1/*
2 * Copyright 2014 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 *      http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17#ifndef SYSTEM_KEYMASTER_GOOGLE_KEYMASTER_H_
18#define SYSTEM_KEYMASTER_GOOGLE_KEYMASTER_H_
19
20#include <keymaster/authorization_set.h>
21#include <keymaster/google_keymaster_messages.h>
22#include <keymaster/logger.h>
23
24namespace keymaster {
25
26class Key;
27class KeyBlob;
28class Operation;
29
30/**
31 * OpenSSL-based Keymaster backing implementation, for use as a pure software implmentation
32 * (softkeymaster) and in a trusted execution environment (TEE), like ARM TrustZone.  This class
33 * doesn't actually implement the Keymaster HAL interface, instead it implements an alternative API
34 * which is similar to and based upon the HAL, but uses C++ "message" classes which support
35 * serialization.
36 *
37 * For non-secure, pure software implementation there is a HAL translation layer that converts the
38 * HAL's parameters to and from the message representations, which are then passed in to this
39 * API.
40 *
41 * For secure implementation there is another HAL translation layer that serializes the messages to
42 * the TEE. In the TEE implementation there's another component which deserializes the messages,
43 * extracts the relevant parameters and calls this API.
44 */
45class GoogleKeymaster {
46  public:
47    GoogleKeymaster(size_t operation_table_size, Logger* logger);
48    virtual ~GoogleKeymaster();
49
50    void SupportedAlgorithms(SupportedResponse<keymaster_algorithm_t>* response) const;
51    void SupportedBlockModes(keymaster_algorithm_t algorithm,
52                             SupportedResponse<keymaster_block_mode_t>* response) const;
53    void SupportedPaddingModes(keymaster_algorithm_t algorithm,
54                               SupportedResponse<keymaster_padding_t>* response) const;
55    void SupportedDigests(keymaster_algorithm_t algorithm,
56                          SupportedResponse<keymaster_digest_t>* response) const;
57    void SupportedImportFormats(keymaster_algorithm_t algorithm,
58                                SupportedResponse<keymaster_key_format_t>* response) const;
59    void SupportedExportFormats(keymaster_algorithm_t algorithm,
60                                SupportedResponse<keymaster_key_format_t>* response) const;
61
62    virtual keymaster_error_t AddRngEntropy(AddEntropyRequest& /* request */) {
63        // Not going to implement until post-L.
64        return KM_ERROR_UNIMPLEMENTED;
65    }
66    void GenerateKey(const GenerateKeyRequest& request, GenerateKeyResponse* response);
67    void GetKeyCharacteristics(const GetKeyCharacteristicsRequest& request,
68                               GetKeyCharacteristicsResponse* response);
69    void Rescope(const RescopeRequest& /* request */, RescopeResponse* response) {
70        // Not going to implement until post-L.
71        response->error = KM_ERROR_UNIMPLEMENTED;
72    }
73    void ImportKey(const ImportKeyRequest& request, ImportKeyResponse* response);
74    void ExportKey(const ExportKeyRequest& request, ExportKeyResponse* response);
75    void BeginOperation(const BeginOperationRequest& request, BeginOperationResponse* response);
76    void UpdateOperation(const UpdateOperationRequest& request, UpdateOperationResponse* response);
77    void FinishOperation(const FinishOperationRequest& request, FinishOperationResponse* response);
78    keymaster_error_t AbortOperation(const keymaster_operation_handle_t op_handle);
79
80    const Logger& logger() const { return *logger_; }
81
82  private:
83    virtual bool is_enforced(keymaster_tag_t tag) = 0;
84    virtual keymaster_key_origin_t origin() = 0;
85    virtual keymaster_key_param_t RootOfTrustTag() = 0;
86    virtual keymaster_key_blob_t MasterKey() = 0;
87    virtual void GenerateNonce(uint8_t* nonce, size_t length) = 0;
88
89    keymaster_error_t SerializeKey(const Key* key, keymaster_key_origin_t origin,
90                                   keymaster_key_blob_t* keymaster_blob, AuthorizationSet* enforced,
91                                   AuthorizationSet* unenforced);
92    Key* LoadKey(const keymaster_key_blob_t& key, const AuthorizationSet& client_params,
93                 keymaster_error_t* error);
94    KeyBlob* LoadKeyBlob(const keymaster_key_blob_t& key, const AuthorizationSet& client_params,
95                         keymaster_error_t* error);
96
97    keymaster_error_t SetAuthorizations(const AuthorizationSet& key_description,
98                                        keymaster_key_origin_t origin, AuthorizationSet* enforced,
99                                        AuthorizationSet* unenforced);
100    keymaster_error_t BuildHiddenAuthorizations(const AuthorizationSet& input_set,
101                                                AuthorizationSet* hidden);
102
103    void AddAuthorization(const keymaster_key_param_t& auth, AuthorizationSet* enforced,
104                          AuthorizationSet* unenforced);
105    bool GenerateRsa(const AuthorizationSet& key_auths, GenerateKeyResponse* response,
106                     AuthorizationSet* hidden_auths);
107    bool GenerateDsa(const AuthorizationSet& key_auths, GenerateKeyResponse* response,
108                     AuthorizationSet* hidden_auths);
109    bool GenerateEcdsa(const AuthorizationSet& key_auths, GenerateKeyResponse* response,
110                       AuthorizationSet* hidden_auths);
111    keymaster_error_t WrapKey(const uint8_t* key_material, size_t key_material_length,
112                              KeyBlob* blob);
113    keymaster_error_t UnwrapKey(const KeyBlob* blob, uint8_t* key, size_t key_length);
114
115    struct OpTableEntry {
116        OpTableEntry() {
117            handle = 0;
118            operation = NULL;
119        }
120        keymaster_operation_handle_t handle;
121        Operation* operation;
122    };
123
124    keymaster_error_t AddOperation(Operation* operation, keymaster_operation_handle_t* op_handle);
125    OpTableEntry* FindOperation(keymaster_operation_handle_t op_handle);
126    void DeleteOperation(OpTableEntry* entry);
127    bool is_supported_export_format(keymaster_key_format_t test_format);
128    bool is_supported_import_format(keymaster_key_format_t test_format);
129
130    UniquePtr<OpTableEntry[]> operation_table_;
131    size_t operation_table_size_;
132    UniquePtr<Logger> logger_;
133};
134
135}  // namespace keymaster
136
137#endif  //  SYSTEM_KEYMASTER_GOOGLE_KEYMASTER_H_
138