| /* |
| * Copyright 2020, The Android Open Source Project |
| * |
| * Licensed under the Apache License, Version 2.0 (the "License"); |
| * you may not use this file except in compliance with the License. |
| * You may obtain a copy of the License at |
| * |
| * http://www.apache.org/licenses/LICENSE-2.0 |
| * |
| * Unless required by applicable law or agreed to in writing, software |
| * distributed under the License is distributed on an "AS IS" BASIS, |
| * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| * See the License for the specific language governing permissions and |
| * limitations under the License. |
| */ |
| |
| #include "EicProvisioning.h" |
| #include "EicCommon.h" |
| |
| bool eicProvisioningInit(EicProvisioning* ctx, bool testCredential) { |
| eicMemSet(ctx, '\0', sizeof(EicProvisioning)); |
| ctx->testCredential = testCredential; |
| if (!eicOpsRandom(ctx->storageKey, EIC_AES_128_KEY_SIZE)) { |
| return false; |
| } |
| |
| return true; |
| } |
| |
| bool eicProvisioningInitForUpdate(EicProvisioning* ctx, bool testCredential, |
| const char* docType, size_t docTypeLength, |
| const uint8_t* encryptedCredentialKeys, |
| size_t encryptedCredentialKeysSize) { |
| uint8_t credentialKeys[EIC_CREDENTIAL_KEYS_CBOR_SIZE_FEATURE_VERSION_202101]; |
| |
| // For feature version 202009 it's 52 bytes long and for feature version |
| // 202101 it's 86 bytes (the additional data is the ProofOfProvisioning |
| // SHA-256). We need to support loading all feature versions. |
| // |
| bool expectPopSha256 = false; |
| if (encryptedCredentialKeysSize == |
| EIC_CREDENTIAL_KEYS_CBOR_SIZE_FEATURE_VERSION_202009 + 28) { |
| /* do nothing */ |
| } else if (encryptedCredentialKeysSize == |
| EIC_CREDENTIAL_KEYS_CBOR_SIZE_FEATURE_VERSION_202101 + 28) { |
| expectPopSha256 = true; |
| } else { |
| eicDebug("Unexpected size %zd for encryptedCredentialKeys", |
| encryptedCredentialKeysSize); |
| return false; |
| } |
| |
| eicMemSet(ctx, '\0', sizeof(EicProvisioning)); |
| ctx->testCredential = testCredential; |
| |
| if (!eicOpsDecryptAes128Gcm( |
| eicOpsGetHardwareBoundKey(testCredential), encryptedCredentialKeys, |
| encryptedCredentialKeysSize, |
| // DocType is the additionalAuthenticatedData |
| (const uint8_t*)docType, docTypeLength, credentialKeys)) { |
| eicDebug("Error decrypting CredentialKeys"); |
| return false; |
| } |
| |
| // It's supposed to look like this; |
| // |
| // Feature version 202009: |
| // |
| // CredentialKeys = [ |
| // bstr, ; storageKey, a 128-bit AES key |
| // bstr, ; credentialPrivKey, the private key for credentialKey |
| // ] |
| // |
| // Feature version 202101: |
| // |
| // CredentialKeys = [ |
| // bstr, ; storageKey, a 128-bit AES key |
| // bstr, ; credentialPrivKey, the private key for credentialKey |
| // bstr ; proofOfProvisioning SHA-256 |
| // ] |
| // |
| // where storageKey is 16 bytes, credentialPrivateKey is 32 bytes, and |
| // proofOfProvisioning SHA-256 is 32 bytes. |
| // |
| if (credentialKeys[0] != |
| (expectPopSha256 ? 0x83 : 0x82) || // array of two or three elements |
| credentialKeys[1] != 0x50 || // 16-byte bstr |
| credentialKeys[18] != 0x58 || |
| credentialKeys[19] != 0x20) { // 32-byte bstr |
| eicDebug("Invalid CBOR for CredentialKeys"); |
| return false; |
| } |
| if (expectPopSha256) { |
| if (credentialKeys[52] != 0x58 || |
| credentialKeys[53] != 0x20) { // 32-byte bstr |
| eicDebug("Invalid CBOR for CredentialKeys"); |
| return false; |
| } |
| } |
| eicMemCpy(ctx->storageKey, credentialKeys + 2, EIC_AES_128_KEY_SIZE); |
| eicMemCpy(ctx->credentialPrivateKey, credentialKeys + 20, |
