Port to binder based keymaster hal
Bug: 32020919 Change-Id: If45ece76fdaf4d2c80eddc537e429633e4d42f9d
This commit is contained in:
parent
7ec25c715f
commit
8e537b8002
4 changed files with 173 additions and 265 deletions
|
@ -53,10 +53,11 @@ common_shared_libraries := \
|
|||
libselinux \
|
||||
libutils \
|
||||
libhardware \
|
||||
libsoftkeymaster \
|
||||
libbase \
|
||||
libsoftkeymasterdevice \
|
||||
libkeymaster_messages \
|
||||
libhwbinder \
|
||||
libhidlbase \
|
||||
android.hardware.keymaster@3.0 \
|
||||
libkeystore_binder
|
||||
|
||||
common_static_libraries := \
|
||||
libbootloader_message \
|
||||
|
|
|
@ -38,7 +38,8 @@
|
|||
|
||||
#include <hardware/hw_auth_token.h>
|
||||
|
||||
#include <keymaster/authorization_set.h>
|
||||
#include <keystore/authorization_set.h>
|
||||
#include <keystore/keystore_hidl_support.h>
|
||||
|
||||
extern "C" {
|
||||
|
||||
|
@ -47,6 +48,7 @@ extern "C" {
|
|||
|
||||
namespace android {
|
||||
namespace vold {
|
||||
using namespace keystore;
|
||||
|
||||
const KeyAuthentication kEmptyAuthentication{"", ""};
|
||||
|
||||
|
@ -100,15 +102,15 @@ static std::string hashSecdiscardable(const std::string& secdiscardable) {
|
|||
|
||||
static bool generateKeymasterKey(Keymaster& keymaster, const KeyAuthentication& auth,
|
||||
const std::string& appId, std::string* key) {
|
||||
auto paramBuilder = keymaster::AuthorizationSetBuilder()
|
||||
auto paramBuilder = AuthorizationSetBuilder()
|
||||
.AesEncryptionKey(AES_KEY_BYTES * 8)
|
||||
.Authorization(keymaster::TAG_BLOCK_MODE, KM_MODE_GCM)
|
||||
.Authorization(keymaster::TAG_MIN_MAC_LENGTH, GCM_MAC_BYTES * 8)
|
||||
.Authorization(keymaster::TAG_PADDING, KM_PAD_NONE);
|
||||
addStringParam(¶mBuilder, keymaster::TAG_APPLICATION_ID, appId);
|
||||
.Authorization(TAG_BLOCK_MODE, BlockMode::GCM)
|
||||
.Authorization(TAG_MIN_MAC_LENGTH, GCM_MAC_BYTES * 8)
|
||||
.Authorization(TAG_PADDING, PaddingMode::NONE)
|
||||
.Authorization(TAG_APPLICATION_ID, blob2hidlVec(appId));
|
||||
if (auth.token.empty()) {
|
||||
LOG(DEBUG) << "Creating key that doesn't need auth token";
|
||||
paramBuilder.Authorization(keymaster::TAG_NO_AUTH_REQUIRED);
|
||||
paramBuilder.Authorization(TAG_NO_AUTH_REQUIRED);
|
||||
} else {
|
||||
LOG(DEBUG) << "Auth token required for key";
|
||||
if (auth.token.size() != sizeof(hw_auth_token_t)) {
|
||||
|
@ -117,25 +119,25 @@ static bool generateKeymasterKey(Keymaster& keymaster, const KeyAuthentication&
|
|||
return false;
|
||||
}
|
||||
const hw_auth_token_t* at = reinterpret_cast<const hw_auth_token_t*>(auth.token.data());
|
||||
paramBuilder.Authorization(keymaster::TAG_USER_SECURE_ID, at->user_id);
|
||||
paramBuilder.Authorization(keymaster::TAG_USER_AUTH_TYPE, HW_AUTH_PASSWORD);
|
||||
paramBuilder.Authorization(keymaster::TAG_AUTH_TIMEOUT, AUTH_TIMEOUT);
|
||||
paramBuilder.Authorization(TAG_USER_SECURE_ID, at->user_id);
|
||||
paramBuilder.Authorization(TAG_USER_AUTH_TYPE, HardwareAuthenticatorType::PASSWORD);
|
||||
paramBuilder.Authorization(TAG_AUTH_TIMEOUT, AUTH_TIMEOUT);
|
||||
}
|
||||
return keymaster.generateKey(paramBuilder.build(), key);
|
||||
return keymaster.generateKey(paramBuilder, key);
|
||||
}
|
||||
|
||||
static keymaster::AuthorizationSet beginParams(const KeyAuthentication& auth,
|
||||
static AuthorizationSet beginParams(const KeyAuthentication& auth,
|
||||
const std::string& appId) {
|
||||
auto paramBuilder = keymaster::AuthorizationSetBuilder()
|
||||
.Authorization(keymaster::TAG_BLOCK_MODE, KM_MODE_GCM)
|
||||
.Authorization(keymaster::TAG_MAC_LENGTH, GCM_MAC_BYTES * 8)
|
||||
