1 /*
2 * Copyright 2015 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17 #include <keymaster/soft_keymaster_device.h>
18
19 #include <assert.h>
20 #include <stddef.h>
21 #include <stdio.h>
22 #include <stdlib.h>
23 #include <string.h>
24 #include <time.h>
25
26 #include <algorithm>
27 #include <vector>
28
29 #include <type_traits>
30
31 #include <openssl/x509.h>
32
33 #include <hardware/keymaster1.h>
34 #define LOG_TAG "SoftKeymasterDevice"
35 #include <log/log.h>
36
37 #include <keymaster/android_keymaster.h>
38 #include <keymaster/android_keymaster_messages.h>
39 #include <keymaster/android_keymaster_utils.h>
40 #include <keymaster/authorization_set.h>
41 #include <keymaster/contexts/soft_keymaster_context.h>
42 #include <keymaster/key.h>
43 #include <keymaster/km_openssl/openssl_utils.h>
44 #include <keymaster/soft_keymaster_logger.h>
45
46 struct keystore_module soft_keymaster1_device_module = {
47 .common =
48 {
49 .tag = HARDWARE_MODULE_TAG,
50 .module_api_version = KEYMASTER_MODULE_API_VERSION_1_0,
51 .hal_api_version = HARDWARE_HAL_API_VERSION,
52 .id = KEYSTORE_HARDWARE_MODULE_ID,
53 .name = "OpenSSL-based SoftKeymaster HAL",
54 .author = "The Android Open Source Project",
55 .methods = nullptr,
56 .dso = nullptr,
57 .reserved = {},
58 },
59 };
60
61 struct keystore_module soft_keymaster2_device_module = {
62 .common =
63 {
64 .tag = HARDWARE_MODULE_TAG,
65 .module_api_version = KEYMASTER_MODULE_API_VERSION_2_0,
66 .hal_api_version = HARDWARE_HAL_API_VERSION,
67 .id = KEYSTORE_HARDWARE_MODULE_ID,
68 .name = "OpenSSL-based SoftKeymaster HAL",
69 .author = "The Android Open Source Project",
70 .methods = nullptr,
71 .dso = nullptr,
72 .reserved = {},
73 },
74 };
75
76 namespace keymaster {
77
78 const size_t kMaximumAttestationChallengeLength = 128;
79 const size_t kOperationTableSize = 16;
80
make_vector(const T * array,size_t len)81 template <typename T> std::vector<T> make_vector(const T* array, size_t len) {
82 return std::vector<T>(array, array + len);
83 }
84
85 // This helper class implements just enough of the C++ standard collection interface to be able to
86 // accept push_back calls, and it does nothing but count them. It's useful when you want to count
87 // insertions but not actually store anything. It's used in digest_set_is_full below to count the
88 // size of a set intersection.
89 struct PushbackCounter {
90 struct value_type {
91 // NOLINTNEXTLINE(google-explicit-constructor)
value_typekeymaster::PushbackCounter::value_type92 template <typename T> value_type(const T&) {}
93 };
push_backkeymaster::PushbackCounter94 void push_back(const value_type&) { ++count; }
95 size_t count = 0;
96 };
97
98 static std::vector<keymaster_digest_t> full_digest_list = {
99 KM_DIGEST_MD5, KM_DIGEST_SHA1, KM_DIGEST_SHA_2_224,
100 KM_DIGEST_SHA_2_256, KM_DIGEST_SHA_2_384, KM_DIGEST_SHA_2_512};
101
digest_set_is_full(Iter begin,Iter end)102 template <typename Iter> static bool digest_set_is_full(Iter begin, Iter end) {
103 PushbackCounter counter;
104 std::set_intersection(begin, end, full_digest_list.begin(), full_digest_list.end(),
105 std::back_inserter(counter));
106 return counter.count == full_digest_list.size();
107 }
108
add_digests(keymaster1_device_t * dev,keymaster_algorithm_t algorithm,keymaster_purpose_t purpose,SoftKeymasterDevice::DigestMap * map,bool * supports_all)109 static keymaster_error_t add_digests(keymaster1_device_t* dev, keymaster_algorithm_t algorithm,
110 keymaster_purpose_t purpose,
111 SoftKeymasterDevice::DigestMap* map, bool* supports_all) {
112 auto key = std::make_pair(algorithm, purpose);
113
114 keymaster_digest_t* digests;
115 size_t digests_length;
116 keymaster_error_t error =
117 dev->get_supported_digests(dev, algorithm, purpose, &digests, &digests_length);
118 if (error != KM_ERROR_OK) {
119 LOG_E("Error %d getting supported digests from keymaster1 device", error);
120 return error;
121 }
122 std::unique_ptr<keymaster_digest_t, Malloc_Delete> digests_deleter(digests);
123
124 auto digest_vec = make_vector(digests, digests_length);
125 *supports_all = digest_set_is_full(digest_vec.begin(), digest_vec.end());
126 (*map)[key] = std::move(digest_vec);
127 return error;
128 }
129
map_digests(keymaster1_device_t * dev,SoftKeymasterDevice::DigestMap * map,bool * supports_all)130 static keymaster_error_t map_digests(keymaster1_device_t* dev, SoftKeymasterDevice::DigestMap* map,
131 bool* supports_all) {
132 map->clear();
133 *supports_all = true;
134
135 keymaster_algorithm_t sig_algorithms[] = {KM_ALGORITHM_RSA, KM_ALGORITHM_EC, KM_ALGORITHM_HMAC};
136 keymaster_purpose_t sig_purposes[] = {KM_PURPOSE_SIGN, KM_PURPOSE_VERIFY};
137 for (auto algorithm : sig_algorithms)
138 for (auto purpose : sig_purposes) {
139 bool alg_purpose_supports_all;
140 keymaster_error_t error =
141 add_digests(dev, algorithm, purpose, map, &alg_purpose_supports_all);
142 if (error != KM_ERROR_OK) return error;
143 *supports_all &= alg_purpose_supports_all;
144 }
145
146 keymaster_algorithm_t crypt_algorithms[] = {KM_ALGORITHM_RSA};
147 keymaster_purpose_t crypt_purposes[] = {KM_PURPOSE_ENCRYPT, KM_PURPOSE_DECRYPT};
148 for (auto algorithm : crypt_algorithms)
149 for (auto purpose : crypt_purposes) {
150 bool alg_purpose_supports_all;
151 keymaster_error_t error =
152 add_digests(dev, algorithm, purpose, map, &alg_purpose_supports_all);
153 if (error != KM_ERROR_OK) return error;
154 *supports_all &= alg_purpose_supports_all;
155 }
156
157 return KM_ERROR_OK;
158 }
159
SoftKeymasterDevice(KmVersion version)160 SoftKeymasterDevice::SoftKeymasterDevice(KmVersion version)
161 : wrapped_km1_device_(nullptr), context_(new (std::nothrow) SoftKeymasterContext(version)),
162 impl_(new (std::nothrow) AndroidKeymaster(context_, kOperationTableSize)),
163 configured_(false) {
164 LOG_I("Creating device");
165 LOG_D("Device address: %p", this);
166
167 initialize_device_struct(KEYMASTER_SOFTWARE_ONLY | KEYMASTER_BLOBS_ARE_STANDALONE |
168 KEYMASTER_SUPPORTS_EC);
169 }
170
SoftKeymasterDevice(SoftKeymasterContext * context)171 SoftKeymasterDevice::SoftKeymasterDevice(SoftKeymasterContext* context)
172 : wrapped_km1_device_(nullptr), context_(context),
173 impl_(new (std::nothrow) AndroidKeymaster(context_, kOperationTableSize)),
174 configured_(false) {
175 LOG_I("Creating test device");
176 LOG_D("Device address: %p", this);
177
178 initialize_device_struct(KEYMASTER_SOFTWARE_ONLY | KEYMASTER_BLOBS_ARE_STANDALONE |
179 KEYMASTER_SUPPORTS_EC);
180 }
181
SetHardwareDevice(keymaster1_device_t * keymaster1_device)182 keymaster_error_t SoftKeymasterDevice::SetHardwareDevice(keymaster1_device_t* keymaster1_device) {
183 assert(keymaster1_device);
184 LOG_D("Reinitializing SoftKeymasterDevice to use HW keymaster1");
185
186 if (!context_) return KM_ERROR_UNEXPECTED_NULL_POINTER;
187
188 keymaster_error_t error =
189 map_digests(keymaster1_device, &km1_device_digests_, &supports_all_digests_);
190 if (error != KM_ERROR_OK) return error;
191
192 error = context_->SetHardwareDevice(keymaster1_device);
193 if (error != KM_ERROR_OK) return error;
194
195 initialize_device_struct(keymaster1_device->flags);
196
197 module_name_ = km1_device_.common.module->name;
198 module_name_.append(" (Wrapping ");
199 module_name_.append(keymaster1_device->common.module->name);
200 module_name_.append(")");
201
202 updated_module_ = *km1_device_.common.module;
203 updated_module_.name = module_name_.c_str();
204
205 km1_device_.common.module = &updated_module_;
206
207 wrapped_km1_device_ = keymaster1_device;
208 return KM_ERROR_OK;
209 }
210
Keymaster1DeviceIsGood()211 bool SoftKeymasterDevice::Keymaster1DeviceIsGood() {
212 std::vector<keymaster_digest_t> expected_rsa_digests = {
213 KM_DIGEST_NONE, KM_DIGEST_MD5, KM_DIGEST_SHA1, KM_DIGEST_SHA_2_224,
214 KM_DIGEST_SHA_2_256, KM_DIGEST_SHA_2_384, KM_DIGEST_SHA_2_512};
215 std::vector<keymaster_digest_t> expected_ec_digests = {
216 KM_DIGEST_NONE, KM_DIGEST_SHA1, KM_DIGEST_SHA_2_224,
217 KM_DIGEST_SHA_2_256, KM_DIGEST_SHA_2_384, KM_DIGEST_SHA_2_512};
218
219 for (auto& entry : km1_device_digests_) {
220 if (entry.first.first == KM_ALGORITHM_RSA)
221 if (!std::is_permutation(entry.second.begin(), entry.second.end(),
222 expected_rsa_digests.begin()))
223 return false;
224 if (entry.first.first == KM_ALGORITHM_EC)
225 if (!std::is_permutation(entry.second.begin(), entry.second.end(),
226 expected_ec_digests.begin()))
227 return false;
228 }
229 return true;
230 }
231
initialize_device_struct(uint32_t flags)232 void SoftKeymasterDevice::initialize_device_struct(uint32_t flags) {
233 memset(&km1_device_, 0, sizeof(km1_device_));
234
235 km1_device_.common.tag = HARDWARE_DEVICE_TAG;
236 km1_device_.common.version = 1;