| EIC_P256_PRIV_KEY_SIZE); |
| // Note: We don't care about the previous ProofOfProvisioning SHA-256 |
| ctx->isUpdate = true; |
| return true; |
| } |
| |
| bool eicProvisioningCreateCredentialKey( |
| EicProvisioning* ctx, const uint8_t* challenge, size_t challengeSize, |
| const uint8_t* applicationId, size_t applicationIdSize, |
| uint8_t* publicKeyCert, size_t* publicKeyCertSize) { |
| if (ctx->isUpdate) { |
| eicDebug("Cannot create CredentialKey on update"); |
| return false; |
| } |
| |
| if (!eicOpsCreateCredentialKey(ctx->credentialPrivateKey, challenge, |
| challengeSize, applicationId, |
| applicationIdSize, ctx->testCredential, |
| publicKeyCert, publicKeyCertSize)) { |
| return false; |
| } |
| return true; |
| } |
| |
| bool eicProvisioningStartPersonalization( |
| EicProvisioning* ctx, int accessControlProfileCount, const int* entryCounts, |
| size_t numEntryCounts, const char* docType, size_t docTypeLength, |
| size_t expectedProofOfProvisioningSize) { |
| if (numEntryCounts >= EIC_MAX_NUM_NAMESPACES) { |
| return false; |
| } |
| if (accessControlProfileCount >= EIC_MAX_NUM_ACCESS_CONTROL_PROFILE_IDS) { |
| return false; |
| } |
| |
| ctx->numEntryCounts = numEntryCounts; |
| if (numEntryCounts > EIC_MAX_NUM_NAMESPACES) { |
| return false; |
| } |
| for (size_t n = 0; n < numEntryCounts; n++) { |
| if (entryCounts[n] >= 256) { |
| return false; |
| } |
| ctx->entryCounts[n] = entryCounts[n]; |
| } |
| ctx->curNamespace = -1; |
| ctx->curNamespaceNumProcessed = 0; |
| |
| eicCborInit(&ctx->cbor, NULL, 0); |
| |
| // What we're going to sign is the COSE ToBeSigned structure which |
| // looks like the following: |
| // |
| // Sig_structure = [ |
| // context : "Signature" / "Signature1" / "CounterSignature", |
| // body_protected : empty_or_serialized_map, |
| // ? sign_protected : empty_or_serialized_map, |
| // external_aad : bstr, |
| // payload : bstr |
| // ] |
| // |
| eicCborAppendArray(&ctx->cbor, 4); |
| eicCborAppendStringZ(&ctx->cbor, "Signature1"); |
| |
| // The COSE Encoded protected headers is just a single field with |
| // COSE_LABEL_ALG (1) -> COSE_ALG_ECSDA_256 (-7). For simplicitly we just |
| // hard-code the CBOR encoding: |
| static const uint8_t coseEncodedProtectedHeaders[] = {0xa1, 0x01, 0x26}; |
| eicCborAppendByteString(&ctx->cbor, coseEncodedProtectedHeaders, |
| sizeof(coseEncodedProtectedHeaders)); |
| |
| // We currently don't support Externally Supplied Data (RFC 8152 section 4.3) |
| // so external_aad is the empty bstr |
| static const uint8_t externalAad[0] = {}; |
| eicCborAppendByteString(&ctx->cbor, externalAad, sizeof(externalAad)); |
| |
| // For the payload, the _encoded_ form follows here. We handle this by simply |
| // opening a bstr, and then writing the CBOR. This requires us to know the |
| // size of said bstr, ahead of time. |
| eicCborBegin(&ctx->cbor, EIC_CBOR_MAJOR_TYPE_BYTE_STRING, |
| expectedProofOfProvisioningSize); |
| ctx->expectedCborSizeAtEnd = expectedProofOfProvisioningSize + ctx->cbor.size; |
| |
| eicOpsSha256Init(&ctx->proofOfProvisioningDigester); |
| eicCborEnableSecondaryDigesterSha256(&ctx->cbor, |
| &ctx->proofOfProvisioningDigester); |
| |
| eicCborAppendArray(&ctx->cbor, 5); |
| eicCborAppendStringZ(&ctx->cbor, "ProofOfProvisioning"); |
| eicCborAppendString(&ctx->cbor, docType, docTypeLength); |
| |
| eicCborAppendArray(&ctx->cbor, accessControlProfileCount); |
| |
| return true; |
| } |
| |
| bool eicProvisioningAddAccessControlProfile( |
| EicProvisioning* ctx, int id, const uint8_t* readerCertificate, |
| size_t readerCertificateSize, bool userAuthenticationRequired, |