.Authorization(keymaster::TAG_PADDING, KM_PAD_NONE);
|
||||
addStringParam(¶mBuilder, keymaster::TAG_APPLICATION_ID, appId);
|
||||
auto paramBuilder = AuthorizationSetBuilder()
|
||||
.Authorization(TAG_BLOCK_MODE, BlockMode::GCM)
|
||||
.Authorization(TAG_MAC_LENGTH, GCM_MAC_BYTES * 8)
|
||||
.Authorization(TAG_PADDING, PaddingMode::NONE)
|
||||
.Authorization(TAG_APPLICATION_ID, blob2hidlVec(appId));
|
||||
if (!auth.token.empty()) {
|
||||
LOG(DEBUG) << "Supplying auth token to Keymaster";
|
||||
addStringParam(¶mBuilder, keymaster::TAG_AUTH_TOKEN, auth.token);
|
||||
paramBuilder.Authorization(TAG_AUTH_TOKEN, blob2hidlVec(auth.token));
|
||||
}
|
||||
return paramBuilder.build();
|
||||
return paramBuilder;
|
||||
}
|
||||
|
||||
static bool readFileToString(const std::string& filename, std::string* result) {
|
||||
|
@ -155,22 +157,21 @@ static bool writeStringToFile(const std::string& payload, const std::string& fil
|
|||
}
|
||||
|
||||
static KeymasterOperation begin(Keymaster& keymaster, const std::string& dir,
|
||||
keymaster_purpose_t purpose,
|
||||
const keymaster::AuthorizationSet &keyParams,
|
||||
const keymaster::AuthorizationSet &opParams,
|
||||
keymaster::AuthorizationSet* outParams) {
|
||||
KeyPurpose purpose,
|
||||
const AuthorizationSet &keyParams,
|
||||
const AuthorizationSet &opParams,
|
||||
AuthorizationSet* outParams) {
|
||||
auto kmKeyPath = dir + "/" + kFn_keymaster_key_blob;
|
||||
std::string kmKey;
|
||||
if (!readFileToString(kmKeyPath, &kmKey)) return KeymasterOperation();
|
||||
keymaster::AuthorizationSet inParams;
|
||||
inParams.push_back(keyParams);
|
||||
inParams.push_back(opParams);
|
||||
AuthorizationSet inParams(keyParams);
|
||||
inParams.append(opParams.begin(), opParams.end());
|
||||
for (;;) {
|
||||
auto opHandle = keymaster.begin(purpose, kmKey, inParams, outParams);
|
||||
if (opHandle) {
|
||||
return opHandle;
|
||||
}
|
||||
if (opHandle.error() != KM_ERROR_KEY_REQUIRES_UPGRADE) return opHandle;
|
||||
if (opHandle.error() != ErrorCode::KEY_REQUIRES_UPGRADE) return opHandle;
|
||||
LOG(DEBUG) << "Upgrading key: " << dir;
|
||||
std::string newKey;
|
||||
if (!keymaster.upgradeKey(kmKey, keyParams, &newKey)) return KeymasterOperation();
|
||||
|
@ -189,19 +190,19 @@ static KeymasterOperation begin(Keymaster& keymaster, const std::string& dir,
|
|||
}
|
||||
|
||||
static bool encryptWithKeymasterKey(Keymaster& keymaster, const std::string& dir,
|
||||
const keymaster::AuthorizationSet &keyParams,
|
||||
const AuthorizationSet &keyParams,
|
||||
const std::string& message, std::string* ciphertext) {
|
||||
keymaster::AuthorizationSet opParams;
|
||||
keymaster::AuthorizationSet outParams;
|
||||
auto opHandle = begin(keymaster, dir, KM_PURPOSE_ENCRYPT, keyParams, opParams, &outParams);
|
||||
AuthorizationSet opParams;
|
||||
AuthorizationSet outParams;
|
||||
auto opHandle = begin(keymaster, dir, KeyPurpose::ENCRYPT, keyParams, opParams, &outParams);
|
||||
if (!opHandle) return false;
|
||||
keymaster_blob_t nonceBlob;
|
||||
if (!outParams.GetTagValue(keymaster::TAG_NONCE, &nonceBlob)) {
|
||||
auto nonceBlob = outParams.GetTagValue(TAG_NONCE);
|
||||
if (!nonceBlob.isOk()) {
|
||||
LOG(ERROR) << "GCM encryption but no nonce generated";
|
||||
return false;
|
||||
}
|
||||
// nonceBlob here is just a pointer into existing data, must not be freed
|
||||
std::string nonce(reinterpret_cast<const char*>(nonceBlob.data), nonceBlob.data_length);
|
||||
std::string nonce(reinterpret_cast<const char*>(&nonceBlob.value()[0]), nonceBlob.value().size());
|
||||
if (!checkSize("nonce", nonce.size(), GCM_NONCE_BYTES)) return false;
