1 /*
2 **
3 ** Copyright 2018, The Android Open Source Project
4 **
5 ** Licensed under the Apache License, Version 2.0 (the "License");
6 ** you may not use this file except in compliance with the License.
7 ** You may obtain a copy of the License at
8 **
9 ** http://www.apache.org/licenses/LICENSE-2.0
10 **
11 ** Unless required by applicable law or agreed to in writing, software
12 ** distributed under the License is distributed on an "AS IS" BASIS,
13 ** WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 ** See the License for the specific language governing permissions and
15 ** limitations under the License.
16 */
17
18 #define LOG_TAG "android.hardware.keymaster@4.0-impl.remote"
19
20 #include "remote_keymaster4_device.h"
21
22 #include <android/hardware/keymaster/3.0/IKeymasterDevice.h>
23 #include <authorization_set.h>
24 #include <cutils/log.h>
25 #include <keymaster/android_keymaster_messages.h>
26
27 using ::keymaster::AbortOperationRequest;
28 using ::keymaster::AbortOperationResponse;
29 using ::keymaster::AddEntropyRequest;
30 using ::keymaster::AddEntropyResponse;
31 using ::keymaster::AttestKeyRequest;
32 using ::keymaster::AttestKeyResponse;
33 using ::keymaster::AuthorizationSet;
34 using ::keymaster::BeginOperationRequest;
35 using ::keymaster::BeginOperationResponse;
36 using ::keymaster::ExportKeyRequest;
37 using ::keymaster::ExportKeyResponse;
38 using ::keymaster::FinishOperationRequest;
39 using ::keymaster::FinishOperationResponse;
40 using ::keymaster::GenerateKeyRequest;
41 using ::keymaster::GenerateKeyResponse;
42 using ::keymaster::GetKeyCharacteristicsRequest;
43 using ::keymaster::GetKeyCharacteristicsResponse;
44 using ::keymaster::ImportKeyRequest;
45 using ::keymaster::ImportKeyResponse;
46 using ::keymaster::UpdateOperationRequest;
47 using ::keymaster::UpdateOperationResponse;
48 using ::keymaster::ng::Tag;
49
50 typedef ::android::hardware::keymaster::V3_0::Tag Tag3;
51 using ::android::hardware::keymaster::V4_0::Constants;
52
53 namespace keymaster {
54 namespace V4_1 {
55 namespace {
56
legacy_enum_conversion(const Tag value)57 inline keymaster_tag_t legacy_enum_conversion(const Tag value) {
58 return keymaster_tag_t(value);
59 }
legacy_enum_conversion(const keymaster_tag_t value)60 inline Tag legacy_enum_conversion(const keymaster_tag_t value) {
61 return Tag(value);
62 }
legacy_enum_conversion(const KeyPurpose value)63 inline keymaster_purpose_t legacy_enum_conversion(const KeyPurpose value) {
64 return keymaster_purpose_t(value);
65 }
legacy_enum_conversion(const KeyFormat value)66 inline keymaster_key_format_t legacy_enum_conversion(const KeyFormat value) {
67 return keymaster_key_format_t(value);
68 }
69
legacy_enum_conversion(const keymaster_security_level_t value)70 inline SecurityLevel legacy_enum_conversion(const keymaster_security_level_t value) {
71 return static_cast<SecurityLevel>(value);
72 }
73
legacy_enum_conversion(const HardwareAuthenticatorType value)74 inline hw_authenticator_type_t legacy_enum_conversion(const HardwareAuthenticatorType value) {
75 return static_cast<hw_authenticator_type_t>(value);
76 }
77
legacy_enum_conversion(const keymaster_error_t value)78 inline ErrorCode legacy_enum_conversion(const keymaster_error_t value) {
79 return ErrorCode(value);
80 }
81
typeFromTag(const keymaster_tag_t tag)82 inline keymaster_tag_type_t typeFromTag(const keymaster_tag_t tag) {
83 return keymaster_tag_get_type(tag);
84 }
85
86 /*
87 * injectAuthToken translates a KM4 authToken into a legacy AUTH_TOKEN tag
88 *
89 * Currently, system/keymaster's reference implementation only accepts this
90 * method for passing an auth token, so until that changes we need to
91 * translate to the old format.
