1 /*
2 * Copyright 2015 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17 #include <keymaster/soft_keymaster_device.h>
18
19 #include <assert.h>
20 #include <stddef.h>
21 #include <stdio.h>
22 #include <stdlib.h>
23 #include <string.h>
24 #include <time.h>
25
26 #include <algorithm>
27 #include <vector>
28
29 #include <type_traits>
30
31 #include <openssl/x509.h>
32
33 #include <hardware/keymaster1.h>
34 #define LOG_TAG "SoftKeymasterDevice"
35 #include <cutils/log.h>
36
37 #include <keymaster/android_keymaster.h>
38 #include <keymaster/android_keymaster_messages.h>
39 #include <keymaster/android_keymaster_utils.h>
40 #include <keymaster/authorization_set.h>
41 #include <keymaster/km_openssl/openssl_utils.h>
42 #include <keymaster/contexts/soft_keymaster_context.h>
43 #include <keymaster/soft_keymaster_logger.h>
44 #include <keymaster/key.h>
45
46
47 struct keystore_module soft_keymaster1_device_module = {
48 .common =
49 {
50 .tag = HARDWARE_MODULE_TAG,
51 .module_api_version = KEYMASTER_MODULE_API_VERSION_1_0,
52 .hal_api_version = HARDWARE_HAL_API_VERSION,
53 .id = KEYSTORE_HARDWARE_MODULE_ID,
54 .name = "OpenSSL-based SoftKeymaster HAL",
55 .author = "The Android Open Source Project",
56 .methods = nullptr,
57 .dso = 0,
58 .reserved = {},
59 },
60 };
61
62 struct keystore_module soft_keymaster2_device_module = {
63 .common =
64 {
65 .tag = HARDWARE_MODULE_TAG,
66 .module_api_version = KEYMASTER_MODULE_API_VERSION_2_0,
67 .hal_api_version = HARDWARE_HAL_API_VERSION,
68 .id = KEYSTORE_HARDWARE_MODULE_ID,
69 .name = "OpenSSL-based SoftKeymaster HAL",
70 .author = "The Android Open Source Project",
71 .methods = nullptr,
72 .dso = 0,
73 .reserved = {},
74 },
75 };
76
77 namespace keymaster {
78
79 const size_t kMaximumAttestationChallengeLength = 128;
80 const size_t kOperationTableSize = 16;
81
make_vector(const T * array,size_t len)82 template <typename T> std::vector<T> make_vector(const T* array, size_t len) {
83 return std::vector<T>(array, array + len);
84 }
85
86 // This helper class implements just enough of the C++ standard collection interface to be able to
87 // accept push_back calls, and it does nothing but count them. It's useful when you want to count
88 // insertions but not actually store anything. It's used in digest_set_is_full below to count the
89 // size of a set intersection.
90 struct PushbackCounter {
91 struct value_type {
value_typekeymaster::PushbackCounter::value_type92 template <typename T> value_type(const T&) {}
93 };
push_backkeymaster::PushbackCounter94 void push_back(const value_type&) { ++count; }
95 size_t count = 0;
96 };
97
98 static std::vector<keymaster_digest_t> full_digest_list = {
99 KM_DIGEST_MD5, KM_DIGEST_SHA1, KM_DIGEST_SHA_2_224,
100 KM_DIGEST_SHA_2_256, KM_DIGEST_SHA_2_384, KM_DIGEST_SHA_2_512};
101
digest_set_is_full(Iter begin,Iter end)102 template <typename Iter> static bool digest_set_is_full(Iter begin, Iter end) {
103 PushbackCounter counter;
104 std::set_intersection(begin, end, full_digest_list.begin(), full_digest_list.end(),
105 std::back_inserter(counter));
106 return counter.count == full_digest_list.size();
107 }
108
add_digests(keymaster1_device_t * dev,keymaster_algorithm_t algorithm,keymaster_purpose_t purpose,SoftKeymasterDevice::DigestMap * map,bool * supports_all)109 static keymaster_error_t add_digests(keymaster1_device_t* dev, keymaster_algorithm_t algorithm,
110 keymaster_purpose_t purpose,
111 SoftKeymasterDevice::DigestMap* map, bool* supports_all) {
112 auto key = std::make_pair(algorithm, purpose);
113
114 keymaster_digest_t* digests;
115 size_t digests_length;
116 keymaster_error_t error =
117 dev->get_supported_digests(dev, algorithm, purpose, &digests, &digests_length);
118 if (error != KM_ERROR_OK) {
119 LOG_E("Error %d getting supported digests from keymaster1 device", error);
120 return error;
121 }
122 std::unique_ptr<keymaster_digest_t, Malloc_Delete> digests_deleter(digests);
123
124 auto digest_vec = make_vector(digests, digests_length);
125 *supports_all = digest_set_is_full(digest_vec.begin(), digest_vec.end());
126 (*map)[key] = std::move(digest_vec);
127 return error;
128 }
129
map_digests(keymaster1_device_t * dev,SoftKeymasterDevice::DigestMap * map,bool * supports_all)130 static keymaster_error_t map_digests(keymaster1_device_t* dev, SoftKeymasterDevice::DigestMap* map,
131 bool* supports_all) {
132 map->clear();
133 *supports_all = true;
134
135 keymaster_algorithm_t sig_algorithms[] = {KM_ALGORITHM_RSA, KM_ALGORITHM_EC, KM_ALGORITHM_HMAC};
136 keymaster_purpose_t sig_purposes[] = {KM_PURPOSE_SIGN, KM_PURPOSE_VERIFY};
137 for (auto algorithm : sig_algorithms)
138 for (auto purpose : sig_purposes) {
139 bool alg_purpose_supports_all;
140 keymaster_error_t error =
141 add_digests(dev, algorithm, purpose, map, &alg_purpose_supports_all);
142 if (error != KM_ERROR_OK)
143 return error;
144 *supports_all &= alg_purpose_supports_all;
145 }
146
147 keymaster_algorithm_t crypt_algorithms[] = {KM_ALGORITHM_RSA};
148 keymaster_purpose_t crypt_purposes[] = {KM_PURPOSE_ENCRYPT, KM_PURPOSE_DECRYPT};
149 for (auto algorithm : crypt_algorithms)
150 for (auto purpose : crypt_purposes) {
151 bool alg_purpose_supports_all;
152 keymaster_error_t error =
153 add_digests(dev, algorithm, purpose, map, &alg_purpose_supports_all);
154 if (error != KM_ERROR_OK)
155 return error;
156 *supports_all &= alg_purpose_supports_all;
157 }
158
159 return KM_ERROR_OK;
160 }
161
SoftKeymasterDevice()162 SoftKeymasterDevice::SoftKeymasterDevice()
163 : wrapped_km1_device_(nullptr),
164 context_(new SoftKeymasterContext),
165 impl_(new AndroidKeymaster(context_, kOperationTableSize)), configured_(false) {
166 LOG_I("Creating device", 0);
167 LOG_D("Device address: %p", this);
168
169 initialize_device_struct(KEYMASTER_SOFTWARE_ONLY | KEYMASTER_BLOBS_ARE_STANDALONE |
170 KEYMASTER_SUPPORTS_EC);
171 }
172
SoftKeymasterDevice(SoftKeymasterContext * context)173 SoftKeymasterDevice::SoftKeymasterDevice(SoftKeymasterContext* context)
174 : wrapped_km1_device_(nullptr), context_(context),
175 impl_(new AndroidKeymaster(context_, kOperationTableSize)), configured_(false) {
176 LOG_I("Creating test device", 0);
177 LOG_D("Device address: %p", this);
178
179 initialize_device_struct(KEYMASTER_SOFTWARE_ONLY | KEYMASTER_BLOBS_ARE_STANDALONE |
180 KEYMASTER_SUPPORTS_EC);
181 }
182
SetHardwareDevice(keymaster0_device_t * keymaster0_device)183 keymaster_error_t SoftKeymasterDevice::SetHardwareDevice(keymaster0_device_t* keymaster0_device) {
184 assert(keymaster0_device);
185 LOG_D("Reinitializing SoftKeymasterDevice to use HW keymaster0", 0);
186
187 if (!context_)
188 return KM_ERROR_UNEXPECTED_NULL_POINTER;
189
190 supports_all_digests_ = false;
191 keymaster_error_t error = context_->SetHardwareDevice(keymaster0_device);
192 if (error != KM_ERROR_OK)
193 return error;
194
195 initialize_device_struct(keymaster0_device->flags);
196
197 module_name_ = km1_device_.common.module->name;
198 module_name_.append("(Wrapping ");
199 module_name_.append(keymaster0_device->common.module->name);
200 module_name_.append(")");
201
202 updated_module_ = *km1_device_.common.module;
203 updated_module_.name = module_name_.c_str();
204
205 km1_device_.common.module = &updated_module_;
206
207 wrapped_km1_device_ = nullptr;
208 return KM_ERROR_OK;
209 }
210
SetHardwareDevice(keymaster1_device_t * keymaster1_device)211 keymaster_error_t SoftKeymasterDevice::SetHardwareDevice(keymaster1_device_t* keymaster1_device) {
212 assert(keymaster1_device);
213 LOG_D("Reinitializing SoftKeymasterDevice to use HW keymaster1", 0);
214
215 if (!context_)
216 return KM_ERROR_UNEXPECTED_NULL_POINTER;
217
218 keymaster_error_t error =
219 map_digests(keymaster1_device, &km1_device_digests_, &supports_all_digests_);
220 if (error != KM_ERROR_OK)
221 return error;
222
223 error = context_->SetHardwareDevice(keymaster1_device);
224 if (error != KM_ERROR_OK)
225 return error;
226
227 initialize_device_struct(keymaster1_device->flags);
228
229 module_name_ = km1_device_.common.module->name;
230 module_name_.append(" (Wrapping ");
231 module_name_.append(keymaster1_device->common.module->name);
232 module_name_.append(")");
233
234 updated_module_ = *km1_device_.common.module;
235 updated_module_.name = module_name_.c_str();
236
237 km1_device_.common.module = &updated_module_;
238
239 wrapped_km1_device_ = keymaster1_device;
240 return KM_ERROR_OK;
241 }
242
Keymaster1DeviceIsGood()243 bool SoftKeymasterDevice::Keymaster1DeviceIsGood() {
244 std::vector<keymaster_digest_t> expected_rsa_digests = {
245 KM_DIGEST_NONE, KM_DIGEST_MD5, KM_DIGEST_SHA1, KM_DIGEST_SHA_2_224,
246 KM_DIGEST_SHA_2_256, KM_DIGEST_SHA_2_384, KM_DIGEST_SHA_2_512};
247 std::vector<keymaster_digest_t> expected_ec_digests = {
248 KM_DIGEST_NONE, KM_DIGEST_SHA1, KM_DIGEST_SHA_2_224,
