1 /*
2 * Copyright 2015 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17 #include <keymaster/soft_keymaster_device.h>
18
19 #include <assert.h>
20 #include <stddef.h>
21 #include <stdio.h>
22 #include <stdlib.h>
23 #include <string.h>
24 #include <time.h>
25
26 #include <algorithm>
27 #include <vector>
28
29 #include <type_traits>
30
31 #include <openssl/x509.h>
32
33 #include <hardware/keymaster1.h>
34 #define LOG_TAG "SoftKeymasterDevice"
35 #include <log/log.h>
36
37 #include <keymaster/android_keymaster.h>
38 #include <keymaster/android_keymaster_messages.h>
39 #include <keymaster/android_keymaster_utils.h>
40 #include <keymaster/authorization_set.h>
41 #include <keymaster/contexts/soft_keymaster_context.h>
42 #include <keymaster/key.h>
43 #include <keymaster/km_openssl/openssl_utils.h>
44 #include <keymaster/soft_keymaster_logger.h>
45
46 struct keystore_module soft_keymaster1_device_module = {
47 .common =
48 {
49 .tag = HARDWARE_MODULE_TAG,
50 .module_api_version = KEYMASTER_MODULE_API_VERSION_1_0,
51 .hal_api_version = HARDWARE_HAL_API_VERSION,
52 .id = KEYSTORE_HARDWARE_MODULE_ID,
53 .name = "OpenSSL-based SoftKeymaster HAL",
54 .author = "The Android Open Source Project",
55 .methods = nullptr,
56 .dso = nullptr,
57 .reserved = {},
58 },
59 };
60
61 struct keystore_module soft_keymaster2_device_module = {
62 .common =
63 {
64 .tag = HARDWARE_MODULE_TAG,
65 .module_api_version = KEYMASTER_MODULE_API_VERSION_2_0,
66 .hal_api_version = HARDWARE_HAL_API_VERSION,
67 .id = KEYSTORE_HARDWARE_MODULE_ID,
68 .name = "OpenSSL-based SoftKeymaster HAL",
69 .author = "The Android Open Source Project",
70 .methods = nullptr,
71 .dso = nullptr,
72 .reserved = {},
73 },
74 };
75
76 namespace keymaster {
77
78 const size_t kMaximumAttestationChallengeLength = 128;
79 const size_t kOperationTableSize = 16;
80
make_vector(const T * array,size_t len)81 template <typename T> std::vector<T> make_vector(const T* array, size_t len) {
82 return std::vector<T>(array, array + len);
83 }
84
85 // This helper class implements just enough of the C++ standard collection interface to be able to
86 // accept push_back calls, and it does nothing but count them. It's useful when you want to count
87 // insertions but not actually store anything. It's used in digest_set_is_full below to count the
88 // size of a set intersection.
89 struct PushbackCounter {
90 struct value_type {
91 // NOLINTNEXTLINE(google-explicit-constructor)
value_typekeymaster::PushbackCounter::value_type92 template <typename T> value_type(const T&) {}
93 };
push_backkeymaster::PushbackCounter94 void push_back(const value_type&) { ++count; }
95 size_t count = 0;
96 };
97
98 static std::vector<keymaster_digest_t> full_digest_list = {
99 KM_DIGEST_MD5, KM_DIGEST_SHA1, KM_DIGEST_SHA_2_224,
100 KM_DIGEST_SHA_2_256, KM_DIGEST_SHA_2_384, KM_DIGEST_SHA_2_512};
101
digest_set_is_full(Iter begin,Iter end)102 template <typename Iter> static bool digest_set_is_full(Iter begin, Iter end) {
103 PushbackCounter counter;
104 std::set_intersection(begin, end, full_digest_list.begin(), full_digest_list.end(),
105 std::back_inserter(counter));
106 return counter.count == full_digest_list.size();
107 }
108
add_digests(keymaster1_device_t * dev,keymaster_algorithm_t algorithm,keymaster_purpose_t purpose,SoftKeymasterDevice::DigestMap * map,bool * supports_all)109 static keymaster_error_t add_digests(keymaster1_device_t* dev, keymaster_algorithm_t algorithm,
110 keymaster_purpose_t purpose,
111 SoftKeymasterDevice::DigestMap* map, bool* supports_all) {
112 auto key = std::make_pair(algorithm, purpose);
113
114 keymaster_digest_t* digests;
115 size_t digests_length;
116 keymaster_error_t error =
117 dev->get_supported_digests(dev, algorithm, purpose, &digests, &digests_length);
118 if (error != KM_ERROR_OK) {
119 LOG_E("Error %d getting supported digests from keymaster1 device", error);
120 return error;
121 }
122 std::unique_ptr<keymaster_digest_t, Malloc_Delete> digests_deleter(digests);
123
124 auto digest_vec = make_vector(digests, digests_length);
125 *supports_all = digest_set_is_full(digest_vec.begin(), digest_vec.end());
126 (*map)[key] = std::move(digest_vec);
127 return error;
128 }
129
map_digests(keymaster1_device_t * dev,SoftKeymasterDevice::DigestMap * map,bool * supports_all)130 static keymaster_error_t map_digests(keymaster1_device_t* dev, SoftKeymasterDevice::DigestMap* map,
131 bool* supports_all) {
132 map->clear();
133 *supports_all = true;
134
135 keymaster_algorithm_t sig_algorithms[] = {KM_ALGORITHM_RSA, KM_ALGORITHM_EC, KM_ALGORITHM_HMAC};
136 keymaster_purpose_t sig_purposes[] = {KM_PURPOSE_SIGN, KM_PURPOSE_VERIFY};
137 for (auto algorithm : sig_algorithms)
138 for (auto purpose : sig_purposes) {
139 bool alg_purpose_supports_all;
140 keymaster_error_t error =
141 add_digests(dev, algorithm, purpose, map, &alg_purpose_supports_all);
142 if (error != KM_ERROR_OK) return error;
143 *supports_all &= alg_purpose_supports_all;
144 }
145
146 keymaster_algorithm_t crypt_algorithms[] = {KM_ALGORITHM_RSA};
147 keymaster_purpose_t crypt_purposes[] = {KM_PURPOSE_ENCRYPT, KM_PURPOSE_DECRYPT};
148 for (auto algorithm : crypt_algorithms)
149 for (auto purpose : crypt_purposes) {
150 bool alg_purpose_supports_all;
151 keymaster_error_t error =
152 add_digests(dev, algorithm, purpose, map, &alg_purpose_supports_all);
153 if (error != KM_ERROR_OK) return error;
154 *supports_all &= alg_purpose_supports_all;
155 }
156
157 return KM_ERROR_OK;
158 }
159
SoftKeymasterDevice(KmVersion version)160 SoftKeymasterDevice::SoftKeymasterDevice(KmVersion version)
161 : wrapped_km1_device_(nullptr), context_(new SoftKeymasterContext(version)),
162 impl_(new AndroidKeymaster(context_, kOperationTableSize)), configured_(false) {
163 LOG_I("Creating device", 0);
164 LOG_D("Device address: %p", this);
165
166 initialize_device_struct(KEYMASTER_SOFTWARE_ONLY | KEYMASTER_BLOBS_ARE_STANDALONE |
167 KEYMASTER_SUPPORTS_EC);
168 }
169
SoftKeymasterDevice(SoftKeymasterContext * context)170 SoftKeymasterDevice::SoftKeymasterDevice(SoftKeymasterContext* context)
171 : wrapped_km1_device_(nullptr), context_(context),
172 impl_(new AndroidKeymaster(context_, kOperationTableSize)), configured_(false) {
173 LOG_I("Creating test device", 0);
174 LOG_D("Device address: %p", this);
175
176 initialize_device_struct(KEYMASTER_SOFTWARE_ONLY | KEYMASTER_BLOBS_ARE_STANDALONE |
177 KEYMASTER_SUPPORTS_EC);
178 }
179
SetHardwareDevice(keymaster1_device_t * keymaster1_device)180 keymaster_error_t SoftKeymasterDevice::SetHardwareDevice(keymaster1_device_t* keymaster1_device) {
181 assert(keymaster1_device);
182 LOG_D("Reinitializing SoftKeymasterDevice to use HW keymaster1", 0);
183
184 if (!context_) return KM_ERROR_UNEXPECTED_NULL_POINTER;
185
186 keymaster_error_t error =
187 map_digests(keymaster1_device, &km1_device_digests_, &supports_all_digests_);
188 if (error != KM_ERROR_OK) return error;
189
190 error = context_->SetHardwareDevice(keymaster1_device);
191 if (error != KM_ERROR_OK) return error;
192
193 initialize_device_struct(keymaster1_device->flags);
194
195 module_name_ = km1_device_.common.module->name;
196 module_name_.append(" (Wrapping ");
197 module_name_.append(keymaster1_device->common.module->name);
198 module_name_.append(")");
199
200 updated_module_ = *km1_device_.common.module;
201 updated_module_.name = module_name_.c_str();
202
203 km1_device_.common.module = &updated_module_;
204
205 wrapped_km1_device_ = keymaster1_device;
206 return KM_ERROR_OK;
207 }
208
Keymaster1DeviceIsGood()209 bool SoftKeymasterDevice::Keymaster1DeviceIsGood() {
210 std::vector<keymaster_digest_t> expected_rsa_digests = {
211 KM_DIGEST_NONE, KM_DIGEST_MD5, KM_DIGEST_SHA1, KM_DIGEST_SHA_2_224,
212 KM_DIGEST_SHA_2_256, KM_DIGEST_SHA_2_384, KM_DIGEST_SHA_2_512};
213 std::vector<keymaster_digest_t> expected_ec_digests = {
214 KM_DIGEST_NONE, KM_DIGEST_SHA1, KM_DIGEST_SHA_2_224,
215 KM_DIGEST_SHA_2_256, KM_DIGEST_SHA_2_384, KM_DIGEST_SHA_2_512};
216
217 for (auto& entry : km1_device_digests_) {
218 if (entry.first.first == KM_ALGORITHM_RSA)
219 if (!std::is_permutation(entry.second.begin(), entry.second.end(),
220 expected_rsa_digests.begin()))
221 return false;
222 if (entry.first.first == KM_ALGORITHM_EC)
223 if (!std::is_permutation(entry.second.begin(), entry.second.end(),
224 expected_ec_digests.begin()))
225 return false;
226 }
227 return true;
228 }
229
initialize_device_struct(uint32_t flags)230 void SoftKeymasterDevice::initialize_device_struct(uint32_t flags) {
231 memset(&km1_device_, 0, sizeof(km1_device_));
232
233 km1_device_.common.tag = HARDWARE_DEVICE_TAG;
234 km1_device_.common.version = 1;
