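/*
 * Copyright 2020, The Android Open Source Project
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

#pragma once

// Standard headers for the std:: names this header spells out itself, so it
// does not depend on what the AIDL headers happen to pull in.
#include <array>
#include <cstdint>
#include <memory>
#include <optional>
#include <tuple>
#include <utility>
#include <vector>

#include <aidl/android/hardware/security/keymint/BnKeyMintDevice.h>
#include <aidl/android/hardware/security/keymint/BnKeyMintOperation.h>
#include <aidl/android/hardware/security/keymint/HardwareAuthToken.h>
#include <aidl/android/hardware/security/sharedsecret/SharedSecretParameters.h>

// NOTE(review): keymaster_error_t is used below but no header included directly
// here declares it; presumably it arrives through one of these two - confirm.
#include "CborConverter.h"
#include "JavacardSecureElement.h"

namespace aidl::android::hardware::security::keymint {
using cppbor::Item;
using ::keymint::javacard::CborConverter;
using ::keymint::javacard::JavacardSecureElement;
using ndk::ScopedAStatus;
using secureclock::TimeStampToken;
using std::array;
using std::optional;
using std::shared_ptr;
using std::vector;

// KeyMint device service whose requests are handed to a JavacardSecureElement.
//
// The class derives from BnKeyMintDevice, the AIDL-generated native binder
// stub, so the arguments of the public overrides originate in another process.
// Only the signatures are fixed here; length and content checks on key blobs,
// key parameters and tokens belong to the implementations, which are not part
// of this header.
class JavacardKeyMintDevice : public BnKeyMintDevice {
  public:
    // Binds the service to `card` and initialises the secure element.
    //
    // The reported security level is fixed to SecurityLevel::STRONGBOX.
    // `card` must be non-null: it is dereferenced unconditionally below.
    // Whatever initializeJavacard() returns, if anything, is discarded here,
    // so a failed initialisation is not visible to the caller of this
    // constructor - confirm how later commands surface it.
    explicit JavacardKeyMintDevice(shared_ptr<JavacardSecureElement> card)
        : securitylevel_(SecurityLevel::STRONGBOX), card_(std::move(card)) {
        card_->initializeJavacard();
    }

    virtual ~JavacardKeyMintDevice() = default;

    // --- IKeyMintDevice overrides: device information and entropy ---

    ScopedAStatus getHardwareInfo(KeyMintHardwareInfo* info) override;

    ScopedAStatus addRngEntropy(const vector<uint8_t>& data) override;

    // --- IKeyMintDevice overrides: key creation and import ---

    ScopedAStatus generateKey(const vector<KeyParameter>& keyParams,
                              const optional<AttestationKey>& attestationKey,
                              KeyCreationResult* creationResult) override;

    ScopedAStatus importKey(const vector<KeyParameter>& keyParams, KeyFormat keyFormat,
                            const vector<uint8_t>& keyData,
                            const optional<AttestationKey>& attestationKey,
                            KeyCreationResult* creationResult) override;

    // Wrapped-key import. The private helpers parseWrappedKey(),
    // sendBeginImportWrappedKeyCmd() and sendFinishImportWrappedKeyCmd()
    // declared below take the same inputs in pieces.
    ScopedAStatus importWrappedKey(const vector<uint8_t>& wrappedKeyData,
                                   const vector<uint8_t>& wrappingKeyBlob,
                                   const vector<uint8_t>& maskingKey,
                                   const vector<KeyParameter>& unwrappingParams,
                                   int64_t passwordSid, int64_t biometricSid,
                                   KeyCreationResult* creationResult) override;

    ScopedAStatus upgradeKey(const vector<uint8_t>& keyBlobToUpgrade,
                             const vector<KeyParameter>& upgradeParams,
                             vector<uint8_t>* keyBlob) override;

    // --- IKeyMintDevice overrides: destructive operations ---
    // None of these takes an argument that identifies or authorises the
    // caller, so access control has to be enforced outside these signatures.

    ScopedAStatus deleteKey(const vector<uint8_t>& keyBlob) override;
    ScopedAStatus deleteAllKeys() override;
    ScopedAStatus destroyAttestationIds() override;

    // --- IKeyMintDevice overrides: key use and device state ---

    // The auth token is optional at the interface level; whether an
    // operation may start without one is decided by the implementation.
    ScopedAStatus begin(KeyPurpose in_purpose, const vector<uint8_t>& in_keyBlob,
                        const vector<KeyParameter>& in_params,
                        const optional<HardwareAuthToken>& in_authToken,
                        BeginResult* _aidl_return) override;

    ScopedAStatus deviceLocked(bool passwordOnly,
                               const optional<TimeStampToken>& timestampToken) override;

    ScopedAStatus earlyBootEnded() override;

    ScopedAStatus getKeyCharacteristics(const vector<uint8_t>& in_keyBlob,
                                        const vector<uint8_t>& in_appId,
                                        const vector<uint8_t>& in_appData,
                                        vector<KeyCharacteristics>* _aidl_return) override;

    ScopedAStatus convertStorageKeyToEphemeral(const vector<uint8_t>& storageKeyBlob,
                                               vector<uint8_t>* ephemeralKeyBlob) override;

    // --- IKeyMintDevice overrides: root-of-trust exchange ---
    // The challenge is a fixed 16-byte array in both directions.

    ScopedAStatus getRootOfTrustChallenge(array<uint8_t, 16>* challenge) override;

    ScopedAStatus getRootOfTrust(const array<uint8_t, 16>& challenge,
                                 vector<uint8_t>* rootOfTrust) override;

    ScopedAStatus sendRootOfTrust(const vector<uint8_t>& rootOfTrust) override;

  private:
    // Splits `wrappedKeyData` into the output parameters (judging by their
    // names: IV, transit key, secure key, tag, authorisation list, key format
    // and wrapped-key description). The input comes straight from
    // importWrappedKey(), i.e. from the caller of the service.
    keymaster_error_t parseWrappedKey(const vector<uint8_t>& wrappedKeyData,
                                      vector<uint8_t>& iv, vector<uint8_t>& transitKey,
                                      vector<uint8_t>& secureKey, vector<uint8_t>& tag,
                                      vector<KeyParameter>& authList, KeyFormat& keyFormat,
                                      vector<uint8_t>& wrappedKeyDescription);

    // First half of the wrapped-key import. Returns the response item together
    // with an error code; callers must check the code before using the item.
    std::tuple<std::unique_ptr<Item>, keymaster_error_t> sendBeginImportWrappedKeyCmd(
        const vector<uint8_t>& transitKey, const vector<uint8_t>& wrappingKeyBlob,
        const vector<uint8_t>& maskingKey, const vector<KeyParameter>& unwrappingParams);

    // Second half of the wrapped-key import; same return convention as
    // sendBeginImportWrappedKeyCmd().
    std::tuple<std::unique_ptr<Item>, keymaster_error_t>
    sendFinishImportWrappedKeyCmd(const vector<KeyParameter>& keyParams, KeyFormat keyFormat,
                                  const vector<uint8_t>& secureKey,
                                  const vector<uint8_t>& tag, const vector<uint8_t>& iv,
                                  const vector<uint8_t>& wrappedKeyDescription,
                                  int64_t passwordSid, int64_t biometricSid);

    ScopedAStatus defaultHwInfo(KeyMintHardwareInfo* info);

    // Set once in the constructor to SecurityLevel::STRONGBOX.
    const SecurityLevel securitylevel_;
    // Shared handle to the secure element; never reseated after construction.
    const shared_ptr<JavacardSecureElement> card_;
    // Presumably encodes and decodes the CBOR exchanged with the secure
    // element - confirm against CborConverter.h.
    CborConverter cbor_;
};

}  // namespace aidl::android::hardware::security::keymint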