Shawn Willden | 815e896 | 2020-12-11 13:05:27 +0000 | [diff] [blame] | 1 | /* |
| 2 | * Copyright 2020, The Android Open Source Project |
| 3 | * |
| 4 | * Licensed under the Apache License, Version 2.0 (the "License"); |
| 5 | * you may not use this file except in compliance with the License. |
| 6 | * You may obtain a copy of the License at |
| 7 | * |
| 8 | * http://www.apache.org/licenses/LICENSE-2.0 |
| 9 | * |
| 10 | * Unless required by applicable law or agreed to in writing, software |
| 11 | * distributed under the License is distributed on an "AS IS" BASIS, |
| 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| 13 | * See the License for the specific language governing permissions and |
| 14 | * limitations under the License. |
| 15 | */ |
| 16 | |
| 17 | #define LOG_TAG "android.hardware.security.keymint-impl" |
Shawn Willden | 763166c | 2021-01-10 19:45:01 -0700 | [diff] [blame] | 18 | #include <android-base/logging.h> |
Shawn Willden | 815e896 | 2020-12-11 13:05:27 +0000 | [diff] [blame] | 19 | |
| 20 | #include "AndroidKeyMintDevice.h" |
| 21 | |
| 22 | #include <aidl/android/hardware/security/keymint/ErrorCode.h> |
| 23 | |
| 24 | #include <keymaster/android_keymaster.h> |
| 25 | #include <keymaster/contexts/pure_soft_keymaster_context.h> |
| 26 | #include <keymaster/keymaster_configuration.h> |
| 27 | |
| 28 | #include "AndroidKeyMintOperation.h" |
| 29 | #include "KeyMintUtils.h" |
| 30 | |
| 31 | namespace aidl::android::hardware::security::keymint { |
| 32 | |
Shawn Willden | 9a3792e | 2021-04-08 09:38:14 -0600 | [diff] [blame] | 33 | using namespace keymaster; // NOLINT(google-build-using-namespace) |
| 34 | |
| 35 | using km_utils::authToken2AidlVec; |
| 36 | using km_utils::kmBlob2vector; |
| 37 | using km_utils::kmError2ScopedAStatus; |
| 38 | using km_utils::kmParam2Aidl; |
| 39 | using km_utils::KmParamSet; |
| 40 | using km_utils::kmParamSet2Aidl; |
| 41 | using km_utils::legacy_enum_conversion; |
Chirag Pathak | b292e9a | 2021-02-02 07:28:09 +0000 | [diff] [blame] | 42 | using secureclock::TimeStampToken; |
Shawn Willden | 815e896 | 2020-12-11 13:05:27 +0000 | [diff] [blame] | 43 | |
Shawn Willden | 763166c | 2021-01-10 19:45:01 -0700 | [diff] [blame] | 44 | namespace { |
| 45 | |
| 46 | vector<KeyCharacteristics> convertKeyCharacteristics(SecurityLevel keyMintSecurityLevel, |
| 47 | const AuthorizationSet& sw_enforced, |
| 48 | const AuthorizationSet& hw_enforced) { |
Shawn Willden | 09f4710 | 2021-01-15 15:21:56 -0700 | [diff] [blame] | 49 | KeyCharacteristics keyMintEnforced{keyMintSecurityLevel, {}}; |
Shawn Willden | 763166c | 2021-01-10 19:45:01 -0700 | [diff] [blame] | 50 | |
Shawn Willden | 763166c | 2021-01-10 19:45:01 -0700 | [diff] [blame] | 51 | if (keyMintSecurityLevel != SecurityLevel::SOFTWARE) { |
Qi Wu | f7c8e9d | 2021-02-11 03:14:52 +0800 | [diff] [blame] | 52 | // We're pretending to be TRUSTED_ENVIRONMENT or STRONGBOX. |
Shawn Willden | 09f4710 | 2021-01-15 15:21:56 -0700 | [diff] [blame] | 53 | keyMintEnforced.authorizations = kmParamSet2Aidl(hw_enforced); |
Qi Wu | f7c8e9d | 2021-02-11 03:14:52 +0800 | [diff] [blame] | 54 | // Put all the software authorizations in the keystore list. |
| 55 | KeyCharacteristics keystoreEnforced{SecurityLevel::KEYSTORE, kmParamSet2Aidl(sw_enforced)}; |
| 56 | return {std::move(keyMintEnforced), std::move(keystoreEnforced)}; |
