1 /*
2 * Copyright 2014 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17 #ifndef SYSTEM_KEYMASTER_AUTHORIZATION_SET_H_
18 #define SYSTEM_KEYMASTER_AUTHORIZATION_SET_H_
19
20 #include <UniquePtr.h>
21
22 #include <hardware/keymaster_defs.h>
23 #include <keymaster/keymaster_tags.h>
24 #include <keymaster/serializable.h>
25
26 namespace keymaster {
27
28 class AuthorizationSetBuilder;
29
30 /**
31 * An extension of the keymaster_key_param_set_t struct, which provides serialization memory
32 * management and methods for easy manipulation and construction.
33 */
34 class AuthorizationSet : public Serializable, public keymaster_key_param_set_t {
35 public:
36 /**
37 * Construct an empty, dynamically-allocated, growable AuthorizationSet. Does not actually
38 * allocate any storage until elements are added, so there is no cost to creating an
39 * AuthorizationSet with this constructor and then reinitializing it to point at pre-allocated
40 * buffers, with \p Reinitialize.
41 */
AuthorizationSet()42 AuthorizationSet()
43 : elems_capacity_(0), indirect_data_(NULL), indirect_data_size_(0),
44 indirect_data_capacity_(0), error_(OK) {
45 elems_ = nullptr;
46 elems_size_ = 0;
47 }
48
49 /**
50 * Construct an AuthorizationSet from the provided array. The AuthorizationSet copies the data
51 * from the provided array (and the data referenced by its embedded pointers, if any) into
52 * dynamically-allocated storage. If allocation of the needed storage fails, \p is_valid() will
53 * return ALLOCATION_FAILURE. It is the responsibility of the caller to check before using the
54 * set, if allocations might fail.
55 */
AuthorizationSet(const keymaster_key_param_t * elems,size_t count)56 AuthorizationSet(const keymaster_key_param_t* elems, size_t count) : indirect_data_(nullptr) {
57 elems_ = nullptr;
58 Reinitialize(elems, count);
59 }
60
AuthorizationSet(const keymaster_key_param_set_t & set)61 explicit AuthorizationSet(const keymaster_key_param_set_t& set) : indirect_data_(nullptr) {
62 elems_ = nullptr;
63 Reinitialize(set.params, set.length);
64 }
65
AuthorizationSet(const uint8_t * serialized_set,size_t serialized_size)66 explicit AuthorizationSet(const uint8_t* serialized_set, size_t serialized_size)
67 : indirect_data_(nullptr) {
68 elems_ = nullptr;
69 Deserialize(&serialized_set, serialized_set + serialized_size);
70 }
71
72 /**
73 * Construct an AuthorizationSet from the provided builder. This extracts the data from the
74 * builder, rather than copying it, so after this call the builder is empty.
75 */
76 explicit AuthorizationSet(/* NOT const */ AuthorizationSetBuilder& builder);
77
78 // Copy constructor.
AuthorizationSet(const AuthorizationSet & set)79 AuthorizationSet(const AuthorizationSet& set) : Serializable(), indirect_data_(nullptr) {
80 elems_ = nullptr;
81 Reinitialize(set.elems_, set.elems_size_);
82 error_ = set.error_;
83 }
84
85 // Move constructor.
AuthorizationSet(AuthorizationSet && set)86 AuthorizationSet(AuthorizationSet&& set) : Serializable() {
87 MoveFrom(set);
88 }
89
90 // Copy assignment.
91 AuthorizationSet& operator=(const AuthorizationSet& set) {
92 Reinitialize(set.elems_, set.elems_size_);
93 error_ = set.error_;
94 return *this;
95 }
96
97 // Move assignment.
98 AuthorizationSet& operator=(AuthorizationSet&& set) {
99 FreeData();
100 MoveFrom(set);
101 return *this;
102 }
103
104 /**
105 * Clear existing authorization set data
106 */
107 void Clear();
108
109 /**
110 * Reinitialize an AuthorizationSet as a dynamically-allocated, growable copy of the data in the
111 * provided array (and the data referenced by its embedded pointers, if any). If the allocation
112 * of the needed storage fails this method will return false and \p is_valid() will return
113 * ALLOCATION_FAILURE.
