identity: Replace RemotelyProvisionedKey with librkp_support
Test: m credstore
Change-Id: I0049d5ba59936943336c7a531d1b022d4d64e4a6
diff --git a/identity/Android.bp b/identity/Android.bp
index ecf667d..f4fcc0a 100644
--- a/identity/Android.bp
+++ b/identity/Android.bp
@@ -36,7 +36,6 @@
"CredentialData.cpp",
"CredentialStore.cpp",
"CredentialStoreFactory.cpp",
- "RemotelyProvisionedKey.cpp",
"Session.cpp",
"Util.cpp",
"WritableCredential.cpp",
@@ -55,6 +54,7 @@
"libhidlbase",
"libkeymaster4support",
"libkeystore-attestation-application-id",
+ "librkp_support",
"libutils",
"libutilscallstack",
"libvintf",
diff --git a/identity/CredentialStore.cpp b/identity/CredentialStore.cpp
index e200cb5..cb2e8c7 100644
--- a/identity/CredentialStore.cpp
+++ b/identity/CredentialStore.cpp
@@ -24,12 +24,12 @@
#include <android/hardware/security/keymint/RpcHardwareInfo.h>
#include <binder/IPCThreadState.h>
#include <binder/IServiceManager.h>
+#include <rkp/support/rkpd_client.h>
#include <vintf/VintfObject.h>
#include "Credential.h"
#include "CredentialData.h"
#include "CredentialStore.h"
-#include "RemotelyProvisionedKey.h"
#include "Session.h"
#include "Util.h"
#include "WritableCredential.h"
@@ -39,7 +39,8 @@
namespace identity {
namespace {
-using ::android::security::rkp::IRemoteProvisioning;
+using ::android::security::rkp::RemotelyProvisionedKey;
+using ::android::security::rkp::support::getRpcKey;
} // namespace
@@ -183,17 +184,7 @@
LOG(INFO) << "Fetching attestation key from RKPD";
uid_t callingUid = android::IPCThreadState::self()->getCallingUid();
- auto rpcKeyFuture = getRpcKeyFuture(rpc_, callingUid);
- if (!rpcKeyFuture) {
- return Status::fromServiceSpecificError(ERROR_GENERIC, "Error in getRpcKeyFuture()");
- }
-
- if (rpcKeyFuture->wait_for(std::chrono::seconds(10)) != std::future_status::ready) {
- return Status::fromServiceSpecificError(
- ERROR_GENERIC, "Waiting for remotely provisioned attestation key timed out");
- }
-
- std::optional<::android::security::rkp::RemotelyProvisionedKey> key = rpcKeyFuture->get();
+ std::optional<RemotelyProvisionedKey> key = getRpcKey(rpc_, callingUid);
if (!key) {
return Status::fromServiceSpecificError(
ERROR_GENERIC, "Failed to get remotely provisioned attestation key");
diff --git a/identity/CredentialStore.h b/identity/CredentialStore.h
index 32c9975..8bc02e8 100644
--- a/identity/CredentialStore.h
+++ b/identity/CredentialStore.h
@@ -22,7 +22,6 @@
#include <android/hardware/identity/IIdentityCredentialStore.h>
#include <android/security/identity/BnCredentialStore.h>
-#include <android/security/rkp/IRemoteProvisioning.h>
namespace android {
namespace security {
diff --git a/identity/RemotelyProvisionedKey.cpp b/identity/RemotelyProvisionedKey.cpp
deleted file mode 100644
index 784a680..0000000
--- a/identity/RemotelyProvisionedKey.cpp
+++ /dev/null
@@ -1,208 +0,0 @@
-/*
- * Copyright (c) 2019, The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#define LOG_TAG "credstore"
-
-#include <atomic>
-
-#include <android-base/logging.h>
-#include <android/security/rkp/BnGetKeyCallback.h>
-#include <android/security/rkp/BnGetRegistrationCallback.h>
-#include <android/security/rkp/IGetKeyCallback.h>
-#include <android/security/rkp/IRemoteProvisioning.h>
-#include <binder/IServiceManager.h>
-#include <binder/Status.h>
