1 /*
2 **
3 ** Copyright 2017, The Android Open Source Project
4 **
5 ** Licensed under the Apache License, Version 2.0 (the "License");
6 ** you may not use this file except in compliance with the License.
7 ** You may obtain a copy of the License at
8 **
9 **     http://www.apache.org/licenses/LICENSE-2.0
10 **
11 ** Unless required by applicable law or agreed to in writing, software
12 ** distributed under the License is distributed on an "AS IS" BASIS,
13 ** WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 ** See the License for the specific language governing permissions and
15 ** limitations under the License.
16 */
17 
18 #ifndef KM_OPENSSL_ATTESTATION_UTILS_H_
19 #define KM_OPENSSL_ATTESTATION_UTILS_H_
20 
21 #include <hardware/keymaster_defs.h>
22 #include <keymaster/android_keymaster_utils.h>
23 
24 #include <openssl/x509v3.h>
25 
26 #include "openssl_utils.h"
27 
28 namespace keymaster {
29 
30 class AuthorizationSet;
31 class AttestationRecordContext;
32 class AsymmetricKey;
33 
34 // Generate attestation certificate base on the AsymmetricKey key and other parameters
35 // passed in.  In attest_params, we expect the challenge, active time and expiration
36 // time, and app id.
37 //
38 // The active time and expiration time are expected in milliseconds.
39 //
40 // Hardware and software enforced AuthorizationSet are expected to be built into the AsymmetricKey
41 // input. In hardware enforced AuthorizationSet, we expect hardware related tags such as
42 // TAG_IDENTITY_CREDENTIAL_KEY.
43 keymaster_error_t generate_attestation(const AsymmetricKey& key,
44         const AuthorizationSet& attest_params, const keymaster_cert_chain_t& attestation_chain,
45         const keymaster_key_blob_t& attestation_signing_key,
46         const AttestationRecordContext& context, CertChainPtr* cert_chain_out);
47 
48 // Generate attestation certificate based on the EVP key and other parameters
49 // passed in.  Note that due to sub sub sub call setup, there are 3 AuthorizationSet passed in,
50 // hardware, software, and general.  In attest_params, we expect the challenge,
51 // active time and expiration time, and app id.  In hw_enforced, we expect
52 // hardware related tags such as TAG_IDENTITY_CREDENTIAL_KEY.
53 //
54 // The active time and expiration time are expected in milliseconds since Jan 1,
55 // 1970.
56 keymaster_error_t generate_attestation_from_EVP(
57     const EVP_PKEY* evp_key,                  // input
58     const AuthorizationSet& sw_enforced,      // input
59     const AuthorizationSet& hw_enforced,      // input
60     const AuthorizationSet& attest_params,    // input. Sub function require app id to be set here.
61     const AttestationRecordContext& context,  // input
62     const uint keymaster_version,             // input
63     const keymaster_cert_chain_t& attestation_chain,      // input
64     const keymaster_key_blob_t& attestation_signing_key,  // input
65     CertChainPtr* cert_chain_out);                        // Output.
66 
67 } // namespace keymaster
68 
69 #endif  // KM_OPENSSL_ATTESTATION_UTILS_H_
70