| uint64_t timeoutMillis, uint64_t secureUserId, uint8_t outMac[28], |
| uint8_t* scratchSpace, size_t scratchSpaceSize) { |
| EicCbor cborBuilder; |
| eicCborInit(&cborBuilder, scratchSpace, scratchSpaceSize); |
| |
| if (!eicCborCalcAccessControl( |
| &cborBuilder, id, readerCertificate, readerCertificateSize, |
| userAuthenticationRequired, timeoutMillis, secureUserId)) { |
| return false; |
| } |
| |
| // Calculate and return MAC |
| uint8_t nonce[12]; |
| if (!eicOpsRandom(nonce, 12)) { |
| return false; |
| } |
| if (!eicOpsEncryptAes128Gcm(ctx->storageKey, nonce, NULL, 0, |
| cborBuilder.buffer, cborBuilder.size, outMac)) { |
| return false; |
| } |
| |
| // The ACP CBOR in the provisioning receipt doesn't include secureUserId so |
| // build it again. |
| eicCborInit(&cborBuilder, scratchSpace, scratchSpaceSize); |
| if (!eicCborCalcAccessControl( |
| &cborBuilder, id, readerCertificate, readerCertificateSize, |
| userAuthenticationRequired, timeoutMillis, 0 /* secureUserId */)) { |
| return false; |
| } |
| |
| // Append the CBOR from the local builder to the digester. |
| eicCborAppend(&ctx->cbor, cborBuilder.buffer, cborBuilder.size); |
| |
| return true; |
| } |
| |
| bool eicProvisioningBeginAddEntry(EicProvisioning* ctx, |
| const uint8_t* accessControlProfileIds, |
| size_t numAccessControlProfileIds, |
| const char* nameSpace, size_t nameSpaceLength, |
| const char* name, size_t nameLength, |
| uint64_t entrySize, uint8_t* scratchSpace, |
| size_t scratchSpaceSize) { |
| uint8_t* additionalDataCbor = scratchSpace; |
| const size_t additionalDataCborBufSize = scratchSpaceSize; |
| size_t additionalDataCborSize; |
| |
| // We'll need to calc and store a digest of additionalData to check that it's |
| // the same additionalData being passed in for every |
| // eicProvisioningAddEntryValue() call... |
| if (!eicCborCalcEntryAdditionalData( |
| accessControlProfileIds, numAccessControlProfileIds, nameSpace, |
| nameSpaceLength, name, nameLength, additionalDataCbor, |
| additionalDataCborBufSize, &additionalDataCborSize, |
| ctx->additionalDataSha256)) { |
| return false; |
| } |
| |
| if (ctx->curNamespace == -1) { |
| ctx->curNamespace = 0; |
| ctx->curNamespaceNumProcessed = 0; |
| // Opens the main map: { * Namespace => [ + Entry ] } |
| eicCborAppendMap(&ctx->cbor, ctx->numEntryCounts); |
| eicCborAppendString(&ctx->cbor, nameSpace, nameSpaceLength); |
| // Opens the per-namespace array: [ + Entry ] |
| eicCborAppendArray(&ctx->cbor, ctx->entryCounts[ctx->curNamespace]); |
| } |
| |
| if (ctx->curNamespaceNumProcessed == ctx->entryCounts[ctx->curNamespace]) { |
| ctx->curNamespace += 1; |
| ctx->curNamespaceNumProcessed = 0; |
| eicCborAppendString(&ctx->cbor, nameSpace, nameSpaceLength); |
| // Opens the per-namespace array: [ + Entry ] |
| eicCborAppendArray(&ctx->cbor, ctx->entryCounts[ctx->curNamespace]); |
| } |
| |
| eicCborAppendMap(&ctx->cbor, 3); |
| eicCborAppendStringZ(&ctx->cbor, "name"); |
| eicCborAppendString(&ctx->cbor, name, nameLength); |
| |
| ctx->curEntrySize = entrySize; |
| ctx->curEntryNumBytesReceived = 0; |
| |
| eicCborAppendStringZ(&ctx->cbor, "value"); |
| |
| ctx->curNamespaceNumProcessed += 1; |
| return true; |
| } |
| |
| bool eicProvisioningAddEntryValue( |
| EicProvisioning* ctx, const uint8_t* accessControlProfileIds, |
| size_t numAccessControlProfileIds, const char* nameSpace, |
| size_t nameSpaceLength, const char* name, size_t nameLength, |
| const uint8_t* content, size_t contentSize, uint8_t* outEncryptedContent, |
| uint8_t* scratchSpace, size_t scratchSpaceSize) { |
| uint8_t* additionalDataCbor = scratchSpace; |
