Gitiles
Code Review Sign In
gerrit.openfyde.cn / android.googlesource.com / platform / system / keymaster / 407d41282d6b0a7f2d6e2826d44a58b016a5d844 / . / asymmetric_key.cpp
blob: d4cc226c13b9a72b2e2681ef7cfd170769ff7369 [file] [log] [blame]
Shawn Willdend67afae2014-08-19 12:36:27 -0600[diff] [blame]1/*
2 * Copyright 2014 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
Shawn Willdenf268d742014-08-19 15:36:26 -0600[diff] [blame]17#include <openssl/evp.h>
18#include <openssl/x509.h>
19
Shawn Willdend67afae2014-08-19 12:36:27 -0600[diff] [blame]20#include "asymmetric_key.h"
21#include "dsa_operation.h"
22#include "ecdsa_operation.h"
23#include "key_blob.h"
24#include "keymaster_defs.h"
25#include "openssl_utils.h"
26#include "rsa_operation.h"
27
28namespace keymaster {
29
30const uint32_t RSA_DEFAULT_KEY_SIZE = 2048;
31const uint64_t RSA_DEFAULT_EXPONENT = 65537;
32
33const uint32_t DSA_DEFAULT_KEY_SIZE = 2048;
34
35const uint32_t ECDSA_DEFAULT_KEY_SIZE = 192;
36
37keymaster_error_t AsymmetricKey::LoadKey(const KeyBlob& blob) {
38 UniquePtr<EVP_PKEY, EVP_PKEY_Delete> evp_key(EVP_PKEY_new());
39 if (evp_key.get() == NULL)
40 return KM_ERROR_MEMORY_ALLOCATION_FAILED;
41
42 EVP_PKEY* tmp_pkey = evp_key.get();
43 const uint8_t* key_material = blob.key_material();
44 if (d2i_PrivateKey(evp_key_type(), &tmp_pkey, &key_material, blob.key_material_length()) ==
45 NULL) {
46 return KM_ERROR_INVALID_KEY_BLOB;
47 }
48 if (!EvpToInternal(evp_key.get()))
49 return KM_ERROR_UNKNOWN_ERROR;
50
51 return KM_ERROR_OK;
52}
53
54keymaster_error_t AsymmetricKey::key_material(UniquePtr<uint8_t[]>* material, size_t* size) const {
55 if (material == NULL || size == NULL)
56 return KM_ERROR_OUTPUT_PARAMETER_NULL;
57
58 UniquePtr<EVP_PKEY, EVP_PKEY_Delete> pkey(EVP_PKEY_new());
59 if (pkey.get() == NULL)
60 return KM_ERROR_MEMORY_ALLOCATION_FAILED;
61
62 if (!InternalToEvp(pkey.get()))
63 return KM_ERROR_UNKNOWN_ERROR;
64
65 *size = i2d_PrivateKey(pkey.get(), NULL /* key_data*/);
66 if (*size <= 0)
67 return KM_ERROR_UNKNOWN_ERROR;
68
69 material->reset(new uint8_t[*size]);
70 uint8_t* tmp = material->get();
71 i2d_PrivateKey(pkey.get(), &tmp);
72
73 return KM_ERROR_OK;
74}
75
Shawn Willdenf268d742014-08-19 15:36:26 -0600[diff] [blame]76keymaster_error_t AsymmetricKey::formatted_key_material(keymaster_key_format_t format,
77 UniquePtr<uint8_t[]>* material,
Shawn Willdend67afae2014-08-19 12:36:27 -0600[diff] [blame]78 size_t* size) const {
Shawn Willdenf268d742014-08-19 15:36:26 -0600[diff] [blame]79 if (format != KM_KEY_FORMAT_X509)
80 return KM_ERROR_UNSUPPORTED_KEY_FORMAT;
81
Shawn Willdend67afae2014-08-19 12:36:27 -0600[diff] [blame]82 if (material == NULL || size == NULL)
83 return KM_ERROR_OUTPUT_PARAMETER_NULL;
84
Shawn Willdenf268d742014-08-19 15:36:26 -0600[diff] [blame]85 UniquePtr<EVP_PKEY, EVP_PKEY_Delete> pkey(EVP_PKEY_new());
86 if (!InternalToEvp(pkey.get()))
87 return KM_ERROR_UNKNOWN_ERROR;
88
89 int key_data_length = i2d_PUBKEY(pkey.get(), NULL);
90 if (key_data_length <= 0)
91 return KM_ERROR_UNKNOWN_ERROR;
92
93 material->reset(new uint8_t[key_data_length]);
94 if (material->get() == NULL)
95 return KM_ERROR_MEMORY_ALLOCATION_FAILED;
96
97 uint8_t* tmp = material->get();
98 if (i2d_PUBKEY(pkey.get(), &tmp) != key_data_length) {
99 material->reset();
100 return KM_ERROR_UNKNOWN_ERROR;
101 }
102
