Clang-format Keymaster.{cpp|h} and KeyStorage.{cpp|h}
Test: Build & boot Change-Id: I92bb107409f493770028cf6fd637d34af7644262
This commit is contained in:
parent
71cd43f434
commit
785365b2f7
3 changed files with 73 additions and 84 deletions
|
@ -41,7 +41,6 @@
|
||||||
|
|
||||||
#include <hardware/hw_auth_token.h>
|
#include <hardware/hw_auth_token.h>
|
||||||
|
|
||||||
|
|
||||||
extern "C" {
|
extern "C" {
|
||||||
|
|
||||||
#include "crypto_scrypt.h"
|
#include "crypto_scrypt.h"
|
||||||
|
@ -63,7 +62,7 @@ static constexpr size_t SALT_BYTES = 1 << 4;
|
||||||
static constexpr size_t SECDISCARDABLE_BYTES = 1 << 14;
|
static constexpr size_t SECDISCARDABLE_BYTES = 1 << 14;
|
||||||
static constexpr size_t STRETCHED_BYTES = 1 << 6;
|
static constexpr size_t STRETCHED_BYTES = 1 << 6;
|
||||||
|
|
||||||
static constexpr uint32_t AUTH_TIMEOUT = 30; // Seconds
|
static constexpr uint32_t AUTH_TIMEOUT = 30; // Seconds
|
||||||
|
|
||||||
static const char* kCurrentVersion = "1";
|
static const char* kCurrentVersion = "1";
|
||||||
static const char* kRmPath = "/system/bin/rm";
|
static const char* kRmPath = "/system/bin/rm";
|
||||||
|
@ -131,8 +130,7 @@ static bool generateKeymasterKey(Keymaster& keymaster, const KeyAuthentication&
|
||||||
return keymaster.generateKey(paramBuilder, key);
|
return keymaster.generateKey(paramBuilder, key);
|
||||||
}
|
}
|
||||||
|
|
||||||
static AuthorizationSet beginParams(const KeyAuthentication& auth,
|
static AuthorizationSet beginParams(const KeyAuthentication& auth, const std::string& appId) {
|
||||||
const std::string& appId) {
|
|
||||||
auto paramBuilder = AuthorizationSetBuilder()
|
auto paramBuilder = AuthorizationSetBuilder()
|
||||||
.Authorization(TAG_BLOCK_MODE, BlockMode::GCM)
|
.Authorization(TAG_BLOCK_MODE, BlockMode::GCM)
|
||||||
.Authorization(TAG_MAC_LENGTH, GCM_MAC_BYTES * 8)
|
.Authorization(TAG_MAC_LENGTH, GCM_MAC_BYTES * 8)
|
||||||
|
@ -204,10 +202,8 @@ bool readSecdiscardable(const std::string& filename, std::string* hash) {
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
|
|
||||||
static KeymasterOperation begin(Keymaster& keymaster, const std::string& dir,
|
static KeymasterOperation begin(Keymaster& keymaster, const std::string& dir, KeyPurpose purpose,
|
||||||
KeyPurpose purpose,
|
const AuthorizationSet& keyParams, const AuthorizationSet& opParams,
|
||||||
const AuthorizationSet &keyParams,
|
|
||||||
const AuthorizationSet &opParams,
|
|
||||||
AuthorizationSet* outParams) {
|
AuthorizationSet* outParams) {
|
||||||
auto kmKeyPath = dir + "/" + kFn_keymaster_key_blob;
|
auto kmKeyPath = dir + "/" + kFn_keymaster_key_blob;
|
||||||
std::string kmKey;
|
std::string kmKey;
|
||||||
|
@ -238,8 +234,8 @@ static KeymasterOperation begin(Keymaster& keymaster, const std::string& dir,
|
||||||
}
|
}
|
||||||
|
|
||||||
static bool encryptWithKeymasterKey(Keymaster& keymaster, const std::string& dir,
|
static bool encryptWithKeymasterKey(Keymaster& keymaster, const std::string& dir,
|
||||||
const AuthorizationSet &keyParams,
|
const AuthorizationSet& keyParams, const KeyBuffer& message,
|
||||||
const KeyBuffer& message, std::string* ciphertext) {
|
std::string* ciphertext) {
|
||||||
AuthorizationSet opParams;
|
AuthorizationSet opParams;
|
||||||
AuthorizationSet outParams;
|
AuthorizationSet outParams;
|
||||||