92 */
injectAuthToken(const hidl_vec<KeyParameter> & keyParamsBase,const HardwareAuthToken & authToken)93 inline hidl_vec<KeyParameter> injectAuthToken(const hidl_vec<KeyParameter>& keyParamsBase,
94 const HardwareAuthToken& authToken) {
95 std::vector<KeyParameter> keyParams(keyParamsBase);
96 const size_t mac_len = static_cast<size_t>(Constants::AUTH_TOKEN_MAC_LENGTH);
97 /*
98 * mac.size() == 0 indicates no token provided, so we should not copy.
99 * mac.size() != mac_len means it is incompatible with the old
100 * hw_auth_token_t structure. This is forbidden by spec, but to be safe
101 * we only copy if mac.size() == mac_len, e.g. there is an authToken
102 * with a hw_auth_token_t compatible MAC.
103 */
104 if (authToken.mac.size() == mac_len) {
105 KeyParameter p;
106 p.tag = static_cast<Tag>(Tag3::AUTH_TOKEN);
107 p.blob.resize(sizeof(hw_auth_token_t));
108
109 hw_auth_token_t* auth_token = reinterpret_cast<hw_auth_token_t*>(p.blob.data());
110 auth_token->version = 0;
111 auth_token->challenge = authToken.challenge;
112 auth_token->user_id = authToken.userId;
113 auth_token->authenticator_id = authToken.authenticatorId;
114 auth_token->authenticator_type =
115 htobe32(static_cast<uint32_t>(authToken.authenticatorType));
116 auth_token->timestamp = htobe64(authToken.timestamp);
117 static_assert(mac_len == sizeof(auth_token->hmac));
118 memcpy(auth_token->hmac, authToken.mac.data(), mac_len);
119 keyParams.push_back(p);
120 }
121
122 return hidl_vec<KeyParameter>(std::move(keyParams));
123 }
124
125 class KmParamSet : public keymaster_key_param_set_t {
126 public:
KmParamSet(const hidl_vec<KeyParameter> & keyParams)127 KmParamSet(const hidl_vec<KeyParameter>& keyParams) {
128 params = new keymaster_key_param_t[keyParams.size()];
129 length = keyParams.size();
130 for (size_t i = 0; i < keyParams.size(); ++i) {
131 auto tag = legacy_enum_conversion(keyParams[i].tag);
132 switch (typeFromTag(tag)) {
133 case KM_ENUM:
134 case KM_ENUM_REP:
135 params[i] = keymaster_param_enum(tag, keyParams[i].f.integer);
136 break;
137 case KM_UINT:
138 case KM_UINT_REP:
139 params[i] = keymaster_param_int(tag, keyParams[i].f.integer);
140 break;
141 case KM_ULONG:
142 case KM_ULONG_REP:
143 params[i] = keymaster_param_long(tag, keyParams[i].f.longInteger);
144 break;
145 case KM_DATE:
146 params[i] = keymaster_param_date(tag, keyParams[i].f.dateTime);
147 break;
148 case KM_BOOL:
149 if (keyParams[i].f.boolValue)
150 params[i] = keymaster_param_bool(tag);
151 else
152 params[i].tag = KM_TAG_INVALID;
153 break;
154 case KM_BIGNUM:
155 case KM_BYTES:
156 params[i] = keymaster_param_blob(tag, &keyParams[i].blob[0],
157 keyParams[i].blob.size());
158 break;
159 case KM_INVALID:
160 default:
161 params[i].tag = KM_TAG_INVALID;
162 /* just skip */
163 break;
164 }
165 }
166 }
KmParamSet(KmParamSet && other)167 KmParamSet(KmParamSet&& other) noexcept
168 : keymaster_key_param_set_t{other.params, other.length} {
169 other.length = 0;
170 other.params = nullptr;
171 }
172 KmParamSet(const KmParamSet&) = delete;
~KmParamSet()173 ~KmParamSet() { delete[] params; }
174 };
175
kmBlob2hidlVec(const keymaster_key_blob_t & blob)176 inline hidl_vec<uint8_t> kmBlob2hidlVec(const keymaster_key_blob_t& blob) {
177 hidl_vec<uint8_t> result;
178 result.setToExternal(const_cast<unsigned char*>(blob.key_material), blob.key_material_size);
179 return result;
