Gitiles
Code Review Sign In
gerrit.openfyde.cn / android.googlesource.com / platform / system / keymaster / 15d2adf2b04b041a9ddd7eb8e29da90585c8ce8b / . / ng / AndroidKeyMintDevice.cpp
blob: f024fefb75a0666b44fbfef8e06bfc8666448b9b [file] [log] [blame]
Shawn Willden815e8962020-12-11 13:05:27 +0000[diff] [blame]1/*
2 * Copyright 2020, The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17#define LOG_TAG "android.hardware.security.keymint-impl"
18#include <log/log.h>
19
20#include "AndroidKeyMintDevice.h"
21
22#include <aidl/android/hardware/security/keymint/ErrorCode.h>
23
24#include <keymaster/android_keymaster.h>
25#include <keymaster/contexts/pure_soft_keymaster_context.h>
26#include <keymaster/keymaster_configuration.h>
27
28#include "AndroidKeyMintOperation.h"
29#include "KeyMintUtils.h"
30
31namespace aidl::android::hardware::security::keymint {
32
33using namespace ::keymaster;
Shawn Willden96d4e8c2020-12-07 17:03:54 -0700[diff] [blame]34using namespace km_utils;
Shawn Willden815e8962020-12-11 13:05:27 +0000[diff] [blame]35
36constexpr size_t kOperationTableSize = 16;
37
38AndroidKeyMintDevice::AndroidKeyMintDevice(SecurityLevel securityLevel)
39 : impl_(new ::keymaster::AndroidKeymaster(
40 [&]() -> auto {
41 auto context = new PureSoftKeymasterContext(
42 KmVersion::KEYMINT_1, static_cast<keymaster_security_level_t>(securityLevel));
43 context->SetSystemVersion(::keymaster::GetOsVersion(),
44 ::keymaster::GetOsPatchlevel());
45 return context;
46 }(),
47 kOperationTableSize)),
48 securityLevel_(securityLevel) {}
49
50AndroidKeyMintDevice::~AndroidKeyMintDevice() {}
51
52ScopedAStatus AndroidKeyMintDevice::getHardwareInfo(KeyMintHardwareInfo* info) {
53 info->versionNumber = 1;
54 info->securityLevel = securityLevel_;
55 info->keyMintName = "FakeKeyMintDevice";
56 info->keyMintAuthorName = "Google";
57
58 return ScopedAStatus::ok();
59}
60
61ScopedAStatus AndroidKeyMintDevice::verifyAuthorization(int64_t challenge, //
62 const HardwareAuthToken& authToken, //
63 VerificationToken* verificationToken) {
64
Shawn Willden15d2adf2020-12-20 12:46:52 -0700[diff] [blame^]65 VerifyAuthorizationRequest request(impl_->message_version());
Shawn Willden815e8962020-12-11 13:05:27 +0000[diff] [blame]66 request.challenge = static_cast<uint64_t>(challenge);
67 request.auth_token.challenge = authToken.challenge;
68 request.auth_token.user_id = authToken.userId;
69 request.auth_token.authenticator_id = authToken.authenticatorId;
70 request.auth_token.authenticator_type = legacy_enum_conversion(authToken.authenticatorType);
71
72 // TODO(seleneh) b/162481130 remove the casting once uint is supported in aidl
73 request.auth_token.timestamp = static_cast<uint64_t>(authToken.timestamp.milliSeconds);
74 KeymasterBlob mac(authToken.mac.data(), authToken.mac.size());
75 request.auth_token.mac = KeymasterBlob(authToken.mac.data(), authToken.mac.size());
76
77 auto response = impl_->VerifyAuthorization(request);
78
79 if (response.error != KM_ERROR_OK) {
80 return kmError2ScopedAStatus(response.error);
81 }
82
83 verificationToken->challenge = response.token.challenge;
84 verificationToken->timestamp.milliSeconds = static_cast<int64_t>(response.token.timestamp);
85 verificationToken->securityLevel = legacy_enum_conversion(response.token.security_level);
86 verificationToken->mac = kmBlob2vector(response.token.mac);
87
88 return ScopedAStatus::ok();
89}
90
91ScopedAStatus AndroidKeyMintDevice::addRngEntropy(const vector<uint8_t>& data) {
92 if (data.size() == 0) {
93 return ScopedAStatus::ok();
94 }
95
Shawn Willden15d2adf2020-12-20 12:46:52 -0700[diff] [blame^]96 AddEntropyRequest request(impl_->message_version());
Shawn Willden815e8962020-12-11 13:05:27 +0000[diff] [blame]97 request.random_data.Reinitialize(data.data(), data.size());
98
Shawn Willden15d2adf2020-12-20 12:46:52 -0700[diff] [blame^]99 AddEntropyResponse response(impl_->message_version());
Shawn Willden815e8962020-12-11 13:05:27 +0000[diff] [blame]100 impl_->AddRngEntropy(request, &response);
101
102 return kmError2ScopedAStatus(response.error);
103}
104
105ScopedAStatus AndroidKeyMintDevice::generateKey(const vector<KeyParameter>& keyParams,
106 ByteArray* generatedKeyBlob,
107 KeyCharacteristics* generatedKeyCharacteristics,
108 vector<Certificate>* /* certChain */) {
109
Shawn Willden15d2adf2020-12-20 12:46:52 -0700[diff] [blame^]110 GenerateKeyRequest request(impl_->message_version());
Shawn Willden815e8962020-12-11 13:05:27 +0000[diff] [blame]111 request.key_description.Reinitialize(KmParamSet(keyParams));
112
Shawn Willden15d2adf2020-12-20 12:46:52 -0700[diff] [blame^]113 GenerateKeyResponse response(impl_->message_version());
Shawn Willden815e8962020-12-11 13:05:27 +0000[diff] [blame]114 impl_->GenerateKey(request, &response);
115
116 if (response.error != KM_ERROR_OK) {
117 // Note a key difference between this current aidl and previous hal, is
118 // that hal returns void where as aidl returns the error status. If
119 // aidl returns error, then aidl will not return any change you may make
120 // to the out parameters. This is quite different from hal where all
121 // output variable can be modified due to hal returning void.