114 */
115 bool Reinitialize(const keymaster_key_param_t* elems, size_t count);
116
Reinitialize(const AuthorizationSet & set)117 bool Reinitialize(const AuthorizationSet& set) {
118 return Reinitialize(set.elems_, set.elems_size_);
119 }
120
Reinitialize(const keymaster_key_param_set_t & set)121 bool Reinitialize(const keymaster_key_param_set_t& set) {
122 return Reinitialize(set.params, set.length);
123 }
124
125 ~AuthorizationSet();
126
127 enum Error {
128 OK,
129 ALLOCATION_FAILURE,
130 MALFORMED_DATA,
131 };
132
is_valid()133 Error is_valid() const { return error_; }
134
135 /**
136 * Returns the size of the set.
137 */
size()138 size_t size() const { return elems_size_; }
139
140 /**
141 * Returns true if the set is empty.
142 */
empty()143 bool empty() const { return size() == 0; }
144
145 /**
146 * Returns the total size of all indirect data referenced by set elements.
147 */
indirect_size()148 size_t indirect_size() const { return indirect_data_size_; }
149
150 /**
151 * Returns the data in the set, directly. Be careful with this.
152 */
data()153 const keymaster_key_param_t* data() const { return elems_; }
154
155 /**
156 * Sorts the set
157 */
158 void Sort();
159
160 /**
161 * Sorts the set and removes duplicates (inadvertently duplicating tags is easy to do with the
162 * AuthorizationSetBuilder).
163 */
164 void Deduplicate();
165
166 /**
167 * Adds all elements from \p set that are not already present in this AuthorizationSet. As a
168 * side-effect, if \p set is not null this AuthorizationSet will end up sorted.
169 */
170 void Union(const keymaster_key_param_set_t& set);
171
172 /**
173 * Removes all elements in \p set from this AuthorizationSet.
174 */
175 void Difference(const keymaster_key_param_set_t& set);
176
177 /**
178 * Returns the data in a keymaster_key_param_set_t, suitable for returning to C code. For C
179 * compatibility, the contents are malloced, not new'ed, and so must be freed with free(), or
180 * better yet with keymaster_free_param_set, not delete. The caller takes ownership.
181 */
182 void CopyToParamSet(keymaster_key_param_set_t* set) const;
183
184 /**
185 * Returns the offset of the next entry that matches \p tag, starting from the element after \p
186 * begin. If not found, returns -1.
187 */
188 int find(keymaster_tag_t tag, int begin = -1) const;
189
190 /**
191 * Removes the entry at the specified index. Returns true if successful, false if the index was
192 * out of bounds.
193 */
194 bool erase(int index);
195
196 /**
197 * Returns iterator (pointer) to beginning of elems array, to enable STL-style iteration
198 */
begin()199 const keymaster_key_param_t* begin() const { return elems_; }
200
201 /**
202 * Returns iterator (pointer) one past end of elems array, to enable STL-style iteration
203 */
end()204 const keymaster_key_param_t* end() const { return elems_ + elems_size_; }
205
206 /**
207 * Returns the nth element of the set.
208 */
209 keymaster_key_param_t& operator[](int n);
210
211 /**
212 * Returns the nth element of the set.
213 */
214 keymaster_key_param_t operator[](int n) const;
215
216 /**
217 * Returns true if the set contains at least one instance of \p tag
218 */
Contains(keymaster_tag_t tag)219 bool Contains(keymaster_tag_t tag) const {
220 return find(tag) != -1;
221 }
222
223 /**
224 * Returns the number of \p tag entries.
225 */
226 size_t GetTagCount(keymaster_tag_t tag) const;
227
228 /**
229 * Returns true if the set contains the specified tag and value.
230 */
231 template <keymaster_tag_t Tag, typename T>
Contains(TypedEnumTag<KM_ENUM_REP,Tag,T> tag,T val)232 bool Contains(TypedEnumTag<KM_ENUM_REP, Tag, T> tag, T val) const {
233 return ContainsEnumValue(tag, val);
234 }
235
236 /**
237 * Returns true if the set contains the specified tag and value.