auto opHandle = begin(keymaster, dir, KeyPurpose::ENCRYPT, keyParams, opParams, &outParams);
|
auto opHandle = begin(keymaster, dir, KeyPurpose::ENCRYPT, keyParams, opParams, &outParams);
|
||||||
|
@ -250,7 +246,8 @@ static bool encryptWithKeymasterKey(Keymaster& keymaster, const std::string& dir
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
// nonceBlob here is just a pointer into existing data, must not be freed
|
// nonceBlob here is just a pointer into existing data, must not be freed
|
||||||
std::string nonce(reinterpret_cast<const char*>(&nonceBlob.value()[0]), nonceBlob.value().size());
|
std::string nonce(reinterpret_cast<const char*>(&nonceBlob.value()[0]),
|
||||||
|
nonceBlob.value().size());
|
||||||
if (!checkSize("nonce", nonce.size(), GCM_NONCE_BYTES)) return false;
|
if (!checkSize("nonce", nonce.size(), GCM_NONCE_BYTES)) return false;
|
||||||
std::string body;
|
std::string body;
|
||||||
if (!opHandle.updateCompletely(message, &body)) return false;
|
if (!opHandle.updateCompletely(message, &body)) return false;
|
||||||
|
@ -263,12 +260,11 @@ static bool encryptWithKeymasterKey(Keymaster& keymaster, const std::string& dir
|
||||||
}
|
}
|
||||||
|
|
||||||
static bool decryptWithKeymasterKey(Keymaster& keymaster, const std::string& dir,
|
static bool decryptWithKeymasterKey(Keymaster& keymaster, const std::string& dir,
|
||||||
const AuthorizationSet &keyParams,
|
const AuthorizationSet& keyParams,
|
||||||
const std::string& ciphertext, KeyBuffer* message) {
|
const std::string& ciphertext, KeyBuffer* message) {
|
||||||
auto nonce = ciphertext.substr(0, GCM_NONCE_BYTES);
|
auto nonce = ciphertext.substr(0, GCM_NONCE_BYTES);
|
||||||
auto bodyAndMac = ciphertext.substr(GCM_NONCE_BYTES);
|
auto bodyAndMac = ciphertext.substr(GCM_NONCE_BYTES);
|
||||||
auto opParams = AuthorizationSetBuilder()
|
auto opParams = AuthorizationSetBuilder().Authorization(TAG_NONCE, blob2hidlVec(nonce));
|
||||||
.Authorization(TAG_NONCE, blob2hidlVec(nonce));
|
|
||||||
auto opHandle = begin(keymaster, dir, KeyPurpose::DECRYPT, keyParams, opParams, nullptr);
|
auto opHandle = begin(keymaster, dir, KeyPurpose::DECRYPT, keyParams, opParams, nullptr);
|
||||||
if (!opHandle) return false;
|
if (!opHandle) return false;
|
||||||
if (!opHandle.updateCompletely(bodyAndMac, message)) return false;
|
if (!opHandle.updateCompletely(bodyAndMac, message)) return false;
|
||||||
|
@ -313,9 +309,9 @@ static bool stretchSecret(const std::string& stretching, const std::string& secr
|
||||||
}
|
}
|
||||||
stretched->assign(STRETCHED_BYTES, '\0');
|
stretched->assign(STRETCHED_BYTES, '\0');
|
||||||
if (crypto_scrypt(reinterpret_cast<const uint8_t*>(secret.data()), secret.size(),
|
if (crypto_scrypt(reinterpret_cast<const uint8_t*>(secret.data()), secret.size(),
|
||||||
reinterpret_cast<const uint8_t*>(salt.data()), salt.size(),
|
reinterpret_cast<const uint8_t*>(salt.data()), salt.size(), 1 << Nf,
|
||||||
1 << Nf, 1 << rf, 1 << pf,
|
1 << rf, 1 << pf, reinterpret_cast<uint8_t*>(&(*stretched)[0]),
|
||||||
reinterpret_cast<uint8_t*>(&(*stretched)[0]), stretched->size()) != 0) {
|
stretched->size()) != 0) {
|
||||||
LOG(ERROR) << "scrypt failed with params: " << stretching;
|
LOG(ERROR) << "scrypt failed with params: " << stretching;
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