122 //
123 // So the caller need to be aware not to expect aidl functions to clear
124 // the output variables for you in case of error. If you left some
125 // wrong data set in the out parameters, they will stay there.
126 return kmError2ScopedAStatus(response.error);
127 }
128
129 generatedKeyBlob->data = kmBlob2vector(response.key_blob);
130 generatedKeyCharacteristics->hardwareEnforced = kmParamSet2Aidl(response.enforced);
131 generatedKeyCharacteristics->softwareEnforced = kmParamSet2Aidl(response.unenforced);
132
133 return ScopedAStatus::ok();
134}
135
136ScopedAStatus AndroidKeyMintDevice::importKey(const vector<KeyParameter>& keyParams,
137 KeyFormat keyFormat, const vector<uint8_t>& keyData,
138 ByteArray* importedKeyBlob,
139 KeyCharacteristics* importedKeyCharacteristics,
140 vector<Certificate>* /* certChain */) {
141
Shawn Willden15d2adf2020-12-20 12:46:52 -0700[diff] [blame^]142 ImportKeyRequest request(impl_->message_version());
Shawn Willden815e8962020-12-11 13:05:27 +0000[diff] [blame]143 request.key_description.Reinitialize(KmParamSet(keyParams));
144 request.key_format = legacy_enum_conversion(keyFormat);
145 request.SetKeyMaterial(keyData.data(), keyData.size());
146
Shawn Willden15d2adf2020-12-20 12:46:52 -0700[diff] [blame^]147 ImportKeyResponse response(impl_->message_version());
Shawn Willden815e8962020-12-11 13:05:27 +0000[diff] [blame]148 impl_->ImportKey(request, &response);
149
150 if (response.error != KM_ERROR_OK) {
151 return kmError2ScopedAStatus(response.error);
152 }
153
154 importedKeyBlob->data = kmBlob2vector(response.key_blob);
155 importedKeyCharacteristics->hardwareEnforced = kmParamSet2Aidl(response.enforced);
156 importedKeyCharacteristics->softwareEnforced = kmParamSet2Aidl(response.unenforced);
157
158 return ScopedAStatus::ok();
159}
160
161ScopedAStatus AndroidKeyMintDevice::importWrappedKey(
162 const vector<uint8_t>& wrappedKeyData, const vector<uint8_t>& wrappingKeyBlob,
163 const vector<uint8_t>& maskingKey, const vector<KeyParameter>& unwrappingParams,
164 int64_t passwordSid, int64_t biometricSid, ByteArray* importedKeyBlob,
165 KeyCharacteristics* importedKeyCharacteristics) {
166
Shawn Willden15d2adf2020-12-20 12:46:52 -0700[diff] [blame^]167 ImportWrappedKeyRequest request(impl_->message_version());
Shawn Willden815e8962020-12-11 13:05:27 +0000[diff] [blame]168 request.SetWrappedMaterial(wrappedKeyData.data(), wrappedKeyData.size());
169 request.SetWrappingMaterial(wrappingKeyBlob.data(), wrappingKeyBlob.size());
170 request.SetMaskingKeyMaterial(maskingKey.data(), maskingKey.size());
171 request.additional_params.Reinitialize(KmParamSet(unwrappingParams));
172 request.password_sid = static_cast<uint64_t>(passwordSid);
173 request.biometric_sid = static_cast<uint64_t>(biometricSid);
174
Shawn Willden15d2adf2020-12-20 12:46:52 -0700[diff] [blame^]175 ImportWrappedKeyResponse response(impl_->message_version());
Shawn Willden815e8962020-12-11 13:05:27 +0000[diff] [blame]176 impl_->ImportWrappedKey(request, &response);
177
178 if (response.error != KM_ERROR_OK) {
179 return kmError2ScopedAStatus(response.error);
180 }
181
182 importedKeyBlob->data = kmBlob2vector(response.key_blob);
183 importedKeyCharacteristics->hardwareEnforced = kmParamSet2Aidl(response.enforced);
184 importedKeyCharacteristics->softwareEnforced = kmParamSet2Aidl(response.unenforced);
185
186 return ScopedAStatus::ok();
187}
188
189ScopedAStatus AndroidKeyMintDevice::upgradeKey(const vector<uint8_t>& keyBlobToUpgrade,
190 const vector<KeyParameter>& upgradeParams,