238 */
239 template <keymaster_tag_t Tag, typename T>
Contains(TypedEnumTag<KM_ENUM,Tag,T> tag,T val)240 bool Contains(TypedEnumTag<KM_ENUM, Tag, T> tag, T val) const {
241 return ContainsEnumValue(tag, val);
242 }
243
244 /**
245 * Returns true if the set contains the specified tag and value.
246 */
247 template <keymaster_tag_t Tag>
Contains(TypedTag<KM_UINT,Tag> tag,uint32_t val)248 bool Contains(TypedTag<KM_UINT, Tag> tag, uint32_t val) const {
249 return ContainsIntValue(tag, val);
250 }
251
252 /**
253 * If the specified integer-typed \p tag exists, places its value in \p val and returns true.
254 * If \p tag is not present, leaves \p val unmodified and returns false.
255 */
256 template <keymaster_tag_t T>
GetTagValue(TypedTag<KM_UINT,T> tag,uint32_t * val)257 inline bool GetTagValue(TypedTag<KM_UINT, T> tag, uint32_t* val) const {
258 return GetTagValueInt(tag, val);
259 }
260
261 /**
262 * If the specified instance of the specified integer-typed \p tag exists, places its value
263 * in \p val and returns true. If \p tag is not present, leaves \p val unmodified and returns
264 * false.
265 */
266 template <keymaster_tag_t Tag>
GetTagValue(TypedTag<KM_UINT_REP,Tag> tag,size_t instance,uint32_t * val)267 bool GetTagValue(TypedTag<KM_UINT_REP, Tag> tag, size_t instance, uint32_t* val) const {
268 return GetTagValueIntRep(tag, instance, val);
269 }
270
271 /**
272 * If the specified long-typed \p tag exists, places its value in \p val and returns true.
273 * If \p tag is not present, leaves \p val unmodified and returns false.
274 */
275 template <keymaster_tag_t T>
GetTagValue(TypedTag<KM_ULONG,T> tag,uint64_t * val)276 inline bool GetTagValue(TypedTag<KM_ULONG, T> tag, uint64_t* val) const {
277 return GetTagValueLong(tag, val);
278 }
279
280 /**
281 * If the specified instance of the specified integer-typed \p tag exists, places its value
282 * in \p val and returns true. If \p tag is not present, leaves \p val unmodified and returns
283 * false.
284 */
285 template <keymaster_tag_t Tag>
GetTagValue(TypedTag<KM_ULONG_REP,Tag> tag,size_t instance,uint64_t * val)286 bool GetTagValue(TypedTag<KM_ULONG_REP, Tag> tag, size_t instance, uint64_t* val) const {
287 return GetTagValueLongRep(tag, instance, val);
288 }
289
290 /**
291 * If the specified enumeration-typed \p tag exists, places its value in \p val and returns
292 * true. If \p tag is not present, leaves \p val unmodified and returns false.
293 */
294 template <keymaster_tag_t Tag, typename T>
GetTagValue(TypedEnumTag<KM_ENUM,Tag,T> tag,T * val)295 bool GetTagValue(TypedEnumTag<KM_ENUM, Tag, T> tag, T* val) const {
296 return GetTagValueEnum(tag, reinterpret_cast<uint32_t*>(val));
297 }
298
299 /**
300 * If the specified instance of the specified enumeration-typed \p tag exists, places its value
301 * in \p val and returns true. If \p tag is not present, leaves \p val unmodified and returns
302 * false.
303 */
304 template <keymaster_tag_t Tag, typename T>
GetTagValue(TypedEnumTag<KM_ENUM_REP,Tag,T> tag,size_t instance,T * val)305 bool GetTagValue(TypedEnumTag<KM_ENUM_REP, Tag, T> tag, size_t instance, T* val) const {
306 return GetTagValueEnumRep(tag, instance, reinterpret_cast<uint32_t*>(val));
307 }
308
309 /**
310 * If exactly one instance of the specified enumeration-typed \p tag exists, places its value in
311 * \p val and returns true. If \p tag is not present or if multiple copies are present, leaves
312 * \p val unmodified and returns false.