@ -339,8 +335,8 @@ static void logOpensslError() {
|
||||||
LOG(ERROR) << "Openssl error: " << ERR_get_error();
|
LOG(ERROR) << "Openssl error: " << ERR_get_error();
|
||||||
}
|
}
|
||||||
|
|
||||||
static bool encryptWithoutKeymaster(const std::string& preKey,
|
static bool encryptWithoutKeymaster(const std::string& preKey, const KeyBuffer& plaintext,
|
||||||
const KeyBuffer& plaintext, std::string* ciphertext) {
|
std::string* ciphertext) {
|
||||||
std::string key;
|
std::string key;
|
||||||
hashWithPrefix(kHashPrefix_keygen, preKey, &key);
|
hashWithPrefix(kHashPrefix_keygen, preKey, &key);
|
||||||
key.resize(AES_KEY_BYTES);
|
key.resize(AES_KEY_BYTES);
|
||||||
|
@ -352,16 +348,16 @@ static bool encryptWithoutKeymaster(const std::string& preKey,
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
if (1 != EVP_EncryptInit_ex(ctx.get(), EVP_aes_256_gcm(), NULL,
|
if (1 != EVP_EncryptInit_ex(ctx.get(), EVP_aes_256_gcm(), NULL,
|
||||||
reinterpret_cast<const uint8_t*>(key.data()),
|
reinterpret_cast<const uint8_t*>(key.data()),
|
||||||
reinterpret_cast<const uint8_t*>(ciphertext->data()))) {
|
reinterpret_cast<const uint8_t*>(ciphertext->data()))) {
|
||||||
logOpensslError();
|
logOpensslError();
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
ciphertext->resize(GCM_NONCE_BYTES + plaintext.size() + GCM_MAC_BYTES);
|
ciphertext->resize(GCM_NONCE_BYTES + plaintext.size() + GCM_MAC_BYTES);
|
||||||
int outlen;
|
int outlen;
|
||||||
if (1 != EVP_EncryptUpdate(ctx.get(),
|
if (1 != EVP_EncryptUpdate(
|
||||||
reinterpret_cast<uint8_t*>(&(*ciphertext)[0] + GCM_NONCE_BYTES), &outlen,
|
ctx.get(), reinterpret_cast<uint8_t*>(&(*ciphertext)[0] + GCM_NONCE_BYTES),
|
||||||
reinterpret_cast<const uint8_t*>(plaintext.data()), plaintext.size())) {
|
&outlen, reinterpret_cast<const uint8_t*>(plaintext.data()), plaintext.size())) {
|
||||||
logOpensslError();
|
logOpensslError();
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
@ -369,8 +365,10 @@ static bool encryptWithoutKeymaster(const std::string& preKey,
|
||||||
LOG(ERROR) << "GCM ciphertext length should be " << plaintext.size() << " was " << outlen;
|
LOG(ERROR) << "GCM ciphertext length should be " << plaintext.size() << " was " << outlen;
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
if (1 != EVP_EncryptFinal_ex(ctx.get(),
|
if (1 != EVP_EncryptFinal_ex(
|
||||||
reinterpret_cast<uint8_t*>(&(*ciphertext)[0] + GCM_NONCE_BYTES + plaintext.size()), &outlen)) {
|
ctx.get(),
|
||||||
|
reinterpret_cast<uint8_t*>(&(*ciphertext)[0] + GCM_NONCE_BYTES + plaintext.size()),
|
||||||
|
&outlen)) {
|
||||||
logOpensslError();
|
logOpensslError();
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
@ -379,15 +377,16 @@ static bool encryptWithoutKeymaster(const std::string& preKey,
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
if (1 != EVP_CIPHER_CTX_ctrl(ctx.get(), EVP_CTRL_GCM_GET_TAG, GCM_MAC_BYTES,
|
if (1 != EVP_CIPHER_CTX_ctrl(ctx.get(), EVP_CTRL_GCM_GET_TAG, GCM_MAC_BYTES,
|
||||||
reinterpret_cast<uint8_t*>(&(*ciphertext)[0] + GCM_NONCE_BYTES + plaintext.size()))) {
|
reinterpret_cast<uint8_t*>(&(*ciphertext)[0] + GCM_NONCE_BYTES +
|
||||||
|
plaintext.size()))) {
|
||||||
logOpensslError();
|
logOpensslError();
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
|
|
||||||
static bool decryptWithoutKeymaster(const std::string& preKey,