249 KM_DIGEST_SHA_2_256, KM_DIGEST_SHA_2_384, KM_DIGEST_SHA_2_512};
250
251 for (auto& entry : km1_device_digests_) {
252 if (entry.first.first == KM_ALGORITHM_RSA)
253 if (!std::is_permutation(entry.second.begin(), entry.second.end(),
254 expected_rsa_digests.begin()))
255 return false;
256 if (entry.first.first == KM_ALGORITHM_EC)
257 if (!std::is_permutation(entry.second.begin(), entry.second.end(),
258 expected_ec_digests.begin()))
259 return false;
260 }
261 return true;
262 }
263
initialize_device_struct(uint32_t flags)264 void SoftKeymasterDevice::initialize_device_struct(uint32_t flags) {
265 memset(&km1_device_, 0, sizeof(km1_device_));
266
267 km1_device_.common.tag = HARDWARE_DEVICE_TAG;
268 km1_device_.common.version = 1;
269 km1_device_.common.module = reinterpret_cast<hw_module_t*>(&soft_keymaster1_device_module);
270 km1_device_.common.close = &close_device;
271
272 km1_device_.flags = flags;
273
274 km1_device_.context = this;
275
276 // keymaster0 APIs
277 km1_device_.generate_keypair = nullptr;
278 km1_device_.import_keypair = nullptr;
279 km1_device_.get_keypair_public = nullptr;
280 km1_device_.delete_keypair = nullptr;
281 km1_device_.delete_all = nullptr;
282 km1_device_.sign_data = nullptr;
283 km1_device_.verify_data = nullptr;
284
285 // keymaster1 APIs
286 km1_device_.get_supported_algorithms = get_supported_algorithms;
287 km1_device_.get_supported_block_modes = get_supported_block_modes;
288 km1_device_.get_supported_padding_modes = get_supported_padding_modes;
289 km1_device_.get_supported_digests = get_supported_digests;
290 km1_device_.get_supported_import_formats = get_supported_import_formats;
291 km1_device_.get_supported_export_formats = get_supported_export_formats;
292 km1_device_.add_rng_entropy = add_rng_entropy;
293 km1_device_.generate_key = generate_key;
294 km1_device_.get_key_characteristics = get_key_characteristics;
295 km1_device_.import_key = import_key;
296 km1_device_.export_key = export_key;
297 km1_device_.delete_key = delete_key;
298 km1_device_.delete_all_keys = delete_all_keys;
299 km1_device_.begin = begin;
300 km1_device_.update = update;
301 km1_device_.finish = finish;
302 km1_device_.abort = abort;
303
304 // keymaster2 APIs
305 memset(&km2_device_, 0, sizeof(km2_device_));
306
307 km2_device_.flags = flags;
308 km2_device_.context = this;
309
310 km2_device_.common.tag = HARDWARE_DEVICE_TAG;
311 km2_device_.common.version = 1;
312 km2_device_.common.module = reinterpret_cast<hw_module_t*>(&soft_keymaster2_device_module);
313 km2_device_.common.close = &close_device;
314
315 km2_device_.configure = configure;
316 km2_device_.add_rng_entropy = add_rng_entropy;
317 km2_device_.generate_key = generate_key;
318 km2_device_.get_key_characteristics = get_key_characteristics;
319 km2_device_.import_key = import_key;
320 km2_device_.export_key = export_key;
321 km2_device_.attest_key = attest_key;
322 km2_device_.upgrade_key = upgrade_key;
323 km2_device_.delete_key = delete_key;
324 km2_device_.delete_all_keys = delete_all_keys;
325 km2_device_.begin = begin;
326 km2_device_.update = update;
327 km2_device_.finish = finish;
328 km2_device_.abort = abort;
329 }
330
hw_device()331 hw_device_t* SoftKeymasterDevice::hw_device() {
332 return &km1_device_.common;
333 }
334
keymaster_device()335 keymaster1_device_t* SoftKeymasterDevice::keymaster_device() {
336 return &km1_device_;
337 }
338
keymaster2_device()339 keymaster2_device_t* SoftKeymasterDevice::keymaster2_device() {
340 return &km2_device_;
341 }
342
343 namespace {
344
BuildCharacteristics(const AuthorizationSet & hw_enforced,const AuthorizationSet & sw_enforced)345 keymaster_key_characteristics_t* BuildCharacteristics(const AuthorizationSet& hw_enforced,
346 const AuthorizationSet& sw_enforced) {
347 keymaster_key_characteristics_t* characteristics =
348 reinterpret_cast<keymaster_key_characteristics_t*>(
349 malloc(sizeof(keymaster_key_characteristics_t)));
350 if (characteristics) {
351 hw_enforced.CopyToParamSet(&characteristics->hw_enforced);
352 sw_enforced.CopyToParamSet(&characteristics->sw_enforced);
353 }
354 return characteristics;
355 }
356
357 template <typename RequestType>
AddClientAndAppData(const keymaster_blob_t * client_id,const keymaster_blob_t * app_data,RequestType * request)358 void AddClientAndAppData(const keymaster_blob_t* client_id, const keymaster_blob_t* app_data,
359 RequestType* request) {
360 request->additional_params.Clear();
361 if (client_id)
362 request->additional_params.push_back(TAG_APPLICATION_ID, *client_id);
363 if (app_data)
364 request->additional_params.push_back(TAG_APPLICATION_DATA, *app_data);
365 }
366
convert_device(const T * dev)367 template <typename T> SoftKeymasterDevice* convert_device(const T* dev) {
368 static_assert((std::is_same<T, keymaster0_device_t>::value ||
369 std::is_same<T, keymaster1_device_t>::value ||
370 std::is_same<T, keymaster2_device_t>::value),
371 "convert_device should only be applied to keymaster devices");
372 return reinterpret_cast<SoftKeymasterDevice*>(dev->context);
373 }
374
375 template <keymaster_tag_t Tag, keymaster_tag_type_t Type, typename KeymasterEnum>
FindTagValue(const keymaster_key_param_set_t & params,TypedEnumTag<Type,Tag,KeymasterEnum> tag,KeymasterEnum * value)376 bool FindTagValue(const keymaster_key_param_set_t& params,
377 TypedEnumTag<Type, Tag, KeymasterEnum> tag, KeymasterEnum* value) {
378 for (size_t i = 0; i < params.length; ++i)
379 if (params.params[i].tag == tag) {
380 *value = static_cast<KeymasterEnum>(params.params[i].enumerated);
381 return true;
382 }
383 return false;
384 }
385
386 } // unnamed namespaced
387
388 /* static */
close_device(hw_device_t * dev)389 int SoftKeymasterDevice::close_device(hw_device_t* dev) {
390 switch (dev->module->module_api_version) {
391 case KEYMASTER_MODULE_API_VERSION_2_0: {
392 delete convert_device(reinterpret_cast<keymaster2_device_t*>(dev));
393 break;
394 }
395
396 case KEYMASTER_MODULE_API_VERSION_1_0: {
397 delete convert_device(reinterpret_cast<keymaster1_device_t*>(dev));
398 break;
399 }
400
401 default:
402 return -1;
403 }
404
405 return 0;
406 }
407
408 /* static */
get_supported_algorithms(const keymaster1_device_t * dev,keymaster_algorithm_t ** algorithms,size_t * algorithms_length)409 keymaster_error_t SoftKeymasterDevice::get_supported_algorithms(const keymaster1_device_t* dev,
410 keymaster_algorithm_t** algorithms,
411 size_t* algorithms_length) {
412 if (!dev)
413 return KM_ERROR_UNEXPECTED_NULL_POINTER;
414
415 if (!algorithms || !algorithms_length)
416 return KM_ERROR_OUTPUT_PARAMETER_NULL;
417
418 const keymaster1_device_t* km1_dev = convert_device(dev)->wrapped_km1_device_;
419 if (km1_dev)
420 return km1_dev->get_supported_algorithms(km1_dev, algorithms, algorithms_length);
421
422 SupportedAlgorithmsRequest request;
423 SupportedAlgorithmsResponse response;
424 convert_device(dev)->impl_->SupportedAlgorithms(request, &response);
425 if (response.error != KM_ERROR_OK) {
426 LOG_E("get_supported_algorithms failed with %d", response.error);
427
428 return response.error;
429 }
430
431 *algorithms_length = response.results_length;
432 *algorithms =
433 reinterpret_cast<keymaster_algorithm_t*>(malloc(*algorithms_length * sizeof(**algorithms)));
434 if (!*algorithms)
435 return KM_ERROR_MEMORY_ALLOCATION_FAILED;
436 std::copy(response.results, response.results + response.results_length, *algorithms);
437 return KM_ERROR_OK;
438 }
439
440 /* static */
get_supported_block_modes(const keymaster1_device_t * dev,keymaster_algorithm_t algorithm,keymaster_purpose_t purpose,keymaster_block_mode_t ** modes,size_t * modes_length)441 keymaster_error_t SoftKeymasterDevice::get_supported_block_modes(const keymaster1_device_t* dev,
442 keymaster_algorithm_t algorithm,
443 keymaster_purpose_t purpose,
444 keymaster_block_mode_t** modes,
445 size_t* modes_length) {
446 if (!dev)
447 return KM_ERROR_UNEXPECTED_NULL_POINTER;
448
449 if (!modes || !modes_length)
450 return KM_ERROR_OUTPUT_PARAMETER_NULL;
451
452 const keymaster1_device_t* km1_dev = convert_device(dev)->wrapped_km1_device_;
453 if (km1_dev)
454 return km1_dev->get_supported_block_modes(km1_dev, algorithm, purpose, modes, modes_length);
455
456 SupportedBlockModesRequest request;
457 request.algorithm = algorithm;
458 request.purpose = purpose;
459 SupportedBlockModesResponse response;
460 convert_device(dev)->impl_->SupportedBlockModes(request, &response);
461
462 if (response.error != KM_ERROR_OK) {
463 LOG_E("get_supported_block_modes failed with %d", response.error);
464
465 return response.error;
466 }
467
468 *modes_length = response.results_length;
469 *modes = reinterpret_cast<keymaster_block_mode_t*>(malloc(*modes_length * sizeof(**modes)));
470 if (!*modes)
471 return KM_ERROR_MEMORY_ALLOCATION_FAILED;
