diff --git a/keymaster/4.0/IKeymasterDevice.hal b/keymaster/4.0/IKeymasterDevice.hal index 14c9c354d0..5dac9291b6 100644 --- a/keymaster/4.0/IKeymasterDevice.hal +++ b/keymaster/4.0/IKeymasterDevice.hal @@ -274,6 +274,23 @@ interface IKeymasterDevice { * @param maskingKey The 32-byte value XOR'd with the transport key in the SecureWrappedKey * structure. * + * @param unwrappingParams must contain any parameters needed to perform the unwrapping + * operation. For example, if the wrapping key is an AES key the block and padding modes + * must be specified in this argument. + * + * @param passwordSid specifies the password secure ID (SID) of the user that owns the key being + * installed. If the authorization list in wrappedKeyData contains a Tag::USER_SECURE_ID + * with a value that has the HardwareAuthenticatorType::PASSWORD bit set, the constructed + * key must be bound to the SID value provided by this argument. If the wrappedKeyData + * does not contain such a tag and value, this argument must be ignored. + * + * @param biometricSid specifies the biometric secure ID (SID) of the user that owns the key + * being installed. If the authorization list in wrappedKeyData contains a + * Tag::USER_SECURE_ID with a value that has the HardwareAuthenticatorType::FINGERPRINT + * bit set, the constructed key must be bound to the SID value provided by this argument. + * If the wrappedKeyData does not contain such a tag and value, this argument must be + * ignored. + * * @return error See the ErrorCode enum. * * @return keyBlob Opaque descriptor of the imported key. It is recommended that the keyBlob @@ -281,8 +298,9 @@ interface IKeymasterDevice { * hardware. */ importWrappedKey(vec wrappedKeyData, vec wrappingKeyBlob, - vec maskingKey) - generates (ErrorCode error, vec keyBlob, KeyCharacteristics keyCharacteristics); + vec maskingKey, vec unwrappingParams, + uint64_t passwordSid, uint64_t biometricSid) + generates(ErrorCode error, vec keyBlob, KeyCharacteristics keyCharacteristics); /** * Returns the characteristics of the specified key, if the keyBlob is valid (implementations diff --git a/keymaster/4.0/support/include/keymasterV4_0/Keymaster3.h b/keymaster/4.0/support/include/keymasterV4_0/Keymaster3.h index 051e5700ac..4054620b61 100644 --- a/keymaster/4.0/support/include/keymasterV4_0/Keymaster3.h +++ b/keymaster/4.0/support/include/keymasterV4_0/Keymaster3.h @@ -74,8 +74,12 @@ class Keymaster3 : public Keymaster { Return importKey(const hidl_vec& params, KeyFormat keyFormat, const hidl_vec& keyData, importKey_cb _hidl_cb) override; - Return importWrappedKey(const hidl_vec&, const hidl_vec&, - const hidl_vec&, importWrappedKey_cb _hidl_cb) { + Return importWrappedKey(const hidl_vec& /* wrappedKeyData */, + const hidl_vec& /* wrappingKeyBlob */, + const hidl_vec& /* maskingKey */, + const hidl_vec& /* unwrappingParams */, + uint64_t /* passwordSid */, uint64_t /* biometricSid */, + importWrappedKey_cb _hidl_cb) { _hidl_cb(ErrorCode::UNIMPLEMENTED, {}, {}); return Void(); } diff --git a/keymaster/4.0/support/include/keymasterV4_0/Keymaster4.h b/keymaster/4.0/support/include/keymasterV4_0/Keymaster4.h index ffddcac2d6..86ef4f8554 100644 --- a/keymaster/4.0/support/include/keymasterV4_0/Keymaster4.h +++ b/keymaster/4.0/support/include/keymasterV4_0/Keymaster4.h @@ -81,8 +81,11 @@ class Keymaster4 : public Keymaster { Return importWrappedKey(const hidl_vec& wrappedKeyData, const hidl_vec& wrappingKeyBlob, const hidl_vec& maskingKey, + const hidl_vec& unwrappingParams, + uint64_t passwordSid, uint64_t biometricSid, importWrappedKey_cb _hidl_cb) { - return dev_->importWrappedKey(wrappedKeyData, wrappingKeyBlob, maskingKey, _hidl_cb); + return dev_->importWrappedKey(wrappedKeyData, wrappingKeyBlob, maskingKey, unwrappingParams, + passwordSid, biometricSid, _hidl_cb); } Return exportKey(KeyFormat exportFormat, const hidl_vec& keyBlob, diff --git a/keymaster/4.0/vts/functional/KeymasterHidlTest.cpp b/keymaster/4.0/vts/functional/KeymasterHidlTest.cpp