|
static bool decryptWithoutKeymaster(const std::string& preKey, const std::string& ciphertext,
|
||||||
const std::string& ciphertext, KeyBuffer* plaintext) {
|
KeyBuffer* plaintext) {
|
||||||
if (ciphertext.size() < GCM_NONCE_BYTES + GCM_MAC_BYTES) {
|
if (ciphertext.size() < GCM_NONCE_BYTES + GCM_MAC_BYTES) {
|
||||||
LOG(ERROR) << "GCM ciphertext too small: " << ciphertext.size();
|
LOG(ERROR) << "GCM ciphertext too small: " << ciphertext.size();
|
||||||
return false;
|
return false;
|
||||||
|
@ -402,16 +401,16 @@ static bool decryptWithoutKeymaster(const std::string& preKey,
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
if (1 != EVP_DecryptInit_ex(ctx.get(), EVP_aes_256_gcm(), NULL,
|
if (1 != EVP_DecryptInit_ex(ctx.get(), EVP_aes_256_gcm(), NULL,
|
||||||
reinterpret_cast<const uint8_t*>(key.data()),
|
reinterpret_cast<const uint8_t*>(key.data()),
|
||||||
reinterpret_cast<const uint8_t*>(ciphertext.data()))) {
|
reinterpret_cast<const uint8_t*>(ciphertext.data()))) {
|
||||||
logOpensslError();
|
logOpensslError();
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
*plaintext = KeyBuffer(ciphertext.size() - GCM_NONCE_BYTES - GCM_MAC_BYTES);
|
*plaintext = KeyBuffer(ciphertext.size() - GCM_NONCE_BYTES - GCM_MAC_BYTES);
|
||||||
int outlen;
|
int outlen;
|
||||||
if (1 != EVP_DecryptUpdate(ctx.get(),
|
if (1 != EVP_DecryptUpdate(ctx.get(), reinterpret_cast<uint8_t*>(&(*plaintext)[0]), &outlen,
|
||||||
reinterpret_cast<uint8_t*>(&(*plaintext)[0]), &outlen,
|
reinterpret_cast<const uint8_t*>(ciphertext.data() + GCM_NONCE_BYTES),
|
||||||
reinterpret_cast<const uint8_t*>(ciphertext.data() + GCM_NONCE_BYTES), plaintext->size())) {
|
plaintext->size())) {
|
||||||
logOpensslError();
|
logOpensslError();
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
@ -420,13 +419,14 @@ static bool decryptWithoutKeymaster(const std::string& preKey,
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
if (1 != EVP_CIPHER_CTX_ctrl(ctx.get(), EVP_CTRL_GCM_SET_TAG, GCM_MAC_BYTES,
|
if (1 != EVP_CIPHER_CTX_ctrl(ctx.get(), EVP_CTRL_GCM_SET_TAG, GCM_MAC_BYTES,
|
||||||
const_cast<void *>(
|
const_cast<void*>(reinterpret_cast<const void*>(
|
||||||
reinterpret_cast<const void*>(ciphertext.data() + GCM_NONCE_BYTES + plaintext->size())))) {
|
ciphertext.data() + GCM_NONCE_BYTES + plaintext->size())))) {
|
||||||
logOpensslError();
|
logOpensslError();
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
if (1 != EVP_DecryptFinal_ex(ctx.get(),
|
if (1 != EVP_DecryptFinal_ex(ctx.get(),
|
||||||
reinterpret_cast<uint8_t*>(&(*plaintext)[0] + plaintext->size()), &outlen)) {
|
reinterpret_cast<uint8_t*>(&(*plaintext)[0] + plaintext->size()),
|
||||||
|
&outlen)) {
|
||||||
logOpensslError();
|
logOpensslError();
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
@ -519,7 +519,8 @@ bool retrieveKey(const std::string& dir, const KeyAuthentication& auth, KeyBuffe
|
||||||
Keymaster keymaster;
|
Keymaster keymaster;
|
||||||
if (!keymaster) return false;
|
if (!keymaster) return false;
|
||||||
auto keyParams = beginParams(auth, appId);
|
auto keyParams = beginParams(auth, appId);
|
||||||
if (!decryptWithKeymasterKey(keymaster, dir, keyParams, encryptedMessage, key)) return false;
|
if (!decryptWithKeymasterKey(keymaster, dir, keyParams, encryptedMessage, key))
|
||||||
|
return false;