Shawn Willden | 763166c | 2021-01-10 19:45:01 -0700 | [diff] [blame] | 57 | } |
| 58 | |
Shawn Willden | 09f4710 | 2021-01-15 15:21:56 -0700 | [diff] [blame] | 59 | KeyCharacteristics keystoreEnforced{SecurityLevel::KEYSTORE, {}}; |
Shawn Willden | 763166c | 2021-01-10 19:45:01 -0700 | [diff] [blame] | 60 | CHECK(hw_enforced.empty()) << "Hardware-enforced list is non-empty for pure SW KeyMint"; |
| 61 | |
Shawn Willden | 09f4710 | 2021-01-15 15:21:56 -0700 | [diff] [blame] | 62 | // This is a pure software implementation, so all tags are in sw_enforced. |
| 63 | // We need to walk through the SW-enforced list and figure out which tags to |
| 64 | // return in the software list and which in the keystore list. |
Shawn Willden | 763166c | 2021-01-10 19:45:01 -0700 | [diff] [blame] | 65 | |
| 66 | for (auto& entry : sw_enforced) { |
| 67 | switch (entry.tag) { |
| 68 | /* Invalid and unused */ |
| 69 | case KM_TAG_ECIES_SINGLE_HASH_MODE: |
| 70 | case KM_TAG_INVALID: |
| 71 | case KM_TAG_KDF: |
Shawn Willden | 09f4710 | 2021-01-15 15:21:56 -0700 | [diff] [blame] | 72 | case KM_TAG_ROLLBACK_RESISTANCE: |
Shawn Willden | 763166c | 2021-01-10 19:45:01 -0700 | [diff] [blame] | 73 | CHECK(false) << "We shouldn't see tag " << entry.tag; |
| 74 | break; |
| 75 | |
| 76 | /* Unimplemented */ |
| 77 | case KM_TAG_ALLOW_WHILE_ON_BODY: |
Shawn Willden | 763166c | 2021-01-10 19:45:01 -0700 | [diff] [blame] | 78 | case KM_TAG_BOOTLOADER_ONLY: |
| 79 | case KM_TAG_EARLY_BOOT_ONLY: |
Shawn Willden | 763166c | 2021-01-10 19:45:01 -0700 | [diff] [blame] | 80 | case KM_TAG_ROLLBACK_RESISTANT: |
| 81 | case KM_TAG_STORAGE_KEY: |
Shawn Willden | 09f4710 | 2021-01-15 15:21:56 -0700 | [diff] [blame] | 82 | case KM_TAG_TRUSTED_CONFIRMATION_REQUIRED: |
| 83 | case KM_TAG_TRUSTED_USER_PRESENCE_REQUIRED: |
Shawn Willden | 763166c | 2021-01-10 19:45:01 -0700 | [diff] [blame] | 84 | break; |
| 85 | |
| 86 | /* Unenforceable */ |
Shawn Willden | 763166c | 2021-01-10 19:45:01 -0700 | [diff] [blame] | 87 | case KM_TAG_CREATION_DATETIME: |
Shawn Willden | 763166c | 2021-01-10 19:45:01 -0700 | [diff] [blame] | 88 | break; |
| 89 | |
| 90 | /* Disallowed in KeyCharacteristics */ |
| 91 | case KM_TAG_APPLICATION_DATA: |
Shawn Willden | 09f4710 | 2021-01-15 15:21:56 -0700 | [diff] [blame] | 92 | case KM_TAG_ATTESTATION_APPLICATION_ID: |
Shawn Willden | 763166c | 2021-01-10 19:45:01 -0700 | [diff] [blame] | 93 | break; |
| 94 | |
| 95 | /* Not key characteristics */ |
| 96 | case KM_TAG_ASSOCIATED_DATA: |
Shawn Willden | 763166c | 2021-01-10 19:45:01 -0700 | [diff] [blame] | 97 | case KM_TAG_ATTESTATION_CHALLENGE: |
| 98 | case KM_TAG_ATTESTATION_ID_BRAND: |
| 99 | case KM_TAG_ATTESTATION_ID_DEVICE: |
| 100 | case KM_TAG_ATTESTATION_ID_IMEI: |
| 101 | case KM_TAG_ATTESTATION_ID_MANUFACTURER: |
| 102 | case KM_TAG_ATTESTATION_ID_MEID: |
| 103 | case KM_TAG_ATTESTATION_ID_MODEL: |
| 104 | case KM_TAG_ATTESTATION_ID_PRODUCT: |
| 105 | case KM_TAG_ATTESTATION_ID_SERIAL: |
| 106 | case KM_TAG_AUTH_TOKEN: |
| 107 | case KM_TAG_CERTIFICATE_SERIAL: |
| 108 | case KM_TAG_CERTIFICATE_SUBJECT: |
Janis Danisevskis | a5780e2 | 2021-01-31 22:05:22 -0800 | [diff] [blame] | 109 | case KM_TAG_CERTIFICATE_NOT_AFTER: |
| 110 | case KM_TAG_CERTIFICATE_NOT_BEFORE: |
