1 /*
2  * Copyright 2015 The Android Open Source Project
3  *
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at
7  *
8  *      http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */
16 
17 #include <keymaster/soft_keymaster_device.h>
18 
19 #include <assert.h>
20 #include <stddef.h>
21 #include <stdio.h>
22 #include <stdlib.h>
23 #include <string.h>
24 #include <time.h>
25 
26 #include <algorithm>
27 #include <vector>
28 
29 #include <type_traits>
30 
31 #include <openssl/x509.h>
32 
33 #include <hardware/keymaster1.h>
34 #define LOG_TAG "SoftKeymasterDevice"
35 #include <log/log.h>
36 
37 #include <keymaster/android_keymaster.h>
38 #include <keymaster/android_keymaster_messages.h>
39 #include <keymaster/android_keymaster_utils.h>
40 #include <keymaster/authorization_set.h>
41 #include <keymaster/contexts/soft_keymaster_context.h>
42 #include <keymaster/key.h>
43 #include <keymaster/km_openssl/openssl_utils.h>
44 #include <keymaster/soft_keymaster_logger.h>
45 
46 struct keystore_module soft_keymaster1_device_module = {
47     .common =
48         {
49             .tag = HARDWARE_MODULE_TAG,
50             .module_api_version = KEYMASTER_MODULE_API_VERSION_1_0,
51             .hal_api_version = HARDWARE_HAL_API_VERSION,
52             .id = KEYSTORE_HARDWARE_MODULE_ID,
53             .name = "OpenSSL-based SoftKeymaster HAL",
54             .author = "The Android Open Source Project",
55             .methods = nullptr,
56             .dso = nullptr,
57             .reserved = {},
58         },
59 };
60 
61 struct keystore_module soft_keymaster2_device_module = {
62     .common =
63         {
64             .tag = HARDWARE_MODULE_TAG,
65             .module_api_version = KEYMASTER_MODULE_API_VERSION_2_0,
66             .hal_api_version = HARDWARE_HAL_API_VERSION,
67             .id = KEYSTORE_HARDWARE_MODULE_ID,
68             .name = "OpenSSL-based SoftKeymaster HAL",
69             .author = "The Android Open Source Project",
70             .methods = nullptr,
71             .dso = nullptr,
72             .reserved = {},
73         },
74 };
75 
76 namespace keymaster {
77 
78 const size_t kMaximumAttestationChallengeLength = 128;
79 const size_t kOperationTableSize = 16;
80 
make_vector(const T * array,size_t len)81 template <typename T> std::vector<T> make_vector(const T* array, size_t len) {
82     return std::vector<T>(array, array + len);
83 }
84 
85 // This helper class implements just enough of the C++ standard collection interface to be able to
86 // accept push_back calls, and it does nothing but count them.  It's useful when you want to count
87 // insertions but not actually store anything.  It's used in digest_set_is_full below to count the
88 // size of a set intersection.
89 struct PushbackCounter {
90     struct value_type {
91         // NOLINTNEXTLINE(google-explicit-constructor)
value_typekeymaster::PushbackCounter::value_type92         template <typename T> value_type(const T&) {}
93     };
push_backkeymaster::PushbackCounter94     void push_back(const value_type&) { ++count; }
95     size_t count = 0;
96 };
97 
98 static std::vector<keymaster_digest_t> full_digest_list = {
99     KM_DIGEST_MD5,       KM_DIGEST_SHA1,      KM_DIGEST_SHA_2_224,
100     KM_DIGEST_SHA_2_256, KM_DIGEST_SHA_2_384, KM_DIGEST_SHA_2_512};
101 
digest_set_is_full(Iter begin,Iter end)102 template <typename Iter> static bool digest_set_is_full(Iter begin, Iter end) {
103     PushbackCounter counter;
104     std::set_intersection(begin, end, full_digest_list.begin(), full_digest_list.end(),
105                           std::back_inserter(counter));
106     return counter.count == full_digest_list.size();
107 }
108 
add_digests(keymaster1_device_t * dev,keymaster_algorithm_t algorithm,keymaster_purpose_t purpose,SoftKeymasterDevice::DigestMap * map,bool * supports_all)109 static keymaster_error_t add_digests(keymaster1_device_t* dev, keymaster_algorithm_t algorithm,
110                                      keymaster_purpose_t purpose,
111                                      SoftKeymasterDevice::DigestMap* map, bool* supports_all) {
112     auto key = std::make_pair(algorithm, purpose);
113 
114     keymaster_digest_t* digests;
115     size_t digests_length;
116     keymaster_error_t error =
117         dev->get_supported_digests(dev, algorithm, purpose, &digests, &digests_length);
118     if (error != KM_ERROR_OK) {
119         LOG_E("Error %d getting supported digests from keymaster1 device", error);
120         return error;
121     }
122     std::unique_ptr<keymaster_digest_t, Malloc_Delete> digests_deleter(digests);
123 
124     auto digest_vec = make_vector(digests, digests_length);
125     *supports_all = digest_set_is_full(digest_vec.begin(), digest_vec.end());
126     (*map)[key] = std::move(digest_vec);
127     return error;
128 }
129 
map_digests(keymaster1_device_t * dev,SoftKeymasterDevice::DigestMap * map,bool * supports_all)130 static keymaster_error_t map_digests(keymaster1_device_t* dev, SoftKeymasterDevice::DigestMap* map,
131                                      bool* supports_all) {
132     map->clear();
133     *supports_all = true;
134 
135     keymaster_algorithm_t sig_algorithms[] = {KM_ALGORITHM_RSA, KM_ALGORITHM_EC, KM_ALGORITHM_HMAC};
136     keymaster_purpose_t sig_purposes[] = {KM_PURPOSE_SIGN, KM_PURPOSE_VERIFY};
137     for (auto algorithm : sig_algorithms)
138         for (auto purpose : sig_purposes) {
139             bool alg_purpose_supports_all;
140             keymaster_error_t error =
141                 add_digests(dev, algorithm, purpose, map, &alg_purpose_supports_all);
142             if (error != KM_ERROR_OK) return error;
143             *supports_all &= alg_purpose_supports_all;
144         }
145 
146     keymaster_algorithm_t crypt_algorithms[] = {KM_ALGORITHM_RSA};
147     keymaster_purpose_t crypt_purposes[] = {KM_PURPOSE_ENCRYPT, KM_PURPOSE_DECRYPT};
148     for (auto algorithm : crypt_algorithms)
149         for (auto purpose : crypt_purposes) {
150             bool alg_purpose_supports_all;
151             keymaster_error_t error =
152                 add_digests(dev, algorithm, purpose, map, &alg_purpose_supports_all);
153             if (error != KM_ERROR_OK) return error;
154             *supports_all &= alg_purpose_supports_all;
155         }
156 
157     return KM_ERROR_OK;
158 }
159 
SoftKeymasterDevice(KmVersion version)160 SoftKeymasterDevice::SoftKeymasterDevice(KmVersion version)
161     : wrapped_km1_device_(nullptr), context_(new SoftKeymasterContext(version)),
162       impl_(new AndroidKeymaster(context_, kOperationTableSize)), configured_(false) {
163     LOG_I("Creating device", 0);
164     LOG_D("Device address: %p", this);
165 
166     initialize_device_struct(KEYMASTER_SOFTWARE_ONLY | KEYMASTER_BLOBS_ARE_STANDALONE |
167                              KEYMASTER_SUPPORTS_EC);
168 }
169 
SoftKeymasterDevice(SoftKeymasterContext * context)170 SoftKeymasterDevice::SoftKeymasterDevice(SoftKeymasterContext* context)
171     : wrapped_km1_device_(nullptr), context_(context),
172       impl_(new AndroidKeymaster(context_, kOperationTableSize)), configured_(false) {
173     LOG_I("Creating test device", 0);
174     LOG_D("Device address: %p", this);
175 
176     initialize_device_struct(KEYMASTER_SOFTWARE_ONLY | KEYMASTER_BLOBS_ARE_STANDALONE |
177                              KEYMASTER_SUPPORTS_EC);
178 }
179 
SetHardwareDevice(keymaster1_device_t * keymaster1_device)180 keymaster_error_t SoftKeymasterDevice::SetHardwareDevice(keymaster1_device_t* keymaster1_device) {
181     assert(keymaster1_device);
182     LOG_D("Reinitializing SoftKeymasterDevice to use HW keymaster1", 0);
183 
184     if (!context_) return KM_ERROR_UNEXPECTED_NULL_POINTER;
185 
186     keymaster_error_t error =
187         map_digests(keymaster1_device, &km1_device_digests_, &supports_all_digests_);
188     if (error != KM_ERROR_OK) return error;
189 
190     error = context_->SetHardwareDevice(keymaster1_device);
191     if (error != KM_ERROR_OK) return error;
192 
193     initialize_device_struct(keymaster1_device->flags);
194 
195     module_name_ = km1_device_.common.module->name;
196     module_name_.append(" (Wrapping ");
197     module_name_.append(keymaster1_device->common.module->name);
198     module_name_.append(")");
199 
200     updated_module_ = *km1_device_.common.module;
201     updated_module_.name = module_name_.c_str();
202 
203     km1_device_.common.module = &updated_module_;
204 
205     wrapped_km1_device_ = keymaster1_device;
206     return KM_ERROR_OK;
207 }
208 
Keymaster1DeviceIsGood()209 bool SoftKeymasterDevice::Keymaster1DeviceIsGood() {
210     std::vector<keymaster_digest_t> expected_rsa_digests = {
211         KM_DIGEST_NONE,      KM_DIGEST_MD5,       KM_DIGEST_SHA1,     KM_DIGEST_SHA_2_224,
212         KM_DIGEST_SHA_2_256, KM_DIGEST_SHA_2_384, KM_DIGEST_SHA_2_512};
213     std::vector<keymaster_digest_t> expected_ec_digests = {
214         KM_DIGEST_NONE,      KM_DIGEST_SHA1,      KM_DIGEST_SHA_2_224,
215         KM_DIGEST_SHA_2_256, KM_DIGEST_SHA_2_384, KM_DIGEST_SHA_2_512};
216 
217     for (auto& entry : km1_device_digests_) {
218         if (entry.first.first == KM_ALGORITHM_RSA)
219             if (!std::is_permutation(entry.second.begin(), entry.second.end(),
220                                      expected_rsa_digests.begin()))
221                 return false;
222         if (entry.first.first == KM_ALGORITHM_EC)
223             if (!std::is_permutation(entry.second.begin(), entry.second.end(),
224                                      expected_ec_digests.begin()))
225                 return false;
226     }
227     return true;
228 }
229 
initialize_device_struct(uint32_t flags)230 void SoftKeymasterDevice::initialize_device_struct(uint32_t flags) {
231     memset(&km1_device_, 0, sizeof(km1_device_));
232 
233     km1_device_.common.tag = HARDWARE_DEVICE_TAG;
234     km1_device_.common.version = 1;
