1 /*
2  * Copyright 2015 The Android Open Source Project
3  *
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at
7  *
8  *      http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */
16 
17 #pragma once
18 
19 #include <memory>
20 
21 #include <openssl/ec.h>
22 #include <openssl/engine.h>
23 #include <openssl/ex_data.h>
24 #include <openssl/rsa.h>
25 
26 #include <hardware/keymaster1.h>
27 #include <hardware/keymaster_defs.h>
28 
29 #include <keymaster/android_keymaster_utils.h>
30 #include <keymaster/authorization_set.h>
31 #include <keymaster/km_openssl/openssl_utils.h>
32 
33 namespace keymaster {
34 
35 class Keymaster1Engine {
36   public:
37     /**
38      * Create a Keymaster1Engine, wrapping the provided keymaster1_device.  The engine takes
39      * ownership of the device, and will close it during destruction.
40      */
41     explicit Keymaster1Engine(const keymaster1_device_t* keymaster1_device);
42     ~Keymaster1Engine();
43 
44     keymaster_error_t GenerateKey(const AuthorizationSet& key_description,
45                                   KeymasterKeyBlob* key_material, AuthorizationSet* hw_enforced,
46                                   AuthorizationSet* sw_enforced) const;
47 
48     keymaster_error_t ImportKey(const AuthorizationSet& key_description,
49                                 keymaster_key_format_t input_key_material_format,
50                                 const KeymasterKeyBlob& input_key_material,
51                                 KeymasterKeyBlob* output_key_blob, AuthorizationSet* hw_enforced,
52                                 AuthorizationSet* sw_enforced) const;
53     keymaster_error_t DeleteKey(const KeymasterKeyBlob& blob) const;
54     keymaster_error_t DeleteAllKeys() const;
55 
56     struct KeyData {
KeyDataKeyData57         KeyData(const KeymasterKeyBlob& blob, const AuthorizationSet& params)
58             : op_handle(0), begin_params(params), key_material(blob), error(KM_ERROR_OK),
59               expected_openssl_padding(-1) {}
60 
61         keymaster_operation_handle_t op_handle;
62         AuthorizationSet begin_params;
63         AuthorizationSet finish_params;
64         KeymasterKeyBlob key_material;
65         keymaster_error_t error;
66         int expected_openssl_padding;
67     };
68 
69     RSA* BuildRsaKey(const KeymasterKeyBlob& blob, const AuthorizationSet& additional_params,
70                      keymaster_error_t* error) const;
71     EC_KEY* BuildEcKey(const KeymasterKeyBlob& blob, const AuthorizationSet& additional_params,
72                        keymaster_error_t* error) const;
73 
74     KeyData* GetData(EVP_PKEY* key) const;
75     KeyData* GetData(const RSA* rsa) const;
76     KeyData* GetData(const EC_KEY* rsa) const;
77 
device()78     const keymaster1_device_t* device() const { return keymaster1_device_; }
79 
80     EVP_PKEY* GetKeymaster1PublicKey(const KeymasterKeyBlob& blob,
81                                      const AuthorizationSet& additional_params,
82                                      keymaster_error_t* error) const;
83 
84   private:
85     Keymaster1Engine(const Keymaster1Engine&);  // Uncopyable
86     void operator=(const Keymaster1Engine&);    // Unassignable
87 
88     RSA_METHOD BuildRsaMethod();
89     ECDSA_METHOD BuildEcdsaMethod();
90     void ConfigureEngineForRsa();
91     void ConfigureEngineForEcdsa();
92 
93     keymaster_error_t Keymaster1Finish(const KeyData* key_data, const keymaster_blob_t& input,
94                                        keymaster_blob_t* output);
95 
96     static int duplicate_key_data(CRYPTO_EX_DATA* to, const CRYPTO_EX_DATA* from, void** from_d,
97                                   // NOLINTNEXTLINE(google-runtime-int)
98                                   int index, long argl, void* argp);
99     // NOLINTNEXTLINE(google-runtime-int)
100     static void free_key_data(void* parent, void* ptr, CRYPTO_EX_DATA* data, int index, long argl,
101                               void* argp);
102 
103     static int rsa_sign_raw(RSA* rsa, size_t* out_len, uint8_t* out, size_t max_out,
104                             const uint8_t* in, size_t in_len, int padding);
105     static int rsa_decrypt(RSA* rsa, size_t* out_len, uint8_t* out, size_t max_out,
106                            const uint8_t* in, size_t in_len, int padding);
107     static int ecdsa_sign(const uint8_t* digest, size_t digest_len, uint8_t* sig,
108                           unsigned int* sig_len, EC_KEY* ec_key);
109 
110     const keymaster1_device_t* const keymaster1_device_;
111     const std::unique_ptr<ENGINE, ENGINE_Delete> engine_;
112     const int rsa_index_;
113     const int ec_key_index_;
114 
115     const RSA_METHOD rsa_method_;
116     const ECDSA_METHOD ecdsa_method_;
117 
118     static Keymaster1Engine* instance_;
119 };
120 
121 }  // namespace keymaster
122