103 *size = key_data_length;
104 return KM_ERROR_OK;
Shawn Willdend67afae2014-08-19 12:36:27 -0600[diff] [blame]105}
106
107Operation* AsymmetricKey::CreateOperation(keymaster_purpose_t purpose, keymaster_error_t* error) {
108 keymaster_digest_t digest;
109 if (!authorizations().GetTagValue(TAG_DIGEST, &digest) || digest != KM_DIGEST_NONE) {
110 *error = KM_ERROR_UNSUPPORTED_DIGEST;
111 return NULL;
112 }
113
114 keymaster_padding_t padding;
115 if (!authorizations().GetTagValue(TAG_PADDING, &padding) || padding != KM_PAD_NONE) {
116 *error = KM_ERROR_UNSUPPORTED_PADDING_MODE;
117 return NULL;
118 }
119
120 return CreateOperation(purpose, digest, padding, error);
121}
122
123/* static */
Shawn Willden2f3be362014-08-25 11:31:39 -0600[diff] [blame]124RsaKey* RsaKey::GenerateKey(const AuthorizationSet& key_description, const Logger& logger,
125 keymaster_error_t* error) {
Shawn Willdend67afae2014-08-19 12:36:27 -0600[diff] [blame]126 if (!error)
127 return NULL;
128
129 AuthorizationSet authorizations(key_description);
130
131 uint64_t public_exponent = RSA_DEFAULT_EXPONENT;
132 if (!authorizations.GetTagValue(TAG_RSA_PUBLIC_EXPONENT, &public_exponent))
133 authorizations.push_back(Authorization(TAG_RSA_PUBLIC_EXPONENT, public_exponent));
134
135 uint32_t key_size = RSA_DEFAULT_KEY_SIZE;
136 if (!authorizations.GetTagValue(TAG_KEY_SIZE, &key_size))
137 authorizations.push_back(Authorization(TAG_KEY_SIZE, key_size));
138
139 UniquePtr<BIGNUM, BIGNUM_Delete> exponent(BN_new());
140 UniquePtr<RSA, RSA_Delete> rsa_key(RSA_new());
141 UniquePtr<EVP_PKEY, EVP_PKEY_Delete> pkey(EVP_PKEY_new());
142 if (rsa_key.get() == NULL || pkey.get() == NULL) {
143 *error = KM_ERROR_MEMORY_ALLOCATION_FAILED;
144 return NULL;
145 }
146
147 if (!BN_set_word(exponent.get(), public_exponent) ||
148 !RSA_generate_key_ex(rsa_key.get(), key_size, exponent.get(), NULL /* callback */)) {
149 *error = KM_ERROR_UNKNOWN_ERROR;
150 return NULL;
151 }
152
Shawn Willden2f3be362014-08-25 11:31:39 -0600[diff] [blame]153 RsaKey* new_key = new RsaKey(rsa_key.release(), authorizations, logger);
Shawn Willdend67afae2014-08-19 12:36:27 -0600[diff] [blame]154 *error = new_key ? KM_ERROR_OK : KM_ERROR_MEMORY_ALLOCATION_FAILED;
155 return new_key;
156}
157
Shawn Willden437fbd12014-08-20 11:59:49 -0600[diff] [blame]158/* static */
159RsaKey* RsaKey::ImportKey(const AuthorizationSet& key_description, EVP_PKEY* pkey,
Shawn Willden2f3be362014-08-25 11:31:39 -0600[diff] [blame]160 const Logger& logger, keymaster_error_t* error) {
Shawn Willden437fbd12014-08-20 11:59:49 -0600[diff] [blame]161 if (!error)
162 return NULL;
163 *error = KM_ERROR_UNKNOWN_ERROR;
164
165 UniquePtr<RSA, RSA_Delete> rsa_key(EVP_PKEY_get1_RSA(pkey));
166 if (!rsa_key.get())
167 return NULL;
168
169 AuthorizationSet authorizations(key_description);
170
171 uint64_t public_exponent;
172 if (authorizations.GetTagValue(TAG_RSA_PUBLIC_EXPONENT, &public_exponent)) {
173 // public_exponent specified, make sure it matches the key
174 UniquePtr<BIGNUM, BIGNUM_Delete> public_exponent_bn(BN_new());
175 if (!BN_set_word(public_exponent_bn.get(), public_exponent))
176 return NULL;
177 if (BN_cmp(public_exponent_bn.get(), rsa_key->e) != 0) {
178 *error = KM_ERROR_IMPORT_PARAMETER_MISMATCH;
179 return NULL;
180 }
181 } else {
182 // public_exponent not specified, use the one from the key.
