1b33c9b8ffa5e687a08311eae917c50fd615020d0Andres Morales/* 2b33c9b8ffa5e687a08311eae917c50fd615020d0Andres Morales * Copyright 2014 The Android Open Source Project 3b33c9b8ffa5e687a08311eae917c50fd615020d0Andres Morales * 4b33c9b8ffa5e687a08311eae917c50fd615020d0Andres Morales * Licensed under the Apache License, Version 2.0 (the "License"); 5b33c9b8ffa5e687a08311eae917c50fd615020d0Andres Morales * you may not use this file except in compliance with the License. 6b33c9b8ffa5e687a08311eae917c50fd615020d0Andres Morales * You may obtain a copy of the License at 7b33c9b8ffa5e687a08311eae917c50fd615020d0Andres Morales * 8b33c9b8ffa5e687a08311eae917c50fd615020d0Andres Morales * http://www.apache.org/licenses/LICENSE-2.0 9b33c9b8ffa5e687a08311eae917c50fd615020d0Andres Morales * 10b33c9b8ffa5e687a08311eae917c50fd615020d0Andres Morales * Unless required by applicable law or agreed to in writing, software 11b33c9b8ffa5e687a08311eae917c50fd615020d0Andres Morales * distributed under the License is distributed on an "AS IS" BASIS, 12b33c9b8ffa5e687a08311eae917c50fd615020d0Andres Morales * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13b33c9b8ffa5e687a08311eae917c50fd615020d0Andres Morales * See the License for the specific language governing permissions and 14b33c9b8ffa5e687a08311eae917c50fd615020d0Andres Morales * limitations under the License. 
 */

#define LOG_TAG "TrustyKeymaster"

#include <assert.h>
#include <errno.h>
#include <inttypes.h>
#include <openssl/evp.h>
#include <openssl/x509.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

#include <type_traits>

#include <hardware/keymaster0.h>
#include <keymaster/authorization_set.h>
#include <log/log.h>

#include "trusty_keymaster_device.h"
#include "trusty_keymaster_ipc.h"
#include "keymaster_ipc.h"

const uint32_t SEND_BUF_SIZE = 8192;
const uint32_t RECV_BUF_SIZE = 8192;

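namespace keymaster {

// Map a negative errno from the Trusty IPC layer onto the keymaster error
// space. Anything not listed explicitly collapses to KM_ERROR_UNKNOWN_ERROR.
static keymaster_error_t translate_error(int err) {
    switch (err) {
    case 0:
        return KM_ERROR_OK;

    case -EPERM:
    case -EACCES:
        return KM_ERROR_SECURE_HW_ACCESS_DENIED;

    case -ECANCELED:
        return KM_ERROR_OPERATION_CANCELLED;

    case -ENODEV:
        return KM_ERROR_UNIMPLEMENTED;

    case -ENOMEM:
        return KM_ERROR_MEMORY_ALLOCATION_FAILED;

    case -EBUSY:
        return KM_ERROR_SECURE_HW_BUSY;

    case -EIO:
        return KM_ERROR_SECURE_HW_COMMUNICATION_FAILED;

    case -EOVERFLOW:
        return KM_ERROR_INVALID_INPUT_LENGTH;

    default:
        return KM_ERROR_UNKNOWN_ERROR;
    }
}

// Builds the keymaster0 HAL device table, connects to the Trusty keymaster TA
// and negotiates the IPC message version. Any failure is recorded in error_;
// every HAL entry point checks error_ first, so a device whose constructor
// failed refuses all work instead of talking to the TA with a bad state.
TrustyKeymasterDevice::TrustyKeymasterDevice(const hw_module_t* module) {
    // convert_device()/close_device() reinterpret_cast between hw_device_t* /
    // keymaster0_device_t* and this object. These asserts are what make that
    // cast legal: the C device struct must be the first thing in memory.
    static_assert(std::is_standard_layout<TrustyKeymasterDevice>::value,
                  "TrustyKeymasterDevice must be standard layout");
    static_assert(offsetof(TrustyKeymasterDevice, device_) == 0,
                  "device_ must be the first member of TrustyKeymasterDevice");
    static_assert(offsetof(TrustyKeymasterDevice, device_.common) == 0,
                  "common must be the first member of keymaster_device");

    ALOGI("Creating device");
    ALOGD("Device address: %p", this);

    memset(&device_, 0, sizeof(device_));

    device_.common.tag = HARDWARE_DEVICE_TAG;
    device_.common.version = 1;
    device_.common.module = const_cast<hw_module_t*>(module);
    device_.common.close = close_device;

    device_.flags = KEYMASTER_BLOBS_ARE_STANDALONE | KEYMASTER_SUPPORTS_EC;

    // delete_keypair/delete_all are intentionally unimplemented for this HAL.
    device_.generate_keypair = generate_keypair;
    device_.import_keypair = import_keypair;
    device_.get_keypair_public = get_keypair_public;
    device_.delete_keypair = NULL;
    device_.delete_all = NULL;
    device_.sign_data = sign_data;
    device_.verify_data = verify_data;

    device_.context = NULL;

    int rc = trusty_keymaster_connect();
    error_ = translate_error(rc);
    if (rc < 0) {
        ALOGE("failed to connect to keymaster (%d)", rc);
        return;
    }

    GetVersionRequest version_request;
    GetVersionResponse version_response;
    error_ = Send(version_request, &version_response);
    if (error_ == KM_ERROR_INVALID_ARGUMENT || error_ == KM_ERROR_UNIMPLEMENTED) {
        // TA predates GetVersion: speak the oldest message format. Return here
        // so the fallback is not clobbered by the MessageVersion() call below,
        // which would otherwise run on an unpopulated response.
        ALOGI("\"Bad parameters\" error on GetVersion call. Assuming version 0.");
        message_version_ = 0;
        error_ = KM_ERROR_OK;
        return;
    }
    if (error_ != KM_ERROR_OK) {
        // version_response is not meaningful; keep the Send() error rather than
        // deriving a version from it (or masking it with VERSION_MISMATCH).
        ALOGE("GetVersion failed: %d", error_);
        return;
    }

    message_version_ = MessageVersion(version_response.major_ver, version_response.minor_ver,
                                      version_response.subminor_ver);
    if (message_version_ < 0) {
        // Can't translate version? Keymaster implementation must be newer.
        ALOGE("Keymaster version %d.%d.%d not supported.", version_response.major_ver,
              version_response.minor_ver, version_response.subminor_ver);
        error_ = KM_ERROR_VERSION_MISMATCH;
    }
}

// Tears down the IPC connection. Called unconditionally, so
// trusty_keymaster_disconnect() is presumably safe after a failed connect.
TrustyKeymasterDevice::~TrustyKeymasterDevice() {
    trusty_keymaster_disconnect();
}

// 1000 * 60 * 60 * 24 * 365 * 100: presumably milliseconds in a hundred years.
// Not referenced in this part of the file.
const uint64_t HUNDRED_YEARS = 1000LL * 60 * 60 * 24 * 365 * 100;
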
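// Hand `size` bytes at `src` back to the keymaster0 caller in a freshly
// malloc()ed buffer (the HAL contract is that the caller free()s it). The
// out-params are written only on success, so a failed allocation leaves the
// caller with neither a dangling length nor a NULL "blob" to misuse.
static keymaster_error_t copy_to_caller(const uint8_t* src, size_t size, uint8_t** out,
                                        size_t* out_length) {
    uint8_t* buf = static_cast<uint8_t*>(malloc(size));
    if (buf == NULL && size != 0)
        return KM_ERROR_MEMORY_ALLOCATION_FAILED;
    if (size != 0)
        memcpy(buf, src, size);
    *out = buf;
    *out_length = size;
    return KM_ERROR_OK;
}

// keymaster0 generate_keypair: translates the legacy (type, params) pair into
// a GenerateKey request for the Trusty TA and returns the TA's opaque key blob
// in a malloc()ed buffer owned by the caller. Only RSA and EC are supported;
// key_params must point at the keygen params struct matching key_type.
int TrustyKeymasterDevice::generate_keypair(const keymaster_keypair_t key_type,
                                            const void* key_params, uint8_t** key_blob,
                                            size_t* key_blob_length) {
    ALOGD("Device received generate_keypair");

    if (error_ != KM_ERROR_OK)
        return error_;

    // key_params is dereferenced below and the out-params are written on
    // success; reject nulls up front, as import_keypair already does.
    if (!key_params)
        return KM_ERROR_UNEXPECTED_NULL_POINTER;
    if (!key_blob || !key_blob_length)
        return KM_ERROR_OUTPUT_PARAMETER_NULL;

    GenerateKeyRequest req(message_version_);
    StoreNewKeyParams(&req.key_description);

    switch (key_type) {
    case TYPE_RSA: {
        req.key_description.push_back(TAG_ALGORITHM, KM_ALGORITHM_RSA);
        const keymaster_rsa_keygen_params_t* rsa_params =
            static_cast<const keymaster_rsa_keygen_params_t*>(key_params);
        // public_exponent is 64-bit; a plain %lu is only correct on LP64.
        ALOGD("Generating RSA pair, modulus size: %u, public exponent: %" PRIu64,
              rsa_params->modulus_size, rsa_params->public_exponent);
        req.key_description.push_back(TAG_KEY_SIZE, rsa_params->modulus_size);
        req.key_description.push_back(TAG_RSA_PUBLIC_EXPONENT, rsa_params->public_exponent);
        break;
    }

    case TYPE_EC: {
        req.key_description.push_back(TAG_ALGORITHM, KM_ALGORITHM_EC);
        const keymaster_ec_keygen_params_t* ec_params =
            static_cast<const keymaster_ec_keygen_params_t*>(key_params);
        ALOGD("Generating ECDSA pair, key size: %u", ec_params->field_size);
        req.key_description.push_back(TAG_KEY_SIZE, ec_params->field_size);
        break;
    }

    default:
        ALOGD("Received request for unsuported key type %d", key_type);
        return KM_ERROR_UNSUPPORTED_ALGORITHM;
    }

    GenerateKeyResponse rsp(message_version_);
    ALOGD("Sending generate request");
    keymaster_error_t err = Send(req, &rsp);
    if (err != KM_ERROR_OK) {
        ALOGE("Got error %d from send", err);
        return err;
    }

    err = copy_to_caller(rsp.key_blob.key_material, rsp.key_blob.key_material_size, key_blob,
                         key_blob_length);
    if (err != KM_ERROR_OK)
        return err;
    ALOGD("Returning %d bytes in key blob\n", (int)*key_blob_length);

    return KM_ERROR_OK;
}

// Deleter functors so UniquePtr can own OpenSSL objects.
struct EVP_PKEY_Delete {
    void operator()(EVP_PKEY* p) const { EVP_PKEY_free(p); }
};

struct PKCS8_PRIV_KEY_INFO_Delete {
    void operator()(PKCS8_PRIV_KEY_INFO* p) const { PKCS8_PRIV_KEY_INFO_free(p); }
};

// keymaster0 import_keypair: imports a DER PKCS#8 private key into the TA and
// returns the resulting opaque key blob in a malloc()ed buffer owned by the
// caller. The PKCS#8 is parsed host-side only to learn the algorithm tag; the
// key bytes themselves are forwarded to the TA unchanged.
int TrustyKeymasterDevice::import_keypair(const uint8_t* key, const size_t key_length,
                                          uint8_t** key_blob, size_t* key_blob_length) {
    ALOGD("Device received import_keypair");
    if (error_ != KM_ERROR_OK)
        return error_;

    if (!key)
        return KM_ERROR_UNEXPECTED_NULL_POINTER;

    if (!key_blob || !key_blob_length)
        return KM_ERROR_OUTPUT_PARAMETER_NULL;

    ImportKeyRequest request(message_version_);
    StoreNewKeyParams(&request.key_description);
    keymaster_algorithm_t algorithm;
    keymaster_error_t err = GetPkcs8KeyAlgorithm(key, key_length, &algorithm);
    if (err != KM_ERROR_OK)
        return err;
    request.key_description.push_back(TAG_ALGORITHM, algorithm);

    request.SetKeyMaterial(key, key_length);
    request.key_format = KM_KEY_FORMAT_PKCS8;
    ImportKeyResponse response(message_version_);
    err = Send(request, &response);
    if (err != KM_ERROR_OK)
        return err;

    err = copy_to_caller(response.key_blob.key_material, response.key_blob.key_material_size,
                         key_blob, key_blob_length);
    if (err != KM_ERROR_OK)
        return err;
    // Log through the HAL logger like the rest of the file; a stray printf()
    // writes to the HAL process' stdout instead.
    ALOGD("Returning %d bytes in key blob\n", (int)*key_blob_length);

    return KM_ERROR_OK;
}

// Parses a DER PKCS#8 PrivateKeyInfo just far enough to learn which keymaster
// algorithm it carries; nothing from the key is retained. Returns
// KM_ERROR_INVALID_KEY_BLOB when the DER does not parse and
// KM_ERROR_UNSUPPORTED_ALGORITHM for anything other than RSA or EC.
keymaster_error_t TrustyKeymasterDevice::GetPkcs8KeyAlgorithm(const uint8_t* key, size_t key_length,
                                                              keymaster_algorithm_t* algorithm) {
    if (key == NULL) {
        ALOGE("No key specified for import");
        return KM_ERROR_UNEXPECTED_NULL_POINTER;
    }
    if (algorithm == NULL)
        return KM_ERROR_OUTPUT_PARAMETER_NULL;

    // d2i_* advances the pointer it is handed; `key` is a by-value copy so the
    // caller's pointer is unaffected. key_length narrows size_t -> long here.
    UniquePtr<PKCS8_PRIV_KEY_INFO, PKCS8_PRIV_KEY_INFO_Delete> pkcs8(
        d2i_PKCS8_PRIV_KEY_INFO(NULL, &key, key_length));
    if (pkcs8.get() == NULL) {
        ALOGE("Could not parse PKCS8 key blob");
        return KM_ERROR_INVALID_KEY_BLOB;
    }

    UniquePtr<EVP_PKEY, EVP_PKEY_Delete> pkey(EVP_PKCS82PKEY(pkcs8.get()));
    if (pkey.get() == NULL) {
        ALOGE("Could not extract key from PKCS8 key blob");
        return KM_ERROR_INVALID_KEY_BLOB;
    }

    // NOTE(review): reads EVP_PKEY's `type` field directly; EVP_PKEY_id()
    // would avoid depending on the struct layout. Confirm the bundled
    // OpenSSL/BoringSSL exposes it before switching.
    int key_type = EVP_PKEY_type(pkey->type);
    switch (key_type) {
    case EVP_PKEY_RSA:
        *algorithm = KM_ALGORITHM_RSA;
        break;
    case EVP_PKEY_EC:
        *algorithm = KM_ALGORITHM_EC;
        break;
    default:
        ALOGE("Unsupported algorithm %d", key_type);
        return KM_ERROR_UNSUPPORTED_ALGORITHM;
    }

    return KM_ERROR_OK;
}

// keymaster0 get_keypair_public: asks the TA to export the public half of
// `key_blob` as X.509 SubjectPublicKeyInfo DER. The DER is returned in a
// malloc()ed buffer owned by the caller.
int TrustyKeymasterDevice::get_keypair_public(const uint8_t* key_blob, const size_t key_blob_length,
                                              uint8_t** x509_data, size_t* x509_data_length) {
    ALOGD("Device received get_keypair_public");
    if (error_ != KM_ERROR_OK)
        return error_;

    if (!key_blob)
        return KM_ERROR_UNEXPECTED_NULL_POINTER;
    if (!x509_data || !x509_data_length)
        return KM_ERROR_OUTPUT_PARAMETER_NULL;

    ExportKeyRequest request(message_version_);
    request.SetKeyMaterial(key_blob, key_blob_length);
    request.key_format = KM_KEY_FORMAT_X509;
    ExportKeyResponse response(message_version_);
    keymaster_error_t err = Send(request, &response);
    if (err != KM_ERROR_OK)
        return err;

    err = copy_to_caller(response.key_data, response.key_data_length, x509_data,
                         x509_data_length);
    if (err != KM_ERROR_OK)
        return err;
    ALOGD("Returning %d bytes in x509 key\n", (int)*x509_data_length);

    return KM_ERROR_OK;
}

// keymaster0 sign_data: runs a Begin/Update/Finish signing operation in the TA
// over `data` with the key in `key_blob`. The signature is returned in a
// malloc()ed buffer owned by the caller. signing_params is interpreted by
// StoreSigningParams (defined elsewhere).
int TrustyKeymasterDevice::sign_data(const void* signing_params, const uint8_t* key_blob,
                                     const size_t key_blob_length, const uint8_t* data,
                                     const size_t data_length, uint8_t** signed_data,
                                     size_t* signed_data_length) {
    ALOGD("Device received sign_data, %d", error_);
    if (error_ != KM_ERROR_OK)
        return error_;

    if (!key_blob || (!data && data_length != 0))
        return KM_ERROR_UNEXPECTED_NULL_POINTER;
    if (!signed_data || !signed_data_length)
        return KM_ERROR_OUTPUT_PARAMETER_NULL;

    BeginOperationRequest begin_request(message_version_);
    begin_request.purpose = KM_PURPOSE_SIGN;
    begin_request.SetKeyMaterial(key_blob, key_blob_length);
    keymaster_error_t err = StoreSigningParams(signing_params, key_blob, key_blob_length,
                                               &begin_request.additional_params);
    if (err != KM_ERROR_OK) {
        ALOGE("Error extracting signing params: %d", err);
        return err;
    }

    BeginOperationResponse begin_response(message_version_);
    ALOGD("Sending signing request begin");
    err = Send(begin_request, &begin_response);
    if (err != KM_ERROR_OK) {
        ALOGE("Error sending sign begin: %d", err);
        return err;
    }

    // NOTE(review): if Update or Finish fails from here on, the operation
    // opened by Begin is left outstanding in the TA (no abort is sent).
    // Confirm whether the TA reclaims it or an explicit abort is required.
    UpdateOperationRequest update_request(message_version_);
    update_request.op_handle = begin_response.op_handle;
    update_request.input.Reinitialize(data, data_length);
    UpdateOperationResponse update_response(message_version_);
    ALOGD("Sending signing request update");
    err = Send(update_request, &update_response);
    if (err != KM_ERROR_OK) {
        ALOGE("Error sending sign update: %d", err);
        return err;
    }

    FinishOperationRequest finish_request(message_version_);
    finish_request.op_handle = begin_response.op_handle;
    FinishOperationResponse finish_response(message_version_);
    ALOGD("Sending signing request finish");
    err = Send(finish_request, &finish_response);
    if (err != KM_ERROR_OK) {
        ALOGE("Error sending sign finish: %d", err);
        return err;
    }

    // Fill locals first so the out-params are written only on success and the
    // buffer is released (not leaked) if the read fails.
    size_t sig_length = finish_response.output.available_read();
    uint8_t* sig = static_cast<uint8_t*>(malloc(sig_length));
    if (sig == NULL && sig_length != 0)
        return KM_ERROR_MEMORY_ALLOCATION_FAILED;
    if (!finish_response.output.read(sig, sig_length)) {
        ALOGE("Error reading signature from finish response");
        free(sig);
        return KM_ERROR_UNKNOWN_ERROR;
    }
    *signed_data = sig;
    *signed_data_length = sig_length;
    return KM_ERROR_OK;
}

// keymaster0 verify_data: runs a Begin/Update/Finish verify operation in the
// TA over `signed_data`, handing `signature` to Finish. Returns KM_ERROR_OK
// when every step succeeds; otherwise the error from the step that failed
// (a rejected signature is presumably reported by Finish).
int TrustyKeymasterDevice::verify_data(const void* signing_params, const uint8_t* key_blob,
                                       const size_t key_blob_length, const uint8_t* signed_data,
                                       const size_t signed_data_length, const uint8_t* signature,
                                       const size_t signature_length) {
    ALOGD("Device received verify_data");
    if (error_ != KM_ERROR_OK)
        return error_;

    if (!key_blob || (!signed_data && signed_data_length != 0) ||
        (!signature && signature_length != 0))
        return KM_ERROR_UNEXPECTED_NULL_POINTER;

    BeginOperationRequest begin_request(message_version_);
    begin_request.purpose = KM_PURPOSE_VERIFY;
    begin_request.SetKeyMaterial(key_blob, key_blob_length);
    keymaster_error_t err = StoreSigningParams(signing_params, key_blob, key_blob_length,
                                               &begin_request.additional_params);
    if (err != KM_ERROR_OK)
        return err;

    BeginOperationResponse begin_response(message_version_);
    err = Send(begin_request, &begin_response);
    if (err != KM_ERROR_OK)
        return err;

    // NOTE(review): as in sign_data, a failure below leaves the Begin'd
    // operation outstanding in the TA; no abort is sent.
    UpdateOperationRequest update_request(message_version_);
    update_request.op_handle = begin_response.op_handle;
    update_request.input.Reinitialize(signed_data, signed_data_length);
    UpdateOperationResponse update_response(message_version_);
    err = Send(update_request, &update_response);
    if (err != KM_ERROR_OK)
        return err;

    FinishOperationRequest finish_request(message_version_);
    finish_request.op_handle = begin_response.op_handle;
    finish_request.signature.Reinitialize(signature, signature_length);
    FinishOperationResponse finish_response(message_version_);
    err = Send(finish_request, &finish_response);
    if (err != KM_ERROR_OK)
        return err;
    return KM_ERROR_OK;
}

// The hw_device_t the HAL loader hands out; it is the first member of this
// object (see the static_asserts in the constructor).
hw_device_t* TrustyKeymasterDevice::hw_device() {
    return &device_.common;
}

// Recover the owning TrustyKeymasterDevice from the C device pointer the HAL
// passes back. Valid only because device_ sits at offset 0 (asserted in the
// constructor); `dev` must have come from hw_device().
static inline TrustyKeymasterDevice* convert_device(const keymaster0_device_t* dev) {
    return reinterpret_cast<TrustyKeymasterDevice*>(const_cast<keymaster0_device_t*>(dev));
}

/* static */
// hw_device_t::close: destroys the device created for this hw_device_t.
int TrustyKeymasterDevice::close_device(hw_device_t* dev) {
    delete reinterpret_cast<TrustyKeymasterDevice*>(dev);
    return 0;
}

/* static */
// keymaster0 table entry; forwards to the instance method.
int TrustyKeymasterDevice::generate_keypair(const keymaster0_device_t* dev,
                                            const keymaster_keypair_t key_type,
                                            const void* key_params, uint8_t** keyBlob,
                                            size_t* keyBlobLength) {
    TrustyKeymasterDevice* device = convert_device(dev);
    ALOGD("Generate keypair, sending to device: %p", device);
    return device->generate_keypair(key_type, key_params, keyBlob, keyBlobLength);
}

/* static */
// keymaster0 table entry; forwards to the instance method.
int TrustyKeymasterDevice::import_keypair(const keymaster0_device_t* dev, const uint8_t* key,
                                          const size_t key_length, uint8_t** key_blob,
                                          size_t* key_blob_length) {
    return convert_device(dev)->import_keypair(key, key_length, key_blob, key_blob_length);
}

/* static */
// keymaster0 table entry; forwards to the instance method.
int TrustyKeymasterDevice::get_keypair_public(const keymaster0_device_t* dev,
                                              const uint8_t* key_blob, const size_t key_blob_length,
                                              uint8_t** x509_data, size_t* x509_data_length) {
    return convert_device(dev)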
->get_keypair_public(key_blob, key_blob_length, x509_data, x509_data_length); 418b33c9b8ffa5e687a08311eae917c50fd615020d0Andres Morales} 419b33c9b8ffa5e687a08311eae917c50fd615020d0Andres Morales 420b33c9b8ffa5e687a08311eae917c50fd615020d0Andres Morales/* static */ 421b33c9b8ffa5e687a08311eae917c50fd615020d0Andres Moralesint TrustyKeymasterDevice::sign_data(const keymaster0_device_t* dev, const void* params, 422b33c9b8ffa5e687a08311eae917c50fd615020d0Andres Morales const uint8_t* keyBlob, const size_t keyBlobLength, 423b33c9b8ffa5e687a08311eae917c50fd615020d0Andres Morales const uint8_t* data, const size_t dataLength, 424b33c9b8ffa5e687a08311eae917c50fd615020d0Andres Morales uint8_t** signedData, size_t* signedDataLength) { 425b33c9b8ffa5e687a08311eae917c50fd615020d0Andres Morales return convert_device(dev) 426b33c9b8ffa5e687a08311eae917c50fd615020d0Andres Morales ->sign_data(params, keyBlob, keyBlobLength, data, dataLength, signedData, signedDataLength); 427b33c9b8ffa5e687a08311eae917c50fd615020d0Andres Morales} 428b33c9b8ffa5e687a08311eae917c50fd615020d0Andres Morales 429b33c9b8ffa5e687a08311eae917c50fd615020d0Andres Morales/* static */ 430b33c9b8ffa5e687a08311eae917c50fd615020d0Andres Moralesint TrustyKeymasterDevice::verify_data(const keymaster0_device_t* dev, const void* params, 431b33c9b8ffa5e687a08311eae917c50fd615020d0Andres Morales const uint8_t* keyBlob, const size_t keyBlobLength, 432b33c9b8ffa5e687a08311eae917c50fd615020d0Andres Morales const uint8_t* signedData, const size_t signedDataLength, 433b33c9b8ffa5e687a08311eae917c50fd615020d0Andres Morales const uint8_t* signature, const size_t signatureLength) { 434b33c9b8ffa5e687a08311eae917c50fd615020d0Andres Morales return convert_device(dev)->verify_data(params, keyBlob, keyBlobLength, signedData, 435b33c9b8ffa5e687a08311eae917c50fd615020d0Andres Morales signedDataLength, signature, signatureLength); 436b33c9b8ffa5e687a08311eae917c50fd615020d0Andres Morales} 
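
/*
 * Serializes |req|, sends it to the Trusty keymaster TA as |command| and
 * deserializes the reply into |rsp|.
 *
 * Returns KM_ERROR_OK on success. Returns KM_ERROR_MEMORY_ALLOCATION_FAILED
 * when the serialized request does not fit SEND_BUF_SIZE, the translated
 * transport error when trusty_keymaster_call() fails, KM_ERROR_UNKNOWN_ERROR
 * when the reply cannot be deserialized (or is implausibly sized), and
 * otherwise the error code the TA placed in the response.
 *
 * Both buffers live on the stack and are wiped by Eraser on every exit path,
 * since requests and responses may carry key material.
 */
keymaster_error_t TrustyKeymasterDevice::Send(uint32_t command, const Serializable& req,
                                              KeymasterResponse* rsp) {
    // Reject oversized requests up front: Serialize() is never asked to write
    // past the end of send_buf.
    uint32_t req_size = req.SerializedSize();
    if (req_size > SEND_BUF_SIZE)
        return KM_ERROR_MEMORY_ALLOCATION_FAILED;
    uint8_t send_buf[SEND_BUF_SIZE];
    Eraser send_buf_eraser(send_buf, SEND_BUF_SIZE);
    req.Serialize(send_buf, send_buf + req_size);

    // Send it. rsp_size is in/out: capacity on entry, bytes received on return.
    uint8_t recv_buf[RECV_BUF_SIZE];
    Eraser recv_buf_eraser(recv_buf, RECV_BUF_SIZE);
    uint32_t rsp_size = RECV_BUF_SIZE;
    // Was a stray printf() to stdout; a HAL must not write to stdout, so log it
    // at verbose level like the response path does.
    ALOGV("Sending %u byte request", req_size);
    int rc = trusty_keymaster_call(command, send_buf, req_size, recv_buf, &rsp_size);
    if (rc < 0) {
        ALOGE("tipc error: %d\n", rc);
        // TODO(swillden): Distinguish permanent from transient errors and set error_ appropriately.
        return translate_error(rc);
    }
    ALOGV("Received %u byte response\n", rsp_size);

    // The reply is a keymaster_message; the serialized response follows the
    // header. rsp_size is treated as the payload length here (the original
    // code used it the same way). NOTE(review): that assumes
    // trusty_keymaster_call() reports the payload size in *out_size, not the
    // total read size — confirm against trusty_keymaster_ipc. Either way the
    // deserialization bound must not extend past recv_buf.
    const size_t payload_offset = offsetof(keymaster_message, payload);
    if (rsp_size > RECV_BUF_SIZE - payload_offset) {
        ALOGE("Response size %u exceeds receive buffer\n", rsp_size);
        return KM_ERROR_UNKNOWN_ERROR;
    }
    const keymaster_message* msg = reinterpret_cast<const keymaster_message*>(recv_buf);
    const uint8_t* p = msg->payload;
    // Deserialize() is given an explicit [begin, end) range so it cannot read
    // beyond the bytes actually received.
    if (!rsp->Deserialize(&p, p + rsp_size)) {
        ALOGE("Error deserializing response of size %d\n", (int)rsp_size);
        return KM_ERROR_UNKNOWN_ERROR;
    }
    if (rsp->error != KM_ERROR_OK)
        ALOGE("Response of size %d contained error code %d\n", (int)rsp_size, (int)rsp->error);
    return rsp->error;
}

/*
 * Derives the keymaster1-style DIGEST/PADDING authorizations that the
 * keymaster0 |signing_params| request for |key_blob| and appends them to
 * |auth_set|.
 *
 * The key's algorithm is determined by extracting its public key through
 * get_keypair_public() and parsing the X.509 SubjectPublicKeyInfo with
 * d2i_PUBKEY(). Only the keymaster0 contract (raw, unpadded signatures with
 * no digest) is accepted: RSA requires DIGEST_NONE + PADDING_NONE, EC requires
 * DIGEST_NONE.
 *
 * Returns KM_ERROR_UNEXPECTED_NULL_POINTER if |signing_params| or |auth_set|
 * is null, KM_ERROR_INVALID_KEY_BLOB if the public key cannot be extracted or
 * parsed, KM_ERROR_UNSUPPORTED_DIGEST / KM_ERROR_UNSUPPORTED_PADDING_MODE /
 * KM_ERROR_UNSUPPORTED_ALGORITHM for requests outside the contract,
 * KM_ERROR_MEMORY_ALLOCATION_FAILED if |auth_set| cannot grow, else KM_ERROR_OK.
 */
keymaster_error_t TrustyKeymasterDevice::StoreSigningParams(const void* signing_params,
                                                            const uint8_t* key_blob,
                                                            size_t key_blob_length,
                                                            AuthorizationSet* auth_set) {
    // Both pointers are dereferenced below; keymaster0 callers pass
    // signing_params straight through from the HAL caller.
    if (signing_params == nullptr || auth_set == nullptr)
        return KM_ERROR_UNEXPECTED_NULL_POINTER;

    uint8_t* pub_key_data = nullptr;
    size_t pub_key_data_length = 0;
    int err = get_keypair_public(&device_, key_blob, key_blob_length, &pub_key_data,
                                 &pub_key_data_length);
    if (err < 0) {
        ALOGE("Error %d extracting public key to determine algorithm", err);
        return KM_ERROR_INVALID_KEY_BLOB;
    }
    // get_keypair_public() hands back a malloc()ed buffer; free it on every path.
    UniquePtr<uint8_t, Malloc_Delete> pub_key(pub_key_data);

    const uint8_t* p = pub_key_data;
    UniquePtr<EVP_PKEY, EVP_PKEY_Delete> pkey(
        d2i_PUBKEY(nullptr /* allocate new struct */, &p, pub_key_data_length));
    // d2i_PUBKEY() returns NULL on a malformed SubjectPublicKeyInfo; the
    // original dereferenced pkey unconditionally, so a bad blob crashed here.
    if (pkey.get() == nullptr) {
        ALOGE("Error parsing public key to determine algorithm");
        return KM_ERROR_INVALID_KEY_BLOB;
    }

    switch (EVP_PKEY_type(pkey->type)) {
    case EVP_PKEY_RSA: {
        const keymaster_rsa_sign_params_t* rsa_params =
            reinterpret_cast<const keymaster_rsa_sign_params_t*>(signing_params);
        if (rsa_params->digest_type != DIGEST_NONE)
            return KM_ERROR_UNSUPPORTED_DIGEST;
        if (rsa_params->padding_type != PADDING_NONE)
            return KM_ERROR_UNSUPPORTED_PADDING_MODE;
        if (!auth_set->push_back(TAG_DIGEST, KM_DIGEST_NONE) ||
            !auth_set->push_back(TAG_PADDING, KM_PAD_NONE))
            return KM_ERROR_MEMORY_ALLOCATION_FAILED;
        break;
    }
    case EVP_PKEY_EC: {
        const keymaster_ec_sign_params_t* ecdsa_params =
            reinterpret_cast<const keymaster_ec_sign_params_t*>(signing_params);
        if (ecdsa_params->digest_type != DIGEST_NONE)
            return KM_ERROR_UNSUPPORTED_DIGEST;
        if (!auth_set->push_back(TAG_DIGEST, KM_DIGEST_NONE))
            return KM_ERROR_MEMORY_ALLOCATION_FAILED;
        break;
    }
    default:
        return KM_ERROR_UNSUPPORTED_ALGORITHM;
    }
    return KM_ERROR_OK;
}

/*
 * Appends the fixed authorization list every keymaster0-generated or
 * -imported key receives: SIGN and VERIFY purposes, usable by all users with
 * no user authentication (keymaster0 has no notion of per-key auth), a
 * creation time of "now" and an origination expiry 100 years out, and
 * DIGEST_NONE / PAD_NONE because keymaster0 callers do their own hashing and
 * padding before handing data to sign_data()/verify_data().
 *
 * The old tag numbering (TAG_*_OLD) is used when the TA speaks message
 * version 0. The interface is void, so a failed push_back() (allocation
 * failure) can only be logged here, not reported to the caller.
 */
void TrustyKeymasterDevice::StoreNewKeyParams(AuthorizationSet* auth_set) {
    bool ok = auth_set->push_back(TAG_PURPOSE, KM_PURPOSE_SIGN);
    ok = auth_set->push_back(TAG_PURPOSE, KM_PURPOSE_VERIFY) && ok;
    ok = auth_set->push_back(TAG_ALL_USERS) && ok;
    ok = auth_set->push_back(TAG_NO_AUTH_REQUIRED) && ok;
    uint64_t now = java_time(time(nullptr));
    ok = auth_set->push_back(TAG_CREATION_DATETIME, now) && ok;
    ok = auth_set->push_back(TAG_ORIGINATION_EXPIRE_DATETIME, now + HUNDRED_YEARS) && ok;
    if (message_version_ == 0) {
        ok = auth_set->push_back(TAG_DIGEST_OLD, KM_DIGEST_NONE) && ok;
        ok = auth_set->push_back(TAG_PADDING_OLD, KM_PAD_NONE) && ok;
    } else {
        ok = auth_set->push_back(TAG_DIGEST, KM_DIGEST_NONE) && ok;
        ok = auth_set->push_back(TAG_PADDING, KM_PAD_NONE) && ok;
    }
    if (!ok)
        ALOGE("Failed to store new key params (allocation failure)");
}

}  // namespace keymaster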