-#include <vintf/VintfObject.h>
-
-#include "RemotelyProvisionedKey.h"
-
-namespace android {
-namespace security {
-namespace identity {
-namespace {
-
-using ::android::binder::Status;
-using ::android::hardware::security::keymint::IRemotelyProvisionedComponent;
-using ::android::hardware::security::keymint::RpcHardwareInfo;
-using ::android::security::rkp::BnGetKeyCallback;
-using ::android::security::rkp::BnGetRegistrationCallback;
-using ::android::security::rkp::IGetKeyCallback;
-using ::android::security::rkp::IRegistration;
-using ::android::security::rkp::IRemoteProvisioning;
-using ::android::security::rkp::RemotelyProvisionedKey;
-
-constexpr const char* kRemoteProvisioningServiceName = "remote_provisioning";
-
-std::optional<String16> findRpcNameById(std::string_view targetRpcId) {
- auto deviceManifest = vintf::VintfObject::GetDeviceHalManifest();
- auto instances = deviceManifest->getAidlInstances("android.hardware.security.keymint",
- "IRemotelyProvisionedComponent");
- for (const std::string& instance : instances) {
- auto rpcName =
- IRemotelyProvisionedComponent::descriptor + String16("/") + String16(instance.c_str());
- sp<IRemotelyProvisionedComponent> rpc =
- android::waitForService<IRemotelyProvisionedComponent>(rpcName);
-
- auto rpcId = getRpcId(rpc);
- if (!rpcId) {
- continue;
- }
- if (*rpcId == targetRpcId) {
- return rpcName;
- }
- }
-
- LOG(ERROR) << "Remotely provisioned component with given unique ID: " << targetRpcId
- << " not found";
- return std::nullopt;
-}
-
-std::optional<String16> getRpcName(const sp<IRemotelyProvisionedComponent>& rpc) {
- std::optional<std::string> targetRpcId = getRpcId(rpc);
- if (!targetRpcId) {
- return std::nullopt;
- }
- return findRpcNameById(*targetRpcId);
-}
-
-class GetKeyCallback : public BnGetKeyCallback {
- public:
- GetKeyCallback(std::promise<std::optional<RemotelyProvisionedKey>> keyPromise)
- : keyPromise_(std::move(keyPromise)), called_() {}
-
- Status onSuccess(const RemotelyProvisionedKey& key) override {
- if (called_.test_and_set()) {
- return Status::ok();
- }
- keyPromise_.set_value(key);
- return Status::ok();
- }
- Status onCancel() override {
- if (called_.test_and_set()) {
- return Status::ok();
- }
- LOG(ERROR) << "GetKeyCallback cancelled";
- keyPromise_.set_value(std::nullopt);
- return Status::ok();
- }
- Status onError(IGetKeyCallback::ErrorCode error, const String16& description) override {
- if (called_.test_and_set()) {
- return Status::ok();
- }
- LOG(ERROR) << "GetKeyCallback failed: " << static_cast<int>(error) << ", " << description;
- keyPromise_.set_value(std::nullopt);
- return Status::ok();
- }
-
- private:
- std::promise<std::optional<RemotelyProvisionedKey>> keyPromise_;
- // This callback can only be called into once
- std::atomic_flag called_;
-};
-
-class GetRegistrationCallback : public BnGetRegistrationCallback {
- public:
- GetRegistrationCallback(std::promise<std::optional<RemotelyProvisionedKey>> keyPromise,
- uint32_t keyId)
- : keyPromise_(std::move(keyPromise)), keyId_(keyId), called_() {}
-
- Status onSuccess(const sp<IRegistration>& registration) override {
- if (called_.test_and_set()) {
- return Status::ok();
- }
- auto cb = sp<GetKeyCallback>::make(std::move(keyPromise_));
- auto status = registration->getKey(keyId_, cb);
- if (!status.isOk()) {