237 km1_device_.common.module = reinterpret_cast<hw_module_t*>(&soft_keymaster1_device_module);
238 km1_device_.common.close = &close_device;
239
240 km1_device_.flags = flags;
241
242 km1_device_.context = this;
243
244 // keymaster0 APIs
245 km1_device_.generate_keypair = nullptr;
246 km1_device_.import_keypair = nullptr;
247 km1_device_.get_keypair_public = nullptr;
248 km1_device_.delete_keypair = nullptr;
249 km1_device_.delete_all = nullptr;
250 km1_device_.sign_data = nullptr;
251 km1_device_.verify_data = nullptr;
252
253 // keymaster1 APIs
254 km1_device_.get_supported_algorithms = get_supported_algorithms;
255 km1_device_.get_supported_block_modes = get_supported_block_modes;
256 km1_device_.get_supported_padding_modes = get_supported_padding_modes;
257 km1_device_.get_supported_digests = get_supported_digests;
258 km1_device_.get_supported_import_formats = get_supported_import_formats;
259 km1_device_.get_supported_export_formats = get_supported_export_formats;
260 km1_device_.add_rng_entropy = add_rng_entropy;
261 km1_device_.generate_key = generate_key;
262 km1_device_.get_key_characteristics = get_key_characteristics;
263 km1_device_.import_key = import_key;
264 km1_device_.export_key = export_key;
265 km1_device_.delete_key = delete_key;
266 km1_device_.delete_all_keys = delete_all_keys;
267 km1_device_.begin = begin;
268 km1_device_.update = update;
269 km1_device_.finish = finish;
270 km1_device_.abort = abort;
271
272 // keymaster2 APIs
273 memset(&km2_device_, 0, sizeof(km2_device_));
274
275 km2_device_.flags = flags;
276 km2_device_.context = this;
277
278 km2_device_.common.tag = HARDWARE_DEVICE_TAG;
279 km2_device_.common.version = 1;
280 km2_device_.common.module = reinterpret_cast<hw_module_t*>(&soft_keymaster2_device_module);
281 km2_device_.common.close = &close_device;
282
283 km2_device_.configure = configure;
284 km2_device_.add_rng_entropy = add_rng_entropy;
285 km2_device_.generate_key = generate_key;
286 km2_device_.get_key_characteristics = get_key_characteristics;
287 km2_device_.import_key = import_key;
288 km2_device_.export_key = export_key;
289 km2_device_.attest_key = attest_key;
290 km2_device_.upgrade_key = upgrade_key;
291 km2_device_.delete_key = delete_key;
292 km2_device_.delete_all_keys = delete_all_keys;
293 km2_device_.begin = begin;
294 km2_device_.update = update;
295 km2_device_.finish = finish;
296 km2_device_.abort = abort;
297 }
298
hw_device()299 hw_device_t* SoftKeymasterDevice::hw_device() {
300 return &km1_device_.common;
301 }
302
keymaster_device()303 keymaster1_device_t* SoftKeymasterDevice::keymaster_device() {
304 return &km1_device_;
305 }
306
keymaster2_device()307 keymaster2_device_t* SoftKeymasterDevice::keymaster2_device() {
308 return &km2_device_;
309 }
310
311 namespace {
312
BuildCharacteristics(const AuthorizationSet & hw_enforced,const AuthorizationSet & sw_enforced)313 keymaster_key_characteristics_t* BuildCharacteristics(const AuthorizationSet& hw_enforced,
314 const AuthorizationSet& sw_enforced) {
315 keymaster_key_characteristics_t* characteristics =
316 reinterpret_cast<keymaster_key_characteristics_t*>(
317 malloc(sizeof(keymaster_key_characteristics_t)));
318 if (characteristics) {
319 hw_enforced.CopyToParamSet(&characteristics->hw_enforced);
320 sw_enforced.CopyToParamSet(&characteristics->sw_enforced);
321 }
322 return characteristics;
323 }
324
325 template <typename RequestType>
AddClientAndAppData(const keymaster_blob_t * client_id,const keymaster_blob_t * app_data,RequestType * request)326 void AddClientAndAppData(const keymaster_blob_t* client_id, const keymaster_blob_t* app_data,
327 RequestType* request) {
328 request->additional_params.Clear();
329 if (client_id) request->additional_params.push_back(TAG_APPLICATION_ID, *client_id);
330 if (app_data) request->additional_params.push_back(TAG_APPLICATION_DATA, *app_data);
331 }
332
convert_device(const T * dev)333 template <typename T> SoftKeymasterDevice* convert_device(const T* dev) {
334 static_assert((std::is_same<T, keymaster1_device_t>::value ||
335 std::is_same<T, keymaster2_device_t>::value),
336 "convert_device should only be applied to keymaster devices");
337 return reinterpret_cast<SoftKeymasterDevice*>(dev->context);
338 }
339
340 template <keymaster_tag_t Tag, keymaster_tag_type_t Type, typename KeymasterEnum>
FindTagValue(const keymaster_key_param_set_t & params,TypedEnumTag<Type,Tag,KeymasterEnum> tag,KeymasterEnum * value)341 bool FindTagValue(const keymaster_key_param_set_t& params,
342 TypedEnumTag<Type, Tag, KeymasterEnum> tag, KeymasterEnum* value) {
343 for (size_t i = 0; i < params.length; ++i)
344 if (params.params[i].tag == tag) {
345 *value = static_cast<KeymasterEnum>(params.params[i].enumerated);
346 return true;
347 }
348 return false;
349 }
350
351 } // namespace
352
353 /* static */
close_device(hw_device_t * dev)354 int SoftKeymasterDevice::close_device(hw_device_t* dev) {
355 switch (dev->module->module_api_version) {
356 case KEYMASTER_MODULE_API_VERSION_2_0: {
357 delete convert_device(reinterpret_cast<keymaster2_device_t*>(dev));
358 break;
359 }
360
361 case KEYMASTER_MODULE_API_VERSION_1_0: {
362 delete convert_device(reinterpret_cast<keymaster1_device_t*>(dev));
363 break;
364 }
365
366 default:
367 return -1;
368 }
369
370 return 0;
371 }
372
373 /* static */
get_supported_algorithms(const keymaster1_device_t * dev,keymaster_algorithm_t ** algorithms,size_t * algorithms_length)374 keymaster_error_t SoftKeymasterDevice::get_supported_algorithms(const keymaster1_device_t* dev,
375 keymaster_algorithm_t** algorithms,
376 size_t* algorithms_length) {
377 if (!dev) return KM_ERROR_UNEXPECTED_NULL_POINTER;
378
379 if (!algorithms || !algorithms_length) return KM_ERROR_OUTPUT_PARAMETER_NULL;
380
381 const keymaster1_device_t* km1_dev = convert_device(dev)->wrapped_km1_device_;
382 if (km1_dev) return km1_dev->get_supported_algorithms(km1_dev, algorithms, algorithms_length);
383
384 auto& impl_ = convert_device(dev)->impl_;
385 SupportedAlgorithmsRequest request(impl_->message_version());
386 SupportedAlgorithmsResponse response(impl_->message_version());
387 impl_->SupportedAlgorithms(request, &response);
388 if (response.error != KM_ERROR_OK) {
389 LOG_E("get_supported_algorithms failed with %d", response.error);
390
391 return response.error;
392 }
393
394 *algorithms_length = response.results_length;
395 *algorithms =
396 reinterpret_cast<keymaster_algorithm_t*>(malloc(*algorithms_length * sizeof(**algorithms)));
397 if (!*algorithms) return KM_ERROR_MEMORY_ALLOCATION_FAILED;
398 std::copy(response.results, response.results + response.results_length, *algorithms);
399 return KM_ERROR_OK;
400 }
401
402 /* static */
get_supported_block_modes(const keymaster1_device_t * dev,keymaster_algorithm_t algorithm,keymaster_purpose_t purpose,keymaster_block_mode_t ** modes,size_t * modes_length)403 keymaster_error_t SoftKeymasterDevice::get_supported_block_modes(const keymaster1_device_t* dev,
404 keymaster_algorithm_t algorithm,
405 keymaster_purpose_t purpose,
406 keymaster_block_mode_t** modes,
407 size_t* modes_length) {
408 if (!dev) return KM_ERROR_UNEXPECTED_NULL_POINTER;
409
410 if (!modes || !modes_length) return KM_ERROR_OUTPUT_PARAMETER_NULL;
411
412 const keymaster1_device_t* km1_dev = convert_device(dev)->wrapped_km1_device_;
413 if (km1_dev)
414 return km1_dev->get_supported_block_modes(km1_dev, algorithm, purpose, modes, modes_length);
415
416 auto& impl_ = convert_device(dev)->impl_;
417 SupportedBlockModesRequest request(impl_->message_version());
418 request.algorithm = algorithm;
419 request.purpose = purpose;
420 SupportedBlockModesResponse response(impl_->message_version());
421 impl_->SupportedBlockModes(request, &response);
422
423 if (response.error != KM_ERROR_OK) {
424 LOG_E("get_supported_block_modes failed with %d", response.error);
425
426 return response.error;
427 }
428
429 *modes_length = response.results_length;
430 *modes = reinterpret_cast<keymaster_block_mode_t*>(malloc(*modes_length * sizeof(**modes)));
431 if (!*modes) return KM_ERROR_MEMORY_ALLOCATION_FAILED;
432 std::copy(response.results, response.results + response.results_length, *modes);
433 return KM_ERROR_OK;
434 }
435
436 /* static */
get_supported_padding_modes(const keymaster1_device_t * dev,keymaster_algorithm_t algorithm,keymaster_purpose_t purpose,keymaster_padding_t ** modes,size_t * modes_length)437 keymaster_error_t SoftKeymasterDevice::get_supported_padding_modes(const keymaster1_device_t* dev,
438 keymaster_algorithm_t algorithm,
439 keymaster_purpose_t purpose,
440 keymaster_padding_t** modes,
441 size_t* modes_length) {
