1*e1997b9aSAndroid Build Coastguard Worker /* 2*e1997b9aSAndroid Build Coastguard Worker * Copyright (C) 2020 The Android Open Source Project 3*e1997b9aSAndroid Build Coastguard Worker * 4*e1997b9aSAndroid Build Coastguard Worker * Licensed under the Apache License, Version 2.0 (the "License"); 5*e1997b9aSAndroid Build Coastguard Worker * you may not use this file except in compliance with the License. 6*e1997b9aSAndroid Build Coastguard Worker * You may obtain a copy of the License at 7*e1997b9aSAndroid Build Coastguard Worker * 8*e1997b9aSAndroid Build Coastguard Worker * http://www.apache.org/licenses/LICENSE-2.0 9*e1997b9aSAndroid Build Coastguard Worker * 10*e1997b9aSAndroid Build Coastguard Worker * Unless required by applicable law or agreed to in writing, software 11*e1997b9aSAndroid Build Coastguard Worker * distributed under the License is distributed on an "AS IS" BASIS, 12*e1997b9aSAndroid Build Coastguard Worker * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13*e1997b9aSAndroid Build Coastguard Worker * See the License for the specific language governing permissions and 14*e1997b9aSAndroid Build Coastguard Worker * limitations under the License. 15*e1997b9aSAndroid Build Coastguard Worker */ 16*e1997b9aSAndroid Build Coastguard Worker 17*e1997b9aSAndroid Build Coastguard Worker #ifndef __CRYPTO_H__ 18*e1997b9aSAndroid Build Coastguard Worker #define __CRYPTO_H__ 19*e1997b9aSAndroid Build Coastguard Worker 20*e1997b9aSAndroid Build Coastguard Worker #include <stdbool.h> 21*e1997b9aSAndroid Build Coastguard Worker #include <stdint.h> 22*e1997b9aSAndroid Build Coastguard Worker #include <stddef.h> 23*e1997b9aSAndroid Build Coastguard Worker 24*e1997b9aSAndroid Build Coastguard Worker extern "C" { 25*e1997b9aSAndroid Build Coastguard Worker bool hmacSha256(const uint8_t* key, size_t key_size, const uint8_t* msg, size_t msg_size, 26*e1997b9aSAndroid Build Coastguard Worker uint8_t* out, size_t out_size); 27*e1997b9aSAndroid Build Coastguard Worker bool randomBytes(uint8_t* out, size_t len); 28*e1997b9aSAndroid Build Coastguard Worker bool AES_gcm_encrypt(const uint8_t* in, uint8_t* out, size_t len, 29*e1997b9aSAndroid Build Coastguard Worker const uint8_t* key, size_t key_size, const uint8_t* iv, uint8_t* tag); 30*e1997b9aSAndroid Build Coastguard Worker bool AES_gcm_decrypt(const uint8_t* in, uint8_t* out, size_t len, 31*e1997b9aSAndroid Build Coastguard Worker const uint8_t* key, size_t key_size, const uint8_t* iv, 32*e1997b9aSAndroid Build Coastguard Worker const uint8_t* tag); 33*e1997b9aSAndroid Build Coastguard Worker 34*e1997b9aSAndroid Build Coastguard Worker // Copied from system/security/keystore/keymaster_enforcement.h. 35*e1997b9aSAndroid Build Coastguard Worker typedef uint64_t km_id_t; 36*e1997b9aSAndroid Build Coastguard Worker 37*e1997b9aSAndroid Build Coastguard Worker bool CreateKeyId(const uint8_t* key_blob, size_t len, km_id_t* out_id); 38*e1997b9aSAndroid Build Coastguard Worker 39*e1997b9aSAndroid Build Coastguard Worker // The salt parameter must be non-nullptr and point to 16 bytes of data. 40*e1997b9aSAndroid Build Coastguard Worker void PBKDF2(uint8_t* key, size_t key_len, const char* pw, size_t pw_len, const uint8_t* salt); 41*e1997b9aSAndroid Build Coastguard Worker 42*e1997b9aSAndroid Build Coastguard Worker #include "openssl/digest.h" 43*e1997b9aSAndroid Build Coastguard Worker #include "openssl/ec_key.h" 44*e1997b9aSAndroid Build Coastguard Worker 45*e1997b9aSAndroid Build Coastguard Worker bool HKDFExtract(uint8_t *out_key, size_t *out_len, 46*e1997b9aSAndroid Build Coastguard Worker const uint8_t *secret, size_t secret_len, 47*e1997b9aSAndroid Build Coastguard Worker const uint8_t *salt, size_t