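/*
**
** Copyright 2017, The Android Open Source Project
**
** Licensed under the Apache License, Version 2.0 (the "License");
** you may not use this file except in compliance with the License.
** You may obtain a copy of the License at
**
**     http://www.apache.org/licenses/LICENSE-2.0
**
** Unless required by applicable law or agreed to in writing, software
** distributed under the License is distributed on an "AS IS" BASIS,
** WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
** See the License for the specific language governing permissions and
** limitations under the License.
*/

#include <keymaster/contexts/keymaster1_passthrough_context.h>

#include <keymaster/legacy_support/keymaster_passthrough_key.h>
#include <keymaster/legacy_support/keymaster_passthrough_engine.h>
#include <keymaster/legacy_support/keymaster1_legacy_support.h>
#include <keymaster/legacy_support/keymaster1_engine.h>
#include <keymaster/legacy_support/rsa_keymaster1_key.h>
#include <keymaster/legacy_support/ec_keymaster1_key.h>
#include <keymaster/key_blob_utils/software_keyblobs.h>
#include <keymaster/key_blob_utils/integrity_assured_key_blob.h>
#include <keymaster/key_blob_utils/ocb_utils.h>
#include <keymaster/km_openssl/aes_key.h>
#include <keymaster/km_openssl/hmac_key.h>
#include <keymaster/km_openssl/attestation_utils.h>
#include "soft_attestation_cert.h"

namespace keymaster {

// Builds the context around a keymaster1 HAL device. The same device pointer is stored in
// device_ and handed to both the passthrough engine and the keymaster1 engine.
// NOTE(review): dev is not checked for null here and its ownership is not visible in this
// file -- confirm against the header and the callers.
Keymaster1PassthroughContext::Keymaster1PassthroughContext(keymaster1_device_t* dev)
    : device_(dev), pt_engine_(KeymasterPassthroughEngine::createInstance(dev)),
      km1_engine_(new Keymaster1Engine(dev)) {

}

// Records the OS version and patch level that are later bound into newly created software
// key blobs (CreateKeyBlob) and used as the target of UpgradeKeyBlob. Always returns
// KM_ERROR_OK; the values are stored as given, without validation.
keymaster_error_t Keymaster1PassthroughContext::SetSystemVersion(uint32_t os_version,
                                                                  uint32_t os_patchlevel) {
    os_version_ = os_version;
    os_patchlevel_ = os_patchlevel;
    return KM_ERROR_OK;
}

// Copies the stored OS version and patch level to the caller. Either output pointer may be
// null, in which case that value is skipped.
void Keymaster1PassthroughContext::GetSystemVersion(uint32_t* os_version,
                                                    uint32_t* os_patchlevel) const {
    if (os_version) *os_version = os_version_;
    if (os_patchlevel) *os_patchlevel = os_patchlevel_;
}

// Returns the key factory for |algorithm|, creating and caching it in factories_ on first
// use. RSA and EC factories are given the keymaster1 engine; AES and HMAC factories are given
// this context instead.
//
// Returns nullptr for KM_ALGORITHM_TRIPLE_DES and for any value that matches no case label
// (the cached entry stays empty), so every caller must check the result before using it.
//
// NOTE(review): the cache is filled from a const method and no locking is visible here;
// confirm that callers serialize access to this context.
KeyFactory* Keymaster1PassthroughContext::GetKeyFactory(keymaster_algorithm_t algorithm) const {
    auto& result = factories_[algorithm];
    if (!result) {
        switch(algorithm) {
        case KM_ALGORITHM_RSA:
            result.reset(new Keymaster1ArbitrationFactory<RsaKeymaster1KeyFactory>(pt_engine_.get(),
                    KM_ALGORITHM_RSA, device_, this, km1_engine_.get()));
            break;
        case KM_ALGORITHM_EC:
            result.reset(new Keymaster1ArbitrationFactory<EcdsaKeymaster1KeyFactory>(pt_engine_.get(),
                    KM_ALGORITHM_EC, device_, this, km1_engine_.get()));
            break;
        case KM_ALGORITHM_AES:
            result.reset(new Keymaster1ArbitrationFactory<AesKeyFactory>(pt_engine_.get(),
                    KM_ALGORITHM_AES, device_, this, this));
            break;
        case KM_ALGORITHM_HMAC:
            result.reset(new Keymaster1ArbitrationFactory<HmacKeyFactory>(pt_engine_.get(),
                    KM_ALGORITHM_HMAC, device_, this, this));
            break;
        case KM_ALGORITHM_TRIPLE_DES:
            // Not supported by KM1.
            return nullptr;
        }
    }
    return result.get();
}

// Returns the operation factory for |algorithm| and |purpose|, or nullptr when there is no
// key factory for the algorithm.
OperationFactory* Keymaster1PassthroughContext::GetOperationFactory(keymaster_algorithm_t algorithm,
        keymaster_purpose_t purpose) const {
    auto keyfactory = GetKeyFactory(algorithm);
    // GetKeyFactory yields nullptr for TRIPLE_DES and unrecognized algorithm values; the
    // algorithm can originate from request parameters, so it must not be dereferenced blindly.
    if (!keyfactory) return nullptr;
    return keyfactory->GetOperationFactory(purpose);
}

// Reports no algorithms: sets *algorithms_count to 0 (when the pointer is non-null) and
// returns nullptr.
keymaster_algorithm_t* Keymaster1PassthroughContext::GetSupportedAlgorithms(
        size_t* algorithms_count) const {
    if (algorithms_count) *algorithms_count = 0;
    return nullptr;
}

// Upgrades a software key blob to the stored OS version and patch level.
//
// The blob is parsed first (which also checks it against |upgrade_params|). A key whose
// hw_enforced list carries TAG_PURPOSE but no TAG_OS_PATCHLEVEL is rejected with
// KM_ERROR_INVALID_ARGUMENT; everything else is passed to UpgradeSoftKeyBlob.
// NOTE(review): that condition presumably singles out keymaster1 hardware blobs, which
// cannot be re-bound to a new patch level here -- confirm.
keymaster_error_t Keymaster1PassthroughContext::UpgradeKeyBlob(
        const KeymasterKeyBlob& key_to_upgrade, const AuthorizationSet& upgrade_params,
        KeymasterKeyBlob* upgraded_key) const {

    UniquePtr<Key> key;
    keymaster_error_t error = ParseKeyBlob(key_to_upgrade, upgrade_params, &key);
    if (error != KM_ERROR_OK)
        return error;

    if (key->hw_enforced().Contains(TAG_PURPOSE) &&
        !key->hw_enforced().Contains(TAG_OS_PATCHLEVEL)) {
        return KM_ERROR_INVALID_ARGUMENT;
    }

    return UpgradeSoftKeyBlob(key, os_version_, os_patchlevel_, upgrade_params, upgraded_key);
}

// Asks the keymaster1 device for the characteristics of |blob| and fills |hw_enforced| and
// |sw_enforced| from the answer. The blob itself is copied to |key_material| unchanged.
//
// TAG_APPLICATION_ID and TAG_APPLICATION_DATA from |additional_params| are forwarded to the
// device when present. Any device error is returned as-is.
static keymaster_error_t parseKeymaster1HwBlob(const keymaster1_device_t* device,
                                               const KeymasterKeyBlob& blob,
                                               const AuthorizationSet& additional_params,
                                               KeymasterKeyBlob* key_material,
                                               AuthorizationSet* hw_enforced,
                                               AuthorizationSet* sw_enforced) {
    keymaster_blob_t client_id = {nullptr, 0};
    keymaster_blob_t app_data = {nullptr, 0};
    keymaster_blob_t* client_id_ptr = nullptr;
    keymaster_blob_t* app_data_ptr = nullptr;
    if (additional_params.GetTagValue(TAG_APPLICATION_ID, &client_id))
        client_id_ptr = &client_id;
    if (additional_params.GetTagValue(TAG_APPLICATION_DATA, &app_data))
        app_data_ptr = &app_data;

    // Get key characteristics, which incidentally verifies that the HW recognizes the key.
    // Start from nullptr so a device that reports success without filling the out-parameter
    // is caught below instead of handing us an indeterminate pointer.
    keymaster_key_characteristics_t* characteristics = nullptr;
    keymaster_error_t error = device->get_key_characteristics(device, &blob, client_id_ptr,
                                                              app_data_ptr, &characteristics);
    if (error != KM_ERROR_OK)
        return error;
    if (!characteristics)
        return KM_ERROR_UNKNOWN_ERROR;

    // Takes over the device-allocated characteristics so they are released on every return.
    UniquePtr<keymaster_key_characteristics_t, Characteristics_Delete> characteristics_deleter(
        characteristics);

    hw_enforced->Reinitialize(characteristics->hw_enforced);
    sw_enforced->Reinitialize(characteristics->sw_enforced);
    *key_material = blob;
    return KM_ERROR_OK;
}

// Turns a key blob into a Key object.
//
// The blob is first treated as an integrity-assured software blob, checked against the
// hidden authorizations derived from |additional_params| and softwareRootOfTrust. Only when
// that attempt reports KM_ERROR_INVALID_KEY_BLOB is the blob handed to the keymaster1 device
// as a hardware blob; any other failure is returned immediately.
//
// Returns KM_ERROR_INVALID_ARGUMENT when neither authorization list names an algorithm and
// KM_ERROR_UNSUPPORTED_ALGORITHM when no key factory exists for the algorithm.
keymaster_error_t Keymaster1PassthroughContext::ParseKeyBlob(const KeymasterKeyBlob& blob,
        const AuthorizationSet& additional_params, UniquePtr<Key>* key) const {
    AuthorizationSet hw_enforced;
    AuthorizationSet sw_enforced;
    KeymasterKeyBlob key_material;

    AuthorizationSet hidden;
    keymaster_error_t error = BuildHiddenAuthorizations(additional_params, &hidden,
                                                        softwareRootOfTrust);
    if (error != KM_ERROR_OK)
        return error;

    // Assume it's an integrity-assured blob (new software-only blob).
    error = DeserializeIntegrityAssuredBlob(blob, hidden, &key_material, &hw_enforced, &sw_enforced);
    if (error != KM_ERROR_INVALID_KEY_BLOB && error != KM_ERROR_OK)
        return error;

    if (error == KM_ERROR_INVALID_KEY_BLOB) {
        // Not a software blob: let the hardware decide whether it recognizes the key.
        error = parseKeymaster1HwBlob(km1_engine_->device(), blob, additional_params,
                                      &key_material, &hw_enforced, &sw_enforced);
        if (error != KM_ERROR_OK) return error;
    }

    // GetKeyFactory
    keymaster_algorithm_t algorithm;
    if (!hw_enforced.GetTagValue(TAG_ALGORITHM, &algorithm) &&
        !sw_enforced.GetTagValue(TAG_ALGORITHM, &algorithm)) {
        return KM_ERROR_INVALID_ARGUMENT;
    }
    auto factory = GetKeyFactory(algorithm);
    // The algorithm value comes out of the blob (or the device's answer about it), so it can
    // be one GetKeyFactory has no factory for; fail cleanly instead of dereferencing nullptr.
    if (!factory)
        return KM_ERROR_UNSUPPORTED_ALGORITHM;

    return factory->LoadKey(move(key_material), additional_params, move(hw_enforced),
                            move(sw_enforced), key);
}

// Deletes a key blob. Software blobs need no work and report KM_ERROR_OK; everything else is
// forwarded to the keymaster1 engine, and KM_ERROR_INVALID_KEY_BLOB from the engine is also
// reported as success.
keymaster_error_t Keymaster1PassthroughContext::DeleteKey(const KeymasterKeyBlob& blob) const {
    // HACK. Due to a bug with Qualcomm's Keymaster implementation, which causes the device to
    // reboot if we pass it a key blob it doesn't understand, we need to check for software
    // keys. If it looks like a software key there's nothing to do so we just return.
    // Can be removed once b/33385206 is fixed
    //
    // As the helper's name indicates, this parse skips the HMAC check: it tests the blob's
    // format, not its authenticity. Any blob that parses is treated as a software key and is
    // never sent to the hardware.
    KeymasterKeyBlob key_material;
    AuthorizationSet hw_enforced, sw_enforced;
    keymaster_error_t error = DeserializeIntegrityAssuredBlob_NoHmacCheck(
        blob, &key_material, &hw_enforced, &sw_enforced);
    if (error == KM_ERROR_OK) {
        return KM_ERROR_OK;
    }

    error = km1_engine_->DeleteKey(blob);
    if (error == KM_ERROR_INVALID_KEY_BLOB) {
        // Some implementations diagnose invalid keys.
        // However, all we care about is that the key blob, as supplied, is not usable after the
        // call.
        return KM_ERROR_OK;
    }
    return error;
}

// Forwards the request to the keymaster1 engine and returns its result.
keymaster_error_t Keymaster1PassthroughContext::DeleteAllKeys() const {
    return km1_engine_->DeleteAllKeys();
}

// Forwards |length| bytes at |buf| to the device's add_rng_entropy entry point. Neither
// argument is validated here.
keymaster_error_t Keymaster1PassthroughContext::AddRngEntropy(const uint8_t* buf,
                                                              size_t length) const {
    return device_->add_rng_entropy(device_, buf, length);
}


// This context supplies no enforcement policy object; callers receive nullptr and must
// handle it.
KeymasterEnforcement* Keymaster1PassthroughContext::enforcement_policy() {
    return nullptr;
}

// Creates an integrity-assured software key blob.
//
// The authorization lists are derived from |key_description|, |origin| and the stored OS
// version / patch level; the hidden authorizations are built from |key_description| and
// softwareRootOfTrust and bound into the serialized blob. The first failing step's error is
// returned.
keymaster_error_t Keymaster1PassthroughContext::CreateKeyBlob(const AuthorizationSet& key_description,
                                                              const keymaster_key_origin_t origin,
                                                              const KeymasterKeyBlob& key_material,
                                                              KeymasterKeyBlob* blob,
                                                              AuthorizationSet* hw_enforced,
                                                              AuthorizationSet* sw_enforced) const {
    keymaster_error_t error = SetKeyBlobAuthorizations(key_description, origin, os_version_,
                                                       os_patchlevel_, hw_enforced, sw_enforced);
    if (error != KM_ERROR_OK)
        return error;

    AuthorizationSet hidden;
    error = BuildHiddenAuthorizations(key_description, &hidden, softwareRootOfTrust);
    if (error != KM_ERROR_OK)
        return error;

    return SerializeIntegrityAssuredBlob(key_material, hidden, *hw_enforced, *sw_enforced, blob);
}

// Produces an attestation certificate chain for an RSA or EC key.
//
// Returns KM_ERROR_UNKNOWN_ERROR when the key's authorizations carry no TAG_ALGORITHM and
// KM_ERROR_INCOMPATIBLE_ALGORITHM for any algorithm other than RSA or EC. The signing key and
// chain come from getAttestationKey / getAttestationChain.
// NOTE(review): those are presumably the software attestation credentials declared in
// soft_attestation_cert.h, which would make this attestation software-rooted even for keys
// held by the keymaster1 hardware -- confirm.
keymaster_error_t Keymaster1PassthroughContext::GenerateAttestation(const Key& key,
        const AuthorizationSet& attest_params, CertChainPtr* cert_chain) const {
    keymaster_error_t error = KM_ERROR_OK;
    keymaster_algorithm_t key_algorithm;
    if (!key.authorizations().GetTagValue(TAG_ALGORITHM, &key_algorithm)) {
        return KM_ERROR_UNKNOWN_ERROR;
    }

    if (key_algorithm != KM_ALGORITHM_RSA && key_algorithm != KM_ALGORITHM_EC)
        return KM_ERROR_INCOMPATIBLE_ALGORITHM;

    // We have established that the given key has the correct algorithm, and the original
    // author assumes (the comment named SoftKeymasterContext) that the Key is therefore an
    // AsymmetricKey. So we downcast.
    // NOTE(review): the static_cast is unchecked. Confirm that every RSA/EC Key the factories
    // of this passthrough context can produce really derives from AsymmetricKey; otherwise
    // this is a type confusion.
    const AsymmetricKey& asymmetric_key = static_cast<const AsymmetricKey&>(key);

    auto attestation_chain = getAttestationChain(key_algorithm, &error);
    if (error != KM_ERROR_OK) return error;

    auto attestation_key = getAttestationKey(key_algorithm, &error);
    if (error != KM_ERROR_OK) return error;

    return generate_attestation(asymmetric_key, attest_params,
            *attestation_chain, *attestation_key, *this, cert_chain);
}

// Key unwrapping is not available in this context; always returns KM_ERROR_UNIMPLEMENTED.
keymaster_error_t Keymaster1PassthroughContext::UnwrapKey(
    const KeymasterKeyBlob&, const KeymasterKeyBlob&, const AuthorizationSet&,
    const KeymasterKeyBlob&, AuthorizationSet*, keymaster_key_format_t*, KeymasterKeyBlob*) const {
    return KM_ERROR_UNIMPLEMENTED;
}

}  // namespace keymaster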