author | Shawn Willden <swillden@google.com> | 2015-05-20 16:36:24 -0600 |
---|---|---|
committer | Shawn Willden <swillden@google.com> | 2015-05-28 07:28:51 -0600 |
commit | 2beb628bfefae72fa6bb84a6235da7e3de532823 (patch) | |
tree | 53fdd19f54afc714b37505cbea0dc31e1ecadda9 /include | |
parent | de7e66c3692073eb967f01cc8281441709701e2d (diff) | |
Delegate RSA keys to keymaster0 in SoftKeymasterDevice.
Bug: 20912868
Change-Id: I515a125f1247357d2cd9b4633c3b223590848093
Diffstat (limited to 'include')
-rw-r--r-- | include/keymaster/android_keymaster.h | 2 | ||||
-rw-r--r-- | include/keymaster/android_keymaster_messages.h | 19 | ||||
-rw-r--r-- | include/keymaster/android_keymaster_utils.h | 6 | ||||
-rw-r--r-- | include/keymaster/keymaster_context.h | 15 | ||||
-rw-r--r-- | include/keymaster/soft_keymaster_context.h | 6 | ||||
-rw-r--r-- | include/keymaster/soft_keymaster_device.h | 15 |
6 files changed, 59 insertions, 4 deletions
diff --git a/include/keymaster/android_keymaster.h b/include/keymaster/android_keymaster.h
index c7a3f41..db74b97 100644
--- a/include/keymaster/android_keymaster.h
+++ b/include/keymaster/android_keymaster.h
@@ -67,6 +67,8 @@ class AndroidKeymaster {
 GetKeyCharacteristicsResponse* response);
 void ImportKey(const ImportKeyRequest& request, ImportKeyResponse* response);
 void ExportKey(const ExportKeyRequest& request, ExportKeyResponse* response);
+ keymaster_error_t DeleteKey(const DeleteKeyRequest& request);
+ keymaster_error_t DeleteAllKeys();
 void BeginOperation(const BeginOperationRequest& request, BeginOperationResponse* response);
 void UpdateOperation(const UpdateOperationRequest& request, UpdateOperationResponse* response);
 void FinishOperation(const FinishOperationRequest& request, FinishOperationResponse* response);
diff --git a/include/keymaster/android_keymaster_messages.h b/include/keymaster/android_keymaster_messages.h
index 3e1059f..d7703b4 100644
--- a/include/keymaster/android_keymaster_messages.h
+++ b/include/keymaster/android_keymaster_messages.h
@@ -378,6 +378,25 @@ struct ExportKeyResponse : public KeymasterResponse {
 size_t key_data_length;
 };
+struct DeleteKeyRequest : public KeymasterMessage {
+ DeleteKeyRequest(int32_t ver = MAX_MESSAGE_VERSION) : KeymasterMessage(ver) {
+ key_blob.key_material = nullptr;
+ key_blob.key_material_size = 0;
+ }
+ ~DeleteKeyRequest() { delete[] key_blob.key_material; }
+
+ void SetKeyMaterial(const void* key_material, size_t length);
+ void SetKeyMaterial(const keymaster_key_blob_t& blob) {
+ SetKeyMaterial(blob.key_material, blob.key_material_size);
+ }
+
+ size_t SerializedSize() const;
+ uint8_t* Serialize(uint8_t* buf, const uint8_t* end) const;
+ bool Deserialize(const uint8_t** buf_ptr, const uint8_t* end);
+
+ keymaster_key_blob_t key_blob;
+};
+
 struct GetVersionRequest : public KeymasterMessage {
 GetVersionRequest() : KeymasterMessage(0 /* not versionable */) {}
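Review bot: `DeleteKeyRequest` releases `key_blob.key_material` with `delete[]` in its destructor but keeps the implicit copy constructor and copy assignment, so any by-value copy of a request would leave two objects freeing the same key buffer. Unless `KeymasterMessage` (not visible in this hunk) already disables copying, I would add `DeleteKeyRequest(const DeleteKeyRequest&) = delete;` and `void operator=(const DeleteKeyRequest&) = delete;` next to the destructor. The one-argument constructor would also be better as `explicit DeleteKeyRequest(int32_t ver = MAX_MESSAGE_VERSION)`, so an integer never converts silently into a request. `Deserialize` is only declared here; a comment on the declaration stating that it must reject a blob length reaching past `end` before allocating would document the contract the definition has to meet.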
diff --git a/include/keymaster/android_keymaster_utils.h b/include/keymaster/android_keymaster_utils.h
index c636f5c..16140a6 100644
--- a/include/keymaster/android_keymaster_utils.h
+++ b/include/keymaster/android_keymaster_utils.h
@@ -237,6 +237,12 @@ struct KeymasterKeyBlob : public keymaster_key_blob_t {
 key_material_size = blob.key_material_size;
 }
+ void operator=(const KeymasterKeyBlob& blob) {
+ Clear();
+ key_material = dup_buffer(blob.key_material, blob.key_material_size);
+ key_material_size = blob.key_material_size;
+ }
+
 ~KeymasterKeyBlob() { Clear(); }
 const uint8_t* begin() const { return key_material; }
diff --git a/include/keymaster/keymaster_context.h b/include/keymaster/keymaster_context.h
index 68410f8..0b9b62b 100644
--- a/include/keymaster/keymaster_context.h
+++ b/include/keymaster/keymaster_context.h
@@ -56,7 +56,7 @@ namespace keymaster {
 class KeymasterContext {
 public:
 KeymasterContext() {}
- virtual ~KeymasterContext() {};
+ virtual ~KeymasterContext(){};
 /**
 * CreateKeyBlob takes authorization sets and key material and produces a key blob and hardware
@@ -86,6 +86,19 @@ class KeymasterContext {
 AuthorizationSet* sw_enforced) const = 0;
 /**
+ * Take whatever environment-specific action is appropriate (if any) to delete the specified
+ * key.
+ */
+ virtual keymaster_error_t DeleteKey(const KeymasterKeyBlob& /* blob */) const {
+ return KM_ERROR_OK;
+ }
+
+ /**
+ * Take whatever environment-specific action is appropriate to delete all keys.
+ */
+ virtual keymaster_error_t DeleteAllKeys() const { return KM_ERROR_OK; }
+
+ /**
 * Adds entropy to the Cryptographic Pseudo Random Number Generator used to generate key
 * material, and other cryptographic protocol elements. Note that if the underlying CPRNG
 * tracks the size of its entropy pool, it should not assume that the provided data contributes
diff --git a/include/keymaster/soft_keymaster_context.h b/include/keymaster/soft_keymaster_context.h
index 1dba59d..33afe3d 100644
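Review bot: The new `KeymasterKeyBlob::operator=` calls `Clear()` before it reads `blob.key_material`, so a self-assignment would copy from whatever `Clear()` left behind (a released buffer or an emptied blob, depending on its definition outside this hunk) instead of keeping the key material. A guard as the first statement, `if (&blob == this) return;`, avoids that. Separately, if `dup_buffer` can return null on allocation failure, the object ends up with a null `key_material` and a non-zero `key_material_size`; `key_material_size = key_material ? blob.key_material_size : 0;` keeps the pair consistent. The copy constructor whose tail is visible just above the added lines appears to assign the size the same way.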
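Review bot: The default `DeleteKey` and `DeleteAllKeys` added to `KeymasterContext` return `KM_ERROR_OK` without doing anything, so a context that keeps key material outside the blob and does not override them reports a successful deletion while the key still exists. The doc comments should say so explicitly, for example `Default implementation deletes nothing and returns KM_ERROR_OK; contexts that hold keys in hardware or persistent storage must override.` In this commit `SoftKeymasterContext` gains a keymaster0 engine, yet no override of either method is visible in its header hunks, so it is worth confirming where keymaster0-held RSA keys are actually deleted (the diff shown here is limited to `include/`).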
--- a/include/keymaster/soft_keymaster_context.h
+++ b/include/keymaster/soft_keymaster_context.h
@@ -19,23 +19,26 @@
 #include <memory>
+#include <hardware/keymaster0.h>
 #include <keymaster/keymaster_context.h>
 namespace keymaster {
 class SoftKeymasterKeyRegistrations;
+class Keymaster0Engine;
 /**
 * SoftKeymasterContext provides the context for a non-secure implementation of AndroidKeymaster.
 */
 class SoftKeymasterContext : public KeymasterContext {
 public:
- SoftKeymasterContext();
+ SoftKeymasterContext(keymaster0_device_t* keymaster0_device);
 keymaster_error_t CreateKeyBlob(const AuthorizationSet& auths, keymaster_key_origin_t origin, const KeymasterKeyBlob& key_material, KeymasterKeyBlob* blob, AuthorizationSet* hw_enforced, AuthorizationSet* sw_enforced) const override;
+
 keymaster_error_t ParseKeyBlob(const KeymasterKeyBlob& blob, const AuthorizationSet& additional_params, KeymasterKeyBlob* key_material, AuthorizationSet* hw_enforced,
@@ -44,6 +47,7 @@ class SoftKeymasterContext : public KeymasterContext {
 keymaster_error_t GenerateRandom(uint8_t* buf, size_t length) const override;
 private:
+ std::unique_ptr<Keymaster0Engine> engine_;
 std::unique_ptr<SoftKeymasterKeyRegistrations> registrations_;
 };
diff --git a/include/keymaster/soft_keymaster_device.h b/include/keymaster/soft_keymaster_device.h
index 44e64e9..9a710eb 100644
--- a/include/keymaster/soft_keymaster_device.h
+++ b/include/keymaster/soft_keymaster_device.h
@@ -19,9 +19,11 @@
 #include <stdlib.h>
+#include <hardware/keymaster0.h>
 #include <hardware/keymaster1.h>
 #include <keymaster/android_keymaster.h>
+#include <keymaster/keymaster_context.h>
 #include <keymaster/logger.h>
 #include <UniquePtr.h>
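Review bot: `SoftKeymasterContext(keymaster0_device_t* keymaster0_device)` takes a raw device pointer with no statement of who owns it or whether null is accepted; the only related state visible is `std::unique_ptr<Keymaster0Engine> engine_` in the second hunk of this file. A doc comment on the constructor should state whether the context closes the device and what a null argument means for RSA key handling. The constructor should also be `explicit SoftKeymasterContext(keymaster0_device_t* keymaster0_device);` so a device pointer never converts implicitly into a context. The unchanged class comment still describes a "non-secure implementation", which no longer matches a context that can delegate to keymaster0 and should be updated along with it.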
@@ -31,7 +33,10 @@ namespace keymaster {
 class AuthorizationSet;
 /**
- * Software OpenSSL-based Keymaster implementation.
+ * Keymaster1 device implementation.
+ *
+ * This is a hybrid software/hardware implementation which wraps a keymaster0_device_t, forwarding
+ * RSA operations to secure hardware and doing everything else in software.
 *
 * IMPORTANT MAINTAINER NOTE: Pointers to instances of this class must be castable to hw_device_t
 * and keymaster_device. This means it must remain a standard layout class (no virtual functions and
@@ -40,7 +45,7 @@ class AuthorizationSet;
 */
 class SoftKeymasterDevice {
 public:
- SoftKeymasterDevice();
+ SoftKeymasterDevice(keymaster0_device_t* keymaster0_device = nullptr);
 hw_device_t* hw_device();
 keymaster1_device_t* keymaster_device();
@@ -74,6 +79,9 @@ class SoftKeymasterDevice {
 static int get_keypair_public(const keymaster1_device_t* dev, const uint8_t* key_blob, const size_t key_blob_length, uint8_t** x509_data, size_t* x509_data_length);
+ static int delete_keypair(const struct keymaster1_device* dev, const uint8_t* key_blob,
+ const size_t key_blob_length);
+ static int delete_all(const struct keymaster1_device* dev);
 static int sign_data(const keymaster1_device_t* dev, const void* signing_params, const uint8_t* key_blob, const size_t key_blob_length, const uint8_t* data, const size_t data_length, uint8_t** signed_data, 
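Review bot: The rewritten class comment states that RSA operations are forwarded to secure hardware, but the constructor in the `@@ -40,7 +45,7 @@` hunk defaults `keymaster0_device` to `nullptr`, and the comment does not say what happens in that case. A caller reading it could assume RSA keys are hardware-backed on a device constructed without keymaster0; a sentence such as `If no keymaster0 device is supplied, all operations, including RSA, are performed in software.` would remove the ambiguity, assuming that is the implemented behaviour (the .cpp is not part of this page). The constructor is also a non-explicit converting constructor from a pointer; `explicit SoftKeymasterDevice(keymaster0_device_t* keymaster0_device = nullptr);` is safer. Ownership of the passed device should be documented in the same comment.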
@@ -130,6 +138,9 @@ class SoftKeymasterDevice {
 export_key(const keymaster1_device_t* dev, keymaster_key_format_t export_format, const keymaster_key_blob_t* key_to_export, const keymaster_blob_t* client_id, const keymaster_blob_t* app_data, uint8_t** export_data, size_t* export_data_length);
+ static keymaster_error_t delete_key(const struct keymaster1_device* dev,
+ const keymaster_key_blob_t* key);
+ static keymaster_error_t delete_all_keys(const struct keymaster1_device* dev);
 static keymaster_error_t begin(const keymaster1_device_t* dev, keymaster_purpose_t purpose, const keymaster_key_blob_t* key, const keymaster_key_param_t* params, size_t params_count, |