472 std::copy(response.results, response.results + response.results_length, *modes);
473 return KM_ERROR_OK;
474 }
475
476 /* static */
get_supported_padding_modes(const keymaster1_device_t * dev,keymaster_algorithm_t algorithm,keymaster_purpose_t purpose,keymaster_padding_t ** modes,size_t * modes_length)477 keymaster_error_t SoftKeymasterDevice::get_supported_padding_modes(const keymaster1_device_t* dev,
478 keymaster_algorithm_t algorithm,
479 keymaster_purpose_t purpose,
480 keymaster_padding_t** modes,
481 size_t* modes_length) {
482 if (!dev)
483 return KM_ERROR_UNEXPECTED_NULL_POINTER;
484
485 if (!modes || !modes_length)
486 return KM_ERROR_OUTPUT_PARAMETER_NULL;
487
488 const keymaster1_device_t* km1_dev = convert_device(dev)->wrapped_km1_device_;
489 if (km1_dev)
490 return km1_dev->get_supported_padding_modes(km1_dev, algorithm, purpose, modes,
491 modes_length);
492
493 SupportedPaddingModesRequest request;
494 request.algorithm = algorithm;
495 request.purpose = purpose;
496 SupportedPaddingModesResponse response;
497 convert_device(dev)->impl_->SupportedPaddingModes(request, &response);
498
499 if (response.error != KM_ERROR_OK) {
500 LOG_E("get_supported_padding_modes failed with %d", response.error);
501 return response.error;
502 }
503
504 *modes_length = response.results_length;
505 *modes = reinterpret_cast<keymaster_padding_t*>(malloc(*modes_length * sizeof(**modes)));
506 if (!*modes)
507 return KM_ERROR_MEMORY_ALLOCATION_FAILED;
508 std::copy(response.results, response.results + response.results_length, *modes);
509 return KM_ERROR_OK;
510 }
511
512 /* static */
get_supported_digests(const keymaster1_device_t * dev,keymaster_algorithm_t algorithm,keymaster_purpose_t purpose,keymaster_digest_t ** digests,size_t * digests_length)513 keymaster_error_t SoftKeymasterDevice::get_supported_digests(const keymaster1_device_t* dev,
514 keymaster_algorithm_t algorithm,
515 keymaster_purpose_t purpose,
516 keymaster_digest_t** digests,
517 size_t* digests_length) {
518 if (!dev)
519 return KM_ERROR_UNEXPECTED_NULL_POINTER;
520
521 if (!digests || !digests_length)
522 return KM_ERROR_OUTPUT_PARAMETER_NULL;
523
524 const keymaster1_device_t* km1_dev = convert_device(dev)->wrapped_km1_device_;
525 if (km1_dev)
526 return km1_dev->get_supported_digests(km1_dev, algorithm, purpose, digests, digests_length);
527
528 SupportedDigestsRequest request;
529 request.algorithm = algorithm;
530 request.purpose = purpose;
531 SupportedDigestsResponse response;
532 convert_device(dev)->impl_->SupportedDigests(request, &response);
533
534 if (response.error != KM_ERROR_OK) {
535 LOG_E("get_supported_digests failed with %d", response.error);
536 return response.error;
537 }
538
539 *digests_length = response.results_length;
540 *digests = reinterpret_cast<keymaster_digest_t*>(malloc(*digests_length * sizeof(**digests)));
541 if (!*digests)
542 return KM_ERROR_MEMORY_ALLOCATION_FAILED;
543 std::copy(response.results, response.results + response.results_length, *digests);
544 return KM_ERROR_OK;
545 }
546
547 /* static */
get_supported_import_formats(const keymaster1_device_t * dev,keymaster_algorithm_t algorithm,keymaster_key_format_t ** formats,size_t * formats_length)548 keymaster_error_t SoftKeymasterDevice::get_supported_import_formats(
549 const keymaster1_device_t* dev, keymaster_algorithm_t algorithm,
550 keymaster_key_format_t** formats, size_t* formats_length) {
551 if (!dev)
552 return KM_ERROR_UNEXPECTED_NULL_POINTER;
553
554 if (!formats || !formats_length)
555 return KM_ERROR_OUTPUT_PARAMETER_NULL;
556
557 const keymaster1_device_t* km1_dev = convert_device(dev)->wrapped_km1_device_;
558 if (km1_dev)
559 return km1_dev->get_supported_import_formats(km1_dev, algorithm, formats, formats_length);
560
561 SupportedImportFormatsRequest request;
562 request.algorithm = algorithm;
563 SupportedImportFormatsResponse response;
564 convert_device(dev)->impl_->SupportedImportFormats(request, &response);
565
566 if (response.error != KM_ERROR_OK) {
567 LOG_E("get_supported_import_formats failed with %d", response.error);
568 return response.error;
569 }
570
571 *formats_length = response.results_length;
572 *formats =
573 reinterpret_cast<keymaster_key_format_t*>(malloc(*formats_length * sizeof(**formats)));
574 if (!*formats)
575 return KM_ERROR_MEMORY_ALLOCATION_FAILED;
576 std::copy(response.results, response.results + response.results_length, *formats);
577 return KM_ERROR_OK;
578 }
579
580 /* static */
get_supported_export_formats(const keymaster1_device_t * dev,keymaster_algorithm_t algorithm,keymaster_key_format_t ** formats,size_t * formats_length)581 keymaster_error_t SoftKeymasterDevice::get_supported_export_formats(
582 const keymaster1_device_t* dev, keymaster_algorithm_t algorithm,
583 keymaster_key_format_t** formats, size_t* formats_length) {
584 if (!dev)
585 return KM_ERROR_UNEXPECTED_NULL_POINTER;
586
587 if (!formats || !formats_length)
588 return KM_ERROR_OUTPUT_PARAMETER_NULL;
589
590 const keymaster1_device_t* km1_dev = convert_device(dev)->wrapped_km1_device_;
591 if (km1_dev)
592 return km1_dev->get_supported_export_formats(km1_dev, algorithm, formats, formats_length);
593
594 SupportedExportFormatsRequest request;
595 request.algorithm = algorithm;
596 SupportedExportFormatsResponse response;
597 convert_device(dev)->impl_->SupportedExportFormats(request, &response);
598
599 if (response.error != KM_ERROR_OK) {
600 LOG_E("get_supported_export_formats failed with %d", response.error);
601 return response.error;
602 }
603
604 *formats_length = response.results_length;
605 *formats =
606 reinterpret_cast<keymaster_key_format_t*>(malloc(*formats_length * sizeof(**formats)));
607 if (!*formats)
608 return KM_ERROR_MEMORY_ALLOCATION_FAILED;
609 std::copy(response.results, response.results + *formats_length, *formats);
610 return KM_ERROR_OK;
611 }
612
613 /* static */
configure(const keymaster2_device_t * dev,const keymaster_key_param_set_t * params)614 keymaster_error_t SoftKeymasterDevice::configure(const keymaster2_device_t* dev,
615 const keymaster_key_param_set_t* params) {
616 AuthorizationSet params_copy(*params);
617 ConfigureRequest request;
618 if (!params_copy.GetTagValue(TAG_OS_VERSION, &request.os_version) ||
619 !params_copy.GetTagValue(TAG_OS_PATCHLEVEL, &request.os_patchlevel)) {
620 LOG_E("Configuration parameters must contain OS version and patch level", 0);
621 return KM_ERROR_INVALID_ARGUMENT;
622 }
623 ConfigureResponse response;
624 convert_device(dev)->impl_->Configure(request, &response);
625 if (response.error == KM_ERROR_OK)
626 convert_device(dev)->configured_ = true;
627 return response.error;
628 }
629
630 /* static */
add_rng_entropy(const keymaster1_device_t * dev,const uint8_t * data,size_t data_length)631 keymaster_error_t SoftKeymasterDevice::add_rng_entropy(const keymaster1_device_t* dev,
632 const uint8_t* data, size_t data_length) {
633 if (!dev)
634 return KM_ERROR_UNEXPECTED_NULL_POINTER;
635
636 const keymaster1_device_t* km1_dev = convert_device(dev)->wrapped_km1_device_;
637 if (km1_dev)
638 return km1_dev->add_rng_entropy(km1_dev, data, data_length);
639
640 AddEntropyRequest request;
641 request.random_data.Reinitialize(data, data_length);
642 AddEntropyResponse response;
643 convert_device(dev)->impl_->AddRngEntropy(request, &response);
644 if (response.error != KM_ERROR_OK)
645 LOG_E("add_rng_entropy failed with %d", response.error);
646 return response.error;
647 }
648
649 /* static */
add_rng_entropy(const keymaster2_device_t * dev,const uint8_t * data,size_t data_length)650 keymaster_error_t SoftKeymasterDevice::add_rng_entropy(const keymaster2_device_t* dev,
651 const uint8_t* data, size_t data_length) {
652 if (!dev)
653 return KM_ERROR_UNEXPECTED_NULL_POINTER;
654
655 if (!convert_device(dev)->configured())
656 return KM_ERROR_KEYMASTER_NOT_CONFIGURED;
657
658 SoftKeymasterDevice* sk_dev = convert_device(dev);
659 return add_rng_entropy(&sk_dev->km1_device_, data, data_length);
660 }
661
contains(const Collection & c,const Value & v)662 template <typename Collection, typename Value> bool contains(const Collection& c, const Value& v) {
663 return std::find(c.begin(), c.end(), v) != c.end();
664 }
665
FindUnsupportedDigest(keymaster_algorithm_t algorithm,keymaster_purpose_t purpose,const AuthorizationSet & params,keymaster_digest_t * unsupported) const666 bool SoftKeymasterDevice::FindUnsupportedDigest(keymaster_algorithm_t algorithm,
667 keymaster_purpose_t purpose,
668 const AuthorizationSet& params,
669 keymaster_digest_t* unsupported) const {
670 assert(wrapped_km1_device_);
671
672 auto supported_digests = km1_device_digests_.find(std::make_pair(algorithm, purpose));
673 if (supported_digests == km1_device_digests_.end())
674 // Invalid algorith/purpose pair (e.g. EC encrypt). Let the error be handled by HW module.