|
||||
std::string body;
|
||||
if (!opHandle.updateCompletely(message, &body)) return false;
|
||||
|
@ -214,13 +215,13 @@ static bool encryptWithKeymasterKey(Keymaster& keymaster, const std::string& dir
|
|||
}
|
||||
|
||||
static bool decryptWithKeymasterKey(Keymaster& keymaster, const std::string& dir,
|
||||
const keymaster::AuthorizationSet &keyParams,
|
||||
const AuthorizationSet &keyParams,
|
||||
const std::string& ciphertext, std::string* message) {
|
||||
auto nonce = ciphertext.substr(0, GCM_NONCE_BYTES);
|
||||
auto bodyAndMac = ciphertext.substr(GCM_NONCE_BYTES);
|
||||
auto opParams = addStringParam(keymaster::AuthorizationSetBuilder(),
|
||||
keymaster::TAG_NONCE, nonce).build();
|
||||
auto opHandle = begin(keymaster, dir, KM_PURPOSE_DECRYPT, keyParams, opParams, nullptr);
|
||||
auto opParams = AuthorizationSetBuilder()
|
||||
.Authorization(TAG_NONCE, blob2hidlVec(nonce));
|
||||
auto opHandle = begin(keymaster, dir, KeyPurpose::DECRYPT, keyParams, opParams, nullptr);
|
||||
if (!opHandle) return false;
|
||||
if (!opHandle.updateCompletely(bodyAndMac, message)) return false;
|
||||
if (!opHandle.finish(nullptr)) return false;
|
||||
|
|
296
Keymaster.cpp
296
Keymaster.cpp
|
@ -17,135 +17,48 @@
|
|||
#include "Keymaster.h"
|
||||
|
||||
#include <android-base/logging.h>
|
||||
#include <hardware/hardware.h>
|
||||
#include <hardware/keymaster1.h>
|
||||
#include <hardware/keymaster2.h>
|
||||
#include <keymaster/keymaster_configuration.h>
|
||||
#include <keystore/keymaster_tags.h>
|
||||
#include <keystore/authorization_set.h>
|
||||
#include <keystore/keystore_hidl_support.h>
|
||||
|
||||
using namespace ::keystore;
|
||||
|
||||
namespace android {
|
||||
namespace vold {
|
||||
|
||||
class IKeymasterDevice {
|
||||
public:
|
||||
IKeymasterDevice() {}
|
||||
virtual ~IKeymasterDevice() {}
|
||||
virtual keymaster_error_t generate_key(const keymaster_key_param_set_t* params,
|
||||
keymaster_key_blob_t* key_blob) const = 0;
|
||||
virtual keymaster_error_t delete_key(const keymaster_key_blob_t* key) const = 0;
|
||||
virtual keymaster_error_t upgrade_key(const keymaster_key_blob_t* key_to_upgrade,
|
||||
const keymaster_key_param_set_t* upgrade_params,
|
||||
keymaster_key_blob_t* upgraded_key) const = 0;
|
||||
virtual keymaster_error_t begin(keymaster_purpose_t purpose, const keymaster_key_blob_t* key,
|
||||
const keymaster_key_param_set_t* in_params,
|
||||
keymaster_key_param_set_t* out_params,
|
||||
keymaster_operation_handle_t* operation_handle) const = 0;
|
||||
virtual keymaster_error_t update(keymaster_operation_handle_t operation_handle,
|
||||
const keymaster_key_param_set_t* in_params,
|
||||
const keymaster_blob_t* input, size_t* input_consumed,
|
||||
keymaster_key_param_set_t* out_params,
|
||||
keymaster_blob_t* output) const = 0;
|
||||
virtual keymaster_error_t finish(keymaster_operation_handle_t operation_handle,
|
||||
const keymaster_key_param_set_t* in_params,
|
||||
const keymaster_blob_t* signature,
|
||||
keymaster_key_param_set_t* out_params,
|
||||
keymaster_blob_t* output) const = 0;
|
||||
virtual keymaster_error_t abort(keymaster_operation_handle_t operation_handle) const = 0;
|
||||
|
||||
protected:
|
||||
DISALLOW_COPY_AND_ASSIGN(IKeymasterDevice);
|
||||
};
|
||||
|
||||
template <typename T> class KeymasterDevice : public IKeymasterDevice {
|
||||
public:
|
||||
explicit KeymasterDevice(T* d) : mDevice{d} {}
|
||||
keymaster_error_t generate_key(const keymaster_key_param_set_t* params,
|
||||
keymaster_key_blob_t* key_blob) const override final {
|
||||
