src/com/android/remoteprovisioner/Provisioner.java - platform/packages/apps/RemoteProvisioner - Git at Google

 /**
  * Copyright (C) 2020 The Android Open Source Project
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
  *      http://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */

 package com.android.remoteprovisioner;

 import android.annotation.NonNull;
 import android.content.BroadcastReceiver;
 import android.content.Context;
 import android.content.Intent;
 import android.os.RemoteException;
 import android.security.remoteprovisioning.IRemoteProvisioning;
 import android.util.Log;

 import java.io.BufferedInputStream;
 import java.io.BufferedReader;
 import java.io.ByteArrayInputStream;
 import java.io.ByteArrayOutputStream;
 import java.io.IOException;
 import java.io.InputStreamReader;
 import java.io.OutputStream;
 import java.net.HttpURLConnection;
 import java.net.URL;
 import java.security.KeyStore;
 import java.security.cert.Certificate;
 import java.security.cert.CertificateException;
 import java.security.cert.CertificateFactory;
 import java.security.cert.X509Certificate;
 import java.util.List;
 import java.util.ArrayList;

 /**
  * Provides an easy package to run the provisioning process from start to finish, interfacing
  * with the remote provisioning system service and the server backend in order to provision
  * attestation certificates to the device.
  */
 public class Provisioner {
     private static final String PROVISIONING_URL = "";
     private static final String GEEK_URL = PROVISIONING_URL + "/v1/eekchain";
     private static final String CERTIFICATE_SIGNING_URL =
             PROVISIONING_URL + "/v1:signCertificates?challenge=";
     private static final String TAG = "RemoteProvisioningService";

     /**
      * Takes a byte stream composed of PEM encoded certificates and returns the X.509 certificates
      * contained within as an X509Certificate array.
      */
     private static X509Certificate[] formatX509Certs(byte[] certStream)
             throws CertificateException {
         CertificateFactory fact = CertificateFactory.getInstance("X.509");
         ByteArrayInputStream in = new ByteArrayInputStream(certStream);
         ArrayList<Certificate> certs = new ArrayList<Certificate>(fact.generateCertificates(in));
         return certs.toArray(new X509Certificate[certs.size()]);
     }

     /**
      * Calls out to the specified backend servers to retrieve an Endpoint Encryption Key and
      * corresponding certificate chain to provide to KeyMint. This public key will be used to
      * perform an ECDH computation, using the shared secret to encrypt privacy sensitive components
      * in the bundle that the server needs from the device in order to provision certificates.
      *
      * A challenge is also returned from the server so that it can check freshness of the follow-up
      * request to get keys signed.
      */
     private static GeekResponse fetchGeek() {
         try {
             URL url = new URL(GEEK_URL);
             HttpURLConnection con = (HttpURLConnection) url.openConnection();
             con.setRequestMethod("GET");
             if (con.getResponseCode() != HttpURLConnection.HTTP_OK) {
                 Log.w(TAG, "Server connection for GEEK failed, response code: "
                         + con.getResponseCode());
             }

             BufferedInputStream inputStream = new BufferedInputStream(con.getInputStream());
             ByteArrayOutputStream cborBytes = new ByteArrayOutputStream();
             byte[] buffer = new byte[1024];
             int read = 0;
             while((read = inputStream.read(buffer, 0, buffer.length)) != -1) {
                 cborBytes.write(buffer, 0, read);
             }
             inputStream.close();
             return CborUtils.parseGeekResponse(cborBytes.toByteArray());
         } catch (IOException e) {
             Log.e(TAG, "Failed to fetch GEEK from the servers.", e);
             return null;
         }
     }