235     km1_device_.common.module = reinterpret_cast<hw_module_t*>(&soft_keymaster1_device_module);
236     km1_device_.common.close = &close_device;
237 
238     km1_device_.flags = flags;
239 
240     km1_device_.context = this;
241 
242     // keymaster0 APIs
243     km1_device_.generate_keypair = nullptr;
244     km1_device_.import_keypair = nullptr;
245     km1_device_.get_keypair_public = nullptr;
246     km1_device_.delete_keypair = nullptr;
247     km1_device_.delete_all = nullptr;
248     km1_device_.sign_data = nullptr;
249     km1_device_.verify_data = nullptr;
250 
251     // keymaster1 APIs
252     km1_device_.get_supported_algorithms = get_supported_algorithms;
253     km1_device_.get_supported_block_modes = get_supported_block_modes;
254     km1_device_.get_supported_padding_modes = get_supported_padding_modes;
255     km1_device_.get_supported_digests = get_supported_digests;
256     km1_device_.get_supported_import_formats = get_supported_import_formats;
257     km1_device_.get_supported_export_formats = get_supported_export_formats;
258     km1_device_.add_rng_entropy = add_rng_entropy;
259     km1_device_.generate_key = generate_key;
260     km1_device_.get_key_characteristics = get_key_characteristics;
261     km1_device_.import_key = import_key;
262     km1_device_.export_key = export_key;
263     km1_device_.delete_key = delete_key;
264     km1_device_.delete_all_keys = delete_all_keys;
265     km1_device_.begin = begin;
266     km1_device_.update = update;
267     km1_device_.finish = finish;
268     km1_device_.abort = abort;
269 
270     // keymaster2 APIs
271     memset(&km2_device_, 0, sizeof(km2_device_));
272 
273     km2_device_.flags = flags;
274     km2_device_.context = this;
275 
276     km2_device_.common.tag = HARDWARE_DEVICE_TAG;
277     km2_device_.common.version = 1;
278     km2_device_.common.module = reinterpret_cast<hw_module_t*>(&soft_keymaster2_device_module);
279     km2_device_.common.close = &close_device;
280 
281     km2_device_.configure = configure;
282     km2_device_.add_rng_entropy = add_rng_entropy;
283     km2_device_.generate_key = generate_key;
284     km2_device_.get_key_characteristics = get_key_characteristics;
285     km2_device_.import_key = import_key;
286     km2_device_.export_key = export_key;
287     km2_device_.attest_key = attest_key;
288     km2_device_.upgrade_key = upgrade_key;
289     km2_device_.delete_key = delete_key;
290     km2_device_.delete_all_keys = delete_all_keys;
291     km2_device_.begin = begin;
292     km2_device_.update = update;
293     km2_device_.finish = finish;
294     km2_device_.abort = abort;
295 }
296 
hw_device()297 hw_device_t* SoftKeymasterDevice::hw_device() {
298     return &km1_device_.common;
299 }
300 
keymaster_device()301 keymaster1_device_t* SoftKeymasterDevice::keymaster_device() {
302     return &km1_device_;
303 }
304 
keymaster2_device()305 keymaster2_device_t* SoftKeymasterDevice::keymaster2_device() {
306     return &km2_device_;
307 }
308 
309 namespace {
310 
BuildCharacteristics(const AuthorizationSet & hw_enforced,const AuthorizationSet & sw_enforced)311 keymaster_key_characteristics_t* BuildCharacteristics(const AuthorizationSet& hw_enforced,
312                                                       const AuthorizationSet& sw_enforced) {
313     keymaster_key_characteristics_t* characteristics =
314         reinterpret_cast<keymaster_key_characteristics_t*>(
315             malloc(sizeof(keymaster_key_characteristics_t)));
316     if (characteristics) {
317         hw_enforced.CopyToParamSet(&characteristics->hw_enforced);
318         sw_enforced.CopyToParamSet(&characteristics->sw_enforced);
319     }
320     return characteristics;
321 }
322 
323 template <typename RequestType>
AddClientAndAppData(const keymaster_blob_t * client_id,const keymaster_blob_t * app_data,RequestType * request)324 void AddClientAndAppData(const keymaster_blob_t* client_id, const keymaster_blob_t* app_data,
325                          RequestType* request) {
326     request->additional_params.Clear();
327     if (client_id) request->additional_params.push_back(TAG_APPLICATION_ID, *client_id);
328     if (app_data) request->additional_params.push_back(TAG_APPLICATION_DATA, *app_data);
329 }
330 
convert_device(const T * dev)331 template <typename T> SoftKeymasterDevice* convert_device(const T* dev) {
332     static_assert((std::is_same<T, keymaster1_device_t>::value ||
333                    std::is_same<T, keymaster2_device_t>::value),
334                   "convert_device should only be applied to keymaster devices");
335     return reinterpret_cast<SoftKeymasterDevice*>(dev->context);
336 }
337 
338 template <keymaster_tag_t Tag, keymaster_tag_type_t Type, typename KeymasterEnum>
FindTagValue(const keymaster_key_param_set_t & params,TypedEnumTag<Type,Tag,KeymasterEnum> tag,KeymasterEnum * value)339 bool FindTagValue(const keymaster_key_param_set_t& params,
340                   TypedEnumTag<Type, Tag, KeymasterEnum> tag, KeymasterEnum* value) {
341     for (size_t i = 0; i < params.length; ++i)
342         if (params.params[i].tag == tag) {
343             *value = static_cast<KeymasterEnum>(params.params[i].enumerated);
344             return true;
345         }
346     return false;
347 }
348 
349 }  // namespace
350 
351 /* static */
close_device(hw_device_t * dev)352 int SoftKeymasterDevice::close_device(hw_device_t* dev) {
353     switch (dev->module->module_api_version) {
354     case KEYMASTER_MODULE_API_VERSION_2_0: {
355         delete convert_device(reinterpret_cast<keymaster2_device_t*>(dev));
356         break;
357     }
358 
359     case KEYMASTER_MODULE_API_VERSION_1_0: {
360         delete convert_device(reinterpret_cast<keymaster1_device_t*>(dev));
361         break;
362     }
363 
364     default:
365         return -1;
366     }
367 
368     return 0;
369 }
370 
371 /* static */
get_supported_algorithms(const keymaster1_device_t * dev,keymaster_algorithm_t ** algorithms,size_t * algorithms_length)372 keymaster_error_t SoftKeymasterDevice::get_supported_algorithms(const keymaster1_device_t* dev,
373                                                                 keymaster_algorithm_t** algorithms,
374                                                                 size_t* algorithms_length) {
375     if (!dev) return KM_ERROR_UNEXPECTED_NULL_POINTER;
376 
377     if (!algorithms || !algorithms_length) return KM_ERROR_OUTPUT_PARAMETER_NULL;
378 
379     const keymaster1_device_t* km1_dev = convert_device(dev)->wrapped_km1_device_;
380     if (km1_dev) return km1_dev->get_supported_algorithms(km1_dev, algorithms, algorithms_length);
381 
382     auto& impl_ = convert_device(dev)->impl_;
383     SupportedAlgorithmsRequest request(impl_->message_version());
384     SupportedAlgorithmsResponse response(impl_->message_version());
385     impl_->SupportedAlgorithms(request, &response);
386     if (response.error != KM_ERROR_OK) {
387         LOG_E("get_supported_algorithms failed with %d", response.error);
388 
389         return response.error;
390     }
391 
392     *algorithms_length = response.results_length;
393     *algorithms =
394         reinterpret_cast<keymaster_algorithm_t*>(malloc(*algorithms_length * sizeof(**algorithms)));
395     if (!*algorithms) return KM_ERROR_MEMORY_ALLOCATION_FAILED;
396     std::copy(response.results, response.results + response.results_length, *algorithms);
397     return KM_ERROR_OK;
398 }
399 
400 /* static */
get_supported_block_modes(const keymaster1_device_t * dev,keymaster_algorithm_t algorithm,keymaster_purpose_t purpose,keymaster_block_mode_t ** modes,size_t * modes_length)401 keymaster_error_t SoftKeymasterDevice::get_supported_block_modes(const keymaster1_device_t* dev,
402                                                                  keymaster_algorithm_t algorithm,
403                                                                  keymaster_purpose_t purpose,
404                                                                  keymaster_block_mode_t** modes,
405                                                                  size_t* modes_length) {
406     if (!dev) return KM_ERROR_UNEXPECTED_NULL_POINTER;
407 
408     if (!modes || !modes_length) return KM_ERROR_OUTPUT_PARAMETER_NULL;
409 
410     const keymaster1_device_t* km1_dev = convert_device(dev)->wrapped_km1_device_;
411     if (km1_dev)
412         return km1_dev->get_supported_block_modes(km1_dev, algorithm, purpose, modes, modes_length);
413 
414     auto& impl_ = convert_device(dev)->impl_;
415     SupportedBlockModesRequest request(impl_->message_version());
416     request.algorithm = algorithm;
417     request.purpose = purpose;
418     SupportedBlockModesResponse response(impl_->message_version());
419     impl_->SupportedBlockModes(request, &response);
420 
421     if (response.error != KM_ERROR_OK) {
422         LOG_E("get_supported_block_modes failed with %d", response.error);
423 
424         return response.error;
425     }
426 
427     *modes_length = response.results_length;
428     *modes = reinterpret_cast<keymaster_block_mode_t*>(malloc(*modes_length * sizeof(**modes)));
429     if (!*modes) return KM_ERROR_MEMORY_ALLOCATION_FAILED;
430     std::copy(response.results, response.results + response.results_length, *modes);
431     return KM_ERROR_OK;
432 }
433 
434 /* static */
get_supported_padding_modes(const keymaster1_device_t * dev,keymaster_algorithm_t algorithm,keymaster_purpose_t purpose,keymaster_padding_t ** modes,size_t * modes_length)435 keymaster_error_t SoftKeymasterDevice::get_supported_padding_modes(const keymaster1_device_t* dev,
436                                                                    keymaster_algorithm_t algorithm,
437                                                                    keymaster_purpose_t purpose,
438                                                                    keymaster_padding_t** modes,