return mDevice->generate_key(mDevice, params, key_blob, nullptr);
|
||||
}
|
||||
keymaster_error_t delete_key(const keymaster_key_blob_t* key) const override final {
|
||||
if (mDevice->delete_key == nullptr) return KM_ERROR_OK;
|
||||
return mDevice->delete_key(mDevice, key);
|
||||
}
|
||||
keymaster_error_t begin(keymaster_purpose_t purpose, const keymaster_key_blob_t* key,
|
||||
const keymaster_key_param_set_t* in_params,
|
||||
keymaster_key_param_set_t* out_params,
|
||||
keymaster_operation_handle_t* operation_handle) const override final {
|
||||
return mDevice->begin(mDevice, purpose, key, in_params, out_params, operation_handle);
|
||||
}
|
||||
keymaster_error_t update(keymaster_operation_handle_t operation_handle,
|
||||
const keymaster_key_param_set_t* in_params,
|
||||
const keymaster_blob_t* input, size_t* input_consumed,
|
||||
keymaster_key_param_set_t* out_params,
|
||||
keymaster_blob_t* output) const override final {
|
||||
return mDevice->update(mDevice, operation_handle, in_params, input, input_consumed,
|
||||
out_params, output);
|
||||
}
|
||||
keymaster_error_t abort(keymaster_operation_handle_t operation_handle) const override final {
|
||||
return mDevice->abort(mDevice, operation_handle);
|
||||
}
|
||||
|
||||
protected:
|
||||
T* const mDevice;
|
||||
};
|
||||
|
||||
class Keymaster1Device : public KeymasterDevice<keymaster1_device_t> {
|
||||
public:
|
||||
explicit Keymaster1Device(keymaster1_device_t* d) : KeymasterDevice<keymaster1_device_t>{d} {}
|
||||
~Keymaster1Device() override final { keymaster1_close(mDevice); }
|
||||
keymaster_error_t upgrade_key(const keymaster_key_blob_t* key_to_upgrade,
|
||||
const keymaster_key_param_set_t* upgrade_params,
|
||||
keymaster_key_blob_t* upgraded_key) const override final {
|
||||
return KM_ERROR_UNIMPLEMENTED;
|
||||
}
|
||||
keymaster_error_t finish(keymaster_operation_handle_t operation_handle,
|
||||
const keymaster_key_param_set_t* in_params,
|
||||
const keymaster_blob_t* signature,
|
||||
keymaster_key_param_set_t* out_params,
|
||||
keymaster_blob_t* output) const override final {
|
||||
return mDevice->finish(mDevice, operation_handle, in_params, signature, out_params, output);
|
||||
}
|
||||
};
|
||||
|
||||
class Keymaster2Device : public KeymasterDevice<keymaster2_device_t> {
|
||||
public:
|
||||
explicit Keymaster2Device(keymaster2_device_t* d) : KeymasterDevice<keymaster2_device_t>{d} {}
|
||||
~Keymaster2Device() override final { keymaster2_close(mDevice); }
|
||||
keymaster_error_t upgrade_key(const keymaster_key_blob_t* key_to_upgrade,
|
||||
const keymaster_key_param_set_t* upgrade_params,
|
||||
keymaster_key_blob_t* upgraded_key) const override final {
|
||||
return mDevice->upgrade_key(mDevice, key_to_upgrade, upgrade_params, upgraded_key);
|
||||
}
|
||||
keymaster_error_t finish(keymaster_operation_handle_t operation_handle,
|
||||
const keymaster_key_param_set_t* in_params,
|
||||
const keymaster_blob_t* signature,
|
||||
keymaster_key_param_set_t* out_params,
|
||||
keymaster_blob_t* output) const override final {
|
||||
return mDevice->finish(mDevice, operation_handle, in_params, nullptr, signature, out_params,
|
||||
output);
|
||||
}
|
||||
};
|
||||
|
||||
KeymasterOperation::~KeymasterOperation() {
|
||||
if (mDevice) mDevice->abort(mOpHandle);
|
||||
if (mDevice.get()) mDevice->abort(mOpHandle);
|
||||
}
|
||||
|
||||
bool KeymasterOperation::updateCompletely(const std::string& input, std::string* output) {
|
||||
output->clear();
|
||||
auto it = input.begin();
|
||||
uint32_t inputConsumed;
|
||||
|
||||
ErrorCode km_error;
|
||||
auto hidlCB = [&] (ErrorCode ret, uint32_t _inputConsumed,
