1 /*
2 * Copyright 2020, The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16 /******************************************************************************
17 *
18 * The original Work has been changed by NXP.
19 *
20 * Licensed under the Apache License, Version 2.0 (the "License");
21 * you may not use this file except in compliance with the License.
22 * You may obtain a copy of the License at
23 *
24 * http://www.apache.org/licenses/LICENSE-2.0
25 *
26 * Unless required by applicable law or agreed to in writing, software
27 * distributed under the License is distributed on an "AS IS" BASIS,
28 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
29 * See the License for the specific language governing permissions and
30 * limitations under the License.
31 *
32 * Copyright 2022,2024 NXP
33 *
34 ******************************************************************************/
35 #define LOG_TAG "javacard.keymint.device.strongbox-impl"
36 #include "JavacardKeyMintDevice.h"
37
38 #include <regex.h>
39
40 #include <algorithm>
41 #include <iostream>
42 #include <iterator>
43 #include <memory>
44 #include <memunreachable/memunreachable.h>
45 #include <string>
46 #include <vector>
47
48 #include <KeyMintUtils.h>
49 #include <android-base/logging.h>
50 #include <android-base/properties.h>
51 #include <hardware/hw_auth_token.h>
52 #include <keymaster/android_keymaster_messages.h>
53 #include <keymaster/wrapped_key.h>
54
55 #include "JavacardKeyMintOperation.h"
56 #include "JavacardSharedSecret.h"
57
58 namespace aidl::android::hardware::security::keymint {
59 using cppbor::Bstr;
60 using cppbor::EncodedItem;
61 using cppbor::Uint;
62 using ::keymaster::AuthorizationSet;
63 using ::keymaster::dup_buffer;
64 using ::keymaster::KeymasterBlob;
65 using ::keymaster::KeymasterKeyBlob;
66 using ::keymint::javacard::Instruction;
67 using std::string;
68
defaultHwInfo(KeyMintHardwareInfo * info)69 ScopedAStatus JavacardKeyMintDevice::defaultHwInfo(KeyMintHardwareInfo* info) {
70 info->versionNumber = 2;
71 info->keyMintAuthorName = "Google";
72 info->keyMintName = "JavacardKeymintDevice";
73 info->securityLevel = securitylevel_;
74 info->timestampTokenRequired = true;
75 return ScopedAStatus::ok();
76 }
77
getHardwareInfo(KeyMintHardwareInfo * info)78 ScopedAStatus JavacardKeyMintDevice::getHardwareInfo(KeyMintHardwareInfo* info) {
79 auto [item, err] = card_->sendRequest(Instruction::INS_GET_HW_INFO_CMD);
80 std::optional<string> optKeyMintName;
81 std::optional<string> optKeyMintAuthorName;
82 std::optional<uint64_t> optSecLevel;
83 std::optional<uint64_t> optVersion;
84 std::optional<uint64_t> optTsRequired;
85 if (err != KM_ERROR_OK || !(optVersion = cbor_.getUint64(item, 1)) ||
86 !(optSecLevel = cbor_.getUint64(item, 2)) ||
87 !(optKeyMintName = cbor_.getByteArrayStr(item, 3)) ||
88 !(optKeyMintAuthorName = cbor_.getByteArrayStr(item, 4)) ||
89 !(optTsRequired = cbor_.getUint64(item, 5))) {
90 LOG(ERROR) << "Error in response of getHardwareInfo.";
91 LOG(INFO) << "Returning defaultHwInfo in getHardwareInfo.";
92 return defaultHwInfo(info);
93 }
94 info->keyMintName = std::move(optKeyMintName.value());
95 info->keyMintAuthorName = std::move(optKeyMintAuthorName.value());
96 info->timestampTokenRequired = (optTsRequired.value() == 1);
97 info->securityLevel = static_cast<SecurityLevel>(std::move(optSecLevel.value()));
98 info->versionNumber = static_cast<int32_t>(std::move(optVersion.value()));
99 return ScopedAStatus::ok();
100 }
101