Shawn Willden | 763166c | 2021-01-10 19:45:01 -0700 | [diff] [blame] | 111 | case KM_TAG_CONFIRMATION_TOKEN: |
| 112 | case KM_TAG_DEVICE_UNIQUE_ATTESTATION: |
| 113 | case KM_TAG_IDENTITY_CREDENTIAL_KEY: |
| 114 | case KM_TAG_MAC_LENGTH: |
| 115 | case KM_TAG_NONCE: |
| 116 | case KM_TAG_RESET_SINCE_ID_ROTATION: |
| 117 | case KM_TAG_ROOT_OF_TRUST: |
| 118 | case KM_TAG_UNIQUE_ID: |
| 119 | break; |
| 120 | |
Shawn Willden | 09f4710 | 2021-01-15 15:21:56 -0700 | [diff] [blame] | 121 | /* KeyMint-enforced */ |
Shawn Willden | 763166c | 2021-01-10 19:45:01 -0700 | [diff] [blame] | 122 | case KM_TAG_ALGORITHM: |
Shawn Willden | 09f4710 | 2021-01-15 15:21:56 -0700 | [diff] [blame] | 123 | case KM_TAG_APPLICATION_ID: |
Shawn Willden | 763166c | 2021-01-10 19:45:01 -0700 | [diff] [blame] | 124 | case KM_TAG_AUTH_TIMEOUT: |
| 125 | case KM_TAG_BLOB_USAGE_REQUIREMENTS: |
| 126 | case KM_TAG_BLOCK_MODE: |
| 127 | case KM_TAG_BOOT_PATCHLEVEL: |
| 128 | case KM_TAG_CALLER_NONCE: |
| 129 | case KM_TAG_DIGEST: |
| 130 | case KM_TAG_EC_CURVE: |
| 131 | case KM_TAG_EXPORTABLE: |
| 132 | case KM_TAG_INCLUDE_UNIQUE_ID: |
| 133 | case KM_TAG_KEY_SIZE: |
| 134 | case KM_TAG_MAX_USES_PER_BOOT: |
| 135 | case KM_TAG_MIN_MAC_LENGTH: |
| 136 | case KM_TAG_MIN_SECONDS_BETWEEN_OPS: |
| 137 | case KM_TAG_NO_AUTH_REQUIRED: |
| 138 | case KM_TAG_ORIGIN: |
| 139 | case KM_TAG_OS_PATCHLEVEL: |
| 140 | case KM_TAG_OS_VERSION: |
| 141 | case KM_TAG_PADDING: |
| 142 | case KM_TAG_PURPOSE: |
| 143 | case KM_TAG_RSA_OAEP_MGF_DIGEST: |
| 144 | case KM_TAG_RSA_PUBLIC_EXPONENT: |
| 145 | case KM_TAG_UNLOCKED_DEVICE_REQUIRED: |
| 146 | case KM_TAG_USER_AUTH_TYPE: |
| 147 | case KM_TAG_USER_SECURE_ID: |
| 148 | case KM_TAG_VENDOR_PATCHLEVEL: |
Shawn Willden | 09f4710 | 2021-01-15 15:21:56 -0700 | [diff] [blame] | 149 | keyMintEnforced.authorizations.push_back(kmParam2Aidl(entry)); |
| 150 | break; |
| 151 | |
| 152 | /* Keystore-enforced */ |
| 153 | case KM_TAG_ACTIVE_DATETIME: |
| 154 | case KM_TAG_ALL_APPLICATIONS: |
| 155 | case KM_TAG_ALL_USERS: |
Paul Crowley | 8384653 | 2021-02-10 11:24:50 -0800 | [diff] [blame] | 156 | case KM_TAG_MAX_BOOT_LEVEL: |
Shawn Willden | 09f4710 | 2021-01-15 15:21:56 -0700 | [diff] [blame] | 157 | case KM_TAG_ORIGINATION_EXPIRE_DATETIME: |
| 158 | case KM_TAG_USAGE_EXPIRE_DATETIME: |
| 159 | case KM_TAG_USER_ID: |
| 160 | case KM_TAG_USAGE_COUNT_LIMIT: |
| 161 | keystoreEnforced.authorizations.push_back(kmParam2Aidl(entry)); |
| 162 | break; |
Shawn Willden | 763166c | 2021-01-10 19:45:01 -0700 | [diff] [blame] | 163 | } |
| 164 | } |
| 165 | |
Shawn Willden | 09f4710 | 2021-01-15 15:21:56 -0700 | [diff] [blame] | 166 | vector<KeyCharacteristics> retval; |
| 167 | retval.reserve(2); |
| 168 | if (!keyMintEnforced.authorizations.empty()) retval.push_back(std::move(keyMintEnforced)); |
| 169 | if (!keystoreEnforced.authorizations.empty()) retval.push_back(std::move(keystoreEnforced)); |
| 170 | |
| 171 | return retval; |
Shawn Willden | 763166c | 2021-01-10 19:45:01 -0700 | [diff] [blame] | 172 | } |
| 173 | |
Shawn Willden | d7d4f31 | 2020-12-21 08:31:01 -0700 | [diff] [blame] | 174 | Certificate convertCertificate(const keymaster_blob_t& cert) { |
| 175 | return {std::vector<uint8_t>(cert.data, cert.data + cert.data_length)}; |
| 176 | } |
| 177 | |
| 178 | vector<Certificate> convertCertificateChain(const CertificateChain& chain) { |
