• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 /*
2  * Copyright 2014 The Android Open Source Project
3  *
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at
7  *
8  *      http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */
16 
17 #ifndef SYSTEM_KEYMASTER_OPERATION_H_
18 #define SYSTEM_KEYMASTER_OPERATION_H_
19 
20 #include <assert.h>
21 #include <stdint.h>
22 #include <stdlib.h>
23 
24 #include <hardware/keymaster_defs.h>
25 #include <keymaster/android_keymaster_utils.h>
26 #include <keymaster/authorization_set.h>
27 #include <keymaster/logger.h>
28 
29 namespace keymaster {
30 
31 class AuthorizationSet;
32 class Key;
33 class Operation;
34 using OperationPtr = UniquePtr<Operation>;
35 
36 class OperationFactory {
37   public:
~OperationFactory()38     virtual ~OperationFactory() {}
39 
40     // Required for registry
41     struct KeyType {
KeyTypeKeyType42         KeyType(keymaster_algorithm_t alg, keymaster_purpose_t purp)
43             : algorithm(alg), purpose(purp) {}
44 
45         keymaster_algorithm_t algorithm;
46         keymaster_purpose_t purpose;
47 
48         bool operator==(const KeyType& rhs) const {
49             return algorithm == rhs.algorithm && purpose == rhs.purpose;
50         }
51     };
52     virtual KeyType registry_key() const = 0;
53 
54     // Factory methods
55     virtual OperationPtr CreateOperation(Key&& key, const AuthorizationSet& begin_params,
56                                          keymaster_error_t* error) = 0;
57 
58     // Informational methods.  The returned arrays reference static memory and must not be
59     // deallocated or modified.
SupportedPaddingModes(size_t * padding_count)60     virtual const keymaster_padding_t* SupportedPaddingModes(size_t* padding_count) const {
61         *padding_count = 0;
62         return nullptr;
63     }
SupportedBlockModes(size_t * block_mode_count)64     virtual const keymaster_block_mode_t* SupportedBlockModes(size_t* block_mode_count) const {
65         *block_mode_count = 0;
66         return nullptr;
67     }
SupportedDigests(size_t * digest_count)68     virtual const keymaster_digest_t* SupportedDigests(size_t* digest_count) const {
69         *digest_count = 0;
70         return nullptr;
71     }
72 
73     // Convenience methods
74     bool supported(keymaster_padding_t padding) const;
75     bool supported(keymaster_block_mode_t padding) const;
76     bool supported(keymaster_digest_t padding) const;
77 
78     bool is_public_key_operation() const;
79 
80     bool GetAndValidatePadding(const AuthorizationSet& begin_params, const Key& key,
81                                keymaster_padding_t* padding, keymaster_error_t* error) const;
82     bool GetAndValidateDigest(const AuthorizationSet& begin_params, const Key& key,
83                               keymaster_digest_t* digest, keymaster_error_t* error) const;
84     bool GetAndValidateDigest(const AuthorizationSet& begin_params, const Key& key,
85                               keymaster_digest_t* digest, keymaster_error_t* error,
86                               bool require_explicit_digest) const;
87 };
88 
89 /**
90  * Abstract base for all cryptographic operations.
91  */
92 class Operation {
93   public:
Operation(keymaster_purpose_t purpose,AuthorizationSet && hw_enforced,AuthorizationSet && sw_enforced)94     explicit Operation(keymaster_purpose_t purpose, AuthorizationSet&& hw_enforced,
95                        AuthorizationSet&& sw_enforced)
96         : purpose_(purpose), hw_enforced_(move(hw_enforced)), sw_enforced_(move(sw_enforced)) {}
~Operation()97     virtual ~Operation() {}
98 
99     Operation(const Operation&) = delete;
100     void operator=(const Operation&) = delete;
101 
purpose()102     keymaster_purpose_t purpose() const { return purpose_; }
103 
set_key_id(uint64_t key_id)104     void set_key_id(uint64_t key_id) { key_id_ = key_id; }
key_id()105     uint64_t key_id() const { return key_id_; }
operation_handle()106     virtual keymaster_operation_handle_t operation_handle() const { return operation_handle_; }
107 
authorizations()108     AuthProxy authorizations() const { return AuthProxy(hw_enforced_, sw_enforced_); }
hw_enforced()109     AuthorizationSet hw_enforced() const { return hw_enforced_; }
sw_enforced()110     AuthorizationSet sw_enforced() const { return sw_enforced_; }
111 
112     // Creates and initializes |confirmation_verifier_buffer_| that can be retrieved with
113     // get_confirmation_verifier_buffer().
114     //
115     // Returns false on allocation failure.
create_confirmation_verifier_buffer()116     bool create_confirmation_verifier_buffer() {
117         if (!confirmation_verifier_buffer_) {
118             Buffer* buffer = new (std::nothrow)
119                 Buffer(kConfirmationTokenMessageTag, kConfirmationTokenMessageTagSize);
120             if (buffer == nullptr) {
121                 return false;
122             }
123             confirmation_verifier_buffer_.reset(buffer);
124         }
125         return true;
126     }
127 
128     // If a Buffer for ConfirmationUI verification was created with
129     // create_confirmation_verifier_buffer(), returns it. If not, returns |nullptr|.
get_confirmation_verifier_buffer()130     Buffer* get_confirmation_verifier_buffer() { return confirmation_verifier_buffer_.get(); }
131 
132     virtual keymaster_error_t Begin(const AuthorizationSet& input_params,
133                                     AuthorizationSet* output_params) = 0;
134     virtual keymaster_error_t Update(const AuthorizationSet& input_params, const Buffer& input,
135                                      AuthorizationSet* output_params, Buffer* output,
136                                      size_t* input_consumed) = 0;
137     virtual keymaster_error_t Finish(const AuthorizationSet& input_params, const Buffer& input,
138                                      const Buffer& signature, AuthorizationSet* output_params,
139                                      Buffer* output) = 0;
140     virtual keymaster_error_t Abort() = 0;
141 
142   protected:
143     // Helper function for implementing Finish() methods that need to call Update() to process
144     // input, but don't expect any output.
145     keymaster_error_t UpdateForFinish(const AuthorizationSet& input_params, const Buffer& input);
146     keymaster_operation_handle_t operation_handle_;
147 
148   private:
149     const keymaster_purpose_t purpose_;
150     AuthorizationSet hw_enforced_;
151     AuthorizationSet sw_enforced_;
152     uint64_t key_id_;
153     UniquePtr<Buffer> confirmation_verifier_buffer_;
154 };
155 
156 }  // namespace keymaster
157 
158 #endif  // SYSTEM_KEYMASTER_OPERATION_H_
159