use alloc::rc::Rc; use android_desktop_security_boot_params::aidl::android::desktop::security::boot_params::IBootParams::IBootParams; use authgraph_core::{
key::{CertChain, EcSignKey, EcVerifyKey, Identity, PseudoRandKey, EXPLICIT_KEY_DICE_CERT_CHAIN_VERSION, IDENTITY_VERSION},
error::Error as AuthGraphError, traits::CryptoTraitImpl}; use core::cell::RefCell; use coset::{iana, CoseKeyBuilder, ParseSec1OctetStringError}; use log::info; use openssl::{
bn::{BigNum, BigNumContext},
ec::{EcGroup, EcKey, EcPoint},
error::ErrorStack,
nid::Nid}; use secretkeeper_comm::data_types::error::Error as SkInternalError; use secretkeeper_core::{store::KeyValueStore, ta::SecretkeeperTa}; use service_manager::wait_for_interface; use std::fmt;
pubfn secretkeeper_ta(
ag_impls: &mut CryptoTraitImpl,
storage_impl: Box<dyn KeyValueStore>,
) -> Result<Rc<RefCell<SecretkeeperTa>>, Error> {
info!("Retrieving derived session key from boot params"); let bp: binder::Strong<dyn IBootParams> =
wait_for_interface(BP_SERVICE_PORT).map_err(Error::BinderConnectionFailure)?; let salt = b"Secretkeeper"; let prk_vec = bp.deriveSessionKey(salt).map_err(Error::BinderCallFailure)?; let prk_array = <[u8; 32]>::try_from(prk_vec).map_err(|v| {
Error::InternalFailure(format!("PRK size mismatch: expected 32, got {}", v.len()))
})?;
let context = b"AuthGraph Identity Key Derivation"; let derived_material = ag_impls
.hkdf
.expand(&PseudoRandKey(prk_array), context)
.map_err(Error::AuthGraphFailure)?;
info!("Deriving ECDSA P_256 key pair"); let group = EcGroup::from_curve_name(Nid::X9_62_PRIME256V1).map_err(Error::OpenSslFailure)?; letmut ctx = BigNumContext::new().map_err(Error::OpenSslFailure)?; let priv_key_bn = BigNum::from_slice(&derived_material.0).map_err(Error::OpenSslFailure)?; letmut pub_key_point = EcPoint::new(&group).map_err(Error::OpenSslFailure)?; // Derive the public key point by multiplying the Generator point by the private key.
pub_key_point.mul_generator(&group, &priv_key_bn, &ctx).map_err(Error::OpenSslFailure)?; let ec_key = EcKey::from_private_components(&group, &priv_key_bn, &pub_key_point)
.map_err(Error::OpenSslFailure)?; // Secretkeeper expects the private key to be DER-encoded (ASN.1 structure). let priv_key = ec_key.private_key_to_der().map_err(Error::OpenSslFailure)?; let pub_bytes = ec_key
.public_key()
.to_bytes(&group, openssl::ec::PointConversionForm::UNCOMPRESSED, &mut ctx)
.map_err(Error::OpenSslFailure)?; let pub_key_builder =
CoseKeyBuilder::new_ec2_pub_key_sec1_octet_string(iana::EllipticCurve::P_256, &pub_bytes)
.map_err(Error::CosetFailure)?; let pub_key = pub_key_builder.algorithm(iana::Algorithm::ES256).build();
Die Informationen auf dieser Webseite wurden
nach bestem Wissen sorgfältig zusammengestellt. Es wird jedoch weder Vollständigkeit, noch Richtigkeit,
noch Qualität der bereit gestellten Informationen zugesichert.
Bemerkung:
Die farbliche Syntaxdarstellung und die Messung sind noch experimentell.