1 /*
2 * Copyright 2014 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17 #include <keymaster/authorization_set.h>
18 #include <keymaster/key.h>
19 #include <keymaster/operation.h>
20
21 namespace keymaster {
22
supported(keymaster_padding_t padding) const23 bool OperationFactory::supported(keymaster_padding_t padding) const {
24 size_t padding_count;
25 const keymaster_padding_t* supported_paddings = SupportedPaddingModes(&padding_count);
26 for (size_t i = 0; i < padding_count; ++i)
27 if (padding == supported_paddings[i]) return true;
28 return false;
29 }
30
supported(keymaster_block_mode_t block_mode) const31 bool OperationFactory::supported(keymaster_block_mode_t block_mode) const {
32 size_t block_mode_count;
33 const keymaster_block_mode_t* supported_block_modes = SupportedBlockModes(&block_mode_count);
34 for (size_t i = 0; i < block_mode_count; ++i)
35 if (block_mode == supported_block_modes[i]) return true;
36 return false;
37 }
38
supported(keymaster_digest_t digest) const39 bool OperationFactory::supported(keymaster_digest_t digest) const {
40 size_t digest_count;
41 const keymaster_digest_t* supported_digests = SupportedDigests(&digest_count);
42 for (size_t i = 0; i < digest_count; ++i)
43 if (digest == supported_digests[i]) return true;
44 return false;
45 }
46
is_public_key_algorithm(keymaster_algorithm_t algorithm)47 inline bool is_public_key_algorithm(keymaster_algorithm_t algorithm) {
48 switch (algorithm) {
49 case KM_ALGORITHM_HMAC:
50 case KM_ALGORITHM_AES:
51 case KM_ALGORITHM_TRIPLE_DES:
52 return false;
53 case KM_ALGORITHM_RSA:
54 case KM_ALGORITHM_EC:
55 return true;
56 }
57
58 // Unreachable.
59 assert(false);
60 return false;
61 }
62
is_public_key_operation() const63 bool OperationFactory::is_public_key_operation() const {
64 KeyType key_type = registry_key();
65
66 if (!is_public_key_algorithm(key_type.algorithm)) return false;
67
68 switch (key_type.purpose) {
69 case KM_PURPOSE_VERIFY:
70 case KM_PURPOSE_ENCRYPT:
71 case KM_PURPOSE_WRAP:
72 return true;
73 case KM_PURPOSE_SIGN:
74 case KM_PURPOSE_DECRYPT:
75 case KM_PURPOSE_DERIVE_KEY:
76 case KM_PURPOSE_AGREE_KEY:
77 case KM_PURPOSE_ATTEST_KEY:
78 return false;
79 };
80
81 // Unreachable.
82 assert(false);
83 return false;
84 }
85
GetAndValidatePadding(const AuthorizationSet & begin_params,const Key & key,keymaster_padding_t * padding,keymaster_error_t * error) const86 bool OperationFactory::GetAndValidatePadding(const AuthorizationSet& begin_params, const Key& key,
87 keymaster_padding_t* padding,
88 keymaster_error_t* error) const {
89 *error = KM_ERROR_UNSUPPORTED_PADDING_MODE;
90 if (!begin_params.GetTagValue(TAG_PADDING, padding)) {
91 LOG_E("%zu padding modes specified in begin params", begin_params.GetTagCount(TAG_PADDING));
92 return false;
93 } else if (!supported(*padding)) {
94 LOG_E("Padding mode %d not supported", *padding);
95 return false;
96 } else if (
97 // If it's a public key operation, all padding modes are authorized.
98 !is_public_key_operation() &&
99 // Otherwise the key needs to authorize the specific mode.
100 !key.authorizations().Contains(TAG_PADDING, *padding) &&
101 !key.authorizations().Contains(TAG_PADDING_OLD, *padding)) {
102 LOG_E("Padding mode %d was specified, but not authorized by key", *padding);
103 *error = KM_ERROR_INCOMPATIBLE_PADDING_MODE;
104 return false;
105 }
106
107 *error = KM_ERROR_OK;
108 return true;
109 }
110
GetAndValidateDigest(const AuthorizationSet & begin_params,const Key & key,keymaster_digest_t * digest,keymaster_error_t * error) const111 bool OperationFactory::GetAndValidateDigest(const AuthorizationSet& begin_params, const Key& key,
112 keymaster_digest_t* digest,
113 keymaster_error_t* error) const {
114 return GetAndValidateDigest(begin_params, key, digest, error, false);
115 }
116
GetAndValidateDigest(const AuthorizationSet & begin_params,const Key & key,keymaster_digest_t * digest,keymaster_error_t * error,bool require_explicit_digest) const117 bool OperationFactory::GetAndValidateDigest(const AuthorizationSet& begin_params, const Key& key,
118 keymaster_digest_t* digest, keymaster_error_t* error,
119 bool require_explicit_digest) const {
120 *error = KM_ERROR_UNSUPPORTED_DIGEST;
121 if (!begin_params.GetTagValue(TAG_DIGEST, digest)) {
122 if (require_explicit_digest) {
123 return false;
124 }
125 if (key.authorizations().Contains(TAG_DIGEST, KM_DIGEST_NONE)) {
126 *digest = KM_DIGEST_NONE;
127 } else {
128 LOG_E("%zu digests specified in begin params and NONE not authorized",
129 begin_params.GetTagCount(TAG_DIGEST));
130 return false;
131 }
132 } else if (!supported(*digest)) {
133 LOG_E("Digest %d not supported", *digest);
134 return false;
135 } else if (
136 // If it's a public key operation, all digests are authorized.
137 !is_public_key_operation() &&
138 // Otherwise the key needs to authorize the specific digest.
139 !key.authorizations().Contains(TAG_DIGEST, *digest) &&
140 !key.authorizations().Contains(TAG_DIGEST_OLD, *digest)) {
141 LOG_E("Digest %d was specified, but not authorized by key", *digest);
142 *error = KM_ERROR_INCOMPATIBLE_DIGEST;
143 return false;
144 }
145 *error = KM_ERROR_OK;
146 return true;
147 }
148
UpdateForFinish(const AuthorizationSet & input_params,const Buffer & input)149 keymaster_error_t Operation::UpdateForFinish(const AuthorizationSet& input_params,
150 const Buffer& input) {
151 if (!input_params.empty() || input.available_read()) {
152 size_t input_consumed;
153 Buffer output;
154 AuthorizationSet output_params;
155 keymaster_error_t error =
156 Update(input_params, input, &output_params, &output, &input_consumed);
157 if (error != KM_ERROR_OK) return error;
158 assert(input_consumed == input.available_read());
159 assert(output_params.empty());
160 assert(output.available_read() == 0);
161 }
162
163 return KM_ERROR_OK;
164 }
165
166 } // namespace keymaster
167