442 if (!dev) return KM_ERROR_UNEXPECTED_NULL_POINTER;
443
444 if (!modes || !modes_length) return KM_ERROR_OUTPUT_PARAMETER_NULL;
445
446 const keymaster1_device_t* km1_dev = convert_device(dev)->wrapped_km1_device_;
447 if (km1_dev)
448 return km1_dev->get_supported_padding_modes(km1_dev, algorithm, purpose, modes,
449 modes_length);
450
451 auto& impl_ = convert_device(dev)->impl_;
452 SupportedPaddingModesRequest request(impl_->message_version());
453 request.algorithm = algorithm;
454 request.purpose = purpose;
455 SupportedPaddingModesResponse response(impl_->message_version());
456 convert_device(dev)->impl_->SupportedPaddingModes(request, &response);
457
458 if (response.error != KM_ERROR_OK) {
459 LOG_E("get_supported_padding_modes failed with %d", response.error);
460 return response.error;
461 }
462
463 *modes_length = response.results_length;
464 *modes = reinterpret_cast<keymaster_padding_t*>(malloc(*modes_length * sizeof(**modes)));
465 if (!*modes) return KM_ERROR_MEMORY_ALLOCATION_FAILED;
466 std::copy(response.results, response.results + response.results_length, *modes);
467 return KM_ERROR_OK;
468 }
469
470 /* static */
get_supported_digests(const keymaster1_device_t * dev,keymaster_algorithm_t algorithm,keymaster_purpose_t purpose,keymaster_digest_t ** digests,size_t * digests_length)471 keymaster_error_t SoftKeymasterDevice::get_supported_digests(const keymaster1_device_t* dev,
472 keymaster_algorithm_t algorithm,
473 keymaster_purpose_t purpose,
474 keymaster_digest_t** digests,
475 size_t* digests_length) {
476 if (!dev) return KM_ERROR_UNEXPECTED_NULL_POINTER;
477
478 if (!digests || !digests_length) return KM_ERROR_OUTPUT_PARAMETER_NULL;
479
480 const keymaster1_device_t* km1_dev = convert_device(dev)->wrapped_km1_device_;
481 if (km1_dev)
482 return km1_dev->get_supported_digests(km1_dev, algorithm, purpose, digests, digests_length);
483
484 auto& impl_ = convert_device(dev)->impl_;
485 SupportedDigestsRequest request(impl_->message_version());
486 request.algorithm = algorithm;
487 request.purpose = purpose;
488 SupportedDigestsResponse response(impl_->message_version());
489 impl_->SupportedDigests(request, &response);
490
491 if (response.error != KM_ERROR_OK) {
492 LOG_E("get_supported_digests failed with %d", response.error);
493 return response.error;
494 }
495
496 *digests_length = response.results_length;
497 *digests = reinterpret_cast<keymaster_digest_t*>(malloc(*digests_length * sizeof(**digests)));
498 if (!*digests) return KM_ERROR_MEMORY_ALLOCATION_FAILED;
499 std::copy(response.results, response.results + response.results_length, *digests);
500 return KM_ERROR_OK;
501 }
502
503 /* static */
get_supported_import_formats(const keymaster1_device_t * dev,keymaster_algorithm_t algorithm,keymaster_key_format_t ** formats,size_t * formats_length)504 keymaster_error_t SoftKeymasterDevice::get_supported_import_formats(
505 const keymaster1_device_t* dev, keymaster_algorithm_t algorithm,
506 keymaster_key_format_t** formats, size_t* formats_length) {
507 if (!dev) return KM_ERROR_UNEXPECTED_NULL_POINTER;
508
509 if (!formats || !formats_length) return KM_ERROR_OUTPUT_PARAMETER_NULL;
510
511 const keymaster1_device_t* km1_dev = convert_device(dev)->wrapped_km1_device_;
512 if (km1_dev)
513 return km1_dev->get_supported_import_formats(km1_dev, algorithm, formats, formats_length);
514
515 auto& impl_ = convert_device(dev)->impl_;
516 SupportedImportFormatsRequest request(impl_->message_version());
517 request.algorithm = algorithm;
518 SupportedImportFormatsResponse response(impl_->message_version());
519 impl_->SupportedImportFormats(request, &response);
520
521 if (response.error != KM_ERROR_OK) {
522 LOG_E("get_supported_import_formats failed with %d", response.error);
523 return response.error;
524 }
525
526 *formats_length = response.results_length;
527 *formats =
528 reinterpret_cast<keymaster_key_format_t*>(malloc(*formats_length * sizeof(**formats)));
529 if (!*formats) return KM_ERROR_MEMORY_ALLOCATION_FAILED;
530 std::copy(response.results, response.results + response.results_length, *formats);
531 return KM_ERROR_OK;
532 }
533
534 /* static */
get_supported_export_formats(const keymaster1_device_t * dev,keymaster_algorithm_t algorithm,keymaster_key_format_t ** formats,size_t * formats_length)535 keymaster_error_t SoftKeymasterDevice::get_supported_export_formats(
536 const keymaster1_device_t* dev, keymaster_algorithm_t algorithm,
537 keymaster_key_format_t** formats, size_t* formats_length) {
538 if (!dev) return KM_ERROR_UNEXPECTED_NULL_POINTER;
539
540 if (!formats || !formats_length) return KM_ERROR_OUTPUT_PARAMETER_NULL;
541
542 const keymaster1_device_t* km1_dev = convert_device(dev)->wrapped_km1_device_;
543 if (km1_dev)
544 return km1_dev->get_supported_export_formats(km1_dev, algorithm, formats, formats_length);
545
546 auto& impl_ = convert_device(dev)->impl_;
547 SupportedExportFormatsRequest request(impl_->message_version());
548 request.algorithm = algorithm;
549 SupportedExportFormatsResponse response(impl_->message_version());
550 impl_->SupportedExportFormats(request, &response);
551
552 if (response.error != KM_ERROR_OK) {
553 LOG_E("get_supported_export_formats failed with %d", response.error);
554 return response.error;
555 }
556
557 *formats_length = response.results_length;
558 *formats =
559 reinterpret_cast<keymaster_key_format_t*>(malloc(*formats_length * sizeof(**formats)));
560 if (!*formats) return KM_ERROR_MEMORY_ALLOCATION_FAILED;
561 std::copy(response.results, response.results + *formats_length, *formats);
562 return KM_ERROR_OK;
563 }
564
565 /* static */
configure(const keymaster2_device_t * dev,const keymaster_key_param_set_t * params)566 keymaster_error_t SoftKeymasterDevice::configure(const keymaster2_device_t* dev,
567 const keymaster_key_param_set_t* params) {
568 AuthorizationSet params_copy(*params);
569 auto& impl_ = convert_device(dev)->impl_;
570 ConfigureRequest request(impl_->message_version());
571 if (!params_copy.GetTagValue(TAG_OS_VERSION, &request.os_version) ||
572 !params_copy.GetTagValue(TAG_OS_PATCHLEVEL, &request.os_patchlevel)) {
573 LOG_E("Configuration parameters must contain OS version and patch level");
574 return KM_ERROR_INVALID_ARGUMENT;
575 }
576 ConfigureResponse response(impl_->message_version());
577 impl_->Configure(request, &response);
578 if (response.error == KM_ERROR_OK) convert_device(dev)->configured_ = true;
579 return response.error;
580 }
581
582 /* static */
add_rng_entropy(const keymaster1_device_t * dev,const uint8_t * data,size_t data_length)583 keymaster_error_t SoftKeymasterDevice::add_rng_entropy(const keymaster1_device_t* dev,
584 const uint8_t* data, size_t data_length) {
585 if (!dev) return KM_ERROR_UNEXPECTED_NULL_POINTER;
586
587 const keymaster1_device_t* km1_dev = convert_device(dev)->wrapped_km1_device_;
588 if (km1_dev) return km1_dev->add_rng_entropy(km1_dev, data, data_length);
589
590 auto& impl_ = convert_device(dev)->impl_;
591 AddEntropyRequest request(impl_->message_version());
592 request.random_data.Reinitialize(data, data_length);
593 AddEntropyResponse response(impl_->message_version());
594 impl_->AddRngEntropy(request, &response);
595 if (response.error != KM_ERROR_OK) LOG_E("add_rng_entropy failed with %d", response.error);
596 return response.error;
597 }
598
599 /* static */
add_rng_entropy(const keymaster2_device_t * dev,const uint8_t * data,size_t data_length)600 keymaster_error_t SoftKeymasterDevice::add_rng_entropy(const keymaster2_device_t* dev,
601 const uint8_t* data, size_t data_length) {
602 if (!dev) return KM_ERROR_UNEXPECTED_NULL_POINTER;
603
604 if (!convert_device(dev)->configured()) return KM_ERROR_KEYMASTER_NOT_CONFIGURED;
605
606 SoftKeymasterDevice* sk_dev = convert_device(dev);
607 return add_rng_entropy(&sk_dev->km1_device_, data, data_length);
608 }
609
contains(const Collection & c,const Value & v)610 template <typename Collection, typename Value> bool contains(const Collection& c, const Value& v) {
611 return std::find(c.begin(), c.end(), v) != c.end();
612 }
613
FindUnsupportedDigest(keymaster_algorithm_t algorithm,keymaster_purpose_t purpose,const AuthorizationSet & params,keymaster_digest_t * unsupported) const614 bool SoftKeymasterDevice::FindUnsupportedDigest(keymaster_algorithm_t algorithm,
615 keymaster_purpose_t purpose,
616 const AuthorizationSet& params,
617 keymaster_digest_t* unsupported) const {
618 assert(wrapped_km1_device_);
619
620 auto supported_digests = km1_device_digests_.find(std::make_pair(algorithm, purpose));
621 if (supported_digests == km1_device_digests_.end())
622 // Invalid algorith/purpose pair (e.g. EC encrypt). Let the error be handled by HW module.