191 vector<uint8_t>* keyBlob) {
192
Shawn Willden15d2adf2020-12-20 12:46:52 -0700[diff] [blame^]193 UpgradeKeyRequest request(impl_->message_version());
Shawn Willden815e8962020-12-11 13:05:27 +0000[diff] [blame]194 request.SetKeyMaterial(keyBlobToUpgrade.data(), keyBlobToUpgrade.size());
195 request.upgrade_params.Reinitialize(KmParamSet(upgradeParams));
196
Shawn Willden15d2adf2020-12-20 12:46:52 -0700[diff] [blame^]197 UpgradeKeyResponse response(impl_->message_version());
Shawn Willden815e8962020-12-11 13:05:27 +0000[diff] [blame]198 impl_->UpgradeKey(request, &response);
199
200 if (response.error != KM_ERROR_OK) {
201 return kmError2ScopedAStatus(response.error);
202 }
203
204 *keyBlob = kmBlob2vector(response.upgraded_key);
205 return ScopedAStatus::ok();
206}
207
208ScopedAStatus AndroidKeyMintDevice::deleteKey(const vector<uint8_t>& keyBlob) {
Shawn Willden15d2adf2020-12-20 12:46:52 -0700[diff] [blame^]209 DeleteKeyRequest request(impl_->message_version());
Shawn Willden815e8962020-12-11 13:05:27 +0000[diff] [blame]210 request.SetKeyMaterial(keyBlob.data(), keyBlob.size());
211
Shawn Willden15d2adf2020-12-20 12:46:52 -0700[diff] [blame^]212 DeleteKeyResponse response(impl_->message_version());
Shawn Willden815e8962020-12-11 13:05:27 +0000[diff] [blame]213 impl_->DeleteKey(request, &response);
214
215 return kmError2ScopedAStatus(response.error);
216}
217
218ScopedAStatus AndroidKeyMintDevice::deleteAllKeys() {
219 // There's nothing to be done to delete software key blobs.
Shawn Willden15d2adf2020-12-20 12:46:52 -0700[diff] [blame^]220 DeleteAllKeysRequest request(impl_->message_version());
221 DeleteAllKeysResponse response(impl_->message_version());
Shawn Willden815e8962020-12-11 13:05:27 +0000[diff] [blame]222 impl_->DeleteAllKeys(request, &response);
223
224 return kmError2ScopedAStatus(response.error);
225}
226
227ScopedAStatus AndroidKeyMintDevice::destroyAttestationIds() {
228 return kmError2ScopedAStatus(KM_ERROR_UNIMPLEMENTED);
229}
230
231ScopedAStatus AndroidKeyMintDevice::begin(KeyPurpose purpose, const vector<uint8_t>& keyBlob,
232 const vector<KeyParameter>& params,
233 const HardwareAuthToken& authToken, BeginResult* result) {
234
Shawn Willden15d2adf2020-12-20 12:46:52 -0700[diff] [blame^]235 BeginOperationRequest request(impl_->message_version());
Shawn Willden815e8962020-12-11 13:05:27 +0000[diff] [blame]236 request.purpose = legacy_enum_conversion(purpose);
237 request.SetKeyMaterial(keyBlob.data(), keyBlob.size());
238 request.additional_params.Reinitialize(KmParamSet(params));
239
240 vector<uint8_t> vector_token = authToken2AidlVec(authToken);
241 request.additional_params.push_back(
242 TAG_AUTH_TOKEN, reinterpret_cast<uint8_t*>(vector_token.data()), vector_token.size());
243
Shawn Willden15d2adf2020-12-20 12:46:52 -0700[diff] [blame^]244 BeginOperationResponse response(impl_->message_version());
Shawn Willden815e8962020-12-11 13:05:27 +0000[diff] [blame]245 impl_->BeginOperation(request, &response);
246
247 if (response.error != KM_ERROR_OK) {
248 return kmError2ScopedAStatus(response.error);
249 }
250
251 result->params = kmParamSet2Aidl(response.output_params);
252 result->challenge = response.op_handle;
253 result->operation =
254 ndk::SharedRefBase::make<AndroidKeyMintOperation>(impl_, response.op_handle);
255 return ScopedAStatus::ok();
256}
257
258IKeyMintDevice* CreateKeyMintDevice(SecurityLevel securityLevel) {
259
260 return ::new AndroidKeyMintDevice(securityLevel);
261}
262
263} // namespace aidl::android::hardware::security::keymint