| 179 | vector<Certificate> retval; |
| 180 | retval.reserve(chain.entry_count); |
| 181 | std::transform(chain.begin(), chain.end(), std::back_inserter(retval), convertCertificate); |
| 182 | return retval; |
| 183 | } |
| 184 | |
Shawn Willden | 763166c | 2021-01-10 19:45:01 -0700 | [diff] [blame] | 185 | } // namespace |
| 186 | |
Shawn Willden | 815e896 | 2020-12-11 13:05:27 +0000 | [diff] [blame] | 187 | constexpr size_t kOperationTableSize = 16; |
| 188 | |
| 189 | AndroidKeyMintDevice::AndroidKeyMintDevice(SecurityLevel securityLevel) |
| 190 | : impl_(new ::keymaster::AndroidKeymaster( |
| 191 | [&]() -> auto { |
| 192 | auto context = new PureSoftKeymasterContext( |
| 193 | KmVersion::KEYMINT_1, static_cast<keymaster_security_level_t>(securityLevel)); |
| 194 | context->SetSystemVersion(::keymaster::GetOsVersion(), |
| 195 | ::keymaster::GetOsPatchlevel()); |
| 196 | return context; |
| 197 | }(), |
| 198 | kOperationTableSize)), |
| 199 | securityLevel_(securityLevel) {} |
| 200 | |
| 201 | AndroidKeyMintDevice::~AndroidKeyMintDevice() {} |
| 202 | |
| 203 | ScopedAStatus AndroidKeyMintDevice::getHardwareInfo(KeyMintHardwareInfo* info) { |
| 204 | info->versionNumber = 1; |
| 205 | info->securityLevel = securityLevel_; |
| 206 | info->keyMintName = "FakeKeyMintDevice"; |
| 207 | info->keyMintAuthorName = "Google"; |
Chirag Pathak | b292e9a | 2021-02-02 07:28:09 +0000 | [diff] [blame] | 208 | info->timestampTokenRequired = false; |
Shawn Willden | 815e896 | 2020-12-11 13:05:27 +0000 | [diff] [blame] | 209 | return ScopedAStatus::ok(); |
| 210 | } |
| 211 | |
Shawn Willden | 815e896 | 2020-12-11 13:05:27 +0000 | [diff] [blame] | 212 | ScopedAStatus AndroidKeyMintDevice::addRngEntropy(const vector<uint8_t>& data) { |
| 213 | if (data.size() == 0) { |
| 214 | return ScopedAStatus::ok(); |
| 215 | } |
| 216 | |
Shawn Willden | 950eb0b | 2021-01-06 19:15:29 +0000 | [diff] [blame] | 217 | AddEntropyRequest request(impl_->message_version()); |
Shawn Willden | 815e896 | 2020-12-11 13:05:27 +0000 | [diff] [blame] | 218 | request.random_data.Reinitialize(data.data(), data.size()); |
| 219 | |
Shawn Willden | 950eb0b | 2021-01-06 19:15:29 +0000 | [diff] [blame] | 220 | AddEntropyResponse response(impl_->message_version()); |
Shawn Willden | 815e896 | 2020-12-11 13:05:27 +0000 | [diff] [blame] | 221 | impl_->AddRngEntropy(request, &response); |
| 222 | |
| 223 | return kmError2ScopedAStatus(response.error); |
| 224 | } |
| 225 | |
| 226 | ScopedAStatus AndroidKeyMintDevice::generateKey(const vector<KeyParameter>& keyParams, |
Shawn Willden | 44c3888 | 2020-12-21 18:35:13 -0700 | [diff] [blame] | 227 | const optional<AttestationKey>& attestationKey, |
Shawn Willden | 763166c | 2021-01-10 19:45:01 -0700 | [diff] [blame] | 228 | KeyCreationResult* creationResult) { |
Shawn Willden | 815e896 | 2020-12-11 13:05:27 +0000 | [diff] [blame] | 229 | |
Shawn Willden | 950eb0b | 2021-01-06 19:15:29 +0000 | [diff] [blame] | 230 | GenerateKeyRequest request(impl_->message_version()); |
Shawn Willden | 815e896 | 2020-12-11 13:05:27 +0000 | [diff] [blame] | 231 | request.key_description.Reinitialize(KmParamSet(keyParams)); |
Shawn Willden | 44c3888 | 2020-12-21 18:35:13 -0700 | [diff] [blame] | 232 | if (attestationKey) { |
| 233 | request.attestation_signing_key_blob = |