623 return false;
624
625 for (auto& entry : params)
626 if (entry.tag == TAG_DIGEST)
627 if (!contains(supported_digests->second, entry.enumerated)) {
628 LOG_I("Digest %d requested but not supported by module %s", entry.enumerated,
629 wrapped_km1_device_->common.module->name);
630 *unsupported = static_cast<keymaster_digest_t>(entry.enumerated);
631 return true;
632 }
633 return false;
634 }
635
RequiresSoftwareDigesting(keymaster_algorithm_t algorithm,keymaster_purpose_t purpose,const AuthorizationSet & params) const636 bool SoftKeymasterDevice::RequiresSoftwareDigesting(keymaster_algorithm_t algorithm,
637 keymaster_purpose_t purpose,
638 const AuthorizationSet& params) const {
639 assert(wrapped_km1_device_);
640 if (!wrapped_km1_device_) return true;
641
642 switch (algorithm) {
643 case KM_ALGORITHM_AES:
644 case KM_ALGORITHM_TRIPLE_DES:
645 LOG_D("Not performing software digesting for algorithm %d", algorithm);
646 return false;
647 case KM_ALGORITHM_HMAC:
648 case KM_ALGORITHM_RSA:
649 case KM_ALGORITHM_EC:
650 break;
651 }
652
653 keymaster_digest_t unsupported;
654 if (!FindUnsupportedDigest(algorithm, purpose, params, &unsupported)) {
655 LOG_D("Requested digest(s) supported for algorithm %d and purpose %d", algorithm, purpose);
656 return false;
657 }
658
659 return true;
660 }
661
KeyRequiresSoftwareDigesting(const AuthorizationSet & key_description) const662 bool SoftKeymasterDevice::KeyRequiresSoftwareDigesting(
663 const AuthorizationSet& key_description) const {
664 assert(wrapped_km1_device_);
665 if (!wrapped_km1_device_) return true;
666
667 keymaster_algorithm_t algorithm;
668 if (!key_description.GetTagValue(TAG_ALGORITHM, &algorithm)) {
669 // The hardware module will return an error during keygen.
670 return false;
671 }
672
673 for (auto& entry : key_description)
674 if (entry.tag == TAG_PURPOSE) {
675 keymaster_purpose_t purpose = static_cast<keymaster_purpose_t>(entry.enumerated);
676 if (RequiresSoftwareDigesting(algorithm, purpose, key_description)) return true;
677 }
678
679 return false;
680 }
681
682 /* static */
generate_key(const keymaster1_device_t * dev,const keymaster_key_param_set_t * params,keymaster_key_blob_t * key_blob,keymaster_key_characteristics_t ** characteristics)683 keymaster_error_t SoftKeymasterDevice::generate_key(
684 const keymaster1_device_t* dev, const keymaster_key_param_set_t* params,
685 keymaster_key_blob_t* key_blob, keymaster_key_characteristics_t** characteristics) {
686 if (!dev || !params) return KM_ERROR_UNEXPECTED_NULL_POINTER;
687
688 if (!key_blob) return KM_ERROR_OUTPUT_PARAMETER_NULL;
689
690 SoftKeymasterDevice* sk_dev = convert_device(dev);
691
692 auto& impl_ = sk_dev->impl_;
693 GenerateKeyRequest request(impl_->message_version());
694 request.key_description.Reinitialize(*params);
695
696 keymaster1_device_t* km1_dev = sk_dev->wrapped_km1_device_;
697 if (km1_dev && !sk_dev->KeyRequiresSoftwareDigesting(request.key_description))
698 return km1_dev->generate_key(km1_dev, params, key_blob, characteristics);
699
700 GenerateKeyResponse response(impl_->message_version());
701 impl_->GenerateKey(request, &response);
702 if (response.error != KM_ERROR_OK) return response.error;
703
704 key_blob->key_material_size = response.key_blob.key_material_size;
705 uint8_t* tmp = reinterpret_cast<uint8_t*>(malloc(key_blob->key_material_size));
706 if (!tmp) return KM_ERROR_MEMORY_ALLOCATION_FAILED;
707 memcpy(tmp, response.key_blob.key_material, response.key_blob.key_material_size);
708 key_blob->key_material = tmp;
709
710 if (characteristics) {
711 // This is a keymaster1 method, and keymaster1 doesn't include version info, so remove it.
712 response.enforced.erase(response.enforced.find(TAG_OS_VERSION));
713 response.enforced.erase(response.enforced.find(TAG_OS_PATCHLEVEL));
714 response.unenforced.erase(response.unenforced.find(TAG_OS_VERSION));
715 response.unenforced.erase(response.unenforced.find(TAG_OS_PATCHLEVEL));
716
717 *characteristics = BuildCharacteristics(response.enforced, response.unenforced);
718 if (!*characteristics) return KM_ERROR_MEMORY_ALLOCATION_FAILED;
719 }
720
721 return KM_ERROR_OK;
722 }
723
724 keymaster_error_t
generate_key(const keymaster2_device_t * dev,const keymaster_key_param_set_t * params,keymaster_key_blob_t * key_blob,keymaster_key_characteristics_t * characteristics)725 SoftKeymasterDevice::generate_key(const keymaster2_device_t* dev, //
726 const keymaster_key_param_set_t* params,
727 keymaster_key_blob_t* key_blob,
728 keymaster_key_characteristics_t* characteristics) {
729 if (!dev) return KM_ERROR_UNEXPECTED_NULL_POINTER;
730
731 if (!convert_device(dev)->configured()) return KM_ERROR_KEYMASTER_NOT_CONFIGURED;
732
733 if (!key_blob) return KM_ERROR_OUTPUT_PARAMETER_NULL;
734
735 SoftKeymasterDevice* sk_dev = convert_device(dev);
736
737 auto& impl_ = sk_dev->impl_;
738 GenerateKeyRequest request(impl_->message_version());
739 request.key_description.Reinitialize(*params);
740
741 keymaster1_device_t* km1_dev = sk_dev->wrapped_km1_device_;
742 if (km1_dev && !sk_dev->KeyRequiresSoftwareDigesting(request.key_description)) {
743 keymaster_ec_curve_t curve;
744 if (request.key_description.Contains(TAG_ALGORITHM, KM_ALGORITHM_EC) &&
745 request.key_description.GetTagValue(TAG_EC_CURVE, &curve)) {
746 // Keymaster1 doesn't know about EC curves. We need to translate to key size.
747 uint32_t key_size_from_curve;
748 keymaster_error_t error = EcCurveToKeySize(curve, &key_size_from_curve);
749 if (error != KM_ERROR_OK) {
750 return error;
751 }
752
753 uint32_t key_size_from_desc;
754 if (request.key_description.GetTagValue(TAG_KEY_SIZE, &key_size_from_desc)) {
755 if (key_size_from_desc != key_size_from_curve) {
756 return KM_ERROR_INVALID_ARGUMENT;
757 }
758 } else {
759 request.key_description.push_back(TAG_KEY_SIZE, key_size_from_curve);
760 }
761 }
762
763 keymaster_key_characteristics_t* chars_ptr;
764 keymaster_error_t error = km1_dev->generate_key(km1_dev, &request.key_description, key_blob,
765 characteristics ? &chars_ptr : nullptr);
766 if (error != KM_ERROR_OK) return error;
767
768 if (characteristics) {
769 *characteristics = *chars_ptr;
770 free(chars_ptr);
771 }
772
773 return KM_ERROR_OK;
774 }
775
776 GenerateKeyResponse response(impl_->message_version());
777 impl_->GenerateKey(request, &response);
778 if (response.error != KM_ERROR_OK) return response.error;
779
780 key_blob->key_material_size = response.key_blob.key_material_size;
781 uint8_t* tmp = reinterpret_cast<uint8_t*>(malloc(key_blob->key_material_size));
782 if (!tmp) return KM_ERROR_MEMORY_ALLOCATION_FAILED;
783 memcpy(tmp, response.key_blob.key_material, response.key_blob.key_material_size);
784 key_blob->key_material = tmp;
785
786 if (characteristics) {
787 response.enforced.CopyToParamSet(&characteristics->hw_enforced);
788 response.unenforced.CopyToParamSet(&characteristics->sw_enforced);
789 }
790
791 return KM_ERROR_OK;
792 }
793
794 /* static */
get_key_characteristics(const keymaster1_device_t * dev,const keymaster_key_blob_t * key_blob,const keymaster_blob_t * client_id,const keymaster_blob_t * app_data,keymaster_key_characteristics_t ** characteristics)795 keymaster_error_t SoftKeymasterDevice::get_key_characteristics(
796 const keymaster1_device_t* dev, const keymaster_key_blob_t* key_blob,
797 const keymaster_blob_t* client_id, const keymaster_blob_t* app_data,
798 keymaster_key_characteristics_t** characteristics) {
799 if (!dev || !key_blob || !key_blob->key_material) return KM_ERROR_UNEXPECTED_NULL_POINTER;
800
801 if (!characteristics) return KM_ERROR_OUTPUT_PARAMETER_NULL;
802
803 const keymaster1_device_t* km1_dev = convert_device(dev)->wrapped_km1_device_;
804 if (km1_dev) {
805 keymaster_error_t error = km1_dev->get_key_characteristics(km1_dev, key_blob, client_id,
806 app_data, characteristics);
807 if (error != KM_ERROR_INVALID_KEY_BLOB) {
808 return error;
809 }
810 // If we got "invalid blob", continue to try with the software device. This might be a
811 // software key blob.