675 return false;
676
677 for (auto& entry : params)
678 if (entry.tag == TAG_DIGEST)
679 if (!contains(supported_digests->second, entry.enumerated)) {
680 LOG_I("Digest %d requested but not supported by module %s", entry.enumerated,
681 wrapped_km1_device_->common.module->name);
682 *unsupported = static_cast<keymaster_digest_t>(entry.enumerated);
683 return true;
684 }
685 return false;
686 }
687
RequiresSoftwareDigesting(keymaster_algorithm_t algorithm,keymaster_purpose_t purpose,const AuthorizationSet & params) const688 bool SoftKeymasterDevice::RequiresSoftwareDigesting(keymaster_algorithm_t algorithm,
689 keymaster_purpose_t purpose,
690 const AuthorizationSet& params) const {
691 assert(wrapped_km1_device_);
692 if (!wrapped_km1_device_)
693 return true;
694
695 switch (algorithm) {
696 case KM_ALGORITHM_AES:
697 case KM_ALGORITHM_TRIPLE_DES:
698 LOG_D("Not performing software digesting for algorithm %d", algorithm);
699 return false;
700 case KM_ALGORITHM_HMAC:
701 case KM_ALGORITHM_RSA:
702 case KM_ALGORITHM_EC:
703 break;
704 }
705
706 keymaster_digest_t unsupported;
707 if (!FindUnsupportedDigest(algorithm, purpose, params, &unsupported)) {
708 LOG_D("Requested digest(s) supported for algorithm %d and purpose %d", algorithm, purpose);
709 return false;
710 }
711
712 return true;
713 }
714
KeyRequiresSoftwareDigesting(const AuthorizationSet & key_description) const715 bool SoftKeymasterDevice::KeyRequiresSoftwareDigesting(
716 const AuthorizationSet& key_description) const {
717 assert(wrapped_km1_device_);
718 if (!wrapped_km1_device_)
719 return true;
720
721 keymaster_algorithm_t algorithm;
722 if (!key_description.GetTagValue(TAG_ALGORITHM, &algorithm)) {
723 // The hardware module will return an error during keygen.
724 return false;
725 }
726
727 for (auto& entry : key_description)
728 if (entry.tag == TAG_PURPOSE) {
729 keymaster_purpose_t purpose = static_cast<keymaster_purpose_t>(entry.enumerated);
730 if (RequiresSoftwareDigesting(algorithm, purpose, key_description))
731 return true;
732 }
733
734 return false;
735 }
736
737 /* static */
generate_key(const keymaster1_device_t * dev,const keymaster_key_param_set_t * params,keymaster_key_blob_t * key_blob,keymaster_key_characteristics_t ** characteristics)738 keymaster_error_t SoftKeymasterDevice::generate_key(
739 const keymaster1_device_t* dev, const keymaster_key_param_set_t* params,
740 keymaster_key_blob_t* key_blob, keymaster_key_characteristics_t** characteristics) {
741 if (!dev || !params)
742 return KM_ERROR_UNEXPECTED_NULL_POINTER;
743
744 if (!key_blob)
745 return KM_ERROR_OUTPUT_PARAMETER_NULL;
746
747 SoftKeymasterDevice* sk_dev = convert_device(dev);
748
749 GenerateKeyRequest request;
750 request.key_description.Reinitialize(*params);
751
752 keymaster1_device_t* km1_dev = sk_dev->wrapped_km1_device_;
753 if (km1_dev && !sk_dev->KeyRequiresSoftwareDigesting(request.key_description))
754 return km1_dev->generate_key(km1_dev, params, key_blob, characteristics);
755
756 GenerateKeyResponse response;
757 sk_dev->impl_->GenerateKey(request, &response);
758 if (response.error != KM_ERROR_OK)
759 return response.error;
760
761 key_blob->key_material_size = response.key_blob.key_material_size;
762 uint8_t* tmp = reinterpret_cast<uint8_t*>(malloc(key_blob->key_material_size));
763 if (!tmp)
764 return KM_ERROR_MEMORY_ALLOCATION_FAILED;
765 memcpy(tmp, response.key_blob.key_material, response.key_blob.key_material_size);
766 key_blob->key_material = tmp;
767
768 if (characteristics) {
769 // This is a keymaster1 method, and keymaster1 doesn't include version info, so remove it.
770 response.enforced.erase(response.enforced.find(TAG_OS_VERSION));
771 response.enforced.erase(response.enforced.find(TAG_OS_PATCHLEVEL));
772 response.unenforced.erase(response.unenforced.find(TAG_OS_VERSION));
773 response.unenforced.erase(response.unenforced.find(TAG_OS_PATCHLEVEL));
774
775 *characteristics = BuildCharacteristics(response.enforced, response.unenforced);
776 if (!*characteristics)
777 return KM_ERROR_MEMORY_ALLOCATION_FAILED;
778 }
779
780 return KM_ERROR_OK;
781 }
782
783 keymaster_error_t
generate_key(const keymaster2_device_t * dev,const keymaster_key_param_set_t * params,keymaster_key_blob_t * key_blob,keymaster_key_characteristics_t * characteristics)784 SoftKeymasterDevice::generate_key(const keymaster2_device_t* dev, //
785 const keymaster_key_param_set_t* params,
786 keymaster_key_blob_t* key_blob,
787 keymaster_key_characteristics_t* characteristics) {
788 if (!dev)
789 return KM_ERROR_UNEXPECTED_NULL_POINTER;
790
791 if (!convert_device(dev)->configured())
792 return KM_ERROR_KEYMASTER_NOT_CONFIGURED;
793
794 if (!key_blob)
795 return KM_ERROR_OUTPUT_PARAMETER_NULL;
796
797 SoftKeymasterDevice* sk_dev = convert_device(dev);
798
799 GenerateKeyRequest request;
800 request.key_description.Reinitialize(*params);
801
802 keymaster1_device_t* km1_dev = sk_dev->wrapped_km1_device_;
803 if (km1_dev && !sk_dev->KeyRequiresSoftwareDigesting(request.key_description)) {
804 keymaster_ec_curve_t curve;
805 if (request.key_description.Contains(TAG_ALGORITHM, KM_ALGORITHM_EC) &&
806 request.key_description.GetTagValue(TAG_EC_CURVE, &curve)) {
807 // Keymaster1 doesn't know about EC curves. We need to translate to key size.
808 uint32_t key_size_from_curve;
809 keymaster_error_t error = EcCurveToKeySize(curve, &key_size_from_curve);
810 if (error != KM_ERROR_OK) {
811 return error;
812 }
813
814 uint32_t key_size_from_desc;
815 if (request.key_description.GetTagValue(TAG_KEY_SIZE, &key_size_from_desc)) {
816 if (key_size_from_desc != key_size_from_curve) {
817 return KM_ERROR_INVALID_ARGUMENT;
818 }
819 } else {
820 request.key_description.push_back(TAG_KEY_SIZE, key_size_from_curve);
821 }
822 }
823
824 keymaster_key_characteristics_t* chars_ptr;
825 keymaster_error_t error = km1_dev->generate_key(km1_dev, &request.key_description, key_blob,
826 characteristics ? &chars_ptr : nullptr);
827 if (error != KM_ERROR_OK)
828 return error;
829
830 if (characteristics) {
831 *characteristics = *chars_ptr;
832 free(chars_ptr);
833 }
834
835 return KM_ERROR_OK;
836 }
837
838 GenerateKeyResponse response;
839 sk_dev->impl_->GenerateKey(request, &response);
840 if (response.error != KM_ERROR_OK)
841 return response.error;
842
843 key_blob->key_material_size = response.key_blob.key_material_size;
844 uint8_t* tmp = reinterpret_cast<uint8_t*>(malloc(key_blob->key_material_size));
845 if (!tmp)
846 return KM_ERROR_MEMORY_ALLOCATION_FAILED;
847 memcpy(tmp, response.key_blob.key_material, response.key_blob.key_material_size);
848 key_blob->key_material = tmp;
849
850 if (characteristics) {
851 response.enforced.CopyToParamSet(&characteristics->hw_enforced);
852 response.unenforced.CopyToParamSet(&characteristics->sw_enforced);
853 }
854
855 return KM_ERROR_OK;
856 }
857
858 /* static */
get_key_characteristics(const keymaster1_device_t * dev,const keymaster_key_blob_t * key_blob,const keymaster_blob_t * client_id,const keymaster_blob_t * app_data,keymaster_key_characteristics_t ** characteristics)859 keymaster_error_t SoftKeymasterDevice::get_key_characteristics(
860 const keymaster1_device_t* dev, const keymaster_key_blob_t* key_blob,
861 const keymaster_blob_t* client_id, const keymaster_blob_t* app_data,
862 keymaster_key_characteristics_t** characteristics) {
863 if (!dev || !key_blob || !key_blob->key_material)
864 return KM_ERROR_UNEXPECTED_NULL_POINTER;
865
866 if (!characteristics)
867 return KM_ERROR_OUTPUT_PARAMETER_NULL;
868
869 const keymaster1_device_t* km1_dev = convert_device(dev)->wrapped_km1_device_;
870 if (km1_dev) {
871 keymaster_error_t error = km1_dev->get_key_characteristics(km1_dev, key_blob, client_id,
872 app_data, characteristics);
873 if (error != KM_ERROR_INVALID_KEY_BLOB) {
874 return error;
875 }
876 // If we got "invalid blob", continue to try with the software device. This might be a
877 // software key blob.