235 km1_device_.common.module = reinterpret_cast<hw_module_t*>(&soft_keymaster1_device_module);
236 km1_device_.common.close = &close_device;
237
238 km1_device_.flags = flags;
239
240 km1_device_.context = this;
241
242 // keymaster0 APIs
243 km1_device_.generate_keypair = nullptr;
244 km1_device_.import_keypair = nullptr;
245 km1_device_.get_keypair_public = nullptr;
246 km1_device_.delete_keypair = nullptr;
247 km1_device_.delete_all = nullptr;
248 km1_device_.sign_data = nullptr;
249 km1_device_.verify_data = nullptr;
250
251 // keymaster1 APIs
252 km1_device_.get_supported_algorithms = get_supported_algorithms;
253 km1_device_.get_supported_block_modes = get_supported_block_modes;
254 km1_device_.get_supported_padding_modes = get_supported_padding_modes;
255 km1_device_.get_supported_digests = get_supported_digests;
256 km1_device_.get_supported_import_formats = get_supported_import_formats;
257 km1_device_.get_supported_export_formats = get_supported_export_formats;
258 km1_device_.add_rng_entropy = add_rng_entropy;
259 km1_device_.generate_key = generate_key;
260 km1_device_.get_key_characteristics = get_key_characteristics;
261 km1_device_.import_key = import_key;
262 km1_device_.export_key = export_key;
263 km1_device_.delete_key = delete_key;
264 km1_device_.delete_all_keys = delete_all_keys;
265 km1_device_.begin = begin;
266 km1_device_.update = update;
267 km1_device_.finish = finish;
268 km1_device_.abort = abort;
269
270 // keymaster2 APIs
271 memset(&km2_device_, 0, sizeof(km2_device_));
272
273 km2_device_.flags = flags;
274 km2_device_.context = this;
275
276 km2_device_.common.tag = HARDWARE_DEVICE_TAG;
277 km2_device_.common.version = 1;
278 km2_device_.common.module = reinterpret_cast<hw_module_t*>(&soft_keymaster2_device_module);
279 km2_device_.common.close = &close_device;
280
281 km2_device_.configure = configure;
282 km2_device_.add_rng_entropy = add_rng_entropy;
283 km2_device_.generate_key = generate_key;
284 km2_device_.get_key_characteristics = get_key_characteristics;
285 km2_device_.import_key = import_key;
286 km2_device_.export_key = export_key;
287 km2_device_.attest_key = attest_key;
288 km2_device_.upgrade_key = upgrade_key;
289 km2_device_.delete_key = delete_key;
290 km2_device_.delete_all_keys = delete_all_keys;
291 km2_device_.begin = begin;
292 km2_device_.update = update;
293 km2_device_.finish = finish;
294 km2_device_.abort = abort;
295 }
296
hw_device()297 hw_device_t* SoftKeymasterDevice::hw_device() {
298 return &km1_device_.common;
299 }
300
keymaster_device()301 keymaster1_device_t* SoftKeymasterDevice::keymaster_device() {
302 return &km1_device_;
303 }
304
keymaster2_device()305 keymaster2_device_t* SoftKeymasterDevice::keymaster2_device() {
306 return &km2_device_;
307 }
308
309 namespace {
310
BuildCharacteristics(const AuthorizationSet & hw_enforced,const AuthorizationSet & sw_enforced)311 keymaster_key_characteristics_t* BuildCharacteristics(const AuthorizationSet& hw_enforced,
312 const AuthorizationSet& sw_enforced) {
313 keymaster_key_characteristics_t* characteristics =
314 reinterpret_cast<keymaster_key_characteristics_t*>(
315 malloc(sizeof(keymaster_key_characteristics_t)));
316 if (characteristics) {
317 hw_enforced.CopyToParamSet(&characteristics->hw_enforced);
318 sw_enforced.CopyToParamSet(&characteristics->sw_enforced);
319 }
320 return characteristics;
321 }
322
323 template <typename RequestType>
AddClientAndAppData(const keymaster_blob_t * client_id,const keymaster_blob_t * app_data,RequestType * request)324 void AddClientAndAppData(const keymaster_blob_t* client_id, const keymaster_blob_t* app_data,
325 RequestType* request) {
326 request->additional_params.Clear();
327 if (client_id) request->additional_params.push_back(TAG_APPLICATION_ID, *client_id);
328 if (app_data) request->additional_params.push_back(TAG_APPLICATION_DATA, *app_data);
329 }
330
convert_device(const T * dev)331 template <typename T> SoftKeymasterDevice* convert_device(const T* dev) {
332 static_assert((std::is_same<T, keymaster1_device_t>::value ||
333 std::is_same<T, keymaster2_device_t>::value),
334 "convert_device should only be applied to keymaster devices");
335 return reinterpret_cast<SoftKeymasterDevice*>(dev->context);
336 }
337
338 template <keymaster_tag_t Tag, keymaster_tag_type_t Type, typename KeymasterEnum>
FindTagValue(const keymaster_key_param_set_t & params,TypedEnumTag<Type,Tag,KeymasterEnum> tag,KeymasterEnum * value)339 bool FindTagValue(const keymaster_key_param_set_t& params,
340 TypedEnumTag<Type, Tag, KeymasterEnum> tag, KeymasterEnum* value) {
341 for (size_t i = 0; i < params.length; ++i)
342 if (params.params[i].tag == tag) {
343 *value = static_cast<KeymasterEnum>(params.params[i].enumerated);
344 return true;
345 }
346 return false;
347 }
348
349 } // namespace
350
351 /* static */
close_device(hw_device_t * dev)352 int SoftKeymasterDevice::close_device(hw_device_t* dev) {
353 switch (dev->module->module_api_version) {
354 case KEYMASTER_MODULE_API_VERSION_2_0: {
355 delete convert_device(reinterpret_cast<keymaster2_device_t*>(dev));
356 break;
357 }
358
359 case KEYMASTER_MODULE_API_VERSION_1_0: {
360 delete convert_device(reinterpret_cast<keymaster1_device_t*>(dev));
361 break;
362 }
363
364 default:
365 return -1;
366 }
367
368 return 0;
369 }
370
371 /* static */
get_supported_algorithms(const keymaster1_device_t * dev,keymaster_algorithm_t ** algorithms,size_t * algorithms_length)372 keymaster_error_t SoftKeymasterDevice::get_supported_algorithms(const keymaster1_device_t* dev,
373 keymaster_algorithm_t** algorithms,
374 size_t* algorithms_length) {
375 if (!dev) return KM_ERROR_UNEXPECTED_NULL_POINTER;
376
377 if (!algorithms || !algorithms_length) return KM_ERROR_OUTPUT_PARAMETER_NULL;
378
379 const keymaster1_device_t* km1_dev = convert_device(dev)->wrapped_km1_device_;
380 if (km1_dev) return km1_dev->get_supported_algorithms(km1_dev, algorithms, algorithms_length);
381
382 auto& impl_ = convert_device(dev)->impl_;
383 SupportedAlgorithmsRequest request(impl_->message_version());
384 SupportedAlgorithmsResponse response(impl_->message_version());
385 impl_->SupportedAlgorithms(request, &response);
386 if (response.error != KM_ERROR_OK) {
387 LOG_E("get_supported_algorithms failed with %d", response.error);
388
389 return response.error;
390 }
391
392 *algorithms_length = response.results_length;
393 *algorithms =
394 reinterpret_cast<keymaster_algorithm_t*>(malloc(*algorithms_length * sizeof(**algorithms)));
395 if (!*algorithms) return KM_ERROR_MEMORY_ALLOCATION_FAILED;
396 std::copy(response.results, response.results + response.results_length, *algorithms);
397 return KM_ERROR_OK;
398 }
399
400 /* static */
get_supported_block_modes(const keymaster1_device_t * dev,keymaster_algorithm_t algorithm,keymaster_purpose_t purpose,keymaster_block_mode_t ** modes,size_t * modes_length)401 keymaster_error_t SoftKeymasterDevice::get_supported_block_modes(const keymaster1_device_t* dev,
402 keymaster_algorithm_t algorithm,
403 keymaster_purpose_t purpose,
404 keymaster_block_mode_t** modes,
405 size_t* modes_length) {
406 if (!dev) return KM_ERROR_UNEXPECTED_NULL_POINTER;
407
408 if (!modes || !modes_length) return KM_ERROR_OUTPUT_PARAMETER_NULL;
409
410 const keymaster1_device_t* km1_dev = convert_device(dev)->wrapped_km1_device_;
411 if (km1_dev)
412 return km1_dev->get_supported_block_modes(km1_dev, algorithm, purpose, modes, modes_length);
413
414 auto& impl_ = convert_device(dev)->impl_;
415 SupportedBlockModesRequest request(impl_->message_version());
416 request.algorithm = algorithm;
417 request.purpose = purpose;
418 SupportedBlockModesResponse response(impl_->message_version());
419 impl_->SupportedBlockModes(request, &response);
420
421 if (response.error != KM_ERROR_OK) {
422 LOG_E("get_supported_block_modes failed with %d", response.error);
423
424 return response.error;
425 }
426
427 *modes_length = response.results_length;
428 *modes = reinterpret_cast<keymaster_block_mode_t*>(malloc(*modes_length * sizeof(**modes)));
429 if (!*modes) return KM_ERROR_MEMORY_ALLOCATION_FAILED;
430 std::copy(response.results, response.results + response.results_length, *modes);
431 return KM_ERROR_OK;
432 }
433
434 /* static */
get_supported_padding_modes(const keymaster1_device_t * dev,keymaster_algorithm_t algorithm,keymaster_purpose_t purpose,keymaster_padding_t ** modes,size_t * modes_length)435 keymaster_error_t SoftKeymasterDevice::get_supported_padding_modes(const keymaster1_device_t* dev,
436 keymaster_algorithm_t algorithm,
437 keymaster_purpose_t purpose,
438 keymaster_padding_t** modes,
439 size_t* modes_length) {
440 if (!dev) return KM_ERROR_UNEXPECTED_NULL_POINTER;
