//
// Copyright (C) 2015 The Android Open Source Project
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//      http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
//

#ifndef ATTESTATION_COMMON_CRYPTO_UTILITY_H_
#define ATTESTATION_COMMON_CRYPTO_UTILITY_H_

#include <string>

#include "attestation/common/common.pb.h"

namespace attestation {

// Abstract interface for the cryptography-related helpers used by the
// attestation code. Every method is pure virtual and reports its outcome as a
// bool. This header does not say what an output argument holds when a method
// returns false, so callers should check the result before using any output.
class CryptoUtility {
 public:
  virtual ~CryptoUtility() = default;

  // Fills |random_data| with |num_bytes| of random data. Returns true on
  // success.
  // NOTE(review): the entropy source is left to the implementation; callers
  // that derive key material from this presumably depend on it being
  // cryptographically strong -- confirm per implementation.
  virtual bool GetRandom(size_t num_bytes,
                         std::string* random_data) const = 0;

  // Generates a fresh random |aes_key| and seals it to the TPM's PCR0; the
  // sealed form is returned in |sealed_key|. Returns true on success.
  // |aes_key| is the usable (unsealed) key that EncryptData() takes.
  // std::string does not wipe its storage on destruction, so callers should
  // keep the lifetime of |aes_key| short.
  // NOTE(review): sealing to PCR0 presumably means unsealing fails once PCR0
  // holds a different value -- confirm against the implementation.
  virtual bool CreateSealedKey(
      std::string* aes_key,
      std::string* sealed_key) = 0;

  // Encrypts |data| with |aes_key| and writes the result to |encrypted_data|.
  // The |sealed_key| is embedded in |encrypted_data| so that decryption can
  // recover the key later through UnsealKey(). Returns true on success.
  // NOTE(review): cipher mode and integrity protection are not specified by
  // this interface; confirm that implementations authenticate the output,
  // because UnsealKey() and DecryptData() later parse it.
  virtual bool EncryptData(
      const std::string& data,
      const std::string& aes_key,
      const std::string& sealed_key,
      std::string* encrypted_data) = 0;

  // Pulls the |sealed_key| out of |encrypted_data| and unseals it to recover
  // the |aes_key|. The |sealed_key| is returned as well, so the caller can
  // keep encrypting with the same key via EncryptData(). Returns true on
  // success.
  virtual bool UnsealKey(
      const std::string& encrypted_data,
      std::string* aes_key,
      std::string* sealed_key) = 0;

  // Decrypts |encrypted_data| with |aes_key| and stores the plaintext in
  // |data|. Returns true on success.
  virtual bool DecryptData(
      const std::string& encrypted_data,
      const std::string& aes_key,
      std::string* data) = 0;

  // Converts |public_key| from PKCS #1 RSAPublicKey to X.509
  // SubjectPublicKeyInfo. Returns true on success, with the converted key in
  // |public_key_info|.
  virtual bool GetRSASubjectPublicKeyInfo(
      const std::string& public_key,
      std::string* public_key_info) = 0;

  // Converts |public_key_info| from X.509 SubjectPublicKeyInfo to PKCS #1
  // RSAPublicKey. Returns true on success, with the converted key in
  // |public_key|.
  virtual bool GetRSAPublicKey(
      const std::string& public_key_info,
      std::string* public_key) = 0;

  // Encrypts a |credential| in a format compatible with TPM attestation key
  // activation. |ek_public_key_info| must be in X.509 SubjectPublicKeyInfo
  // format and |aik_public_key| must be in TPM_PUBKEY format. The result is
  // written to |encrypted|.
  // NOTE(review): the return convention is not stated here; presumably true
  // on success like the other methods -- confirm.
  virtual bool EncryptIdentityCredential(
      const std::string& credential,
      const std::string& ek_public_key_info,
      const std::string& aik_public_key,
      EncryptedIdentityCredential* encrypted) = 0;

  // Encrypts |data| in a format compatible with the TPM unbind operation and
  // writes it to |encrypted_data|. |public_key| must be in X.509
  // SubjectPublicKeyInfo format.
  // NOTE(review): the return convention is not stated here; presumably true
  // on success like the other methods -- confirm.
  virtual bool EncryptForUnbind(
      const std::string& public_key,
      const std::string& data,
      std::string* encrypted_data) = 0;

  // Verifies a PKCS #1 v1.5 SHA-256 |signature| over |data|. |public_key|
  // must be in X.509 SubjectPublicKeyInfo format.
  // NOTE(review): the meaning of the result is not spelled out here;
  // presumably true means the signature verified, and false covers both a bad
  // signature and an internal error -- confirm. Callers should treat false as
  // a verification failure.
  virtual bool VerifySignature(
      const std::string& public_key,
      const std::string& data,
      const std::string& signature) = 0;
};

}  // namespace attestation

#endif  // ATTESTATION_COMMON_CRYPTO_UTILITY_H_