878 }
879
880 GetKeyCharacteristicsRequest request;
881 request.SetKeyMaterial(*key_blob);
882 AddClientAndAppData(client_id, app_data, &request);
883
884 GetKeyCharacteristicsResponse response;
885 convert_device(dev)->impl_->GetKeyCharacteristics(request, &response);
886 if (response.error != KM_ERROR_OK)
887 return response.error;
888
889 // This is a keymaster1 method, and keymaster1 doesn't include version info, so remove it.
890 response.enforced.erase(response.enforced.find(TAG_OS_VERSION));
891 response.enforced.erase(response.enforced.find(TAG_OS_PATCHLEVEL));
892 response.unenforced.erase(response.unenforced.find(TAG_OS_VERSION));
893 response.unenforced.erase(response.unenforced.find(TAG_OS_PATCHLEVEL));
894
895 *characteristics = BuildCharacteristics(response.enforced, response.unenforced);
896 if (!*characteristics)
897 return KM_ERROR_MEMORY_ALLOCATION_FAILED;
898
899 return KM_ERROR_OK;
900 }
901
902 /* static */
get_key_characteristics(const keymaster2_device_t * dev,const keymaster_key_blob_t * key_blob,const keymaster_blob_t * client_id,const keymaster_blob_t * app_data,keymaster_key_characteristics_t * characteristics)903 keymaster_error_t SoftKeymasterDevice::get_key_characteristics(
904 const keymaster2_device_t* dev, const keymaster_key_blob_t* key_blob,
905 const keymaster_blob_t* client_id, const keymaster_blob_t* app_data,
906 keymaster_key_characteristics_t* characteristics) {
907 if (!dev)
908 return KM_ERROR_UNEXPECTED_NULL_POINTER;
909
910 if (!convert_device(dev)->configured())
911 return KM_ERROR_KEYMASTER_NOT_CONFIGURED;
912
913 if (!characteristics)
914 return KM_ERROR_OUTPUT_PARAMETER_NULL;
915
916 SoftKeymasterDevice* sk_dev = convert_device(dev);
917
918 GetKeyCharacteristicsRequest request;
919 request.SetKeyMaterial(*key_blob);
920 AddClientAndAppData(client_id, app_data, &request);
921
922 GetKeyCharacteristicsResponse response;
923 sk_dev->impl_->GetKeyCharacteristics(request, &response);
924 if (response.error != KM_ERROR_OK)
925 return response.error;
926
927 response.enforced.CopyToParamSet(&characteristics->hw_enforced);
928 response.unenforced.CopyToParamSet(&characteristics->sw_enforced);
929
930 return KM_ERROR_OK;
931 }
932
933 /* static */
import_key(const keymaster1_device_t * dev,const keymaster_key_param_set_t * params,keymaster_key_format_t key_format,const keymaster_blob_t * key_data,keymaster_key_blob_t * key_blob,keymaster_key_characteristics_t ** characteristics)934 keymaster_error_t SoftKeymasterDevice::import_key(
935 const keymaster1_device_t* dev, const keymaster_key_param_set_t* params,
936 keymaster_key_format_t key_format, const keymaster_blob_t* key_data,
937 keymaster_key_blob_t* key_blob, keymaster_key_characteristics_t** characteristics) {
938 if (!params || !key_data)
939 return KM_ERROR_UNEXPECTED_NULL_POINTER;
940
941 if (!key_blob)
942 return KM_ERROR_OUTPUT_PARAMETER_NULL;
943
944 SoftKeymasterDevice* sk_dev = convert_device(dev);
945
946 ImportKeyRequest request;
947 request.key_description.Reinitialize(*params);
948
949 keymaster1_device_t* km1_dev = sk_dev->wrapped_km1_device_;
950 if (km1_dev && !sk_dev->KeyRequiresSoftwareDigesting(request.key_description))
951 return km1_dev->import_key(km1_dev, params, key_format, key_data, key_blob,
952 characteristics);
953
954 if (characteristics)
955 *characteristics = nullptr;
956
957 request.key_format = key_format;
958 request.SetKeyMaterial(key_data->data, key_data->data_length);
959
960 ImportKeyResponse response;
961 convert_device(dev)->impl_->ImportKey(request, &response);
962 if (response.error != KM_ERROR_OK)
963 return response.error;
964
965 key_blob->key_material_size = response.key_blob.key_material_size;
966 key_blob->key_material = reinterpret_cast<uint8_t*>(malloc(key_blob->key_material_size));
967 if (!key_blob->key_material)
968 return KM_ERROR_MEMORY_ALLOCATION_FAILED;
969 memcpy(const_cast<uint8_t*>(key_blob->key_material), response.key_blob.key_material,
970 response.key_blob.key_material_size);
971
972 if (characteristics) {
973 *characteristics = BuildCharacteristics(response.enforced, response.unenforced);
974 if (!*characteristics)
975 return KM_ERROR_MEMORY_ALLOCATION_FAILED;
976 }
977 return KM_ERROR_OK;
978 }
979
980 /* static */
import_key(const keymaster2_device_t * dev,const keymaster_key_param_set_t * params,keymaster_key_format_t key_format,const keymaster_blob_t * key_data,keymaster_key_blob_t * key_blob,keymaster_key_characteristics_t * characteristics)981 keymaster_error_t SoftKeymasterDevice::import_key(
982 const keymaster2_device_t* dev, const keymaster_key_param_set_t* params,
983 keymaster_key_format_t key_format, const keymaster_blob_t* key_data,
984 keymaster_key_blob_t* key_blob, keymaster_key_characteristics_t* characteristics) {
985 if (!dev)
986 return KM_ERROR_UNEXPECTED_NULL_POINTER;
987
988 if (!convert_device(dev)->configured())
989 return KM_ERROR_KEYMASTER_NOT_CONFIGURED;
990
991 SoftKeymasterDevice* sk_dev = convert_device(dev);
992
993 keymaster_error_t error;
994 if (characteristics) {
995 keymaster_key_characteristics_t* characteristics_ptr;
996 error = import_key(&sk_dev->km1_device_, params, key_format, key_data, key_blob,
997 &characteristics_ptr);
998 if (error == KM_ERROR_OK) {
999 *characteristics = *characteristics_ptr;
1000 free(characteristics_ptr);
1001 }
1002 } else {
1003 error = import_key(&sk_dev->km1_device_, params, key_format, key_data, key_blob, nullptr);
1004 }
1005
1006 return error;
1007 }
1008
1009 /* static */
export_key(const keymaster1_device_t * dev,keymaster_key_format_t export_format,const keymaster_key_blob_t * key_to_export,const keymaster_blob_t * client_id,const keymaster_blob_t * app_data,keymaster_blob_t * export_data)1010 keymaster_error_t SoftKeymasterDevice::export_key(const keymaster1_device_t* dev,
1011 keymaster_key_format_t export_format,
1012 const keymaster_key_blob_t* key_to_export,
1013 const keymaster_blob_t* client_id,
1014 const keymaster_blob_t* app_data,
1015 keymaster_blob_t* export_data) {
1016 if (!key_to_export || !key_to_export->key_material)
1017 return KM_ERROR_UNEXPECTED_NULL_POINTER;
1018
1019 if (!export_data)
1020 return KM_ERROR_OUTPUT_PARAMETER_NULL;
1021
1022 const keymaster1_device_t* km1_dev = convert_device(dev)->wrapped_km1_device_;
1023 if (km1_dev)
1024 return km1_dev->export_key(km1_dev, export_format, key_to_export, client_id, app_data,
1025 export_data);
1026
1027 export_data->data = nullptr;
1028 export_data->data_length = 0;
1029
1030 ExportKeyRequest request;
1031 request.key_format = export_format;
1032 request.SetKeyMaterial(*key_to_export);
1033 AddClientAndAppData(client_id, app_data, &request);
1034
1035 ExportKeyResponse response;
1036 convert_device(dev)->impl_->ExportKey(request, &response);
1037 if (response.error != KM_ERROR_OK)
1038 return response.error;
1039
1040 export_data->data_length = response.key_data_length;
1041 uint8_t* tmp = reinterpret_cast<uint8_t*>(malloc(export_data->data_length));
1042 if (!tmp)
1043 return KM_ERROR_MEMORY_ALLOCATION_FAILED;
1044 memcpy(tmp, response.key_data, export_data->data_length);
1045 export_data->data = tmp;
1046 return KM_ERROR_OK;
1047 }
1048
1049 /* static */
export_key(const keymaster2_device_t * dev,keymaster_key_format_t export_format,const keymaster_key_blob_t * key_to_export,const keymaster_blob_t * client_id,const keymaster_blob_t * app_data,keymaster_blob_t * export_data)1050 keymaster_error_t SoftKeymasterDevice::export_key(const keymaster2_device_t* dev,
1051 keymaster_key_format_t export_format,
1052 const keymaster_key_blob_t* key_to_export,
1053 const keymaster_blob_t* client_id,
1054 const keymaster_blob_t* app_data,
1055 keymaster_blob_t* export_data) {
1056 if (!dev)
1057 return KM_ERROR_UNEXPECTED_NULL_POINTER;
1058
1059 if (!convert_device(dev)->configured())
1060 return KM_ERROR_KEYMASTER_NOT_CONFIGURED;
1061
1062 SoftKeymasterDevice* sk_dev = convert_device(dev);
1063 return export_key(&sk_dev->km1_device_, export_format, key_to_export, client_id, app_data,
1064 export_data);
1065 }
1066
1067 /* static */
attest_key(const keymaster2_device_t * dev,const keymaster_key_blob_t * key_to_attest,const keymaster_key_param_set_t * attest_params,keymaster_cert_chain_t * cert_chain)1068 keymaster_error_t SoftKeymasterDevice::attest_key(const keymaster2_device_t* dev,
1069 const keymaster_key_blob_t* key_to_attest,
1070 const keymaster_key_param_set_t* attest_params,
1071 keymaster_cert_chain_t* cert_chain) {
1072 if (!dev || !key_to_attest || !attest_params || !cert_chain)
1073 return KM_ERROR_UNEXPECTED_NULL_POINTER;
1074
1075 if (!convert_device(dev)->configured())
1076 return KM_ERROR_KEYMASTER_NOT_CONFIGURED;
1077
1078 *cert_chain = {};
1079
1080 AttestKeyRequest request;
1081 request.SetKeyMaterial(*key_to_attest);
1082 request.attest_params.Reinitialize(*attest_params);
1083
1084 keymaster_blob_t attestation_challenge = {};
1085 request.attest_params.GetTagValue(TAG_ATTESTATION_CHALLENGE, &attestation_challenge);
1086 if (attestation_challenge.data_length > kMaximumAttestationChallengeLength) {
1087 LOG_E("%d-byte attestation challenge; only %d bytes allowed",
1088 attestation_challenge.data_length, kMaximumAttestationChallengeLength);
1089 return KM_ERROR_INVALID_INPUT_LENGTH;
1090 }
1091
1092 AttestKeyResponse response;
1093 convert_device(dev)->impl_->AttestKey(request, &response);
1094 if (response.error != KM_ERROR_OK)
1095 return response.error;
1096
1097 // Allocate and clear storage for cert_chain.
