1 /*
2 * Copyright 2020, The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17 #define LOG_TAG "android.hardware.security.keymint-impl.remote"
18 #include <log/log.h>
19
20 #include "guest/hals/keymint/remote/remote_keymint_operation.h"
21
22 #include <aidl/android/hardware/security/keymint/ErrorCode.h>
23 #include <aidl/android/hardware/security/secureclock/ISecureClock.h>
24
25 #include <keymaster/android_keymaster.h>
26
27 #include "KeyMintUtils.h"
28
29 namespace aidl::android::hardware::security::keymint {
30
31 using ::keymaster::AbortOperationRequest;
32 using ::keymaster::AbortOperationResponse;
33 using ::keymaster::Buffer;
34 using ::keymaster::FinishOperationRequest;
35 using ::keymaster::FinishOperationResponse;
36 using ::keymaster::TAG_ASSOCIATED_DATA;
37 using ::keymaster::UpdateOperationRequest;
38 using ::keymaster::UpdateOperationResponse;
39 using secureclock::TimeStampToken;
40 using namespace km_utils;
41
RemoteKeyMintOperation(::keymaster::RemoteKeymaster & impl,keymaster_operation_handle_t opHandle)42 RemoteKeyMintOperation::RemoteKeyMintOperation(
43 ::keymaster::RemoteKeymaster& impl, keymaster_operation_handle_t opHandle)
44 : impl_(impl), opHandle_(opHandle) {}
45
~RemoteKeyMintOperation()46 RemoteKeyMintOperation::~RemoteKeyMintOperation() {
47 if (opHandle_ != 0) {
48 abort();
49 }
50 }
51
updateAad(const vector<uint8_t> & input,const optional<HardwareAuthToken> & authToken,const optional<TimeStampToken> &)52 ScopedAStatus RemoteKeyMintOperation::updateAad(
53 const vector<uint8_t>& input, const optional<HardwareAuthToken>& authToken,
54 const optional<TimeStampToken>& /* timestampToken */) {
55 UpdateOperationRequest request(impl_.message_version());
56 request.op_handle = opHandle_;
57 request.additional_params.push_back(TAG_ASSOCIATED_DATA, input.data(),
58 input.size());
59 if (authToken) {
60 auto tokenAsVec(authToken2AidlVec(*authToken));
61 request.additional_params.push_back(keymaster::TAG_AUTH_TOKEN,
62 tokenAsVec.data(), tokenAsVec.size());
63 }
64
65 UpdateOperationResponse response(impl_.message_version());
66 impl_.UpdateOperation(request, &response);
67
68 return kmError2ScopedAStatus(response.error);
69 }
70
update(const vector<uint8_t> & input,const optional<HardwareAuthToken> & authToken,const optional<TimeStampToken> &,vector<uint8_t> * output)71 ScopedAStatus RemoteKeyMintOperation::update(
72 const vector<uint8_t>& input, const optional<HardwareAuthToken>& authToken,
73 const optional<TimeStampToken>&
74 /* timestampToken */,
75 vector<uint8_t>* output) {
76 if (!output) {
77 return kmError2ScopedAStatus(KM_ERROR_OUTPUT_PARAMETER_NULL);
78 }
79
80 UpdateOperationRequest request(impl_.message_version());
81 request.op_handle = opHandle_;
82 request.input.Reinitialize(input.data(), input.size());
83 if (authToken) {
84 auto tokenAsVec(authToken2AidlVec(*authToken));
85 request.additional_params.push_back(keymaster::TAG_AUTH_TOKEN,
86 tokenAsVec.data(), tokenAsVec.size());
87 }
88
89 UpdateOperationResponse response(impl_.message_version());
90 impl_.UpdateOperation(request, &response);
91
92 if (response.error != KM_ERROR_OK) {
93 return kmError2ScopedAStatus(response.error);
94 }
95 if (response.input_consumed != request.input.buffer_size()) {
96 return kmError2ScopedAStatus(KM_ERROR_UNKNOWN_ERROR);
97 }
98
99 *output = kmBuffer2vector(response.output);
100 return ScopedAStatus::ok();
101 }
102
finish(const optional<vector<uint8_t>> & input,const optional<vector<uint8_t>> & signature,const optional<HardwareAuthToken> & authToken,const optional<TimeStampToken> &,const optional<vector<uint8_t>> & confirmationToken,vector<uint8_t> * output)103 ScopedAStatus RemoteKeyMintOperation::finish(
104 const optional<vector<uint8_t>>& input, //
105 const optional<vector<uint8_t>>& signature, //
106 const optional<HardwareAuthToken>& authToken,
107 const optional<TimeStampToken>& /* timestampToken */,
108 const optional<vector<uint8_t>>& confirmationToken,
109 vector<uint8_t>* output) {
110 if (!output) {
111 return ScopedAStatus(AStatus_fromServiceSpecificError(
112 static_cast<int32_t>(ErrorCode::OUTPUT_PARAMETER_NULL)));
113 }
114
115 FinishOperationRequest request(impl_.message_version());
116 request.op_handle = opHandle_;
117 if (input) {
118 request.input.Reinitialize(input->data(), input->size());
119 }
120 if (signature) {
121 request.signature.Reinitialize(signature->data(), signature->size());
122 }
123 if (authToken) {
124 auto tokenAsVec(authToken2AidlVec(*authToken));
125 request.additional_params.push_back(keymaster::TAG_AUTH_TOKEN,
126 tokenAsVec.data(), tokenAsVec.size());
127 }
128 if (confirmationToken) {
129 request.additional_params.push_back(keymaster::TAG_CONFIRMATION_TOKEN,
130 confirmationToken->data(),
131 confirmationToken->size());
132 }
133
134 FinishOperationResponse response(impl_.message_version());
135 impl_.FinishOperation(request, &response);
136 opHandle_ = 0;
137
138 if (response.error != KM_ERROR_OK) {
139 return kmError2ScopedAStatus(response.error);
140 }
141
142 *output = kmBuffer2vector(response.output);
143 return ScopedAStatus::ok();
144 }
145
abort()146 ScopedAStatus RemoteKeyMintOperation::abort() {
147 AbortOperationRequest request(impl_.message_version());
148 request.op_handle = opHandle_;
149
150 AbortOperationResponse response(impl_.message_version());
151 impl_.AbortOperation(request, &response);
152 opHandle_ = 0;
153
154 return kmError2ScopedAStatus(response.error);
155 }
156
157 } // namespace aidl::android::hardware::security::keymint
158