|
||||
const hidl_vec<KeyParameter>& /*ignored*/, const hidl_vec<uint8_t>& _output) {
|
||||
km_error = ret;
|
||||
if (km_error != ErrorCode::OK) return;
|
||||
inputConsumed = _inputConsumed;
|
||||
if (output)
|
||||
output->append(reinterpret_cast<const char*>(&_output[0]), _output.size());
|
||||
};
|
||||
|
||||
while (it != input.end()) {
|
||||
size_t toRead = static_cast<size_t>(input.end() - it);
|
||||
keymaster_blob_t inputBlob{reinterpret_cast<const uint8_t*>(&*it), toRead};
|
||||
keymaster_blob_t outputBlob;
|
||||
size_t inputConsumed;
|
||||
auto error =
|
||||
mDevice->update(mOpHandle, nullptr, &inputBlob, &inputConsumed, nullptr, &outputBlob);
|
||||
if (error != KM_ERROR_OK) {
|
||||
LOG(ERROR) << "update failed, code " << error;
|
||||
auto inputBlob = blob2hidlVec(reinterpret_cast<const uint8_t*>(&*it), toRead);
|
||||
auto error = mDevice->update(mOpHandle, hidl_vec<KeyParameter>(), inputBlob, hidlCB);
|
||||
if (!error.isOk()) {
|
||||
LOG(ERROR) << "update failed: " << error.description();
|
||||
mDevice = nullptr;
|
||||
return false;
|
||||
}
|
||||
if (km_error != ErrorCode::OK) {
|
||||
LOG(ERROR) << "update failed, code " << uint32_t(km_error);
|
||||
mDevice = nullptr;
|
||||
return false;
|
||||
}
|
||||
output->append(reinterpret_cast<const char*>(outputBlob.data), outputBlob.data_length);
|
||||
free(const_cast<uint8_t*>(outputBlob.data));
|
||||
if (inputConsumed > toRead) {
|
||||
LOG(ERROR) << "update reported too much input consumed";
|
||||
mDevice = nullptr;
|
||||
|
@ -157,74 +70,63 @@ bool KeymasterOperation::updateCompletely(const std::string& input, std::string*
|
|||
}
|
||||
|
||||
bool KeymasterOperation::finish(std::string* output) {
|
||||
keymaster_blob_t outputBlob;
|
||||
auto error = mDevice->finish(mOpHandle, nullptr, nullptr, nullptr,
|
||||
output ? &outputBlob : nullptr);
|
||||
ErrorCode km_error;
|
||||
auto hidlCb = [&] (ErrorCode ret, const hidl_vec<KeyParameter>& /*ignored*/,
|
||||
const hidl_vec<uint8_t>& _output) {
|
||||
km_error = ret;
|
||||
if (km_error != ErrorCode::OK) return;
|
||||
if (output)
|
||||
output->assign(reinterpret_cast<const char*>(&_output[0]), _output.size());
|
||||
};
|
||||
auto error = mDevice->finish(mOpHandle, hidl_vec<KeyParameter>(), hidl_vec<uint8_t>(),
|
||||
hidl_vec<uint8_t>(), hidlCb);
|
||||
mDevice = nullptr;
|
||||
if (error != KM_ERROR_OK) {
|
||||
LOG(ERROR) << "finish failed, code " << error;
|
||||
if (!error.isOk()) {
|
||||
LOG(ERROR) << "finish failed: " << error.description();
|
||||
return false;
|
||||
}
|
||||
if (output) {
|
||||
output->assign(reinterpret_cast<const char*>(outputBlob.data), outputBlob.data_length);
|
||||
free(const_cast<uint8_t*>(outputBlob.data));
|
||||
if (km_error != ErrorCode::OK) {
|
||||
LOG(ERROR) << "finish failed, code " << uint32_t(km_error);
|
||||
return false;
|
||||
}
|
||||
return true;
|
||||
}
|
||||
|
||||
Keymaster::Keymaster() {
|
||||
mDevice = nullptr;
|
||||
const hw_module_t* module;
|
||||
int ret = hw_get_module_by_class(KEYSTORE_HARDWARE_MODULE_ID, NULL, &module);
|
||||
if (ret != 0) {
|
||||
LOG(ERROR) << "hw_get_module_by_class returned " << ret;
|
||||
return;
|
||||
}
|
||||
LOG(DEBUG) << "module_api_version is " << module->module_api_version;
|
||||
if (module->module_api_version == KEYMASTER_MODULE_API_VERSION_1_0) {
|
||||
keymaster1_device_t* device;
|
||||
ret = keymaster1_open(module, &device);
|
||||
if (ret != 0) {
|
||||
LOG(ERROR) << "keymaster1_open returned " << ret;
|
||||
return;
|
||||
}
|
||||
mDevice = std::make_shared<Keymaster1Device>(device);