183 public_exponent = BN_get_word(rsa_key->e);
184 if (public_exponent == 0xffffffffL) {
185 *error = KM_ERROR_IMPORT_PARAMETER_MISMATCH;
186 return NULL;
187 }
188 authorizations.push_back(TAG_RSA_PUBLIC_EXPONENT, public_exponent);
189 }
190
191 uint32_t key_size;
192 if (authorizations.GetTagValue(TAG_KEY_SIZE, &key_size)) {
193 // key_size specified, make sure it matches the key.
194 if (RSA_size(rsa_key.get()) != (int)key_size) {
195 *error = KM_ERROR_IMPORT_PARAMETER_MISMATCH;
196 return NULL;
197 }
198 } else {
199 key_size = RSA_size(rsa_key.get()) * 8;
200 authorizations.push_back(TAG_KEY_SIZE, key_size);
201 }
202
203 keymaster_algorithm_t algorithm;
204 if (authorizations.GetTagValue(TAG_ALGORITHM, &algorithm)) {
205 if (algorithm != KM_ALGORITHM_RSA) {
206 *error = KM_ERROR_IMPORT_PARAMETER_MISMATCH;
207 return NULL;
208 }
209 } else {
210 authorizations.push_back(TAG_ALGORITHM, KM_ALGORITHM_RSA);
211 }
212
213 // Don't bother with the other parameters. If the necessary padding, digest, purpose, etc. are
214 // missing, the error will be diagnosed when the key is used (when auth checking is
215 // implemented).
216 *error = KM_ERROR_OK;
Shawn Willden2f3be362014-08-25 11:31:39 -0600[diff] [blame]217 return new RsaKey(rsa_key.release(), authorizations, logger);
Shawn Willden437fbd12014-08-20 11:59:49 -0600[diff] [blame]218}
219
Shawn Willden2f3be362014-08-25 11:31:39 -0600[diff] [blame]220RsaKey::RsaKey(const KeyBlob& blob, const Logger& logger, keymaster_error_t* error)
221 : AsymmetricKey(blob, logger) {
Shawn Willdend67afae2014-08-19 12:36:27 -0600[diff] [blame]222 if (error)
223 *error = LoadKey(blob);
224}
225
226Operation* RsaKey::CreateOperation(keymaster_purpose_t purpose, keymaster_digest_t digest,
227 keymaster_padding_t padding, keymaster_error_t* error) {
228 Operation* op;
229 switch (purpose) {
230 case KM_PURPOSE_SIGN:
231 op = new RsaSignOperation(purpose, digest, padding, rsa_key_.release());
232 break;
233 case KM_PURPOSE_VERIFY:
234 op = new RsaVerifyOperation(purpose, digest, padding, rsa_key_.release());
235 break;
236 default:
237 *error = KM_ERROR_UNIMPLEMENTED;
238 return NULL;
239 }
240 *error = op ? KM_ERROR_OK : KM_ERROR_MEMORY_ALLOCATION_FAILED;
241 return op;
242}
243
244bool RsaKey::EvpToInternal(const EVP_PKEY* pkey) {
245 rsa_key_.reset(EVP_PKEY_get1_RSA(const_cast<EVP_PKEY*>(pkey)));
246 return rsa_key_.get() != NULL;
247}
248
249bool RsaKey::InternalToEvp(EVP_PKEY* pkey) const {
250 return EVP_PKEY_set1_RSA(pkey, rsa_key_.get()) == 1;
251}
252
253template <keymaster_tag_t Tag>
254static void GetDsaParamData(const AuthorizationSet& auths, TypedTag<KM_BIGNUM, Tag> tag,
255 keymaster_blob_t* blob) {
256 if (!auths.GetTagValue(tag, blob))
257 blob->data = NULL;
258}
259
260// Store the specified DSA param in auths