180 }
181
kmBlob2hidlVec(const keymaster_blob_t & blob)182 inline hidl_vec<uint8_t> kmBlob2hidlVec(const keymaster_blob_t& blob) {
183 hidl_vec<uint8_t> result;
184 result.setToExternal(const_cast<unsigned char*>(blob.data), blob.data_length);
185 return result;
186 }
187
kmBuffer2hidlVec(const::keymaster::Buffer & buf)188 inline hidl_vec<uint8_t> kmBuffer2hidlVec(const ::keymaster::Buffer& buf) {
189 hidl_vec<uint8_t> result;
190 result.setToExternal(const_cast<unsigned char*>(buf.peek_read()), buf.available_read());
191 return result;
192 }
193
kmCertChain2Hidl(const keymaster_cert_chain_t & cert_chain)194 inline static hidl_vec<hidl_vec<uint8_t>> kmCertChain2Hidl(
195 const keymaster_cert_chain_t& cert_chain) {
196 hidl_vec<hidl_vec<uint8_t>> result;
197 if (!cert_chain.entry_count || !cert_chain.entries) return result;
198
199 result.resize(cert_chain.entry_count);
200 for (size_t i = 0; i < cert_chain.entry_count; ++i) {
201 result[i] = kmBlob2hidlVec(cert_chain.entries[i]);
202 }
203
204 return result;
205 }
206
kmParamSet2Hidl(const keymaster_key_param_set_t & set)207 static inline hidl_vec<KeyParameter> kmParamSet2Hidl(const keymaster_key_param_set_t& set) {
208 hidl_vec<KeyParameter> result;
209 if (set.length == 0 || set.params == nullptr) return result;
210
211 result.resize(set.length);
212 keymaster_key_param_t* params = set.params;
213 for (size_t i = 0; i < set.length; ++i) {
214 auto tag = params[i].tag;
215 result[i].tag = legacy_enum_conversion(tag);
216 switch (typeFromTag(tag)) {
217 case KM_ENUM:
218 case KM_ENUM_REP:
219 result[i].f.integer = params[i].enumerated;
220 break;
221 case KM_UINT:
222 case KM_UINT_REP:
223 result[i].f.integer = params[i].integer;
224 break;
225 case KM_ULONG:
226 case KM_ULONG_REP:
227 result[i].f.longInteger = params[i].long_integer;
228 break;
229 case KM_DATE:
230 result[i].f.dateTime = params[i].date_time;
231 break;
232 case KM_BOOL:
233 result[i].f.boolValue = params[i].boolean;
234 break;
235 case KM_BIGNUM:
236 case KM_BYTES:
237 result[i].blob.setToExternal(const_cast<unsigned char*>(params[i].blob.data),
238 params[i].blob.data_length);
239 break;
240 case KM_INVALID:
241 default:
242 params[i].tag = KM_TAG_INVALID;
243 /* just skip */
244 break;
245 }
246 }
247 return result;
248 }
249
addClientAndAppData(const hidl_vec<uint8_t> & clientId,const hidl_vec<uint8_t> & appData,::keymaster::AuthorizationSet * params)250 void addClientAndAppData(const hidl_vec<uint8_t>& clientId, const hidl_vec<uint8_t>& appData,
251 ::keymaster::AuthorizationSet* params) {
252 params->Clear();
253 if (clientId.size()) {
254 params->push_back(::keymaster::TAG_APPLICATION_ID, clientId.data(), clientId.size());
255 }
256 if (appData.size()) {
257 params->push_back(::keymaster::TAG_APPLICATION_DATA, appData.data(), appData.size());
258 }
259 }
260
261 } // anonymous namespace
262
RemoteKeymaster4Device(RemoteKeymaster * impl)263 RemoteKeymaster4Device::RemoteKeymaster4Device(RemoteKeymaster* impl) : impl_(impl) {}
264
~RemoteKeymaster4Device()265 RemoteKeymaster4Device::~RemoteKeymaster4Device() {}
266
getHardwareInfo(getHardwareInfo_cb _hidl_cb)267 Return<void> RemoteKeymaster4Device::getHardwareInfo(getHardwareInfo_cb _hidl_cb) {
268 _hidl_cb(SecurityLevel::TRUSTED_ENVIRONMENT, "RemoteKeymaster", "Google");
269 return Void();
270 }
271