441
442 if (!modes || !modes_length) return KM_ERROR_OUTPUT_PARAMETER_NULL;
443
444 const keymaster1_device_t* km1_dev = convert_device(dev)->wrapped_km1_device_;
445 if (km1_dev)
446 return km1_dev->get_supported_padding_modes(km1_dev, algorithm, purpose, modes,
447 modes_length);
448
449 auto& impl_ = convert_device(dev)->impl_;
450 SupportedPaddingModesRequest request(impl_->message_version());
451 request.algorithm = algorithm;
452 request.purpose = purpose;
453 SupportedPaddingModesResponse response(impl_->message_version());
454 convert_device(dev)->impl_->SupportedPaddingModes(request, &response);
455
456 if (response.error != KM_ERROR_OK) {
457 LOG_E("get_supported_padding_modes failed with %d", response.error);
458 return response.error;
459 }
460
461 *modes_length = response.results_length;
462 *modes = reinterpret_cast<keymaster_padding_t*>(malloc(*modes_length * sizeof(**modes)));
463 if (!*modes) return KM_ERROR_MEMORY_ALLOCATION_FAILED;
464 std::copy(response.results, response.results + response.results_length, *modes);
465 return KM_ERROR_OK;
466 }
467
468 /* static */
get_supported_digests(const keymaster1_device_t * dev,keymaster_algorithm_t algorithm,keymaster_purpose_t purpose,keymaster_digest_t ** digests,size_t * digests_length)469 keymaster_error_t SoftKeymasterDevice::get_supported_digests(const keymaster1_device_t* dev,
470 keymaster_algorithm_t algorithm,
471 keymaster_purpose_t purpose,
472 keymaster_digest_t** digests,
473 size_t* digests_length) {
474 if (!dev) return KM_ERROR_UNEXPECTED_NULL_POINTER;
475
476 if (!digests || !digests_length) return KM_ERROR_OUTPUT_PARAMETER_NULL;
477
478 const keymaster1_device_t* km1_dev = convert_device(dev)->wrapped_km1_device_;
479 if (km1_dev)
480 return km1_dev->get_supported_digests(km1_dev, algorithm, purpose, digests, digests_length);
481
482 auto& impl_ = convert_device(dev)->impl_;
483 SupportedDigestsRequest request(impl_->message_version());
484 request.algorithm = algorithm;
485 request.purpose = purpose;
486 SupportedDigestsResponse response(impl_->message_version());
487 impl_->SupportedDigests(request, &response);
488
489 if (response.error != KM_ERROR_OK) {
490 LOG_E("get_supported_digests failed with %d", response.error);
491 return response.error;
492 }
493
494 *digests_length = response.results_length;
495 *digests = reinterpret_cast<keymaster_digest_t*>(malloc(*digests_length * sizeof(**digests)));
496 if (!*digests) return KM_ERROR_MEMORY_ALLOCATION_FAILED;
497 std::copy(response.results, response.results + response.results_length, *digests);
498 return KM_ERROR_OK;
499 }
500
501 /* static */
get_supported_import_formats(const keymaster1_device_t * dev,keymaster_algorithm_t algorithm,keymaster_key_format_t ** formats,size_t * formats_length)502 keymaster_error_t SoftKeymasterDevice::get_supported_import_formats(
503 const keymaster1_device_t* dev, keymaster_algorithm_t algorithm,
504 keymaster_key_format_t** formats, size_t* formats_length) {
505 if (!dev) return KM_ERROR_UNEXPECTED_NULL_POINTER;
506
507 if (!formats || !formats_length) return KM_ERROR_OUTPUT_PARAMETER_NULL;
508
509 const keymaster1_device_t* km1_dev = convert_device(dev)->wrapped_km1_device_;
510 if (km1_dev)
511 return km1_dev->get_supported_import_formats(km1_dev, algorithm, formats, formats_length);
512
513 auto& impl_ = convert_device(dev)->impl_;
514 SupportedImportFormatsRequest request(impl_->message_version());
515 request.algorithm = algorithm;
516 SupportedImportFormatsResponse response(impl_->message_version());
517 impl_->SupportedImportFormats(request, &response);
518
519 if (response.error != KM_ERROR_OK) {
520 LOG_E("get_supported_import_formats failed with %d", response.error);
521 return response.error;
522 }
523
524 *formats_length = response.results_length;
525 *formats =
526 reinterpret_cast<keymaster_key_format_t*>(malloc(*formats_length * sizeof(**formats)));
527 if (!*formats) return KM_ERROR_MEMORY_ALLOCATION_FAILED;
528 std::copy(response.results, response.results + response.results_length, *formats);
529 return KM_ERROR_OK;
530 }
531
532 /* static */
get_supported_export_formats(const keymaster1_device_t * dev,keymaster_algorithm_t algorithm,keymaster_key_format_t ** formats,size_t * formats_length)533 keymaster_error_t SoftKeymasterDevice::get_supported_export_formats(
534 const keymaster1_device_t* dev, keymaster_algorithm_t algorithm,
535 keymaster_key_format_t** formats, size_t* formats_length) {
536 if (!dev) return KM_ERROR_UNEXPECTED_NULL_POINTER;
537
538 if (!formats || !formats_length) return KM_ERROR_OUTPUT_PARAMETER_NULL;
539
540 const keymaster1_device_t* km1_dev = convert_device(dev)->wrapped_km1_device_;
541 if (km1_dev)
542 return km1_dev->get_supported_export_formats(km1_dev, algorithm, formats, formats_length);
543
544 auto& impl_ = convert_device(dev)->impl_;
545 SupportedExportFormatsRequest request(impl_->message_version());
546 request.algorithm = algorithm;
547 SupportedExportFormatsResponse response(impl_->message_version());
548 impl_->SupportedExportFormats(request, &response);
549
550 if (response.error != KM_ERROR_OK) {
551 LOG_E("get_supported_export_formats failed with %d", response.error);
552 return response.error;
553 }
554
555 *formats_length = response.results_length;
556 *formats =
557 reinterpret_cast<keymaster_key_format_t*>(malloc(*formats_length * sizeof(**formats)));
558 if (!*formats) return KM_ERROR_MEMORY_ALLOCATION_FAILED;
559 std::copy(response.results, response.results + *formats_length, *formats);
560 return KM_ERROR_OK;
561 }
562
563 /* static */
configure(const keymaster2_device_t * dev,const keymaster_key_param_set_t * params)564 keymaster_error_t SoftKeymasterDevice::configure(const keymaster2_device_t* dev,
565 const keymaster_key_param_set_t* params) {
566 AuthorizationSet params_copy(*params);
567 auto& impl_ = convert_device(dev)->impl_;
568 ConfigureRequest request(impl_->message_version());
569 if (!params_copy.GetTagValue(TAG_OS_VERSION, &request.os_version) ||
570 !params_copy.GetTagValue(TAG_OS_PATCHLEVEL, &request.os_patchlevel)) {
571 LOG_E("Configuration parameters must contain OS version and patch level", 0);
572 return KM_ERROR_INVALID_ARGUMENT;
573 }
574 ConfigureResponse response(impl_->message_version());
575 impl_->Configure(request, &response);
576 if (response.error == KM_ERROR_OK) convert_device(dev)->configured_ = true;
577 return response.error;
578 }
579
580 /* static */
add_rng_entropy(const keymaster1_device_t * dev,const uint8_t * data,size_t data_length)581 keymaster_error_t SoftKeymasterDevice::add_rng_entropy(const keymaster1_device_t* dev,
582 const uint8_t* data, size_t data_length) {
583 if (!dev) return KM_ERROR_UNEXPECTED_NULL_POINTER;
584
585 const keymaster1_device_t* km1_dev = convert_device(dev)->wrapped_km1_device_;
586 if (km1_dev) return km1_dev->add_rng_entropy(km1_dev, data, data_length);
587
588 auto& impl_ = convert_device(dev)->impl_;
589 AddEntropyRequest request(impl_->message_version());
590 request.random_data.Reinitialize(data, data_length);
591 AddEntropyResponse response(impl_->message_version());
592 impl_->AddRngEntropy(request, &response);
593 if (response.error != KM_ERROR_OK) LOG_E("add_rng_entropy failed with %d", response.error);
594 return response.error;
595 }
596
597 /* static */
add_rng_entropy(const keymaster2_device_t * dev,const uint8_t * data,size_t data_length)598 keymaster_error_t SoftKeymasterDevice::add_rng_entropy(const keymaster2_device_t* dev,
599 const uint8_t* data, size_t data_length) {
600 if (!dev) return KM_ERROR_UNEXPECTED_NULL_POINTER;
601
602 if (!convert_device(dev)->configured()) return KM_ERROR_KEYMASTER_NOT_CONFIGURED;
603
604 SoftKeymasterDevice* sk_dev = convert_device(dev);
605 return add_rng_entropy(&sk_dev->km1_device_, data, data_length);
606 }
607
contains(const Collection & c,const Value & v)608 template <typename Collection, typename Value> bool contains(const Collection& c, const Value& v) {
609 return std::find(c.begin(), c.end(), v) != c.end();
610 }
611
FindUnsupportedDigest(keymaster_algorithm_t algorithm,keymaster_purpose_t purpose,const AuthorizationSet & params,keymaster_digest_t * unsupported) const612 bool SoftKeymasterDevice::FindUnsupportedDigest(keymaster_algorithm_t algorithm,
613 keymaster_purpose_t purpose,
614 const AuthorizationSet& params,
615 keymaster_digest_t* unsupported) const {
616 assert(wrapped_km1_device_);
617
618 auto supported_digests = km1_device_digests_.find(std::make_pair(algorithm, purpose));
619 if (supported_digests == km1_device_digests_.end())
620 // Invalid algorith/purpose pair (e.g. EC encrypt). Let the error be handled by HW module.