| const size_t additionalDataCborBufSize = scratchSpaceSize; |
| size_t additionalDataCborSize; |
| uint8_t calculatedSha256[EIC_SHA256_DIGEST_SIZE]; |
| |
| if (!eicCborCalcEntryAdditionalData( |
| accessControlProfileIds, numAccessControlProfileIds, nameSpace, |
| nameSpaceLength, name, nameLength, additionalDataCbor, |
| additionalDataCborBufSize, &additionalDataCborSize, |
| calculatedSha256)) { |
| return false; |
| } |
| if (eicCryptoMemCmp(calculatedSha256, ctx->additionalDataSha256, |
| EIC_SHA256_DIGEST_SIZE) != 0) { |
| eicDebug("SHA-256 mismatch of additionalData"); |
| return false; |
| } |
| |
| eicCborAppend(&ctx->cbor, content, contentSize); |
| |
| uint8_t nonce[12]; |
| if (!eicOpsRandom(nonce, 12)) { |
| return false; |
| } |
| if (!eicOpsEncryptAes128Gcm(ctx->storageKey, nonce, content, contentSize, |
| additionalDataCbor, additionalDataCborSize, |
| outEncryptedContent)) { |
| return false; |
| } |
| |
| // If done with this entry, close the map |
| ctx->curEntryNumBytesReceived += contentSize; |
| if (ctx->curEntryNumBytesReceived == ctx->curEntrySize) { |
| eicCborAppendStringZ(&ctx->cbor, "accessControlProfiles"); |
| eicCborAppendArray(&ctx->cbor, numAccessControlProfileIds); |
| for (size_t n = 0; n < numAccessControlProfileIds; n++) { |
| eicCborAppendNumber(&ctx->cbor, accessControlProfileIds[n]); |
| } |
| } |
| return true; |
| } |
| |
| bool eicProvisioningFinishAddingEntries( |
| EicProvisioning* ctx, |
| uint8_t signatureOfToBeSigned[EIC_ECDSA_P256_SIGNATURE_SIZE]) { |
| uint8_t cborSha256[EIC_SHA256_DIGEST_SIZE]; |
| |
| eicCborAppendBool(&ctx->cbor, ctx->testCredential); |
| eicCborFinal(&ctx->cbor, cborSha256); |
| |
| // This verifies that the correct expectedProofOfProvisioningSize value was |
| // passed in at eicStartPersonalization() time. |
| if (ctx->cbor.size != ctx->expectedCborSizeAtEnd) { |
| eicDebug("CBOR size is %zd, was expecting %zd", ctx->cbor.size, |
| ctx->expectedCborSizeAtEnd); |
| return false; |
| } |
| |
| if (!eicOpsEcDsa(ctx->credentialPrivateKey, cborSha256, |
| signatureOfToBeSigned)) { |
| eicDebug("Error signing proofOfProvisioning"); |
| return false; |
| } |
| |
| return true; |
| } |
| |
| bool eicProvisioningFinishGetCredentialData( |
| EicProvisioning* ctx, const char* docType, size_t docTypeLength, |
| uint8_t* encryptedCredentialKeys, size_t* encryptedCredentialKeysSize) { |
| EicCbor cbor; |
| uint8_t cborBuf[86]; |
| |
| if (*encryptedCredentialKeysSize < 86 + 28) { |
| eicDebug("encryptedCredentialKeysSize is %zd which is insufficient"); |
| return false; |
| } |
| |
| eicCborInit(&cbor, cborBuf, sizeof(cborBuf)); |
| eicCborAppendArray(&cbor, 3); |
| eicCborAppendByteString(&cbor, ctx->storageKey, EIC_AES_128_KEY_SIZE); |
| eicCborAppendByteString(&cbor, ctx->credentialPrivateKey, |
| EIC_P256_PRIV_KEY_SIZE); |
| uint8_t popSha256[EIC_SHA256_DIGEST_SIZE]; |
| eicOpsSha256Final(&ctx->proofOfProvisioningDigester, popSha256); |
| eicCborAppendByteString(&cbor, popSha256, EIC_SHA256_DIGEST_SIZE); |
| if (cbor.size > sizeof(cborBuf)) { |
| eicDebug("Exceeded buffer size"); |
| return false; |
| } |
| |
| uint8_t nonce[12]; |
| if (!eicOpsRandom(nonce, 12)) { |
| eicDebug("Error getting random"); |
| return false; |
| } |
| if (!eicOpsEncryptAes128Gcm(eicOpsGetHardwareBoundKey(ctx->testCredential), |
| nonce, cborBuf, cbor.size, |
| // DocType is the additionalAuthenticatedData |
| (const uint8_t*)docType, docTypeLength, |
| encryptedCredentialKeys)) { |
| eicDebug("Error encrypting CredentialKeys"); |
| return false; |
| } |
| *encryptedCredentialKeysSize = cbor.size + 28; |
| |
| return true; |
| } |