getHmacSharingParameters(getHmacSharingParameters_cb _hidl_cb)272 Return<void> RemoteKeymaster4Device::getHmacSharingParameters(
273 getHmacSharingParameters_cb _hidl_cb) {
274 const GetHmacSharingParametersResponse response = impl_->GetHmacSharingParameters();
275 // response.params is not the same as the HIDL structure, we need to convert it
276 HmacSharingParameters params;
277 params.seed.setToExternal(const_cast<uint8_t*>(response.params.seed.data),
278 response.params.seed.data_length);
279 static_assert(sizeof(response.params.nonce) == params.nonce.size(), "Nonce sizes don't match");
280 memcpy(params.nonce.data(), response.params.nonce, params.nonce.size());
281 _hidl_cb(legacy_enum_conversion(response.error), params);
282 return Void();
283 }
284
computeSharedHmac(const hidl_vec<HmacSharingParameters> & params,computeSharedHmac_cb _hidl_cb)285 Return<void> RemoteKeymaster4Device::computeSharedHmac(
286 const hidl_vec<HmacSharingParameters>& params, computeSharedHmac_cb _hidl_cb) {
287 ComputeSharedHmacRequest request;
288 request.params_array.params_array = new keymaster::HmacSharingParameters[params.size()];
289 request.params_array.num_params = params.size();
290 for (size_t i = 0; i < params.size(); ++i) {
291 request.params_array.params_array[i].seed = {params[i].seed.data(), params[i].seed.size()};
292 static_assert(sizeof(request.params_array.params_array[i].nonce) ==
293 decltype(params[i].nonce)::size(),
294 "Nonce sizes don't match");
295 memcpy(request.params_array.params_array[i].nonce, params[i].nonce.data(),
296 params[i].nonce.size());
297 }
298
299 auto response = impl_->ComputeSharedHmac(request);
300 hidl_vec<uint8_t> sharing_check;
301 if (response.error == KM_ERROR_OK) {
302 sharing_check = kmBlob2hidlVec(response.sharing_check);
303 }
304
305 _hidl_cb(legacy_enum_conversion(response.error), sharing_check);
306 return Void();
307 }
308
verifyAuthorization(uint64_t challenge,const hidl_vec<KeyParameter> & parametersToVerify,const HardwareAuthToken & authToken,verifyAuthorization_cb _hidl_cb)309 Return<void> RemoteKeymaster4Device::verifyAuthorization(
310 uint64_t challenge, const hidl_vec<KeyParameter>& parametersToVerify,
311 const HardwareAuthToken& authToken, verifyAuthorization_cb _hidl_cb) {
312 VerifyAuthorizationRequest request;
313 request.challenge = challenge;
314 request.parameters_to_verify.Reinitialize(KmParamSet(parametersToVerify));
315 request.auth_token.challenge = authToken.challenge;
316 request.auth_token.user_id = authToken.userId;
317 request.auth_token.authenticator_id = authToken.authenticatorId;
318 request.auth_token.authenticator_type = legacy_enum_conversion(authToken.authenticatorType);
319 request.auth_token.timestamp = authToken.timestamp;
320 KeymasterBlob mac(authToken.mac.data(), authToken.mac.size());
321 request.auth_token.mac = mac;
322
323 auto response = impl_->VerifyAuthorization(request);
324
325 ::android::hardware::keymaster::V4_0::VerificationToken token;
326 token.challenge = response.token.challenge;
327 token.timestamp = response.token.timestamp;
328 token.parametersVerified = kmParamSet2Hidl(response.token.parameters_verified);
329 token.securityLevel = legacy_enum_conversion(response.token.security_level);
330 token.mac = kmBlob2hidlVec(response.token.mac);
331
332 _hidl_cb(legacy_enum_conversion(response.error), token);
333
334 return Void();
335 }
336