812 }
813
814 auto& impl_ = convert_device(dev)->impl_;
815 GetKeyCharacteristicsRequest request(impl_->message_version());
816 request.SetKeyMaterial(*key_blob);
817 AddClientAndAppData(client_id, app_data, &request);
818
819 GetKeyCharacteristicsResponse response(impl_->message_version());
820 impl_->GetKeyCharacteristics(request, &response);
821 if (response.error != KM_ERROR_OK) return response.error;
822
823 // This is a keymaster1 method, and keymaster1 doesn't include version info, so remove it.
824 response.enforced.erase(response.enforced.find(TAG_OS_VERSION));
825 response.enforced.erase(response.enforced.find(TAG_OS_PATCHLEVEL));
826 response.unenforced.erase(response.unenforced.find(TAG_OS_VERSION));
827 response.unenforced.erase(response.unenforced.find(TAG_OS_PATCHLEVEL));
828
829 *characteristics = BuildCharacteristics(response.enforced, response.unenforced);
830 if (!*characteristics) return KM_ERROR_MEMORY_ALLOCATION_FAILED;
831
832 return KM_ERROR_OK;
833 }
834
835 /* static */
get_key_characteristics(const keymaster2_device_t * dev,const keymaster_key_blob_t * key_blob,const keymaster_blob_t * client_id,const keymaster_blob_t * app_data,keymaster_key_characteristics_t * characteristics)836 keymaster_error_t SoftKeymasterDevice::get_key_characteristics(
837 const keymaster2_device_t* dev, const keymaster_key_blob_t* key_blob,
838 const keymaster_blob_t* client_id, const keymaster_blob_t* app_data,
839 keymaster_key_characteristics_t* characteristics) {
840 if (!dev) return KM_ERROR_UNEXPECTED_NULL_POINTER;
841
842 if (!convert_device(dev)->configured()) return KM_ERROR_KEYMASTER_NOT_CONFIGURED;
843
844 if (!characteristics) return KM_ERROR_OUTPUT_PARAMETER_NULL;
845
846 SoftKeymasterDevice* sk_dev = convert_device(dev);
847
848 auto& impl_ = sk_dev->impl_;
849 GetKeyCharacteristicsRequest request(impl_->message_version());
850 request.SetKeyMaterial(*key_blob);
851 AddClientAndAppData(client_id, app_data, &request);
852
853 GetKeyCharacteristicsResponse response(impl_->message_version());
854 impl_->GetKeyCharacteristics(request, &response);
855 if (response.error != KM_ERROR_OK) return response.error;
856
857 response.enforced.CopyToParamSet(&characteristics->hw_enforced);
858 response.unenforced.CopyToParamSet(&characteristics->sw_enforced);
859
860 return KM_ERROR_OK;
861 }
862
863 /* static */
import_key(const keymaster1_device_t * dev,const keymaster_key_param_set_t * params,keymaster_key_format_t key_format,const keymaster_blob_t * key_data,keymaster_key_blob_t * key_blob,keymaster_key_characteristics_t ** characteristics)864 keymaster_error_t SoftKeymasterDevice::import_key(
865 const keymaster1_device_t* dev, const keymaster_key_param_set_t* params,
866 keymaster_key_format_t key_format, const keymaster_blob_t* key_data,
867 keymaster_key_blob_t* key_blob, keymaster_key_characteristics_t** characteristics) {
868 if (!params || !key_data) return KM_ERROR_UNEXPECTED_NULL_POINTER;
869
870 if (!key_blob) return KM_ERROR_OUTPUT_PARAMETER_NULL;
871
872 SoftKeymasterDevice* sk_dev = convert_device(dev);
873
874 auto& impl_ = sk_dev->impl_;
875 ImportKeyRequest request(impl_->message_version());
876 request.key_description.Reinitialize(*params);
877
878 keymaster1_device_t* km1_dev = sk_dev->wrapped_km1_device_;
879 if (km1_dev && !sk_dev->KeyRequiresSoftwareDigesting(request.key_description))
880 return km1_dev->import_key(km1_dev, params, key_format, key_data, key_blob,
881 characteristics);
882
883 if (characteristics) *characteristics = nullptr;
884
885 request.key_format = key_format;
886 request.key_data = KeymasterKeyBlob(key_data->data, key_data->data_length);
887
888 ImportKeyResponse response(impl_->message_version());
889 impl_->ImportKey(request, &response);
890 if (response.error != KM_ERROR_OK) return response.error;
891
892 key_blob->key_material_size = response.key_blob.key_material_size;
893 key_blob->key_material = reinterpret_cast<uint8_t*>(malloc(key_blob->key_material_size));
894 if (!key_blob->key_material) return KM_ERROR_MEMORY_ALLOCATION_FAILED;
895 memcpy(const_cast<uint8_t*>(key_blob->key_material), response.key_blob.key_material,
896 response.key_blob.key_material_size);
897
898 if (characteristics) {
899 *characteristics = BuildCharacteristics(response.enforced, response.unenforced);
900 if (!*characteristics) return KM_ERROR_MEMORY_ALLOCATION_FAILED;
901 }
902 return KM_ERROR_OK;
903 }
904
905 /* static */
import_key(const keymaster2_device_t * dev,const keymaster_key_param_set_t * params,keymaster_key_format_t key_format,const keymaster_blob_t * key_data,keymaster_key_blob_t * key_blob,keymaster_key_characteristics_t * characteristics)906 keymaster_error_t SoftKeymasterDevice::import_key(
907 const keymaster2_device_t* dev, const keymaster_key_param_set_t* params,
908 keymaster_key_format_t key_format, const keymaster_blob_t* key_data,
909 keymaster_key_blob_t* key_blob, keymaster_key_characteristics_t* characteristics) {
910 if (!dev) return KM_ERROR_UNEXPECTED_NULL_POINTER;
911
912 if (!convert_device(dev)->configured()) return KM_ERROR_KEYMASTER_NOT_CONFIGURED;
913
914 SoftKeymasterDevice* sk_dev = convert_device(dev);
915
916 keymaster_error_t error;
917 if (characteristics) {
918 keymaster_key_characteristics_t* characteristics_ptr;
919 error = import_key(&sk_dev->km1_device_, params, key_format, key_data, key_blob,
920 &characteristics_ptr);
921 if (error == KM_ERROR_OK) {
922 *characteristics = *characteristics_ptr;
923 free(characteristics_ptr);
924 }
925 } else {
926 error = import_key(&sk_dev->km1_device_, params, key_format, key_data, key_blob, nullptr);
927 }
928
929 return error;
930 }
931
932 /* static */
export_key(const keymaster1_device_t * dev,keymaster_key_format_t export_format,const keymaster_key_blob_t * key_to_export,const keymaster_blob_t * client_id,const keymaster_blob_t * app_data,keymaster_blob_t * export_data)933 keymaster_error_t SoftKeymasterDevice::export_key(const keymaster1_device_t* dev,
934 keymaster_key_format_t export_format,
935 const keymaster_key_blob_t* key_to_export,
936 const keymaster_blob_t* client_id,
937 const keymaster_blob_t* app_data,
938 keymaster_blob_t* export_data) {
939 if (!key_to_export || !key_to_export->key_material) return KM_ERROR_UNEXPECTED_NULL_POINTER;
940
941 if (!export_data) return KM_ERROR_OUTPUT_PARAMETER_NULL;
942
943 const keymaster1_device_t* km1_dev = convert_device(dev)->wrapped_km1_device_;
944 if (km1_dev)
945 return km1_dev->export_key(km1_dev, export_format, key_to_export, client_id, app_data,
946 export_data);
947
948 export_data->data = nullptr;
949 export_data->data_length = 0;
950
951 auto& impl_ = convert_device(dev)->impl_;
952 ExportKeyRequest request(impl_->message_version());
953 request.key_format = export_format;
954 request.SetKeyMaterial(*key_to_export);
955 AddClientAndAppData(client_id, app_data, &request);
956
957 ExportKeyResponse response(impl_->message_version());
958 impl_->ExportKey(request, &response);
959 if (response.error != KM_ERROR_OK) return response.error;
960
961 export_data->data_length = response.key_data_length;
962 uint8_t* tmp = reinterpret_cast<uint8_t*>(malloc(export_data->data_length));
963 if (!tmp) return KM_ERROR_MEMORY_ALLOCATION_FAILED;
964 memcpy(tmp, response.key_data, export_data->data_length);
965 export_data->data = tmp;
966 return KM_ERROR_OK;
967 }
968
969 /* static */
export_key(const keymaster2_device_t * dev,keymaster_key_format_t export_format,const keymaster_key_blob_t * key_to_export,const keymaster_blob_t * client_id,const keymaster_blob_t * app_data,keymaster_blob_t * export_data)970 keymaster_error_t SoftKeymasterDevice::export_key(const keymaster2_device_t* dev,
971 keymaster_key_format_t export_format,
972 const keymaster_key_blob_t* key_to_export,
973 const keymaster_blob_t* client_id,
974 const keymaster_blob_t* app_data,
975 keymaster_blob_t* export_data) {
976 if (!dev) return KM_ERROR_UNEXPECTED_NULL_POINTER;
977
978 if (!convert_device(dev)->configured()) return KM_ERROR_KEYMASTER_NOT_CONFIGURED;
979
980 SoftKeymasterDevice* sk_dev = convert_device(dev);
981 return export_key(&sk_dev->km1_device_, export_format, key_to_export, client_id, app_data,
982 export_data);
983 }
984
985 /* static */
attest_key(const keymaster2_device_t * dev,const keymaster_key_blob_t * key_to_attest,const keymaster_key_param_set_t * attest_params,keymaster_cert_chain_t * cert_chain)986 keymaster_error_t SoftKeymasterDevice::attest_key(const keymaster2_device_t* dev,
987 const keymaster_key_blob_t* key_to_attest,
988 const keymaster_key_param_set_t* attest_params,
989 keymaster_cert_chain_t* cert_chain) {
990 if (!dev || !key_to_attest || !attest_params || !cert_chain)
991 return KM_ERROR_UNEXPECTED_NULL_POINTER;
992
993 if (!convert_device(dev)->configured()) return KM_ERROR_KEYMASTER_NOT_CONFIGURED;
994
995 *cert_chain = {};
996
997 auto& impl_ = convert_device(dev)->impl_;
998 AttestKeyRequest request(impl_->message_version());
999 request.SetKeyMaterial(*key_to_attest);
1000 request.attest_params.Reinitialize(*attest_params);
1001
1002 keymaster_blob_t attestation_challenge = {};
1003 request.attest_params.GetTagValue(TAG_ATTESTATION_CHALLENGE, &attestation_challenge);
1004 if (attestation_challenge.data_length > kMaximumAttestationChallengeLength) {
1005 LOG_E("%zu-byte attestation challenge; only %zu bytes allowed",
1006 attestation_challenge.data_length, kMaximumAttestationChallengeLength);
1007 return KM_ERROR_INVALID_INPUT_LENGTH;
1008 }
1009
1010 AttestKeyResponse response(impl_->message_version());
1011 impl_->AttestKey(request, &response);
1012 if (response.error != KM_ERROR_OK) return response.error;
1013
1014 // Allocate and clear storage for cert_chain.