     /**
      * Ferries the CBOR blobs returned by KeyMint to the provisioning server. The data sent to the
      * provisioning server contains the MAC'ed CSRs and encrypted bundle containing the MAC key and
      * the hardware unique public key.
      *
      * @param cborBlob The CBOR encoded data containing the relevant pieces needed for the server to
      *                    sign the CSRs. The data encoded within comes from Keystore / KeyMint.
      *
      * @param challenge The challenge that was sent from the server. It is included here even though
      *                    it is also included in `cborBlob` in order to allow the server to more
      *                    easily reject bad requests.
      *
      * @return A List of byte arrays, where each array contains an entire PEM-encoded certificate
      *                    for one attestation key pair.
      */
     private static List<byte[]> requestSignedCertificates(byte[] cborBlob, byte[] challenge) {
         try {
             URL url = new URL(CERTIFICATE_SIGNING_URL + new String(challenge, "UTF-8"));
             HttpURLConnection con = (HttpURLConnection) url.openConnection();
             con.setRequestMethod("POST");
             con.setDoOutput(true);
             if (con.getResponseCode() != HttpURLConnection.HTTP_OK) {
                 Log.e(TAG, "Server connection for signing failed, response code: "
                         + con.getResponseCode());
             }
             // May not be able to use try-with-resources here if the connection gets closed due to
             // the output stream being automatically closed.
             try (OutputStream os = con.getOutputStream()) {
                 os.write(cborBlob, 0, cborBlob.length);
             } catch (Exception e) {
                 return null;
             }

             BufferedInputStream inputStream = new BufferedInputStream(con.getInputStream());
             ByteArrayOutputStream cborBytes = new ByteArrayOutputStream();
             byte[] buffer = new byte[1024];
             int read = 0;
             while((read = inputStream.read(buffer, 0, buffer.length)) != -1) {
                 cborBytes.write(buffer, 0, read);
             }
             return CborUtils.parseSignedCertificates(cborBytes.toByteArray());
         } catch (IOException e) {
             Log.w(TAG, "Failed to request signed certificates from the server", e);
             return null;
         }
     }

     /**
      * Drives the process of provisioning certs. The method first contacts the provided backend
      * server to retrieve an Endpoing Encryption Key with an accompanying certificate chain and a
      * challenge. It passes this data and the requested number of keys to the remote provisioning
      * system backend, which then works with KeyMint in order to get a CSR bundle generated, along
      * with an encrypted package containing metadata that the server needs in order to make
      * decisions about provisioning.
      *
      * This method then passes that bundle back out to the server backend, waits for the response,
      * and, if successful, passes the certificate chains back to the remote provisioning service to
      * be stored and later assigned to apps requesting a key attestation.
      *
      * @param numKeys The number of keys to be signed. The service will do a best-effort to
      *                     provision the number requested, but if the number requested is larger
      *                     than the number of unsigned attestation key pairs available, it will
      *                     only sign the number that is available at time of calling.
      *
      * @param binder The IRemoteProvisioning binder interface needed by the method to handle talking
      *                     to the remote provisioning system component.
      *
      * @return True if certificates were successfully provisioned for the signing keys.
      */
     public static boolean provisionCerts(int numKeys, @NonNull IRemoteProvisioning binder) {
         if (numKeys < 1) {
             Log.e(TAG, "Request at least 1 key to be signed. Num requested: " + numKeys);
             return false;
         }
         GeekResponse geek = fetchGeek();
         if (geek == null) {
             Log.e(TAG, "The geek is null");
             return false;
         }
         byte[] payload = null;
         try {
             payload = binder.generateCsr(false /* testMode */,
                     numKeys,
                     geek.geek,
                     geek.challenge);
         } catch (RemoteException e) {
             Log.e(TAG, "Failed to generate CSR blob", e);
             return false;
         }
         if (payload == null) {
             Log.e(TAG, "Keystore failed to generate a payload");
             return false;
         }
         ArrayList<byte[]> certChains =
             new ArrayList<byte[]>(requestSignedCertificates(payload, geek.challenge));
         // TODO: Fix AIDL here to add a matching scheme, since public key in KeyStore is a CBOR
         // blob
         //binder.provisionCertChain();
         return true;
     }
 }
	/**
	* Copyright (C) 2020 The Android Open Source Project
	*
	* Licensed under the Apache License, Version 2.0 (the "License");
	* you may not use this file except in compliance with the License.
	* You may obtain a copy of the License at
	*
	* http://www.apache.org/licenses/LICENSE-2.0
	*
	* Unless required by applicable law or agreed to in writing, software
	* distributed under the License is distributed on an "AS IS" BASIS,
	* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	* See the License for the specific language governing permissions and
	* limitations under the License.
	*/