261template <keymaster_tag_t Tag>
262static void SetDsaParamData(AuthorizationSet* auths, TypedTag<KM_BIGNUM, Tag> tag, BIGNUM* number) {
263 keymaster_blob_t blob;
264 convert_bn_to_blob(number, &blob);
265 auths->push_back(Authorization(tag, blob));
266 delete[] blob.data;
267}
268
Shawn Willden2f3be362014-08-25 11:31:39 -0600[diff] [blame]269DsaKey* DsaKey::GenerateKey(const AuthorizationSet& key_description, const Logger& logger,
270 keymaster_error_t* error) {
Shawn Willdend67afae2014-08-19 12:36:27 -0600[diff] [blame]271 if (!error)
272 return NULL;
273
274 AuthorizationSet authorizations(key_description);
275
276 keymaster_blob_t g_blob;
277 GetDsaParamData(authorizations, TAG_DSA_GENERATOR, &g_blob);
278
279 keymaster_blob_t p_blob;
280 GetDsaParamData(authorizations, TAG_DSA_P, &p_blob);
281
282 keymaster_blob_t q_blob;
283 GetDsaParamData(authorizations, TAG_DSA_Q, &q_blob);
284
285 uint32_t key_size = DSA_DEFAULT_KEY_SIZE;
286 if (!authorizations.GetTagValue(TAG_KEY_SIZE, &key_size))
287 authorizations.push_back(Authorization(TAG_KEY_SIZE, key_size));
288
Shawn Willdend67afae2014-08-19 12:36:27 -0600[diff] [blame]289 UniquePtr<DSA, DSA_Delete> dsa_key(DSA_new());
290 UniquePtr<EVP_PKEY, EVP_PKEY_Delete> pkey(EVP_PKEY_new());
291 if (dsa_key.get() == NULL || pkey.get() == NULL) {
292 *error = KM_ERROR_MEMORY_ALLOCATION_FAILED;
293 return NULL;
294 }
295
296 // If anything goes wrong in the next section, it's a param problem.
297 *error = KM_ERROR_INVALID_DSA_PARAMS;
298
299 if (g_blob.data == NULL && p_blob.data == NULL && q_blob.data == NULL) {
Shawn Willden407d4122014-08-25 16:49:13 -0600[diff] [blame^]300 logger.log("DSA parameters unspecified, generating them for key size %d\n", key_size);
Shawn Willdend67afae2014-08-19 12:36:27 -0600[diff] [blame]301 if (!DSA_generate_parameters_ex(dsa_key.get(), key_size, NULL /* seed */, 0 /* seed_len */,
302 NULL /* counter_ret */, NULL /* h_ret */,
Shawn Willden407d4122014-08-25 16:49:13 -0600[diff] [blame^]303 NULL /* callback */)) {
304 logger.log("DSA parameter generation failed.\n");
Shawn Willdend67afae2014-08-19 12:36:27 -0600[diff] [blame]305 return NULL;
Shawn Willden407d4122014-08-25 16:49:13 -0600[diff] [blame^]306 }
Shawn Willdend67afae2014-08-19 12:36:27 -0600[diff] [blame]307
308 SetDsaParamData(&authorizations, TAG_DSA_GENERATOR, dsa_key->g);
309 SetDsaParamData(&authorizations, TAG_DSA_P, dsa_key->p);
310 SetDsaParamData(&authorizations, TAG_DSA_Q, dsa_key->q);
311 } else if (g_blob.data == NULL || p_blob.data == NULL || q_blob.data == NULL) {
Shawn Willden407d4122014-08-25 16:49:13 -0600[diff] [blame^]312 logger.log("Some DSA parameters provided. Provide all or none\n");
Shawn Willdend67afae2014-08-19 12:36:27 -0600[diff] [blame]313 return NULL;
314 } else {
315 // All params provided. Use them.
