/*
**
** Copyright 2017, The Android Open Source Project
**
** Licensed under the Apache License, Version 2.0 (the "License");
** you may not use this file except in compliance with the License.
** You may obtain a copy of the License at
**
** http://www.apache.org/licenses/LICENSE-2.0
**
** Unless required by applicable law or agreed to in writing, software
** distributed under the License is distributed on an "AS IS" BASIS,
** WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
** See the License for the specific language governing permissions and
** limitations under the License.
*/
#define LOG_TAG "android.hardware.keymaster@4.0-impl"
#include <log/log.h>
#include "include/AndroidKeymaster4Device.h"
#include <keymasterV4_0/authorization_set.h>
#include <keymaster/android_keymaster.h>
#include <keymaster/android_keymaster_messages.h>
#include <keymaster/contexts/pure_soft_keymaster_context.h>
#include <keymaster/contexts/soft_keymaster_context.h>
#include <keymaster/keymaster_configuration.h>
#include <keymaster/keymaster_enforcement.h>
#include <keymaster/km_openssl/soft_keymaster_enforcement.h>
namespace keymaster {
namespace V4_0 {
namespace ng {
namespace {
constexpr size_t kOperationTableSize = 16;
inline keymaster_tag_t legacy_enum_conversion(const Tag value) {
return keymaster_tag_t(value);
}
inline Tag legacy_enum_conversion(const keymaster_tag_t value) {
return Tag(value);
}
inline keymaster_purpose_t legacy_enum_conversion(const KeyPurpose value) {
return static_cast<keymaster_purpose_t>(value);
}
inline keymaster_key_format_t legacy_enum_conversion(const KeyFormat value) {
return static_cast<keymaster_key_format_t>(value);
}
inline SecurityLevel legacy_enum_conversion(const keymaster_security_level_t value) {
return static_cast<SecurityLevel>(value);
}
inline hw_authenticator_type_t legacy_enum_conversion(const HardwareAuthenticatorType value) {
return static_cast<hw_authenticator_type_t>(value);
}
inline ErrorCode legacy_enum_conversion(const keymaster_error_t value) {
return static_cast<ErrorCode>(value);
}
inline keymaster_tag_type_t typeFromTag(const keymaster_tag_t tag) {
return keymaster_tag_get_type(tag);
}
class KmParamSet : public keymaster_key_param_set_t {
public:
KmParamSet(const hidl_vec<KeyParameter>& keyParams) {
params = new keymaster_key_param_t[keyParams.size()];
length = keyParams.size();
for (size_t i = 0; i < keyParams.size(); ++i) {
auto tag = legacy_enum_conversion(keyParams[i].tag);
switch (typeFromTag(tag)) {
case KM_ENUM:
case KM_ENUM_REP:
params[i] = keymaster_param_enum(tag, keyParams[i].f.integer);
break;
case KM_UINT:
case KM_UINT_REP:
params[i] = keymaster_param_int(tag, keyParams[i].f.integer);
break;
case KM_ULONG:
case KM_ULONG_REP:
params[i] = keymaster_param_long(tag, keyParams[i].f.longInteger);
break;
case KM_DATE:
params[i] = keymaster_param_date(tag, keyParams[i].f.dateTime);
break;
case KM_BOOL:
if (keyParams[i].f.boolValue)
params[i] = keymaster_param_bool(tag);
else
params[i].tag = KM_TAG_INVALID;
break;
case KM_BIGNUM:
case KM_BYTES:
params[i] =
keymaster_param_blob(tag, &keyParams[i].blob[0], keyParams[i].blob.size());
break;
case KM_INVALID:
default:
params[i].tag = KM_TAG_INVALID;
/* just skip */
break;
}
}
}
KmParamSet(KmParamSet&& other) : keymaster_key_param_set_t{other.params, other.length} {
other.length = 0;
other.params = nullptr;
}
KmParamSet(const KmParamSet&) = delete;
~KmParamSet() { delete[] params; }
};
inline hidl_vec<uint8_t> kmBlob2hidlVec(const keymaster_key_blob_t& blob) {
hidl_vec<uint8_t> result;
result.setToExternal(const_cast<unsigned char*>(blob.key_material), blob.key_material_size);
return result;
}