|
||||||
} else {
|
} else {
|
||||||
if (!decryptWithoutKeymaster(appId, encryptedMessage, key)) return false;
|
if (!decryptWithoutKeymaster(appId, encryptedMessage, key)) return false;
|
||||||
}
|
}
|
||||||
|
@ -536,9 +537,7 @@ static bool deleteKey(const std::string& dir) {
|
||||||
}
|
}
|
||||||
|
|
||||||
bool runSecdiscardSingle(const std::string& file) {
|
bool runSecdiscardSingle(const std::string& file) {
|
||||||
if (ForkExecvp(
|
if (ForkExecvp(std::vector<std::string>{kSecdiscardPath, "--", file}) != 0) {
|
||||||
std::vector<std::string>{kSecdiscardPath, "--",
|
|
||||||
file}) != 0) {
|
|
||||||
LOG(ERROR) << "secdiscard failed";
|
LOG(ERROR) << "secdiscard failed";
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
|
@ -33,12 +33,12 @@ KeymasterOperation::~KeymasterOperation() {
|
||||||
}
|
}
|
||||||
|
|
||||||
bool KeymasterOperation::updateCompletely(const char* input, size_t inputLen,
|
bool KeymasterOperation::updateCompletely(const char* input, size_t inputLen,
|
||||||
const std::function<void(const char*, size_t)> consumer) {
|
const std::function<void(const char*, size_t)> consumer) {
|
||||||
uint32_t inputConsumed = 0;
|
uint32_t inputConsumed = 0;
|
||||||
|
|
||||||
ErrorCode km_error;
|
ErrorCode km_error;
|
||||||
auto hidlCB = [&] (ErrorCode ret, uint32_t inputConsumedDelta,
|
auto hidlCB = [&](ErrorCode ret, uint32_t inputConsumedDelta,
|
||||||
const hidl_vec<KeyParameter>& /*ignored*/, const hidl_vec<uint8_t>& _output) {
|
const hidl_vec<KeyParameter>& /*ignored*/, const hidl_vec<uint8_t>& _output) {
|
||||||
km_error = ret;
|
km_error = ret;
|
||||||
if (km_error != ErrorCode::OK) return;
|
if (km_error != ErrorCode::OK) return;
|
||||||
inputConsumed += inputConsumedDelta;
|
inputConsumed += inputConsumedDelta;
|
||||||
|
@ -48,7 +48,7 @@ bool KeymasterOperation::updateCompletely(const char* input, size_t inputLen,
|
||||||
while (inputConsumed != inputLen) {
|
while (inputConsumed != inputLen) {
|
||||||
size_t toRead = static_cast<size_t>(inputLen - inputConsumed);
|
size_t toRead = static_cast<size_t>(inputLen - inputConsumed);
|
||||||
auto inputBlob =
|
auto inputBlob =
|
||||||
blob2hidlVec(reinterpret_cast<const uint8_t*>(&input[inputConsumed]), toRead);
|
blob2hidlVec(reinterpret_cast<const uint8_t*>(&input[inputConsumed]), toRead);
|
||||||
auto error = mDevice->update(mOpHandle, hidl_vec<KeyParameter>(), inputBlob, hidlCB);
|
auto error = mDevice->update(mOpHandle, hidl_vec<KeyParameter>(), inputBlob, hidlCB);
|
||||||
if (!error.isOk()) {
|
if (!error.isOk()) {
|
||||||
LOG(ERROR) << "update failed: " << error.description();
|
LOG(ERROR) << "update failed: " << error.description();
|
||||||
|
@ -71,15 +71,14 @@ bool KeymasterOperation::updateCompletely(const char* input, size_t inputLen,
|
||||||
|
|
||||||
bool KeymasterOperation::finish(std::string* output) {
|
bool KeymasterOperation::finish(std::string* output) {
|
||||||
ErrorCode km_error;
|
ErrorCode km_error;
|
||||||
auto hidlCb = [&] (ErrorCode ret, const hidl_vec<KeyParameter>& /*ignored*/,
|
auto hidlCb = [&](ErrorCode ret, const hidl_vec<KeyParameter>& /*ignored*/,
|
||||||
const hidl_vec<uint8_t>& _output) {
|
const hidl_vec<uint8_t>& _output) {
|
||||||
km_error = ret;
|
km_error = ret;
|
||||||
if (km_error != ErrorCode::OK) return;
|
if (km_error != ErrorCode::OK) return;