| 234 | KeymasterKeyBlob(attestationKey->keyBlob.data(), attestationKey->keyBlob.size()); |
| 235 | request.attest_key_params.Reinitialize(KmParamSet(attestationKey->attestKeyParams)); |
| 236 | request.issuer_subject = KeymasterBlob(attestationKey->issuerSubjectName.data(), |
| 237 | attestationKey->issuerSubjectName.size()); |
| 238 | } |
Shawn Willden | 815e896 | 2020-12-11 13:05:27 +0000 | [diff] [blame] | 239 | |
Shawn Willden | 950eb0b | 2021-01-06 19:15:29 +0000 | [diff] [blame] | 240 | GenerateKeyResponse response(impl_->message_version()); |
Shawn Willden | 815e896 | 2020-12-11 13:05:27 +0000 | [diff] [blame] | 241 | impl_->GenerateKey(request, &response); |
| 242 | |
| 243 | if (response.error != KM_ERROR_OK) { |
| 244 | // Note a key difference between this current aidl and previous hal, is |
| 245 | // that hal returns void where as aidl returns the error status. If |
| 246 | // aidl returns error, then aidl will not return any change you may make |
| 247 | // to the out parameters. This is quite different from hal where all |
| 248 | // output variable can be modified due to hal returning void. |
| 249 | // |
| 250 | // So the caller need to be aware not to expect aidl functions to clear |
| 251 | // the output variables for you in case of error. If you left some |
| 252 | // wrong data set in the out parameters, they will stay there. |
| 253 | return kmError2ScopedAStatus(response.error); |
| 254 | } |
| 255 | |
Shawn Willden | 763166c | 2021-01-10 19:45:01 -0700 | [diff] [blame] | 256 | creationResult->keyBlob = kmBlob2vector(response.key_blob); |
| 257 | creationResult->keyCharacteristics = |
| 258 | convertKeyCharacteristics(securityLevel_, response.unenforced, response.enforced); |
Shawn Willden | d7d4f31 | 2020-12-21 08:31:01 -0700 | [diff] [blame] | 259 | creationResult->certificateChain = convertCertificateChain(response.certificate_chain); |
Shawn Willden | 815e896 | 2020-12-11 13:05:27 +0000 | [diff] [blame] | 260 | return ScopedAStatus::ok(); |
| 261 | } |
| 262 | |
| 263 | ScopedAStatus AndroidKeyMintDevice::importKey(const vector<KeyParameter>& keyParams, |
| 264 | KeyFormat keyFormat, const vector<uint8_t>& keyData, |
Shawn Willden | 44c3888 | 2020-12-21 18:35:13 -0700 | [diff] [blame] | 265 | const optional<AttestationKey>& attestationKey, |
Shawn Willden | 763166c | 2021-01-10 19:45:01 -0700 | [diff] [blame] | 266 | KeyCreationResult* creationResult) { |
Shawn Willden | 815e896 | 2020-12-11 13:05:27 +0000 | [diff] [blame] | 267 | |
Shawn Willden | 950eb0b | 2021-01-06 19:15:29 +0000 | [diff] [blame] | 268 | ImportKeyRequest request(impl_->message_version()); |
Shawn Willden | 815e896 | 2020-12-11 13:05:27 +0000 | [diff] [blame] | 269 | request.key_description.Reinitialize(KmParamSet(keyParams)); |
| 270 | request.key_format = legacy_enum_conversion(keyFormat); |
Shawn Willden | 6e20ea4 | 2020-12-21 18:52:34 -0700 | [diff] [blame] | 271 | request.key_data = KeymasterKeyBlob(keyData.data(), keyData.size()); |
Shawn Willden | 44c3888 | 2020-12-21 18:35:13 -0700 | [diff] [blame] | 272 | if (attestationKey) { |
| 273 | request.attestation_signing_key_blob = |
| 274 | KeymasterKeyBlob(attestationKey->keyBlob.data(), attestationKey->keyBlob.size()); |
| 275 | request.attest_key_params.Reinitialize(KmParamSet(attestationKey->attestKeyParams)); |
