/* ** ** Copyright 2017, The Android Open Source Project ** ** Licensed under the Apache License, Version 2.0 (the "License"); ** you may not use this file except in compliance with the License. ** You may obtain a copy of the License at ** ** http://www.apache.org/licenses/LICENSE-2.0 ** ** Unless required by applicable law or agreed to in writing, software ** distributed under the License is distributed on an "AS IS" BASIS, ** WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. ** See the License for the specific language governing permissions and ** limitations under the License. */ #define LOG_TAG "android.hardware.keymaster@4.0-impl" #include #include "include/AndroidKeymaster4Device.h" #include #include #include #include #include #include #include #include #include using android::hardware::keymaster::V4_0::support::authToken2HidlVec; namespace keymaster { namespace V4_0 { namespace ng { namespace { constexpr size_t kOperationTableSize = 16; inline keymaster_tag_t legacy_enum_conversion(const Tag value) { return keymaster_tag_t(value); } inline Tag legacy_enum_conversion(const keymaster_tag_t value) { return Tag(value); } inline keymaster_purpose_t legacy_enum_conversion(const KeyPurpose value) { return static_cast(value); } inline keymaster_key_format_t legacy_enum_conversion(const KeyFormat value) { return static_cast(value); } inline SecurityLevel legacy_enum_conversion(const keymaster_security_level_t value) { return static_cast(value); } inline hw_authenticator_type_t legacy_enum_conversion(const HardwareAuthenticatorType value) { return static_cast(value); } inline ErrorCode legacy_enum_conversion(const keymaster_error_t value) { return static_cast(value); } inline keymaster_tag_type_t typeFromTag(const keymaster_tag_t tag) { return keymaster_tag_get_type(tag); } class KmParamSet : public keymaster_key_param_set_t { public: explicit KmParamSet(const hidl_vec& keyParams) : keymaster_key_param_set_t(hidlKeyParams2Km(keyParams)) {} KmParamSet(KmParamSet&& other) : keymaster_key_param_set_t{other.params, other.length} { other.length = 0; other.params = nullptr; } KmParamSet(const KmParamSet&) = delete; ~KmParamSet() { delete[] params; } }; inline hidl_vec kmBlob2hidlVec(const keymaster_key_blob_t& blob) { hidl_vec result; result.setToExternal(const_cast(blob.key_material), blob.key_material_size); return result; } inline hidl_vec kmBlob2hidlVec(const keymaster_blob_t& blob) { hidl_vec result; result.setToExternal(const_cast(blob.data), blob.data_length); return result; } inline hidl_vec kmBuffer2hidlVec(const ::keymaster::Buffer& buf) { hidl_vec result; result.setToExternal(const_cast(buf.peek_read()), buf.available_read()); return result; } inline static hidl_vec> kmCertChain2Hidl(const keymaster_cert_chain_t& cert_chain) { hidl_vec> result; if (!cert_chain.entry_count || !cert_chain.entries) return result; result.resize(cert_chain.entry_count); for (size_t i = 0; i < cert_chain.entry_count; ++i) { result[i] = kmBlob2hidlVec(cert_chain.entries[i]); } return result; } static inline hidl_vec kmParamSet2Hidl(const keymaster_key_param_set_t& set) { hidl_vec result; if (set.length == 0 || set.params == nullptr) return result; result.resize(set.length); keymaster_key_param_t* params = set.params; for (size_t i = 0; i < set.length; ++i) { auto tag = params[i].tag; result[i].tag = legacy_enum_conversion(tag); switch (typeFromTag(tag)) { case KM_ENUM: case KM_ENUM_REP: result[i].f.integer = params[i].enumerated; break; case KM_UINT: case KM_UINT_REP: result[i].f.integer = params[i].integer; break; case KM_ULONG: case KM_ULONG_REP: result[i].f.longInteger = params[i].long_integer; break; case KM_DATE: result[i].f.dateTime = params[i].date_time; break; case KM_BOOL: result[i].f.boolValue = params[i].boolean; break; case KM_BIGNUM: case KM_BYTES: result[i].blob.setToExternal(const_cast(params[i].blob.data), params[i].blob.data_length); break; case KM_INVALID: default: params[i].tag = KM_TAG_INVALID; /* just skip */ break; } } return result; } void addClientAndAppData(const hidl_vec& clientId, const hidl_vec& appData, ::keymaster::AuthorizationSet* params) { params->Clear(); if (clientId.size()) { params->push_back(::keymaster::TAG_APPLICATION_ID, clientId.data(), clientId.size()); } if (appData.size()) { params->push_back(::keymaster::TAG_APPLICATION_DATA, appData.data(), appData.size()); } } } // anonymous namespace keymaster_key_param_set_t hidlKeyParams2Km(const hidl_vec& keyParams) { keymaster_key_param_set_t set; set.params = new (std::nothrow) keymaster_key_param_t[keyParams.size()]; set.length = keyParams.size(); for (size_t i = 0; i < keyParams.size(); ++i) { auto tag = legacy_enum_conversion(keyParams[i].tag); switch (typeFromTag(tag)) { case KM_ENUM: case KM_ENUM_REP: set.params[i] = keymaster_param_enum(tag, keyParams[i].f.integer); break; case KM_UINT: case KM_UINT_REP: set.params[i] = keymaster_param_int(tag, keyParams[i].f.integer); break; case KM_ULONG: case KM_ULONG_REP: set.params[i] = keymaster_param_long(tag, keyParams[i].f.longInteger); break; case KM_DATE: set.params[i] = keymaster_param_date(tag, keyParams[i].f.dateTime); break; case KM_BOOL: if (keyParams[i].f.boolValue) set.params[i] = keymaster_param_bool(tag); else set.params[i].tag = KM_TAG_INVALID; break; case KM_BIGNUM: case KM_BYTES: set.params[i] = keymaster_param_blob(tag, &keyParams[i].blob[0], keyParams[i].blob.size()); break; case KM_INVALID: default: set.params[i].tag = KM_TAG_INVALID; /* just skip */ break; } } return set; } AndroidKeymaster4Device::AndroidKeymaster4Device(KmVersion version, SecurityLevel securityLevel) : impl_(new (std::nothrow)::keymaster::AndroidKeymaster( [&]() -> auto{ auto context = new (std::nothrow) PureSoftKeymasterContext( version, static_cast(securityLevel)); context->SetSystemVersion(GetOsVersion(), GetOsPatchlevel()); context->SetVendorPatchlevel(GetVendorPatchlevel()); // Software devices cannot be configured by the boot loader but they have // to return a boot patch level. So lets just return the OS patch level. // The OS patch level only has a year and a month so we just add the 1st // of the month as day field. context->SetBootPatchlevel(GetOsPatchlevel() * 100 + 1); return context; }(), kOperationTableSize)), securityLevel_(securityLevel) {} AndroidKeymaster4Device::~AndroidKeymaster4Device() {} Return AndroidKeymaster4Device::getHardwareInfo(getHardwareInfo_cb _hidl_cb) { _hidl_cb(securityLevel_, "SoftwareKeymasterDevice", "Google"); return Void(); } Return AndroidKeymaster4Device::getHmacSharingParameters(getHmacSharingParameters_cb _hidl_cb) { auto response = impl_->GetHmacSharingParameters(); ::android::hardware::keymaster::V4_0::HmacSharingParameters params; params.seed.setToExternal(const_cast(response.params.seed.data), response.params.seed.data_length); static_assert(sizeof(response.params.nonce) == params.nonce.size(), "Nonce sizes don't match"); memcpy(params.nonce.data(), response.params.nonce, params.nonce.size()); _hidl_cb(legacy_enum_conversion(response.error), params); return Void(); } Return AndroidKeymaster4Device::computeSharedHmac( const hidl_vec<::android::hardware::keymaster::V4_0::HmacSharingParameters>& params, computeSharedHmac_cb _hidl_cb) { ComputeSharedHmacRequest request(impl_->message_version()); request.params_array.params_array = new (std::nothrow) keymaster::HmacSharingParameters[params.size()]; request.params_array.num_params = params.size(); for (size_t i = 0; i < params.size(); ++i) { request.params_array.params_array[i].seed = {params[i].seed.data(), params[i].seed.size()}; static_assert(sizeof(request.params_array.params_array[i].nonce) == decltype(params[i].nonce)::size(), "Nonce sizes don't match"); memcpy(request.params_array.params_array[i].nonce, params[i].nonce.data(), params[i].nonce.size()); } auto response = impl_->ComputeSharedHmac(request); hidl_vec sharing_check; if (response.error == KM_ERROR_OK) sharing_check = kmBlob2hidlVec(response.sharing_check); _hidl_cb(legacy_enum_conversion(response.error), sharing_check); return Void(); } Return AndroidKeymaster4Device::verifyAuthorization( uint64_t challenge, const hidl_vec& parametersToVerify, const ::android::hardware::keymaster::V4_0::HardwareAuthToken& authToken, verifyAuthorization_cb _hidl_cb) { VerifyAuthorizationRequest request(impl_->message_version()); request.challenge = challenge; request.parameters_to_verify.Reinitialize(KmParamSet(parametersToVerify)); request.auth_token.challenge = authToken.challenge; request.auth_token.user_id = authToken.userId; request.auth_token.authenticator_id = authToken.authenticatorId; request.auth_token.authenticator_type = legacy_enum_conversion(authToken.authenticatorType); request.auth_token.timestamp = authToken.timestamp; KeymasterBlob mac(authToken.mac.data(), authToken.mac.size()); request.auth_token.mac = mac; auto response = impl_->VerifyAuthorization(request); ::android::hardware::keymaster::V4_0::VerificationToken token; token.challenge = response.token.challenge; token.timestamp = response.token.timestamp; token.parametersVerified = kmParamSet2Hidl(response.token.parameters_verified); token.securityLevel = legacy_enum_conversion(response.token.security_level); token.mac = kmBlob2hidlVec(response.token.mac); _hidl_cb(legacy_enum_conversion(response.error), token); return Void(); } Return AndroidKeymaster4Device::addRngEntropy(const hidl_vec& data) { if (data.size() == 0) return ErrorCode::OK; AddEntropyRequest request(impl_->message_version()); request.random_data.Reinitialize(data.data(), data.size()); AddEntropyResponse response(impl_->message_version()); impl_->AddRngEntropy(request, &response); return legacy_enum_conversion(response.error); } Return AndroidKeymaster4Device::generateKey(const hidl_vec& keyParams, generateKey_cb _hidl_cb) { GenerateKeyRequest request(impl_->message_version()); request.key_description.Reinitialize(KmParamSet(keyParams)); GenerateKeyResponse response(impl_->message_version()); impl_->GenerateKey(request, &response); KeyCharacteristics resultCharacteristics; hidl_vec resultKeyBlob; if (response.error == KM_ERROR_OK) { resultKeyBlob = kmBlob2hidlVec(response.key_blob); resultCharacteristics.hardwareEnforced = kmParamSet2Hidl(response.enforced); resultCharacteristics.softwareEnforced = kmParamSet2Hidl(response.unenforced); } _hidl_cb(legacy_enum_conversion(response.error), resultKeyBlob, resultCharacteristics); return Void(); } Return AndroidKeymaster4Device::getKeyCharacteristics(const hidl_vec& keyBlob, const hidl_vec& clientId, const hidl_vec& appData, getKeyCharacteristics_cb _hidl_cb) { GetKeyCharacteristicsRequest request(impl_->message_version()); request.SetKeyMaterial(keyBlob.data(), keyBlob.size()); addClientAndAppData(clientId, appData, &request.additional_params); GetKeyCharacteristicsResponse response(impl_->message_version()); impl_->GetKeyCharacteristics(request, &response); KeyCharacteristics resultCharacteristics; if (response.error == KM_ERROR_OK) { resultCharacteristics.hardwareEnforced = kmParamSet2Hidl(response.enforced); resultCharacteristics.softwareEnforced = kmParamSet2Hidl(response.unenforced); } _hidl_cb(legacy_enum_conversion(response.error), resultCharacteristics); return Void(); } Return AndroidKeymaster4Device::importKey(const hidl_vec& params, KeyFormat keyFormat, const hidl_vec& keyData, importKey_cb _hidl_cb) { ImportKeyRequest request(impl_->message_version()); request.key_description.Reinitialize(KmParamSet(params)); request.key_format = legacy_enum_conversion(keyFormat); request.key_data = KeymasterKeyBlob(keyData.data(), keyData.size()); ImportKeyResponse response(impl_->message_version()); impl_->ImportKey(request, &response); KeyCharacteristics resultCharacteristics; hidl_vec resultKeyBlob; if (response.error == KM_ERROR_OK) { resultKeyBlob = kmBlob2hidlVec(response.key_blob); resultCharacteristics.hardwareEnforced = kmParamSet2Hidl(response.enforced); resultCharacteristics.softwareEnforced = kmParamSet2Hidl(response.unenforced); } _hidl_cb(legacy_enum_conversion(response.error), resultKeyBlob, resultCharacteristics); return Void(); } Return AndroidKeymaster4Device::importWrappedKey( const hidl_vec& wrappedKeyData, const hidl_vec& wrappingKeyBlob, const hidl_vec& maskingKey, const hidl_vec& unwrappingParams, uint64_t passwordSid, uint64_t biometricSid, importWrappedKey_cb _hidl_cb) { ImportWrappedKeyRequest request(impl_->message_version()); request.SetWrappedMaterial(wrappedKeyData.data(), wrappedKeyData.size()); request.SetWrappingMaterial(wrappingKeyBlob.data(), wrappingKeyBlob.size()); request.SetMaskingKeyMaterial(maskingKey.data(), maskingKey.size()); request.additional_params.Reinitialize(KmParamSet(unwrappingParams)); request.password_sid = passwordSid; request.biometric_sid = biometricSid; ImportWrappedKeyResponse response(impl_->message_version()); impl_->ImportWrappedKey(request, &response); KeyCharacteristics resultCharacteristics; hidl_vec resultKeyBlob; if (response.error == KM_ERROR_OK) { resultKeyBlob = kmBlob2hidlVec(response.key_blob); resultCharacteristics.hardwareEnforced = kmParamSet2Hidl(response.enforced); resultCharacteristics.softwareEnforced = kmParamSet2Hidl(response.unenforced); } _hidl_cb(legacy_enum_conversion(response.error), resultKeyBlob, resultCharacteristics); return Void(); } Return AndroidKeymaster4Device::exportKey(KeyFormat exportFormat, const hidl_vec& keyBlob, const hidl_vec& clientId, const hidl_vec& appData, exportKey_cb _hidl_cb) { ExportKeyRequest request(impl_->message_version()); request.key_format = legacy_enum_conversion(exportFormat); request.SetKeyMaterial(keyBlob.data(), keyBlob.size()); addClientAndAppData(clientId, appData, &request.additional_params); ExportKeyResponse response(impl_->message_version()); impl_->ExportKey(request, &response); hidl_vec resultKeyBlob; if (response.error == KM_ERROR_OK) { resultKeyBlob.setToExternal(response.key_data, response.key_data_length); } _hidl_cb(legacy_enum_conversion(response.error), resultKeyBlob); return Void(); } Return AndroidKeymaster4Device::attestKey(const hidl_vec& keyToAttest, const hidl_vec& attestParams, attestKey_cb _hidl_cb) { AttestKeyRequest request(impl_->message_version()); request.SetKeyMaterial(keyToAttest.data(), keyToAttest.size()); request.attest_params.Reinitialize(KmParamSet(attestParams)); AttestKeyResponse response(impl_->message_version()); impl_->AttestKey(request, &response); hidl_vec> resultCertChain; if (response.error == KM_ERROR_OK) { resultCertChain = kmCertChain2Hidl(response.certificate_chain); } _hidl_cb(legacy_enum_conversion(response.error), resultCertChain); return Void(); } Return AndroidKeymaster4Device::upgradeKey(const hidl_vec& keyBlobToUpgrade, const hidl_vec& upgradeParams, upgradeKey_cb _hidl_cb) { // There's nothing to be done to upgrade software key blobs. Further, the software // implementation never returns ErrorCode::KEY_REQUIRES_UPGRADE, so this should never be called. UpgradeKeyRequest request(impl_->message_version()); request.SetKeyMaterial(keyBlobToUpgrade.data(), keyBlobToUpgrade.size()); request.upgrade_params.Reinitialize(KmParamSet(upgradeParams)); UpgradeKeyResponse response(impl_->message_version()); impl_->UpgradeKey(request, &response); if (response.error == KM_ERROR_OK) { _hidl_cb(ErrorCode::OK, kmBlob2hidlVec(response.upgraded_key)); } else { _hidl_cb(legacy_enum_conversion(response.error), hidl_vec()); } return Void(); } Return AndroidKeymaster4Device::deleteKey(const hidl_vec& keyBlob) { // There's nothing to be done to delete software key blobs. DeleteKeyRequest request(impl_->message_version()); request.SetKeyMaterial(keyBlob.data(), keyBlob.size()); DeleteKeyResponse response(impl_->message_version()); impl_->DeleteKey(request, &response); return legacy_enum_conversion(response.error); } Return