316 dsa_key->g = BN_bin2bn(g_blob.data, g_blob.data_length, NULL);
317 dsa_key->p = BN_bin2bn(p_blob.data, p_blob.data_length, NULL);
318 dsa_key->q = BN_bin2bn(q_blob.data, q_blob.data_length, NULL);
319
Shawn Willden407d4122014-08-25 16:49:13 -0600[diff] [blame^]320 if (dsa_key->g == NULL || dsa_key->p == NULL || dsa_key->q == NULL) {
Shawn Willdend67afae2014-08-19 12:36:27 -0600[diff] [blame]321 return NULL;
Shawn Willden407d4122014-08-25 16:49:13 -0600[diff] [blame^]322 }
Shawn Willdend67afae2014-08-19 12:36:27 -0600[diff] [blame]323 }
324
325 if (!DSA_generate_key(dsa_key.get())) {
326 *error = KM_ERROR_UNKNOWN_ERROR;
327 return NULL;
328 }
329
Shawn Willden2f3be362014-08-25 11:31:39 -0600[diff] [blame]330 DsaKey* new_key = new DsaKey(dsa_key.release(), authorizations, logger);
Shawn Willdend67afae2014-08-19 12:36:27 -0600[diff] [blame]331 *error = new_key ? KM_ERROR_OK : KM_ERROR_MEMORY_ALLOCATION_FAILED;
332 return new_key;
333}
334
Shawn Willden2f3be362014-08-25 11:31:39 -0600[diff] [blame]335DsaKey::DsaKey(const KeyBlob& blob, const Logger& logger, keymaster_error_t* error)
336 : AsymmetricKey(blob, logger) {
Shawn Willdend67afae2014-08-19 12:36:27 -0600[diff] [blame]337 if (error)
338 *error = LoadKey(blob);
339}
340
341Operation* DsaKey::CreateOperation(keymaster_purpose_t purpose, keymaster_digest_t digest,
342 keymaster_padding_t padding, keymaster_error_t* error) {
343 Operation* op;
344 switch (purpose) {
345 case KM_PURPOSE_SIGN:
346 op = new DsaSignOperation(purpose, digest, padding, dsa_key_.release());
347 break;
348 case KM_PURPOSE_VERIFY:
349 op = new DsaVerifyOperation(purpose, digest, padding, dsa_key_.release());
350 break;
351 default:
352 *error = KM_ERROR_UNIMPLEMENTED;
353 return NULL;
354 }
355 *error = op ? KM_ERROR_OK : KM_ERROR_MEMORY_ALLOCATION_FAILED;
356 return op;
357}
358
359bool DsaKey::EvpToInternal(const EVP_PKEY* pkey) {
360 dsa_key_.reset(EVP_PKEY_get1_DSA(const_cast<EVP_PKEY*>(pkey)));
361 return dsa_key_.get() != NULL;
362}
363
364bool DsaKey::InternalToEvp(EVP_PKEY* pkey) const {
365 return EVP_PKEY_set1_DSA(pkey, dsa_key_.get()) == 1;
366}
367
368/* static */
Shawn Willden2f3be362014-08-25 11:31:39 -0600[diff] [blame]369EcdsaKey* EcdsaKey::GenerateKey(const AuthorizationSet& key_description, const Logger& logger,
370 keymaster_error_t* error) {
Shawn Willdend67afae2014-08-19 12:36:27 -0600[diff] [blame]371 if (!error)
372 return NULL;
373
374 AuthorizationSet authorizations(key_description);
375
376 uint32_t key_size = ECDSA_DEFAULT_KEY_SIZE;
377 if (!authorizations.GetTagValue(TAG_KEY_SIZE, &key_size))
378 authorizations.push_back(Authorization(TAG_KEY_SIZE, key_size));
379
380 UniquePtr<EC_KEY, ECDSA_Delete> ecdsa_key(EC_KEY_new());
381 UniquePtr<EVP_PKEY, EVP_PKEY_Delete> pkey(EVP_PKEY_new());
382 if (ecdsa_key.get() == NULL || pkey.get() == NULL) {
383 *error = KM_ERROR_MEMORY_ALLOCATION_FAILED;
384 return NULL;
385 }
386
387 UniquePtr<EC_GROUP, EC_GROUP_Delete> group(choose_group(key_size));
388 if (group.get() == NULL) {
389 // Technically, could also have been a memory allocation problem.