439                                                                    size_t* modes_length) {
440     if (!dev) return KM_ERROR_UNEXPECTED_NULL_POINTER;
441 
442     if (!modes || !modes_length) return KM_ERROR_OUTPUT_PARAMETER_NULL;
443 
444     const keymaster1_device_t* km1_dev = convert_device(dev)->wrapped_km1_device_;
445     if (km1_dev)
446         return km1_dev->get_supported_padding_modes(km1_dev, algorithm, purpose, modes,
447                                                     modes_length);
448 
449     auto& impl_ = convert_device(dev)->impl_;
450     SupportedPaddingModesRequest request(impl_->message_version());
451     request.algorithm = algorithm;
452     request.purpose = purpose;
453     SupportedPaddingModesResponse response(impl_->message_version());
454     convert_device(dev)->impl_->SupportedPaddingModes(request, &response);
455 
456     if (response.error != KM_ERROR_OK) {
457         LOG_E("get_supported_padding_modes failed with %d", response.error);
458         return response.error;
459     }
460 
461     *modes_length = response.results_length;
462     *modes = reinterpret_cast<keymaster_padding_t*>(malloc(*modes_length * sizeof(**modes)));
463     if (!*modes) return KM_ERROR_MEMORY_ALLOCATION_FAILED;
464     std::copy(response.results, response.results + response.results_length, *modes);
465     return KM_ERROR_OK;
466 }
467 
468 /* static */
get_supported_digests(const keymaster1_device_t * dev,keymaster_algorithm_t algorithm,keymaster_purpose_t purpose,keymaster_digest_t ** digests,size_t * digests_length)469 keymaster_error_t SoftKeymasterDevice::get_supported_digests(const keymaster1_device_t* dev,
470                                                              keymaster_algorithm_t algorithm,
471                                                              keymaster_purpose_t purpose,
472                                                              keymaster_digest_t** digests,
473                                                              size_t* digests_length) {
474     if (!dev) return KM_ERROR_UNEXPECTED_NULL_POINTER;
475 
476     if (!digests || !digests_length) return KM_ERROR_OUTPUT_PARAMETER_NULL;
477 
478     const keymaster1_device_t* km1_dev = convert_device(dev)->wrapped_km1_device_;
479     if (km1_dev)
480         return km1_dev->get_supported_digests(km1_dev, algorithm, purpose, digests, digests_length);
481 
482     auto& impl_ = convert_device(dev)->impl_;
483     SupportedDigestsRequest request(impl_->message_version());
484     request.algorithm = algorithm;
485     request.purpose = purpose;
486     SupportedDigestsResponse response(impl_->message_version());
487     impl_->SupportedDigests(request, &response);
488 
489     if (response.error != KM_ERROR_OK) {
490         LOG_E("get_supported_digests failed with %d", response.error);
491         return response.error;
492     }
493 
494     *digests_length = response.results_length;
495     *digests = reinterpret_cast<keymaster_digest_t*>(malloc(*digests_length * sizeof(**digests)));
496     if (!*digests) return KM_ERROR_MEMORY_ALLOCATION_FAILED;
497     std::copy(response.results, response.results + response.results_length, *digests);
498     return KM_ERROR_OK;
499 }
500 
501 /* static */
get_supported_import_formats(const keymaster1_device_t * dev,keymaster_algorithm_t algorithm,keymaster_key_format_t ** formats,size_t * formats_length)502 keymaster_error_t SoftKeymasterDevice::get_supported_import_formats(
503     const keymaster1_device_t* dev, keymaster_algorithm_t algorithm,
504     keymaster_key_format_t** formats, size_t* formats_length) {
505     if (!dev) return KM_ERROR_UNEXPECTED_NULL_POINTER;
506 
507     if (!formats || !formats_length) return KM_ERROR_OUTPUT_PARAMETER_NULL;
508 
509     const keymaster1_device_t* km1_dev = convert_device(dev)->wrapped_km1_device_;
510     if (km1_dev)
511         return km1_dev->get_supported_import_formats(km1_dev, algorithm, formats, formats_length);
512 
513     auto& impl_ = convert_device(dev)->impl_;
514     SupportedImportFormatsRequest request(impl_->message_version());
515     request.algorithm = algorithm;
516     SupportedImportFormatsResponse response(impl_->message_version());
517     impl_->SupportedImportFormats(request, &response);
518 
519     if (response.error != KM_ERROR_OK) {
520         LOG_E("get_supported_import_formats failed with %d", response.error);
521         return response.error;
522     }
523 
524     *formats_length = response.results_length;
525     *formats =
526         reinterpret_cast<keymaster_key_format_t*>(malloc(*formats_length * sizeof(**formats)));
527     if (!*formats) return KM_ERROR_MEMORY_ALLOCATION_FAILED;
528     std::copy(response.results, response.results + response.results_length, *formats);
529     return KM_ERROR_OK;
530 }
531 
532 /* static */
get_supported_export_formats(const keymaster1_device_t * dev,keymaster_algorithm_t algorithm,keymaster_key_format_t ** formats,size_t * formats_length)533 keymaster_error_t SoftKeymasterDevice::get_supported_export_formats(
534     const keymaster1_device_t* dev, keymaster_algorithm_t algorithm,
535     keymaster_key_format_t** formats, size_t* formats_length) {
536     if (!dev) return KM_ERROR_UNEXPECTED_NULL_POINTER;
537 
538     if (!formats || !formats_length) return KM_ERROR_OUTPUT_PARAMETER_NULL;
539 
540     const keymaster1_device_t* km1_dev = convert_device(dev)->wrapped_km1_device_;
541     if (km1_dev)
542         return km1_dev->get_supported_export_formats(km1_dev, algorithm, formats, formats_length);
543 
544     auto& impl_ = convert_device(dev)->impl_;
545     SupportedExportFormatsRequest request(impl_->message_version());
546     request.algorithm = algorithm;
547     SupportedExportFormatsResponse response(impl_->message_version());
548     impl_->SupportedExportFormats(request, &response);
549 
550     if (response.error != KM_ERROR_OK) {
551         LOG_E("get_supported_export_formats failed with %d", response.error);
552         return response.error;
553     }
554 
555     *formats_length = response.results_length;
556     *formats =
557         reinterpret_cast<keymaster_key_format_t*>(malloc(*formats_length * sizeof(**formats)));
558     if (!*formats) return KM_ERROR_MEMORY_ALLOCATION_FAILED;
559     std::copy(response.results, response.results + *formats_length, *formats);
560     return KM_ERROR_OK;
561 }
562 
563 /* static */
configure(const keymaster2_device_t * dev,const keymaster_key_param_set_t * params)564 keymaster_error_t SoftKeymasterDevice::configure(const keymaster2_device_t* dev,
565                                                  const keymaster_key_param_set_t* params) {
566     AuthorizationSet params_copy(*params);
567     auto& impl_ = convert_device(dev)->impl_;
568     ConfigureRequest request(impl_->message_version());
569     if (!params_copy.GetTagValue(TAG_OS_VERSION, &request.os_version) ||
570         !params_copy.GetTagValue(TAG_OS_PATCHLEVEL, &request.os_patchlevel)) {
571         LOG_E("Configuration parameters must contain OS version and patch level", 0);
572         return KM_ERROR_INVALID_ARGUMENT;
573     }
574     ConfigureResponse response(impl_->message_version());
575     impl_->Configure(request, &response);
576     if (response.error == KM_ERROR_OK) convert_device(dev)->configured_ = true;
577     return response.error;
578 }
579 
580 /* static */
add_rng_entropy(const keymaster1_device_t * dev,const uint8_t * data,size_t data_length)581 keymaster_error_t SoftKeymasterDevice::add_rng_entropy(const keymaster1_device_t* dev,
582                                                        const uint8_t* data, size_t data_length) {
583     if (!dev) return KM_ERROR_UNEXPECTED_NULL_POINTER;
584 
585     const keymaster1_device_t* km1_dev = convert_device(dev)->wrapped_km1_device_;
586     if (km1_dev) return km1_dev->add_rng_entropy(km1_dev, data, data_length);
587 
588     auto& impl_ = convert_device(dev)->impl_;
589     AddEntropyRequest request(impl_->message_version());
590     request.random_data.Reinitialize(data, data_length);
591     AddEntropyResponse response(impl_->message_version());
592     impl_->AddRngEntropy(request, &response);
593     if (response.error != KM_ERROR_OK) LOG_E("add_rng_entropy failed with %d", response.error);
594     return response.error;
595 }
596 
597 /* static */
add_rng_entropy(const keymaster2_device_t * dev,const uint8_t * data,size_t data_length)598 keymaster_error_t SoftKeymasterDevice::add_rng_entropy(const keymaster2_device_t* dev,
599                                                        const uint8_t* data, size_t data_length) {
600     if (!dev) return KM_ERROR_UNEXPECTED_NULL_POINTER;
601 
602     if (!convert_device(dev)->configured()) return KM_ERROR_KEYMASTER_NOT_CONFIGURED;
603 
604     SoftKeymasterDevice* sk_dev = convert_device(dev);
605     return add_rng_entropy(&sk_dev->km1_device_, data, data_length);
606 }
607 
contains(const Collection & c,const Value & v)608 template <typename Collection, typename Value> bool contains(const Collection& c, const Value& v) {
609     return std::find(c.begin(), c.end(), v) != c.end();
610 }
611 
FindUnsupportedDigest(keymaster_algorithm_t algorithm,keymaster_purpose_t purpose,const AuthorizationSet & params,keymaster_digest_t * unsupported) const612 bool SoftKeymasterDevice::FindUnsupportedDigest(keymaster_algorithm_t algorithm,
613                                                 keymaster_purpose_t purpose,
614                                                 const AuthorizationSet& params,
615                                                 keymaster_digest_t* unsupported) const {
616     assert(wrapped_km1_device_);
617 
618     auto supported_digests = km1_device_digests_.find(std::make_pair(algorithm, purpose));
619     if (supported_digests == km1_device_digests_.end())
620         // Invalid algorith/purpose pair (e.g. EC encrypt).  Let the error be handled by HW module.