- cb->onError(IGetKeyCallback::ErrorCode::ERROR_UNKNOWN,
- String16("Failed to register GetKeyCallback"));
- }
- return Status::ok();
- }
- Status onCancel() override {
- if (called_.test_and_set()) {
- return Status::ok();
- }
- LOG(ERROR) << "GetRegistrationCallback cancelled";
- keyPromise_.set_value(std::nullopt);
- return Status::ok();
- }
- Status onError(const String16& error) override {
- if (called_.test_and_set()) {
- return Status::ok();
- }
- LOG(ERROR) << "GetRegistrationCallback failed: " << error;
- keyPromise_.set_value(std::nullopt);
- return Status::ok();
- }
-
- private:
- std::promise<std::optional<RemotelyProvisionedKey>> keyPromise_;
- int32_t keyId_;
- // This callback can only be called into once
- std::atomic_flag called_;
-};
-
-} // namespace
-
-std::optional<std::string> getRpcId(const sp<IRemotelyProvisionedComponent>& rpc) {
- RpcHardwareInfo rpcHwInfo;
- Status status = rpc->getHardwareInfo(&rpcHwInfo);
- if (!status.isOk()) {
- LOG(ERROR) << "Error getting remotely provisioned component hardware info: " << status;
- return std::nullopt;
- }
-
- if (!rpcHwInfo.uniqueId) {
- LOG(ERROR) << "Remotely provisioned component is missing a unique id, which is "
- << "required for credential key remotely provisioned attestation keys. "
- << "This is a bug in the vendor implementation.";
- return std::nullopt;
- }
-
- return *rpcHwInfo.uniqueId;
-}
-
-std::optional<std::future<std::optional<RemotelyProvisionedKey>>>
-getRpcKeyFuture(const sp<IRemotelyProvisionedComponent>& rpc, int32_t keyId) {
- std::promise<std::optional<RemotelyProvisionedKey>> keyPromise;
- auto keyFuture = keyPromise.get_future();
-
- auto rpcName = getRpcName(rpc);
- if (!rpcName) {
- LOG(ERROR) << "Failed to get IRemotelyProvisionedComponent name";
- return std::nullopt;
- }
-
- sp<IRemoteProvisioning> remoteProvisioning =
- android::waitForService<IRemoteProvisioning>(String16(kRemoteProvisioningServiceName));
- if (!remoteProvisioning) {
- LOG(ERROR) << "Failed to get IRemoteProvisioning HAL";
- return std::nullopt;
- }
-
- auto cb = sp<GetRegistrationCallback>::make(std::move(keyPromise), keyId);
- Status status = remoteProvisioning->getRegistration(*rpcName, cb);
- if (!status.isOk()) {
- LOG(ERROR) << "Failed getRegistration()";
- return std::nullopt;
- }
-
- return keyFuture;
-}
-
-} // namespace identity
-} // namespace security
-} // namespace android
diff --git a/identity/RemotelyProvisionedKey.h b/identity/RemotelyProvisionedKey.h
deleted file mode 100644
index e7ddfca..0000000
--- a/identity/RemotelyProvisionedKey.h
+++ /dev/null
@@ -1,38 +0,0 @@
-/*
- * Copyright (c) 2022, The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#pragma once
-
-#include <future>
-#include <optional>
-
-#include <android/hardware/security/keymint/IRemotelyProvisionedComponent.h>
-
-namespace android {
-namespace security {
-namespace identity {
-
-using ::android::hardware::security::keymint::IRemotelyProvisionedComponent;
-using ::android::security::rkp::RemotelyProvisionedKey;
-
-std::optional<std::string> getRpcId(const sp<IRemotelyProvisionedComponent>& rpc);
-
-std::optional<std::future<std::optional<RemotelyProvisionedKey>>>
-getRpcKeyFuture(const sp<IRemotelyProvisionedComponent>& rpc, int32_t keyId);
-
-} // namespace identity
-} // namespace security
-} // namespace android