|
||||
} else if (module->module_api_version == KEYMASTER_MODULE_API_VERSION_2_0) {
|
||||
keymaster2_device_t* device;
|
||||
ret = keymaster2_open(module, &device);
|
||||
if (ret != 0) {
|
||||
LOG(ERROR) << "keymaster2_open returned " << ret;
|
||||
return;
|
||||
}
|
||||
auto error = ConfigureDevice(device);
|
||||
if (error != KM_ERROR_OK) {
|
||||
LOG(ERROR) << "ConfigureDevice returned " << error;
|
||||
return;
|
||||
}
|
||||
mDevice = std::make_shared<Keymaster2Device>(device);
|
||||
} else {
|
||||
LOG(ERROR) << "module_api_version is " << module->module_api_version;
|
||||
return;
|
||||
}
|
||||
mDevice = ::android::hardware::keymaster::V3_0::IKeymasterDevice::getService("keymaster");
|
||||
}
|
||||
|
||||
bool Keymaster::generateKey(const keymaster::AuthorizationSet& inParams, std::string* key) {
|
||||
keymaster_key_blob_t keyBlob;
|
||||
auto error = mDevice->generate_key(&inParams, &keyBlob);
|
||||
if (error != KM_ERROR_OK) {
|
||||
LOG(ERROR) << "generate_key failed, code " << error;
|
||||
bool Keymaster::generateKey(const AuthorizationSet& inParams, std::string* key) {
|
||||
ErrorCode km_error;
|
||||
auto hidlCb = [&] (ErrorCode ret, const hidl_vec<uint8_t>& keyBlob,
|
||||
const KeyCharacteristics& /*ignored*/) {
|
||||
km_error = ret;
|
||||
if (km_error != ErrorCode::OK) return;
|
||||
if (key)
|
||||
key->assign(reinterpret_cast<const char*>(&keyBlob[0]), keyBlob.size());
|
||||
};
|
||||
|
||||
auto error = mDevice->generateKey(inParams.hidl_data(), hidlCb);
|
||||
if (!error.isOk()) {
|
||||
LOG(ERROR) << "generate_key failed: " << error.description();
|
||||
return false;
|
||||
}
|
||||
if (km_error != ErrorCode::OK) {
|
||||
LOG(ERROR) << "generate_key failed, code " << int32_t(km_error);
|
||||
return false;
|
||||
}
|
||||
key->assign(reinterpret_cast<const char*>(keyBlob.key_material), keyBlob.key_material_size);
|
||||
free(const_cast<uint8_t*>(keyBlob.key_material));
|
||||
return true;
|
||||
}
|
||||
|
||||
bool Keymaster::deleteKey(const std::string& key) {
|
||||
keymaster_key_blob_t keyBlob{reinterpret_cast<const uint8_t*>(key.data()), key.size()};
|
||||
auto error = mDevice->delete_key(&keyBlob);
|
||||
if (error != KM_ERROR_OK) {
|
||||
LOG(ERROR) << "delete_key failed, code " << error;
|
||||
auto keyBlob = blob2hidlVec(key);
|
||||
auto error = mDevice->deleteKey(keyBlob);
|
||||
if (!error.isOk()) {
|
||||
LOG(ERROR) << "delete_key failed: " << error.description();
|
||||
return false;
|
||||
}
|
||||
if (ErrorCode(error) != ErrorCode::OK) {
|
||||
LOG(ERROR) << "delete_key failed, code " << uint32_t(ErrorCode(error));
|
||||
return false;
|
||||
}
|
||||
return true;
|
||||
|
@ -232,35 +134,51 @@ bool Keymaster::deleteKey(const std::string& key) {
|
|||
|
||||
bool Keymaster::upgradeKey(const std::string& oldKey, const AuthorizationSet& inParams,
|
||||
std::string* newKey) {
|
||||
keymaster_key_blob_t oldKeyBlob{reinterpret_cast<const uint8_t*>(oldKey.data()), oldKey.size()};
|
||||
keymaster_key_blob_t newKeyBlob;
|
||||
auto error = mDevice->upgrade_key(&oldKeyBlob, &inParams, &newKeyBlob);
|
||||
if (error != KM_ERROR_OK) {
|
||||
LOG(ERROR) << "upgrade_key failed, code " << error;
|
||||
auto oldKeyBlob = blob2hidlVec(oldKey);
|
||||
ErrorCode km_error;
|
||||
auto hidlCb = [&] (ErrorCode ret, const hidl_vec<uint8_t>& upgradedKeyBlob) {
|
||||
km_error = ret;
|
||||
if (km_error != ErrorCode::OK) return;
|
||||
if (newKey)
|
||||
newKey->assign(reinterpret_cast<const char*>(&upgradedKeyBlob[0]),
|
||||
upgradedKeyBlob.size());
|
||||
};
|
||||
auto error = mDevice->upgradeKey(oldKeyBlob, inParams.hidl_data(), hidlCb);