AndroidKeymaster4Device::deleteAllKeys() { // There's nothing to be done to delete software key blobs. DeleteAllKeysRequest request(impl_->message_version()); DeleteAllKeysResponse response(impl_->message_version()); impl_->DeleteAllKeys(request, &response); return legacy_enum_conversion(response.error); } Return AndroidKeymaster4Device::destroyAttestationIds() { return ErrorCode::UNIMPLEMENTED; } Return AndroidKeymaster4Device::begin(KeyPurpose purpose, const hidl_vec& key, const hidl_vec& inParams, const HardwareAuthToken& authToken, begin_cb _hidl_cb) { BeginOperationRequest request(impl_->message_version()); request.purpose = legacy_enum_conversion(purpose); request.SetKeyMaterial(key.data(), key.size()); request.additional_params.Reinitialize(KmParamSet(inParams)); hidl_vec hidl_vec_token = authToken2HidlVec(authToken); request.additional_params.push_back( TAG_AUTH_TOKEN, reinterpret_cast(hidl_vec_token.data()), hidl_vec_token.size()); BeginOperationResponse response(impl_->message_version()); impl_->BeginOperation(request, &response); hidl_vec resultParams; if (response.error == KM_ERROR_OK) resultParams = kmParamSet2Hidl(response.output_params); _hidl_cb(legacy_enum_conversion(response.error), resultParams, response.op_handle); return Void(); } Return AndroidKeymaster4Device::update(uint64_t operationHandle, const hidl_vec& inParams, const hidl_vec& input, const HardwareAuthToken& authToken , const VerificationToken& /* verificationToken */, update_cb _hidl_cb) { UpdateOperationRequest request(impl_->message_version()); request.op_handle = operationHandle; request.input.Reinitialize(input.data(), input.size()); request.additional_params.Reinitialize(KmParamSet(inParams)); hidl_vec hidl_vec_token = authToken2HidlVec(authToken); request.additional_params.push_back( TAG_AUTH_TOKEN, reinterpret_cast(hidl_vec_token.data()), hidl_vec_token.size()); UpdateOperationResponse response(impl_->message_version()); impl_->UpdateOperation(request, &response); uint32_t resultConsumed = 0; hidl_vec resultParams; hidl_vec resultBlob; if (response.error == KM_ERROR_OK) { resultConsumed = response.input_consumed; resultParams = kmParamSet2Hidl(response.output_params); resultBlob = kmBuffer2hidlVec(response.output); } _hidl_cb(legacy_enum_conversion(response.error), resultConsumed, resultParams, resultBlob); return Void(); } Return AndroidKeymaster4Device::finish(uint64_t operationHandle, const hidl_vec& inParams, const hidl_vec& input, const hidl_vec& signature, const HardwareAuthToken& authToken , const VerificationToken& /* verificationToken */, finish_cb _hidl_cb) { FinishOperationRequest request(impl_->message_version()); request.op_handle = operationHandle; request.input.Reinitialize(input.data(), input.size()); request.signature.Reinitialize(signature.data(), signature.size()); request.additional_params.Reinitialize(KmParamSet(inParams)); hidl_vec hidl_vec_token = authToken2HidlVec(authToken); request.additional_params.push_back( TAG_AUTH_TOKEN, reinterpret_cast(hidl_vec_token.data()), hidl_vec_token.size()); FinishOperationResponse response(impl_->message_version()); impl_->FinishOperation(request, &response); hidl_vec resultParams; hidl_vec resultBlob; if (response.error == KM_ERROR_OK) { resultParams = kmParamSet2Hidl(response.output_params); resultBlob = kmBuffer2hidlVec(response.output); } _hidl_cb(legacy_enum_conversion(response.error), resultParams, resultBlob); return Void(); } Return AndroidKeymaster4Device::abort(uint64_t operationHandle) { AbortOperationRequest request(impl_->message_version()); request.op_handle = operationHandle; AbortOperationResponse response(impl_->message_version()); impl_->AbortOperation(request, &response); return legacy_enum_conversion(response.error); } IKeymasterDevice* CreateKeymasterDevice(SecurityLevel securityLevel) { return new (std::nothrow) AndroidKeymaster4Device(securityLevel); } } // namespace ng } // namespace V4_0 } // namespace keymaster