1 /*
2  * Copyright 2015 The Android Open Source Project
3  *
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at
7  *
8  *      http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */
16 
17 #pragma once
18 
19 #include <memory>
20 #include <string>
21 
22 #include <openssl/evp.h>
23 
24 #include <hardware/keymaster1.h>
25 
26 #include <keymaster/attestation_context.h>
27 #include <keymaster/contexts/soft_attestation_context.h>
28 #include <keymaster/keymaster_context.h>
29 #include <keymaster/km_openssl/software_random_source.h>
30 #include <keymaster/random_source.h>
31 #include <keymaster/soft_key_factory.h>
32 
33 namespace keymaster {
34 
35 class SoftKeymasterKeyRegistrations;
36 class Keymaster1Engine;
37 class Key;
38 
/**
 * Context for a software ("non-secure") AndroidKeymaster implementation.
 *
 * The context can sit on top of a Keymaster0 implementation, or on top of a Keymaster1
 * implementation that is incomplete, meaning it does not support all of the required digests.
 *
 * Points worth knowing before relying on this class:
 *  - enforcement_policy() returns nullptr. This context performs no enforcement of its own and
 *    leaves it to Keystore, so every caller has to cope with a null policy.
 *  - SetHardwareDevice() takes ownership of the device handed to it; the caller must not close
 *    that device again.
 *  - The root of trust defaults to the string "SW".
 *
 * SoftwareKeyBlobMaker and SoftwareRandomSource are inherited privately (spelled out below; it is
 * also what `class` gives by default), so they are implementation details rather than part of the
 * public interface.
 */
class SoftKeymasterContext : public KeymasterContext,
                             private SoftwareKeyBlobMaker,
                             private SoftwareRandomSource,
                             public SoftAttestationContext {
  public:
    /**
     * @param version        Keymaster version this context reports.
     * @param root_of_trust  Root-of-trust value; "SW" unless the caller supplies another one.
     */
    explicit SoftKeymasterContext(KmVersion version, const std::string& root_of_trust = "SW");
    ~SoftKeymasterContext() override;

    /** Reports the version held by the AttestationContext base. */
    KmVersion GetKmVersion() const override {
        return AttestationContext::GetKmVersion();
    }

    /**
     * Route undigested RSA and EC operations to the given HW keymaster1 device, once digesting
     * has been performed in software.
     *
     * Ownership of @p keymaster1_device moves to this object, which will call
     * keymaster1_device->common.close(). Closing the device a second time from the caller's side
     * would be a double close.
     */
    keymaster_error_t SetHardwareDevice(keymaster1_device_t* keymaster1_device);

    // ---------------------------------------------------------------------------------------
    // KeymasterContext interface. All of these are defined out of line.
    // NOTE(review): several of them write through raw pointer out-parameters; whether a null
    // pointer is tolerated is decided in the definitions, which this header does not show.
    // ---------------------------------------------------------------------------------------
    keymaster_error_t SetSystemVersion(uint32_t os_version, uint32_t os_patchlevel) override;
    void GetSystemVersion(uint32_t* os_version, uint32_t* os_patchlevel) const override;

    KeyFactory* GetKeyFactory(keymaster_algorithm_t algorithm) const override;
    OperationFactory* GetOperationFactory(keymaster_algorithm_t algorithm,
                                          keymaster_purpose_t purpose) const override;
    keymaster_algorithm_t* GetSupportedAlgorithms(size_t* algorithms_count) const override;

    keymaster_error_t UpgradeKeyBlob(const KeymasterKeyBlob& key_to_upgrade,
                                     const AuthorizationSet& upgrade_params,
                                     KeymasterKeyBlob* upgraded_key) const override;
    keymaster_error_t ParseKeyBlob(const KeymasterKeyBlob& blob,
                                   const AuthorizationSet& additional_params,
                                   UniquePtr<Key>* key) const override;

    keymaster_error_t DeleteKey(const KeymasterKeyBlob& blob) const override;
    keymaster_error_t DeleteAllKeys() const override;

    // The caller supplies both the buffer and its length.
    keymaster_error_t AddRngEntropy(const uint8_t* buf, size_t length) const override;

    // attest_key is passed by value, so the callee receives ownership of it.
    CertificateChain GenerateAttestation(const Key& key,
                                         const AuthorizationSet& attest_params,
                                         UniquePtr<Key> attest_key,
                                         const KeymasterBlob& issuer_subject,
                                         keymaster_error_t* error) const override;

    // NOTE(review): what fake_signature changes in the produced certificate is defined in the
    // implementation, not here -- confirm before trusting such a certificate's signature.
    CertificateChain GenerateSelfSignedCertificate(const Key& key,
                                                   const AuthorizationSet& cert_params,
                                                   bool fake_signature,
                                                   keymaster_error_t* error) const override;

    keymaster_error_t UnwrapKey(const KeymasterKeyBlob& wrapped_key_blob,
                                const KeymasterKeyBlob& wrapping_key_blob,
                                const AuthorizationSet& wrapping_key_params,
                                const KeymasterKeyBlob& masking_key,
                                AuthorizationSet* wrapped_key_params,
                                keymaster_key_format_t* wrapped_key_format,
                                KeymasterKeyBlob* wrapped_key_material) const override;

    /**
     * Always yields nullptr: SoftKeymaster does no enforcement, it is all done by Keystore.
     * Callers must null-check the result before dereferencing it.
     */
    KeymasterEnforcement* enforcement_policy() override {
        return nullptr;
    }

    // ---------------------------------------------------------------------------------------
    // SoftwareKeyBlobMaker interface.
    // ---------------------------------------------------------------------------------------
    keymaster_error_t CreateKeyBlob(const AuthorizationSet& auths,
                                    keymaster_key_origin_t origin,
                                    const KeymasterKeyBlob& key_material,
                                    KeymasterKeyBlob* blob,
                                    AuthorizationSet* hw_enforced,
                                    AuthorizationSet* sw_enforced) const override;

  private:
    // Helper for blobs belonging to the keymaster1 hardware device; results are returned through
    // key_material, hw_enforced and sw_enforced. Defined out of line.
    keymaster_error_t ParseKeymaster1HwBlob(const KeymasterKeyBlob& blob,
                                            const AuthorizationSet& additional_params,
                                            KeymasterKeyBlob* key_material,
                                            AuthorizationSet* hw_enforced,
                                            AuthorizationSet* sw_enforced) const;

    // Owned helpers, released automatically through unique_ptr.
    std::unique_ptr<Keymaster1Engine> km1_engine_;
    std::unique_ptr<KeyFactory> rsa_factory_;
    std::unique_ptr<KeyFactory> ec_factory_;
    std::unique_ptr<KeyFactory> aes_factory_;
    std::unique_ptr<KeyFactory> tdes_factory_;
    std::unique_ptr<KeyFactory> hmac_factory_;

    // Raw pointer to the keymaster1 device. It has no in-class initializer, so it relies on the
    // constructor to set it. NOTE(review): SetHardwareDevice() documents that ownership is taken;
    // where the device is actually closed is not visible in this header -- confirm in the .cpp.
    keymaster1_device* km1_dev_;

    // Immutable after construction. Presumably built from the constructor's root_of_trust
    // argument -- verify against the definition.
    const KeymasterBlob root_of_trust_;

    // Values exchanged through SetSystemVersion()/GetSystemVersion() (by name; confirm). Like
    // km1_dev_, these have no in-class initializer.
    uint32_t os_version_;
    uint32_t os_patchlevel_;
};
128 
129 }  // namespace keymaster
130