inline hidl_vec<uint8_t> kmBlob2hidlVec(const keymaster_blob_t& blob) {
hidl_vec<uint8_t> result;
result.setToExternal(const_cast<unsigned char*>(blob.data), blob.data_length);
return result;
}
inline hidl_vec<uint8_t> kmBuffer2hidlVec(const ::keymaster::Buffer& buf) {
hidl_vec<uint8_t> result;
result.setToExternal(const_cast<unsigned char*>(buf.peek_read()), buf.available_read());
return result;
}
inline static hidl_vec<hidl_vec<uint8_t>>
kmCertChain2Hidl(const keymaster_cert_chain_t& cert_chain) {
hidl_vec<hidl_vec<uint8_t>> result;
if (!cert_chain.entry_count || !cert_chain.entries)
return result;
result.resize(cert_chain.entry_count);
for (size_t i = 0; i < cert_chain.entry_count; ++i) {
result[i] = kmBlob2hidlVec(cert_chain.entries[i]);
}
return result;
}
static inline hidl_vec<KeyParameter> kmParamSet2Hidl(const keymaster_key_param_set_t& set) {
hidl_vec<KeyParameter> result;
if (set.length == 0 || set.params == nullptr)
return result;
result.resize(set.length);
keymaster_key_param_t* params = set.params;
for (size_t i = 0; i < set.length; ++i) {
auto tag = params[i].tag;
result[i].tag = legacy_enum_conversion(tag);
switch (typeFromTag(tag)) {
case KM_ENUM:
case KM_ENUM_REP:
result[i].f.integer = params[i].enumerated;
break;
case KM_UINT:
case KM_UINT_REP:
result[i].f.integer = params[i].integer;
break;
case KM_ULONG:
case KM_ULONG_REP:
result[i].f.longInteger = params[i].long_integer;
break;
case KM_DATE:
result[i].f.dateTime = params[i].date_time;
break;
case KM_BOOL:
result[i].f.boolValue = params[i].boolean;
break;
case KM_BIGNUM:
case KM_BYTES:
result[i].blob.setToExternal(const_cast<unsigned char*>(params[i].blob.data),
params[i].blob.data_length);
break;
case KM_INVALID:
default:
params[i].tag = KM_TAG_INVALID;
/* just skip */
break;
}
}
return result;
}
void addClientAndAppData(const hidl_vec<uint8_t>& clientId, const hidl_vec<uint8_t>& appData,
::keymaster::AuthorizationSet* params) {
params->Clear();
if (clientId.size()) {
params->push_back(::keymaster::TAG_APPLICATION_ID, clientId.data(), clientId.size());
}
if (appData.size()) {
params->push_back(::keymaster::TAG_APPLICATION_DATA, appData.data(), appData.size());
}
}
} // anonymous namespace
AndroidKeymaster4Device::AndroidKeymaster4Device(SecurityLevel securityLevel)
: impl_(new ::keymaster::AndroidKeymaster(
[]() -> auto {
auto context = new PureSoftKeymasterContext();
context->SetSystemVersion(GetOsVersion(), GetOsPatchlevel());
return context;
}(),
kOperationTableSize)), securityLevel_(securityLevel) {}
AndroidKeymaster4Device::~AndroidKeymaster4Device() {}
Return<void> AndroidKeymaster4Device::getHardwareInfo(getHardwareInfo_cb _hidl_cb) {
_hidl_cb(securityLevel_,
"SoftwareKeymasterDevice", "Google");
return Void();
}
Return<void>
AndroidKeymaster4Device::getHmacSharingParameters(getHmacSharingParameters_cb _hidl_cb) {
auto response = impl_->GetHmacSharingParameters();
::android::hardware::keymaster::V4_0::HmacSharingParameters params;
params.seed.setToExternal(const_cast<uint8_t*>(response.params.seed.data),
response.params.seed.data_length);
static_assert(sizeof(response.params.nonce) == params.nonce.size(), "Nonce sizes don't match");
memcpy(params.nonce.data(), response.params.nonce, params.nonce.size());
_hidl_cb(legacy_enum_conversion(response.error), params);
return Void();
}
Return<void> AndroidKeymaster4Device::computeSharedHmac(
const hidl_vec<::android::hardware::keymaster::V4_0::HmacSharingParameters>& params,
computeSharedHmac_cb _hidl_cb) {
ComputeSharedHmacRequest request;
request.params_array.params_array = new keymaster::HmacSharingParameters[params.size()];
request.params_array.num_params = params.size();
for (size_t i = 0; i < params.size(); ++i) {