| 276 | request.issuer_subject = KeymasterBlob(attestationKey->issuerSubjectName.data(), |
| 277 | attestationKey->issuerSubjectName.size()); |
| 278 | } |
Shawn Willden | 815e896 | 2020-12-11 13:05:27 +0000 | [diff] [blame] | 279 | |
Shawn Willden | 950eb0b | 2021-01-06 19:15:29 +0000 | [diff] [blame] | 280 | ImportKeyResponse response(impl_->message_version()); |
Shawn Willden | 815e896 | 2020-12-11 13:05:27 +0000 | [diff] [blame] | 281 | impl_->ImportKey(request, &response); |
| 282 | |
| 283 | if (response.error != KM_ERROR_OK) { |
| 284 | return kmError2ScopedAStatus(response.error); |
| 285 | } |
| 286 | |
Shawn Willden | 763166c | 2021-01-10 19:45:01 -0700 | [diff] [blame] | 287 | creationResult->keyBlob = kmBlob2vector(response.key_blob); |
| 288 | creationResult->keyCharacteristics = |
| 289 | convertKeyCharacteristics(securityLevel_, response.unenforced, response.enforced); |
Shawn Willden | d7d4f31 | 2020-12-21 08:31:01 -0700 | [diff] [blame] | 290 | creationResult->certificateChain = convertCertificateChain(response.certificate_chain); |
Shawn Willden | 815e896 | 2020-12-11 13:05:27 +0000 | [diff] [blame] | 291 | |
| 292 | return ScopedAStatus::ok(); |
| 293 | } |
| 294 | |
Shawn Willden | 44c3888 | 2020-12-21 18:35:13 -0700 | [diff] [blame] | 295 | ScopedAStatus |
| 296 | AndroidKeyMintDevice::importWrappedKey(const vector<uint8_t>& wrappedKeyData, // |
| 297 | const vector<uint8_t>& wrappingKeyBlob, // |
| 298 | const vector<uint8_t>& maskingKey, // |
| 299 | const vector<KeyParameter>& unwrappingParams, // |
| 300 | int64_t passwordSid, int64_t biometricSid, // |
| 301 | KeyCreationResult* creationResult) { |
Shawn Willden | 815e896 | 2020-12-11 13:05:27 +0000 | [diff] [blame] | 302 | |
Shawn Willden | 950eb0b | 2021-01-06 19:15:29 +0000 | [diff] [blame] | 303 | ImportWrappedKeyRequest request(impl_->message_version()); |
Shawn Willden | 815e896 | 2020-12-11 13:05:27 +0000 | [diff] [blame] | 304 | request.SetWrappedMaterial(wrappedKeyData.data(), wrappedKeyData.size()); |
| 305 | request.SetWrappingMaterial(wrappingKeyBlob.data(), wrappingKeyBlob.size()); |
| 306 | request.SetMaskingKeyMaterial(maskingKey.data(), maskingKey.size()); |
| 307 | request.additional_params.Reinitialize(KmParamSet(unwrappingParams)); |
| 308 | request.password_sid = static_cast<uint64_t>(passwordSid); |
| 309 | request.biometric_sid = static_cast<uint64_t>(biometricSid); |
| 310 | |
Shawn Willden | 950eb0b | 2021-01-06 19:15:29 +0000 | [diff] [blame] | 311 | ImportWrappedKeyResponse response(impl_->message_version()); |
Shawn Willden | 815e896 | 2020-12-11 13:05:27 +0000 | [diff] [blame] | 312 | impl_->ImportWrappedKey(request, &response); |
| 313 | |
| 314 | if (response.error != KM_ERROR_OK) { |
| 315 | return kmError2ScopedAStatus(response.error); |
| 316 | } |
| 317 | |
Shawn Willden | 763166c | 2021-01-10 19:45:01 -0700 | [diff] [blame] | 318 | creationResult->keyBlob = kmBlob2vector(response.key_blob); |
| 319 | creationResult->keyCharacteristics = |
| 320 | convertKeyCharacteristics(securityLevel_, response.unenforced, response.enforced); |
Shawn Willden | d7d4f31 | 2020-12-21 08:31:01 -0700 | [diff] [blame] | 321 | creationResult->certificateChain = convertCertificateChain(response.certificate_chain); |
Shawn Willden | 815e896 | 2020-12-11 13:05:27 +0000 | [diff] [blame] | 322 | |