621         return false;
622 
623     for (auto& entry : params)
624         if (entry.tag == TAG_DIGEST)
625             if (!contains(supported_digests->second, entry.enumerated)) {
626                 LOG_I("Digest %d requested but not supported by module %s", entry.enumerated,
627                       wrapped_km1_device_->common.module->name);
628                 *unsupported = static_cast<keymaster_digest_t>(entry.enumerated);
629                 return true;
630             }
631     return false;
632 }
633 
RequiresSoftwareDigesting(keymaster_algorithm_t algorithm,keymaster_purpose_t purpose,const AuthorizationSet & params) const634 bool SoftKeymasterDevice::RequiresSoftwareDigesting(keymaster_algorithm_t algorithm,
635                                                     keymaster_purpose_t purpose,
636                                                     const AuthorizationSet& params) const {
637     assert(wrapped_km1_device_);
638     if (!wrapped_km1_device_) return true;
639 
640     switch (algorithm) {
641     case KM_ALGORITHM_AES:
642     case KM_ALGORITHM_TRIPLE_DES:
643         LOG_D("Not performing software digesting for algorithm %d", algorithm);
644         return false;
645     case KM_ALGORITHM_HMAC:
646     case KM_ALGORITHM_RSA:
647     case KM_ALGORITHM_EC:
648         break;
649     }
650 
651     keymaster_digest_t unsupported;
652     if (!FindUnsupportedDigest(algorithm, purpose, params, &unsupported)) {
653         LOG_D("Requested digest(s) supported for algorithm %d and purpose %d", algorithm, purpose);
654         return false;
655     }
656 
657     return true;
658 }
659 
KeyRequiresSoftwareDigesting(const AuthorizationSet & key_description) const660 bool SoftKeymasterDevice::KeyRequiresSoftwareDigesting(
661     const AuthorizationSet& key_description) const {
662     assert(wrapped_km1_device_);
663     if (!wrapped_km1_device_) return true;
664 
665     keymaster_algorithm_t algorithm;
666     if (!key_description.GetTagValue(TAG_ALGORITHM, &algorithm)) {
667         // The hardware module will return an error during keygen.
668         return false;
669     }
670 
671     for (auto& entry : key_description)
672         if (entry.tag == TAG_PURPOSE) {
673             keymaster_purpose_t purpose = static_cast<keymaster_purpose_t>(entry.enumerated);
674             if (RequiresSoftwareDigesting(algorithm, purpose, key_description)) return true;
675         }
676 
677     return false;
678 }
679 
680 /* static */
generate_key(const keymaster1_device_t * dev,const keymaster_key_param_set_t * params,keymaster_key_blob_t * key_blob,keymaster_key_characteristics_t ** characteristics)681 keymaster_error_t SoftKeymasterDevice::generate_key(
682     const keymaster1_device_t* dev, const keymaster_key_param_set_t* params,
683     keymaster_key_blob_t* key_blob, keymaster_key_characteristics_t** characteristics) {
684     if (!dev || !params) return KM_ERROR_UNEXPECTED_NULL_POINTER;
685 
686     if (!key_blob) return KM_ERROR_OUTPUT_PARAMETER_NULL;
687 
688     SoftKeymasterDevice* sk_dev = convert_device(dev);
689 
690     auto& impl_ = sk_dev->impl_;
691     GenerateKeyRequest request(impl_->message_version());
692     request.key_description.Reinitialize(*params);
693 
694     keymaster1_device_t* km1_dev = sk_dev->wrapped_km1_device_;
695     if (km1_dev && !sk_dev->KeyRequiresSoftwareDigesting(request.key_description))
696         return km1_dev->generate_key(km1_dev, params, key_blob, characteristics);
697 
698     GenerateKeyResponse response(impl_->message_version());
699     impl_->GenerateKey(request, &response);
700     if (response.error != KM_ERROR_OK) return response.error;
701 
702     key_blob->key_material_size = response.key_blob.key_material_size;
703     uint8_t* tmp = reinterpret_cast<uint8_t*>(malloc(key_blob->key_material_size));
704     if (!tmp) return KM_ERROR_MEMORY_ALLOCATION_FAILED;
705     memcpy(tmp, response.key_blob.key_material, response.key_blob.key_material_size);
706     key_blob->key_material = tmp;
707 
708     if (characteristics) {
709         // This is a keymaster1 method, and keymaster1 doesn't include version info, so remove it.
710         response.enforced.erase(response.enforced.find(TAG_OS_VERSION));
711         response.enforced.erase(response.enforced.find(TAG_OS_PATCHLEVEL));
712         response.unenforced.erase(response.unenforced.find(TAG_OS_VERSION));
713         response.unenforced.erase(response.unenforced.find(TAG_OS_PATCHLEVEL));
714 
715         *characteristics = BuildCharacteristics(response.enforced, response.unenforced);
716         if (!*characteristics) return KM_ERROR_MEMORY_ALLOCATION_FAILED;
717     }
718 
719     return KM_ERROR_OK;
720 }
721 
722 keymaster_error_t
generate_key(const keymaster2_device_t * dev,const keymaster_key_param_set_t * params,keymaster_key_blob_t * key_blob,keymaster_key_characteristics_t * characteristics)723 SoftKeymasterDevice::generate_key(const keymaster2_device_t* dev,  //
724                                   const keymaster_key_param_set_t* params,
725                                   keymaster_key_blob_t* key_blob,
726                                   keymaster_key_characteristics_t* characteristics) {
727     if (!dev) return KM_ERROR_UNEXPECTED_NULL_POINTER;
728 
729     if (!convert_device(dev)->configured()) return KM_ERROR_KEYMASTER_NOT_CONFIGURED;
730 
731     if (!key_blob) return KM_ERROR_OUTPUT_PARAMETER_NULL;
732 
733     SoftKeymasterDevice* sk_dev = convert_device(dev);
734 
735     auto& impl_ = sk_dev->impl_;
736     GenerateKeyRequest request(impl_->message_version());
737     request.key_description.Reinitialize(*params);
738 
739     keymaster1_device_t* km1_dev = sk_dev->wrapped_km1_device_;
740     if (km1_dev && !sk_dev->KeyRequiresSoftwareDigesting(request.key_description)) {
741         keymaster_ec_curve_t curve;
742         if (request.key_description.Contains(TAG_ALGORITHM, KM_ALGORITHM_EC) &&
743             request.key_description.GetTagValue(TAG_EC_CURVE, &curve)) {
744             // Keymaster1 doesn't know about EC curves. We need to translate to key size.
745             uint32_t key_size_from_curve;
746             keymaster_error_t error = EcCurveToKeySize(curve, &key_size_from_curve);
747             if (error != KM_ERROR_OK) {
748                 return error;
749             }
750 
751             uint32_t key_size_from_desc;
752             if (request.key_description.GetTagValue(TAG_KEY_SIZE, &key_size_from_desc)) {
753                 if (key_size_from_desc != key_size_from_curve) {
754                     return KM_ERROR_INVALID_ARGUMENT;
755                 }
756             } else {
757                 request.key_description.push_back(TAG_KEY_SIZE, key_size_from_curve);
758             }
759         }
760 
761         keymaster_key_characteristics_t* chars_ptr;
762         keymaster_error_t error = km1_dev->generate_key(km1_dev, &request.key_description, key_blob,
763                                                         characteristics ? &chars_ptr : nullptr);
764         if (error != KM_ERROR_OK) return error;
765 
766         if (characteristics) {
767             *characteristics = *chars_ptr;
768             free(chars_ptr);
769         }
770 
771         return KM_ERROR_OK;
772     }
773 
774     GenerateKeyResponse response(impl_->message_version());
775     impl_->GenerateKey(request, &response);
776     if (response.error != KM_ERROR_OK) return response.error;
777 
778     key_blob->key_material_size = response.key_blob.key_material_size;
779     uint8_t* tmp = reinterpret_cast<uint8_t*>(malloc(key_blob->key_material_size));
780     if (!tmp) return KM_ERROR_MEMORY_ALLOCATION_FAILED;
781     memcpy(tmp, response.key_blob.key_material, response.key_blob.key_material_size);
782     key_blob->key_material = tmp;
783 
784     if (characteristics) {
785         response.enforced.CopyToParamSet(&characteristics->hw_enforced);
786         response.unenforced.CopyToParamSet(&characteristics->sw_enforced);
787     }
788 
789     return KM_ERROR_OK;
790 }
791 
792 /* static */
get_key_characteristics(const keymaster1_device_t * dev,const keymaster_key_blob_t * key_blob,const keymaster_blob_t * client_id,const keymaster_blob_t * app_data,keymaster_key_characteristics_t ** characteristics)793 keymaster_error_t SoftKeymasterDevice::get_key_characteristics(
794     const keymaster1_device_t* dev, const keymaster_key_blob_t* key_blob,
795     const keymaster_blob_t* client_id, const keymaster_blob_t* app_data,
796     keymaster_key_characteristics_t** characteristics) {
797     if (!dev || !key_blob || !key_blob->key_material) return KM_ERROR_UNEXPECTED_NULL_POINTER;
798 
799     if (!characteristics) return KM_ERROR_OUTPUT_PARAMETER_NULL;
800 
801     const keymaster1_device_t* km1_dev = convert_device(dev)->wrapped_km1_device_;
802     if (km1_dev) {
803         keymaster_error_t error = km1_dev->get_key_characteristics(km1_dev, key_blob, client_id,
804                                                                    app_data, characteristics);
805         if (error != KM_ERROR_INVALID_KEY_BLOB) {
806             return error;
807         }
808         // If we got "invalid blob", continue to try with the software device. This might be a
809         // software key blob.