|
||||
if (!error.isOk()) {
|
||||
LOG(ERROR) << "upgrade_key failed: " << error.description();
|
||||
return false;
|
||||
}
|
||||
if (km_error != ErrorCode::OK) {
|
||||
LOG(ERROR) << "upgrade_key failed, code " << int32_t(km_error);
|
||||
return false;
|
||||
}
|
||||
newKey->assign(reinterpret_cast<const char*>(newKeyBlob.key_material),
|
||||
newKeyBlob.key_material_size);
|
||||
free(const_cast<uint8_t*>(newKeyBlob.key_material));
|
||||
return true;
|
||||
}
|
||||
|
||||
KeymasterOperation Keymaster::begin(keymaster_purpose_t purpose, const std::string& key,
|
||||
const keymaster::AuthorizationSet& inParams,
|
||||
keymaster::AuthorizationSet* outParams) {
|
||||
keymaster_key_blob_t keyBlob{reinterpret_cast<const uint8_t*>(key.data()), key.size()};
|
||||
keymaster_operation_handle_t mOpHandle;
|
||||
keymaster_key_param_set_t outParams_set;
|
||||
auto error = mDevice->begin(purpose, &keyBlob, &inParams,
|
||||
outParams ? &outParams_set : nullptr, &mOpHandle);
|
||||
if (error != KM_ERROR_OK) {
|
||||
LOG(ERROR) << "begin failed, code " << error;
|
||||
return KeymasterOperation(error);
|
||||
KeymasterOperation Keymaster::begin(KeyPurpose purpose, const std::string& key,
|
||||
const AuthorizationSet& inParams,
|
||||
AuthorizationSet* outParams) {
|
||||
auto keyBlob = blob2hidlVec(key);
|
||||
uint64_t mOpHandle;
|
||||
ErrorCode km_error;
|
||||
|
||||
auto hidlCb = [&] (ErrorCode ret, const hidl_vec<KeyParameter>& _outParams,
|
||||
uint64_t operationHandle) {
|
||||
km_error = ret;
|
||||
if (km_error != ErrorCode::OK) return;
|
||||
if (outParams)
|
||||
*outParams = _outParams;
|
||||
mOpHandle = operationHandle;
|
||||
};
|
||||
|
||||
auto error = mDevice->begin(purpose, keyBlob, inParams.hidl_data(), hidlCb);
|
||||
if (!error.isOk()) {
|
||||
LOG(ERROR) << "begin failed: " << error.description();
|
||||
return KeymasterOperation(ErrorCode::UNKNOWN_ERROR);
|
||||
}
|
||||
if (outParams) {
|
||||
outParams->Clear();
|
||||
outParams->push_back(outParams_set);
|
||||
keymaster_free_param_set(&outParams_set);
|
||||
if (km_error != ErrorCode::OK) {
|
||||
LOG(ERROR) << "begin failed, code " << uint32_t(km_error);
|
||||
return KeymasterOperation(km_error);
|
||||
}
|
||||
return KeymasterOperation(mDevice, mOpHandle);
|
||||
}
|
||||
|
|
58
Keymaster.h
58
Keymaster.h
|
@ -21,22 +21,21 @@
|
|||
#include <string>
|
||||
#include <utility>
|
||||
|
||||
#include <keymaster/authorization_set.h>
|
||||
#include <android/hardware/keymaster/3.0/IKeymasterDevice.h>
|
||||
#include <keystore/authorization_set.h>
|
||||
|
||||
namespace android {
|
||||
namespace vold {
|
||||
using ::android::hardware::keymaster::V3_0::IKeymasterDevice;
|
||||
using ::keystore::ErrorCode;
|
||||
using ::keystore::KeyPurpose;
|
||||
using ::keystore::AuthorizationSet;
|
||||
|
||||
using namespace keymaster;
|
||||
|
||||
// C++ wrappers to the Keymaster C interface.
|
||||
// C++ wrappers to the Keymaster hidl interface.
|
||||
// This is tailored to the needs of KeyStorage, but could be extended to be
|
||||
// a more general interface.
|
||||
|
||||
// Class that wraps a keymaster1_device_t or keymaster2_device_t and provides methods
|
||||
// they have in common. Also closes the device on destruction.
|
||||
class IKeymasterDevice;
|
||||
|
||||
// Wrapper for a keymaster_operation_handle_t representing an
|
||||
// Wrapper for a Keymaster operation handle representing an
|
||||
// ongoing Keymaster operation. Aborts the operation
|
||||
// in the destructor if it is unfinished. Methods log failures
|
||||
// to LOG(ERROR).
