1 /*
2 **
3 ** Copyright 2018, The Android Open Source Project
4 **
5 ** Licensed under the Apache License, Version 2.0 (the "License");
6 ** you may not use this file except in compliance with the License.
7 ** You may obtain a copy of the License at
8 **
9 **     http://www.apache.org/licenses/LICENSE-2.0
10 **
11 ** Unless required by applicable law or agreed to in writing, software
12 ** distributed under the License is distributed on an "AS IS" BASIS,
13 ** WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 ** See the License for the specific language governing permissions and
15 ** limitations under the License.
16 */
17 
18 #ifndef INCLUDE_KEYMASTER_OPENSSL_KEYMASTER_ENFORCEMENT_H_
19 #define INCLUDE_KEYMASTER_OPENSSL_KEYMASTER_ENFORCEMENT_H_
20 
21 #include <keymaster/android_keymaster_messages.h>
22 #include <keymaster/keymaster_enforcement.h>
23 
24 /*
25  * Controls size of KAK used for Strongbox agreement.
26  * This size must match the size of the com.android.trusty.keymint.kak keyslot
27  * Defaults to 32 to allow devices which do not have a Strongbox to use the
28  * keyslot in our sample code without configuration.
29  */
30 #ifndef TRUSTY_KM_KAK_SIZE
31 #define TRUSTY_KM_KAK_SIZE 32
32 #endif
33 
34 namespace keymaster {
35 
36 class OpenSSLKeymasterEnforcement : public KeymasterEnforcement {
37 public:
OpenSSLKeymasterEnforcement(uint32_t max_access_time_map_size,uint32_t max_access_count_map_size)38     OpenSSLKeymasterEnforcement(uint32_t max_access_time_map_size,
39                                 uint32_t max_access_count_map_size)
40             : KeymasterEnforcement(max_access_time_map_size,
41                                    max_access_count_map_size) {}
~OpenSSLKeymasterEnforcement()42     virtual ~OpenSSLKeymasterEnforcement() {}
43 
44     bool CreateKeyId(const keymaster_key_blob_t& key_blob,
45                      km_id_t* keyid) const override;
46     keymaster_error_t GetHmacSharingParameters(
47             HmacSharingParameters* params) override;
48     keymaster_error_t ComputeSharedHmac(
49             const HmacSharingParametersArray& params_array,
50             KeymasterBlob* sharingCheck) override;
51     VerifyAuthorizationResponse VerifyAuthorization(
52             const VerifyAuthorizationRequest& request) override;
53     KmErrorOr<std::array<uint8_t, 32>> ComputeHmac(
54             const std::vector<uint8_t>& data_to_mac) const override;
55     keymaster_error_t GetHmacKey(keymaster_key_blob_t* key) const;
56     keymaster_error_t GetUniqueIdKey(KeymasterKeyBlob* key) const;
57 
58 private:
59     static const size_t kKeyAgreementKeySize = TRUSTY_KM_KAK_SIZE;
60     keymaster_error_t GetKeyAgreementKey(KeymasterKeyBlob* kak) const;
61     bool have_saved_params_ = false;
62     HmacSharingParameters saved_params_;
63     KeymasterKeyBlob hmac_key_;
64 };
65 
66 }  // namespace keymaster
67 
68 #endif  // INCLUDE_KEYMASTER_OPENSSL_KEYMASTER_ENFORCEMENT_H_
69