|
||||||
if (output)
|
if (output) output->assign(reinterpret_cast<const char*>(&_output[0]), _output.size());
|
||||||
output->assign(reinterpret_cast<const char*>(&_output[0]), _output.size());
|
|
||||||
};
|
};
|
||||||
auto error = mDevice->finish(mOpHandle, hidl_vec<KeyParameter>(), hidl_vec<uint8_t>(),
|
auto error = mDevice->finish(mOpHandle, hidl_vec<KeyParameter>(), hidl_vec<uint8_t>(),
|
||||||
hidl_vec<uint8_t>(), hidlCb);
|
hidl_vec<uint8_t>(), hidlCb);
|
||||||
mDevice = nullptr;
|
mDevice = nullptr;
|
||||||
if (!error.isOk()) {
|
if (!error.isOk()) {
|
||||||
LOG(ERROR) << "finish failed: " << error.description();
|
LOG(ERROR) << "finish failed: " << error.description();
|
||||||
|
@ -98,12 +97,11 @@ Keymaster::Keymaster() {
|
||||||
|
|
||||||
bool Keymaster::generateKey(const AuthorizationSet& inParams, std::string* key) {
|
bool Keymaster::generateKey(const AuthorizationSet& inParams, std::string* key) {
|
||||||
ErrorCode km_error;
|
ErrorCode km_error;
|
||||||
auto hidlCb = [&] (ErrorCode ret, const hidl_vec<uint8_t>& keyBlob,
|
auto hidlCb = [&](ErrorCode ret, const hidl_vec<uint8_t>& keyBlob,
|
||||||
const KeyCharacteristics& /*ignored*/) {
|
const KeyCharacteristics& /*ignored*/) {
|
||||||
km_error = ret;
|
km_error = ret;
|
||||||
if (km_error != ErrorCode::OK) return;
|
if (km_error != ErrorCode::OK) return;
|
||||||
if (key)
|
if (key) key->assign(reinterpret_cast<const char*>(&keyBlob[0]), keyBlob.size());
|
||||||
key->assign(reinterpret_cast<const char*>(&keyBlob[0]), keyBlob.size());
|
|
||||||
};
|
};
|
||||||
|
|
||||||
auto error = mDevice->generateKey(inParams.hidl_data(), hidlCb);
|
auto error = mDevice->generateKey(inParams.hidl_data(), hidlCb);
|
||||||
|
@ -136,12 +134,12 @@ bool Keymaster::upgradeKey(const std::string& oldKey, const AuthorizationSet& in
|
||||||
std::string* newKey) {
|
std::string* newKey) {
|
||||||
auto oldKeyBlob = blob2hidlVec(oldKey);
|
auto oldKeyBlob = blob2hidlVec(oldKey);
|
||||||
ErrorCode km_error;
|
ErrorCode km_error;
|
||||||
auto hidlCb = [&] (ErrorCode ret, const hidl_vec<uint8_t>& upgradedKeyBlob) {
|
auto hidlCb = [&](ErrorCode ret, const hidl_vec<uint8_t>& upgradedKeyBlob) {
|
||||||
km_error = ret;
|
km_error = ret;
|
||||||
if (km_error != ErrorCode::OK) return;
|
if (km_error != ErrorCode::OK) return;
|
||||||
if (newKey)
|
if (newKey)
|
||||||
newKey->assign(reinterpret_cast<const char*>(&upgradedKeyBlob[0]),
|
newKey->assign(reinterpret_cast<const char*>(&upgradedKeyBlob[0]),
|
||||||
upgradedKeyBlob.size());
|
upgradedKeyBlob.size());
|
||||||
};
|
};
|
||||||
auto error = mDevice->upgradeKey(oldKeyBlob, inParams.hidl_data(), hidlCb);
|
auto error = mDevice->upgradeKey(oldKeyBlob, inParams.hidl_data(), hidlCb);
|
||||||
if (!error.isOk()) {
|
if (!error.isOk()) {
|
||||||
|
@ -156,18 +154,16 @@ bool Keymaster::upgradeKey(const std::string& oldKey, const AuthorizationSet& in
|
||||||
}
|
}
|
||||||
|
|
||||||
KeymasterOperation Keymaster::begin(KeyPurpose purpose, const std::string& key,
|
KeymasterOperation Keymaster::begin(KeyPurpose purpose, const std::string& key,
|
||||||
const AuthorizationSet& inParams,
|
const AuthorizationSet& inParams, AuthorizationSet* outParams) {
|
||||||
AuthorizationSet* outParams) {
|
|
||||||
auto keyBlob = blob2hidlVec(key);
|
auto keyBlob = blob2hidlVec(key);
|
||||||
