1 /*
2  * Copyright 2020, The Android Open Source Project
3  *
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at
7  *
8  *     http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */
16 
17 #pragma once
18 
19 #include <openssl/x509v3.h>
20 
21 #include <hardware/keymaster_defs.h>
22 
23 #include <keymaster/km_openssl/openssl_utils.h>
24 #include <keymaster/km_version.h>
25 
26 namespace keymaster {
27 
28 class AsymmetricKey;
29 class AuthorizationSet;
30 
// Produces an X509_NAME from the C string `name` and hands it back through `name_out`; the
// keymaster_error_t return value reports success or failure.
// NOTE(review): no length is passed, so `name` is presumably expected to be NUL-terminated, and
// the name attribute the string is stored under is not visible in this header. Confirm both
// against the implementation.
31 keymaster_error_t make_name_from_str(const char name[], X509_NAME_Ptr* name_out);
32 
// Produces an X509_NAME from the blob `name` and hands it back through `name_out`.
// NOTE(review): going by the function name the blob holds a DER-encoded name. This header does
// not show how malformed, truncated or trailing data is handled, so confirm the implementation
// rejects it wherever the blob can carry caller-controlled bytes.
33 keymaster_error_t make_name_from_der(const keymaster_blob_t& name, X509_NAME_Ptr* name_out);
34 
// Reads the common name out of `name` into the character buffer returned through `name_out`.
// NOTE(review): the result type carries no length, so a common name containing an embedded NUL
// byte would look truncated to any consumer that treats the buffer as a C string. Confirm how
// the implementation handles that, and what is returned when `name` has no common name entry.
35 keymaster_error_t get_common_name(X509_NAME* name, UniquePtr<const char[]>* name_out);
36 
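37 // CertificateCallerParams encapsulates a set of certificate parameters that may be provided by
38 // the caller, or may be defaulted.
//
// The two timestamps are zero-initialized so that an instance which is declared without an
// initializer and never populated carries a fixed value instead of an indeterminate one.
// NOTE(review): how a zero timestamp is treated by the certificate builders is not visible in
// this header; confirm that an unpopulated struct cannot yield a certificate that looks valid.
39 struct CertificateCallerParams {
40     BIGNUM_Ptr serial;
41     X509_NAME_Ptr subject_name;
42     int64_t active_date_time = 0;  // Time since epoch in ms
43     int64_t expire_date_time = 0;  // Time since epoch in ms
44     bool is_signing_key = false;
45     bool is_encryption_key = false;
46     bool is_agreement_key = false;
47 };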
48 
// Fills `cert_params` from the caller-supplied authorization set `caller_params`, with the
// Keymaster version passed in as `kmVersion`.
// NOTE(review): which tags are read, which fields are defaulted and how `kmVersion` changes that
// are not visible in this header. Check the returned status before using `cert_params`.
49 keymaster_error_t get_certificate_params(const AuthorizationSet& caller_params,
50                                          CertificateCallerParams* cert_params, KmVersion kmVersion);
51 
// Builds an X.509 extension describing the key's usage from the three purpose flags and returns
// it through `usage_extension_out`.
// NOTE(review): the mapping from each flag to individual key usage bits, and the result when all
// three flags are false, are not shown here. The third flag is spelled `is_key_agreement_key` in
// this declaration but `is_agreement_key` in CertificateCallerParams.
52 keymaster_error_t make_key_usage_extension(bool is_signing_key, bool is_encryption_key,
53                                            bool is_key_agreement_key,
54                                            X509_EXTENSION_Ptr* usage_extension_out);
55 
56 // Creates a rump certificate structure with serial, subject and issuer names, as well as activation
57 // and expiry date.  Callers should pass an empty X509_Ptr and check the return value for
58 // KM_ERROR_OK (0) before accessing the result.
// NOTE(review): `serial` is a separate 32-bit argument although `cert_params` also carries a
// `serial` field; which of the two ends up in the certificate is not visible in this header.
59 keymaster_error_t make_cert_rump(const uint32_t serial, const X509_NAME* issuer,
60                                  const CertificateCallerParams& cert_params, X509_Ptr* cert_out);
61 
// Builds a certificate for the key `evp_pkey` using the given issuer name and caller parameters,
// and returns it through `cert_out`.
// NOTE(review): signing is declared separately (sign_cert), so the result is presumably unsigned.
// Confirm that before treating `cert_out` as a finished certificate.
62 keymaster_error_t make_cert(const EVP_PKEY* evp_pkey, const X509_NAME* issuer,
63                             const CertificateCallerParams& cert_params, X509_Ptr* cert_out);
64 
65 // Sign the certificate with the provided signing key.
// `certificate` is taken by non-const pointer and the keymaster_error_t return value reports the
// outcome.
// NOTE(review): the digest and signature algorithm cannot be selected through this interface;
// confirm what the implementation picks for each key type.
66 keymaster_error_t sign_cert(X509* certificate, const EVP_PKEY* signing_key);
67 
68 // Generate a certificate for the provided asymmetric key, with params.  The certificate will be
69 // self-signed unless `fake_signature` is set, in which case a fake signature will be placed in the
70 // certificate.  Specifically, the signature algorithm will be set to RSA PKCS#1 v1.5 with digest
71 // SHA-256, but the signature field will contain a single zero byte.
//
// A certificate produced with `fake_signature` set will not pass signature verification, so it
// must not be relied on as proof that its creator controls the private key.
// The status is reported through the `error` out-parameter rather than the return value.
// NOTE(review): what the returned chain holds on failure is not visible in this header; check
// `*error` before using the result.
72 CertificateChain generate_self_signed_cert(const AsymmetricKey& key, const AuthorizationSet& params,
73                                            bool fake_signature, keymaster_error_t* error);
74 
// Serializes `certificate` into the blob `derCert`.
// NOTE(review): going by the parameter name the output is DER. Who owns and frees the blob's
// buffer, and whether a buffer already held by `derCert` is released first, is not visible in
// this header.
75 keymaster_error_t encode_certificate(X509* certificate, keymaster_blob_t* derCert);
76 
77 }  // namespace keymaster
78