR9E3G+lS+M5a -IqJEk9kh8vjuGzTaAZyU5keUmpWNc1gI7OvDMaH4+8vQ ------END RSA PRIVATE KEY----- -- cgit v1.2.3 From c9b68db953e4ced11106411b721f750d04ac006b Mon Sep 17 00:00:00 2001 From: Shawn Willden Date: Thu, 28 Jan 2016 08:02:44 +0000 Subject: Revert "Add attestation support to Key classes." This reverts commit 4d0465999644336d636442a86795293298b22035. Change-Id: I53d386e0d95c25e794ef88801d80e80ccfeea768 --- asymmetric_key.cpp | 186 +------------------------------------------------ asymmetric_key.h | 6 -- attestation_record.cpp | 4 ++ key.h | 13 ---- openssl_utils.h | 57 ++++++++------- 5 files changed, 38 insertions(+), 228 deletions(-) diff --git a/asymmetric_key.cpp b/asymmetric_key.cpp index e0af5a5..2ead3c5 100644 --- a/asymmetric_key.cpp +++ b/asymmetric_key.cpp @@ -18,11 +18,8 @@ #include -#include -#include #include -#include "attestation_record.h" #include "openssl_err.h" #include "openssl_utils.h" 
@@ -37,7 +34,7 @@ keymaster_error_t AsymmetricKey::formatted_key_material(keymaster_key_format_t f
 if (material == NULL || size == NULL)
 return KM_ERROR_OUTPUT_PARAMETER_NULL;
- EVP_PKEY_Ptr pkey(EVP_PKEY_new());
+ UniquePtr pkey(EVP_PKEY_new());
 if (!InternalToEvp(pkey.get()))
 return TranslateLastOpenSslError();
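Review bot: The restored `pkey` line hands `pkey.get()` straight to `InternalToEvp()` without checking that `EVP_PKEY_new()` succeeded, so an allocation failure reaches the callee as a null pointer; whether `InternalToEvp` tolerates null is not visible in this hunk. A guard before the call, `if (!pkey.get()) return KM_ERROR_MEMORY_ALLOCATION_FAILED;`, would report the failure explicitly rather than relying on whatever `TranslateLastOpenSslError()` happens to find, which may not describe an allocation failure. `formatted_key_material` starts and ends outside the hunk, so an existing check elsewhere in the function cannot be ruled out from here.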
@@ -59,185 +56,4 @@ keymaster_error_t AsymmetricKey::formatted_key_material(keymaster_key_format_t f return KM_ERROR_OK; } -static keymaster_error_t build_attestation_extension(const AuthorizationSet& tee_enforced, - const AuthorizationSet& sw_enforced, - X509_EXTENSION_Ptr* extension) { - ASN1_OBJECT_Ptr oid( - OBJ_txt2obj(kAttestionRecordOid, 1 /* accept numerical dotted string form only */)); - if (!oid.get()) - return TranslateLastOpenSslError(); - - UniquePtr attest_bytes; - size_t attest_bytes_len; - keymaster_error_t error = - build_attestation_record(sw_enforced, tee_enforced, &attest_bytes, &attest_bytes_len); - if (error != KM_ERROR_OK) - return error; - - ASN1_OCTET_STRING_Ptr attest_str(ASN1_OCTET_STRING_new()); - if (!attest_str.get() || - !ASN1_OCTET_STRING_set(attest_str.get(), attest_bytes.get(), attest_bytes_len)) - return TranslateLastOpenSslError(); - - extension->reset( - X509_EXTENSION_create_by_OBJ(nullptr, oid.get(), 0 /* not critical */, attest_str.get())); - if (!extension->get()) - return TranslateLastOpenSslError(); - - return KM_ERROR_OK; -} - -static bool add_public_key(EVP_PKEY* key, X509* certificate, keymaster_error_t* error) { - if (!X509_set_pubkey(certificate, key)) { - *error = TranslateLastOpenSslError(); - return false; - } - return true; -} - -static bool add_attestation_extension(const AuthorizationSet& tee_enforced, - const AuthorizationSet& sw_enforced, X509* certificate, - keymaster_error_t* error) { - X509_EXTENSION_Ptr attest_extension; - *error = build_attestation_extension(tee_enforced, sw_enforced, &attest_extension); - if (*error != KM_ERROR_OK) - return false; - - if (!X509_add_ext(certificate, attest_extension.get() /* Don't release; copied */, - -1 /* insert at end */)) { - *error = TranslateLastOpenSslError(); - return false; - } - - return true; -} - -static keymaster_error_t get_certificate_blob(X509* certificate, keymaster_blob_t* blob) { - int len = i2d_X509(certificate, nullptr); - if (len < 0) - return 
TranslateLastOpenSslError(); - - uint8_t* data = new uint8_t[len]; - if (!data) - return KM_ERROR_MEMORY_ALLOCATION_FAILED; - - uint8_t* p = data; - i2d_X509(certificate, &p); - - blob->data_length = len; - blob->data = data; - - return KM_ERROR_OK; -} - -static bool allocate_cert_chain(size_t entry_count, keymaster_cert_chain_t* chain, - keymaster_error_t* error) { - if (chain->entries) { - for (size_t i = 0; i < chain->entry_count; ++i) - delete[] chain->entries[i].data; - delete[] chain->entries; - } - - chain->entry_count = entry_count; - chain->entries = new keymaster_blob_t[entry_count]; - if (!chain->entries) { - *error = KM_ERROR_MEMORY_ALLOCATION_FAILED; - return false; - } - return true; -} - -// Copies the intermediate and root certificates into chain, leaving the first slot for the leaf -// certificate. -static bool copy_attestation_chain(const KeymasterContext& context, - keymaster_algorithm_t sign_algorithm, - keymaster_cert_chain_t* chain, keymaster_error_t* error) { - - UniquePtr attest_key_chain( - context.AttestationChain(sign_algorithm, error)); - if (!attest_key_chain.get()) - return false; - - if (!allocate_cert_chain(attest_key_chain->entry_count + 1, chain, error)) - return false; - - chain->entries[0] = {}; // Leave empty for the leaf certificate. 
- for (size_t i = 0; i < attest_key_chain->entry_count; ++i) { - chain->entries[i + 1] = attest_key_chain->entries[i]; - attest_key_chain->entries[i].data = nullptr; - } - - return true; -} - -keymaster_error_t AsymmetricKey::GenerateAttestation(const KeymasterContext& context, - const AuthorizationSet& attest_params, - const AuthorizationSet& tee_enforced, - const AuthorizationSet& sw_enforced, - keymaster_cert_chain_t* cert_chain) const { - - keymaster_algorithm_t sign_algorithm; - if (!attest_params.GetTagValue(TAG_ALGORITHM, &sign_algorithm) || - (sign_algorithm != KM_ALGORITHM_RSA && sign_algorithm != KM_ALGORITHM_EC)) - return KM_ERROR_INCOMPATIBLE_ALGORITHM; - - EVP_PKEY_Ptr pkey(EVP_PKEY_new()); - if (!InternalToEvp(pkey.get())) - return TranslateLastOpenSslError(); - - X509_Ptr certificate(X509_new()); - if (!certificate.get()) - return TranslateLastOpenSslError(); - - if (!X509_set_version(certificate.get(), 2 /* version 3, but zero-based */)) - return TranslateLastOpenSslError(); - - ASN1_INTEGER_Ptr serialNumber(ASN1_INTEGER_new()); - if (!serialNumber.get() || - !ASN1_INTEGER_set( - serialNumber.get(), - 10000 /* TODO(swillden): Figure out what should go in serial number; probably a random - * value */) || - !X509_set_serialNumber(certificate.get(), serialNumber.get() /* Don't release; copied */)) - return TranslateLastOpenSslError(); - - // TODO(swillden): Find useful values (if possible) for issuerName and subjectName. - X509_NAME_Ptr issuerName(X509_NAME_new()); - if (!issuerName.get() || - !X509_set_subject_name(certificate.get(), issuerName.get() /* Don't release; copied */)) - return TranslateLastOpenSslError(); - - X509_NAME_Ptr subjectName(X509_NAME_new()); - if (!subjectName.get() || - !X509_set_subject_name(certificate.get(), subjectName.get() /* Don't release; copied */)) - return TranslateLastOpenSslError(); - - // TODO(swillden): Use key activity and expiration dates for notBefore and notAfter. 
- ASN1_TIME_Ptr notBefore(ASN1_TIME_new()); - if (!notBefore.get() || !ASN1_TIME_set(notBefore.get(), 0) || - !X509_set_notBefore(certificate.get(), notBefore.get() /* Don't release; copied */)) - return TranslateLastOpenSslError(); - - ASN1_TIME_Ptr notAfter(ASN1_TIME_new()); - if (!notAfter.get() || !ASN1_TIME_set(notAfter.get(), 10000) || - !X509_set_notAfter(certificate.get(), notAfter.get() /* Don't release; copied */)) - return TranslateLastOpenSslError(); - - keymaster_error_t error = KM_ERROR_OK; - EVP_PKEY_Ptr sign_key(context.AttestationKey(sign_algorithm, &error)); - - if (!sign_key.get() || // - !add_public_key(pkey.get(), certificate.get(), &error) || - !add_attestation_extension(tee_enforced, sw_enforced, certificate.get(), &error)) - return error; - - if (!X509_sign(certificate.get(), sign_key.get(), EVP_sha256())) - return TranslateLastOpenSslError(); - - if (!copy_attestation_chain(context, sign_algorithm, cert_chain, &error)) - return error; - - return get_certificate_blob(certificate.get(), &cert_chain->entries[0]); -} - } // namespace keymaster diff --git a/asymmetric_key.h b/asymmetric_key.h index 99ee585..1a3b09f 100644 --- a/asymmetric_key.h +++ b/asymmetric_key.h @@ -33,12 +33,6 @@ class AsymmetricKey : public Key { UniquePtr* material, size_t* size) const override; - keymaster_error_t GenerateAttestation(const KeymasterContext& context, - const AuthorizationSet& attest_params, - const AuthorizationSet& tee_enforced, - const AuthorizationSet& sw_enforced, - keymaster_cert_chain_t* certificate_chain) const override; - virtual bool InternalToEvp(EVP_PKEY* pkey) const = 0; virtual bool EvpToInternal(const EVP_PKEY* pkey) = 0; }; diff --git a/attestation_record.cpp b/attestation_record.cpp index 12da6ae..85bec2a 100644 --- a/attestation_record.cpp +++ b/attestation_record.cpp 
@@ -152,6 +152,10 @@ struct KM_KEY_DESCRIPTION_Delete { void operator()(KM_KEY_DESCRIPTION* p) { KM_KEY_DESCRIPTION_free(p); } }; +struct ASN1_INTEGER_Delete { + void operator()(ASN1_INTEGER* p) { ASN1_INTEGER_free(p); } +}; + static uint32_t get_uint32_value(const keymaster_key_param_t& param) { switch (keymaster_tag_get_type(param.tag)) { case KM_ENUM: diff --git a/key.h b/key.h index 9fb4063..959729e 100644 --- a/key.h +++ b/key.h @@ -20,10 +20,7 @@ #include #include - -#include #include -#include namespace keymaster { @@ -38,16 +35,6 @@ class Key { UniquePtr* material, size_t* size) const = 0; - /** - * Generate an attestation certificate chain. - */ - virtual keymaster_error_t GenerateAttestation( - const KeymasterContext& /* context */, const AuthorizationSet& /* attest_params */, - const AuthorizationSet& /* tee_enforced */, const AuthorizationSet& /* sw_enforced */, - keymaster_cert_chain_t* /* certificate_chain */) const { - return KM_ERROR_INCOMPATIBLE_ALGORITHM; - } - const AuthorizationSet& authorizations() const { return authorizations_; } protected: diff --git a/openssl_utils.h b/openssl_utils.h index 016aea8..db554cb 100644 --- a/openssl_utils.h +++ b/openssl_utils.h 
@@ -41,32 +41,41 @@ class EvpMdCtxCleaner { EVP_MD_CTX* ctx_; }; -template struct OpenSslObjectDeleter { - void operator()(T* p) { FreeFunc(p); } +struct EC_KEY_Delete { + void operator()(EC_KEY* p) { EC_KEY_free(p); } }; -#define DEFINE_OPENSSL_OBJECT_POINTER(name) \ - typedef OpenSslObjectDeleter name##_Delete; \ - typedef UniquePtr name##_Ptr; - -DEFINE_OPENSSL_OBJECT_POINTER(ASN1_INTEGER) -DEFINE_OPENSSL_OBJECT_POINTER(ASN1_OBJECT) -DEFINE_OPENSSL_OBJECT_POINTER(ASN1_OCTET_STRING) -DEFINE_OPENSSL_OBJECT_POINTER(ASN1_TIME) -DEFINE_OPENSSL_OBJECT_POINTER(BN_CTX); -DEFINE_OPENSSL_OBJECT_POINTER(EC_GROUP); -DEFINE_OPENSSL_OBJECT_POINTER(EC_KEY); -DEFINE_OPENSSL_OBJECT_POINTER(EC_POINT); -DEFINE_OPENSSL_OBJECT_POINTER(ENGINE); -DEFINE_OPENSSL_OBJECT_POINTER(EVP_PKEY); -DEFINE_OPENSSL_OBJECT_POINTER(PKCS8_PRIV_KEY_INFO); -DEFINE_OPENSSL_OBJECT_POINTER(RSA); -DEFINE_OPENSSL_OBJECT_POINTER(X509) -DEFINE_OPENSSL_OBJECT_POINTER(X509_EXTENSION) -DEFINE_OPENSSL_OBJECT_POINTER(X509_NAME) - -typedef OpenSslObjectDeleter BIGNUM_Delete; -typedef UniquePtr BIGNUM_Ptr; +struct EC_POINT_Delete { + void operator()(EC_POINT* p) { EC_POINT_free(p); } +}; + +struct EVP_PKEY_Delete { + void operator()(EVP_PKEY* p) const { EVP_PKEY_free(p); } +}; + +struct BIGNUM_Delete { + void operator()(BIGNUM* p) const { BN_free(p); } +}; + +struct BN_CTX_Delete { + void operator()(BN_CTX* p) const { BN_CTX_free(p); } +}; + +struct PKCS8_PRIV_KEY_INFO_Delete { + void operator()(PKCS8_PRIV_KEY_INFO* p) const { PKCS8_PRIV_KEY_INFO_free(p); } +}; + +struct RSA_Delete { + void operator()(RSA* p) { RSA_free(p); } +}; + +struct EC_GROUP_Delete { + void operator()(EC_GROUP* p) { EC_GROUP_free(p); } +}; + +struct ENGINE_Delete { + void operator()(ENGINE* p) { ENGINE_free(p); } +}; keymaster_error_t ec_get_group_size(const EC_GROUP* group, size_t* key_size_bits); EC_GROUP* ec_get_group(keymaster_ec_curve_t curve); -- cgit v1.2.3 From 9b9cf60715d5f747392369358b915d881ec67600 Mon Sep 17 00:00:00 2001 
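Review bot: The restored deleters disagree on the const-ness of `operator()`: `EVP_PKEY_Delete`, `BIGNUM_Delete`, `BN_CTX_Delete` and `PKCS8_PRIV_KEY_INFO_Delete` declare it `const`, while `EC_KEY_Delete`, `EC_POINT_Delete`, `RSA_Delete`, `EC_GROUP_Delete` and `ENGINE_Delete` do not. This is a point of style rather than a defect, but none of these functors has state, so marking them all `const` (for example `void operator()(RSA* p) const { RSA_free(p); }`) makes the nine structs uniform. The `_Ptr` typedefs are removed, so every owner now has to name its deleter at the use site. A short comment above the group, such as `// Deleters for UniquePtr; each calls the matching OpenSSL *_free().`, would make that intent explicit.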
From: Shawn Willden Date: Thu, 28 Jan 2016 07:56:36 +0000 Subject: Revert "Add attestation support to AndroidKeymaster." This reverts commit d3ee550ac91a5c21343d9885a0e231281057e916. Change-Id: Iac1ec8025d5411050fc599273995baa9cf575dc9 --- android_keymaster.cpp | 17 ----------------- include/keymaster/android_keymaster.h | 3 +-- 2 files changed, 1 insertion(+), 19 deletions(-) diff --git a/android_keymaster.cpp b/android_keymaster.cpp index c2ff8e6..f60d6ee 100644 --- a/android_keymaster.cpp +++ b/android_keymaster.cpp @@ -364,23 +364,6 @@ void AndroidKeymaster::ExportKey(const ExportKeyRequest& request, ExportKeyRespo } } -void AndroidKeymaster::AttestKey(const AttestKeyRequest& request, AttestKeyResponse* response) { - if (!response) - return; - - AuthorizationSet tee_enforced; - AuthorizationSet sw_enforced; - const KeyFactory* key_factory; - UniquePtr key; - response->error = LoadKey(request.key_blob, request.attest_params, &tee_enforced, &sw_enforced, - &key_factory, &key); - if (response->error != KM_ERROR_OK) - return; - - response->error = key->GenerateAttestation(*context_, request.attest_params, tee_enforced, - sw_enforced, &response->certificate_chain); -} - void AndroidKeymaster::ImportKey(const ImportKeyRequest& request, ImportKeyResponse* response) { if (response == NULL) return; diff --git a/include/keymaster/android_keymaster.h b/include/keymaster/android_keymaster.h index c7ecfad..24954d9 100644 --- a/include/keymaster/android_keymaster.h +++ b/include/keymaster/android_keymaster.h @@ -50,7 +50,6 @@ class AndroidKeymaster { AndroidKeymaster(KeymasterContext* context, size_t operation_table_size); virtual ~AndroidKeymaster(); - void GetVersion(const GetVersionRequest& request, GetVersionResponse* response); void SupportedAlgorithms(const SupportedAlgorithmsRequest& request, SupportedAlgorithmsResponse* response); void SupportedBlockModes(const SupportedBlockModesRequest& request, 
@@ -70,13 +69,13 @@ class AndroidKeymaster { GetKeyCharacteristicsResponse* response); void ImportKey(const ImportKeyRequest& request, ImportKeyResponse* response); void ExportKey(const ExportKeyRequest& request, ExportKeyResponse* response); - void AttestKey(const AttestKeyRequest& request, AttestKeyResponse* response); void DeleteKey(const DeleteKeyRequest& request, DeleteKeyResponse* response); void DeleteAllKeys(const DeleteAllKeysRequest& request, DeleteAllKeysResponse* response); void BeginOperation(const BeginOperationRequest& request, BeginOperationResponse* response); void UpdateOperation(const UpdateOperationRequest& request, UpdateOperationResponse* response); void FinishOperation(const FinishOperationRequest& request, FinishOperationResponse* response); void AbortOperation(const AbortOperationRequest& request, AbortOperationResponse* response); + void GetVersion(const GetVersionRequest& request, GetVersionResponse* response); bool has_operation(keymaster_operation_handle_t op_handle) const; -- cgit v1.2.3 From c7889d1191ee74d0cec14afcd9696c7c1e4f44f8 Mon Sep 17 00:00:00 2001 From: Shawn Willden Date: Thu, 28 Jan 2016 07:56:53 +0000 Subject: Revert "Add attestation support to SoftKeymaster." This reverts commit fc3cafd487e69c84d83444e1d129d0ab131c4e3d. Change-Id: I1fb38db044c4039be04d1f75fb89ca9a6404321f --- android_keymaster_test.cpp | 126 +--------------------------- android_keymaster_test_utils.cpp | 9 -- android_keymaster_test_utils.h | 5 +- include/keymaster/android_keymaster_utils.h | 18 ++-- include/keymaster/soft_keymaster_device.h | 4 - soft_keymaster_device.cpp | 50 +---------- 6 files changed, 13 insertions(+), 199 deletions(-) diff --git a/android_keymaster_test.cpp b/android_keymaster_test.cpp index b6f5064..8966c04 100644 --- a/android_keymaster_test.cpp +++ b/android_keymaster_test.cpp 
@@ -28,16 +28,14 @@ #include #include "android_keymaster_test_utils.h" -#include "attestation_record.h" #include "keymaster0_engine.h" #include "openssl_utils.h" using std::ifstream; using std::istreambuf_iterator; -using std::ofstream; using std::string; -using std::unique_ptr; using std::vector; +using std::unique_ptr; extern "C" { int __android_log_print(int prio, const char* tag, const char* fmt); 
@@ -3446,128 +3444,6 @@ TEST_P(Keymaster0AdapterTest, OldHwKeymaster0RsaBlobGetCharacteristics) { EXPECT_EQ(1, GetParam()->keymaster0_calls()); } -typedef Keymaster2Test AttestationTest; -INSTANTIATE_TEST_CASE_P(AndroidKeymasterTest, AttestationTest, test_params); - -static X509* parse_cert_blob(const keymaster_blob_t& blob) { - const uint8_t* p = blob.data; - return d2i_X509(nullptr, &p, blob.data_length); -} - -static bool verify_chain(const keymaster_cert_chain_t& chain) { - for (size_t i = 0; i < chain.entry_count - 1; ++i) { - keymaster_blob_t& key_cert_blob = chain.entries[i]; - keymaster_blob_t& signing_cert_blob = chain.entries[i + 1]; - - X509_Ptr key_cert(parse_cert_blob(key_cert_blob)); - X509_Ptr signing_cert(parse_cert_blob(signing_cert_blob)); - EXPECT_TRUE(!!key_cert.get() && !!signing_cert.get()); - if (!key_cert.get() || !signing_cert.get()) - return false; - - EVP_PKEY_Ptr signing_pubkey(X509_get_pubkey(signing_cert.get())); - EXPECT_TRUE(!!signing_pubkey.get()); - if (!signing_pubkey.get()) - return false; - - EXPECT_EQ(1, X509_verify(key_cert.get(), signing_pubkey.get())) - << "Verification of certificate " << i << " failed"; - } - - return true; -} - -// Extract attestation record from cert. Returned object is still part of cert; don't free it -// separately. 
-static ASN1_OCTET_STRING* get_attestation_record(X509* certificate) { - ASN1_OBJECT_Ptr oid(OBJ_txt2obj(kAttestionRecordOid, 1 /* dotted string format */)); - EXPECT_TRUE(!!oid.get()); - if (!oid.get()) - return nullptr; - - int location = X509_get_ext_by_OBJ(certificate, oid.get(), -1 /* search from beginning */); - EXPECT_NE(-1, location); - if (location == -1) - return nullptr; - - X509_EXTENSION* attest_rec_ext = X509_get_ext(certificate, location); - EXPECT_TRUE(!!attest_rec_ext); - if (!attest_rec_ext) - return nullptr; - - ASN1_OCTET_STRING* attest_rec = X509_EXTENSION_get_data(attest_rec_ext); - EXPECT_TRUE(!!attest_rec); - return attest_rec; -} - -static bool verify_attestation_record(AuthorizationSet expected_sw_enforced, - AuthorizationSet expected_tee_enforced, - const keymaster_blob_t& attestation_cert) { - - X509_Ptr cert(parse_cert_blob(attestation_cert)); - EXPECT_TRUE(!!cert.get()); - if (!cert.get()) - return false; - - ASN1_OCTET_STRING* attest_rec = get_attestation_record(cert.get()); - EXPECT_TRUE(!!attest_rec); - if (!attest_rec) - return false; - - AuthorizationSet att_sw_enforced; - AuthorizationSet att_tee_enforced; - EXPECT_EQ(KM_ERROR_OK, parse_attestation_record(attest_rec->data, attest_rec->length, - &att_sw_enforced, &att_tee_enforced)); - - // Add TAG_USER_ID to the attestation sw-enforced list, because user IDs are not included in - // attestations, since they're meaningless off-device. 
- uint32_t user_id; - if (expected_sw_enforced.GetTagValue(TAG_USER_ID, &user_id)) - att_sw_enforced.push_back(TAG_USER_ID, user_id); - if (expected_tee_enforced.GetTagValue(TAG_USER_ID, &user_id)) - att_tee_enforced.push_back(TAG_USER_ID, user_id); - - att_sw_enforced.Sort(); - expected_sw_enforced.Sort(); - EXPECT_EQ(expected_sw_enforced, att_sw_enforced); - - att_tee_enforced.Sort(); - expected_tee_enforced.Sort(); - EXPECT_EQ(expected_tee_enforced, att_tee_enforced); - - return true; -} - -TEST_P(AttestationTest, RsaSignedWithRsa) { - ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() - .RsaSigningKey(256, 3) - .Digest(KM_DIGEST_NONE) - .Padding(KM_PAD_NONE))); - - keymaster_cert_chain_t cert_chain; - EXPECT_EQ(KM_ERROR_OK, AttestKey(KM_ALGORITHM_RSA, &cert_chain)); - EXPECT_EQ(3U, cert_chain.entry_count); - EXPECT_TRUE(verify_chain(cert_chain)); - EXPECT_TRUE(verify_attestation_record(sw_enforced(), hw_enforced(), cert_chain.entries[0])); - - keymaster_free_cert_chain(&cert_chain); -} - -TEST_P(AttestationTest, RsaSignedWithEc) { - ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() - .RsaSigningKey(256, 3) - .Digest(KM_DIGEST_NONE) - .Padding(KM_PAD_NONE))); - - keymaster_cert_chain_t cert_chain; - EXPECT_EQ(KM_ERROR_OK, AttestKey(KM_ALGORITHM_EC, &cert_chain)); - EXPECT_EQ(3U, cert_chain.entry_count); - EXPECT_TRUE(verify_chain(cert_chain)); - EXPECT_TRUE(verify_attestation_record(sw_enforced(), hw_enforced(), cert_chain.entries[0])); - - keymaster_free_cert_chain(&cert_chain); -} - TEST(SoftKeymasterWrapperTest, CheckKeymaster2Device) { // Make a good fake device, and wrap it. SoftKeymasterDevice* good_fake(new SoftKeymasterDevice(new TestKeymasterContext)); diff --git a/android_keymaster_test_utils.cpp b/android_keymaster_test_utils.cpp index bfe68ff..f62dd66 100644 --- a/android_keymaster_test_utils.cpp +++ b/android_keymaster_test_utils.cpp 
@@ -328,15 +328,6 @@ keymaster_error_t Keymaster2Test::AbortOperation() { return device()->abort(device(), op_handle_); } -keymaster_error_t Keymaster2Test::AttestKey(keymaster_algorithm_t algorithm, - keymaster_cert_chain_t* cert_chain) { - AuthorizationSet attest_params( - AuthorizationSetBuilder().Authorization(TAG_ALGORITHM, algorithm)); - attest_params.push_back(UserAuthParams()); - attest_params.push_back(ClientParams()); - return device()->attest_key(device(), &blob_, &attest_params, cert_chain); -} - string Keymaster2Test::ProcessMessage(keymaster_purpose_t purpose, const string& message) { EXPECT_EQ(KM_ERROR_OK, BeginOperation(purpose, client_params(), NULL /* output_params */)); diff --git a/android_keymaster_test_utils.h b/android_keymaster_test_utils.h index cba1467..d1acec0 100644 --- a/android_keymaster_test_utils.h +++ b/android_keymaster_test_utils.h @@ -144,7 +144,7 @@ inline std::string make_string(const uint8_t* data, size_t length) { return std::string(reinterpret_cast(data), length); } -template std::string make_string(const uint8_t (&a)[N]) { +template std::string make_string(const uint8_t(&a)[N]) { return make_string(a, N); } @@ -208,8 +208,6 @@ class Keymaster2Test : public testing::TestWithParam { keymaster_error_t AbortOperation(); - keymaster_error_t AttestKey(keymaster_algorithm_t algorithm, keymaster_cert_chain_t* chain); - keymaster_error_t GetVersion(uint8_t* major, uint8_t* minor, uint8_t* subminor); std::string ProcessMessage(keymaster_purpose_t purpose, const std::string& message); @@ -452,6 +450,7 @@ struct Keymaster0CountingWrapper : public keymaster0_device_t { int counter_; }; + /** * This function takes a keymaster1_device_t and wraps it in an adapter that supports only * KM_DIGEST_SHA_2_256. diff --git a/include/keymaster/android_keymaster_utils.h b/include/keymaster/android_keymaster_utils.h index 9f0cf6a..1964f1f 100644 --- a/include/keymaster/android_keymaster_utils.h +++ b/include/keymaster/android_keymaster_utils.h 
@@ -50,14 +50,14 @@ inline int64_t java_time(time_t time) { /** * Return the size in bytes of the array \p a. */ -template inline size_t array_size(const T (&a)[N]) { +template inline size_t array_size(const T(&a)[N]) { return sizeof(a); } /** * Return the number of elements in array \p a. */ -template inline size_t array_length(const T (&)[N]) { +template inline size_t array_length(const T(&)[N]) { return N; } @@ -78,7 +78,7 @@ template inline T* dup_array(const T* a, size_t n) { * responsibility. Note that the dup is necessarily returned as a pointer, so size is lost. Call * array_length() on the original array to discover the size. */ -template inline T* dup_array(const T (&a)[N]) { +template inline T* dup_array(const T(&a)[N]) { return dup_array(a, N); } @@ -91,7 +91,7 @@ uint8_t* dup_buffer(const void* buf, size_t size); /** * Copy the contents of array \p arr to \p dest. */ -template inline void copy_array(const T (&arr)[N], T* dest) { +template inline void copy_array(const T(&arr)[N], T* dest) { for (size_t i = 0; i < N; ++i) dest[i] = arr[i]; } @@ -101,7 +101,7 @@ template inline void copy_array(const T (&arr)[N], T* des * early-exit, meaning that it should not be used in contexts where timing analysis attacks could be * a concern. */ -template inline bool array_contains(const T (&a)[N], T val) { +template inline bool array_contains(const T(&a)[N], T val) { for (size_t i = 0; i < N; ++i) { if (a[i] == val) { return true; @@ -144,9 +144,10 @@ class Eraser { template explicit Eraser(T* t); template - explicit Eraser(T& t) : buf_(reinterpret_cast(&t)), size_(sizeof(t)) {} + explicit Eraser(T& t) + : buf_(reinterpret_cast(&t)), size_(sizeof(t)) {} - template explicit Eraser(uint8_t (&arr)[N]) : buf_(arr), size_(N) {} + template explicit Eraser(uint8_t(&arr)[N]) : buf_(arr), size_(N) {} Eraser(void* buf, size_t size) : buf_(static_cast(buf)), size_(size) {} ~Eraser() { memset_s(buf_, 0, size_); } 
@@ -175,9 +176,6 @@ template class ArrayWrapper { T* begin_; T* end_; }; -template ArrayWrapper array_range(T* begin, size_t length) { - return ArrayWrapper(begin, length); -} /** * Convert any unsigned integer from network to host order. We implement this here rather than diff --git a/include/keymaster/soft_keymaster_device.h b/include/keymaster/soft_keymaster_device.h index e9e325d..c39b326 100644 --- a/include/keymaster/soft_keymaster_device.h +++ b/include/keymaster/soft_keymaster_device.h @@ -200,10 +200,6 @@ class SoftKeymasterDevice { const keymaster_blob_t* client_id, const keymaster_blob_t* app_data, keymaster_blob_t* export_data); - static keymaster_error_t attest_key(const keymaster2_device_t* dev, - const keymaster_key_blob_t* key_to_attest, - const keymaster_key_param_set_t* attest_params, - keymaster_cert_chain_t* cert_chain); static keymaster_error_t delete_key(const keymaster2_device_t* dev, const keymaster_key_blob_t* key); static keymaster_error_t delete_all_keys(const keymaster2_device_t* dev); diff --git a/soft_keymaster_device.cpp b/soft_keymaster_device.cpp index cbeaec7..cff3ebb 100644 --- a/soft_keymaster_device.cpp +++ b/soft_keymaster_device.cpp @@ -280,8 +280,8 @@ void SoftKeymasterDevice::initialize_device_struct(uint32_t flags) { km2_device_.get_key_characteristics = get_key_characteristics; km2_device_.import_key = import_key; km2_device_.export_key = export_key; - km2_device_.agree_key = nullptr; // TODO(swillden) Implement ECDH - km2_device_.attest_key = attest_key; + km2_device_.agree_key = nullptr; // TODO(swillden) Implement ECDH + km2_device_.attest_key = nullptr; // TODO(swillden) Implement attestation km2_device_.upgrade_key = nullptr; // TODO(swillden) Implement upgrade km2_device_.delete_key = delete_key; km2_device_.delete_all_keys = delete_all_keys; 
@@ -977,52 +977,6 @@ keymaster_error_t SoftKeymasterDevice::export_key(const keymaster2_device_t* dev export_data); } -/* static */ -keymaster_error_t SoftKeymasterDevice::attest_key(const keymaster2_device_t* dev, - const keymaster_key_blob_t* key_to_attest, - const keymaster_key_param_set_t* attest_params, - keymaster_cert_chain_t* cert_chain) { - if (!dev || !key_to_attest || !attest_params || !cert_chain) - return KM_ERROR_UNEXPECTED_NULL_POINTER; - - cert_chain->entry_count = 0; - cert_chain->entries = nullptr; - - AttestKeyRequest request; - request.SetKeyMaterial(*key_to_attest); - request.attest_params.Reinitialize(*attest_params); - - AttestKeyResponse response; - convert_device(dev)->impl_->AttestKey(request, &response); - if (response.error != KM_ERROR_OK) - return response.error; - - // Allocate and clear storage for cert_chain. - keymaster_cert_chain_t& rsp_chain = response.certificate_chain; - cert_chain->entries = reinterpret_cast( - malloc(rsp_chain.entry_count * sizeof(*cert_chain->entries))); - if (!cert_chain->entries) - return KM_ERROR_MEMORY_ALLOCATION_FAILED; - cert_chain->entry_count = rsp_chain.entry_count; - for (keymaster_blob_t& entry : array_range(cert_chain->entries, cert_chain->entry_count)) - entry = {}; - - // Copy cert_chain contents - size_t i = 0; - for (keymaster_blob_t& entry : array_range(rsp_chain.entries, rsp_chain.entry_count)) { - cert_chain->entries[i].data = reinterpret_cast(malloc(entry.data_length)); - if (!cert_chain->entries[i].data) { - keymaster_free_cert_chain(cert_chain); - return KM_ERROR_MEMORY_ALLOCATION_FAILED; - } - cert_chain->entries[i].data_length = entry.data_length; - memcpy(const_cast(cert_chain->entries[i].data), entry.data, entry.data_length); - ++i; - } - - return KM_ERROR_OK; -} - /* static */ keymaster_error_t SoftKeymasterDevice::delete_key(const keymaster1_device_t* dev, const keymaster_key_blob_t* key) { -- cgit v1.2.3