1/* 2 * Copyright 2015 The Android Open Source Project 3 * 4 * Licensed under the Apache License, Version 2.0 (the "License"); 5 * you may not use this file except in compliance with the License. 6 * You may obtain a copy of the License at 7 * 8 * http://www.apache.org/licenses/LICENSE-2.0 9 * 10 * Unless required by applicable law or agreed to in writing, software 11 * distributed under the License is distributed on an "AS IS" BASIS, 12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 * See the License for the specific language governing permissions and 14 * limitations under the License. 15 */ 16 17#include "rsa_keymaster1_key.h" 18 19#include <memory> 20 21#include <keymaster/logger.h> 22#include <keymaster/soft_keymaster_context.h> 23 24#include "rsa_keymaster1_operation.h" 25 26using std::unique_ptr; 27 28namespace keymaster { 29 30RsaKeymaster1KeyFactory::RsaKeymaster1KeyFactory(const SoftKeymasterContext* context, 31 const Keymaster1Engine* engine) 32 : RsaKeyFactory(context), engine_(engine), 33 sign_factory_(new RsaKeymaster1OperationFactory(KM_PURPOSE_SIGN, engine)), 34 decrypt_factory_(new RsaKeymaster1OperationFactory(KM_PURPOSE_DECRYPT, engine)), 35 // For pubkey ops we can use the normal operation factories. 36 verify_factory_(new RsaVerificationOperationFactory), 37 encrypt_factory_(new RsaEncryptionOperationFactory) {} 38 39static bool is_supported(uint32_t digest) { 40 return digest == KM_DIGEST_NONE || digest == KM_DIGEST_SHA_2_256; 41} 42 43static void UpdateToWorkAroundUnsupportedDigests(const AuthorizationSet& key_description, 44 AuthorizationSet* new_description) { 45 bool have_unsupported_digests = false; 46 bool have_digest_none = false; 47 bool have_pad_none = false; 48 bool have_padding_requiring_digest = false; 49 for (const keymaster_key_param_t& entry : key_description) { 50 new_description->push_back(entry); 51 52 if (entry.tag == TAG_DIGEST) { 53 if (entry.enumerated == KM_DIGEST_NONE) { 54 have_digest_none = true; 55 } else if (!is_supported(entry.enumerated)) { 56 LOG_D("Found request for unsupported digest %u", entry.enumerated); 57 have_unsupported_digests = true; 58 } 59 } 60 61 if (entry.tag == TAG_PADDING) { 62 switch (entry.enumerated) { 63 case KM_PAD_RSA_PSS: 64 case KM_PAD_RSA_OAEP: 65 have_padding_requiring_digest = true; 66 break; 67 case KM_PAD_NONE: 68 have_pad_none = true; 69 break; 70 } 71 } 72 } 73 74 if (have_unsupported_digests && !have_digest_none) { 75 LOG_I("Adding KM_DIGEST_NONE to key authorization, to enable software digesting", 0); 76 new_description->push_back(TAG_DIGEST, KM_DIGEST_NONE); 77 } 78 79 if (have_unsupported_digests && have_padding_requiring_digest && !have_pad_none) { 80 LOG_I("Adding KM_PAD_NONE to key authorization, to enable PSS or OAEP software padding", 0); 81 new_description->push_back(TAG_PADDING, KM_PAD_NONE); 82 } 83} 84 85keymaster_error_t RsaKeymaster1KeyFactory::GenerateKey(const AuthorizationSet& key_description, 86 KeymasterKeyBlob* key_blob, 87 AuthorizationSet* hw_enforced, 88 AuthorizationSet* sw_enforced) const { 89 AuthorizationSet key_params_copy; 90 UpdateToWorkAroundUnsupportedDigests(key_description, &key_params_copy); 91 return engine_->GenerateKey(key_params_copy, key_blob, hw_enforced, sw_enforced); 92} 93 94keymaster_error_t RsaKeymaster1KeyFactory::ImportKey( 95 const AuthorizationSet& key_description, keymaster_key_format_t input_key_material_format, 96 const KeymasterKeyBlob& input_key_material, KeymasterKeyBlob* output_key_blob, 97 AuthorizationSet* hw_enforced, AuthorizationSet* sw_enforced) const { 98 AuthorizationSet key_params_copy; 99 UpdateToWorkAroundUnsupportedDigests(key_description, &key_params_copy); 100 return engine_->ImportKey(key_params_copy, input_key_material_format, input_key_material, 101 output_key_blob, hw_enforced, sw_enforced); 102} 103 104keymaster_error_t RsaKeymaster1KeyFactory::LoadKey(const KeymasterKeyBlob& key_material, 105 const AuthorizationSet& additional_params, 106 const AuthorizationSet& hw_enforced, 107 const AuthorizationSet& sw_enforced, 108 UniquePtr<Key>* key) const { 109 if (!key) 110 return KM_ERROR_OUTPUT_PARAMETER_NULL; 111 112 keymaster_error_t error; 113 unique_ptr<RSA, RSA_Delete> rsa(engine_->BuildRsaKey(key_material, additional_params, &error)); 114 if (!rsa) 115 return error; 116 117 key->reset(new (std::nothrow) 118 RsaKeymaster1Key(rsa.release(), hw_enforced, sw_enforced, &error)); 119 if (!key->get()) 120 error = KM_ERROR_MEMORY_ALLOCATION_FAILED; 121 122 if (error != KM_ERROR_OK) 123 return error; 124 125 return KM_ERROR_OK; 126} 127 128OperationFactory* RsaKeymaster1KeyFactory::GetOperationFactory(keymaster_purpose_t purpose) const { 129 switch (purpose) { 130 case KM_PURPOSE_SIGN: 131 return sign_factory_.get(); 132 case KM_PURPOSE_VERIFY: 133 return verify_factory_.get(); 134 case KM_PURPOSE_ENCRYPT: 135 return encrypt_factory_.get(); 136 case KM_PURPOSE_DECRYPT: 137 return decrypt_factory_.get(); 138 case KM_PURPOSE_DERIVE_KEY: 139 break; 140 } 141 return nullptr; 142} 143 144} // namespace keymaster 145