request.params_array.params_array[i].seed = {params[i].seed.data(), params[i].seed.size()};
static_assert(sizeof(request.params_array.params_array[i].nonce) ==
decltype(params[i].nonce)::size(),
"Nonce sizes don't match");
memcpy(request.params_array.params_array[i].nonce, params[i].nonce.data(),
params[i].nonce.size());
}
auto response = impl_->ComputeSharedHmac(request);
hidl_vec<uint8_t> sharing_check;
if (response.error == KM_ERROR_OK) sharing_check = kmBlob2hidlVec(response.sharing_check);
_hidl_cb(legacy_enum_conversion(response.error), sharing_check);
return Void();
}
Return<void> AndroidKeymaster4Device::verifyAuthorization(
uint64_t challenge, const hidl_vec<KeyParameter>& parametersToVerify,
const ::android::hardware::keymaster::V4_0::HardwareAuthToken& authToken,
verifyAuthorization_cb _hidl_cb) {
VerifyAuthorizationRequest request;
request.challenge = challenge;
request.parameters_to_verify.Reinitialize(KmParamSet(parametersToVerify));
request.auth_token.challenge = authToken.challenge;
request.auth_token.user_id = authToken.userId;
request.auth_token.authenticator_id = authToken.authenticatorId;
request.auth_token.authenticator_type = legacy_enum_conversion(authToken.authenticatorType);
request.auth_token.timestamp = authToken.timestamp;
KeymasterBlob mac(authToken.mac.data(), authToken.mac.size());
request.auth_token.mac = mac;
auto response = impl_->VerifyAuthorization(request);
::android::hardware::keymaster::V4_0::VerificationToken token;
token.challenge = response.token.challenge;
token.timestamp = response.token.timestamp;
token.parametersVerified = kmParamSet2Hidl(response.token.parameters_verified);
token.securityLevel = legacy_enum_conversion(response.token.security_level);
token.mac = kmBlob2hidlVec(response.token.mac);
_hidl_cb(legacy_enum_conversion(response.error), token);
return Void();
}
Return<ErrorCode> AndroidKeymaster4Device::addRngEntropy(const hidl_vec<uint8_t>& data) {
if (data.size() == 0)
return ErrorCode::OK;
AddEntropyRequest request;
request.random_data.Reinitialize(data.data(), data.size());
AddEntropyResponse response;
impl_->AddRngEntropy(request, &response);
return legacy_enum_conversion(response.error);
}
Return<void> AndroidKeymaster4Device::generateKey(const hidl_vec<KeyParameter>& keyParams,
generateKey_cb _hidl_cb) {
GenerateKeyRequest request;
request.key_description.Reinitialize(KmParamSet(keyParams));
GenerateKeyResponse response;
impl_->GenerateKey(request, &response);
KeyCharacteristics resultCharacteristics;
hidl_vec<uint8_t> resultKeyBlob;
if (response.error == KM_ERROR_OK) {
resultKeyBlob = kmBlob2hidlVec(response.key_blob);
resultCharacteristics.hardwareEnforced = kmParamSet2Hidl(response.enforced);
resultCharacteristics.softwareEnforced = kmParamSet2Hidl(response.unenforced);
}
_hidl_cb(legacy_enum_conversion(response.error), resultKeyBlob, resultCharacteristics);
return Void();
}
Return<void> AndroidKeymaster4Device::getKeyCharacteristics(const hidl_vec<uint8_t>& keyBlob,
const hidl_vec<uint8_t>& clientId,
const hidl_vec<uint8_t>& appData,
getKeyCharacteristics_cb _hidl_cb) {
GetKeyCharacteristicsRequest request;
request.SetKeyMaterial(keyBlob.data(), keyBlob.size());
addClientAndAppData(clientId, appData, &request.additional_params);
GetKeyCharacteristicsResponse response;
impl_->GetKeyCharacteristics(request, &response);
KeyCharacteristics resultCharacteristics;
if (response.error == KM_ERROR_OK) {
resultCharacteristics.hardwareEnforced = kmParamSet2Hidl(response.enforced);
resultCharacteristics.softwareEnforced = kmParamSet2Hidl(response.unenforced);
}
_hidl_cb(legacy_enum_conversion(response.error), resultCharacteristics);
return Void();
}