uint64_t mOpHandle;
|
uint64_t mOpHandle;
|
||||||
ErrorCode km_error;
|
ErrorCode km_error;
|
||||||
|
|
||||||
auto hidlCb = [&] (ErrorCode ret, const hidl_vec<KeyParameter>& _outParams,
|
auto hidlCb = [&](ErrorCode ret, const hidl_vec<KeyParameter>& _outParams,
|
||||||
uint64_t operationHandle) {
|
uint64_t operationHandle) {
|
||||||
km_error = ret;
|
km_error = ret;
|
||||||
if (km_error != ErrorCode::OK) return;
|
if (km_error != ErrorCode::OK) return;
|
||||||
if (outParams)
|
if (outParams) *outParams = _outParams;
|
||||||
*outParams = _outParams;
|
|
||||||
mOpHandle = operationHandle;
|
mOpHandle = operationHandle;
|
||||||
};
|
};
|
||||||
|
|
||||||
|
@ -184,9 +180,9 @@ KeymasterOperation Keymaster::begin(KeyPurpose purpose, const std::string& key,
|
||||||
}
|
}
|
||||||
bool Keymaster::isSecure() {
|
bool Keymaster::isSecure() {
|
||||||
bool _isSecure = false;
|
bool _isSecure = false;
|
||||||
auto rc = mDevice->getHardwareFeatures(
|
auto rc =
|
||||||
[&] (bool isSecure, bool, bool, bool, bool, const hidl_string&, const hidl_string&) {
|
mDevice->getHardwareFeatures([&](bool isSecure, bool, bool, bool, bool, const hidl_string&,
|
||||||
_isSecure = isSecure; });
|
const hidl_string&) { _isSecure = isSecure; });
|
||||||
return rc.isOk() && _isSecure;
|
return rc.isOk() && _isSecure;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -298,7 +294,8 @@ KeymasterSignResult keymaster_sign_object_for_cryptfs_scrypt(
|
||||||
if (op.errorCode() == ErrorCode::KEY_RATE_LIMIT_EXCEEDED) {
|
if (op.errorCode() == ErrorCode::KEY_RATE_LIMIT_EXCEEDED) {
|
||||||
sleep(ratelimit);
|
sleep(ratelimit);
|
||||||
continue;
|
continue;
|
||||||
} else break;
|
} else
|
||||||
|
break;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (op.errorCode() == ErrorCode::KEY_REQUIRES_UPGRADE) {
|
if (op.errorCode() == ErrorCode::KEY_REQUIRES_UPGRADE) {
|
||||||
|
@ -318,7 +315,8 @@ KeymasterSignResult keymaster_sign_object_for_cryptfs_scrypt(
|
||||||
}
|
}
|
||||||
|
|
||||||
if (!op.finish(&output)) {
|
if (!op.finish(&output)) {
|
||||||
LOG(ERROR) << "Error finalizing keymaster signature transaction: " << int32_t(op.errorCode());
|
LOG(ERROR) << "Error finalizing keymaster signature transaction: "
|
||||||
|
<< int32_t(op.errorCode());
|
||||||
return KeymasterSignResult::error;
|
return KeymasterSignResult::error;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
26
Keymaster.h
26
Keymaster.h
|
@ -23,8 +23,8 @@
|
||||||
#include <string>
|
#include <string>
|
||||||
#include <utility>
|
#include <utility>
|
||||||
|
|
||||||
#include <android/hardware/keymaster/3.0/IKeymasterDevice.h>
|
|
||||||
#include <android-base/macros.h>
|
#include <android-base/macros.h>
|
||||||
|
#include <android/hardware/keymaster/3.0/IKeymasterDevice.h>
|
||||||
|
|
||||||
#include "authorization_set.h"
|
#include "authorization_set.h"
|
||||||
|
|
||||||
|
@ -56,7 +56,7 @@ class KeymasterOperation {
|
||||||
bool updateCompletely(TI& input, TO* output) {
|
bool updateCompletely(TI& input, TO* output) {
|
||||||
if (output) output->clear();
|
if (output) output->clear();
|
||||||
return updateCompletely(input.data(), input.size(), [&](const char* b, size_t n) {
|
return updateCompletely(input.data(), input.size(), [&](const char* b, size_t n) {
|
||||||
if (output) std::copy(b, b+n, std::back_inserter(*output));