1098 keymaster_cert_chain_t& rsp_chain = response.certificate_chain;
1099 cert_chain->entries = reinterpret_cast<keymaster_blob_t*>(
1100 malloc(rsp_chain.entry_count * sizeof(*cert_chain->entries)));
1101 if (!cert_chain->entries)
1102 return KM_ERROR_MEMORY_ALLOCATION_FAILED;
1103 cert_chain->entry_count = rsp_chain.entry_count;
1104 for (keymaster_blob_t& entry : array_range(cert_chain->entries, cert_chain->entry_count))
1105 entry = {};
1106
1107 // Copy cert_chain contents
1108 size_t i = 0;
1109 for (keymaster_blob_t& entry : array_range(rsp_chain.entries, rsp_chain.entry_count)) {
1110 cert_chain->entries[i].data = reinterpret_cast<uint8_t*>(malloc(entry.data_length));
1111 if (!cert_chain->entries[i].data) {
1112 keymaster_free_cert_chain(cert_chain);
1113 return KM_ERROR_MEMORY_ALLOCATION_FAILED;
1114 }
1115 cert_chain->entries[i].data_length = entry.data_length;
1116 memcpy(const_cast<uint8_t*>(cert_chain->entries[i].data), entry.data, entry.data_length);
1117 ++i;
1118 }
1119
1120 return KM_ERROR_OK;
1121 }
1122
1123 /* static */
upgrade_key(const keymaster2_device_t * dev,const keymaster_key_blob_t * key_to_upgrade,const keymaster_key_param_set_t * upgrade_params,keymaster_key_blob_t * upgraded_key)1124 keymaster_error_t SoftKeymasterDevice::upgrade_key(const keymaster2_device_t* dev,
1125 const keymaster_key_blob_t* key_to_upgrade,
1126 const keymaster_key_param_set_t* upgrade_params,
1127 keymaster_key_blob_t* upgraded_key) {
1128 if (!dev || !key_to_upgrade || !upgrade_params)
1129 return KM_ERROR_UNEXPECTED_NULL_POINTER;
1130
1131 if (!upgraded_key)
1132 return KM_ERROR_OUTPUT_PARAMETER_NULL;
1133
1134 if (!convert_device(dev)->configured())
1135 return KM_ERROR_KEYMASTER_NOT_CONFIGURED;
1136
1137 UpgradeKeyRequest request;
1138 request.SetKeyMaterial(*key_to_upgrade);
1139 request.upgrade_params.Reinitialize(*upgrade_params);
1140
1141 UpgradeKeyResponse response;
1142 convert_device(dev)->impl_->UpgradeKey(request, &response);
1143 if (response.error != KM_ERROR_OK)
1144 return response.error;
1145
1146 upgraded_key->key_material_size = response.upgraded_key.key_material_size;
1147 uint8_t* tmp = reinterpret_cast<uint8_t*>(malloc(upgraded_key->key_material_size));
1148 if (!tmp)
1149 return KM_ERROR_MEMORY_ALLOCATION_FAILED;
1150 memcpy(tmp, response.upgraded_key.key_material, response.upgraded_key.key_material_size);
1151 upgraded_key->key_material = tmp;
1152
1153 return KM_ERROR_OK;
1154 }
1155
1156 /* static */
delete_key(const keymaster1_device_t * dev,const keymaster_key_blob_t * key)1157 keymaster_error_t SoftKeymasterDevice::delete_key(const keymaster1_device_t* dev,
1158 const keymaster_key_blob_t* key) {
1159 if (!dev || !key || !key->key_material)
1160 return KM_ERROR_UNEXPECTED_NULL_POINTER;
1161
1162 KeymasterKeyBlob blob(*key);
1163 return convert_device(dev)->context_->DeleteKey(blob);
1164 }
1165
1166 /* static */
delete_key(const keymaster2_device_t * dev,const keymaster_key_blob_t * key)1167 keymaster_error_t SoftKeymasterDevice::delete_key(const keymaster2_device_t* dev,
1168 const keymaster_key_blob_t* key) {
1169 if (!dev || !key || !key->key_material)
1170 return KM_ERROR_UNEXPECTED_NULL_POINTER;
1171
1172 if (!convert_device(dev)->configured())
1173 return KM_ERROR_KEYMASTER_NOT_CONFIGURED;
1174
1175 KeymasterKeyBlob blob(*key);
1176 return convert_device(dev)->context_->DeleteKey(blob);
1177 }
1178
1179 /* static */
delete_all_keys(const keymaster1_device_t * dev)1180 keymaster_error_t SoftKeymasterDevice::delete_all_keys(const keymaster1_device_t* dev) {
1181 if (!dev)
1182 return KM_ERROR_UNEXPECTED_NULL_POINTER;
1183
1184 return convert_device(dev)->context_->DeleteAllKeys();
1185 }
1186
1187 /* static */
delete_all_keys(const keymaster2_device_t * dev)1188 keymaster_error_t SoftKeymasterDevice::delete_all_keys(const keymaster2_device_t* dev) {
1189 if (!dev)
1190 return KM_ERROR_UNEXPECTED_NULL_POINTER;
1191
1192 if (!convert_device(dev)->configured())
1193 return KM_ERROR_KEYMASTER_NOT_CONFIGURED;
1194
1195 return convert_device(dev)->context_->DeleteAllKeys();
1196 }
1197
1198 /* static */
begin(const keymaster1_device_t * dev,keymaster_purpose_t purpose,const keymaster_key_blob_t * key,const keymaster_key_param_set_t * in_params,keymaster_key_param_set_t * out_params,keymaster_operation_handle_t * operation_handle)1199 keymaster_error_t SoftKeymasterDevice::begin(const keymaster1_device_t* dev,
1200 keymaster_purpose_t purpose,
1201 const keymaster_key_blob_t* key,
1202 const keymaster_key_param_set_t* in_params,
1203 keymaster_key_param_set_t* out_params,
1204 keymaster_operation_handle_t* operation_handle) {
1205 if (!dev || !key || !key->key_material)
1206 return KM_ERROR_UNEXPECTED_NULL_POINTER;
1207
1208 if (!operation_handle)
1209 return KM_ERROR_OUTPUT_PARAMETER_NULL;
1210
1211 SoftKeymasterDevice* skdev = convert_device(dev);
1212 const keymaster1_device_t* km1_dev = skdev->wrapped_km1_device_;
1213
1214 if (km1_dev) {
1215 AuthorizationSet in_params_set(*in_params);
1216
1217 UniquePtr<Key> akmKey; // android keymaster key
1218 skdev->context_->ParseKeyBlob(KeymasterKeyBlob(*key), in_params_set, &akmKey);
1219
1220 keymaster_algorithm_t algorithm = KM_ALGORITHM_AES;
1221 if (!akmKey->hw_enforced().GetTagValue(TAG_ALGORITHM, &algorithm) &&
1222 !akmKey->sw_enforced().GetTagValue(TAG_ALGORITHM, &algorithm)) {
1223 return KM_ERROR_INVALID_KEY_BLOB;
1224 }
1225
1226 if (algorithm == KM_ALGORITHM_HMAC) {
1227 // Because HMAC keys can have only one digest, in_params_set doesn't contain it. We
1228 // need to get the digest from the key and add it to in_params_set.