	package com.android.remoteprovisioner;

	import android.annotation.NonNull;
	import android.content.BroadcastReceiver;
	import android.content.Context;
	import android.content.Intent;
	import android.os.RemoteException;
	import android.security.remoteprovisioning.IRemoteProvisioning;
	import android.util.Log;

	import java.io.BufferedInputStream;
	import java.io.BufferedReader;
	import java.io.ByteArrayInputStream;
	import java.io.ByteArrayOutputStream;
	import java.io.IOException;
	import java.io.InputStreamReader;
	import java.io.OutputStream;
	import java.net.HttpURLConnection;
	import java.net.URL;
	import java.security.KeyStore;
	import java.security.cert.Certificate;
	import java.security.cert.CertificateException;
	import java.security.cert.CertificateFactory;
	import java.security.cert.X509Certificate;
	import java.util.List;
	import java.util.ArrayList;

	/**
	* Provides an easy package to run the provisioning process from start to finish, interfacing
	* with the remote provisioning system service and the server backend in order to provision
	* attestation certificates to the device.
	*/
	public class Provisioner {
	private static final String PROVISIONING_URL = "";
	private static final String GEEK_URL = PROVISIONING_URL + "/v1/eekchain";
	private static final String CERTIFICATE_SIGNING_URL =
	PROVISIONING_URL + "/v1:signCertificates?challenge=";
	private static final String TAG = "RemoteProvisioningService";

	/**
	* Takes a byte stream composed of PEM encoded certificates and returns the X.509 certificates
	* contained within as an X509Certificate array.
	*/
	private static X509Certificate[] formatX509Certs(byte[] certStream)
	throws CertificateException {
	CertificateFactory fact = CertificateFactory.getInstance("X.509");
	ByteArrayInputStream in = new ByteArrayInputStream(certStream);
	ArrayList<Certificate> certs = new ArrayList<Certificate>(fact.generateCertificates(in));
	return certs.toArray(new X509Certificate[certs.size()]);
	}

	/**
	* Calls out to the specified backend servers to retrieve an Endpoint Encryption Key and
	* corresponding certificate chain to provide to KeyMint. This public key will be used to
	* perform an ECDH computation, using the shared secret to encrypt privacy sensitive components
	* in the bundle that the server needs from the device in order to provision certificates.
	*
	* A challenge is also returned from the server so that it can check freshness of the follow-up
	* request to get keys signed.
	*/
	private static GeekResponse fetchGeek() {
	try {
	URL url = new URL(GEEK_URL);
	HttpURLConnection con = (HttpURLConnection) url.openConnection();
	con.setRequestMethod("GET");
	if (con.getResponseCode() != HttpURLConnection.HTTP_OK) {
	Log.w(TAG, "Server connection for GEEK failed, response code: "
	+ con.getResponseCode());
	}

	BufferedInputStream inputStream = new BufferedInputStream(con.getInputStream());
	ByteArrayOutputStream cborBytes = new ByteArrayOutputStream();
	byte[] buffer = new byte[1024];
	int read = 0;
	while((read = inputStream.read(buffer, 0, buffer.length)) != -1) {
	cborBytes.write(buffer, 0, read);
	}
	inputStream.close();
	return CborUtils.parseGeekResponse(cborBytes.toByteArray());
	} catch (IOException e) {
	Log.e(TAG, "Failed to fetch GEEK from the servers.", e);
	return null;
	}
	}