621 return false;
622
623 for (auto& entry : params)
624 if (entry.tag == TAG_DIGEST)
625 if (!contains(supported_digests->second, entry.enumerated)) {
626 LOG_I("Digest %d requested but not supported by module %s", entry.enumerated,
627 wrapped_km1_device_->common.module->name);
628 *unsupported = static_cast<keymaster_digest_t>(entry.enumerated);
629 return true;
630 }
631 return false;
632 }
633
RequiresSoftwareDigesting(keymaster_algorithm_t algorithm,keymaster_purpose_t purpose,const AuthorizationSet & params) const634 bool SoftKeymasterDevice::RequiresSoftwareDigesting(keymaster_algorithm_t algorithm,
635 keymaster_purpose_t purpose,
636 const AuthorizationSet& params) const {
637 assert(wrapped_km1_device_);
638 if (!wrapped_km1_device_) return true;
639
640 switch (algorithm) {
641 case KM_ALGORITHM_AES:
642 case KM_ALGORITHM_TRIPLE_DES:
643 LOG_D("Not performing software digesting for algorithm %d", algorithm);
644 return false;
645 case KM_ALGORITHM_HMAC:
646 case KM_ALGORITHM_RSA:
647 case KM_ALGORITHM_EC:
648 break;
649 }
650
651 keymaster_digest_t unsupported;
652 if (!FindUnsupportedDigest(algorithm, purpose, params, &unsupported)) {
653 LOG_D("Requested digest(s) supported for algorithm %d and purpose %d", algorithm, purpose);
654 return false;
655 }
656
657 return true;
658 }
659
KeyRequiresSoftwareDigesting(const AuthorizationSet & key_description) const660 bool SoftKeymasterDevice::KeyRequiresSoftwareDigesting(
661 const AuthorizationSet& key_description) const {
662 assert(wrapped_km1_device_);
663 if (!wrapped_km1_device_) return true;
664
665 keymaster_algorithm_t algorithm;
666 if (!key_description.GetTagValue(TAG_ALGORITHM, &algorithm)) {
667 // The hardware module will return an error during keygen.
668 return false;
669 }
670
671 for (auto& entry : key_description)
672 if (entry.tag == TAG_PURPOSE) {
673 keymaster_purpose_t purpose = static_cast<keymaster_purpose_t>(entry.enumerated);
674 if (RequiresSoftwareDigesting(algorithm, purpose, key_description)) return true;
675 }
676
677 return false;
678 }
679
680 /* static */
generate_key(const keymaster1_device_t * dev,const keymaster_key_param_set_t * params,keymaster_key_blob_t * key_blob,keymaster_key_characteristics_t ** characteristics)681 keymaster_error_t SoftKeymasterDevice::generate_key(
682 const keymaster1_device_t* dev, const keymaster_key_param_set_t* params,
683 keymaster_key_blob_t* key_blob, keymaster_key_characteristics_t** characteristics) {
684 if (!dev || !params) return KM_ERROR_UNEXPECTED_NULL_POINTER;
685
686 if (!key_blob) return KM_ERROR_OUTPUT_PARAMETER_NULL;
687
688 SoftKeymasterDevice* sk_dev = convert_device(dev);
689
690 auto& impl_ = sk_dev->impl_;
691 GenerateKeyRequest request(impl_->message_version());
692 request.key_description.Reinitialize(*params);
693
694 keymaster1_device_t* km1_dev = sk_dev->wrapped_km1_device_;
695 if (km1_dev && !sk_dev->KeyRequiresSoftwareDigesting(request.key_description))
696 return km1_dev->generate_key(km1_dev, params, key_blob, characteristics);
697
698 GenerateKeyResponse response(impl_->message_version());
699 impl_->GenerateKey(request, &response);
700 if (response.error != KM_ERROR_OK) return response.error;
701
702 key_blob->key_material_size = response.key_blob.key_material_size;
703 uint8_t* tmp = reinterpret_cast<uint8_t*>(malloc(key_blob->key_material_size));
704 if (!tmp) return KM_ERROR_MEMORY_ALLOCATION_FAILED;
705 memcpy(tmp, response.key_blob.key_material, response.key_blob.key_material_size);
706 key_blob->key_material = tmp;
707
708 if (characteristics) {
709 // This is a keymaster1 method, and keymaster1 doesn't include version info, so remove it.
710 response.enforced.erase(response.enforced.find(TAG_OS_VERSION));
711 response.enforced.erase(response.enforced.find(TAG_OS_PATCHLEVEL));
712 response.unenforced.erase(response.unenforced.find(TAG_OS_VERSION));
713 response.unenforced.erase(response.unenforced.find(TAG_OS_PATCHLEVEL));
714
715 *characteristics = BuildCharacteristics(response.enforced, response.unenforced);
716 if (!*characteristics) return KM_ERROR_MEMORY_ALLOCATION_FAILED;
717 }
718
719 return KM_ERROR_OK;
720 }
721
722 keymaster_error_t
generate_key(const keymaster2_device_t * dev,const keymaster_key_param_set_t * params,keymaster_key_blob_t * key_blob,keymaster_key_characteristics_t * characteristics)723 SoftKeymasterDevice::generate_key(const keymaster2_device_t* dev, //
724 const keymaster_key_param_set_t* params,
725 keymaster_key_blob_t* key_blob,
726 keymaster_key_characteristics_t* characteristics) {
727 if (!dev) return KM_ERROR_UNEXPECTED_NULL_POINTER;
728
729 if (!convert_device(dev)->configured()) return KM_ERROR_KEYMASTER_NOT_CONFIGURED;
730
731 if (!key_blob) return KM_ERROR_OUTPUT_PARAMETER_NULL;
732
733 SoftKeymasterDevice* sk_dev = convert_device(dev);
734
735 auto& impl_ = sk_dev->impl_;
736 GenerateKeyRequest request(impl_->message_version());
737 request.key_description.Reinitialize(*params);
738
739 keymaster1_device_t* km1_dev = sk_dev->wrapped_km1_device_;
740 if (km1_dev && !sk_dev->KeyRequiresSoftwareDigesting(request.key_description)) {
741 keymaster_ec_curve_t curve;
742 if (request.key_description.Contains(TAG_ALGORITHM, KM_ALGORITHM_EC) &&
743 request.key_description.GetTagValue(TAG_EC_CURVE, &curve)) {
744 // Keymaster1 doesn't know about EC curves. We need to translate to key size.
745 uint32_t key_size_from_curve;
746 keymaster_error_t error = EcCurveToKeySize(curve, &key_size_from_curve);
747 if (error != KM_ERROR_OK) {
748 return error;
749 }
750
751 uint32_t key_size_from_desc;
752 if (request.key_description.GetTagValue(TAG_KEY_SIZE, &key_size_from_desc)) {
753 if (key_size_from_desc != key_size_from_curve) {
754 return KM_ERROR_INVALID_ARGUMENT;
755 }
756 } else {
757 request.key_description.push_back(TAG_KEY_SIZE, key_size_from_curve);
758 }
759 }
760
761 keymaster_key_characteristics_t* chars_ptr;
762 keymaster_error_t error = km1_dev->generate_key(km1_dev, &request.key_description, key_blob,
763 characteristics ? &chars_ptr : nullptr);
764 if (error != KM_ERROR_OK) return error;
765
766 if (characteristics) {
767 *characteristics = *chars_ptr;
768 free(chars_ptr);
769 }
770
771 return KM_ERROR_OK;
772 }
773
774 GenerateKeyResponse response(impl_->message_version());
775 impl_->GenerateKey(request, &response);
776 if (response.error != KM_ERROR_OK) return response.error;
777
778 key_blob->key_material_size = response.key_blob.key_material_size;
779 uint8_t* tmp = reinterpret_cast<uint8_t*>(malloc(key_blob->key_material_size));
780 if (!tmp) return KM_ERROR_MEMORY_ALLOCATION_FAILED;
781 memcpy(tmp, response.key_blob.key_material, response.key_blob.key_material_size);
782 key_blob->key_material = tmp;
783
784 if (characteristics) {
785 response.enforced.CopyToParamSet(&characteristics->hw_enforced);
786 response.unenforced.CopyToParamSet(&characteristics->sw_enforced);
787 }
788
789 return KM_ERROR_OK;
790 }
791
792 /* static */
get_key_characteristics(const keymaster1_device_t * dev,const keymaster_key_blob_t * key_blob,const keymaster_blob_t * client_id,const keymaster_blob_t * app_data,keymaster_key_characteristics_t ** characteristics)793 keymaster_error_t SoftKeymasterDevice::get_key_characteristics(
794 const keymaster1_device_t* dev, const keymaster_key_blob_t* key_blob,
795 const keymaster_blob_t* client_id, const keymaster_blob_t* app_data,
796 keymaster_key_characteristics_t** characteristics) {
797 if (!dev || !key_blob || !key_blob->key_material) return KM_ERROR_UNEXPECTED_NULL_POINTER;
798
799 if (!characteristics) return KM_ERROR_OUTPUT_PARAMETER_NULL;
800
801 const keymaster1_device_t* km1_dev = convert_device(dev)->wrapped_km1_device_;
802 if (km1_dev) {
803 keymaster_error_t error = km1_dev->get_key_characteristics(km1_dev, key_blob, client_id,
804 app_data, characteristics);
805 if (error != KM_ERROR_INVALID_KEY_BLOB) {
806 return error;
807 }
808 // If we got "invalid blob", continue to try with the software device. This might be a
809 // software key blob.