generateKey(const vector<KeyParameter> & keyParams,const optional<AttestationKey> & attestationKey,KeyCreationResult * creationResult)102 ScopedAStatus JavacardKeyMintDevice::generateKey(const vector<KeyParameter>& keyParams,
103 const optional<AttestationKey>& attestationKey,
104 KeyCreationResult* creationResult) {
105 card_->sendPendingEvents();
106 cppbor::Array array;
107 // add key params
108 cbor_.addKeyparameters(array, keyParams);
109 // add attestation key if any
110 cbor_.addAttestationKey(array, attestationKey);
111 auto [item, err] = card_->sendRequest(Instruction::INS_GENERATE_KEY_CMD, array);
112 if (err != KM_ERROR_OK) {
113 LOG(ERROR) << "Error in sending generateKey.";
114 return km_utils::kmError2ScopedAStatus(err);
115 }
116 auto optKeyBlob = cbor_.getByteArrayVec(item, 1);
117 auto optKeyChars = cbor_.getKeyCharacteristics(item, 2);
118 auto optCertChain = cbor_.getCertificateChain(item, 3);
119 if (!optKeyBlob || !optKeyChars || !optCertChain) {
120 LOG(ERROR) << "Error in decoding og response in generateKey.";
121 return km_utils::kmError2ScopedAStatus(KM_ERROR_UNKNOWN_ERROR);
122 }
123 creationResult->keyCharacteristics = std::move(optKeyChars.value());
124 creationResult->certificateChain = std::move(optCertChain.value());
125 creationResult->keyBlob = std::move(optKeyBlob.value());
126 return ScopedAStatus::ok();
127 }
128
addRngEntropy(const vector<uint8_t> & data)129 ScopedAStatus JavacardKeyMintDevice::addRngEntropy(const vector<uint8_t>& data) {
130 cppbor::Array request;
131 // add key data
132 request.add(Bstr(data));
133 auto [item, err] = card_->sendRequest(Instruction::INS_ADD_RNG_ENTROPY_CMD, request);
134 if (err != KM_ERROR_OK) {
135 LOG(ERROR) << "Error in sending addRngEntropy.";
136 return km_utils::kmError2ScopedAStatus(err);
137 }
138 return ScopedAStatus::ok();
139 }
140
importKey(const vector<KeyParameter> & keyParams,KeyFormat keyFormat,const vector<uint8_t> & keyData,const optional<AttestationKey> & attestationKey,KeyCreationResult * creationResult)141 ScopedAStatus JavacardKeyMintDevice::importKey(const vector<KeyParameter>& keyParams,
142 KeyFormat keyFormat, const vector<uint8_t>& keyData,
143 const optional<AttestationKey>& attestationKey,
144 KeyCreationResult* creationResult) {
145 card_->sendPendingEvents();
146 cppbor::Array request;
147 // add key params
148 cbor_.addKeyparameters(request, keyParams);
149 // add key format
150 request.add(Uint(static_cast<uint8_t>(keyFormat)));
151 // add key data
152 request.add(Bstr(keyData));
153 // add attestation key if any
154 cbor_.addAttestationKey(request, attestationKey);
155
156 auto [item, err] = card_->sendRequest(Instruction::INS_IMPORT_KEY_CMD, request);
157 if (err != KM_ERROR_OK) {
158 LOG(ERROR) << "Error in sending data in importKey.";
159 return km_utils::kmError2ScopedAStatus(err);
160 }
161 auto optKeyBlob = cbor_.getByteArrayVec(item, 1);
162 auto optKeyChars = cbor_.getKeyCharacteristics(item, 2);
163 auto optCertChain = cbor_.getCertificateChain(item, 3);
164 if (!optKeyBlob || !optKeyChars || !optCertChain) {
165 LOG(ERROR) << "Error in decoding response in importKey.";
166 return km_utils::kmError2ScopedAStatus(KM_ERROR_UNKNOWN_ERROR);
167 }
168 creationResult->keyCharacteristics = std::move(optKeyChars.value());
169 creationResult->certificateChain = std::move(optCertChain.value());
170 creationResult->keyBlob = std::move(optKeyBlob.value());
171 return ScopedAStatus::ok();
172 }
173
174 // import wrapped key is divided into 2 stage operation.
