1 /*
2 * Copyright 2020, The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17 #define LOG_TAG "android.hardware.security.keymint-impl.remote"
18 #include <log/log.h>
19
20 #include "guest/hals/keymint/remote/remote_keymint_operation.h"
21
22 #include <aidl/android/hardware/security/keymint/ErrorCode.h>
23 #include <aidl/android/hardware/security/secureclock/ISecureClock.h>
24
25 #include <keymaster/android_keymaster.h>
26
27 #include "KeyMintUtils.h"
28
29 namespace aidl::android::hardware::security::keymint {
30
31 using ::keymaster::AbortOperationRequest;
32 using ::keymaster::AbortOperationResponse;
33 using ::keymaster::Buffer;
34 using ::keymaster::FinishOperationRequest;
35 using ::keymaster::FinishOperationResponse;
36 using ::keymaster::TAG_ASSOCIATED_DATA;
37 using ::keymaster::UpdateOperationRequest;
38 using ::keymaster::UpdateOperationResponse;
39 using secureclock::TimeStampToken;
40 using namespace km_utils;
41
RemoteKeyMintOperation(::keymaster::RemoteKeymaster & impl,keymaster_operation_handle_t opHandle)42 RemoteKeyMintOperation::RemoteKeyMintOperation(
43 ::keymaster::RemoteKeymaster& impl, keymaster_operation_handle_t opHandle)
44 : impl_(impl), opHandle_(opHandle) {}
45
~RemoteKeyMintOperation()46 RemoteKeyMintOperation::~RemoteKeyMintOperation() {
47 if (opHandle_ != 0) {
48 abort();
49 }
50 }
51
updateAad(const vector<uint8_t> & input,const optional<HardwareAuthToken> & authToken,const optional<TimeStampToken> &)52 ScopedAStatus RemoteKeyMintOperation::updateAad(
53 const vector<uint8_t>& input, const optional<HardwareAuthToken>& authToken,
54 const optional<TimeStampToken>& /* timestampToken */) {
55 UpdateOperationRequest request(impl_.message_version());
56 request.op_handle = opHandle_;
57 request.additional_params.push_back(TAG_ASSOCIATED_DATA, input.data(),
58 input.size());
59 if (authToken) {
60 auto tokenAsVec(authToken2AidlVec(*authToken));
61 request.additional_params.push_back(keymaster::TAG_AUTH_TOKEN,
62 tokenAsVec.data(), tokenAsVec.size());
63 }
64
65 UpdateOperationResponse response(impl_.message_version());
66 impl_.UpdateOperation(request, &response);
67
68 return kmError2ScopedAStatus(response.error);
69 }
70
update(const vector<uint8_t> & input,const optional<HardwareAuthToken> & authToken,const optional<TimeStampToken> &,vector<uint8_t> * output)71 ScopedAStatus RemoteKeyMintOperation::update(
72 const vector<uint8_t>& input, const optional<HardwareAuthToken>& authToken,
73 const optional<TimeStampToken>&
74 /* timestampToken */,
75 vector<uint8_t>* output) {
76 if (!output) return kmError2ScopedAStatus(KM_ERROR_OUTPUT_PARAMETER_NULL);
77
78 UpdateOperationRequest request(impl_.message_version());
79 request.op_handle = opHandle_;
80 request.input.Reinitialize(input.data(), input.size());
81 if (authToken) {
82 auto tokenAsVec(authToken2AidlVec(*authToken));
83 request.additional_params.push_back(keymaster::TAG_AUTH_TOKEN,
84 tokenAsVec.data(), tokenAsVec.size());
85 }
86
87 UpdateOperationResponse response(impl_.message_version());
88 impl_.UpdateOperation(request, &response);
89
90 if (response.error != KM_ERROR_OK)
91 return kmError2ScopedAStatus(response.error);
92 if (response.input_consumed != request.input.buffer_size()) {
93 return kmError2ScopedAStatus(KM_ERROR_UNKNOWN_ERROR);
94 }
95
96 *output = kmBuffer2vector(response.output);
97 return ScopedAStatus::ok();
98 }
99
finish(const optional<vector<uint8_t>> & input,const optional<vector<uint8_t>> & signature,const optional<HardwareAuthToken> & authToken,const optional<TimeStampToken> &,const optional<vector<uint8_t>> & confirmationToken,vector<uint8_t> * output)100 ScopedAStatus RemoteKeyMintOperation::finish(
101 const optional<vector<uint8_t>>& input, //
102 const optional<vector<uint8_t>>& signature, //
103 const optional<HardwareAuthToken>& authToken,
104 const optional<TimeStampToken>& /* timestampToken */,
105 const optional<vector<uint8_t>>& confirmationToken,
106 vector<uint8_t>* output) {
107 if (!output) {
108 return ScopedAStatus(AStatus_fromServiceSpecificError(
109 static_cast<int32_t>(ErrorCode::OUTPUT_PARAMETER_NULL)));
110 }
111
112 FinishOperationRequest request(impl_.message_version());
113 request.op_handle = opHandle_;
114 if (input) request.input.Reinitialize(input->data(), input->size());
115 if (signature) {
116 request.signature.Reinitialize(signature->data(), signature->size());
117 }
118 if (authToken) {
119 auto tokenAsVec(authToken2AidlVec(*authToken));
120 request.additional_params.push_back(keymaster::TAG_AUTH_TOKEN,
121 tokenAsVec.data(), tokenAsVec.size());
122 }
123 if (confirmationToken) {
124 request.additional_params.push_back(keymaster::TAG_CONFIRMATION_TOKEN,
125 confirmationToken->data(),
126 confirmationToken->size());
127 }
128
129 FinishOperationResponse response(impl_.message_version());
130 impl_.FinishOperation(request, &response);
131 opHandle_ = 0;
132
133 if (response.error != KM_ERROR_OK)
134 return kmError2ScopedAStatus(response.error);
135
136 *output = kmBuffer2vector(response.output);
137 return ScopedAStatus::ok();
138 }
139
abort()140 ScopedAStatus RemoteKeyMintOperation::abort() {
141 AbortOperationRequest request(impl_.message_version());
142 request.op_handle = opHandle_;
143
144 AbortOperationResponse response(impl_.message_version());
145 impl_.AbortOperation(request, &response);
146 opHandle_ = 0;
147
148 return kmError2ScopedAStatus(response.error);
149 }
150
151 } // namespace aidl::android::hardware::security::keymint
152