810 }
811
812 auto& impl_ = convert_device(dev)->impl_;
813 GetKeyCharacteristicsRequest request(impl_->message_version());
814 request.SetKeyMaterial(*key_blob);
815 AddClientAndAppData(client_id, app_data, &request);
816
817 GetKeyCharacteristicsResponse response(impl_->message_version());
818 impl_->GetKeyCharacteristics(request, &response);
819 if (response.error != KM_ERROR_OK) return response.error;
820
821 // This is a keymaster1 method, and keymaster1 doesn't include version info, so remove it.
822 response.enforced.erase(response.enforced.find(TAG_OS_VERSION));
823 response.enforced.erase(response.enforced.find(TAG_OS_PATCHLEVEL));
824 response.unenforced.erase(response.unenforced.find(TAG_OS_VERSION));
825 response.unenforced.erase(response.unenforced.find(TAG_OS_PATCHLEVEL));
826
827 *characteristics = BuildCharacteristics(response.enforced, response.unenforced);
828 if (!*characteristics) return KM_ERROR_MEMORY_ALLOCATION_FAILED;
829
830 return KM_ERROR_OK;
831 }
832
833 /* static */
get_key_characteristics(const keymaster2_device_t * dev,const keymaster_key_blob_t * key_blob,const keymaster_blob_t * client_id,const keymaster_blob_t * app_data,keymaster_key_characteristics_t * characteristics)834 keymaster_error_t SoftKeymasterDevice::get_key_characteristics(
835 const keymaster2_device_t* dev, const keymaster_key_blob_t* key_blob,
836 const keymaster_blob_t* client_id, const keymaster_blob_t* app_data,
837 keymaster_key_characteristics_t* characteristics) {
838 if (!dev) return KM_ERROR_UNEXPECTED_NULL_POINTER;
839
840 if (!convert_device(dev)->configured()) return KM_ERROR_KEYMASTER_NOT_CONFIGURED;
841
842 if (!characteristics) return KM_ERROR_OUTPUT_PARAMETER_NULL;
843
844 SoftKeymasterDevice* sk_dev = convert_device(dev);
845
846 auto& impl_ = sk_dev->impl_;
847 GetKeyCharacteristicsRequest request(impl_->message_version());
848 request.SetKeyMaterial(*key_blob);
849 AddClientAndAppData(client_id, app_data, &request);
850
851 GetKeyCharacteristicsResponse response(impl_->message_version());
852 impl_->GetKeyCharacteristics(request, &response);
853 if (response.error != KM_ERROR_OK) return response.error;
854
855 response.enforced.CopyToParamSet(&characteristics->hw_enforced);
856 response.unenforced.CopyToParamSet(&characteristics->sw_enforced);
857
858 return KM_ERROR_OK;
859 }
860
861 /* static */
import_key(const keymaster1_device_t * dev,const keymaster_key_param_set_t * params,keymaster_key_format_t key_format,const keymaster_blob_t * key_data,keymaster_key_blob_t * key_blob,keymaster_key_characteristics_t ** characteristics)862 keymaster_error_t SoftKeymasterDevice::import_key(
863 const keymaster1_device_t* dev, const keymaster_key_param_set_t* params,
864 keymaster_key_format_t key_format, const keymaster_blob_t* key_data,
865 keymaster_key_blob_t* key_blob, keymaster_key_characteristics_t** characteristics) {
866 if (!params || !key_data) return KM_ERROR_UNEXPECTED_NULL_POINTER;
867
868 if (!key_blob) return KM_ERROR_OUTPUT_PARAMETER_NULL;
869
870 SoftKeymasterDevice* sk_dev = convert_device(dev);
871
872 auto& impl_ = sk_dev->impl_;
873 ImportKeyRequest request(impl_->message_version());
874 request.key_description.Reinitialize(*params);
875
876 keymaster1_device_t* km1_dev = sk_dev->wrapped_km1_device_;
877 if (km1_dev && !sk_dev->KeyRequiresSoftwareDigesting(request.key_description))
878 return km1_dev->import_key(km1_dev, params, key_format, key_data, key_blob,
879 characteristics);
880
881 if (characteristics) *characteristics = nullptr;
882
883 request.key_format = key_format;
884 request.key_data = KeymasterKeyBlob(key_data->data, key_data->data_length);
885
886 ImportKeyResponse response(impl_->message_version());
887 impl_->ImportKey(request, &response);
888 if (response.error != KM_ERROR_OK) return response.error;
889
890 key_blob->key_material_size = response.key_blob.key_material_size;
891 key_blob->key_material = reinterpret_cast<uint8_t*>(malloc(key_blob->key_material_size));
892 if (!key_blob->key_material) return KM_ERROR_MEMORY_ALLOCATION_FAILED;
893 memcpy(const_cast<uint8_t*>(key_blob->key_material), response.key_blob.key_material,
894 response.key_blob.key_material_size);
895
896 if (characteristics) {
897 *characteristics = BuildCharacteristics(response.enforced, response.unenforced);
898 if (!*characteristics) return KM_ERROR_MEMORY_ALLOCATION_FAILED;
899 }
900 return KM_ERROR_OK;
901 }
902
903 /* static */
import_key(const keymaster2_device_t * dev,const keymaster_key_param_set_t * params,keymaster_key_format_t key_format,const keymaster_blob_t * key_data,keymaster_key_blob_t * key_blob,keymaster_key_characteristics_t * characteristics)904 keymaster_error_t SoftKeymasterDevice::import_key(
905 const keymaster2_device_t* dev, const keymaster_key_param_set_t* params,
906 keymaster_key_format_t key_format, const keymaster_blob_t* key_data,
907 keymaster_key_blob_t* key_blob, keymaster_key_characteristics_t* characteristics) {
908 if (!dev) return KM_ERROR_UNEXPECTED_NULL_POINTER;
909
910 if (!convert_device(dev)->configured()) return KM_ERROR_KEYMASTER_NOT_CONFIGURED;
911
912 SoftKeymasterDevice* sk_dev = convert_device(dev);
913
914 keymaster_error_t error;
915 if (characteristics) {
916 keymaster_key_characteristics_t* characteristics_ptr;
917 error = import_key(&sk_dev->km1_device_, params, key_format, key_data, key_blob,
918 &characteristics_ptr);
919 if (error == KM_ERROR_OK) {
920 *characteristics = *characteristics_ptr;
921 free(characteristics_ptr);
922 }
923 } else {
924 error = import_key(&sk_dev->km1_device_, params, key_format, key_data, key_blob, nullptr);
925 }
926
927 return error;
928 }
929
930 /* static */
export_key(const keymaster1_device_t * dev,keymaster_key_format_t export_format,const keymaster_key_blob_t * key_to_export,const keymaster_blob_t * client_id,const keymaster_blob_t * app_data,keymaster_blob_t * export_data)931 keymaster_error_t SoftKeymasterDevice::export_key(const keymaster1_device_t* dev,
932 keymaster_key_format_t export_format,
933 const keymaster_key_blob_t* key_to_export,
934 const keymaster_blob_t* client_id,
935 const keymaster_blob_t* app_data,
936 keymaster_blob_t* export_data) {
937 if (!key_to_export || !key_to_export->key_material) return KM_ERROR_UNEXPECTED_NULL_POINTER;
938
939 if (!export_data) return KM_ERROR_OUTPUT_PARAMETER_NULL;
940
941 const keymaster1_device_t* km1_dev = convert_device(dev)->wrapped_km1_device_;
942 if (km1_dev)
943 return km1_dev->export_key(km1_dev, export_format, key_to_export, client_id, app_data,
944 export_data);
945
946 export_data->data = nullptr;
947 export_data->data_length = 0;
948
949 auto& impl_ = convert_device(dev)->impl_;
950 ExportKeyRequest request(impl_->message_version());
951 request.key_format = export_format;
952 request.SetKeyMaterial(*key_to_export);
953 AddClientAndAppData(client_id, app_data, &request);
954
955 ExportKeyResponse response(impl_->message_version());
956 impl_->ExportKey(request, &response);
957 if (response.error != KM_ERROR_OK) return response.error;
958
959 export_data->data_length = response.key_data_length;
960 uint8_t* tmp = reinterpret_cast<uint8_t*>(malloc(export_data->data_length));
961 if (!tmp) return KM_ERROR_MEMORY_ALLOCATION_FAILED;
962 memcpy(tmp, response.key_data, export_data->data_length);
963 export_data->data = tmp;
964 return KM_ERROR_OK;
965 }
966
967 /* static */
export_key(const keymaster2_device_t * dev,keymaster_key_format_t export_format,const keymaster_key_blob_t * key_to_export,const keymaster_blob_t * client_id,const keymaster_blob_t * app_data,keymaster_blob_t * export_data)968 keymaster_error_t SoftKeymasterDevice::export_key(const keymaster2_device_t* dev,
969 keymaster_key_format_t export_format,
970 const keymaster_key_blob_t* key_to_export,
971 const keymaster_blob_t* client_id,
972 const keymaster_blob_t* app_data,
973 keymaster_blob_t* export_data) {
974 if (!dev) return KM_ERROR_UNEXPECTED_NULL_POINTER;
975
976 if (!convert_device(dev)->configured()) return KM_ERROR_KEYMASTER_NOT_CONFIGURED;
977
978 SoftKeymasterDevice* sk_dev = convert_device(dev);
979 return export_key(&sk_dev->km1_device_, export_format, key_to_export, client_id, app_data,
980 export_data);
981 }
982
983 /* static */
attest_key(const keymaster2_device_t * dev,const keymaster_key_blob_t * key_to_attest,const keymaster_key_param_set_t * attest_params,keymaster_cert_chain_t * cert_chain)984 keymaster_error_t SoftKeymasterDevice::attest_key(const keymaster2_device_t* dev,
985 const keymaster_key_blob_t* key_to_attest,
986 const keymaster_key_param_set_t* attest_params,
987 keymaster_cert_chain_t* cert_chain) {
988 if (!dev || !key_to_attest || !attest_params || !cert_chain)
989 return KM_ERROR_UNEXPECTED_NULL_POINTER;
990
991 if (!convert_device(dev)->configured()) return KM_ERROR_KEYMASTER_NOT_CONFIGURED;
992
993 *cert_chain = {};
994
995 auto& impl_ = convert_device(dev)->impl_;
996 AttestKeyRequest request(impl_->message_version());
997 request.SetKeyMaterial(*key_to_attest);
998 request.attest_params.Reinitialize(*attest_params);
999
1000 keymaster_blob_t attestation_challenge = {};
1001 request.attest_params.GetTagValue(TAG_ATTESTATION_CHALLENGE, &attestation_challenge);
1002 if (attestation_challenge.data_length > kMaximumAttestationChallengeLength) {
1003 LOG_E("%d-byte attestation challenge; only %d bytes allowed",
1004 attestation_challenge.data_length, kMaximumAttestationChallengeLength);
1005 return KM_ERROR_INVALID_INPUT_LENGTH;
1006 }
1007
1008 AttestKeyResponse response(impl_->message_version());
1009 impl_->AttestKey(request, &response);
1010 if (response.error != KM_ERROR_OK) return response.error;
1011
1012 // Allocate and clear storage for cert_chain.
