13daa5a0d71ba8facd8be9370df54c20c23be6d8dUtkarsh Sanghi//
23daa5a0d71ba8facd8be9370df54c20c23be6d8dUtkarsh Sanghi// Copyright (C) 2015 The Android Open Source Project
33daa5a0d71ba8facd8be9370df54c20c23be6d8dUtkarsh Sanghi//
43daa5a0d71ba8facd8be9370df54c20c23be6d8dUtkarsh Sanghi// Licensed under the Apache License, Version 2.0 (the "License");
53daa5a0d71ba8facd8be9370df54c20c23be6d8dUtkarsh Sanghi// you may not use this file except in compliance with the License.
63daa5a0d71ba8facd8be9370df54c20c23be6d8dUtkarsh Sanghi// You may obtain a copy of the License at
73daa5a0d71ba8facd8be9370df54c20c23be6d8dUtkarsh Sanghi//
83daa5a0d71ba8facd8be9370df54c20c23be6d8dUtkarsh Sanghi//      http://www.apache.org/licenses/LICENSE-2.0
93daa5a0d71ba8facd8be9370df54c20c23be6d8dUtkarsh Sanghi//
103daa5a0d71ba8facd8be9370df54c20c23be6d8dUtkarsh Sanghi// Unless required by applicable law or agreed to in writing, software
113daa5a0d71ba8facd8be9370df54c20c23be6d8dUtkarsh Sanghi// distributed under the License is distributed on an "AS IS" BASIS,
123daa5a0d71ba8facd8be9370df54c20c23be6d8dUtkarsh Sanghi// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
133daa5a0d71ba8facd8be9370df54c20c23be6d8dUtkarsh Sanghi// See the License for the specific language governing permissions and
143daa5a0d71ba8facd8be9370df54c20c23be6d8dUtkarsh Sanghi// limitations under the License.
153daa5a0d71ba8facd8be9370df54c20c23be6d8dUtkarsh Sanghi//
1630a5bba00647d29e324111005deb76a0466f8c6bDarren Krahn
17745de272a4afde07cd3b3a7c376976bd0a972b36Darren Krahn#ifndef ATTESTATION_COMMON_CRYPTO_UTILITY_H_
18745de272a4afde07cd3b3a7c376976bd0a972b36Darren Krahn#define ATTESTATION_COMMON_CRYPTO_UTILITY_H_
1930a5bba00647d29e324111005deb76a0466f8c6bDarren Krahn
2030a5bba00647d29e324111005deb76a0466f8c6bDarren Krahn#include <string>
2130a5bba00647d29e324111005deb76a0466f8c6bDarren Krahn
222e89ba764046e015ae90a1668f7cb3eb29cf509dDarren Krahn#include "attestation/common/common.pb.h"
232e89ba764046e015ae90a1668f7cb3eb29cf509dDarren Krahn
2430a5bba00647d29e324111005deb76a0466f8c6bDarren Krahnnamespace attestation {
2530a5bba00647d29e324111005deb76a0466f8c6bDarren Krahn
// Abstract interface for the cryptography helpers used by attestation code.
// Every method returns a bool and most write their results through output
// pointers; callers should check the return value before using any output.
class CryptoUtility {
 public:
  virtual ~CryptoUtility() = default;

  // Fills |random_data| with |num_bytes| of random data. Returns true on
  // success.
  // NOTE(review): the contents of |random_data| after a false return are not
  // specified by this interface; do not use them as key material.
  virtual bool GetRandom(size_t num_bytes, std::string* random_data) const = 0;

  // Generates a fresh random |aes_key| and seals it to the TPM's PCR0; the
  // sealed form is returned in |sealed_key|. Returns true on success.
  // |aes_key| is the unsealed key itself, so callers hold raw key material
  // after this call and are responsible for how long it stays in memory.
  virtual bool CreateSealedKey(
      std::string* aes_key,
      std::string* sealed_key) = 0;

  // Encrypts |data| with |aes_key| and writes the result to |encrypted_data|.
  // The |sealed_key| is embedded in |encrypted_data| so that UnsealKey() can
  // later recover the key from the blob alone. Returns true on success.
  // NOTE(review): the cipher mode and whether the output is integrity
  // protected are not stated here - confirm against the implementation.
  virtual bool EncryptData(
      const std::string& data,
      const std::string& aes_key,
      const std::string& sealed_key,
      std::string* encrypted_data) = 0;

  // Pulls the sealed key out of |encrypted_data| and unseals it into
  // |aes_key|. The embedded |sealed_key| is returned as well, which lets a
  // caller re-encrypt with EncryptData() under the same key. Returns true on
  // success.
  virtual bool UnsealKey(
      const std::string& encrypted_data,
      std::string* aes_key,
      std::string* sealed_key) = 0;

  // Decrypts |encrypted_data| with |aes_key| and writes the plaintext to
  // |data|. Returns true on success; |data| should be ignored otherwise.
  virtual bool DecryptData(
      const std::string& encrypted_data,
      const std::string& aes_key,
      std::string* data) = 0;

  // Converts |public_key| from PKCS #1 RSAPublicKey encoding to X.509
  // SubjectPublicKeyInfo encoding. Returns true on success, with the result
  // in |public_key_info|.
  virtual bool GetRSASubjectPublicKeyInfo(
      const std::string& public_key,
      std::string* public_key_info) = 0;

  // Converts |public_key_info| from X.509 SubjectPublicKeyInfo encoding to
  // PKCS #1 RSAPublicKey encoding. Returns true on success, with the result
  // in |public_key|.
  virtual bool GetRSAPublicKey(
      const std::string& public_key_info,
      std::string* public_key) = 0;

  // Encrypts |credential| into |encrypted|, in a format compatible with TPM
  // attestation key activation. Input encodings are fixed:
  //   |ek_public_key_info| - X.509 SubjectPublicKeyInfo
  //   |aik_public_key|     - TPM_PUBKEY
  // NOTE(review): the return value is undocumented in the original; presumably
  // true on success like the other methods - confirm.
  virtual bool EncryptIdentityCredential(
      const std::string& credential,
      const std::string& ek_public_key_info,
      const std::string& aik_public_key,
      EncryptedIdentityCredential* encrypted) = 0;

  // Encrypts |data| into |encrypted_data|, in a format compatible with the TPM
  // unbind operation. |public_key| must be encoded as X.509
  // SubjectPublicKeyInfo.
  // NOTE(review): return value presumably true on success - confirm.
  virtual bool EncryptForUnbind(
      const std::string& public_key,
      const std::string& data,
      std::string* encrypted_data) = 0;

  // Checks a PKCS #1 v1.5 SHA-256 |signature| over |data|. |public_key| must
  // be encoded as X.509 SubjectPublicKeyInfo.
  // NOTE(review): the return value is undocumented in the original; presumably
  // true only when the signature verifies - confirm. The single bool cannot
  // distinguish a bad signature from a malformed key or an internal error, so
  // callers should treat every false as a verification failure.
  virtual bool VerifySignature(
      const std::string& public_key,
      const std::string& data,
      const std::string& signature) = 0;
};
9530a5bba00647d29e324111005deb76a0466f8c6bDarren Krahn
9630a5bba00647d29e324111005deb76a0466f8c6bDarren Krahn}  // namespace attestation
9730a5bba00647d29e324111005deb76a0466f8c6bDarren Krahn
98745de272a4afde07cd3b3a7c376976bd0a972b36Darren Krahn#endif  // ATTESTATION_COMMON_CRYPTO_UTILITY_H_