1 /*
2 * Copyright 2015 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17 #include "rsa_keymaster0_key.h"
18
19 #include <memory>
20
21 #include <keymaster/android_keymaster_utils.h>
22 #include <keymaster/logger.h>
23 #include <keymaster/soft_keymaster_context.h>
24
25 #include "keymaster0_engine.h"
26 #include "openssl_utils.h"
27
28 using std::unique_ptr;
29
30 namespace keymaster {
31
RsaKeymaster0KeyFactory(const SoftKeymasterContext * context,const Keymaster0Engine * engine)32 RsaKeymaster0KeyFactory::RsaKeymaster0KeyFactory(const SoftKeymasterContext* context,
33 const Keymaster0Engine* engine)
34 : RsaKeyFactory(context), engine_(engine) {}
35
GenerateKey(const AuthorizationSet & key_description,KeymasterKeyBlob * key_blob,AuthorizationSet * hw_enforced,AuthorizationSet * sw_enforced) const36 keymaster_error_t RsaKeymaster0KeyFactory::GenerateKey(const AuthorizationSet& key_description,
37 KeymasterKeyBlob* key_blob,
38 AuthorizationSet* hw_enforced,
39 AuthorizationSet* sw_enforced) const {
40 if (!key_blob || !hw_enforced || !sw_enforced)
41 return KM_ERROR_OUTPUT_PARAMETER_NULL;
42
43 uint64_t public_exponent;
44 if (!key_description.GetTagValue(TAG_RSA_PUBLIC_EXPONENT, &public_exponent)) {
45 LOG_E("%s", "No public exponent specified for RSA key generation");
46 return KM_ERROR_INVALID_ARGUMENT;
47 }
48
49 uint32_t key_size;
50 if (!key_description.GetTagValue(TAG_KEY_SIZE, &key_size)) {
51 LOG_E("%s", "No key size specified for RSA key generation");
52 return KM_ERROR_UNSUPPORTED_KEY_SIZE;
53 }
54
55 KeymasterKeyBlob key_material;
56 if (!engine_->GenerateRsaKey(public_exponent, key_size, &key_material))
57 return KM_ERROR_UNKNOWN_ERROR;
58
59 // These tags are hardware-enforced. Putting them in the hw_enforced set here will ensure that
60 // context_->CreateKeyBlob doesn't put them in sw_enforced.
61 hw_enforced->push_back(TAG_ALGORITHM, KM_ALGORITHM_RSA);
62 hw_enforced->push_back(TAG_RSA_PUBLIC_EXPONENT, public_exponent);
63 hw_enforced->push_back(TAG_KEY_SIZE, key_size);
64 hw_enforced->push_back(TAG_ORIGIN, KM_ORIGIN_UNKNOWN);
65
66 return context_->CreateKeyBlob(key_description, KM_ORIGIN_UNKNOWN, key_material, key_blob,
67 hw_enforced, sw_enforced);
68 }
69
ImportKey(const AuthorizationSet & key_description,keymaster_key_format_t input_key_material_format,const KeymasterKeyBlob & input_key_material,KeymasterKeyBlob * output_key_blob,AuthorizationSet * hw_enforced,AuthorizationSet * sw_enforced) const70 keymaster_error_t RsaKeymaster0KeyFactory::ImportKey(
71 const AuthorizationSet& key_description, keymaster_key_format_t input_key_material_format,
72 const KeymasterKeyBlob& input_key_material, KeymasterKeyBlob* output_key_blob,
73 AuthorizationSet* hw_enforced, AuthorizationSet* sw_enforced) const {
74 if (!output_key_blob || !hw_enforced || !sw_enforced)
75 return KM_ERROR_OUTPUT_PARAMETER_NULL;
76
77 AuthorizationSet authorizations;
78 uint64_t public_exponent;
79 uint32_t key_size;
80 keymaster_error_t error =
81 UpdateImportKeyDescription(key_description, input_key_material_format, input_key_material,
82 &authorizations, &public_exponent, &key_size);
83 if (error != KM_ERROR_OK)
84 return error;
85
86 KeymasterKeyBlob imported_hw_key;
87 if (!engine_->ImportKey(input_key_material_format, input_key_material, &imported_hw_key))
88 return KM_ERROR_UNKNOWN_ERROR;
89
90 // These tags are hardware-enforced. Putting them in the hw_enforced set here will ensure that
91 // context_->CreateKeyBlob doesn't put them in sw_enforced.
92 hw_enforced->push_back(TAG_ALGORITHM, KM_ALGORITHM_RSA);
93 hw_enforced->push_back(TAG_RSA_PUBLIC_EXPONENT, public_exponent);
94 hw_enforced->push_back(TAG_KEY_SIZE, key_size);
95 hw_enforced->push_back(TAG_ORIGIN, KM_ORIGIN_UNKNOWN);
96
97 return context_->CreateKeyBlob(authorizations, KM_ORIGIN_UNKNOWN, imported_hw_key,
98 output_key_blob, hw_enforced, sw_enforced);
99 }
100
LoadKey(const KeymasterKeyBlob & key_material,const AuthorizationSet & additional_params,const AuthorizationSet & hw_enforced,const AuthorizationSet & sw_enforced,UniquePtr<Key> * key) const101 keymaster_error_t RsaKeymaster0KeyFactory::LoadKey(const KeymasterKeyBlob& key_material,
102 const AuthorizationSet& additional_params,
103 const AuthorizationSet& hw_enforced,
104 const AuthorizationSet& sw_enforced,
105 UniquePtr<Key>* key) const {
106 if (!key)
107 return KM_ERROR_OUTPUT_PARAMETER_NULL;
108
109 if (sw_enforced.GetTagCount(TAG_ALGORITHM) == 1)
110 return super::LoadKey(key_material, additional_params, hw_enforced, sw_enforced, key);
111
112 unique_ptr<RSA, RSA_Delete> rsa(engine_->BlobToRsaKey(key_material));
113 if (!rsa)
114 return KM_ERROR_UNKNOWN_ERROR;
115
116 keymaster_error_t error;
117 key->reset(new (std::nothrow)
118 RsaKeymaster0Key(rsa.release(), hw_enforced, sw_enforced, &error));
119 if (!key->get())
120 error = KM_ERROR_MEMORY_ALLOCATION_FAILED;
121
122 if (error != KM_ERROR_OK)
123 return error;
124
125 return KM_ERROR_OK;
126 }
127
128 } // namespace keymaster
129