Return<void> AndroidKeymaster4Device::importKey(const hidl_vec<KeyParameter>& params,
KeyFormat keyFormat,
const hidl_vec<uint8_t>& keyData,
importKey_cb _hidl_cb) {
ImportKeyRequest request;
request.key_description.Reinitialize(KmParamSet(params));
request.key_format = legacy_enum_conversion(keyFormat);
request.SetKeyMaterial(keyData.data(), keyData.size());
ImportKeyResponse response;
impl_->ImportKey(request, &response);
KeyCharacteristics resultCharacteristics;
hidl_vec<uint8_t> resultKeyBlob;
if (response.error == KM_ERROR_OK) {
resultKeyBlob = kmBlob2hidlVec(response.key_blob);
resultCharacteristics.hardwareEnforced = kmParamSet2Hidl(response.enforced);
resultCharacteristics.softwareEnforced = kmParamSet2Hidl(response.unenforced);
}
_hidl_cb(legacy_enum_conversion(response.error), resultKeyBlob, resultCharacteristics);
return Void();
}
Return<void> AndroidKeymaster4Device::importWrappedKey(
const hidl_vec<uint8_t>& wrappedKeyData, const hidl_vec<uint8_t>& wrappingKeyBlob,
const hidl_vec<uint8_t>& maskingKey, const hidl_vec<KeyParameter>& unwrappingParams,
uint64_t passwordSid, uint64_t biometricSid, importWrappedKey_cb _hidl_cb) {
ImportWrappedKeyRequest request;
request.SetWrappedMaterial(wrappedKeyData.data(), wrappedKeyData.size());
request.SetWrappingMaterial(wrappingKeyBlob.data(), wrappingKeyBlob.size());
request.SetMaskingKeyMaterial(maskingKey.data(), maskingKey.size());
request.additional_params.Reinitialize(KmParamSet(unwrappingParams));
request.password_sid = passwordSid;
request.biometric_sid = biometricSid;
ImportWrappedKeyResponse response;
impl_->ImportWrappedKey(request, &response);
KeyCharacteristics resultCharacteristics;
hidl_vec<uint8_t> resultKeyBlob;
if (response.error == KM_ERROR_OK) {
resultKeyBlob = kmBlob2hidlVec(response.key_blob);
resultCharacteristics.hardwareEnforced = kmParamSet2Hidl(response.enforced);
resultCharacteristics.softwareEnforced = kmParamSet2Hidl(response.unenforced);
}
_hidl_cb(legacy_enum_conversion(response.error), resultKeyBlob, resultCharacteristics);
return Void();
}
Return<void> AndroidKeymaster4Device::exportKey(KeyFormat exportFormat,
const hidl_vec<uint8_t>& keyBlob,
const hidl_vec<uint8_t>& clientId,
const hidl_vec<uint8_t>& appData,
exportKey_cb _hidl_cb) {
ExportKeyRequest request;
request.key_format = legacy_enum_conversion(exportFormat);
request.SetKeyMaterial(keyBlob.data(), keyBlob.size());
addClientAndAppData(clientId, appData, &request.additional_params);
ExportKeyResponse response;
impl_->ExportKey(request, &response);
hidl_vec<uint8_t> resultKeyBlob;
if (response.error == KM_ERROR_OK) {
resultKeyBlob.setToExternal(response.key_data, response.key_data_length);
}
_hidl_cb(legacy_enum_conversion(response.error), resultKeyBlob);
return Void();
}
Return<void> AndroidKeymaster4Device::attestKey(const hidl_vec<uint8_t>& keyToAttest,
const hidl_vec<KeyParameter>& attestParams,
attestKey_cb _hidl_cb) {
AttestKeyRequest request;
request.SetKeyMaterial(keyToAttest.data(), keyToAttest.size());
request.attest_params.Reinitialize(KmParamSet(attestParams));
AttestKeyResponse response;
impl_->AttestKey(request, &response);
hidl_vec<hidl_vec<uint8_t>> resultCertChain;
if (response.error == KM_ERROR_OK) {
resultCertChain = kmCertChain2Hidl(response.certificate_chain);
}
_hidl_cb(legacy_enum_conversion(response.error), resultCertChain);
return Void();
}
Return<void> AndroidKeymaster4Device::upgradeKey(const hidl_vec<uint8_t>& keyBlobToUpgrade,
const hidl_vec<KeyParameter>& upgradeParams,
upgradeKey_cb _hidl_cb) {
// There's nothing to be done to upgrade software key blobs. Further, the software
// implementation never returns ErrorCode::KEY_REQUIRES_UPGRADE, so this should never be called.