313 */
314 template <keymaster_tag_t Tag, typename T>
GetTagValue(TypedEnumTag<KM_ENUM_REP,Tag,T> tag,T * val)315 bool GetTagValue(TypedEnumTag<KM_ENUM_REP, Tag, T> tag, T* val) const {
316 if (GetTagCount(tag) != 1)
317 return false;
318 return GetTagValueEnumRep(tag, 0, reinterpret_cast<uint32_t*>(val));
319 }
320
321 /**
322 * If the specified date-typed \p tag exists, places its value in \p val and returns
323 * true. If \p tag is not present, leaves \p val unmodified and returns false.
324 */
325 template <keymaster_tag_t Tag>
GetTagValue(TypedTag<KM_UINT_REP,Tag> tag,size_t instance,typename TypedTag<KM_UINT_REP,Tag>::value_type * val)326 bool GetTagValue(TypedTag<KM_UINT_REP, Tag> tag, size_t instance,
327 typename TypedTag<KM_UINT_REP, Tag>::value_type* val) const {
328 return GetTagValueIntRep(tag, instance, val);
329 }
330
331 /**
332 * If the specified bytes-typed \p tag exists, places its value in \p val and returns
333 * true. If \p tag is not present, leaves \p val unmodified and returns false.
334 */
335 template <keymaster_tag_t Tag>
GetTagValue(TypedTag<KM_BYTES,Tag> tag,keymaster_blob_t * val)336 bool GetTagValue(TypedTag<KM_BYTES, Tag> tag, keymaster_blob_t* val) const {
337 return GetTagValueBlob(tag, val);
338 }
339
340 /**
341 * If the specified bignum-typed \p tag exists, places its value in \p val and returns
342 * true. If \p tag is not present, leaves \p val unmodified and returns false.
343 */
344 template <keymaster_tag_t Tag>
GetTagValue(TypedTag<KM_BIGNUM,Tag> tag,keymaster_blob_t * val)345 bool GetTagValue(TypedTag<KM_BIGNUM, Tag> tag, keymaster_blob_t* val) const {
346 return GetTagValueBlob(tag, val);
347 }
348
349 /**
350 * Returns true if the specified tag is present, and therefore has the value 'true'.
351 */
GetTagValue(TypedTag<KM_BOOL,Tag> tag)352 template <keymaster_tag_t Tag> bool GetTagValue(TypedTag<KM_BOOL, Tag> tag) const {
353 return GetTagValueBool(tag);
354 }
355
356 /**
357 * If the specified \p tag exists, places its value in \p val and returns true. If \p tag is
358 * not present, leaves \p val unmodified and returns false.
359 */
360 template <keymaster_tag_t Tag, keymaster_tag_type_t Type>
GetTagValue(TypedTag<Type,Tag> tag,typename TagValueType<Type>::value_type * val)361 bool GetTagValue(TypedTag<Type, Tag> tag, typename TagValueType<Type>::value_type* val) const {
362 return GetTagValueLong(tag, val);
363 }
364
365 bool push_back(keymaster_key_param_t elem);
366
367 /**
368 * Grow the elements array to ensure it can contain \p count entries. Preserves any existing
369 * entries.
370 */
371 bool reserve_elems(size_t count);
372
373 /**
374 * Grow the indirect data array to ensure it can contain \p length bytes. Preserves any
375 * existing indirect data.
376 */
377 bool reserve_indirect(size_t length);
378
379 bool push_back(const keymaster_key_param_set_t& set);
380
381 /**
382 * Append the tag and enumerated value to the set.
383 */
384 template <keymaster_tag_t Tag, keymaster_tag_type_t Type, typename KeymasterEnum>
push_back(TypedEnumTag<Type,Tag,KeymasterEnum> tag,KeymasterEnum val)385 bool push_back(TypedEnumTag<Type, Tag, KeymasterEnum> tag, KeymasterEnum val) {
386 return push_back(Authorization(tag, val));
387 }
388
389 /**
390 * Append the boolean tag (value "true") to the set.
