/*
* Copyright 2015 The Android Open Source Project
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
#include "rsa_keymaster0_key.h"
#include <memory>
#include <keymaster/android_keymaster_utils.h>
#include <keymaster/logger.h>
#include <keymaster/soft_keymaster_context.h>
#include "keymaster0_engine.h"
#include "openssl_utils.h"
using std::unique_ptr;
namespace keymaster {
RsaKeymaster0KeyFactory::RsaKeymaster0KeyFactory(const SoftKeymasterContext* context,
const Keymaster0Engine* engine)
: RsaKeyFactory(context), engine_(engine) {}
keymaster_error_t RsaKeymaster0KeyFactory::GenerateKey(const AuthorizationSet& key_description,
KeymasterKeyBlob* key_blob,
AuthorizationSet* hw_enforced,
AuthorizationSet* sw_enforced) const {
if (!key_blob || !hw_enforced || !sw_enforced)
return KM_ERROR_OUTPUT_PARAMETER_NULL;
uint64_t public_exponent;
if (!key_description.GetTagValue(TAG_RSA_PUBLIC_EXPONENT, &public_exponent)) {
LOG_E("%s", "No public exponent specified for RSA key generation");
return KM_ERROR_INVALID_ARGUMENT;
}
uint32_t key_size;
if (!key_description.GetTagValue(TAG_KEY_SIZE, &key_size)) {
LOG_E("%s", "No key size specified for RSA key generation");
return KM_ERROR_UNSUPPORTED_KEY_SIZE;
}
KeymasterKeyBlob key_material;
if (!engine_->GenerateRsaKey(public_exponent, key_size, &key_material))
return KM_ERROR_UNKNOWN_ERROR;
// These tags are hardware-enforced. Putting them in the hw_enforced set here will ensure that
// context_->CreateKeyBlob doesn't put them in sw_enforced.
hw_enforced->push_back(TAG_ALGORITHM, KM_ALGORITHM_RSA);
hw_enforced->push_back(TAG_RSA_PUBLIC_EXPONENT, public_exponent);
hw_enforced->push_back(TAG_KEY_SIZE, key_size);
hw_enforced->push_back(TAG_ORIGIN, KM_ORIGIN_UNKNOWN);
return context_->CreateKeyBlob(key_description, KM_ORIGIN_UNKNOWN, key_material, key_blob,
hw_enforced, sw_enforced);
}
keymaster_error_t RsaKeymaster0KeyFactory::ImportKey(
const AuthorizationSet& key_description, keymaster_key_format_t input_key_material_format,
const KeymasterKeyBlob& input_key_material, KeymasterKeyBlob* output_key_blob,
AuthorizationSet* hw_enforced, AuthorizationSet* sw_enforced) const {
if (!output_key_blob || !hw_enforced || !sw_enforced)
return KM_ERROR_OUTPUT_PARAMETER_NULL;
AuthorizationSet authorizations;
uint64_t public_exponent;
uint32_t key_size;
keymaster_error_t error =
UpdateImportKeyDescription(key_description, input_key_material_format, input_key_material,
&authorizations, &public_exponent, &key_size);
if (error != KM_ERROR_OK)
return error;
KeymasterKeyBlob imported_hw_key;
if (!engine_->ImportKey(input_key_material_format, input_key_material, &imported_hw_key))
return KM_ERROR_UNKNOWN_ERROR;
// These tags are hardware-enforced. Putting them in the hw_enforced set here will ensure that
// context_->CreateKeyBlob doesn't put them in sw_enforced.
hw_enforced->push_back(TAG_ALGORITHM, KM_ALGORITHM_RSA);
hw_enforced->push_back(TAG_RSA_PUBLIC_EXPONENT, public_exponent);
hw_enforced->push_back(TAG_KEY_SIZE, key_size);
hw_enforced->push_back(TAG_ORIGIN, KM_ORIGIN_UNKNOWN);
return context_->CreateKeyBlob(authorizations, KM_ORIGIN_UNKNOWN, imported_hw_key,
output_key_blob, hw_enforced, sw_enforced);
}
keymaster_error_t RsaKeymaster0KeyFactory::LoadKey(const KeymasterKeyBlob& key_material,
const AuthorizationSet& additional_params,
const AuthorizationSet& hw_enforced,
const AuthorizationSet& sw_enforced,
UniquePtr<Key>* key) const {
if (!key)
return KM_ERROR_OUTPUT_PARAMETER_NULL;
if (sw_enforced.GetTagCount(TAG_ALGORITHM) == 1)
return super::LoadKey(key_material, additional_params, hw_enforced, sw_enforced, key);
unique_ptr<RSA, RSA_Delete> rsa(engine_->BlobToRsaKey(key_material));
if (!rsa)
return KM_ERROR_UNKNOWN_ERROR;
keymaster_error_t error;
key->reset(new (std::nothrow)
RsaKeymaster0Key(rsa.release(), hw_enforced, sw_enforced, &error));
if (!key->get())
error = KM_ERROR_MEMORY_ALLOCATION_FAILED;
if (error != KM_ERROR_OK)
return error;
return KM_ERROR_OK;
}
} // namespace keymaster