UpgradeKeyRequest request;
request.SetKeyMaterial(keyBlobToUpgrade.data(), keyBlobToUpgrade.size());
request.upgrade_params.Reinitialize(KmParamSet(upgradeParams));
UpgradeKeyResponse response;
impl_->UpgradeKey(request, &response);
if (response.error == KM_ERROR_OK) {
_hidl_cb(ErrorCode::OK, kmBlob2hidlVec(response.upgraded_key));
} else {
_hidl_cb(legacy_enum_conversion(response.error), hidl_vec<uint8_t>());
}
return Void();
}
Return<ErrorCode> AndroidKeymaster4Device::deleteKey(const hidl_vec<uint8_t>& keyBlob) {
// There's nothing to be done to delete software key blobs.
DeleteKeyRequest request;
request.SetKeyMaterial(keyBlob.data(), keyBlob.size());
DeleteKeyResponse response;
impl_->DeleteKey(request, &response);
return legacy_enum_conversion(response.error);
}
Return<ErrorCode> AndroidKeymaster4Device::deleteAllKeys() {
// There's nothing to be done to delete software key blobs.
DeleteAllKeysRequest request;
DeleteAllKeysResponse response;
impl_->DeleteAllKeys(request, &response);
return legacy_enum_conversion(response.error);
}
Return<ErrorCode> AndroidKeymaster4Device::destroyAttestationIds() {
return ErrorCode::UNIMPLEMENTED;
}
Return<void> AndroidKeymaster4Device::begin(KeyPurpose purpose, const hidl_vec<uint8_t>& key,
const hidl_vec<KeyParameter>& inParams,
const HardwareAuthToken& /* authToken */,
begin_cb _hidl_cb) {
BeginOperationRequest request;
request.purpose = legacy_enum_conversion(purpose);
request.SetKeyMaterial(key.data(), key.size());
request.additional_params.Reinitialize(KmParamSet(inParams));
BeginOperationResponse response;
impl_->BeginOperation(request, &response);
hidl_vec<KeyParameter> resultParams;
if (response.error == KM_ERROR_OK) {
resultParams = kmParamSet2Hidl(response.output_params);
}
_hidl_cb(legacy_enum_conversion(response.error), resultParams, response.op_handle);
return Void();
}
Return<void> AndroidKeymaster4Device::update(uint64_t operationHandle,
const hidl_vec<KeyParameter>& inParams,
const hidl_vec<uint8_t>& input,
const HardwareAuthToken& /* authToken */,
const VerificationToken& /* verificationToken */,
update_cb _hidl_cb) {
UpdateOperationRequest request;
request.op_handle = operationHandle;
request.input.Reinitialize(input.data(), input.size());
request.additional_params.Reinitialize(KmParamSet(inParams));
UpdateOperationResponse response;
impl_->UpdateOperation(request, &response);
uint32_t resultConsumed = 0;
hidl_vec<KeyParameter> resultParams;
hidl_vec<uint8_t> resultBlob;
if (response.error == KM_ERROR_OK) {
resultConsumed = response.input_consumed;
resultParams = kmParamSet2Hidl(response.output_params);
resultBlob = kmBuffer2hidlVec(response.output);
}
_hidl_cb(legacy_enum_conversion(response.error), resultConsumed, resultParams, resultBlob);
return Void();
}
Return<void> AndroidKeymaster4Device::finish(uint64_t operationHandle,
const hidl_vec<KeyParameter>& inParams,
const hidl_vec<uint8_t>& input,
const hidl_vec<uint8_t>& signature,
const HardwareAuthToken& /* authToken */,
const VerificationToken& /* verificationToken */,
finish_cb _hidl_cb) {
FinishOperationRequest request;
request.op_handle = operationHandle;
request.input.Reinitialize(input.data(), input.size());
request.signature.Reinitialize(signature.data(), signature.size());
request.additional_params.Reinitialize(KmParamSet(inParams));
FinishOperationResponse response;
impl_->FinishOperation(request, &response);
hidl_vec<KeyParameter> resultParams;
hidl_vec<uint8_t> resultBlob;
if (response.error == KM_ERROR_OK) {
resultParams = kmParamSet2Hidl(response.output_params);
resultBlob = kmBuffer2hidlVec(response.output);
}
_hidl_cb(legacy_enum_conversion(response.error), resultParams, resultBlob);
return Void();
}
Return<ErrorCode> AndroidKeymaster4Device::abort(uint64_t operationHandle) {
AbortOperationRequest request;
request.op_handle = operationHandle;
AbortOperationResponse response;
impl_->AbortOperation(request, &response);
return legacy_enum_conversion(response.error);
}
IKeymasterDevice* CreateKeymasterDevice(SecurityLevel securityLevel) {
return new AndroidKeymaster4Device(securityLevel);
}
} // namespace ng
} // namespace V4_0
} // namespace keymaster