importWrappedKey(const vector<uint8_t> & wrappedKeyData,const vector<uint8_t> & wrappingKeyBlob,const vector<uint8_t> & maskingKey,const vector<KeyParameter> & unwrappingParams,int64_t passwordSid,int64_t biometricSid,KeyCreationResult * creationResult)175 ScopedAStatus JavacardKeyMintDevice::importWrappedKey(const vector<uint8_t>& wrappedKeyData,
176 const vector<uint8_t>& wrappingKeyBlob,
177 const vector<uint8_t>& maskingKey,
178 const vector<KeyParameter>& unwrappingParams,
179 int64_t passwordSid, int64_t biometricSid,
180 KeyCreationResult* creationResult) {
181 card_->sendPendingEvents();
182 cppbor::Array request;
183 std::unique_ptr<Item> item;
184 vector<uint8_t> keyBlob;
185 std::vector<uint8_t> response;
186 vector<KeyCharacteristics> keyCharacteristics;
187 std::vector<uint8_t> iv;
188 std::vector<uint8_t> transitKey;
189 std::vector<uint8_t> secureKey;
190 std::vector<uint8_t> tag;
191 vector<KeyParameter> authList;
192 KeyFormat keyFormat;
193 std::vector<uint8_t> wrappedKeyDescription;
194 keymaster_error_t errorCode = parseWrappedKey(wrappedKeyData, iv, transitKey, secureKey, tag,
195 authList, keyFormat, wrappedKeyDescription);
196 if (errorCode != KM_ERROR_OK) {
197 LOG(ERROR) << "Error in parse wrapped key in importWrappedKey.";
198 return km_utils::kmError2ScopedAStatus(errorCode);
199 }
200
201 // begin import
202 std::tie(item, errorCode) =
203 sendBeginImportWrappedKeyCmd(transitKey, wrappingKeyBlob, maskingKey, unwrappingParams);
204 if (errorCode != KM_ERROR_OK) {
205 LOG(ERROR) << "Error in send begin import wrapped key in importWrappedKey.";
206 return km_utils::kmError2ScopedAStatus(errorCode);
207 }
208 // Finish the import
209 std::tie(item, errorCode) = sendFinishImportWrappedKeyCmd(
210 authList, keyFormat, secureKey, tag, iv, wrappedKeyDescription, passwordSid, biometricSid);
211 if (errorCode != KM_ERROR_OK) {
212 LOG(ERROR) << "Error in send finish import wrapped key in importWrappedKey.";
213 return km_utils::kmError2ScopedAStatus(errorCode);
214 }
215 auto optKeyBlob = cbor_.getByteArrayVec(item, 1);
216 auto optKeyChars = cbor_.getKeyCharacteristics(item, 2);
217 auto optCertChain = cbor_.getCertificateChain(item, 3);
218 if (!optKeyBlob || !optKeyChars || !optCertChain) {
219 LOG(ERROR) << "Error in decoding the response in importWrappedKey.";
220 return km_utils::kmError2ScopedAStatus(KM_ERROR_UNKNOWN_ERROR);
221 }
222 creationResult->keyCharacteristics = std::move(optKeyChars.value());
223 creationResult->certificateChain = std::move(optCertChain.value());
224 creationResult->keyBlob = std::move(optKeyBlob.value());
225 return ScopedAStatus::ok();
226 }
227
228 std::tuple<std::unique_ptr<Item>, keymaster_error_t>
sendBeginImportWrappedKeyCmd(const std::vector<uint8_t> & transitKey,const std::vector<uint8_t> & wrappingKeyBlob,const std::vector<uint8_t> & maskingKey,const vector<KeyParameter> & unwrappingParams)229 JavacardKeyMintDevice::sendBeginImportWrappedKeyCmd(const std::vector<uint8_t>& transitKey,
230 const std::vector<uint8_t>& wrappingKeyBlob,
231 const std::vector<uint8_t>& maskingKey,