391 */
push_back(TypedTag<KM_BOOL,Tag> tag)392 template <keymaster_tag_t Tag> bool push_back(TypedTag<KM_BOOL, Tag> tag) {
393 return push_back(Authorization(tag));
394 }
395
396 /**
397 * Append the tag and byte array to the set. Copies the array into internal storage; does not
398 * take ownership of the passed-in array.
399 */
400 template <keymaster_tag_t Tag>
push_back(TypedTag<KM_BYTES,Tag> tag,const void * bytes,size_t bytes_len)401 bool push_back(TypedTag<KM_BYTES, Tag> tag, const void* bytes, size_t bytes_len) {
402 return push_back(keymaster_param_blob(tag, static_cast<const uint8_t*>(bytes), bytes_len));
403 }
404
405 /**
406 * Append the tag and blob to the set. Copies the blob contents into internal storage; does not
407 * take ownership of the blob's data.
408 */
409 template <keymaster_tag_t Tag>
push_back(TypedTag<KM_BYTES,Tag> tag,const keymaster_blob_t & blob)410 bool push_back(TypedTag<KM_BYTES, Tag> tag, const keymaster_blob_t& blob) {
411 return push_back(tag, blob.data, blob.data_length);
412 }
413
414 /**
415 * Append the tag and bignum array to the set. Copies the array into internal storage; does not
416 * take ownership of the passed-in array.
417 */
418 template <keymaster_tag_t Tag>
push_back(TypedTag<KM_BIGNUM,Tag> tag,const void * bytes,size_t bytes_len)419 bool push_back(TypedTag<KM_BIGNUM, Tag> tag, const void* bytes, size_t bytes_len) {
420 return push_back(keymaster_param_blob(tag, static_cast<const uint8_t*>(bytes), bytes_len));
421 }
422
423 template <keymaster_tag_t Tag, keymaster_tag_type_t Type>
push_back(TypedTag<Type,Tag> tag,typename TypedTag<Type,Tag>::value_type val)424 bool push_back(TypedTag<Type, Tag> tag, typename TypedTag<Type, Tag>::value_type val) {
425 return push_back(Authorization(tag, val));
426 }
427
428 template <keymaster_tag_t Tag, keymaster_tag_type_t Type>
push_back(TypedTag<Type,Tag> tag,const void * bytes,size_t bytes_len)429 bool push_back(TypedTag<Type, Tag> tag, const void* bytes, size_t bytes_len) {
430 return push_back(Authorization(tag, bytes, bytes_len));
431 }
432
433 /* Virtual methods from Serializable */
434 size_t SerializedSize() const;
435 uint8_t* Serialize(uint8_t* serialized_set, const uint8_t* end) const;
436 bool Deserialize(const uint8_t** buf_ptr, const uint8_t* end);
437
438 size_t SerializedSizeOfElements() const;
439
440 private:
441 void FreeData();
442 void MoveFrom(AuthorizationSet& set);
443
444 void set_invalid(Error err);
445
446 static size_t ComputeIndirectDataSize(const keymaster_key_param_t* elems, size_t count);
447 void CopyIndirectData();
448 bool CheckIndirectData();
449
450 bool DeserializeIndirectData(const uint8_t** buf_ptr, const uint8_t* end);
451 bool DeserializeElementsData(const uint8_t** buf_ptr, const uint8_t* end);
452
453 bool GetTagValueEnum(keymaster_tag_t tag, uint32_t* val) const;
454 bool GetTagValueEnumRep(keymaster_tag_t tag, size_t instance, uint32_t* val) const;
455 bool GetTagValueInt(keymaster_tag_t tag, uint32_t* val) const;
456 bool GetTagValueIntRep(keymaster_tag_t tag, size_t instance, uint32_t* val) const;
457 bool GetTagValueLong(keymaster_tag_t tag, uint64_t* val) const;
458 bool GetTagValueLongRep(keymaster_tag_t tag, size_t instance, uint64_t* val) const;
459 bool GetTagValueDate(keymaster_tag_t tag, uint64_t* val) const;
460 bool GetTagValueBlob(keymaster_tag_t tag, keymaster_blob_t* val) const;
461 bool GetTagValueBool(keymaster_tag_t tag) const;
462
463 bool ContainsEnumValue(keymaster_tag_t tag, uint32_t val) const;
464 bool ContainsIntValue(keymaster_tag_t tag, uint32_t val) const;
465
466 // Define elems_ and elems_size_ as aliases to params and length, respectively. This is to
467 // avoid using the variables without the trailing underscore in the implementation.