1015 keymaster_cert_chain_t& rsp_chain = response.certificate_chain;
1016 cert_chain->entries = reinterpret_cast<keymaster_blob_t*>(
1017 malloc(rsp_chain.entry_count * sizeof(*cert_chain->entries)));
1018 if (!cert_chain->entries) return KM_ERROR_MEMORY_ALLOCATION_FAILED;
1019 cert_chain->entry_count = rsp_chain.entry_count;
1020 for (keymaster_blob_t& entry : array_range(cert_chain->entries, cert_chain->entry_count))
1021 entry = {};
1022
1023 // Copy cert_chain contents
1024 size_t i = 0;
1025 for (keymaster_blob_t& entry : array_range(rsp_chain.entries, rsp_chain.entry_count)) {
1026 cert_chain->entries[i].data = reinterpret_cast<uint8_t*>(malloc(entry.data_length));
1027 if (!cert_chain->entries[i].data) {
1028 keymaster_free_cert_chain(cert_chain);
1029 return KM_ERROR_MEMORY_ALLOCATION_FAILED;
1030 }
1031 cert_chain->entries[i].data_length = entry.data_length;
1032 memcpy(const_cast<uint8_t*>(cert_chain->entries[i].data), entry.data, entry.data_length);
1033 ++i;
1034 }
1035
1036 return KM_ERROR_OK;
1037 }
1038
1039 /* static */
upgrade_key(const keymaster2_device_t * dev,const keymaster_key_blob_t * key_to_upgrade,const keymaster_key_param_set_t * upgrade_params,keymaster_key_blob_t * upgraded_key)1040 keymaster_error_t SoftKeymasterDevice::upgrade_key(const keymaster2_device_t* dev,
1041 const keymaster_key_blob_t* key_to_upgrade,
1042 const keymaster_key_param_set_t* upgrade_params,
1043 keymaster_key_blob_t* upgraded_key) {
1044 if (!dev || !key_to_upgrade || !upgrade_params) return KM_ERROR_UNEXPECTED_NULL_POINTER;
1045
1046 if (!upgraded_key) return KM_ERROR_OUTPUT_PARAMETER_NULL;
1047
1048 if (!convert_device(dev)->configured()) return KM_ERROR_KEYMASTER_NOT_CONFIGURED;
1049
1050 auto& impl_ = convert_device(dev)->impl_;
1051 UpgradeKeyRequest request(impl_->message_version());
1052 request.SetKeyMaterial(*key_to_upgrade);
1053 request.upgrade_params.Reinitialize(*upgrade_params);
1054
1055 UpgradeKeyResponse response(impl_->message_version());
1056 impl_->UpgradeKey(request, &response);
1057 if (response.error != KM_ERROR_OK) return response.error;
1058
1059 upgraded_key->key_material_size = response.upgraded_key.key_material_size;
1060 uint8_t* tmp = reinterpret_cast<uint8_t*>(malloc(upgraded_key->key_material_size));
1061 if (!tmp) return KM_ERROR_MEMORY_ALLOCATION_FAILED;
1062 memcpy(tmp, response.upgraded_key.key_material, response.upgraded_key.key_material_size);
1063 upgraded_key->key_material = tmp;
1064
1065 return KM_ERROR_OK;
1066 }
1067
1068 /* static */
delete_key(const keymaster1_device_t * dev,const keymaster_key_blob_t * key)1069 keymaster_error_t SoftKeymasterDevice::delete_key(const keymaster1_device_t* dev,
1070 const keymaster_key_blob_t* key) {
1071 if (!dev || !key || !key->key_material) return KM_ERROR_UNEXPECTED_NULL_POINTER;
1072
1073 KeymasterKeyBlob blob(*key);
1074 return convert_device(dev)->context_->DeleteKey(blob);
1075 }
1076
1077 /* static */
delete_key(const keymaster2_device_t * dev,const keymaster_key_blob_t * key)1078 keymaster_error_t SoftKeymasterDevice::delete_key(const keymaster2_device_t* dev,
1079 const keymaster_key_blob_t* key) {
1080 if (!dev || !key || !key->key_material) return KM_ERROR_UNEXPECTED_NULL_POINTER;
1081
1082 if (!convert_device(dev)->configured()) return KM_ERROR_KEYMASTER_NOT_CONFIGURED;
1083
1084 KeymasterKeyBlob blob(*key);
1085 return convert_device(dev)->context_->DeleteKey(blob);
1086 }
1087
1088 /* static */
delete_all_keys(const keymaster1_device_t * dev)1089 keymaster_error_t SoftKeymasterDevice::delete_all_keys(const keymaster1_device_t* dev) {
1090 if (!dev) return KM_ERROR_UNEXPECTED_NULL_POINTER;
1091
1092 return convert_device(dev)->context_->DeleteAllKeys();
1093 }
1094
1095 /* static */
delete_all_keys(const keymaster2_device_t * dev)1096 keymaster_error_t SoftKeymasterDevice::delete_all_keys(const keymaster2_device_t* dev) {
1097 if (!dev) return KM_ERROR_UNEXPECTED_NULL_POINTER;
1098
1099 if (!convert_device(dev)->configured()) return KM_ERROR_KEYMASTER_NOT_CONFIGURED;
1100
1101 return convert_device(dev)->context_->DeleteAllKeys();
1102 }
1103
1104 /* static */
begin(const keymaster1_device_t * dev,keymaster_purpose_t purpose,const keymaster_key_blob_t * key,const keymaster_key_param_set_t * in_params,keymaster_key_param_set_t * out_params,keymaster_operation_handle_t * operation_handle)1105 keymaster_error_t SoftKeymasterDevice::begin(const keymaster1_device_t* dev,
1106 keymaster_purpose_t purpose,
1107 const keymaster_key_blob_t* key,
1108 const keymaster_key_param_set_t* in_params,
1109 keymaster_key_param_set_t* out_params,
1110 keymaster_operation_handle_t* operation_handle) {
1111 if (!dev || !key || !key->key_material) return KM_ERROR_UNEXPECTED_NULL_POINTER;
1112
1113 if (!operation_handle) return KM_ERROR_OUTPUT_PARAMETER_NULL;
1114
1115 SoftKeymasterDevice* skdev = convert_device(dev);
1116 const keymaster1_device_t* km1_dev = skdev->wrapped_km1_device_;
1117
1118 if (km1_dev) {
1119 AuthorizationSet in_params_set(*in_params);
1120
1121 UniquePtr<Key> akmKey; // android keymaster key
1122 skdev->context_->ParseKeyBlob(KeymasterKeyBlob(*key), in_params_set, &akmKey);
1123
1124 keymaster_algorithm_t algorithm = KM_ALGORITHM_AES;
1125 if (!akmKey->hw_enforced().GetTagValue(TAG_ALGORITHM, &algorithm) &&
1126 !akmKey->sw_enforced().GetTagValue(TAG_ALGORITHM, &algorithm)) {
1127 return KM_ERROR_INVALID_KEY_BLOB;
1128 }
1129
1130 if (algorithm == KM_ALGORITHM_HMAC) {
1131 // Because HMAC keys can have only one digest, in_params_set doesn't contain it. We
1132 // need to get the digest from the key and add it to in_params_set.