232 const vector<KeyParameter>& unwrappingParams) {
233 Array request;
234 request.add(std::vector<uint8_t>(transitKey));
235 request.add(std::vector<uint8_t>(wrappingKeyBlob));
236 request.add(std::vector<uint8_t>(maskingKey));
237 cbor_.addKeyparameters(request, unwrappingParams);
238 return card_->sendRequest(Instruction::INS_BEGIN_IMPORT_WRAPPED_KEY_CMD, request);
239 }
240
241 std::tuple<std::unique_ptr<Item>, keymaster_error_t>
sendFinishImportWrappedKeyCmd(const vector<KeyParameter> & keyParams,KeyFormat keyFormat,const std::vector<uint8_t> & secureKey,const std::vector<uint8_t> & tag,const std::vector<uint8_t> & iv,const std::vector<uint8_t> & wrappedKeyDescription,int64_t passwordSid,int64_t biometricSid)242 JavacardKeyMintDevice::sendFinishImportWrappedKeyCmd(
243 const vector<KeyParameter>& keyParams, KeyFormat keyFormat,
244 const std::vector<uint8_t>& secureKey, const std::vector<uint8_t>& tag,
245 const std::vector<uint8_t>& iv, const std::vector<uint8_t>& wrappedKeyDescription,
246 int64_t passwordSid, int64_t biometricSid) {
247 Array request;
248 cbor_.addKeyparameters(request, keyParams);
249 request.add(static_cast<uint64_t>(keyFormat));
250 request.add(std::vector<uint8_t>(secureKey));
251 request.add(std::vector<uint8_t>(tag));
252 request.add(std::vector<uint8_t>(iv));
253 request.add(std::vector<uint8_t>(wrappedKeyDescription));
254 request.add(Uint(passwordSid));
255 request.add(Uint(biometricSid));
256 return card_->sendRequest(Instruction::INS_FINISH_IMPORT_WRAPPED_KEY_CMD, request);
257 }
258
upgradeKey(const vector<uint8_t> & keyBlobToUpgrade,const vector<KeyParameter> & upgradeParams,vector<uint8_t> * keyBlob)259 ScopedAStatus JavacardKeyMintDevice::upgradeKey(const vector<uint8_t>& keyBlobToUpgrade,
260 const vector<KeyParameter>& upgradeParams,
261 vector<uint8_t>* keyBlob) {
262 card_->sendPendingEvents();
263 cppbor::Array request;
264 // add key blob
265 request.add(Bstr(keyBlobToUpgrade));
266 // add key params
267 cbor_.addKeyparameters(request, upgradeParams);
268 auto [item, err] = card_->sendRequest(Instruction::INS_UPGRADE_KEY_CMD, request);
269 if (err != KM_ERROR_OK) {
270 LOG(ERROR) << "Error in sending in upgradeKey.";
271 return km_utils::kmError2ScopedAStatus(err);
272 }
273 auto optKeyBlob = cbor_.getByteArrayVec(item, 1);
274 if (!optKeyBlob) {
275 LOG(ERROR) << "Error in decoding the response in upgradeKey.";
276 return km_utils::kmError2ScopedAStatus(KM_ERROR_UNKNOWN_ERROR);
277 }
278 *keyBlob = std::move(optKeyBlob.value());
279 return ScopedAStatus::ok();
280 }
281
deleteKey(const vector<uint8_t> & keyBlob)282 ScopedAStatus JavacardKeyMintDevice::deleteKey(const vector<uint8_t>& keyBlob) {
283 Array request;
284 request.add(Bstr(keyBlob));
285 auto [item, err] = card_->sendRequest(Instruction::INS_DELETE_KEY_CMD, request);
286 if (err != KM_ERROR_OK) {
287 LOG(ERROR) << "Error in sending in deleteKey.";
288 return km_utils::kmError2ScopedAStatus(err);
289 }
290 return ScopedAStatus::ok();
291 }
292
deleteAllKeys()293 ScopedAStatus JavacardKeyMintDevice::deleteAllKeys() {