810     }
811 
812     auto& impl_ = convert_device(dev)->impl_;
813     GetKeyCharacteristicsRequest request(impl_->message_version());
814     request.SetKeyMaterial(*key_blob);
815     AddClientAndAppData(client_id, app_data, &request);
816 
817     GetKeyCharacteristicsResponse response(impl_->message_version());
818     impl_->GetKeyCharacteristics(request, &response);
819     if (response.error != KM_ERROR_OK) return response.error;
820 
821     // This is a keymaster1 method, and keymaster1 doesn't include version info, so remove it.
822     response.enforced.erase(response.enforced.find(TAG_OS_VERSION));
823     response.enforced.erase(response.enforced.find(TAG_OS_PATCHLEVEL));
824     response.unenforced.erase(response.unenforced.find(TAG_OS_VERSION));
825     response.unenforced.erase(response.unenforced.find(TAG_OS_PATCHLEVEL));
826 
827     *characteristics = BuildCharacteristics(response.enforced, response.unenforced);
828     if (!*characteristics) return KM_ERROR_MEMORY_ALLOCATION_FAILED;
829 
830     return KM_ERROR_OK;
831 }
832 
833 /* static */
get_key_characteristics(const keymaster2_device_t * dev,const keymaster_key_blob_t * key_blob,const keymaster_blob_t * client_id,const keymaster_blob_t * app_data,keymaster_key_characteristics_t * characteristics)834 keymaster_error_t SoftKeymasterDevice::get_key_characteristics(
835     const keymaster2_device_t* dev, const keymaster_key_blob_t* key_blob,
836     const keymaster_blob_t* client_id, const keymaster_blob_t* app_data,
837     keymaster_key_characteristics_t* characteristics) {
838     if (!dev) return KM_ERROR_UNEXPECTED_NULL_POINTER;
839 
840     if (!convert_device(dev)->configured()) return KM_ERROR_KEYMASTER_NOT_CONFIGURED;
841 
842     if (!characteristics) return KM_ERROR_OUTPUT_PARAMETER_NULL;
843 
844     SoftKeymasterDevice* sk_dev = convert_device(dev);
845 
846     auto& impl_ = sk_dev->impl_;
847     GetKeyCharacteristicsRequest request(impl_->message_version());
848     request.SetKeyMaterial(*key_blob);
849     AddClientAndAppData(client_id, app_data, &request);
850 
851     GetKeyCharacteristicsResponse response(impl_->message_version());
852     impl_->GetKeyCharacteristics(request, &response);
853     if (response.error != KM_ERROR_OK) return response.error;
854 
855     response.enforced.CopyToParamSet(&characteristics->hw_enforced);
856     response.unenforced.CopyToParamSet(&characteristics->sw_enforced);
857 
858     return KM_ERROR_OK;
859 }
860 
861 /* static */
import_key(const keymaster1_device_t * dev,const keymaster_key_param_set_t * params,keymaster_key_format_t key_format,const keymaster_blob_t * key_data,keymaster_key_blob_t * key_blob,keymaster_key_characteristics_t ** characteristics)862 keymaster_error_t SoftKeymasterDevice::import_key(
863     const keymaster1_device_t* dev, const keymaster_key_param_set_t* params,
864     keymaster_key_format_t key_format, const keymaster_blob_t* key_data,
865     keymaster_key_blob_t* key_blob, keymaster_key_characteristics_t** characteristics) {
866     if (!params || !key_data) return KM_ERROR_UNEXPECTED_NULL_POINTER;
867 
868     if (!key_blob) return KM_ERROR_OUTPUT_PARAMETER_NULL;
869 
870     SoftKeymasterDevice* sk_dev = convert_device(dev);
871 
872     auto& impl_ = sk_dev->impl_;
873     ImportKeyRequest request(impl_->message_version());
874     request.key_description.Reinitialize(*params);
875 
876     keymaster1_device_t* km1_dev = sk_dev->wrapped_km1_device_;
877     if (km1_dev && !sk_dev->KeyRequiresSoftwareDigesting(request.key_description))
878         return km1_dev->import_key(km1_dev, params, key_format, key_data, key_blob,
879                                    characteristics);
880 
881     if (characteristics) *characteristics = nullptr;
882 
883     request.key_format = key_format;
884     request.key_data = KeymasterKeyBlob(key_data->data, key_data->data_length);
885 
886     ImportKeyResponse response(impl_->message_version());
887     impl_->ImportKey(request, &response);
888     if (response.error != KM_ERROR_OK) return response.error;
889 
890     key_blob->key_material_size = response.key_blob.key_material_size;
891     key_blob->key_material = reinterpret_cast<uint8_t*>(malloc(key_blob->key_material_size));
892     if (!key_blob->key_material) return KM_ERROR_MEMORY_ALLOCATION_FAILED;
893     memcpy(const_cast<uint8_t*>(key_blob->key_material), response.key_blob.key_material,
894            response.key_blob.key_material_size);
895 
896     if (characteristics) {
897         *characteristics = BuildCharacteristics(response.enforced, response.unenforced);
898         if (!*characteristics) return KM_ERROR_MEMORY_ALLOCATION_FAILED;
899     }
900     return KM_ERROR_OK;
901 }
902 
903 /* static */
import_key(const keymaster2_device_t * dev,const keymaster_key_param_set_t * params,keymaster_key_format_t key_format,const keymaster_blob_t * key_data,keymaster_key_blob_t * key_blob,keymaster_key_characteristics_t * characteristics)904 keymaster_error_t SoftKeymasterDevice::import_key(
905     const keymaster2_device_t* dev, const keymaster_key_param_set_t* params,
906     keymaster_key_format_t key_format, const keymaster_blob_t* key_data,
907     keymaster_key_blob_t* key_blob, keymaster_key_characteristics_t* characteristics) {
908     if (!dev) return KM_ERROR_UNEXPECTED_NULL_POINTER;
909 
910     if (!convert_device(dev)->configured()) return KM_ERROR_KEYMASTER_NOT_CONFIGURED;
911 
912     SoftKeymasterDevice* sk_dev = convert_device(dev);
913 
914     keymaster_error_t error;
915     if (characteristics) {
916         keymaster_key_characteristics_t* characteristics_ptr;
917         error = import_key(&sk_dev->km1_device_, params, key_format, key_data, key_blob,
918                            &characteristics_ptr);
919         if (error == KM_ERROR_OK) {
920             *characteristics = *characteristics_ptr;
921             free(characteristics_ptr);
922         }
923     } else {
924         error = import_key(&sk_dev->km1_device_, params, key_format, key_data, key_blob, nullptr);
925     }
926 
927     return error;
928 }
929 
930 /* static */
export_key(const keymaster1_device_t * dev,keymaster_key_format_t export_format,const keymaster_key_blob_t * key_to_export,const keymaster_blob_t * client_id,const keymaster_blob_t * app_data,keymaster_blob_t * export_data)931 keymaster_error_t SoftKeymasterDevice::export_key(const keymaster1_device_t* dev,
932                                                   keymaster_key_format_t export_format,
933                                                   const keymaster_key_blob_t* key_to_export,
934                                                   const keymaster_blob_t* client_id,
935                                                   const keymaster_blob_t* app_data,
936                                                   keymaster_blob_t* export_data) {
937     if (!key_to_export || !key_to_export->key_material) return KM_ERROR_UNEXPECTED_NULL_POINTER;
938 
939     if (!export_data) return KM_ERROR_OUTPUT_PARAMETER_NULL;
940 
941     const keymaster1_device_t* km1_dev = convert_device(dev)->wrapped_km1_device_;
942     if (km1_dev)
943         return km1_dev->export_key(km1_dev, export_format, key_to_export, client_id, app_data,
944                                    export_data);
945 
946     export_data->data = nullptr;
947     export_data->data_length = 0;
948 
949     auto& impl_ = convert_device(dev)->impl_;
950     ExportKeyRequest request(impl_->message_version());
951     request.key_format = export_format;
952     request.SetKeyMaterial(*key_to_export);
953     AddClientAndAppData(client_id, app_data, &request);
954 
955     ExportKeyResponse response(impl_->message_version());
956     impl_->ExportKey(request, &response);
957     if (response.error != KM_ERROR_OK) return response.error;
958 
959     export_data->data_length = response.key_data_length;
960     uint8_t* tmp = reinterpret_cast<uint8_t*>(malloc(export_data->data_length));
961     if (!tmp) return KM_ERROR_MEMORY_ALLOCATION_FAILED;
962     memcpy(tmp, response.key_data, export_data->data_length);
963     export_data->data = tmp;
964     return KM_ERROR_OK;
965 }
966 
967 /* static */
export_key(const keymaster2_device_t * dev,keymaster_key_format_t export_format,const keymaster_key_blob_t * key_to_export,const keymaster_blob_t * client_id,const keymaster_blob_t * app_data,keymaster_blob_t * export_data)968 keymaster_error_t SoftKeymasterDevice::export_key(const keymaster2_device_t* dev,
969                                                   keymaster_key_format_t export_format,
970                                                   const keymaster_key_blob_t* key_to_export,
971                                                   const keymaster_blob_t* client_id,
972                                                   const keymaster_blob_t* app_data,
973                                                   keymaster_blob_t* export_data) {
974     if (!dev) return KM_ERROR_UNEXPECTED_NULL_POINTER;
975 
976     if (!convert_device(dev)->configured()) return KM_ERROR_KEYMASTER_NOT_CONFIGURED;
977 
978     SoftKeymasterDevice* sk_dev = convert_device(dev);
979     return export_key(&sk_dev->km1_device_, export_format, key_to_export, client_id, app_data,
980                       export_data);
981 }
982 
983 /* static */
attest_key(const keymaster2_device_t * dev,const keymaster_key_blob_t * key_to_attest,const keymaster_key_param_set_t * attest_params,keymaster_cert_chain_t * cert_chain)984 keymaster_error_t SoftKeymasterDevice::attest_key(const keymaster2_device_t* dev,
985                                                   const keymaster_key_blob_t* key_to_attest,
986                                                   const keymaster_key_param_set_t* attest_params,
987                                                   keymaster_cert_chain_t* cert_chain) {
988     if (!dev || !key_to_attest || !attest_params || !cert_chain)
989         return KM_ERROR_UNEXPECTED_NULL_POINTER;
990 
991     if (!convert_device(dev)->configured()) return KM_ERROR_KEYMASTER_NOT_CONFIGURED;
992 
993     *cert_chain = {};
994 
995     auto& impl_ = convert_device(dev)->impl_;
996     AttestKeyRequest request(impl_->message_version());
997     request.SetKeyMaterial(*key_to_attest);
998     request.attest_params.Reinitialize(*attest_params);
999 
1000     keymaster_blob_t attestation_challenge = {};
1001     request.attest_params.GetTagValue(TAG_ATTESTATION_CHALLENGE, &attestation_challenge);
1002     if (attestation_challenge.data_length > kMaximumAttestationChallengeLength) {
1003         LOG_E("%d-byte attestation challenge; only %d bytes allowed",
1004               attestation_challenge.data_length, kMaximumAttestationChallengeLength);
1005         return KM_ERROR_INVALID_INPUT_LENGTH;
1006     }
1007 
1008     AttestKeyResponse response(impl_->message_version());
1009     impl_->AttestKey(request, &response);
1010     if (response.error != KM_ERROR_OK) return response.error;
1011 
1012     // Allocate and clear storage for cert_chain.