390 *error = KM_ERROR_UNSUPPORTED_KEY_SIZE;
391 return NULL;
392 }
393
394 EC_GROUP_set_point_conversion_form(group.get(), POINT_CONVERSION_UNCOMPRESSED);
395 EC_GROUP_set_asn1_flag(group.get(), OPENSSL_EC_NAMED_CURVE);
396
397 if (EC_KEY_set_group(ecdsa_key.get(), group.get()) != 1 ||
398 EC_KEY_generate_key(ecdsa_key.get()) != 1 || EC_KEY_check_key(ecdsa_key.get()) < 0) {
399 *error = KM_ERROR_UNKNOWN_ERROR;
400 return NULL;
401 }
402
Shawn Willden2f3be362014-08-25 11:31:39 -0600[diff] [blame]403 EcdsaKey* new_key = new EcdsaKey(ecdsa_key.release(), authorizations, logger);
Shawn Willdend67afae2014-08-19 12:36:27 -0600[diff] [blame]404 *error = new_key ? KM_ERROR_OK : KM_ERROR_MEMORY_ALLOCATION_FAILED;
405 return new_key;
406}
407
408/* static */
409EC_GROUP* EcdsaKey::choose_group(size_t key_size_bits) {
410 switch (key_size_bits) {
411 case 192:
412 return EC_GROUP_new_by_curve_name(NID_X9_62_prime192v1);
413 break;
414 case 224:
415 return EC_GROUP_new_by_curve_name(NID_secp224r1);
416 break;
417 case 256:
418 return EC_GROUP_new_by_curve_name(NID_X9_62_prime256v1);
419 break;
420 case 384:
421 return EC_GROUP_new_by_curve_name(NID_secp384r1);
422 break;
423 case 521:
424 return EC_GROUP_new_by_curve_name(NID_secp521r1);
425 break;
426 default:
427 return NULL;
428 break;
429 }
430}
431
Shawn Willden2f3be362014-08-25 11:31:39 -0600[diff] [blame]432EcdsaKey::EcdsaKey(const KeyBlob& blob, const Logger& logger, keymaster_error_t* error)
433 : AsymmetricKey(blob, logger) {
Shawn Willdend67afae2014-08-19 12:36:27 -0600[diff] [blame]434 if (error)
435 *error = LoadKey(blob);
436}
437
438Operation* EcdsaKey::CreateOperation(keymaster_purpose_t purpose, keymaster_digest_t digest,
439 keymaster_padding_t padding, keymaster_error_t* error) {
440 Operation* op;
441 switch (purpose) {
442 case KM_PURPOSE_SIGN:
443 op = new EcdsaSignOperation(purpose, digest, padding, ecdsa_key_.release());
444 break;
445 case KM_PURPOSE_VERIFY:
446 op = new EcdsaVerifyOperation(purpose, digest, padding, ecdsa_key_.release());
447 break;
448 default:
449 *error = KM_ERROR_UNIMPLEMENTED;
450 return NULL;
451 }
452 *error = op ? KM_ERROR_OK : KM_ERROR_MEMORY_ALLOCATION_FAILED;
453 return op;
454}
455
456bool EcdsaKey::EvpToInternal(const EVP_PKEY* pkey) {
457 ecdsa_key_.reset(EVP_PKEY_get1_EC_KEY(const_cast<EVP_PKEY*>(pkey)));
458 return ecdsa_key_.get() != NULL;
459}
460
461bool EcdsaKey::InternalToEvp(EVP_PKEY* pkey) const {
462 return EVP_PKEY_set1_EC_KEY(pkey, ecdsa_key_.get()) == 1;
463}
464
465} // namespace keymaster