addRngEntropy(const hidl_vec<uint8_t> & data)337 Return<ErrorCode> RemoteKeymaster4Device::addRngEntropy(const hidl_vec<uint8_t>& data) {
338 if (data.size() == 0) return ErrorCode::OK;
339 AddEntropyRequest request;
340 request.random_data.Reinitialize(data.data(), data.size());
341
342 AddEntropyResponse response;
343 impl_->AddRngEntropy(request, &response);
344
345 return legacy_enum_conversion(response.error);
346 }
347
generateKey(const hidl_vec<KeyParameter> & keyParams,generateKey_cb _hidl_cb)348 Return<void> RemoteKeymaster4Device::generateKey(const hidl_vec<KeyParameter>& keyParams,
349 generateKey_cb _hidl_cb) {
350 GenerateKeyRequest request;
351 request.key_description.Reinitialize(KmParamSet(keyParams));
352
353 GenerateKeyResponse response;
354 impl_->GenerateKey(request, &response);
355
356 KeyCharacteristics resultCharacteristics;
357 hidl_vec<uint8_t> resultKeyBlob;
358 if (response.error == KM_ERROR_OK) {
359 resultKeyBlob = kmBlob2hidlVec(response.key_blob);
360 resultCharacteristics.hardwareEnforced = kmParamSet2Hidl(response.enforced);
361 resultCharacteristics.softwareEnforced = kmParamSet2Hidl(response.unenforced);
362 }
363 _hidl_cb(legacy_enum_conversion(response.error), resultKeyBlob, resultCharacteristics);
364 return Void();
365 }
366
getKeyCharacteristics(const hidl_vec<uint8_t> & keyBlob,const hidl_vec<uint8_t> & clientId,const hidl_vec<uint8_t> & appData,getKeyCharacteristics_cb _hidl_cb)367 Return<void> RemoteKeymaster4Device::getKeyCharacteristics(const hidl_vec<uint8_t>& keyBlob,
368 const hidl_vec<uint8_t>& clientId,
369 const hidl_vec<uint8_t>& appData,
370 getKeyCharacteristics_cb _hidl_cb) {
371 GetKeyCharacteristicsRequest request;
372 request.SetKeyMaterial(keyBlob.data(), keyBlob.size());
373 addClientAndAppData(clientId, appData, &request.additional_params);
374
375 GetKeyCharacteristicsResponse response;
376 impl_->GetKeyCharacteristics(request, &response);
377
378 KeyCharacteristics resultCharacteristics;
379 if (response.error == KM_ERROR_OK) {
380 resultCharacteristics.hardwareEnforced = kmParamSet2Hidl(response.enforced);
381 resultCharacteristics.softwareEnforced = kmParamSet2Hidl(response.unenforced);
382 }
383 _hidl_cb(legacy_enum_conversion(response.error), resultCharacteristics);
384 return Void();
385 }
386
importKey(const hidl_vec<KeyParameter> & params,KeyFormat keyFormat,const hidl_vec<uint8_t> & keyData,importKey_cb _hidl_cb)387 Return<void> RemoteKeymaster4Device::importKey(const hidl_vec<KeyParameter>& params,
388 KeyFormat keyFormat,
389 const hidl_vec<uint8_t>& keyData,
390 importKey_cb _hidl_cb) {
391 ImportKeyRequest request;
392 request.key_description.Reinitialize(KmParamSet(params));
393 request.key_format = legacy_enum_conversion(keyFormat);
394 request.SetKeyMaterial(keyData.data(), keyData.size());
395
396 ImportKeyResponse response;
397 impl_->ImportKey(request, &response);
398
399 KeyCharacteristics resultCharacteristics;
400 hidl_vec<uint8_t> resultKeyBlob;
401 if (response.error == KM_ERROR_OK) {
402 resultKeyBlob = kmBlob2hidlVec(response.key_blob);
403 resultCharacteristics.hardwareEnforced = kmParamSet2Hidl(response.enforced);
404 resultCharacteristics.softwareEnforced = kmParamSet2Hidl(response.unenforced);
405 }
406 _hidl_cb(legacy_enum_conversion(response.error), resultKeyBlob, resultCharacteristics);
407 return Void();
408 }
409