294 auto [_, err] = card_->sendRequest(Instruction::INS_DELETE_ALL_KEYS_CMD);
295 if (err != KM_ERROR_OK) {
296 LOG(ERROR) << "Error in sending deleteAllKeys.";
297 card_->setDeleteAllKeysPending();
298 return km_utils::kmError2ScopedAStatus(err);
299 }
300 return ScopedAStatus::ok();
301 }
302
destroyAttestationIds()303 ScopedAStatus JavacardKeyMintDevice::destroyAttestationIds() {
304 auto [item, err] = card_->sendRequest(Instruction::INS_DESTROY_ATT_IDS_CMD);
305 if (err != KM_ERROR_OK) {
306 LOG(ERROR) << "Error in sending in destroyAttestationIds.";
307 return km_utils::kmError2ScopedAStatus(err);
308 }
309 return ScopedAStatus::ok();
310 }
311
begin(KeyPurpose purpose,const std::vector<uint8_t> & keyBlob,const std::vector<KeyParameter> & params,const std::optional<HardwareAuthToken> & authToken,BeginResult * result)312 ScopedAStatus JavacardKeyMintDevice::begin(KeyPurpose purpose, const std::vector<uint8_t>& keyBlob,
313 const std::vector<KeyParameter>& params,
314 const std::optional<HardwareAuthToken>& authToken,
315 BeginResult* result) {
316 card_->sendPendingEvents();
317 cppbor::Array array;
318 std::vector<uint8_t> response;
319 // make request
320 array.add(Uint(static_cast<uint64_t>(purpose)));
321 array.add(Bstr(keyBlob));
322 cbor_.addKeyparameters(array, params);
323 HardwareAuthToken token = authToken.value_or(HardwareAuthToken());
324 cbor_.addHardwareAuthToken(array, token);
325
326 auto [item, err] = card_->sendRequest(Instruction::INS_BEGIN_OPERATION_CMD, array);
327 if (err != KM_ERROR_OK) {
328 LOG(ERROR) << "Error in sending in begin.";
329 return km_utils::kmError2ScopedAStatus(err);
330 }
331 // return the result
332 auto keyParams = cbor_.getKeyParameters(item, 1);
333 auto optOpHandle = cbor_.getUint64(item, 2);
334 auto optBufMode = cbor_.getUint64(item, 3);
335 auto optMacLength = cbor_.getUint64(item, 4);
336
337 if (!keyParams || !optOpHandle || !optBufMode || !optMacLength) {
338 LOG(ERROR) << "Error in decoding the response in begin.";
339 return km_utils::kmError2ScopedAStatus(KM_ERROR_UNKNOWN_ERROR);
340 }
341 result->params = std::move(keyParams.value());
342 result->challenge = optOpHandle.value();
343 result->operation = ndk::SharedRefBase::make<JavacardKeyMintOperation>(
344 static_cast<keymaster_operation_handle_t>(optOpHandle.value()),
345 static_cast<BufferingMode>(optBufMode.value()), optMacLength.value(), card_);
346 return ScopedAStatus::ok();
347 }
348
349 ScopedAStatus
deviceLocked(bool passwordOnly,const std::optional<TimeStampToken> & timestampToken)350 JavacardKeyMintDevice::deviceLocked(bool passwordOnly,
351 const std::optional<TimeStampToken>& timestampToken) {
352 Array request;
353 int8_t password = 1;
354 if (!passwordOnly) {
355 password = 0;
356 }
357 request.add(Uint(password));
358 cbor_.addTimeStampToken(request, timestampToken.value_or(TimeStampToken()));
359 auto [item, err] = card_->sendRequest(Instruction::INS_DEVICE_LOCKED_CMD, request);
360 if (err != KM_ERROR_OK) {
361 return km_utils::kmError2ScopedAStatus(err);
362 }
363 return ScopedAStatus::ok();
