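/*
 * Copyright 2015 The Android Open Source Project
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

#ifndef SYSTEM_KEYMASTER_KEYMASTER1_ENGINE_H_
#define SYSTEM_KEYMASTER_KEYMASTER1_ENGINE_H_

#include <memory>

#include <openssl/ec.h>
#include <openssl/engine.h>
#include <openssl/evp.h>  // EVP_PKEY is named below; do not rely on transitive includes.
#include <openssl/ex_data.h>
#include <openssl/rsa.h>

#include <hardware/keymaster1.h>
#include <hardware/keymaster_defs.h>

#include <keymaster/android_keymaster_utils.h>
#include <keymaster/authorization_set.h>

#include "openssl_utils.h"

namespace keymaster {

/**
 * Keymaster1Engine wraps a keymaster1_device_t behind an OpenSSL/BoringSSL ENGINE.
 *
 * The engine owns custom RSA_METHOD and ECDSA_METHOD tables (rsa_method_, ecdsa_method_) whose
 * sign/decrypt hooks are the static callbacks declared below, and it attaches a KeyData record
 * to every RSA / EC_KEY it builds through OpenSSL ex_data (rsa_index_, ec_key_index_). The
 * intent is that private-key operations on keys built by this engine are carried out by the
 * keymaster1 device, so this process only ever handles the opaque key blob, never raw private
 * key material.
 *
 * NOTE(review): the OpenSSL method hooks carry no user-context argument, so they presumably reach
 * the engine through the static instance_ pointer. That would mean only one Keymaster1Engine can
 * be live at a time — confirm in the .cpp before constructing a second instance.
 */
class Keymaster1Engine {
  public:
    /**
     * Create a Keymaster1Engine, wrapping the provided keymaster1_device. The engine takes
     * ownership of the device, and will close it during destruction.
     *
     * Marked explicit so an engine cannot be created by implicit conversion from a device
     * pointer; creating one is an ownership transfer and should be visible at the call site.
     */
    explicit Keymaster1Engine(const keymaster1_device_t* keymaster1_device);
    ~Keymaster1Engine();

    /**
     * Generate a key on the wrapped device.
     *
     * @param key_description  Requested key characteristics.
     * @param key_material     Receives the device's opaque key blob.
     * @param hw_enforced      Receives the authorizations the device reports as hardware-enforced.
     * @param sw_enforced      Receives the authorizations left to software enforcement.
     * @return KM_ERROR_OK on success, otherwise the keymaster_error_t reported by the device.
     */
    keymaster_error_t GenerateKey(const AuthorizationSet& key_description,
                                  KeymasterKeyBlob* key_material, AuthorizationSet* hw_enforced,
                                  AuthorizationSet* sw_enforced) const;

    /**
     * Import caller-supplied key material into the wrapped device.
     *
     * @param key_description            Requested key characteristics.
     * @param input_key_material_format  Encoding of input_key_material.
     * @param input_key_material         Key material to import; the device is expected to parse
     *                                   and validate it, this class does not.
     * @param output_key_blob            Receives the device's opaque key blob.
     * @param hw_enforced                Receives the hardware-enforced authorizations.
     * @param sw_enforced                Receives the software-enforced authorizations.
     * @return KM_ERROR_OK on success, otherwise the keymaster_error_t reported by the device.
     */
    keymaster_error_t ImportKey(const AuthorizationSet& key_description,
                                keymaster_key_format_t input_key_material_format,
                                const KeymasterKeyBlob& input_key_material,
                                KeymasterKeyBlob* output_key_blob, AuthorizationSet* hw_enforced,
                                AuthorizationSet* sw_enforced) const;

    /** Ask the device to delete the key identified by blob. */
    keymaster_error_t DeleteKey(const KeymasterKeyBlob& blob) const;

    /** Ask the device to delete every key it holds. */
    keymaster_error_t DeleteAllKeys() const;

    /**
     * Per-key state attached to an RSA / EC_KEY object via ex_data.
     *
     * Holds everything the static sign/decrypt hooks need to drive a begin/update/finish
     * operation on the device for this key.
     */
    struct KeyData {
        KeyData(const KeymasterKeyBlob& blob, const AuthorizationSet& params)
            : op_handle(0), begin_params(params), key_material(blob), error(KM_ERROR_OK),
              expected_openssl_padding(-1) {}

        // Handle of the in-progress device operation; 0 until one is begun.
        keymaster_operation_handle_t op_handle;
        // Parameters passed to the device's begin(); seeded from the constructor's params.
        AuthorizationSet begin_params;
        // Parameters passed to the device's finish(); empty until filled in.
        AuthorizationSet finish_params;
        // The device's opaque key blob for this key.
        KeymasterKeyBlob key_material;
        // Last error recorded for this key; KM_ERROR_OK initially.
        keymaster_error_t error;
        // OpenSSL padding constant the caller is expected to request; -1 until set
        // (presumably meaning "no expectation recorded yet" — confirm in the .cpp).
        int expected_openssl_padding;
    };

    /**
     * Build an RSA object backed by this engine for the key in blob, attaching a KeyData
     * record. On failure returns nullptr and stores the cause in *error.
     *
     * NOTE(review): the return is a raw pointer; presumably a new reference the caller must
     * release with RSA_free — confirm against the .cpp.
     */
    RSA* BuildRsaKey(const KeymasterKeyBlob& blob, const AuthorizationSet& additional_params,
                     keymaster_error_t* error) const;

    /**
     * EC counterpart of BuildRsaKey. Same ownership caveat applies (EC_KEY_free).
     */
    EC_KEY* BuildEcKey(const KeymasterKeyBlob& blob, const AuthorizationSet& additional_params,
                       keymaster_error_t* error) const;

    /**
     * Return the KeyData attached to the given key object, or nullptr if none is attached.
     * The pointer is non-owning; the record is released by free_key_data when the underlying
     * OpenSSL object is freed.
     */
    KeyData* GetData(EVP_PKEY* key) const;
    KeyData* GetData(const RSA* rsa) const;
    KeyData* GetData(const EC_KEY* ec_key) const;

    /** The wrapped device. Owned by this engine; do not close it. */
    const keymaster1_device_t* device() const { return keymaster1_device_; }

    /**
     * Fetch the public half of the key in blob from the device as an EVP_PKEY.
     * On failure returns nullptr and stores the cause in *error. Same ownership caveat as
     * BuildRsaKey (EVP_PKEY_free).
     */
    EVP_PKEY* GetKeymaster1PublicKey(const KeymasterKeyBlob& blob,
                                     const AuthorizationSet& additional_params,
                                     keymaster_error_t* error) const;

  private:
    // Uncopyable / unassignable: the engine owns the device and the ENGINE, and the static
    // instance_ pointer presumably identifies a single live engine.
    Keymaster1Engine(const Keymaster1Engine&) = delete;
    void operator=(const Keymaster1Engine&) = delete;

    // Build the method tables that route sign/decrypt to the static hooks below.
    RSA_METHOD BuildRsaMethod();
    ECDSA_METHOD BuildEcdsaMethod();
    // Register the method tables with engine_.
    void ConfigureEngineForRsa();
    void ConfigureEngineForEcdsa();

    /**
     * Drive the device's finish() for the operation described by key_data, feeding it input
     * and returning the device's output. Used by the sign/decrypt hooks.
     */
    keymaster_error_t Keymaster1Finish(const KeyData* key_data, const keymaster_blob_t& input,
                                       keymaster_blob_t* output);

    // ex_data lifecycle callbacks for KeyData (CRYPTO_EX_dup / CRYPTO_EX_free signatures).
    static int duplicate_key_data(CRYPTO_EX_DATA* to, const CRYPTO_EX_DATA* from, void** from_d,
                                  int index, long argl, void* argp);
    static void free_key_data(void* parent, void* ptr, CRYPTO_EX_DATA* data, int index, long argl,
                              void* argp);

    // Method hooks installed in rsa_method_ / ecdsa_method_. Signatures match the BoringSSL
    // RSA_METHOD sign_raw / decrypt and ECDSA_METHOD sign entries.
    static int rsa_sign_raw(RSA* rsa, size_t* out_len, uint8_t* out, size_t max_out,
                            const uint8_t* in, size_t in_len, int padding);
    static int rsa_decrypt(RSA* rsa, size_t* out_len, uint8_t* out, size_t max_out,
                           const uint8_t* in, size_t in_len, int padding);
    static int ecdsa_sign(const uint8_t* digest, size_t digest_len, uint8_t* sig,
                          unsigned int* sig_len, EC_KEY* ec_key);

    const keymaster1_device_t* const keymaster1_device_;  // owned; closed in the destructor
    const std::unique_ptr<ENGINE, ENGINE_Delete> engine_;
    const int rsa_index_;     // ex_data index used to attach KeyData to RSA objects
    const int ec_key_index_;  // ex_data index used to attach KeyData to EC_KEY objects

    const RSA_METHOD rsa_method_;
    const ECDSA_METHOD ecdsa_method_;

    // Presumably the engine the static hooks route to; see the class comment.
    static Keymaster1Engine* instance_;
};

}  // namespace keymaster

#endif  // SYSTEM_KEYMASTER_KEYMASTER1_ENGINE_H_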