| 323 | return ScopedAStatus::ok(); |
| 324 | } |
| 325 | |
| 326 | ScopedAStatus AndroidKeyMintDevice::upgradeKey(const vector<uint8_t>& keyBlobToUpgrade, |
| 327 | const vector<KeyParameter>& upgradeParams, |
| 328 | vector<uint8_t>* keyBlob) { |
| 329 | |
Shawn Willden | 950eb0b | 2021-01-06 19:15:29 +0000 | [diff] [blame] | 330 | UpgradeKeyRequest request(impl_->message_version()); |
Shawn Willden | 815e896 | 2020-12-11 13:05:27 +0000 | [diff] [blame] | 331 | request.SetKeyMaterial(keyBlobToUpgrade.data(), keyBlobToUpgrade.size()); |
| 332 | request.upgrade_params.Reinitialize(KmParamSet(upgradeParams)); |
| 333 | |
Shawn Willden | 950eb0b | 2021-01-06 19:15:29 +0000 | [diff] [blame] | 334 | UpgradeKeyResponse response(impl_->message_version()); |
Shawn Willden | 815e896 | 2020-12-11 13:05:27 +0000 | [diff] [blame] | 335 | impl_->UpgradeKey(request, &response); |
| 336 | |
| 337 | if (response.error != KM_ERROR_OK) { |
| 338 | return kmError2ScopedAStatus(response.error); |
| 339 | } |
| 340 | |
| 341 | *keyBlob = kmBlob2vector(response.upgraded_key); |
| 342 | return ScopedAStatus::ok(); |
| 343 | } |
| 344 | |
| 345 | ScopedAStatus AndroidKeyMintDevice::deleteKey(const vector<uint8_t>& keyBlob) { |
Shawn Willden | 950eb0b | 2021-01-06 19:15:29 +0000 | [diff] [blame] | 346 | DeleteKeyRequest request(impl_->message_version()); |
Shawn Willden | 815e896 | 2020-12-11 13:05:27 +0000 | [diff] [blame] | 347 | request.SetKeyMaterial(keyBlob.data(), keyBlob.size()); |
| 348 | |
Shawn Willden | 950eb0b | 2021-01-06 19:15:29 +0000 | [diff] [blame] | 349 | DeleteKeyResponse response(impl_->message_version()); |
Shawn Willden | 815e896 | 2020-12-11 13:05:27 +0000 | [diff] [blame] | 350 | impl_->DeleteKey(request, &response); |
| 351 | |
| 352 | return kmError2ScopedAStatus(response.error); |
| 353 | } |
| 354 | |
| 355 | ScopedAStatus AndroidKeyMintDevice::deleteAllKeys() { |
| 356 | // There's nothing to be done to delete software key blobs. |
Shawn Willden | 950eb0b | 2021-01-06 19:15:29 +0000 | [diff] [blame] | 357 | DeleteAllKeysRequest request(impl_->message_version()); |
| 358 | DeleteAllKeysResponse response(impl_->message_version()); |
Shawn Willden | 815e896 | 2020-12-11 13:05:27 +0000 | [diff] [blame] | 359 | impl_->DeleteAllKeys(request, &response); |
| 360 | |
| 361 | return kmError2ScopedAStatus(response.error); |
| 362 | } |
| 363 | |
| 364 | ScopedAStatus AndroidKeyMintDevice::destroyAttestationIds() { |
| 365 | return kmError2ScopedAStatus(KM_ERROR_UNIMPLEMENTED); |
| 366 | } |
| 367 | |
| 368 | ScopedAStatus AndroidKeyMintDevice::begin(KeyPurpose purpose, const vector<uint8_t>& keyBlob, |
| 369 | const vector<KeyParameter>& params, |
David Drysdale | 8181591 | 2021-04-19 19:11:41 +0100 | [diff] [blame] | 370 | const optional<HardwareAuthToken>& authToken, |
| 371 | BeginResult* result) { |
Shawn Willden | 815e896 | 2020-12-11 13:05:27 +0000 | [diff] [blame] | 372 | |
Shawn Willden | 950eb0b | 2021-01-06 19:15:29 +0000 | [diff] [blame] | 373 | BeginOperationRequest request(impl_->message_version()); |
Shawn Willden | 815e896 | 2020-12-11 13:05:27 +0000 | [diff] [blame] | 374 | request.purpose = legacy_enum_conversion(purpose); |
| 375 | request.SetKeyMaterial(keyBlob.data(), keyBlob.size()); |
| 376 | request.additional_params.Reinitialize(KmParamSet(params)); |
| 377 | |