|
if (output) std::copy(b, b + n, std::back_inserter(*output));
|
||||||
});
|
});
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -69,11 +69,9 @@ class KeymasterOperation {
|
||||||
mError = std::move(rhs.mError);
|
mError = std::move(rhs.mError);
|
||||||
}
|
}
|
||||||
// Construct an object in an error state for error returns
|
// Construct an object in an error state for error returns
|
||||||
KeymasterOperation()
|
KeymasterOperation() : mDevice{nullptr}, mOpHandle{0}, mError{ErrorCode::UNKNOWN_ERROR} {}
|
||||||
: mDevice{nullptr}, mOpHandle{0},
|
|
||||||
mError {ErrorCode::UNKNOWN_ERROR} {}
|
|
||||||
// Move Assignment
|
// Move Assignment
|
||||||
KeymasterOperation& operator= (KeymasterOperation&& rhs) {
|
KeymasterOperation& operator=(KeymasterOperation&& rhs) {
|
||||||
mDevice = std::move(rhs.mDevice);
|
mDevice = std::move(rhs.mDevice);
|
||||||
mOpHandle = std::move(rhs.mOpHandle);
|
mOpHandle = std::move(rhs.mOpHandle);
|
||||||
mError = std::move(rhs.mError);
|
mError = std::move(rhs.mError);
|
||||||
|
@ -84,10 +82,8 @@ class KeymasterOperation {
|
||||||
|
|
||||||
private:
|
private:
|
||||||
KeymasterOperation(const sp<IKeymasterDevice>& d, uint64_t h)
|
KeymasterOperation(const sp<IKeymasterDevice>& d, uint64_t h)
|
||||||
: mDevice{d}, mOpHandle{h}, mError {ErrorCode::OK} {}
|
: mDevice{d}, mOpHandle{h}, mError{ErrorCode::OK} {}
|
||||||
KeymasterOperation(ErrorCode error)
|
KeymasterOperation(ErrorCode error) : mDevice{nullptr}, mOpHandle{0}, mError{error} {}
|
||||||
: mDevice{nullptr}, mOpHandle{0},
|
|
||||||
mError {error} {}
|
|
||||||
|
|
||||||
bool updateCompletely(const char* input, size_t inputLen,
|
bool updateCompletely(const char* input, size_t inputLen,
|
||||||
const std::function<void(const char*, size_t)> consumer);
|
const std::function<void(const char*, size_t)> consumer);
|
||||||
|
@ -146,12 +142,9 @@ enum class KeymasterSignResult {
|
||||||
};
|
};
|
||||||
|
|
||||||
int keymaster_compatibility_cryptfs_scrypt();
|
int keymaster_compatibility_cryptfs_scrypt();
|
||||||
int keymaster_create_key_for_cryptfs_scrypt(uint32_t rsa_key_size,
|
int keymaster_create_key_for_cryptfs_scrypt(uint32_t rsa_key_size, uint64_t rsa_exponent,
|
||||||
uint64_t rsa_exponent,
|
uint32_t ratelimit, uint8_t* key_buffer,
|
||||||
uint32_t ratelimit,
|
uint32_t key_buffer_size, uint32_t* key_out_size);
|
||||||
uint8_t* key_buffer,
|
|
||||||
uint32_t key_buffer_size,
|
|
||||||
uint32_t* key_out_size);
|
|
||||||
|
|
||||||
int keymaster_upgrade_key_for_cryptfs_scrypt(uint32_t rsa_key_size, uint64_t rsa_exponent,
|
int keymaster_upgrade_key_for_cryptfs_scrypt(uint32_t rsa_key_size, uint64_t rsa_exponent,
|
||||||
uint32_t ratelimit, const uint8_t* key_blob,
|
uint32_t ratelimit, const uint8_t* key_blob,
|
||||||
|
@ -162,5 +155,4 @@ KeymasterSignResult keymaster_sign_object_for_cryptfs_scrypt(
|
||||||
const uint8_t* key_blob, size_t key_blob_size, uint32_t ratelimit, const uint8_t* object,
|
const uint8_t* key_blob, size_t key_blob_size, uint32_t ratelimit, const uint8_t* object,
|
||||||
const size_t object_size, uint8_t** signature_buffer, size_t* signature_buffer_size);
|
const size_t object_size, uint8_t** signature_buffer, size_t* signature_buffer_size);
|
||||||
|
|
||||||
|
|
||||||
#endif
|
#endif
|
||||||
|
|
Loading…
Reference in a new issue