index 13b6b2f7d7..37d8c4251f 100644 --- a/keymaster/4.0/vts/functional/KeymasterHidlTest.cpp +++ b/keymaster/4.0/vts/functional/KeymasterHidlTest.cpp @@ -137,11 +137,14 @@ ErrorCode KeymasterHidlTest::ImportKey(const AuthorizationSet& key_desc, KeyForm ErrorCode KeymasterHidlTest::ImportWrappedKey(string wrapped_key, string wrapping_key, const AuthorizationSet& wrapping_key_desc, - string masking_key) { + string masking_key, + const AuthorizationSet& unwrapping_params) { ErrorCode error; ImportKey(wrapping_key_desc, KeyFormat::PKCS8, wrapping_key); EXPECT_TRUE(keymaster_ ->importWrappedKey(HidlBuf(wrapped_key), key_blob_, HidlBuf(masking_key), + unwrapping_params.hidl_data(), 0 /* passwordSid */, + 0 /* biometricSid */, [&](ErrorCode hidl_error, const HidlBuf& hidl_key_blob, const KeyCharacteristics& hidl_key_characteristics) { error = hidl_error; diff --git a/keymaster/4.0/vts/functional/KeymasterHidlTest.h b/keymaster/4.0/vts/functional/KeymasterHidlTest.h index 0c73f05bfd..3e84bfd388 100644 --- a/keymaster/4.0/vts/functional/KeymasterHidlTest.h +++ b/keymaster/4.0/vts/functional/KeymasterHidlTest.h @@ -116,7 +116,8 @@ class KeymasterHidlTest : public ::testing::VtsHalHidlTargetTestBase { const string& key_material); ErrorCode ImportWrappedKey(string wrapped_key, string wrapping_key, - const AuthorizationSet& wrapping_key_desc, string masking_key); + const AuthorizationSet& wrapping_key_desc, string masking_key, + const AuthorizationSet& unwrapping_params); ErrorCode ExportKey(KeyFormat format, const HidlBuf& key_blob, const HidlBuf& client_id, const HidlBuf& app_data, HidlBuf* key_material); diff --git a/keymaster/4.0/vts/functional/keymaster_hidl_hal_test.cpp b/keymaster/4.0/vts/functional/keymaster_hidl_hal_test.cpp index cb6ade287e..49090e8191 100644 --- a/keymaster/4.0/vts/functional/keymaster_hidl_hal_test.cpp +++ b/keymaster/4.0/vts/functional/keymaster_hidl_hal_test.cpp @@ -1943,7 +1943,9 @@ TEST_F(ImportWrappedKeyTest, Success) { .Authorization(TAG_PURPOSE, KeyPurpose::WRAP_KEY); ASSERT_EQ(ErrorCode::OK, - ImportWrappedKey(wrapped_key, wrapping_key, wrapping_key_desc, zero_masking_key)); + ImportWrappedKey( + wrapped_key, wrapping_key, wrapping_key_desc, zero_masking_key, + AuthorizationSetBuilder().Digest(Digest::SHA1).Padding(PaddingMode::RSA_OAEP))); string message = "Hello World!"; auto params = AuthorizationSetBuilder().BlockMode(BlockMode::ECB).Padding(PaddingMode::PKCS7); @@ -1960,7 +1962,9 @@ TEST_F(ImportWrappedKeyTest, SuccessMasked) { .Authorization(TAG_PURPOSE, KeyPurpose::WRAP_KEY); ASSERT_EQ(ErrorCode::OK, - ImportWrappedKey(wrapped_key_masked, wrapping_key, wrapping_key_desc, masking_key)); + ImportWrappedKey( + wrapped_key_masked, wrapping_key, wrapping_key_desc, masking_key, + AuthorizationSetBuilder().Digest(Digest::SHA1).Padding(PaddingMode::RSA_OAEP))); } TEST_F(ImportWrappedKeyTest, WrongMask) { @@ -1970,9 +1974,10 @@ TEST_F(ImportWrappedKeyTest, WrongMask) { .Padding(PaddingMode::RSA_OAEP) .Authorization(TAG_PURPOSE, KeyPurpose::WRAP_KEY); - ASSERT_EQ( - ErrorCode::VERIFICATION_FAILED, - ImportWrappedKey(wrapped_key_masked, wrapping_key, wrapping_key_desc, zero_masking_key)); + ASSERT_EQ(ErrorCode::VERIFICATION_FAILED, + ImportWrappedKey( + wrapped_key_masked, wrapping_key, wrapping_key_desc, zero_masking_key, + AuthorizationSetBuilder().Digest(Digest::SHA1).Padding(PaddingMode::RSA_OAEP))); } TEST_F(ImportWrappedKeyTest, WrongPurpose) { @@ -1981,9 +1986,10 @@ TEST_F(ImportWrappedKeyTest, WrongPurpose) { .Digest(Digest::SHA1) .Padding(PaddingMode::RSA_OAEP); - ASSERT_EQ( - ErrorCode::INCOMPATIBLE_PURPOSE, - ImportWrappedKey(wrapped_key_masked, wrapping_key, wrapping_key_desc, zero_masking_key)); + ASSERT_EQ(ErrorCode::INCOMPATIBLE_PURPOSE, + ImportWrappedKey( + wrapped_key_masked, wrapping_key, wrapping_key_desc, zero_masking_key, + AuthorizationSetBuilder().Digest(Digest::SHA1).Padding(PaddingMode::RSA_OAEP))); } typedef KeymasterHidlTest EncryptionOperationsTest;