	/**
	* Ferries the CBOR blobs returned by KeyMint to the provisioning server. The data sent to the
	* provisioning server contains the MAC'ed CSRs and encrypted bundle containing the MAC key and
	* the hardware unique public key.
	*
	* @param cborBlob The CBOR encoded data containing the relevant pieces needed for the server to
	* sign the CSRs. The data encoded within comes from Keystore / KeyMint.
	*
	* @param challenge The challenge that was sent from the server. It is included here even though
	* it is also included in `cborBlob` in order to allow the server to more
	* easily reject bad requests.
	*
	* @return A List of byte arrays, where each array contains an entire PEM-encoded certificate
	* for one attestation key pair.
	*/
	private static List<byte[]> requestSignedCertificates(byte[] cborBlob, byte[] challenge) {
	try {
	URL url = new URL(CERTIFICATE_SIGNING_URL + new String(challenge, "UTF-8"));
	HttpURLConnection con = (HttpURLConnection) url.openConnection();
	con.setRequestMethod("POST");
	con.setDoOutput(true);
	if (con.getResponseCode() != HttpURLConnection.HTTP_OK) {
	Log.e(TAG, "Server connection for signing failed, response code: "
	+ con.getResponseCode());
	}
	// May not be able to use try-with-resources here if the connection gets closed due to
	// the output stream being automatically closed.
	try (OutputStream os = con.getOutputStream()) {
	os.write(cborBlob, 0, cborBlob.length);
	} catch (Exception e) {
	return null;
	}

	BufferedInputStream inputStream = new BufferedInputStream(con.getInputStream());
	ByteArrayOutputStream cborBytes = new ByteArrayOutputStream();
	byte[] buffer = new byte[1024];
	int read = 0;
	while((read = inputStream.read(buffer, 0, buffer.length)) != -1) {
	cborBytes.write(buffer, 0, read);
	}
	return CborUtils.parseSignedCertificates(cborBytes.toByteArray());
	} catch (IOException e) {
	Log.w(TAG, "Failed to request signed certificates from the server", e);
	return null;
	}
	}

	/**
	* Drives the process of provisioning certs. The method first contacts the provided backend
	* server to retrieve an Endpoing Encryption Key with an accompanying certificate chain and a
	* challenge. It passes this data and the requested number of keys to the remote provisioning
	* system backend, which then works with KeyMint in order to get a CSR bundle generated, along
	* with an encrypted package containing metadata that the server needs in order to make
	* decisions about provisioning.
	*
	* This method then passes that bundle back out to the server backend, waits for the response,
	* and, if successful, passes the certificate chains back to the remote provisioning service to
	* be stored and later assigned to apps requesting a key attestation.
	*
	* @param numKeys The number of keys to be signed. The service will do a best-effort to
	* provision the number requested, but if the number requested is larger
	* than the number of unsigned attestation key pairs available, it will
	* only sign the number that is available at time of calling.
	*
	* @param binder The IRemoteProvisioning binder interface needed by the method to handle talking
	* to the remote provisioning system component.
	*
	* @return True if certificates were successfully provisioned for the signing keys.
	*/
	public static boolean provisionCerts(int numKeys, @NonNull IRemoteProvisioning binder) {
	if (numKeys < 1) {
	Log.e(TAG, "Request at least 1 key to be signed. Num requested: " + numKeys);
	return false;
	}
	GeekResponse geek = fetchGeek();
	if (geek == null) {
	Log.e(TAG, "The geek is null");
	return false;
	}
	byte[] payload = null;
	try {
	payload = binder.generateCsr(false /* testMode */,
	numKeys,
	geek.geek,
	geek.challenge);
	} catch (RemoteException e) {
	Log.e(TAG, "Failed to generate CSR blob", e);
	return false;
	}
	if (payload == null) {
	Log.e(TAG, "Keystore failed to generate a payload");
	return false;
	}
	ArrayList<byte[]> certChains =
	new ArrayList<byte[]>(requestSignedCertificates(payload, geek.challenge));
	// TODO: Fix AIDL here to add a matching scheme, since public key in KeyStore is a CBOR
	// blob
	//binder.provisionCertChain();
	return true;
	}
	}