1013     keymaster_cert_chain_t& rsp_chain = response.certificate_chain;
1014     cert_chain->entries = reinterpret_cast<keymaster_blob_t*>(
1015         malloc(rsp_chain.entry_count * sizeof(*cert_chain->entries)));
1016     if (!cert_chain->entries) return KM_ERROR_MEMORY_ALLOCATION_FAILED;
1017     cert_chain->entry_count = rsp_chain.entry_count;
1018     for (keymaster_blob_t& entry : array_range(cert_chain->entries, cert_chain->entry_count))
1019         entry = {};
1020 
1021     // Copy cert_chain contents
1022     size_t i = 0;
1023     for (keymaster_blob_t& entry : array_range(rsp_chain.entries, rsp_chain.entry_count)) {
1024         cert_chain->entries[i].data = reinterpret_cast<uint8_t*>(malloc(entry.data_length));
1025         if (!cert_chain->entries[i].data) {
1026             keymaster_free_cert_chain(cert_chain);
1027             return KM_ERROR_MEMORY_ALLOCATION_FAILED;
1028         }
1029         cert_chain->entries[i].data_length = entry.data_length;
1030         memcpy(const_cast<uint8_t*>(cert_chain->entries[i].data), entry.data, entry.data_length);
1031         ++i;
1032     }
1033 
1034     return KM_ERROR_OK;
1035 }
1036 
1037 /* static */
upgrade_key(const keymaster2_device_t * dev,const keymaster_key_blob_t * key_to_upgrade,const keymaster_key_param_set_t * upgrade_params,keymaster_key_blob_t * upgraded_key)1038 keymaster_error_t SoftKeymasterDevice::upgrade_key(const keymaster2_device_t* dev,
1039                                                    const keymaster_key_blob_t* key_to_upgrade,
1040                                                    const keymaster_key_param_set_t* upgrade_params,
1041                                                    keymaster_key_blob_t* upgraded_key) {
1042     if (!dev || !key_to_upgrade || !upgrade_params) return KM_ERROR_UNEXPECTED_NULL_POINTER;
1043 
1044     if (!upgraded_key) return KM_ERROR_OUTPUT_PARAMETER_NULL;
1045 
1046     if (!convert_device(dev)->configured()) return KM_ERROR_KEYMASTER_NOT_CONFIGURED;
1047 
1048     auto& impl_ = convert_device(dev)->impl_;
1049     UpgradeKeyRequest request(impl_->message_version());
1050     request.SetKeyMaterial(*key_to_upgrade);
1051     request.upgrade_params.Reinitialize(*upgrade_params);
1052 
1053     UpgradeKeyResponse response(impl_->message_version());
1054     impl_->UpgradeKey(request, &response);
1055     if (response.error != KM_ERROR_OK) return response.error;
1056 
1057     upgraded_key->key_material_size = response.upgraded_key.key_material_size;
1058     uint8_t* tmp = reinterpret_cast<uint8_t*>(malloc(upgraded_key->key_material_size));
1059     if (!tmp) return KM_ERROR_MEMORY_ALLOCATION_FAILED;
1060     memcpy(tmp, response.upgraded_key.key_material, response.upgraded_key.key_material_size);
1061     upgraded_key->key_material = tmp;
1062 
1063     return KM_ERROR_OK;
1064 }
1065 
1066 /* static */
delete_key(const keymaster1_device_t * dev,const keymaster_key_blob_t * key)1067 keymaster_error_t SoftKeymasterDevice::delete_key(const keymaster1_device_t* dev,
1068                                                   const keymaster_key_blob_t* key) {
1069     if (!dev || !key || !key->key_material) return KM_ERROR_UNEXPECTED_NULL_POINTER;
1070 
1071     KeymasterKeyBlob blob(*key);
1072     return convert_device(dev)->context_->DeleteKey(blob);
1073 }
1074 
1075 /* static */
delete_key(const keymaster2_device_t * dev,const keymaster_key_blob_t * key)1076 keymaster_error_t SoftKeymasterDevice::delete_key(const keymaster2_device_t* dev,
1077                                                   const keymaster_key_blob_t* key) {
1078     if (!dev || !key || !key->key_material) return KM_ERROR_UNEXPECTED_NULL_POINTER;
1079 
1080     if (!convert_device(dev)->configured()) return KM_ERROR_KEYMASTER_NOT_CONFIGURED;
1081 
1082     KeymasterKeyBlob blob(*key);
1083     return convert_device(dev)->context_->DeleteKey(blob);
1084 }
1085 
1086 /* static */
delete_all_keys(const keymaster1_device_t * dev)1087 keymaster_error_t SoftKeymasterDevice::delete_all_keys(const keymaster1_device_t* dev) {
1088     if (!dev) return KM_ERROR_UNEXPECTED_NULL_POINTER;
1089 
1090     return convert_device(dev)->context_->DeleteAllKeys();
1091 }
1092 
1093 /* static */
delete_all_keys(const keymaster2_device_t * dev)1094 keymaster_error_t SoftKeymasterDevice::delete_all_keys(const keymaster2_device_t* dev) {
1095     if (!dev) return KM_ERROR_UNEXPECTED_NULL_POINTER;
1096 
1097     if (!convert_device(dev)->configured()) return KM_ERROR_KEYMASTER_NOT_CONFIGURED;
1098 
1099     return convert_device(dev)->context_->DeleteAllKeys();
1100 }
1101 
1102 /* static */
begin(const keymaster1_device_t * dev,keymaster_purpose_t purpose,const keymaster_key_blob_t * key,const keymaster_key_param_set_t * in_params,keymaster_key_param_set_t * out_params,keymaster_operation_handle_t * operation_handle)1103 keymaster_error_t SoftKeymasterDevice::begin(const keymaster1_device_t* dev,
1104                                              keymaster_purpose_t purpose,
1105                                              const keymaster_key_blob_t* key,
1106                                              const keymaster_key_param_set_t* in_params,
1107                                              keymaster_key_param_set_t* out_params,
1108                                              keymaster_operation_handle_t* operation_handle) {
1109     if (!dev || !key || !key->key_material) return KM_ERROR_UNEXPECTED_NULL_POINTER;
1110 
1111     if (!operation_handle) return KM_ERROR_OUTPUT_PARAMETER_NULL;
1112 
1113     SoftKeymasterDevice* skdev = convert_device(dev);
1114     const keymaster1_device_t* km1_dev = skdev->wrapped_km1_device_;
1115 
1116     if (km1_dev) {
1117         AuthorizationSet in_params_set(*in_params);
1118 
1119         UniquePtr<Key> akmKey;  // android keymaster key
1120         skdev->context_->ParseKeyBlob(KeymasterKeyBlob(*key), in_params_set, &akmKey);
1121 
1122         keymaster_algorithm_t algorithm = KM_ALGORITHM_AES;
1123         if (!akmKey->hw_enforced().GetTagValue(TAG_ALGORITHM, &algorithm) &&
1124             !akmKey->sw_enforced().GetTagValue(TAG_ALGORITHM, &algorithm)) {
1125             return KM_ERROR_INVALID_KEY_BLOB;
1126         }
1127 
1128         if (algorithm == KM_ALGORITHM_HMAC) {
1129             // Because HMAC keys can have only one digest, in_params_set doesn't contain it.  We
1130             // need to get the digest from the key and add it to in_params_set.