| 378 | vector<uint8_t> vector_token = authToken2AidlVec(authToken); |
| 379 | request.additional_params.push_back( |
| 380 | TAG_AUTH_TOKEN, reinterpret_cast<uint8_t*>(vector_token.data()), vector_token.size()); |
| 381 | |
Shawn Willden | 950eb0b | 2021-01-06 19:15:29 +0000 | [diff] [blame] | 382 | BeginOperationResponse response(impl_->message_version()); |
Shawn Willden | 815e896 | 2020-12-11 13:05:27 +0000 | [diff] [blame] | 383 | impl_->BeginOperation(request, &response); |
| 384 | |
| 385 | if (response.error != KM_ERROR_OK) { |
| 386 | return kmError2ScopedAStatus(response.error); |
| 387 | } |
| 388 | |
| 389 | result->params = kmParamSet2Aidl(response.output_params); |
| 390 | result->challenge = response.op_handle; |
| 391 | result->operation = |
| 392 | ndk::SharedRefBase::make<AndroidKeyMintOperation>(impl_, response.op_handle); |
| 393 | return ScopedAStatus::ok(); |
| 394 | } |
| 395 | |
Chirag Pathak | b292e9a | 2021-02-02 07:28:09 +0000 | [diff] [blame] | 396 | ScopedAStatus AndroidKeyMintDevice::deviceLocked( |
Shawn Willden | 5592969 | 2021-02-19 14:53:02 -0700 | [diff] [blame] | 397 | bool passwordOnly, const std::optional<secureclock::TimeStampToken>& timestampToken) { |
Chirag Pathak | b292e9a | 2021-02-02 07:28:09 +0000 | [diff] [blame] | 398 | DeviceLockedRequest request(impl_->message_version()); |
Shawn Willden | 5592969 | 2021-02-19 14:53:02 -0700 | [diff] [blame] | 399 | request.passwordOnly = passwordOnly; |
| 400 | if (timestampToken.has_value()) { |
| 401 | request.token.challenge = timestampToken->challenge; |
| 402 | request.token.mac = {timestampToken->mac.data(), timestampToken->mac.size()}; |
| 403 | request.token.timestamp = timestampToken->timestamp.milliSeconds; |
Chirag Pathak | b292e9a | 2021-02-02 07:28:09 +0000 | [diff] [blame] | 404 | } |
| 405 | DeviceLockedResponse response = impl_->DeviceLocked(request); |
| 406 | return kmError2ScopedAStatus(response.error); |
| 407 | } |
| 408 | |
| 409 | ScopedAStatus AndroidKeyMintDevice::earlyBootEnded() { |
| 410 | EarlyBootEndedResponse response = impl_->EarlyBootEnded(); |
| 411 | return kmError2ScopedAStatus(response.error); |
| 412 | } |
| 413 | |
Satya Tangirala | 86d2540 | 2021-03-05 16:33:50 -0800 | [diff] [blame] | 414 | ScopedAStatus |
| 415 | AndroidKeyMintDevice::convertStorageKeyToEphemeral(const std::vector<uint8_t>& /* storageKeyBlob */, |
| 416 | std::vector<uint8_t>* /* ephemeralKeyBlob */) { |
| 417 | return kmError2ScopedAStatus(KM_ERROR_UNIMPLEMENTED); |
| 418 | } |
| 419 | |
Paul Crowley | 08641bf | 2021-04-29 12:46:49 -0700 | [diff] [blame] | 420 | ScopedAStatus AndroidKeyMintDevice::getKeyCharacteristics( |
| 421 | const std::vector<uint8_t>& /* storageKeyBlob */, const std::vector<uint8_t>& /* appId */, |
| 422 | const std::vector<uint8_t>& /* appData */, |
| 423 | std::vector<KeyCharacteristics>* /* keyCharacteristics */) { |
| 424 | return kmError2ScopedAStatus(KM_ERROR_UNIMPLEMENTED); |
| 425 | } |
| 426 | |
Shawn Willden | 815e896 | 2020-12-11 13:05:27 +0000 | [diff] [blame] | 427 | IKeyMintDevice* CreateKeyMintDevice(SecurityLevel securityLevel) { |
Shawn Willden | 815e896 | 2020-12-11 13:05:27 +0000 | [diff] [blame] | 428 | return ::new AndroidKeyMintDevice(securityLevel); |
| 429 | } |
| 430 | |
| 431 | } // namespace aidl::android::hardware::security::keymint |