364 }
365
earlyBootEnded()366 ScopedAStatus JavacardKeyMintDevice::earlyBootEnded() {
367 auto [_, err] = card_->sendRequest(Instruction::INS_EARLY_BOOT_ENDED_CMD);
368 if (err != KM_ERROR_OK) {
369 LOG(ERROR) << "Error in sending earlyBootEnded.";
370 card_->setEarlyBootEndedPending();
371 return km_utils::kmError2ScopedAStatus(err);
372 }
373 return ScopedAStatus::ok();
374 }
375
getKeyCharacteristics(const std::vector<uint8_t> & keyBlob,const std::vector<uint8_t> & appId,const std::vector<uint8_t> & appData,std::vector<KeyCharacteristics> * result)376 ScopedAStatus JavacardKeyMintDevice::getKeyCharacteristics(
377 const std::vector<uint8_t>& keyBlob, const std::vector<uint8_t>& appId,
378 const std::vector<uint8_t>& appData, std::vector<KeyCharacteristics>* result) {
379 card_->sendPendingEvents();
380 cppbor::Array request;
381 request.add(vector<uint8_t>(keyBlob));
382 request.add(vector<uint8_t>(appId));
383 request.add(vector<uint8_t>(appData));
384 auto [item, err] = card_->sendRequest(Instruction::INS_GET_KEY_CHARACTERISTICS_CMD, request);
385 if (err != KM_ERROR_OK) {
386 LOG(ERROR) << "Error in sending in getKeyCharacteristics.";
387 return km_utils::kmError2ScopedAStatus(err);
388 }
389 auto optKeyChars = cbor_.getKeyCharacteristics(item, 1);
390 if (!optKeyChars) {
391 LOG(ERROR) << "Error in sending in upgradeKey.";
392 return km_utils::kmError2ScopedAStatus(KM_ERROR_UNKNOWN_ERROR);
393 }
394 *result = std::move(optKeyChars.value());
395 return ScopedAStatus::ok();
396 }
397
getRootOfTrustChallenge(std::array<uint8_t,16> * challenge)398 ScopedAStatus JavacardKeyMintDevice::getRootOfTrustChallenge(std::array<uint8_t, 16>* challenge) {
399 #ifdef INIT_USING_SEHAL_TRANSPORT
400 auto [item, err] = card_->sendRequestSeHal(Instruction::INS_GET_ROT_CHALLENGE_CMD);
401 #else
402 auto [item, err] = card_->sendRequest(Instruction::INS_GET_ROT_CHALLENGE_CMD);
403 #endif
404 if (err != KM_ERROR_OK) {
405 LOG(ERROR) << "Error in sending in getRootOfTrustChallenge.";
406 #ifdef INIT_USING_SEHAL_TRANSPORT
407 card_->closeSEHal();
408 #endif
409 return km_utils::kmError2ScopedAStatus(err);
410 }
411 auto optChallenge = cbor_.getByteArrayVec(item, 1);
412 if (!optChallenge) {
413 LOG(ERROR) << "Error in sending in upgradeKey.";
414 return km_utils::kmError2ScopedAStatus(KM_ERROR_UNKNOWN_ERROR);
415 }
416 std::move(optChallenge->begin(), optChallenge->begin() + 16, challenge->begin());
417 return ScopedAStatus::ok();
418 }
419
getRootOfTrust(const std::array<uint8_t,16> &,std::vector<uint8_t> *)420 ScopedAStatus JavacardKeyMintDevice::getRootOfTrust(const std::array<uint8_t, 16>& /*challenge*/,
421 std::vector<uint8_t>* /*rootOfTrust*/) {
422 return km_utils::kmError2ScopedAStatus(KM_ERROR_UNIMPLEMENTED);
423 }
424
sendRootOfTrust(const std::vector<uint8_t> & rootOfTrust)425 ScopedAStatus JavacardKeyMintDevice::sendRootOfTrust(const std::vector<uint8_t>& rootOfTrust) {
426 cppbor::Array request;
427 std::unique_ptr<Item> item;
428 keymaster_error_t err;
429 request.add(EncodedItem(rootOfTrust)); // taggedItem.