1229 keymaster_digest_t digest;
1230 if (!akmKey->hw_enforced().GetTagValue(TAG_DIGEST, &digest) &&
1231 !akmKey->sw_enforced().GetTagValue(TAG_DIGEST, &digest)) {
1232 return KM_ERROR_INVALID_KEY_BLOB;
1233 }
1234 in_params_set.push_back(TAG_DIGEST, digest);
1235 }
1236
1237 if (!skdev->RequiresSoftwareDigesting(algorithm, purpose, in_params_set)) {
1238 LOG_D("Operation supported by %s, passing through to keymaster1 module",
1239 km1_dev->common.module->name);
1240 return km1_dev->begin(km1_dev, purpose, key, in_params, out_params, operation_handle);
1241 }
1242 LOG_I("Doing software digesting for keymaster1 module %s", km1_dev->common.module->name);
1243 }
1244
1245 if (out_params) {
1246 out_params->params = nullptr;
1247 out_params->length = 0;
1248 }
1249
1250 BeginOperationRequest request;
1251 request.purpose = purpose;
1252 request.SetKeyMaterial(*key);
1253 request.additional_params.Reinitialize(*in_params);
1254
1255 BeginOperationResponse response;
1256 skdev->impl_->BeginOperation(request, &response);
1257 if (response.error != KM_ERROR_OK)
1258 return response.error;
1259
1260 if (response.output_params.size() > 0) {
1261 if (out_params)
1262 response.output_params.CopyToParamSet(out_params);
1263 else
1264 return KM_ERROR_OUTPUT_PARAMETER_NULL;
1265 }
1266
1267 *operation_handle = response.op_handle;
1268 return KM_ERROR_OK;
1269 }
1270
1271 /* static */
begin(const keymaster2_device_t * dev,keymaster_purpose_t purpose,const keymaster_key_blob_t * key,const keymaster_key_param_set_t * in_params,keymaster_key_param_set_t * out_params,keymaster_operation_handle_t * operation_handle)1272 keymaster_error_t SoftKeymasterDevice::begin(const keymaster2_device_t* dev,
1273 keymaster_purpose_t purpose,
1274 const keymaster_key_blob_t* key,
1275 const keymaster_key_param_set_t* in_params,
1276 keymaster_key_param_set_t* out_params,
1277 keymaster_operation_handle_t* operation_handle) {
1278 if (!dev)
1279 return KM_ERROR_UNEXPECTED_NULL_POINTER;
1280
1281 if (!convert_device(dev)->configured())
1282 return KM_ERROR_KEYMASTER_NOT_CONFIGURED;
1283
1284 SoftKeymasterDevice* sk_dev = convert_device(dev);
1285 return begin(&sk_dev->km1_device_, purpose, key, in_params, out_params, operation_handle);
1286 }
1287
1288 /* static */
update(const keymaster1_device_t * dev,keymaster_operation_handle_t operation_handle,const keymaster_key_param_set_t * in_params,const keymaster_blob_t * input,size_t * input_consumed,keymaster_key_param_set_t * out_params,keymaster_blob_t * output)1289 keymaster_error_t SoftKeymasterDevice::update(const keymaster1_device_t* dev,
1290 keymaster_operation_handle_t operation_handle,
1291 const keymaster_key_param_set_t* in_params,
1292 const keymaster_blob_t* input, size_t* input_consumed,
1293 keymaster_key_param_set_t* out_params,
1294 keymaster_blob_t* output) {
1295 if (!input)
1296 return KM_ERROR_UNEXPECTED_NULL_POINTER;
1297
1298 if (!input_consumed)
1299 return KM_ERROR_OUTPUT_PARAMETER_NULL;
1300
1301 const keymaster1_device_t* km1_dev = convert_device(dev)->wrapped_km1_device_;
1302 if (km1_dev && !convert_device(dev)->impl_->has_operation(operation_handle)) {
1303 // This operation is being handled by km1_dev (or doesn't exist). Pass it through to
1304 // km1_dev. Otherwise, we'll use the software AndroidKeymaster, which may delegate to
1305 // km1_dev after doing necessary digesting.
1306 return km1_dev->update(km1_dev, operation_handle, in_params, input, input_consumed,
1307 out_params, output);
1308 }
1309
1310 if (out_params) {
1311 out_params->params = nullptr;
1312 out_params->length = 0;
1313 }
1314 if (output) {
1315 output->data = nullptr;
1316 output->data_length = 0;
1317 }
1318
1319 UpdateOperationRequest request;
1320 request.op_handle = operation_handle;
1321 if (input)
1322 request.input.Reinitialize(input->data, input->data_length);
1323 if (in_params)
1324 request.additional_params.Reinitialize(*in_params);
1325
1326 UpdateOperationResponse response;
1327 convert_device(dev)->impl_->UpdateOperation(request, &response);
1328 if (response.error != KM_ERROR_OK)
1329 return response.error;
1330
1331 if (response.output_params.size() > 0) {
1332 if (out_params)
1333 response.output_params.CopyToParamSet(out_params);
1334 else
1335 return KM_ERROR_OUTPUT_PARAMETER_NULL;
1336 }
1337
1338 *input_consumed = response.input_consumed;
1339 if (output) {
1340 output->data_length = response.output.available_read();
1341 uint8_t* tmp = reinterpret_cast<uint8_t*>(malloc(output->data_length));
1342 if (!tmp)
1343 return KM_ERROR_MEMORY_ALLOCATION_FAILED;
1344 memcpy(tmp, response.output.peek_read(), output->data_length);
1345 output->data = tmp;
1346 } else if (response.output.available_read() > 0) {
1347 return KM_ERROR_OUTPUT_PARAMETER_NULL;
1348 }
1349 return KM_ERROR_OK;
1350 }
1351
1352 /* static */
update(const keymaster2_device_t * dev,keymaster_operation_handle_t operation_handle,const keymaster_key_param_set_t * in_params,const keymaster_blob_t * input,size_t * input_consumed,keymaster_key_param_set_t * out_params,keymaster_blob_t * output)1353 keymaster_error_t SoftKeymasterDevice::update(const keymaster2_device_t* dev,
1354 keymaster_operation_handle_t operation_handle,
1355 const keymaster_key_param_set_t* in_params,
1356 const keymaster_blob_t* input, size_t* input_consumed,
1357 keymaster_key_param_set_t* out_params,
1358 keymaster_blob_t* output) {
1359 if (!dev)
1360 return KM_ERROR_UNEXPECTED_NULL_POINTER;
1361
1362 if (!convert_device(dev)->configured())
1363 return KM_ERROR_KEYMASTER_NOT_CONFIGURED;
1364
1365 SoftKeymasterDevice* sk_dev = convert_device(dev);
1366 return update(&sk_dev->km1_device_, operation_handle, in_params, input, input_consumed,
1367 out_params, output);
1368 }
1369
1370 /* static */
finish(const keymaster1_device_t * dev,keymaster_operation_handle_t operation_handle,const keymaster_key_param_set_t * params,const keymaster_blob_t * signature,keymaster_key_param_set_t * out_params,keymaster_blob_t * output)1371 keymaster_error_t SoftKeymasterDevice::finish(const keymaster1_device_t* dev,
1372 keymaster_operation_handle_t operation_handle,
1373 const keymaster_key_param_set_t* params,
1374 const keymaster_blob_t* signature,
1375 keymaster_key_param_set_t* out_params,
1376 keymaster_blob_t* output) {
1377 if (!dev)
1378 return KM_ERROR_UNEXPECTED_NULL_POINTER;
1379
1380 const keymaster1_device_t* km1_dev = convert_device(dev)->wrapped_km1_device_;
1381 if (km1_dev && !convert_device(dev)->impl_->has_operation(operation_handle)) {
1382 // This operation is being handled by km1_dev (or doesn't exist). Pass it through to
1383 // km1_dev. Otherwise, we'll use the software AndroidKeymaster, which may delegate to
1384 // km1_dev after doing necessary digesting.
1385 return km1_dev->finish(km1_dev, operation_handle, params, signature, out_params, output);
1386 }
1387
1388 if (out_params) {
1389 out_params->params = nullptr;
1390 out_params->length = 0;
1391 }
1392
1393 if (output) {
1394 output->data = nullptr;
1395 output->data_length = 0;
1396 }
1397
1398 FinishOperationRequest request;
1399 request.op_handle = operation_handle;
1400 if (signature && signature->data_length > 0)
1401 request.signature.Reinitialize(signature->data, signature->data_length);
1402 request.additional_params.Reinitialize(*params);
1403
1404 FinishOperationResponse response;
1405 convert_device(dev)->impl_->FinishOperation(request, &response);
1406 if (response.error != KM_ERROR_OK)
1407 return response.error;
1408
1409 if (response.output_params.size() > 0) {
1410 if (out_params)
1411 response.output_params.CopyToParamSet(out_params);
1412 else
1413 return KM_ERROR_OUTPUT_PARAMETER_NULL;
1414 }
1415 if (output) {
1416 output->data_length = response.output.available_read();
1417 uint8_t* tmp = reinterpret_cast<uint8_t*>(malloc(output->data_length));
1418 if (!tmp)
1419 return KM_ERROR_MEMORY_ALLOCATION_FAILED;
1420 memcpy(tmp, response.output.peek_read(), output->data_length);
1421 output->data = tmp;
1422 } else if (response.output.available_read() > 0) {
1423 return KM_ERROR_OUTPUT_PARAMETER_NULL;
1424 }
1425
1426 return KM_ERROR_OK;
1427 }
1428
1429 struct KeyParamSetContents_Delete {
operator ()keymaster::KeyParamSetContents_Delete1430 void operator()(keymaster_key_param_set_t* p) { keymaster_free_param_set(p); }
1431 };
1432
1433 /* static */
finish(const keymaster2_device_t * dev,keymaster_operation_handle_t operation_handle,const keymaster_key_param_set_t * params,const keymaster_blob_t * input,const keymaster_blob_t * signature,keymaster_key_param_set_t * out_params,keymaster_blob_t * output)1434 keymaster_error_t SoftKeymasterDevice::finish(const keymaster2_device_t* dev,
1435 keymaster_operation_handle_t operation_handle,
1436 const keymaster_key_param_set_t* params,
1437 const keymaster_blob_t* input,
1438 const keymaster_blob_t* signature,
1439 keymaster_key_param_set_t* out_params,
1440 keymaster_blob_t* output) {
1441 if (!dev)
1442 return KM_ERROR_UNEXPECTED_NULL_POINTER;
1443
1444 if (!convert_device(dev)->configured())
1445 return KM_ERROR_KEYMASTER_NOT_CONFIGURED;
1446
1447 if (out_params)
1448 *out_params = {};
1449
1450 if (output)
1451 *output = {};
1452
1453 const keymaster1_device_t* km1_dev = convert_device(dev)->wrapped_km1_device_;
1454 if (km1_dev && !convert_device(dev)->impl_->has_operation(operation_handle)) {
1455 // This operation is being handled by km1_dev (or doesn't exist). Pass it through to
1456 // km1_dev. Otherwise, we'll use the software AndroidKeymaster, which may delegate to
1457 // km1_dev after doing necessary digesting.