importWrappedKey(const hidl_vec<uint8_t> & wrappedKeyData,const hidl_vec<uint8_t> & wrappingKeyBlob,const hidl_vec<uint8_t> & maskingKey,const hidl_vec<KeyParameter> & unwrappingParams,uint64_t passwordSid,uint64_t biometricSid,importWrappedKey_cb _hidl_cb)410 Return<void> RemoteKeymaster4Device::importWrappedKey(
411 const hidl_vec<uint8_t>& wrappedKeyData, const hidl_vec<uint8_t>& wrappingKeyBlob,
412 const hidl_vec<uint8_t>& maskingKey, const hidl_vec<KeyParameter>& unwrappingParams,
413 uint64_t passwordSid, uint64_t biometricSid, importWrappedKey_cb _hidl_cb) {
414 ImportWrappedKeyRequest request;
415 request.SetWrappedMaterial(wrappedKeyData.data(), wrappedKeyData.size());
416 request.SetWrappingMaterial(wrappingKeyBlob.data(), wrappingKeyBlob.size());
417 request.SetMaskingKeyMaterial(maskingKey.data(), maskingKey.size());
418 request.additional_params.Reinitialize(KmParamSet(unwrappingParams));
419 request.password_sid = passwordSid;
420 request.biometric_sid = biometricSid;
421
422 ImportWrappedKeyResponse response;
423 impl_->ImportWrappedKey(request, &response);
424
425 KeyCharacteristics resultCharacteristics;
426 hidl_vec<uint8_t> resultKeyBlob;
427 if (response.error == KM_ERROR_OK) {
428 resultKeyBlob = kmBlob2hidlVec(response.key_blob);
429 resultCharacteristics.hardwareEnforced = kmParamSet2Hidl(response.enforced);
430 resultCharacteristics.softwareEnforced = kmParamSet2Hidl(response.unenforced);
431 }
432 _hidl_cb(legacy_enum_conversion(response.error), resultKeyBlob, resultCharacteristics);
433 return Void();
434 }
435
exportKey(KeyFormat exportFormat,const hidl_vec<uint8_t> & keyBlob,const hidl_vec<uint8_t> & clientId,const hidl_vec<uint8_t> & appData,exportKey_cb _hidl_cb)436 Return<void> RemoteKeymaster4Device::exportKey(KeyFormat exportFormat,
437 const hidl_vec<uint8_t>& keyBlob,
438 const hidl_vec<uint8_t>& clientId,
439 const hidl_vec<uint8_t>& appData,
440 exportKey_cb _hidl_cb) {
441 ExportKeyRequest request;
442 request.key_format = legacy_enum_conversion(exportFormat);
443 request.SetKeyMaterial(keyBlob.data(), keyBlob.size());
444 addClientAndAppData(clientId, appData, &request.additional_params);
445
446 ExportKeyResponse response;
447 impl_->ExportKey(request, &response);
448
449 hidl_vec<uint8_t> resultKeyBlob;
450 if (response.error == KM_ERROR_OK) {
451 resultKeyBlob.setToExternal(response.key_data, response.key_data_length);
452 }
453 _hidl_cb(legacy_enum_conversion(response.error), resultKeyBlob);
454 return Void();
455 }
456
attestKey(const hidl_vec<uint8_t> & keyToAttest,const hidl_vec<KeyParameter> & attestParams,attestKey_cb _hidl_cb)457 Return<void> RemoteKeymaster4Device::attestKey(const hidl_vec<uint8_t>& keyToAttest,
458 const hidl_vec<KeyParameter>& attestParams,
459 attestKey_cb _hidl_cb) {
460 AttestKeyRequest request;
461 request.SetKeyMaterial(keyToAttest.data(), keyToAttest.size());
462 request.attest_params.Reinitialize(KmParamSet(attestParams));
463
464 AttestKeyResponse response;
465 impl_->AttestKey(request, &response);
466
467 hidl_vec<hidl_vec<uint8_t>> resultCertChain;
468 if (response.error == KM_ERROR_OK) {
469 resultCertChain = kmCertChain2Hidl(response.certificate_chain);
470 }
471 _hidl_cb(legacy_enum_conversion(response.error), resultCertChain);
472 return Void();
473 }
474
upgradeKey(const hidl_vec<uint8_t> & keyBlobToUpgrade,const hidl_vec<KeyParameter> & upgradeParams,upgradeKey_cb _hidl_cb)475 Return<void> RemoteKeymaster4Device::upgradeKey(const hidl_vec<uint8_t>& keyBlobToUpgrade,