1131             keymaster_digest_t digest;
1132             if (!akmKey->hw_enforced().GetTagValue(TAG_DIGEST, &digest) &&
1133                 !akmKey->sw_enforced().GetTagValue(TAG_DIGEST, &digest)) {
1134                 return KM_ERROR_INVALID_KEY_BLOB;
1135             }
1136             in_params_set.push_back(TAG_DIGEST, digest);
1137         }
1138 
1139         if (!skdev->RequiresSoftwareDigesting(algorithm, purpose, in_params_set)) {
1140             LOG_D("Operation supported by %s, passing through to keymaster1 module",
1141                   km1_dev->common.module->name);
1142             return km1_dev->begin(km1_dev, purpose, key, in_params, out_params, operation_handle);
1143         }
1144         LOG_I("Doing software digesting for keymaster1 module %s", km1_dev->common.module->name);
1145     }
1146 
1147     if (out_params) {
1148         out_params->params = nullptr;
1149         out_params->length = 0;
1150     }
1151 
1152     auto& impl_ = skdev->impl_;
1153     BeginOperationRequest request(impl_->message_version());
1154     request.purpose = purpose;
1155     request.SetKeyMaterial(*key);
1156     request.additional_params.Reinitialize(*in_params);
1157 
1158     BeginOperationResponse response(impl_->message_version());
1159     impl_->BeginOperation(request, &response);
1160     if (response.error != KM_ERROR_OK) return response.error;
1161 
1162     if (response.output_params.size() > 0) {
1163         if (out_params)
1164             response.output_params.CopyToParamSet(out_params);
1165         else
1166             return KM_ERROR_OUTPUT_PARAMETER_NULL;
1167     }
1168 
1169     *operation_handle = response.op_handle;
1170     return KM_ERROR_OK;
1171 }
1172 
1173 /* static */
begin(const keymaster2_device_t * dev,keymaster_purpose_t purpose,const keymaster_key_blob_t * key,const keymaster_key_param_set_t * in_params,keymaster_key_param_set_t * out_params,keymaster_operation_handle_t * operation_handle)1174 keymaster_error_t SoftKeymasterDevice::begin(const keymaster2_device_t* dev,
1175                                              keymaster_purpose_t purpose,
1176                                              const keymaster_key_blob_t* key,
1177                                              const keymaster_key_param_set_t* in_params,
1178                                              keymaster_key_param_set_t* out_params,
1179                                              keymaster_operation_handle_t* operation_handle) {
1180     if (!dev) return KM_ERROR_UNEXPECTED_NULL_POINTER;
1181 
1182     if (!convert_device(dev)->configured()) return KM_ERROR_KEYMASTER_NOT_CONFIGURED;
1183 
1184     SoftKeymasterDevice* sk_dev = convert_device(dev);
1185     return begin(&sk_dev->km1_device_, purpose, key, in_params, out_params, operation_handle);
1186 }
1187 
1188 /* static */
update(const keymaster1_device_t * dev,keymaster_operation_handle_t operation_handle,const keymaster_key_param_set_t * in_params,const keymaster_blob_t * input,size_t * input_consumed,keymaster_key_param_set_t * out_params,keymaster_blob_t * output)1189 keymaster_error_t SoftKeymasterDevice::update(const keymaster1_device_t* dev,
1190                                               keymaster_operation_handle_t operation_handle,
1191                                               const keymaster_key_param_set_t* in_params,
1192                                               const keymaster_blob_t* input, size_t* input_consumed,
1193                                               keymaster_key_param_set_t* out_params,
1194                                               keymaster_blob_t* output) {
1195     if (!input) return KM_ERROR_UNEXPECTED_NULL_POINTER;
1196 
1197     if (!input_consumed) return KM_ERROR_OUTPUT_PARAMETER_NULL;
1198 
1199     const keymaster1_device_t* km1_dev = convert_device(dev)->wrapped_km1_device_;
1200     if (km1_dev && !convert_device(dev)->impl_->has_operation(operation_handle)) {
1201         // This operation is being handled by km1_dev (or doesn't exist).  Pass it through to
1202         // km1_dev.  Otherwise, we'll use the software AndroidKeymaster, which may delegate to
1203         // km1_dev after doing necessary digesting.
1204         return km1_dev->update(km1_dev, operation_handle, in_params, input, input_consumed,
1205                                out_params, output);
1206     }
1207 
1208     if (out_params) {
1209         out_params->params = nullptr;
1210         out_params->length = 0;
1211     }
1212     if (output) {
1213         output->data = nullptr;
1214         output->data_length = 0;
1215     }
1216 
1217     auto& impl_ = convert_device(dev)->impl_;
1218     UpdateOperationRequest request(impl_->message_version());
1219     request.op_handle = operation_handle;
1220     if (input) request.input.Reinitialize(input->data, input->data_length);
1221     if (in_params) request.additional_params.Reinitialize(*in_params);
1222 
1223     UpdateOperationResponse response(impl_->message_version());
1224     impl_->UpdateOperation(request, &response);
1225     if (response.error != KM_ERROR_OK) return response.error;
1226 
1227     if (response.output_params.size() > 0) {
1228         if (out_params)
1229             response.output_params.CopyToParamSet(out_params);
1230         else
1231             return KM_ERROR_OUTPUT_PARAMETER_NULL;
1232     }
1233 
1234     *input_consumed = response.input_consumed;
1235     if (output) {
1236         output->data_length = response.output.available_read();
1237         uint8_t* tmp = reinterpret_cast<uint8_t*>(malloc(output->data_length));
1238         if (!tmp) return KM_ERROR_MEMORY_ALLOCATION_FAILED;
1239         memcpy(tmp, response.output.peek_read(), output->data_length);
1240         output->data = tmp;
1241     } else if (response.output.available_read() > 0) {
1242         return KM_ERROR_OUTPUT_PARAMETER_NULL;
1243     }
1244     return KM_ERROR_OK;
1245 }
1246 
1247 /* static */
update(const keymaster2_device_t * dev,keymaster_operation_handle_t operation_handle,const keymaster_key_param_set_t * in_params,const keymaster_blob_t * input,size_t * input_consumed,keymaster_key_param_set_t * out_params,keymaster_blob_t * output)1248 keymaster_error_t SoftKeymasterDevice::update(const keymaster2_device_t* dev,
1249                                               keymaster_operation_handle_t operation_handle,
1250                                               const keymaster_key_param_set_t* in_params,
1251                                               const keymaster_blob_t* input, size_t* input_consumed,
1252                                               keymaster_key_param_set_t* out_params,
1253                                               keymaster_blob_t* output) {
1254     if (!dev) return KM_ERROR_UNEXPECTED_NULL_POINTER;
1255 
1256     if (!convert_device(dev)->configured()) return KM_ERROR_KEYMASTER_NOT_CONFIGURED;
1257 
1258     SoftKeymasterDevice* sk_dev = convert_device(dev);
1259     return update(&sk_dev->km1_device_, operation_handle, in_params, input, input_consumed,
1260                   out_params, output);
1261 }
1262 
1263 /* static */
finish(const keymaster1_device_t * dev,keymaster_operation_handle_t operation_handle,const keymaster_key_param_set_t * params,const keymaster_blob_t * signature,keymaster_key_param_set_t * out_params,keymaster_blob_t * output)1264 keymaster_error_t SoftKeymasterDevice::finish(const keymaster1_device_t* dev,
1265                                               keymaster_operation_handle_t operation_handle,
1266                                               const keymaster_key_param_set_t* params,
1267                                               const keymaster_blob_t* signature,
1268                                               keymaster_key_param_set_t* out_params,
1269                                               keymaster_blob_t* output) {
1270     if (!dev) return KM_ERROR_UNEXPECTED_NULL_POINTER;
1271 
1272     const keymaster1_device_t* km1_dev = convert_device(dev)->wrapped_km1_device_;
1273     if (km1_dev && !convert_device(dev)->impl_->has_operation(operation_handle)) {
1274         // This operation is being handled by km1_dev (or doesn't exist).  Pass it through to
1275         // km1_dev.  Otherwise, we'll use the software AndroidKeymaster, which may delegate to
1276         // km1_dev after doing necessary digesting.
1277         return km1_dev->finish(km1_dev, operation_handle, params, signature, out_params, output);
1278     }
1279 
1280     if (out_params) {
1281         out_params->params = nullptr;
1282         out_params->length = 0;
1283     }
1284 
1285     if (output) {
1286         output->data = nullptr;
1287         output->data_length = 0;
1288     }
1289 
1290     auto& impl_ = convert_device(dev)->impl_;
1291     FinishOperationRequest request(impl_->message_version());
1292     request.op_handle = operation_handle;
1293     if (signature && signature->data_length > 0)
1294         request.signature.Reinitialize(signature->data, signature->data_length);
1295     request.additional_params.Reinitialize(*params);
1296 
1297     FinishOperationResponse response(impl_->message_version());
1298     impl_->FinishOperation(request, &response);
1299     if (response.error != KM_ERROR_OK) return response.error;
1300 
1301     if (response.output_params.size() > 0) {
1302         if (out_params)
1303             response.output_params.CopyToParamSet(out_params);
1304         else
1305             return KM_ERROR_OUTPUT_PARAMETER_NULL;
1306     }
1307     if (output) {
1308         output->data_length = response.output.available_read();
1309         uint8_t* tmp = reinterpret_cast<uint8_t*>(malloc(output->data_length));
1310         if (!tmp) return KM_ERROR_MEMORY_ALLOCATION_FAILED;
1311         memcpy(tmp, response.output.peek_read(), output->data_length);
1312         output->data = tmp;
1313     } else if (response.output.available_read() > 0) {
1314         return KM_ERROR_OUTPUT_PARAMETER_NULL;
1315     }
1316 
1317     return KM_ERROR_OK;
1318 }
1319 
1320 struct KeyParamSetContents_Delete {
operator ()keymaster::KeyParamSetContents_Delete1321     void operator()(keymaster_key_param_set_t* p) { keymaster_free_param_set(p); }
1322 };
1323 
1324 /* static */
finish(const keymaster2_device_t * dev,keymaster_operation_handle_t operation_handle,const keymaster_key_param_set_t * params,const keymaster_blob_t * input,const keymaster_blob_t * signature,keymaster_key_param_set_t * out_params,keymaster_blob_t * output)1325 keymaster_error_t SoftKeymasterDevice::finish(const keymaster2_device_t* dev,
1326                                               keymaster_operation_handle_t operation_handle,
1327                                               const keymaster_key_param_set_t* params,
1328                                               const keymaster_blob_t* input,
1329                                               const keymaster_blob_t* signature,
1330                                               keymaster_key_param_set_t* out_params,
1331                                               keymaster_blob_t* output) {
1332     if (!dev) return KM_ERROR_UNEXPECTED_NULL_POINTER;
1333 
1334     if (!convert_device(dev)->configured()) return KM_ERROR_KEYMASTER_NOT_CONFIGURED;
1335 
1336     if (out_params) *out_params = {};
1337 
1338     if (output) *output = {};
1339 
1340     const keymaster1_device_t* km1_dev = convert_device(dev)->wrapped_km1_device_;
1341     if (km1_dev && !convert_device(dev)->impl_->has_operation(operation_handle)) {
1342         // This operation is being handled by km1_dev (or doesn't exist).  Pass it through to
1343         // km1_dev.  Otherwise, we'll use the software AndroidKeymaster, which may delegate to
1344         // km1_dev after doing necessary digesting.