1458
1459 std::vector<uint8_t> accumulated_output;
1460 AuthorizationSet accumulated_out_params;
1461 AuthorizationSet mutable_params(*params);
1462 if (input && input->data && input->data_length) {
1463 // Keymaster1 doesn't support input to finish(). Call update() to process input.
1464
1465 accumulated_output.reserve(input->data_length); // Guess at output size
1466 keymaster_blob_t mutable_input = *input;
1467
1468 while (mutable_input.data_length > 0) {
1469 keymaster_key_param_set_t update_out_params = {};
1470 keymaster_blob_t update_output = {};
1471 size_t input_consumed = 0;
1472 keymaster_error_t error =
1473 km1_dev->update(km1_dev, operation_handle, &mutable_params, &mutable_input,
1474 &input_consumed, &update_out_params, &update_output);
1475 if (error != KM_ERROR_OK) {
1476 return error;
1477 }
1478
1479 accumulated_output.reserve(accumulated_output.size() + update_output.data_length);
1480 std::copy(update_output.data, update_output.data + update_output.data_length,
1481 std::back_inserter(accumulated_output));
1482 free(const_cast<uint8_t*>(update_output.data));
1483
1484 accumulated_out_params.push_back(update_out_params);
1485 keymaster_free_param_set(&update_out_params);
1486
1487 mutable_input.data += input_consumed;
1488 mutable_input.data_length -= input_consumed;
1489
1490 // AAD should only be sent once, so remove it if present.
1491 int aad_pos = mutable_params.find(TAG_ASSOCIATED_DATA);
1492 if (aad_pos != -1) {
1493 mutable_params.erase(aad_pos);
1494 }
1495
1496 if (input_consumed == 0) {
1497 // Apparently we need more input than we have to complete an operation.
1498 km1_dev->abort(km1_dev, operation_handle);
1499 return KM_ERROR_INVALID_INPUT_LENGTH;
1500 }
1501 }
1502 }
1503
1504 keymaster_key_param_set_t finish_out_params = {};
1505 keymaster_blob_t finish_output = {};
1506 keymaster_error_t error = km1_dev->finish(km1_dev, operation_handle, &mutable_params,
1507 signature, &finish_out_params, &finish_output);
1508 if (error != KM_ERROR_OK) {
1509 return error;
1510 }
1511
1512 if (!accumulated_out_params.empty()) {
1513 accumulated_out_params.push_back(finish_out_params);
1514 keymaster_free_param_set(&finish_out_params);
1515 accumulated_out_params.Deduplicate();
1516 accumulated_out_params.CopyToParamSet(&finish_out_params);
1517 }
1518 std::unique_ptr<keymaster_key_param_set_t, KeyParamSetContents_Delete>
1519 finish_out_params_deleter(&finish_out_params);
1520
1521 if (!accumulated_output.empty()) {
1522 size_t finish_out_length = accumulated_output.size() + finish_output.data_length;
1523 uint8_t* finish_out_buf = reinterpret_cast<uint8_t*>(malloc(finish_out_length));
1524
1525 std::copy(accumulated_output.begin(), accumulated_output.end(), finish_out_buf);
1526 std::copy(finish_output.data, finish_output.data + finish_output.data_length,
1527 finish_out_buf + accumulated_output.size());
1528
1529 free(const_cast<uint8_t*>(finish_output.data));
1530 finish_output.data_length = finish_out_length;
1531 finish_output.data = finish_out_buf;
1532 }
1533 std::unique_ptr<uint8_t, Malloc_Delete> finish_output_deleter(
1534 const_cast<uint8_t*>(finish_output.data));
1535
1536 if ((!out_params && finish_out_params.length) || (!output && finish_output.data_length)) {
1537 return KM_ERROR_OUTPUT_PARAMETER_NULL;
1538 }
1539
1540 if (out_params) {
1541 *out_params = finish_out_params;
1542 }
1543
1544 if (output) {
1545 *output = finish_output;
1546 }
1547
1548 finish_out_params_deleter.release();
1549 finish_output_deleter.release();
1550
1551 return KM_ERROR_OK;
1552 }
1553
1554 FinishOperationRequest request;
1555 request.op_handle = operation_handle;
1556 if (signature && signature->data_length > 0)
1557 request.signature.Reinitialize(signature->data, signature->data_length);
1558 if (input && input->data_length > 0)
1559 request.input.Reinitialize(input->data, input->data_length);
1560 request.additional_params.Reinitialize(*params);
1561
1562 FinishOperationResponse response;
1563 convert_device(dev)->impl_->FinishOperation(request, &response);
1564 if (response.error != KM_ERROR_OK)
1565 return response.error;
1566
1567 if (response.output_params.size() > 0) {
1568 if (out_params)
1569 response.output_params.CopyToParamSet(out_params);
1570 else
1571 return KM_ERROR_OUTPUT_PARAMETER_NULL;
1572 }
1573 if (output) {
1574 output->data_length = response.output.available_read();
1575 uint8_t* tmp = reinterpret_cast<uint8_t*>(malloc(output->data_length));
1576 if (!tmp)
1577 return KM_ERROR_MEMORY_ALLOCATION_FAILED;
1578 memcpy(tmp, response.output.peek_read(), output->data_length);
1579 output->data = tmp;
1580 } else if (response.output.available_read() > 0) {
1581 return KM_ERROR_OUTPUT_PARAMETER_NULL;
1582 }
1583
1584 return KM_ERROR_OK;
1585 }
1586
1587 /* static */
abort(const keymaster1_device_t * dev,keymaster_operation_handle_t operation_handle)1588 keymaster_error_t SoftKeymasterDevice::abort(const keymaster1_device_t* dev,
1589 keymaster_operation_handle_t operation_handle) {
1590 const keymaster1_device_t* km1_dev = convert_device(dev)->wrapped_km1_device_;
1591 if (km1_dev && !convert_device(dev)->impl_->has_operation(operation_handle)) {
1592 // This operation is being handled by km1_dev (or doesn't exist). Pass it through to
1593 // km1_dev. Otherwise, we'll use the software AndroidKeymaster, which may delegate to
1594 // km1_dev.
1595 return km1_dev->abort(km1_dev, operation_handle);
1596 }
1597
1598 AbortOperationRequest request;
1599 request.op_handle = operation_handle;
1600 AbortOperationResponse response;
1601 convert_device(dev)->impl_->AbortOperation(request, &response);
1602 return response.error;
1603 }
1604
1605 /* static */
abort(const keymaster2_device_t * dev,keymaster_operation_handle_t operation_handle)1606 keymaster_error_t SoftKeymasterDevice::abort(const keymaster2_device_t* dev,
1607 keymaster_operation_handle_t operation_handle) {
1608 if (!dev)
1609 return KM_ERROR_UNEXPECTED_NULL_POINTER;
1610
1611 if (!convert_device(dev)->configured())
1612 return KM_ERROR_KEYMASTER_NOT_CONFIGURED;
1613
1614 SoftKeymasterDevice* sk_dev = convert_device(dev);
1615 return abort(&sk_dev->km1_device_, operation_handle);
1616 }
1617
1618 /* static */
StoreDefaultNewKeyParams(keymaster_algorithm_t algorithm,AuthorizationSet * auth_set)1619 void SoftKeymasterDevice::StoreDefaultNewKeyParams(keymaster_algorithm_t algorithm,
1620 AuthorizationSet* auth_set) {
1621 auth_set->push_back(TAG_PURPOSE, KM_PURPOSE_SIGN);
1622 auth_set->push_back(TAG_PURPOSE, KM_PURPOSE_VERIFY);
1623 auth_set->push_back(TAG_ALL_USERS);
1624 auth_set->push_back(TAG_NO_AUTH_REQUIRED);
1625
1626 // All digests.
1627 auth_set->push_back(TAG_DIGEST, KM_DIGEST_NONE);
1628 auth_set->push_back(TAG_DIGEST, KM_DIGEST_MD5);
1629 auth_set->push_back(TAG_DIGEST, KM_DIGEST_SHA1);
1630 auth_set->push_back(TAG_DIGEST, KM_DIGEST_SHA_2_224);
1631 auth_set->push_back(TAG_DIGEST, KM_DIGEST_SHA_2_256);
1632 auth_set->push_back(TAG_DIGEST, KM_DIGEST_SHA_2_384);
1633 auth_set->push_back(TAG_DIGEST, KM_DIGEST_SHA_2_512);
1634
1635 if (algorithm == KM_ALGORITHM_RSA) {
1636 auth_set->push_back(TAG_PURPOSE, KM_PURPOSE_ENCRYPT);
1637 auth_set->push_back(TAG_PURPOSE, KM_PURPOSE_DECRYPT);
1638 auth_set->push_back(TAG_PADDING, KM_PAD_NONE);
1639 auth_set->push_back(TAG_PADDING, KM_PAD_RSA_PKCS1_1_5_SIGN);
1640 auth_set->push_back(TAG_PADDING, KM_PAD_RSA_PKCS1_1_5_ENCRYPT);
1641 auth_set->push_back(TAG_PADDING, KM_PAD_RSA_PSS);
1642 auth_set->push_back(TAG_PADDING, KM_PAD_RSA_OAEP);
1643 }
1644 }
1645
1646 } // namespace keymaster
1647