1133 keymaster_digest_t digest;
1134 if (!akmKey->hw_enforced().GetTagValue(TAG_DIGEST, &digest) &&
1135 !akmKey->sw_enforced().GetTagValue(TAG_DIGEST, &digest)) {
1136 return KM_ERROR_INVALID_KEY_BLOB;
1137 }
1138 in_params_set.push_back(TAG_DIGEST, digest);
1139 }
1140
1141 if (!skdev->RequiresSoftwareDigesting(algorithm, purpose, in_params_set)) {
1142 LOG_D("Operation supported by %s, passing through to keymaster1 module",
1143 km1_dev->common.module->name);
1144 return km1_dev->begin(km1_dev, purpose, key, in_params, out_params, operation_handle);
1145 }
1146 LOG_I("Doing software digesting for keymaster1 module %s", km1_dev->common.module->name);
1147 }
1148
1149 if (out_params) {
1150 out_params->params = nullptr;
1151 out_params->length = 0;
1152 }
1153
1154 auto& impl_ = skdev->impl_;
1155 BeginOperationRequest request(impl_->message_version());
1156 request.purpose = purpose;
1157 request.SetKeyMaterial(*key);
1158 request.additional_params.Reinitialize(*in_params);
1159
1160 BeginOperationResponse response(impl_->message_version());
1161 impl_->BeginOperation(request, &response);
1162 if (response.error != KM_ERROR_OK) return response.error;
1163
1164 if (response.output_params.size() > 0) {
1165 if (out_params)
1166 response.output_params.CopyToParamSet(out_params);
1167 else
1168 return KM_ERROR_OUTPUT_PARAMETER_NULL;
1169 }
1170
1171 *operation_handle = response.op_handle;
1172 return KM_ERROR_OK;
1173 }
1174
1175 /* static */
begin(const keymaster2_device_t * dev,keymaster_purpose_t purpose,const keymaster_key_blob_t * key,const keymaster_key_param_set_t * in_params,keymaster_key_param_set_t * out_params,keymaster_operation_handle_t * operation_handle)1176 keymaster_error_t SoftKeymasterDevice::begin(const keymaster2_device_t* dev,
1177 keymaster_purpose_t purpose,
1178 const keymaster_key_blob_t* key,
1179 const keymaster_key_param_set_t* in_params,
1180 keymaster_key_param_set_t* out_params,
1181 keymaster_operation_handle_t* operation_handle) {
1182 if (!dev) return KM_ERROR_UNEXPECTED_NULL_POINTER;
1183
1184 if (!convert_device(dev)->configured()) return KM_ERROR_KEYMASTER_NOT_CONFIGURED;
1185
1186 SoftKeymasterDevice* sk_dev = convert_device(dev);
1187 return begin(&sk_dev->km1_device_, purpose, key, in_params, out_params, operation_handle);
1188 }
1189
1190 /* static */
update(const keymaster1_device_t * dev,keymaster_operation_handle_t operation_handle,const keymaster_key_param_set_t * in_params,const keymaster_blob_t * input,size_t * input_consumed,keymaster_key_param_set_t * out_params,keymaster_blob_t * output)1191 keymaster_error_t SoftKeymasterDevice::update(const keymaster1_device_t* dev,
1192 keymaster_operation_handle_t operation_handle,
1193 const keymaster_key_param_set_t* in_params,
1194 const keymaster_blob_t* input, size_t* input_consumed,
1195 keymaster_key_param_set_t* out_params,
1196 keymaster_blob_t* output) {
1197 if (!input) return KM_ERROR_UNEXPECTED_NULL_POINTER;
1198
1199 if (!input_consumed) return KM_ERROR_OUTPUT_PARAMETER_NULL;
1200
1201 const keymaster1_device_t* km1_dev = convert_device(dev)->wrapped_km1_device_;
1202 if (km1_dev && !convert_device(dev)->impl_->has_operation(operation_handle)) {
1203 // This operation is being handled by km1_dev (or doesn't exist). Pass it through to
1204 // km1_dev. Otherwise, we'll use the software AndroidKeymaster, which may delegate to
1205 // km1_dev after doing necessary digesting.
1206 return km1_dev->update(km1_dev, operation_handle, in_params, input, input_consumed,
1207 out_params, output);
1208 }
1209
1210 if (out_params) {
1211 out_params->params = nullptr;
1212 out_params->length = 0;
1213 }
1214 if (output) {
1215 output->data = nullptr;
1216 output->data_length = 0;
1217 }
1218
1219 auto& impl_ = convert_device(dev)->impl_;
1220 UpdateOperationRequest request(impl_->message_version());
1221 request.op_handle = operation_handle;
1222 if (input) request.input.Reinitialize(input->data, input->data_length);
1223 if (in_params) request.additional_params.Reinitialize(*in_params);
1224
1225 UpdateOperationResponse response(impl_->message_version());
1226 impl_->UpdateOperation(request, &response);
1227 if (response.error != KM_ERROR_OK) return response.error;
1228
1229 if (response.output_params.size() > 0) {
1230 if (out_params)
1231 response.output_params.CopyToParamSet(out_params);
1232 else
1233 return KM_ERROR_OUTPUT_PARAMETER_NULL;
1234 }
1235
1236 *input_consumed = response.input_consumed;
1237 if (output) {
1238 output->data_length = response.output.available_read();
1239 uint8_t* tmp = reinterpret_cast<uint8_t*>(malloc(output->data_length));
1240 if (!tmp) return KM_ERROR_MEMORY_ALLOCATION_FAILED;
1241 memcpy(tmp, response.output.peek_read(), output->data_length);
1242 output->data = tmp;
1243 } else if (response.output.available_read() > 0) {
1244 return KM_ERROR_OUTPUT_PARAMETER_NULL;
1245 }
1246 return KM_ERROR_OK;
1247 }
1248
1249 /* static */
update(const keymaster2_device_t * dev,keymaster_operation_handle_t operation_handle,const keymaster_key_param_set_t * in_params,const keymaster_blob_t * input,size_t * input_consumed,keymaster_key_param_set_t * out_params,keymaster_blob_t * output)1250 keymaster_error_t SoftKeymasterDevice::update(const keymaster2_device_t* dev,
1251 keymaster_operation_handle_t operation_handle,
1252 const keymaster_key_param_set_t* in_params,
1253 const keymaster_blob_t* input, size_t* input_consumed,
1254 keymaster_key_param_set_t* out_params,
1255 keymaster_blob_t* output) {
1256 if (!dev) return KM_ERROR_UNEXPECTED_NULL_POINTER;
1257
1258 if (!convert_device(dev)->configured()) return KM_ERROR_KEYMASTER_NOT_CONFIGURED;
1259
1260 SoftKeymasterDevice* sk_dev = convert_device(dev);
1261 return update(&sk_dev->km1_device_, operation_handle, in_params, input, input_consumed,
1262 out_params, output);
1263 }
1264
1265 /* static */
finish(const keymaster1_device_t * dev,keymaster_operation_handle_t operation_handle,const keymaster_key_param_set_t * params,const keymaster_blob_t * signature,keymaster_key_param_set_t * out_params,keymaster_blob_t * output)1266 keymaster_error_t SoftKeymasterDevice::finish(const keymaster1_device_t* dev,
1267 keymaster_operation_handle_t operation_handle,
1268 const keymaster_key_param_set_t* params,
1269 const keymaster_blob_t* signature,
1270 keymaster_key_param_set_t* out_params,
1271 keymaster_blob_t* output) {
1272 if (!dev) return KM_ERROR_UNEXPECTED_NULL_POINTER;
1273
1274 const keymaster1_device_t* km1_dev = convert_device(dev)->wrapped_km1_device_;
1275 if (km1_dev && !convert_device(dev)->impl_->has_operation(operation_handle)) {
1276 // This operation is being handled by km1_dev (or doesn't exist). Pass it through to
1277 // km1_dev. Otherwise, we'll use the software AndroidKeymaster, which may delegate to
1278 // km1_dev after doing necessary digesting.
1279 return km1_dev->finish(km1_dev, operation_handle, params, signature, out_params, output);
1280 }
1281
1282 if (out_params) {
1283 out_params->params = nullptr;
1284 out_params->length = 0;
1285 }
1286
1287 if (output) {
1288 output->data = nullptr;
1289 output->data_length = 0;
1290 }
1291
1292 auto& impl_ = convert_device(dev)->impl_;
1293 FinishOperationRequest request(impl_->message_version());
1294 request.op_handle = operation_handle;
1295 if (signature && signature->data_length > 0)
1296 request.signature.Reinitialize(signature->data, signature->data_length);
1297 request.additional_params.Reinitialize(*params);
1298
1299 FinishOperationResponse response(impl_->message_version());
1300 impl_->FinishOperation(request, &response);
1301 if (response.error != KM_ERROR_OK) return response.error;
1302
1303 if (response.output_params.size() > 0) {
1304 if (out_params)
1305 response.output_params.CopyToParamSet(out_params);
1306 else
1307 return KM_ERROR_OUTPUT_PARAMETER_NULL;
1308 }
1309 if (output) {
1310 output->data_length = response.output.available_read();
1311 uint8_t* tmp = reinterpret_cast<uint8_t*>(malloc(output->data_length));
1312 if (!tmp) return KM_ERROR_MEMORY_ALLOCATION_FAILED;
1313 memcpy(tmp, response.output.peek_read(), output->data_length);
1314 output->data = tmp;
1315 } else if (response.output.available_read() > 0) {
1316 return KM_ERROR_OUTPUT_PARAMETER_NULL;
1317 }
1318
1319 return KM_ERROR_OK;
1320 }
1321
1322 struct KeyParamSetContents_Delete {
operator ()keymaster::KeyParamSetContents_Delete1323 void operator()(keymaster_key_param_set_t* p) { keymaster_free_param_set(p); }
1324 };
1325
1326 /* static */
finish(const keymaster2_device_t * dev,keymaster_operation_handle_t operation_handle,const keymaster_key_param_set_t * params,const keymaster_blob_t * input,const keymaster_blob_t * signature,keymaster_key_param_set_t * out_params,keymaster_blob_t * output)1327 keymaster_error_t SoftKeymasterDevice::finish(const keymaster2_device_t* dev,
1328 keymaster_operation_handle_t operation_handle,
1329 const keymaster_key_param_set_t* params,
1330 const keymaster_blob_t* input,
1331 const keymaster_blob_t* signature,
1332 keymaster_key_param_set_t* out_params,
1333 keymaster_blob_t* output) {
1334 if (!dev) return KM_ERROR_UNEXPECTED_NULL_POINTER;
1335
1336 if (!convert_device(dev)->configured()) return KM_ERROR_KEYMASTER_NOT_CONFIGURED;
1337
1338 if (out_params) *out_params = {};
1339
1340 if (output) *output = {};
1341
1342 const keymaster1_device_t* km1_dev = convert_device(dev)->wrapped_km1_device_;
1343 if (km1_dev && !convert_device(dev)->impl_->has_operation(operation_handle)) {
1344 // This operation is being handled by km1_dev (or doesn't exist). Pass it through to
1345 // km1_dev. Otherwise, we'll use the software AndroidKeymaster, which may delegate to
1346 // km1_dev after doing necessary digesting.