1345 
1346         std::vector<uint8_t> accumulated_output;
1347         AuthorizationSet accumulated_out_params;
1348         AuthorizationSet mutable_params(*params);
1349         if (input && input->data && input->data_length) {
1350             // Keymaster1 doesn't support input to finish().  Call update() to process input.
1351 
1352             accumulated_output.reserve(input->data_length);  // Guess at output size
1353             keymaster_blob_t mutable_input = *input;
1354 
1355             while (mutable_input.data_length > 0) {
1356                 keymaster_key_param_set_t update_out_params = {};
1357                 keymaster_blob_t update_output = {};
1358                 size_t input_consumed = 0;
1359                 keymaster_error_t error =
1360                     km1_dev->update(km1_dev, operation_handle, &mutable_params, &mutable_input,
1361                                     &input_consumed, &update_out_params, &update_output);
1362                 if (error != KM_ERROR_OK) {
1363                     return error;
1364                 }
1365 
1366                 accumulated_output.reserve(accumulated_output.size() + update_output.data_length);
1367                 std::copy(update_output.data, update_output.data + update_output.data_length,
1368                           std::back_inserter(accumulated_output));
1369                 free(const_cast<uint8_t*>(update_output.data));
1370 
1371                 accumulated_out_params.push_back(update_out_params);
1372                 keymaster_free_param_set(&update_out_params);
1373 
1374                 mutable_input.data += input_consumed;
1375                 mutable_input.data_length -= input_consumed;
1376 
1377                 // AAD should only be sent once, so remove it if present.
1378                 int aad_pos = mutable_params.find(TAG_ASSOCIATED_DATA);
1379                 if (aad_pos != -1) {
1380                     mutable_params.erase(aad_pos);
1381                 }
1382 
1383                 if (input_consumed == 0) {
1384                     // Apparently we need more input than we have to complete an operation.
1385                     km1_dev->abort(km1_dev, operation_handle);
1386                     return KM_ERROR_INVALID_INPUT_LENGTH;
1387                 }
1388             }
1389         }
1390 
1391         keymaster_key_param_set_t finish_out_params = {};
1392         keymaster_blob_t finish_output = {};
1393         keymaster_error_t error = km1_dev->finish(km1_dev, operation_handle, &mutable_params,
1394                                                   signature, &finish_out_params, &finish_output);
1395         if (error != KM_ERROR_OK) {
1396             return error;
1397         }
1398 
1399         if (!accumulated_out_params.empty()) {
1400             accumulated_out_params.push_back(finish_out_params);
1401             keymaster_free_param_set(&finish_out_params);
1402             accumulated_out_params.Deduplicate();
1403             accumulated_out_params.CopyToParamSet(&finish_out_params);
1404         }
1405         std::unique_ptr<keymaster_key_param_set_t, KeyParamSetContents_Delete>
1406             finish_out_params_deleter(&finish_out_params);
1407 
1408         if (!accumulated_output.empty()) {
1409             size_t finish_out_length = accumulated_output.size() + finish_output.data_length;
1410             uint8_t* finish_out_buf = reinterpret_cast<uint8_t*>(malloc(finish_out_length));
1411 
1412             std::copy(accumulated_output.begin(), accumulated_output.end(), finish_out_buf);
1413             std::copy(finish_output.data, finish_output.data + finish_output.data_length,
1414                       finish_out_buf + accumulated_output.size());
1415 
1416             free(const_cast<uint8_t*>(finish_output.data));
1417             finish_output.data_length = finish_out_length;
1418             finish_output.data = finish_out_buf;
1419         }
1420         std::unique_ptr<uint8_t, Malloc_Delete> finish_output_deleter(
1421             const_cast<uint8_t*>(finish_output.data));
1422 
1423         if ((!out_params && finish_out_params.length) || (!output && finish_output.data_length)) {
1424             return KM_ERROR_OUTPUT_PARAMETER_NULL;
1425         }
1426 
1427         *out_params = finish_out_params;
1428         *output = finish_output;
1429 
1430         finish_out_params_deleter.release();  // NOLINT(bugprone-unused-return-value)
1431         finish_output_deleter.release();      // NOLINT(bugprone-unused-return-value)
1432 
1433         return KM_ERROR_OK;
1434     }
1435 
1436     auto& impl_ = convert_device(dev)->impl_;
1437     FinishOperationRequest request(impl_->message_version());
1438     request.op_handle = operation_handle;
1439     if (signature && signature->data_length > 0)
1440         request.signature.Reinitialize(signature->data, signature->data_length);
1441     if (input && input->data_length > 0)
1442         request.input.Reinitialize(input->data, input->data_length);
1443     request.additional_params.Reinitialize(*params);
1444 
1445     FinishOperationResponse response(impl_->message_version());
1446     impl_->FinishOperation(request, &response);
1447     if (response.error != KM_ERROR_OK) return response.error;
1448 
1449     if (response.output_params.size() > 0) {
1450         if (out_params)
1451             response.output_params.CopyToParamSet(out_params);
1452         else
1453             return KM_ERROR_OUTPUT_PARAMETER_NULL;
1454     }
1455     if (output) {
1456         output->data_length = response.output.available_read();
1457         uint8_t* tmp = reinterpret_cast<uint8_t*>(malloc(output->data_length));
1458         if (!tmp) return KM_ERROR_MEMORY_ALLOCATION_FAILED;
1459         memcpy(tmp, response.output.peek_read(), output->data_length);
1460         output->data = tmp;
1461     } else if (response.output.available_read() > 0) {
1462         return KM_ERROR_OUTPUT_PARAMETER_NULL;
1463     }
1464 
1465     return KM_ERROR_OK;
1466 }
1467 
1468 /* static */
abort(const keymaster1_device_t * dev,keymaster_operation_handle_t operation_handle)1469 keymaster_error_t SoftKeymasterDevice::abort(const keymaster1_device_t* dev,
1470                                              keymaster_operation_handle_t operation_handle) {
1471     const keymaster1_device_t* km1_dev = convert_device(dev)->wrapped_km1_device_;
1472     if (km1_dev && !convert_device(dev)->impl_->has_operation(operation_handle)) {
1473         // This operation is being handled by km1_dev (or doesn't exist).  Pass it through to
1474         // km1_dev.  Otherwise, we'll use the software AndroidKeymaster, which may delegate to
1475         // km1_dev.
1476         return km1_dev->abort(km1_dev, operation_handle);
1477     }
1478 
1479     auto& impl_ = convert_device(dev)->impl_;
1480     AbortOperationRequest request(impl_->message_version());
1481     request.op_handle = operation_handle;
1482     AbortOperationResponse response(impl_->message_version());
1483     impl_->AbortOperation(request, &response);
1484     return response.error;
1485 }
1486 
1487 /* static */
abort(const keymaster2_device_t * dev,keymaster_operation_handle_t operation_handle)1488 keymaster_error_t SoftKeymasterDevice::abort(const keymaster2_device_t* dev,
1489                                              keymaster_operation_handle_t operation_handle) {
1490     if (!dev) return KM_ERROR_UNEXPECTED_NULL_POINTER;
1491 
1492     if (!convert_device(dev)->configured()) return KM_ERROR_KEYMASTER_NOT_CONFIGURED;
1493 
1494     SoftKeymasterDevice* sk_dev = convert_device(dev);
1495     return abort(&sk_dev->km1_device_, operation_handle);
1496 }
1497 
1498 /* static */
StoreDefaultNewKeyParams(keymaster_algorithm_t algorithm,AuthorizationSet * auth_set)1499 void SoftKeymasterDevice::StoreDefaultNewKeyParams(keymaster_algorithm_t algorithm,
1500                                                    AuthorizationSet* auth_set) {
1501     auth_set->push_back(TAG_PURPOSE, KM_PURPOSE_SIGN);
1502     auth_set->push_back(TAG_PURPOSE, KM_PURPOSE_VERIFY);
1503     auth_set->push_back(TAG_ALL_USERS);
1504     auth_set->push_back(TAG_NO_AUTH_REQUIRED);
1505 
1506     // All digests.
1507     auth_set->push_back(TAG_DIGEST, KM_DIGEST_NONE);
1508     auth_set->push_back(TAG_DIGEST, KM_DIGEST_MD5);
1509     auth_set->push_back(TAG_DIGEST, KM_DIGEST_SHA1);
1510     auth_set->push_back(TAG_DIGEST, KM_DIGEST_SHA_2_224);
1511     auth_set->push_back(TAG_DIGEST, KM_DIGEST_SHA_2_256);
1512     auth_set->push_back(TAG_DIGEST, KM_DIGEST_SHA_2_384);
1513     auth_set->push_back(TAG_DIGEST, KM_DIGEST_SHA_2_512);
1514 
1515     if (algorithm == KM_ALGORITHM_RSA) {
1516         auth_set->push_back(TAG_PURPOSE, KM_PURPOSE_ENCRYPT);
1517         auth_set->push_back(TAG_PURPOSE, KM_PURPOSE_DECRYPT);
1518         auth_set->push_back(TAG_PADDING, KM_PAD_NONE);
1519         auth_set->push_back(TAG_PADDING, KM_PAD_RSA_PKCS1_1_5_SIGN);
1520         auth_set->push_back(TAG_PADDING, KM_PAD_RSA_PKCS1_1_5_ENCRYPT);
1521         auth_set->push_back(TAG_PADDING, KM_PAD_RSA_PSS);
1522         auth_set->push_back(TAG_PADDING, KM_PAD_RSA_OAEP);
1523     }
1524 }
1525 
1526 }  // namespace keymaster
1527