1013 keymaster_cert_chain_t& rsp_chain = response.certificate_chain;
1014 cert_chain->entries = reinterpret_cast<keymaster_blob_t*>(
1015 malloc(rsp_chain.entry_count * sizeof(*cert_chain->entries)));
1016 if (!cert_chain->entries) return KM_ERROR_MEMORY_ALLOCATION_FAILED;
1017 cert_chain->entry_count = rsp_chain.entry_count;
1018 for (keymaster_blob_t& entry : array_range(cert_chain->entries, cert_chain->entry_count))
1019 entry = {};
1020
1021 // Copy cert_chain contents
1022 size_t i = 0;
1023 for (keymaster_blob_t& entry : array_range(rsp_chain.entries, rsp_chain.entry_count)) {
1024 cert_chain->entries[i].data = reinterpret_cast<uint8_t*>(malloc(entry.data_length));
1025 if (!cert_chain->entries[i].data) {
1026 keymaster_free_cert_chain(cert_chain);
1027 return KM_ERROR_MEMORY_ALLOCATION_FAILED;
1028 }
1029 cert_chain->entries[i].data_length = entry.data_length;
1030 memcpy(const_cast<uint8_t*>(cert_chain->entries[i].data), entry.data, entry.data_length);
1031 ++i;
1032 }
1033
1034 return KM_ERROR_OK;
1035 }
1036
1037 /* static */
upgrade_key(const keymaster2_device_t * dev,const keymaster_key_blob_t * key_to_upgrade,const keymaster_key_param_set_t * upgrade_params,keymaster_key_blob_t * upgraded_key)1038 keymaster_error_t SoftKeymasterDevice::upgrade_key(const keymaster2_device_t* dev,
1039 const keymaster_key_blob_t* key_to_upgrade,
1040 const keymaster_key_param_set_t* upgrade_params,
1041 keymaster_key_blob_t* upgraded_key) {
1042 if (!dev || !key_to_upgrade || !upgrade_params) return KM_ERROR_UNEXPECTED_NULL_POINTER;
1043
1044 if (!upgraded_key) return KM_ERROR_OUTPUT_PARAMETER_NULL;
1045
1046 if (!convert_device(dev)->configured()) return KM_ERROR_KEYMASTER_NOT_CONFIGURED;
1047
1048 auto& impl_ = convert_device(dev)->impl_;
1049 UpgradeKeyRequest request(impl_->message_version());
1050 request.SetKeyMaterial(*key_to_upgrade);
1051 request.upgrade_params.Reinitialize(*upgrade_params);
1052
1053 UpgradeKeyResponse response(impl_->message_version());
1054 impl_->UpgradeKey(request, &response);
1055 if (response.error != KM_ERROR_OK) return response.error;
1056
1057 upgraded_key->key_material_size = response.upgraded_key.key_material_size;
1058 uint8_t* tmp = reinterpret_cast<uint8_t*>(malloc(upgraded_key->key_material_size));
1059 if (!tmp) return KM_ERROR_MEMORY_ALLOCATION_FAILED;
1060 memcpy(tmp, response.upgraded_key.key_material, response.upgraded_key.key_material_size);
1061 upgraded_key->key_material = tmp;
1062
1063 return KM_ERROR_OK;
1064 }
1065
1066 /* static */
delete_key(const keymaster1_device_t * dev,const keymaster_key_blob_t * key)1067 keymaster_error_t SoftKeymasterDevice::delete_key(const keymaster1_device_t* dev,
1068 const keymaster_key_blob_t* key) {
1069 if (!dev || !key || !key->key_material) return KM_ERROR_UNEXPECTED_NULL_POINTER;
1070
1071 KeymasterKeyBlob blob(*key);
1072 return convert_device(dev)->context_->DeleteKey(blob);
1073 }
1074
1075 /* static */
delete_key(const keymaster2_device_t * dev,const keymaster_key_blob_t * key)1076 keymaster_error_t SoftKeymasterDevice::delete_key(const keymaster2_device_t* dev,
1077 const keymaster_key_blob_t* key) {
1078 if (!dev || !key || !key->key_material) return KM_ERROR_UNEXPECTED_NULL_POINTER;
1079
1080 if (!convert_device(dev)->configured()) return KM_ERROR_KEYMASTER_NOT_CONFIGURED;
1081
1082 KeymasterKeyBlob blob(*key);
1083 return convert_device(dev)->context_->DeleteKey(blob);
1084 }
1085
1086 /* static */
delete_all_keys(const keymaster1_device_t * dev)1087 keymaster_error_t SoftKeymasterDevice::delete_all_keys(const keymaster1_device_t* dev) {
1088 if (!dev) return KM_ERROR_UNEXPECTED_NULL_POINTER;
1089
1090 return convert_device(dev)->context_->DeleteAllKeys();
1091 }
1092
1093 /* static */
delete_all_keys(const keymaster2_device_t * dev)1094 keymaster_error_t SoftKeymasterDevice::delete_all_keys(const keymaster2_device_t* dev) {
1095 if (!dev) return KM_ERROR_UNEXPECTED_NULL_POINTER;
1096
1097 if (!convert_device(dev)->configured()) return KM_ERROR_KEYMASTER_NOT_CONFIGURED;
1098
1099 return convert_device(dev)->context_->DeleteAllKeys();
1100 }
1101
1102 /* static */
begin(const keymaster1_device_t * dev,keymaster_purpose_t purpose,const keymaster_key_blob_t * key,const keymaster_key_param_set_t * in_params,keymaster_key_param_set_t * out_params,keymaster_operation_handle_t * operation_handle)1103 keymaster_error_t SoftKeymasterDevice::begin(const keymaster1_device_t* dev,
1104 keymaster_purpose_t purpose,
1105 const keymaster_key_blob_t* key,
1106 const keymaster_key_param_set_t* in_params,
1107 keymaster_key_param_set_t* out_params,
1108 keymaster_operation_handle_t* operation_handle) {
1109 if (!dev || !key || !key->key_material) return KM_ERROR_UNEXPECTED_NULL_POINTER;
1110
1111 if (!operation_handle) return KM_ERROR_OUTPUT_PARAMETER_NULL;
1112
1113 SoftKeymasterDevice* skdev = convert_device(dev);
1114 const keymaster1_device_t* km1_dev = skdev->wrapped_km1_device_;
1115
1116 if (km1_dev) {
1117 AuthorizationSet in_params_set(*in_params);
1118
1119 UniquePtr<Key> akmKey; // android keymaster key
1120 skdev->context_->ParseKeyBlob(KeymasterKeyBlob(*key), in_params_set, &akmKey);
1121
1122 keymaster_algorithm_t algorithm = KM_ALGORITHM_AES;
1123 if (!akmKey->hw_enforced().GetTagValue(TAG_ALGORITHM, &algorithm) &&
1124 !akmKey->sw_enforced().GetTagValue(TAG_ALGORITHM, &algorithm)) {
1125 return KM_ERROR_INVALID_KEY_BLOB;
1126 }
1127
1128 if (algorithm == KM_ALGORITHM_HMAC) {
1129 // Because HMAC keys can have only one digest, in_params_set doesn't contain it. We
1130 // need to get the digest from the key and add it to in_params_set.
