authorShawn Willden <swillden@google.com>2016-01-05 18:15:38 -0700
committerShawn Willden <swillden@google.com>2016-01-27 16:19:32 -0700
commit7989c2bf8ad56518465b96bba61432de1a66bbf1 (patch)
treef0a49c9e741af398c58a1915e2417e03e404e85c /include
parent3d68cf64fb4bcea55406c3b6844b397ad264d8b2 (diff)
Add attestation support to KeymasterContext
This CL also implements the necessary context bits for SoftKeymasterContext, in a necessarily completely insecure way. The software attestation intermediate key and intermediate and root certificates are hardcoded. Software attestation is meaningless, but needed to make the APIs work the same for both software and hardware. Bug: 22914603 Change-Id: I1c3439409829c0991db2f0b54e11fb59b5e9bd87
Diffstat (limited to 'include')
-rw-r--r--include/keymaster/android_keymaster_utils.h11
-rw-r--r--include/keymaster/keymaster_context.h16
-rw-r--r--include/keymaster/soft_keymaster_context.h5
3 files changed, 32 insertions, 0 deletions
diff --git a/include/keymaster/android_keymaster_utils.h b/include/keymaster/android_keymaster_utils.h
index 1964f1f..3ce56cc 100644
--- a/include/keymaster/android_keymaster_utils.h
+++ b/include/keymaster/android_keymaster_utils.h
@@ -312,6 +312,17 @@ struct Malloc_Delete {
void operator()(void* p) { free(p); }
};
+struct CertificateChainDelete {
+ void operator()(keymaster_cert_chain_t* p) {
+ if (!p)
+ return;
+ for (size_t i = 0; i < p->entry_count; ++i)
+ delete[] p->entries[i].data;
+ delete[] p->entries;
+ delete p;
+ }
+};
+
} // namespace keymaster
#endif // SYSTEM_KEYMASTER_ANDROID_KEYMASTER_UTILS_H_
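Review bot: CertificateChainDelete frees with `delete[]`/`delete`, so it is only correct when the struct, the `entries` array and every `data` buffer were allocated with `new`/`new[]`; nothing in the header says so, and the neighbouring Malloc_Delete uses `free()`. Passing it a chain built with malloc, or a partly filled chain whose `entries[i].data` was never initialised, would be undefined behaviour in the deleter. I would put the contract above the struct, e.g. `// Only for chains allocated with new/new[]; entries must be value-initialised so unset data pointers are null.` The loop also dereferences `p->entries` whenever `entry_count` is non-zero, so guarding it with `if (p->entries)` would make cleanup of a half-built chain safe.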
diff --git a/include/keymaster/keymaster_context.h b/include/keymaster/keymaster_context.h
index 338b408..c9802e4 100644
--- a/include/keymaster/keymaster_context.h
+++ b/include/keymaster/keymaster_context.h
@@ -19,6 +19,8 @@
#include <assert.h>
+#include <openssl/evp.h>
+
#include <hardware/keymaster_defs.h>
#include <keymaster/keymaster_enforcement.h>
@@ -127,6 +129,20 @@ class KeymasterContext {
*/
virtual KeymasterEnforcement* enforcement_policy() = 0;
+ /**
+ * Return the attestation signing key of the specified algorithm (KM_ALGORITHM_RSA or
+ * KM_ALGORITHM_EC).
+ */
+ virtual EVP_PKEY* AttestationKey(keymaster_algorithm_t algorithm,
+ keymaster_error_t* error) const = 0;
+
+ /**
+ * Return the certificate chain of the attestation signing key of the specified algorithm
+ * (KM_ALGORITHM_RSA or KM_ALGORITHM_EC).
+ */
+ virtual keymaster_cert_chain_t* AttestationChain(keymaster_algorithm_t algorithm,
+ keymaster_error_t* error) const = 0;
+
private:
// Uncopyable.
KeymasterContext(const KeymasterContext&);
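Review bot: The doc comments on AttestationKey and AttestationChain do not say who owns the returned `EVP_PKEY*` and `keymaster_cert_chain_t*`, what is returned on failure or for an unsupported algorithm, or whether `error` may be null. For raw pointers to signing-key material, an unstated ownership contract invites leaks or double frees in callers and implementers. I would extend each comment along the lines of `Caller takes ownership and must release the key with EVP_PKEY_free(); returns nullptr and sets *error on failure.`, and for the chain name the matching deleter (CertificateChainDelete), if that is the intended contract. The implementations are not in this diff, and the class body continues outside the hunk.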
diff --git a/include/keymaster/soft_keymaster_context.h b/include/keymaster/soft_keymaster_context.h
index 413117a..d9c02f2 100644
--- a/include/keymaster/soft_keymaster_context.h
+++ b/include/keymaster/soft_keymaster_context.h
@@ -71,6 +71,11 @@ class SoftKeymasterContext : public KeymasterContext {
keymaster_error_t AddRngEntropy(const uint8_t* buf, size_t length) const override;
keymaster_error_t GenerateRandom(uint8_t* buf, size_t length) const override;
+ EVP_PKEY* AttestationKey(keymaster_algorithm_t algorithm,
+ keymaster_error_t* error) const override;
+ keymaster_cert_chain_t* AttestationChain(keymaster_algorithm_t algorithm,
+ keymaster_error_t* error) const override;
+
KeymasterEnforcement* enforcement_policy() override {
// SoftKeymaster does no enforcement; it's all done by Keystore.
return nullptr;