|
||||
|
@ -45,8 +44,8 @@ class KeymasterOperation {
|
|||
~KeymasterOperation();
|
||||
// Is this instance valid? This is false if creation fails, and becomes
|
||||
// false on finish or if an update fails.
|
||||
explicit operator bool() { return mError == KM_ERROR_OK; }
|
||||
keymaster_error_t error() { return mError; }
|
||||
explicit operator bool() { return mError == ErrorCode::OK; }
|
||||
ErrorCode error() { return mError; }
|
||||
// Call "update" repeatedly until all of the input is consumed, and
|
||||
// concatenate the output. Return true on success.
|
||||
bool updateCompletely(const std::string& input, std::string* output);
|
||||
|
@ -59,17 +58,19 @@ class KeymasterOperation {
|
|||
mError = std::move(rhs.mError);
|
||||
}
|
||||
// Construct an object in an error state for error returns
|
||||
KeymasterOperation() : KeymasterOperation(KM_ERROR_UNKNOWN_ERROR) {}
|
||||
KeymasterOperation()
|
||||
: mDevice{nullptr}, mOpHandle{static_cast<uint64_t>(0)},
|
||||
mError {ErrorCode::UNKNOWN_ERROR} {}
|
||||
|
||||
private:
|
||||
KeymasterOperation(std::shared_ptr<IKeymasterDevice> d, keymaster_operation_handle_t h)
|
||||
: mDevice{d}, mOpHandle{h}, mError {KM_ERROR_OK} {}
|
||||
KeymasterOperation(keymaster_error_t error)
|
||||
: mDevice{nullptr}, mOpHandle{static_cast<keymaster_operation_handle_t>(0)},
|
||||
KeymasterOperation(const sp<IKeymasterDevice>& d, uint64_t h)
|
||||
: mDevice{d}, mOpHandle{h}, mError {ErrorCode::OK} {}
|
||||
KeymasterOperation(ErrorCode error)
|
||||
: mDevice{nullptr}, mOpHandle{0},
|
||||
mError {error} {}
|
||||
std::shared_ptr<IKeymasterDevice> mDevice;
|
||||
keymaster_operation_handle_t mOpHandle;
|
||||
keymaster_error_t mError;
|
||||
sp<IKeymasterDevice> mDevice;
|
||||
uint64_t mOpHandle;
|
||||
ErrorCode mError;
|
||||
DISALLOW_COPY_AND_ASSIGN(KeymasterOperation);
|
||||
friend class Keymaster;
|
||||
};
|
||||
|
@ -80,7 +81,7 @@ class Keymaster {
|
|||
public:
|
||||
Keymaster();
|
||||
// false if we failed to open the keymaster device.
|
||||
explicit operator bool() { return mDevice != nullptr; }
|
||||
explicit operator bool() { return mDevice.get() != nullptr; }
|
||||
// Generate a key in the keymaster from the given params.
|
||||
bool generateKey(const AuthorizationSet& inParams, std::string* key);
|
||||
// If the keymaster supports it, permanently delete a key.
|
||||
|
@ -89,27 +90,14 @@ class Keymaster {
|
|||
bool upgradeKey(const std::string& oldKey, const AuthorizationSet& inParams,
|
||||
std::string* newKey);
|
||||
// Begin a new cryptographic operation, collecting output parameters if pointer is non-null
|
||||
KeymasterOperation begin(keymaster_purpose_t purpose, const std::string& key,
|
||||
KeymasterOperation begin(KeyPurpose purpose, const std::string& key,
|
||||
const AuthorizationSet& inParams, AuthorizationSet* outParams);
|
||||
|
||||
private:
|
||||
std::shared_ptr<IKeymasterDevice> mDevice;
|
||||
sp<hardware::keymaster::V3_0::IKeymasterDevice> mDevice;
|
||||
DISALLOW_COPY_AND_ASSIGN(Keymaster);
|
||||
};
|
||||
|
||||
template <keymaster_tag_t Tag>
|
||||
inline AuthorizationSetBuilder& addStringParam(AuthorizationSetBuilder&& params,
|
||||
TypedTag<KM_BYTES, Tag> tag,
|
||||
const std::string& val) {
|
||||
return params.Authorization(tag, val.data(), val.size());
|
||||
}
|
||||
|
||||
template <keymaster_tag_t Tag>
|
||||
inline void addStringParam(AuthorizationSetBuilder* params, TypedTag<KM_BYTES, Tag> tag,
|
||||
const std::string& val) {
|
||||
params->Authorization(tag, val.data(), val.size());
|
||||
}
|
||||
|
||||
} // namespace vold
|
||||
} // namespace android
|
||||
|
||||
|
|
Loading…
Reference in a new issue