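/*
 * Copyright 2015 The Android Open Source Project
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

#pragma once

#include <cstddef>
#include <cstdint>
#include <memory>
#include <string>

#include <openssl/evp.h>

#include <hardware/keymaster1.h>

#include <keymaster/attestation_context.h>
#include <keymaster/contexts/soft_attestation_context.h>
#include <keymaster/keymaster_context.h>
#include <keymaster/km_openssl/software_random_source.h>
#include <keymaster/random_source.h>
#include <keymaster/soft_key_factory.h>

namespace keymaster {

class SoftKeymasterKeyRegistrations;
class Keymaster1Engine;
class Key;

/**
 * SoftKeymasterContext provides the context for a non-secure implementation of AndroidKeymaster
 * that can wrap a Keymaster0 implementation or an incomplete Keymaster1 implementation (one that
 * lacks support for all required digests).
 *
 * Security notes for integrators:
 *  - This is explicitly a non-secure (software) context. Do not assume that keys handled here
 *    receive the isolation of a secure-world keymaster.
 *  - enforcement_policy() returns nullptr, so no authorization enforcement happens at this
 *    layer; per the comment on that method it is delegated to Keystore.
 *  - SoftwareKeyBlobMaker and SoftwareRandomSource are private bases (spelled out below; a
 *    `class` base without an access specifier is private), so outside code cannot reach this
 *    object through those interfaces by implicit conversion.
 */
class SoftKeymasterContext : public KeymasterContext,
                             private SoftwareKeyBlobMaker,
                             private SoftwareRandomSource,
                             public SoftAttestationContext {
  public:
    /**
     * @param version        keymaster version for this context. NOTE(review): presumably the
     *                       value later returned by GetKmVersion() - confirm in the .cpp.
     * @param root_of_trust  defaults to the literal "SW". NOTE(review): presumably copied into
     *                       root_of_trust_; how it is bound into key blobs is decided in the
     *                       implementation - confirm there before relying on it.
     */
    explicit SoftKeymasterContext(KmVersion version, const std::string& root_of_trust = "SW");
    ~SoftKeymasterContext() override;

    /**
     * Returns the keymaster version. The call is qualified so that the AttestationContext
     * implementation is the one selected.
     */
    KmVersion GetKmVersion() const override { return AttestationContext::GetKmVersion(); }

    /**
     * Use the specified HW keymaster1 device for performing undigested RSA and EC operations after
     * digesting has been done in software.  Takes ownership of the specified device (will call
     * keymaster1_device->common.close());
     *
     * Because ownership is transferred, the caller must not use or close the device afterwards.
     * NOTE(review): null handling and whether ownership is also taken when an error is returned
     * are not visible in this header - confirm in the implementation.
     */
    keymaster_error_t SetHardwareDevice(keymaster1_device_t* keymaster1_device);

    /*********************************************************************************************
     * Implement KeymasterContext
     */
    keymaster_error_t SetSystemVersion(uint32_t os_version, uint32_t os_patchlevel) override;
    // Results are written through the two non-const pointers.
    void GetSystemVersion(uint32_t* os_version, uint32_t* os_patchlevel) const override;

    KeyFactory* GetKeyFactory(keymaster_algorithm_t algorithm) const override;
    OperationFactory* GetOperationFactory(keymaster_algorithm_t algorithm,
                                          keymaster_purpose_t purpose) const override;
    // NOTE(review): ownership of the returned array is defined by the KeymasterContext contract,
    // which is not visible here - confirm before freeing or retaining it.
    keymaster_algorithm_t* GetSupportedAlgorithms(size_t* algorithms_count) const override;
    keymaster_error_t UpgradeKeyBlob(const KeymasterKeyBlob& key_to_upgrade,
                                     const AuthorizationSet& upgrade_params,
                                     KeymasterKeyBlob* upgraded_key) const override;
    keymaster_error_t ParseKeyBlob(const KeymasterKeyBlob& blob,
                                   const AuthorizationSet& additional_params,
                                   UniquePtr<Key>* key) const override;
    keymaster_error_t DeleteKey(const KeymasterKeyBlob& blob) const override;
    keymaster_error_t DeleteAllKeys() const override;
    keymaster_error_t AddRngEntropy(const uint8_t* buf, size_t length) const override;

    CertificateChain GenerateAttestation(const Key& key, const AuthorizationSet& attest_params,
                                         UniquePtr<Key> attest_key,
                                         const KeymasterBlob& issuer_subject,
                                         keymaster_error_t* error) const override;
    // NOTE(review): fake_signature presumably produces a certificate whose signature is a
    // placeholder; relying parties should not treat such a certificate as verifiable - confirm
    // against the implementation.
    CertificateChain GenerateSelfSignedCertificate(const Key& key,
                                                   const AuthorizationSet& cert_params,
                                                   bool fake_signature,
                                                   keymaster_error_t* error) const override;

    // wrapped_key_params, wrapped_key_format and wrapped_key_material are out-parameters
    // (non-const pointers); the remaining arguments are inputs.
    keymaster_error_t
    UnwrapKey(const KeymasterKeyBlob& wrapped_key_blob, const KeymasterKeyBlob& wrapping_key_blob,
              const AuthorizationSet& wrapping_key_params, const KeymasterKeyBlob& masking_key,
              AuthorizationSet* wrapped_key_params, keymaster_key_format_t* wrapped_key_format,
              KeymasterKeyBlob* wrapped_key_material) const override;

    KeymasterEnforcement* enforcement_policy() override {
        // SoftKeymaster does no enforcement; it's all done by Keystore.
        // Callers must therefore handle a null policy and must not assume that key
        // authorizations are checked by this context.
        return nullptr;
    }

    /*********************************************************************************************
     * Implement SoftwareKeyBlobMaker
     */
    keymaster_error_t CreateKeyBlob(const AuthorizationSet& auths, keymaster_key_origin_t origin,
                                    const KeymasterKeyBlob& key_material, KeymasterKeyBlob* blob,
                                    AuthorizationSet* hw_enforced,
                                    AuthorizationSet* sw_enforced) const override;
    /*********************************************************************************************/

  private:
    // key_material, hw_enforced and sw_enforced are out-parameters (non-const pointers).
    keymaster_error_t ParseKeymaster1HwBlob(const KeymasterKeyBlob& blob,
                                            const AuthorizationSet& additional_params,
                                            KeymasterKeyBlob* key_material,
                                            AuthorizationSet* hw_enforced,
                                            AuthorizationSet* sw_enforced) const;

    std::unique_ptr<Keymaster1Engine> km1_engine_;
    std::unique_ptr<KeyFactory> rsa_factory_;
    std::unique_ptr<KeyFactory> ec_factory_;
    std::unique_ptr<KeyFactory> aes_factory_;
    std::unique_ptr<KeyFactory> tdes_factory_;
    std::unique_ptr<KeyFactory> hmac_factory_;
    // Raw device pointer; see SetHardwareDevice() for the ownership contract. The in-class
    // initializer guarantees the pointer is never indeterminate; any initializer in the
    // constructor (defined outside this header) takes precedence over it.
    keymaster1_device* km1_dev_ = nullptr;
    const KeymasterBlob root_of_trust_;
    // Initialized in-class for the same reason as km1_dev_: no indeterminate reads.
    uint32_t os_version_ = 0;
    uint32_t os_patchlevel_ = 0;
};

}  // namespace keymaster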