476 const hidl_vec<KeyParameter>& upgradeParams,
477 upgradeKey_cb _hidl_cb) {
478 UpgradeKeyRequest request;
479 request.SetKeyMaterial(keyBlobToUpgrade.data(), keyBlobToUpgrade.size());
480 request.upgrade_params.Reinitialize(KmParamSet(upgradeParams));
481
482 UpgradeKeyResponse response;
483 impl_->UpgradeKey(request, &response);
484
485 if (response.error == KM_ERROR_OK) {
486 _hidl_cb(ErrorCode::OK, kmBlob2hidlVec(response.upgraded_key));
487 } else {
488 _hidl_cb(legacy_enum_conversion(response.error), hidl_vec<uint8_t>());
489 }
490 return Void();
491 }
492
deleteKey(const hidl_vec<uint8_t> & keyBlob)493 Return<ErrorCode> RemoteKeymaster4Device::deleteKey(const hidl_vec<uint8_t>& keyBlob) {
494 DeleteKeyRequest request;
495 request.SetKeyMaterial(keyBlob.data(), keyBlob.size());
496
497 DeleteKeyResponse response;
498 impl_->DeleteKey(request, &response);
499
500 return legacy_enum_conversion(response.error);
501 }
502
deleteAllKeys()503 Return<ErrorCode> RemoteKeymaster4Device::deleteAllKeys() {
504 DeleteAllKeysRequest request;
505 DeleteAllKeysResponse response;
506 impl_->DeleteAllKeys(request, &response);
507
508 return legacy_enum_conversion(response.error);
509 }
510
destroyAttestationIds()511 Return<ErrorCode> RemoteKeymaster4Device::destroyAttestationIds() {
512 return ErrorCode::UNIMPLEMENTED;
513 }
514
begin(KeyPurpose purpose,const hidl_vec<uint8_t> & key,const hidl_vec<KeyParameter> & inParams,const HardwareAuthToken & authToken,begin_cb _hidl_cb)515 Return<void> RemoteKeymaster4Device::begin(KeyPurpose purpose, const hidl_vec<uint8_t>& key,
516 const hidl_vec<KeyParameter>& inParams,
517 const HardwareAuthToken& authToken, begin_cb _hidl_cb) {
518 hidl_vec<KeyParameter> extendedParams = injectAuthToken(inParams, authToken);
519 BeginOperationRequest request;
520 request.purpose = legacy_enum_conversion(purpose);
521 request.SetKeyMaterial(key.data(), key.size());
522 request.additional_params.Reinitialize(KmParamSet(extendedParams));
523
524 BeginOperationResponse response;
525 impl_->BeginOperation(request, &response);
526
527 hidl_vec<KeyParameter> resultParams;
528 if (response.error == KM_ERROR_OK) {
529 resultParams = kmParamSet2Hidl(response.output_params);
530 }
531
532 _hidl_cb(legacy_enum_conversion(response.error), resultParams, response.op_handle);
533 return Void();
534 }
535
update(uint64_t operationHandle,const hidl_vec<KeyParameter> & inParams,const hidl_vec<uint8_t> & input,const HardwareAuthToken & authToken,const VerificationToken & verificationToken,update_cb _hidl_cb)536 Return<void> RemoteKeymaster4Device::update(uint64_t operationHandle,
537 const hidl_vec<KeyParameter>& inParams,
538 const hidl_vec<uint8_t>& input,
539 const HardwareAuthToken& authToken,
540 const VerificationToken& verificationToken,
541 update_cb _hidl_cb) {
542 (void)verificationToken;
543 UpdateOperationRequest request;
544 UpdateOperationResponse response;
545 hidl_vec<KeyParameter> resultParams;
546 hidl_vec<uint8_t> resultBlob;
547 hidl_vec<KeyParameter> extendedParams = injectAuthToken(inParams, authToken);
548 uint32_t resultConsumed = 0;
549
550 request.op_handle = operationHandle;
551 request.additional_params.Reinitialize(KmParamSet(extendedParams));
552
553 // TODO(schuffelen): Set a buffer size limit.