468 keymaster_key_param_t*& elems_ = keymaster_key_param_set_t::params;
469 size_t& elems_size_ = keymaster_key_param_set_t::length;
470
471 size_t elems_capacity_;
472 uint8_t* indirect_data_;
473 size_t indirect_data_size_;
474 size_t indirect_data_capacity_;
475 Error error_;
476 };
477
478 class AuthorizationSetBuilder {
479 public:
480 template <typename TagType, typename ValueType>
Authorization(TagType tag,ValueType value)481 AuthorizationSetBuilder& Authorization(TagType tag, ValueType value) {
482 set.push_back(tag, value);
483 return *this;
484 }
485
486 template <keymaster_tag_t Tag>
Authorization(TypedTag<KM_BOOL,Tag> tag)487 AuthorizationSetBuilder& Authorization(TypedTag<KM_BOOL, Tag> tag) {
488 set.push_back(tag);
489 return *this;
490 }
491
492 template <keymaster_tag_t Tag>
Authorization(TypedTag<KM_INVALID,Tag> tag)493 AuthorizationSetBuilder& Authorization(TypedTag<KM_INVALID, Tag> tag) {
494 keymaster_key_param_t param;
495 param.tag = tag;
496 set.push_back(param);
497 return *this;
498 }
499
500 template <keymaster_tag_t Tag>
Authorization(TypedTag<KM_BYTES,Tag> tag,const uint8_t * data,size_t data_length)501 AuthorizationSetBuilder& Authorization(TypedTag<KM_BYTES, Tag> tag, const uint8_t* data,
502 size_t data_length) {
503 set.push_back(tag, data, data_length);
504 return *this;
505 }
506
507 template <keymaster_tag_t Tag>
Authorization(TypedTag<KM_BYTES,Tag> tag,const char * data,size_t data_length)508 AuthorizationSetBuilder& Authorization(TypedTag<KM_BYTES, Tag> tag, const char* data,
509 size_t data_length) {
510 return Authorization(tag, reinterpret_cast<const uint8_t*>(data), data_length);
511 }
512
513 AuthorizationSetBuilder& RsaKey(uint32_t key_size, uint64_t public_exponent);
514 AuthorizationSetBuilder& EcdsaKey(uint32_t key_size);
515 AuthorizationSetBuilder& AesKey(uint32_t key_size);
516 AuthorizationSetBuilder& HmacKey(uint32_t key_size);
517
518 AuthorizationSetBuilder& RsaSigningKey(uint32_t key_size, uint64_t public_exponent);
519 AuthorizationSetBuilder& RsaEncryptionKey(uint32_t key_size, uint64_t public_exponent);
520 AuthorizationSetBuilder& EcdsaSigningKey(uint32_t key_size);
521 AuthorizationSetBuilder& AesEncryptionKey(uint32_t key_size);
522
523 AuthorizationSetBuilder& SigningKey();
524 AuthorizationSetBuilder& EncryptionKey();
525 AuthorizationSetBuilder& NoDigestOrPadding();
526 AuthorizationSetBuilder& EcbMode();
527
Digest(keymaster_digest_t digest)528 AuthorizationSetBuilder& Digest(keymaster_digest_t digest) {
529 return Authorization(TAG_DIGEST, digest);
530 }
531
Padding(keymaster_padding_t padding)532 AuthorizationSetBuilder& Padding(keymaster_padding_t padding) {
533 return Authorization(TAG_PADDING, padding);
534 }
535
Deduplicate()536 AuthorizationSetBuilder& Deduplicate() {
537 set.Deduplicate();
538 return *this;
539 }
540
build()541 AuthorizationSet build() const { return set; }
542
543 private:
544 friend AuthorizationSet;
545 AuthorizationSet set;
546 };
547
RsaKey(uint32_t key_size,uint64_t public_exponent)548 inline AuthorizationSetBuilder& AuthorizationSetBuilder::RsaKey(uint32_t key_size,
549 uint64_t public_exponent) {
550 Authorization(TAG_ALGORITHM, KM_ALGORITHM_RSA);
551 Authorization(TAG_KEY_SIZE, key_size);
552 Authorization(TAG_RSA_PUBLIC_EXPONENT, public_exponent);
553 return *this;
554 }
555
EcdsaKey(uint32_t key_size)556 inline AuthorizationSetBuilder& AuthorizationSetBuilder::EcdsaKey(uint32_t key_size) {
557 Authorization(TAG_ALGORITHM, KM_ALGORITHM_EC);
558 Authorization(TAG_KEY_SIZE, key_size);
559 return *this;
560 }
561
AesKey(uint32_t key_size)562 inline AuthorizationSetBuilder& AuthorizationSetBuilder::AesKey(uint32_t key_size) {
563 Authorization(TAG_ALGORITHM, KM_ALGORITHM_AES);
564 return Authorization(TAG_KEY_SIZE, key_size);
565 }
566
HmacKey(uint32_t key_size)567 inline AuthorizationSetBuilder& AuthorizationSetBuilder::HmacKey(uint32_t key_size) {
568 Authorization(TAG_ALGORITHM, KM_ALGORITHM_HMAC);
569 Authorization(TAG_KEY_SIZE, key_size);
570 return SigningKey();
571 }
572
RsaSigningKey(uint32_t key_size,uint64_t public_exponent)573 inline AuthorizationSetBuilder& AuthorizationSetBuilder::RsaSigningKey(uint32_t key_size,
574 uint64_t public_exponent) {
575 RsaKey(key_size, public_exponent);
576 return SigningKey();
577 }
578
579 inline AuthorizationSetBuilder&
RsaEncryptionKey(uint32_t key_size,uint64_t public_exponent)580 AuthorizationSetBuilder::RsaEncryptionKey(uint32_t key_size, uint64_t public_exponent) {
581 RsaKey(key_size, public_exponent);
582 return EncryptionKey();
583 }
584
EcdsaSigningKey(uint32_t key_size)585 inline AuthorizationSetBuilder& AuthorizationSetBuilder::EcdsaSigningKey(uint32_t key_size) {
586 EcdsaKey(key_size);
587 return SigningKey();
588 }
589
AesEncryptionKey(uint32_t key_size)590 inline AuthorizationSetBuilder& AuthorizationSetBuilder::AesEncryptionKey(uint32_t key_size) {
591 AesKey(key_size);
592 return EncryptionKey();
593 }
594
SigningKey()595 inline AuthorizationSetBuilder& AuthorizationSetBuilder::SigningKey() {
596 Authorization(TAG_PURPOSE, KM_PURPOSE_SIGN);
597 return Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY);
598 }
599
EncryptionKey()600 inline AuthorizationSetBuilder& AuthorizationSetBuilder::EncryptionKey() {
601 Authorization(TAG_PURPOSE, KM_PURPOSE_ENCRYPT);
602 return Authorization(TAG_PURPOSE, KM_PURPOSE_DECRYPT);
603 }
604
NoDigestOrPadding()605 inline AuthorizationSetBuilder& AuthorizationSetBuilder::NoDigestOrPadding() {
606 Authorization(TAG_DIGEST, KM_DIGEST_NONE);
607 return Authorization(TAG_PADDING, KM_PAD_NONE);
608 }
609
EcbMode()610 inline AuthorizationSetBuilder& AuthorizationSetBuilder::EcbMode() {
611 return Authorization(TAG_BLOCK_MODE, KM_MODE_ECB);
612 }
613
614 } // namespace keymaster
615
616 #endif // SYSTEM_KEYMASTER_KEY_AUTHORIZATION_SET_H_
617