salt_len); 48*e1997b9aSAndroid Build Coastguard Worker 49*e1997b9aSAndroid Build Coastguard Worker bool HKDFExpand(uint8_t *out_key, size_t out_len, 50*e1997b9aSAndroid Build Coastguard Worker const uint8_t *prk, size_t prk_len, 51*e1997b9aSAndroid Build Coastguard Worker const uint8_t *info, size_t info_len); 52*e1997b9aSAndroid Build Coastguard Worker 53*e1997b9aSAndroid Build Coastguard Worker // We define this as field_elem_size. 54*e1997b9aSAndroid Build Coastguard Worker static const size_t EC_MAX_BYTES = 32; 55*e1997b9aSAndroid Build Coastguard Worker 56*e1997b9aSAndroid Build Coastguard Worker int ECDHComputeKey(void *out, const EC_POINT *pub_key, const EC_KEY *priv_key); 57*e1997b9aSAndroid Build Coastguard Worker 58*e1997b9aSAndroid Build Coastguard Worker EC_KEY* ECKEYGenerateKey(); 59*e1997b9aSAndroid Build Coastguard Worker 60*e1997b9aSAndroid Build Coastguard Worker size_t ECKEYMarshalPrivateKey(const EC_KEY *priv_key, uint8_t *buf, size_t len); 61*e1997b9aSAndroid Build Coastguard Worker 62*e1997b9aSAndroid Build Coastguard Worker EC_KEY* ECKEYParsePrivateKey(const uint8_t *buf, size_t len); 63*e1997b9aSAndroid Build Coastguard Worker 64*e1997b9aSAndroid Build Coastguard Worker size_t ECPOINTPoint2Oct(const EC_POINT *point, uint8_t *buf, size_t len); 65*e1997b9aSAndroid Build Coastguard Worker 66*e1997b9aSAndroid Build Coastguard Worker EC_POINT* ECPOINTOct2Point(const uint8_t *buf, size_t len); 67*e1997b9aSAndroid Build Coastguard Worker 68*e1997b9aSAndroid Build Coastguard Worker } 69*e1997b9aSAndroid Build Coastguard Worker 70*e1997b9aSAndroid Build Coastguard Worker // Parse a DER-encoded X.509 certificate contained in cert_buf, with length 71*e1997b9aSAndroid Build Coastguard Worker // cert_len, extract the subject, DER-encode it and write the result to 72*e1997b9aSAndroid Build Coastguard Worker // subject_buf, which has subject_buf_len capacity. 73*e1997b9aSAndroid Build Coastguard Worker // 74*e1997b9aSAndroid Build Coastguard Worker // Because the length of the subject is unknown, and because we'd like to (a) be 75*e1997b9aSAndroid Build Coastguard Worker // able to handle subjects of any size and (b) avoid parsing the certificate 76*e1997b9aSAndroid Build Coastguard Worker // twice most of the time, once to discover the length and once to parse it, the 77*e1997b9aSAndroid Build Coastguard Worker // return value is overloaded. 78*e1997b9aSAndroid Build Coastguard Worker // 79*e1997b9aSAndroid Build Coastguard Worker // If the return value > 0 it specifies the number of bytes written into 80*e1997b9aSAndroid Build Coastguard Worker // subject_buf; the operation was successful. 81*e1997b9aSAndroid Build Coastguard Worker // 82*e1997b9aSAndroid Build Coastguard Worker // If the return value == 0, certificate parsing failed unrecoverably. The 83*e1997b9aSAndroid Build Coastguard Worker // reason will be logged. 84*e1997b9aSAndroid Build Coastguard Worker // 85*e1997b9aSAndroid Build Coastguard Worker // If the return value < 0, the operation failed because the subject size > 86*e1997b9aSAndroid Build Coastguard Worker // subject_buf_len. The return value is -(subject_size), where subject_size is 87*e1997b9aSAndroid Build Coastguard Worker // the size of the extracted DER-encoded subject field. Call 88*e1997b9aSAndroid Build Coastguard Worker // extractSubjectFromCertificate again with a sufficiently-large buffer. 89*e1997b9aSAndroid Build Coastguard Worker int extractSubjectFromCertificate(const uint8_t* cert_buf, size_t cert_len, 90*e1997b9aSAndroid Build Coastguard Worker uint8_t* subject_buf, size_t subject_buf_len); 91*e1997b9aSAndroid Build Coastguard Worker 92*e1997b9aSAndroid Build Coastguard Worker #endif // __CRYPTO_H__ 93