Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 3200496e authored by Seth Moore's avatar Seth Moore
Browse files

Refactor IC support for RKP 

Remote key provisioning means that attestation keys and certs are
passed in, and not pulled directly from the factory-provisioned data.

In anticipation of RKP support, parameterize/refactor some existing
functions so that we can pass keys to them. Also new extern functions
for generating an RKP-attested key as well as keypair/cert for testing.

Test: VtsHalIdentityTargetTest
Bug: 194696876
Change-Id: I7d2906de04835906682455952ebe238c3fa57321
parent 51efd9e0

identity/support/include/android/hardware/identity/support/IdentityCredentialSupport.h

+18 −0
Original line number Diff line number Diff line
@@ -17,6 +17,8 @@ 
#ifndef IDENTITY_SUPPORT_INCLUDE_IDENTITY_CREDENTIAL_UTILS_H_

#define IDENTITY_SUPPORT_INCLUDE_IDENTITY_CREDENTIAL_UTILS_H_



#include <openssl/evp.h>



#include <cstdint>

#include <map>

#include <optional>
@@ -128,6 +130,15 @@ optional<std::pair<vector<uint8_t>, vector<vector<uint8_t>>>> createEcKeyPairAnd 
        const vector<uint8_t>& challenge, const vector<uint8_t>& applicationId,

        bool isTestCredential);



// Alternate version of createEcKeyPairAndAttestation that accepts an attestation key

// blob to sign the generated key. Only a single certificate is returned, rather than

// a full chain.

//

optional<std::pair<vector<uint8_t>, vector<uint8_t>>> createEcKeyPairWithAttestationKey(

        const vector<uint8_t>& challenge, const vector<uint8_t>& applicationId,

        const vector<uint8_t>& attestationKeyBlob, const vector<uint8_t>& attestationKeyCert,

        bool isTestCredential);



// (TODO: remove when no longer used by 3rd party.)

optional<vector<vector<uint8_t>>> createAttestationForEcPublicKey(

        const vector<uint8_t>& publicKey, const vector<uint8_t>& challenge,
@@ -240,6 +251,13 @@ optional<vector<uint8_t>> ecPublicKeyGenerateCertificate( 
        time_t validityNotBefore, time_t validityNotAfter,

        const map<string, vector<uint8_t>>& extensions);



// Identical behavior to the above version of ecPublicKeyGenerateCertificate, except this

// overload takes OpenSSL key parameters instead of key bitstrings as inputs.

optional<vector<uint8_t>> ecPublicKeyGenerateCertificate(

        EVP_PKEY* publicKey, EVP_PKEY* signingKey, const string& serialDecimal,

        const string& issuer, const string& subject, time_t validityNotBefore,

        time_t validityNotAfter, const map<string, vector<uint8_t>>& extensions);



// Performs Elliptic-curve Diffie-Helman using |publicKey| (which must be in the

// format returned by ecKeyPairGetPublicKey()) and |privateKey| (which must be

// in the format returned by ecKeyPairGetPrivateKey()).

identity/support/src/IdentityCredentialSupport.cpp

+338 −195

File changed.

Preview size limit exceeded, changes collapsed.