554 request.input.Reinitialize(input.data(), input.size());
555
556 impl_->UpdateOperation(request, &response);
557
558 if (response.error == KM_ERROR_OK) {
559 resultConsumed = response.input_consumed;
560 resultParams = kmParamSet2Hidl(response.output_params);
561 resultBlob = kmBuffer2hidlVec(response.output);
562 }
563 _hidl_cb(legacy_enum_conversion(response.error), resultConsumed, resultParams, resultBlob);
564 return Void();
565 }
566
finish(uint64_t operationHandle,const hidl_vec<KeyParameter> & inParams,const hidl_vec<uint8_t> & input,const hidl_vec<uint8_t> & signature,const HardwareAuthToken & authToken,const VerificationToken & verificationToken,finish_cb _hidl_cb)567 Return<void> RemoteKeymaster4Device::finish(uint64_t operationHandle,
568 const hidl_vec<KeyParameter>& inParams,
569 const hidl_vec<uint8_t>& input,
570 const hidl_vec<uint8_t>& signature,
571 const HardwareAuthToken& authToken,
572 const VerificationToken& verificationToken,
573 finish_cb _hidl_cb) {
574 (void)verificationToken;
575 FinishOperationRequest request;
576 hidl_vec<KeyParameter> extendedParams = injectAuthToken(inParams, authToken);
577 request.op_handle = operationHandle;
578 request.input.Reinitialize(input.data(), input.size());
579 request.signature.Reinitialize(signature.data(), signature.size());
580 request.additional_params.Reinitialize(KmParamSet(extendedParams));
581
582 FinishOperationResponse response;
583 impl_->FinishOperation(request, &response);
584
585 hidl_vec<KeyParameter> resultParams;
586 hidl_vec<uint8_t> resultBlob;
587 if (response.error == KM_ERROR_OK) {
588 resultParams = kmParamSet2Hidl(response.output_params);
589 resultBlob = kmBuffer2hidlVec(response.output);
590 }
591 _hidl_cb(legacy_enum_conversion(response.error), resultParams, resultBlob);
592 return Void();
593 }
594
abort(uint64_t operationHandle)595 Return<ErrorCode> RemoteKeymaster4Device::abort(uint64_t operationHandle) {
596 AbortOperationRequest request;
597 request.op_handle = operationHandle;
598
599 AbortOperationResponse response;
600 impl_->AbortOperation(request, &response);
601
602 return legacy_enum_conversion(response.error);
603 }
604
deviceLocked(bool passwordOnly,const VerificationToken & verificationToken)605 Return<ErrorCodeV41> RemoteKeymaster4Device::deviceLocked(
606 bool passwordOnly, const VerificationToken& verificationToken) {
607 keymaster::VerificationToken internal_verification_token;
608 internal_verification_token.challenge = verificationToken.challenge;
609 internal_verification_token.timestamp = verificationToken.timestamp;
610 internal_verification_token.parameters_verified.Reinitialize(
611 KmParamSet(verificationToken.parametersVerified));
612 internal_verification_token.security_level =
613 static_cast<keymaster_security_level_t>(verificationToken.securityLevel);
614 internal_verification_token.mac =
615 KeymasterBlob(verificationToken.mac.data(), verificationToken.mac.size());
616
617 DeviceLockedRequest request(
618 passwordOnly, std::move(internal_verification_token));
619
620 auto response = impl_->DeviceLocked(request);
621
622 return ErrorCodeV41(response.error);
623 }
624
earlyBootEnded()625 Return<ErrorCodeV41> RemoteKeymaster4Device::earlyBootEnded() {
626 auto response = impl_->EarlyBootEnded();
627
628 return ErrorCodeV41(response.error);
629 }
630
631 } // namespace V4_1
632 } // namespace keymaster
633