1131 keymaster_digest_t digest;
1132 if (!akmKey->hw_enforced().GetTagValue(TAG_DIGEST, &digest) &&
1133 !akmKey->sw_enforced().GetTagValue(TAG_DIGEST, &digest)) {
1134 return KM_ERROR_INVALID_KEY_BLOB;
1135 }
1136 in_params_set.push_back(TAG_DIGEST, digest);
1137 }
1138
1139 if (!skdev->RequiresSoftwareDigesting(algorithm, purpose, in_params_set)) {
1140 LOG_D("Operation supported by %s, passing through to keymaster1 module",
1141 km1_dev->common.module->name);
1142 return km1_dev->begin(km1_dev, purpose, key, in_params, out_params, operation_handle);
1143 }
1144 LOG_I("Doing software digesting for keymaster1 module %s", km1_dev->common.module->name);
1145 }
1146
1147 if (out_params) {
1148 out_params->params = nullptr;
1149 out_params->length = 0;
1150 }
1151
1152 auto& impl_ = skdev->impl_;
1153 BeginOperationRequest request(impl_->message_version());
1154 request.purpose = purpose;
1155 request.SetKeyMaterial(*key);
1156 request.additional_params.Reinitialize(*in_params);
1157
1158 BeginOperationResponse response(impl_->message_version());
1159 impl_->BeginOperation(request, &response);
1160 if (response.error != KM_ERROR_OK) return response.error;
1161
1162 if (response.output_params.size() > 0) {
1163 if (out_params)
1164 response.output_params.CopyToParamSet(out_params);
1165 else
1166 return KM_ERROR_OUTPUT_PARAMETER_NULL;
1167 }
1168
1169 *operation_handle = response.op_handle;
1170 return KM_ERROR_OK;
1171 }
1172
1173 /* static */
begin(const keymaster2_device_t * dev,keymaster_purpose_t purpose,const keymaster_key_blob_t * key,const keymaster_key_param_set_t * in_params,keymaster_key_param_set_t * out_params,keymaster_operation_handle_t * operation_handle)1174 keymaster_error_t SoftKeymasterDevice::begin(const keymaster2_device_t* dev,
1175 keymaster_purpose_t purpose,
1176 const keymaster_key_blob_t* key,
1177 const keymaster_key_param_set_t* in_params,
1178 keymaster_key_param_set_t* out_params,
1179 keymaster_operation_handle_t* operation_handle) {
1180 if (!dev) return KM_ERROR_UNEXPECTED_NULL_POINTER;
1181
1182 if (!convert_device(dev)->configured()) return KM_ERROR_KEYMASTER_NOT_CONFIGURED;
1183
1184 SoftKeymasterDevice* sk_dev = convert_device(dev);
1185 return begin(&sk_dev->km1_device_, purpose, key, in_params, out_params, operation_handle);
1186 }
1187
1188 /* static */
update(const keymaster1_device_t * dev,keymaster_operation_handle_t operation_handle,const keymaster_key_param_set_t * in_params,const keymaster_blob_t * input,size_t * input_consumed,keymaster_key_param_set_t * out_params,keymaster_blob_t * output)1189 keymaster_error_t SoftKeymasterDevice::update(const keymaster1_device_t* dev,
1190 keymaster_operation_handle_t operation_handle,
1191 const keymaster_key_param_set_t* in_params,
1192 const keymaster_blob_t* input, size_t* input_consumed,
1193 keymaster_key_param_set_t* out_params,
1194 keymaster_blob_t* output) {
1195 if (!input) return KM_ERROR_UNEXPECTED_NULL_POINTER;
1196
1197 if (!input_consumed) return KM_ERROR_OUTPUT_PARAMETER_NULL;
1198
1199 const keymaster1_device_t* km1_dev = convert_device(dev)->wrapped_km1_device_;
1200 if (km1_dev && !convert_device(dev)->impl_->has_operation(operation_handle)) {
1201 // This operation is being handled by km1_dev (or doesn't exist). Pass it through to
1202 // km1_dev. Otherwise, we'll use the software AndroidKeymaster, which may delegate to
1203 // km1_dev after doing necessary digesting.
1204 return km1_dev->update(km1_dev, operation_handle, in_params, input, input_consumed,
1205 out_params, output);
1206 }
1207
1208 if (out_params) {
1209 out_params->params = nullptr;
1210 out_params->length = 0;
1211 }
1212 if (output) {
1213 output->data = nullptr;
1214 output->data_length = 0;
1215 }
1216
1217 auto& impl_ = convert_device(dev)->impl_;
1218 UpdateOperationRequest request(impl_->message_version());
1219 request.op_handle = operation_handle;
1220 if (input) request.input.Reinitialize(input->data, input->data_length);
1221 if (in_params) request.additional_params.Reinitialize(*in_params);
1222
1223 UpdateOperationResponse response(impl_->message_version());
1224 impl_->UpdateOperation(request, &response);
1225 if (response.error != KM_ERROR_OK) return response.error;
1226
1227 if (response.output_params.size() > 0) {
1228 if (out_params)
1229 response.output_params.CopyToParamSet(out_params);
1230 else
1231 return KM_ERROR_OUTPUT_PARAMETER_NULL;
1232 }
1233
1234 *input_consumed = response.input_consumed;
1235 if (output) {
1236 output->data_length = response.output.available_read();
1237 uint8_t* tmp = reinterpret_cast<uint8_t*>(malloc(output->data_length));
1238 if (!tmp) return KM_ERROR_MEMORY_ALLOCATION_FAILED;
1239 memcpy(tmp, response.output.peek_read(), output->data_length);
1240 output->data = tmp;
1241 } else if (response.output.available_read() > 0) {
1242 return KM_ERROR_OUTPUT_PARAMETER_NULL;
1243 }
1244 return KM_ERROR_OK;
1245 }
1246
1247 /* static */
update(const keymaster2_device_t * dev,keymaster_operation_handle_t operation_handle,const keymaster_key_param_set_t * in_params,const keymaster_blob_t * input,size_t * input_consumed,keymaster_key_param_set_t * out_params,keymaster_blob_t * output)1248 keymaster_error_t SoftKeymasterDevice::update(const keymaster2_device_t* dev,
1249 keymaster_operation_handle_t operation_handle,
1250 const keymaster_key_param_set_t* in_params,
1251 const keymaster_blob_t* input, size_t* input_consumed,
1252 keymaster_key_param_set_t* out_params,
1253 keymaster_blob_t* output) {
1254 if (!dev) return KM_ERROR_UNEXPECTED_NULL_POINTER;
1255
1256 if (!convert_device(dev)->configured()) return KM_ERROR_KEYMASTER_NOT_CONFIGURED;
1257
1258 SoftKeymasterDevice* sk_dev = convert_device(dev);
1259 return update(&sk_dev->km1_device_, operation_handle, in_params, input, input_consumed,
1260 out_params, output);
1261 }
1262
1263 /* static */
finish(const keymaster1_device_t * dev,keymaster_operation_handle_t operation_handle,const keymaster_key_param_set_t * params,const keymaster_blob_t * signature,keymaster_key_param_set_t * out_params,keymaster_blob_t * output)1264 keymaster_error_t SoftKeymasterDevice::finish(const keymaster1_device_t* dev,
1265 keymaster_operation_handle_t operation_handle,
1266 const keymaster_key_param_set_t* params,
1267 const keymaster_blob_t* signature,
1268 keymaster_key_param_set_t* out_params,
1269 keymaster_blob_t* output) {
1270 if (!dev) return KM_ERROR_UNEXPECTED_NULL_POINTER;
1271
1272 const keymaster1_device_t* km1_dev = convert_device(dev)->wrapped_km1_device_;
1273 if (km1_dev && !convert_device(dev)->impl_->has_operation(operation_handle)) {
1274 // This operation is being handled by km1_dev (or doesn't exist). Pass it through to
1275 // km1_dev. Otherwise, we'll use the software AndroidKeymaster, which may delegate to
1276 // km1_dev after doing necessary digesting.
1277 return km1_dev->finish(km1_dev, operation_handle, params, signature, out_params, output);
1278 }
1279
1280 if (out_params) {
1281 out_params->params = nullptr;
1282 out_params->length = 0;
1283 }
1284
1285 if (output) {
1286 output->data = nullptr;
1287 output->data_length = 0;
1288 }
1289
1290 auto& impl_ = convert_device(dev)->impl_;
1291 FinishOperationRequest request(impl_->message_version());
1292 request.op_handle = operation_handle;
1293 if (signature && signature->data_length > 0)
1294 request.signature.Reinitialize(signature->data, signature->data_length);
1295 request.additional_params.Reinitialize(*params);
1296
1297 FinishOperationResponse response(impl_->message_version());
1298 impl_->FinishOperation(request, &response);
1299 if (response.error != KM_ERROR_OK) return response.error;
1300
1301 if (response.output_params.size() > 0) {
1302 if (out_params)
1303 response.output_params.CopyToParamSet(out_params);
1304 else
1305 return KM_ERROR_OUTPUT_PARAMETER_NULL;
1306 }
1307 if (output) {
1308 output->data_length = response.output.available_read();
1309 uint8_t* tmp = reinterpret_cast<uint8_t*>(malloc(output->data_length));
1310 if (!tmp) return KM_ERROR_MEMORY_ALLOCATION_FAILED;
1311 memcpy(tmp, response.output.peek_read(), output->data_length);
1312 output->data = tmp;
1313 } else if (response.output.available_read() > 0) {
1314 return KM_ERROR_OUTPUT_PARAMETER_NULL;
1315 }
1316
1317 return KM_ERROR_OK;
1318 }
1319
1320 struct KeyParamSetContents_Delete {
operator ()keymaster::KeyParamSetContents_Delete1321 void operator()(keymaster_key_param_set_t* p) { keymaster_free_param_set(p); }
1322 };
1323
1324 /* static */
finish(const keymaster2_device_t * dev,keymaster_operation_handle_t operation_handle,const keymaster_key_param_set_t * params,const keymaster_blob_t * input,const keymaster_blob_t * signature,keymaster_key_param_set_t * out_params,keymaster_blob_t * output)1325 keymaster_error_t SoftKeymasterDevice::finish(const keymaster2_device_t* dev,
1326 keymaster_operation_handle_t operation_handle,
1327 const keymaster_key_param_set_t* params,
1328 const keymaster_blob_t* input,
1329 const keymaster_blob_t* signature,
1330 keymaster_key_param_set_t* out_params,
1331 keymaster_blob_t* output) {
1332 if (!dev) return KM_ERROR_UNEXPECTED_NULL_POINTER;
1333
1334 if (!convert_device(dev)->configured()) return KM_ERROR_KEYMASTER_NOT_CONFIGURED;
1335
1336 if (out_params) *out_params = {};
1337
1338 if (output) *output = {};
1339
1340 const keymaster1_device_t* km1_dev = convert_device(dev)->wrapped_km1_device_;
1341 if (km1_dev && !convert_device(dev)->impl_->has_operation(operation_handle)) {
1342 // This operation is being handled by km1_dev (or doesn't exist). Pass it through to
1343 // km1_dev. Otherwise, we'll use the software AndroidKeymaster, which may delegate to
1344 // km1_dev after doing necessary digesting.