1347
1348 std::vector<uint8_t> accumulated_output;
1349 AuthorizationSet accumulated_out_params;
1350 AuthorizationSet mutable_params(*params);
1351 if (input && input->data && input->data_length) {
1352 // Keymaster1 doesn't support input to finish(). Call update() to process input.
1353
1354 accumulated_output.reserve(input->data_length); // Guess at output size
1355 keymaster_blob_t mutable_input = *input;
1356
1357 while (mutable_input.data_length > 0) {
1358 keymaster_key_param_set_t update_out_params = {};
1359 keymaster_blob_t update_output = {};
1360 size_t input_consumed = 0;
1361 keymaster_error_t error =
1362 km1_dev->update(km1_dev, operation_handle, &mutable_params, &mutable_input,
1363 &input_consumed, &update_out_params, &update_output);
1364 if (error != KM_ERROR_OK) {
1365 return error;
1366 }
1367
1368 accumulated_output.reserve(accumulated_output.size() + update_output.data_length);
1369 std::copy(update_output.data, update_output.data + update_output.data_length,
1370 std::back_inserter(accumulated_output));
1371 free(const_cast<uint8_t*>(update_output.data));
1372
1373 accumulated_out_params.push_back(update_out_params);
1374 keymaster_free_param_set(&update_out_params);
1375
1376 mutable_input.data += input_consumed;
1377 mutable_input.data_length -= input_consumed;
1378
1379 // AAD should only be sent once, so remove it if present.
1380 int aad_pos = mutable_params.find(TAG_ASSOCIATED_DATA);
1381 if (aad_pos != -1) {
1382 mutable_params.erase(aad_pos);
1383 }
1384
1385 if (input_consumed == 0) {
1386 // Apparently we need more input than we have to complete an operation.
1387 km1_dev->abort(km1_dev, operation_handle);
1388 return KM_ERROR_INVALID_INPUT_LENGTH;
1389 }
1390 }
1391 }
1392
1393 keymaster_key_param_set_t finish_out_params = {};
1394 keymaster_blob_t finish_output = {};
1395 keymaster_error_t error = km1_dev->finish(km1_dev, operation_handle, &mutable_params,
1396 signature, &finish_out_params, &finish_output);
1397 if (error != KM_ERROR_OK) {
1398 return error;
1399 }
1400
1401 if (!accumulated_out_params.empty()) {
1402 accumulated_out_params.push_back(finish_out_params);
1403 keymaster_free_param_set(&finish_out_params);
1404 accumulated_out_params.Deduplicate();
1405 accumulated_out_params.CopyToParamSet(&finish_out_params);
1406 }
1407 std::unique_ptr<keymaster_key_param_set_t, KeyParamSetContents_Delete>
1408 finish_out_params_deleter(&finish_out_params);
1409
1410 if (!accumulated_output.empty()) {
1411 size_t finish_out_length = accumulated_output.size() + finish_output.data_length;
1412 uint8_t* finish_out_buf = reinterpret_cast<uint8_t*>(malloc(finish_out_length));
1413
1414 std::copy(accumulated_output.begin(), accumulated_output.end(), finish_out_buf);
1415 std::copy(finish_output.data, finish_output.data + finish_output.data_length,
1416 finish_out_buf + accumulated_output.size());
1417
1418 free(const_cast<uint8_t*>(finish_output.data));
1419 finish_output.data_length = finish_out_length;
1420 finish_output.data = finish_out_buf;
1421 }
1422 std::unique_ptr<uint8_t, Malloc_Delete> finish_output_deleter(
1423 const_cast<uint8_t*>(finish_output.data));
1424
1425 if ((!out_params && finish_out_params.length) || (!output && finish_output.data_length)) {
1426 return KM_ERROR_OUTPUT_PARAMETER_NULL;
1427 }
1428
1429 *out_params = finish_out_params;
1430 *output = finish_output;
1431
1432 finish_out_params_deleter.release(); // NOLINT(bugprone-unused-return-value)
1433 finish_output_deleter.release(); // NOLINT(bugprone-unused-return-value)
1434
1435 return KM_ERROR_OK;
1436 }
1437
1438 auto& impl_ = convert_device(dev)->impl_;
1439 FinishOperationRequest request(impl_->message_version());
1440 request.op_handle = operation_handle;
1441 if (signature && signature->data_length > 0)
1442 request.signature.Reinitialize(signature->data, signature->data_length);
1443 if (input && input->data_length > 0)
1444 request.input.Reinitialize(input->data, input->data_length);
1445 request.additional_params.Reinitialize(*params);
1446
1447 FinishOperationResponse response(impl_->message_version());
1448 impl_->FinishOperation(request, &response);
1449 if (response.error != KM_ERROR_OK) return response.error;
1450
1451 if (response.output_params.size() > 0) {
1452 if (out_params)
1453 response.output_params.CopyToParamSet(out_params);
1454 else
1455 return KM_ERROR_OUTPUT_PARAMETER_NULL;
1456 }
1457 if (output) {
1458 output->data_length = response.output.available_read();
1459 uint8_t* tmp = reinterpret_cast<uint8_t*>(malloc(output->data_length));
1460 if (!tmp) return KM_ERROR_MEMORY_ALLOCATION_FAILED;
1461 memcpy(tmp, response.output.peek_read(), output->data_length);
1462 output->data = tmp;
1463 } else if (response.output.available_read() > 0) {
1464 return KM_ERROR_OUTPUT_PARAMETER_NULL;
1465 }
1466
1467 return KM_ERROR_OK;
1468 }
1469
1470 /* static */
abort(const keymaster1_device_t * dev,keymaster_operation_handle_t operation_handle)1471 keymaster_error_t SoftKeymasterDevice::abort(const keymaster1_device_t* dev,
1472 keymaster_operation_handle_t operation_handle) {
1473 const keymaster1_device_t* km1_dev = convert_device(dev)->wrapped_km1_device_;
1474 if (km1_dev && !convert_device(dev)->impl_->has_operation(operation_handle)) {
1475 // This operation is being handled by km1_dev (or doesn't exist). Pass it through to
1476 // km1_dev. Otherwise, we'll use the software AndroidKeymaster, which may delegate to
1477 // km1_dev.
1478 return km1_dev->abort(km1_dev, operation_handle);
1479 }
1480
1481 auto& impl_ = convert_device(dev)->impl_;
1482 AbortOperationRequest request(impl_->message_version());
1483 request.op_handle = operation_handle;
1484 AbortOperationResponse response(impl_->message_version());
1485 impl_->AbortOperation(request, &response);
1486 return response.error;
1487 }
1488
1489 /* static */
abort(const keymaster2_device_t * dev,keymaster_operation_handle_t operation_handle)1490 keymaster_error_t SoftKeymasterDevice::abort(const keymaster2_device_t* dev,
1491 keymaster_operation_handle_t operation_handle) {
1492 if (!dev) return KM_ERROR_UNEXPECTED_NULL_POINTER;
1493
1494 if (!convert_device(dev)->configured()) return KM_ERROR_KEYMASTER_NOT_CONFIGURED;
1495
1496 SoftKeymasterDevice* sk_dev = convert_device(dev);
1497 return abort(&sk_dev->km1_device_, operation_handle);
1498 }
1499
1500 /* static */
StoreDefaultNewKeyParams(keymaster_algorithm_t algorithm,AuthorizationSet * auth_set)1501 void SoftKeymasterDevice::StoreDefaultNewKeyParams(keymaster_algorithm_t algorithm,
1502 AuthorizationSet* auth_set) {
1503 auth_set->push_back(TAG_PURPOSE, KM_PURPOSE_SIGN);
1504 auth_set->push_back(TAG_PURPOSE, KM_PURPOSE_VERIFY);
1505 auth_set->push_back(TAG_ALL_USERS);
1506 auth_set->push_back(TAG_NO_AUTH_REQUIRED);
1507
1508 // All digests.
1509 auth_set->push_back(TAG_DIGEST, KM_DIGEST_NONE);
1510 auth_set->push_back(TAG_DIGEST, KM_DIGEST_MD5);
1511 auth_set->push_back(TAG_DIGEST, KM_DIGEST_SHA1);
1512 auth_set->push_back(TAG_DIGEST, KM_DIGEST_SHA_2_224);
1513 auth_set->push_back(TAG_DIGEST, KM_DIGEST_SHA_2_256);
1514 auth_set->push_back(TAG_DIGEST, KM_DIGEST_SHA_2_384);
1515 auth_set->push_back(TAG_DIGEST, KM_DIGEST_SHA_2_512);
1516
1517 if (algorithm == KM_ALGORITHM_RSA) {
1518 auth_set->push_back(TAG_PURPOSE, KM_PURPOSE_ENCRYPT);
1519 auth_set->push_back(TAG_PURPOSE, KM_PURPOSE_DECRYPT);
1520 auth_set->push_back(TAG_PADDING, KM_PAD_NONE);
1521 auth_set->push_back(TAG_PADDING, KM_PAD_RSA_PKCS1_1_5_SIGN);
1522 auth_set->push_back(TAG_PADDING, KM_PAD_RSA_PKCS1_1_5_ENCRYPT);
1523 auth_set->push_back(TAG_PADDING, KM_PAD_RSA_PSS);
1524 auth_set->push_back(TAG_PADDING, KM_PAD_RSA_OAEP);
1525 }
1526 }
1527
1528 } // namespace keymaster
1529