430 #ifdef INIT_USING_SEHAL_TRANSPORT
431 std::tie(item, err) =
432 card_->sendRequestSeHal(Instruction::INS_SEND_ROT_DATA_CMD, request.encode());
433 card_->closeSEHal();
434 #else
435 std::tie(item, err) = card_->sendRequest(Instruction::INS_SEND_ROT_DATA_CMD, request.encode());
436 #endif
437 if (err != KM_ERROR_OK) {
438 LOG(ERROR) << "Error in sending in sendRootOfTrust.";
439 return km_utils::kmError2ScopedAStatus(err);
440 }
441 LOG(INFO) << "JavacardKeyMintDevice::sendRootOfTrust success";
442 return ScopedAStatus::ok();
443 }
444
445 keymaster_error_t
parseWrappedKey(const vector<uint8_t> & wrappedKeyData,std::vector<uint8_t> & iv,std::vector<uint8_t> & transitKey,std::vector<uint8_t> & secureKey,std::vector<uint8_t> & tag,vector<KeyParameter> & authList,KeyFormat & keyFormat,std::vector<uint8_t> & wrappedKeyDescription)446 JavacardKeyMintDevice::parseWrappedKey(const vector<uint8_t>& wrappedKeyData,
447 std::vector<uint8_t>& iv, std::vector<uint8_t>& transitKey,
448 std::vector<uint8_t>& secureKey, std::vector<uint8_t>& tag,
449 vector<KeyParameter>& authList, KeyFormat& keyFormat,
450 std::vector<uint8_t>& wrappedKeyDescription) {
451 KeymasterBlob kmIv;
452 KeymasterKeyBlob kmTransitKey;
453 KeymasterKeyBlob kmSecureKey;
454 KeymasterBlob kmTag;
455 AuthorizationSet authSet;
456 keymaster_key_format_t kmKeyFormat;
457 KeymasterBlob kmWrappedKeyDescription;
458
459 size_t keyDataLen = wrappedKeyData.size();
460 uint8_t* keyData = dup_buffer(wrappedKeyData.data(), keyDataLen);
461 keymaster_key_blob_t keyMaterial = {keyData, keyDataLen};
462 keymaster_error_t error =
463 parse_wrapped_key(KeymasterKeyBlob(keyMaterial), &kmIv, &kmTransitKey, &kmSecureKey, &kmTag,
464 &authSet, &kmKeyFormat, &kmWrappedKeyDescription);
465 if (error != KM_ERROR_OK) {
466 LOG(ERROR) << "Error parsing wrapped key.";
467 return error;
468 }
469 iv = km_utils::kmBlob2vector(kmIv);
470 transitKey = km_utils::kmBlob2vector(kmTransitKey);
471 secureKey = km_utils::kmBlob2vector(kmSecureKey);
472 tag = km_utils::kmBlob2vector(kmTag);
473 authList = km_utils::kmParamSet2Aidl(authSet);
474 keyFormat = static_cast<KeyFormat>(kmKeyFormat);
475 wrappedKeyDescription = km_utils::kmBlob2vector(kmWrappedKeyDescription);
476 return KM_ERROR_OK;
477 }
478
convertStorageKeyToEphemeral(const std::vector<uint8_t> &,std::vector<uint8_t> *)479 ScopedAStatus JavacardKeyMintDevice::convertStorageKeyToEphemeral(
480 const std::vector<uint8_t>& /* storageKeyBlob */,
481 std::vector<uint8_t>* /* ephemeralKeyBlob */) {
482 return km_utils::kmError2ScopedAStatus(KM_ERROR_UNIMPLEMENTED);
483 }
dump(int,const char **,uint32_t)484 binder_status_t JavacardKeyMintDevice::dump(int /* fd */, const char** /* p */, uint32_t /* q */) {
485 LOG(INFO) << "\n KeyMint-JavacardKeyMintDevice HAL MemoryLeak Info = \n"
486 << ::android::GetUnreachableMemoryString(true, 10000).c_str();
487 return STATUS_OK;
488 }
489
490 } // namespace aidl::android::hardware::security::keymint
491