1345
1346 std::vector<uint8_t> accumulated_output;
1347 AuthorizationSet accumulated_out_params;
1348 AuthorizationSet mutable_params(*params);
1349 if (input && input->data && input->data_length) {
1350 // Keymaster1 doesn't support input to finish(). Call update() to process input.
1351
1352 accumulated_output.reserve(input->data_length); // Guess at output size
1353 keymaster_blob_t mutable_input = *input;
1354
1355 while (mutable_input.data_length > 0) {
1356 keymaster_key_param_set_t update_out_params = {};
1357 keymaster_blob_t update_output = {};
1358 size_t input_consumed = 0;
1359 keymaster_error_t error =
1360 km1_dev->update(km1_dev, operation_handle, &mutable_params, &mutable_input,
1361 &input_consumed, &update_out_params, &update_output);
1362 if (error != KM_ERROR_OK) {
1363 return error;
1364 }
1365
1366 accumulated_output.reserve(accumulated_output.size() + update_output.data_length);
1367 std::copy(update_output.data, update_output.data + update_output.data_length,
1368 std::back_inserter(accumulated_output));
1369 free(const_cast<uint8_t*>(update_output.data));
1370
1371 accumulated_out_params.push_back(update_out_params);
1372 keymaster_free_param_set(&update_out_params);
1373
1374 mutable_input.data += input_consumed;
1375 mutable_input.data_length -= input_consumed;
1376
1377 // AAD should only be sent once, so remove it if present.
1378 int aad_pos = mutable_params.find(TAG_ASSOCIATED_DATA);
1379 if (aad_pos != -1) {
1380 mutable_params.erase(aad_pos);
1381 }
1382
1383 if (input_consumed == 0) {
1384 // Apparently we need more input than we have to complete an operation.
1385 km1_dev->abort(km1_dev, operation_handle);
1386 return KM_ERROR_INVALID_INPUT_LENGTH;
1387 }
1388 }
1389 }
1390
1391 keymaster_key_param_set_t finish_out_params = {};
1392 keymaster_blob_t finish_output = {};
1393 keymaster_error_t error = km1_dev->finish(km1_dev, operation_handle, &mutable_params,
1394 signature, &finish_out_params, &finish_output);
1395 if (error != KM_ERROR_OK) {
1396 return error;
1397 }
1398
1399 if (!accumulated_out_params.empty()) {
1400 accumulated_out_params.push_back(finish_out_params);
1401 keymaster_free_param_set(&finish_out_params);
1402 accumulated_out_params.Deduplicate();
1403 accumulated_out_params.CopyToParamSet(&finish_out_params);
1404 }
1405 std::unique_ptr<keymaster_key_param_set_t, KeyParamSetContents_Delete>
1406 finish_out_params_deleter(&finish_out_params);
1407
1408 if (!accumulated_output.empty()) {
1409 size_t finish_out_length = accumulated_output.size() + finish_output.data_length;
1410 uint8_t* finish_out_buf = reinterpret_cast<uint8_t*>(malloc(finish_out_length));
1411
1412 std::copy(accumulated_output.begin(), accumulated_output.end(), finish_out_buf);
1413 std::copy(finish_output.data, finish_output.data + finish_output.data_length,
1414 finish_out_buf + accumulated_output.size());
1415
1416 free(const_cast<uint8_t*>(finish_output.data));
1417 finish_output.data_length = finish_out_length;
1418 finish_output.data = finish_out_buf;
1419 }
1420 std::unique_ptr<uint8_t, Malloc_Delete> finish_output_deleter(
1421 const_cast<uint8_t*>(finish_output.data));
1422
1423 if ((!out_params && finish_out_params.length) || (!output && finish_output.data_length)) {
1424 return KM_ERROR_OUTPUT_PARAMETER_NULL;
1425 }
1426
1427 *out_params = finish_out_params;
1428 *output = finish_output;
1429
1430 finish_out_params_deleter.release(); // NOLINT(bugprone-unused-return-value)
1431 finish_output_deleter.release(); // NOLINT(bugprone-unused-return-value)
1432
1433 return KM_ERROR_OK;
1434 }
1435
1436 auto& impl_ = convert_device(dev)->impl_;
1437 FinishOperationRequest request(impl_->message_version());
1438 request.op_handle = operation_handle;
1439 if (signature && signature->data_length > 0)
1440 request.signature.Reinitialize(signature->data, signature->data_length);
1441 if (input && input->data_length > 0)
1442 request.input.Reinitialize(input->data, input->data_length);
1443 request.additional_params.Reinitialize(*params);
1444
1445 FinishOperationResponse response(impl_->message_version());
1446 impl_->FinishOperation(request, &response);
1447 if (response.error != KM_ERROR_OK) return response.error;
1448
1449 if (response.output_params.size() > 0) {
1450 if (out_params)
1451 response.output_params.CopyToParamSet(out_params);
1452 else
1453 return KM_ERROR_OUTPUT_PARAMETER_NULL;
1454 }
1455 if (output) {
1456 output->data_length = response.output.available_read();
1457 uint8_t* tmp = reinterpret_cast<uint8_t*>(malloc(output->data_length));
1458 if (!tmp) return KM_ERROR_MEMORY_ALLOCATION_FAILED;
1459 memcpy(tmp, response.output.peek_read(), output->data_length);
1460 output->data = tmp;
1461 } else if (response.output.available_read() > 0) {
1462 return KM_ERROR_OUTPUT_PARAMETER_NULL;
1463 }
1464
1465 return KM_ERROR_OK;
1466 }
1467
1468 /* static */
abort(const keymaster1_device_t * dev,keymaster_operation_handle_t operation_handle)1469 keymaster_error_t SoftKeymasterDevice::abort(const keymaster1_device_t* dev,
1470 keymaster_operation_handle_t operation_handle) {
1471 const keymaster1_device_t* km1_dev = convert_device(dev)->wrapped_km1_device_;
1472 if (km1_dev && !convert_device(dev)->impl_->has_operation(operation_handle)) {
1473 // This operation is being handled by km1_dev (or doesn't exist). Pass it through to
1474 // km1_dev. Otherwise, we'll use the software AndroidKeymaster, which may delegate to
1475 // km1_dev.
1476 return km1_dev->abort(km1_dev, operation_handle);
1477 }
1478
1479 auto& impl_ = convert_device(dev)->impl_;
1480 AbortOperationRequest request(impl_->message_version());
1481 request.op_handle = operation_handle;
1482 AbortOperationResponse response(impl_->message_version());
1483 impl_->AbortOperation(request, &response);
1484 return response.error;
1485 }
1486
1487 /* static */
abort(const keymaster2_device_t * dev,keymaster_operation_handle_t operation_handle)1488 keymaster_error_t SoftKeymasterDevice::abort(const keymaster2_device_t* dev,
1489 keymaster_operation_handle_t operation_handle) {
1490 if (!dev) return KM_ERROR_UNEXPECTED_NULL_POINTER;
1491
1492 if (!convert_device(dev)->configured()) return KM_ERROR_KEYMASTER_NOT_CONFIGURED;
1493
1494 SoftKeymasterDevice* sk_dev = convert_device(dev);
1495 return abort(&sk_dev->km1_device_, operation_handle);
1496 }
1497
1498 /* static */
StoreDefaultNewKeyParams(keymaster_algorithm_t algorithm,AuthorizationSet * auth_set)1499 void SoftKeymasterDevice::StoreDefaultNewKeyParams(keymaster_algorithm_t algorithm,
1500 AuthorizationSet* auth_set) {
1501 auth_set->push_back(TAG_PURPOSE, KM_PURPOSE_SIGN);
1502 auth_set->push_back(TAG_PURPOSE, KM_PURPOSE_VERIFY);
1503 auth_set->push_back(TAG_ALL_USERS);
1504 auth_set->push_back(TAG_NO_AUTH_REQUIRED);
1505
1506 // All digests.
1507 auth_set->push_back(TAG_DIGEST, KM_DIGEST_NONE);
1508 auth_set->push_back(TAG_DIGEST, KM_DIGEST_MD5);
1509 auth_set->push_back(TAG_DIGEST, KM_DIGEST_SHA1);
1510 auth_set->push_back(TAG_DIGEST, KM_DIGEST_SHA_2_224);
1511 auth_set->push_back(TAG_DIGEST, KM_DIGEST_SHA_2_256);
1512 auth_set->push_back(TAG_DIGEST, KM_DIGEST_SHA_2_384);
1513 auth_set->push_back(TAG_DIGEST, KM_DIGEST_SHA_2_512);
1514
1515 if (algorithm == KM_ALGORITHM_RSA) {
1516 auth_set->push_back(TAG_PURPOSE, KM_PURPOSE_ENCRYPT);
1517 auth_set->push_back(TAG_PURPOSE, KM_PURPOSE_DECRYPT);
1518 auth_set->push_back(TAG_PADDING, KM_PAD_NONE);
1519 auth_set->push_back(TAG_PADDING, KM_PAD_RSA_PKCS1_1_5_SIGN);
1520 auth_set->push_back(TAG_PADDING, KM_PAD_RSA_PKCS1_1_5_ENCRYPT);
1521 auth_set->push_back(TAG_PADDING, KM_PAD_RSA_PSS);
1522 auth_set->push_back(TAG_PADDING, KM_PAD_RSA_OAEP);
1523 }
1524 }
1525
1526 } // namespace keymaster
1527