1 /* 2 * Copyright 2020, The Android Open Source Project 3 * 4 * Licensed under the Apache License, Version 2.0 (the "License"); 5 * you may not use this file except in compliance with the License. 6 * You may obtain a copy of the License at 7 * 8 * http://www.apache.org/licenses/LICENSE-2.0 9 * 10 * Unless required by applicable law or agreed to in writing, software 11 * distributed under the License is distributed on an "AS IS" BASIS, 12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 * See the License for the specific language governing permissions and 14 * limitations under the License. 15 */ 16 /****************************************************************************** 17 * 18 * The original Work has been changed by NXP. 19 * 20 * Licensed under the Apache License, Version 2.0 (the "License"); 21 * you may not use this file except in compliance with the License. 22 * You may obtain a copy of the License at 23 * 24 * http://www.apache.org/licenses/LICENSE-2.0 25 * 26 * Unless required by applicable law or agreed to in writing, software 27 * distributed under the License is distributed on an "AS IS" BASIS, 28 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 29 * See the License for the specific language governing permissions and 30 * limitations under the License. 31 * 32 * Copyright 2022-2024 NXP 33 * 34 ******************************************************************************/ 35 #pragma once 36 37 #include <aidl/android/hardware/security/keymint/BnKeyMintDevice.h> 38 #include <aidl/android/hardware/security/keymint/BnKeyMintOperation.h> 39 #include <aidl/android/hardware/security/keymint/HardwareAuthToken.h> 40 #include <aidl/android/hardware/security/sharedsecret/SharedSecretParameters.h> 41 42 #include "CborConverter.h" 43 #include "JavacardSecureElement.h" 44 45 namespace aidl::android::hardware::security::keymint { 46 using cppbor::Item; 47 using ::keymint::javacard::CborConverter; 48 using ::keymint::javacard::JavacardSecureElement; 49 using ndk::ScopedAStatus; 50 using secureclock::TimeStampToken; 51 using std::array; 52 using std::optional; 53 using std::shared_ptr; 54 using std::vector; 55 56 class JavacardKeyMintDevice : public BnKeyMintDevice { 57 public: JavacardKeyMintDevice(shared_ptr<JavacardSecureElement> card)58 explicit JavacardKeyMintDevice(shared_ptr<JavacardSecureElement> card) 59 : securitylevel_(SecurityLevel::STRONGBOX), card_(std::move(card)) {} ~JavacardKeyMintDevice()60 virtual ~JavacardKeyMintDevice() {} 61 62 // Methods from ::ndk::ICInterface follow. 63 binder_status_t dump(int fd, const char** args, uint32_t num_args) override; 64 65 ScopedAStatus getHardwareInfo(KeyMintHardwareInfo* info) override; 66 67 ScopedAStatus addRngEntropy(const vector<uint8_t>& data) override; 68 69 ScopedAStatus generateKey(const vector<KeyParameter>& keyParams, 70 const optional<AttestationKey>& attestationKey, 71 KeyCreationResult* creationResult) override; 72 73 ScopedAStatus importKey(const vector<KeyParameter>& keyParams, KeyFormat keyFormat, 74 const vector<uint8_t>& keyData, 75 const optional<AttestationKey>& attestationKey, 76 KeyCreationResult* creationResult) override; 77 78 ScopedAStatus importWrappedKey(const vector<uint8_t>& wrappedKeyData, 79 const vector<uint8_t>& wrappingKeyBlob, 80 const vector<uint8_t>& maskingKey, 81 const vector<KeyParameter>& unwrappingParams, 82 int64_t passwordSid, int64_t biometricSid, 83 KeyCreationResult* creationResult) override; 84 85 ScopedAStatus upgradeKey(const vector<uint8_t>& keyBlobToUpgrade, 86 const vector<KeyParameter>& upgradeParams, 87 vector<uint8_t>* keyBlob) override; 88 89 ScopedAStatus deleteKey(const vector<uint8_t>& keyBlob) override; 90 ScopedAStatus deleteAllKeys() override; 91 ScopedAStatus destroyAttestationIds() override; 92 93 virtual ScopedAStatus begin(KeyPurpose in_purpose, const std::vector<uint8_t>& in_keyBlob, 94 const std::vector<KeyParameter>& in_params, 95 const std::optional<HardwareAuthToken>& in_authToken, 96 BeginResult* _aidl_return) override; 97 98 ScopedAStatus deviceLocked(bool passwordOnly, 99 const optional<TimeStampToken>& timestampToken) override; 100 101 ScopedAStatus earlyBootEnded() override; 102 103 ScopedAStatus getKeyCharacteristics(const std::vector<uint8_t>& in_keyBlob, 104 const std::vector<uint8_t>& in_appId, 105 const std::vector<uint8_t>& in_appData, 106 std::vector<KeyCharacteristics>* _aidl_return) override; 107 108 ScopedAStatus convertStorageKeyToEphemeral(const std::vector<uint8_t>& storageKeyBlob, 109 std::vector<uint8_t>* ephemeralKeyBlob) override; 110 111 ScopedAStatus getRootOfTrustChallenge(array<uint8_t, 16>* challenge) override; 112 113 ScopedAStatus getRootOfTrust(const array<uint8_t, 16>& challenge, 114 vector<uint8_t>* rootOfTrust) override; 115 116 ScopedAStatus sendRootOfTrust(const vector<uint8_t>& rootOfTrust) override; 117 118 private: 119 keymaster_error_t parseWrappedKey(const vector<uint8_t>& wrappedKeyData, 120 std::vector<uint8_t>& iv, std::vector<uint8_t>& transitKey, 121 std::vector<uint8_t>& secureKey, std::vector<uint8_t>& tag, 122 vector<KeyParameter>& authList, KeyFormat& keyFormat, 123 std::vector<uint8_t>& wrappedKeyDescription); 124 125 std::tuple<std::unique_ptr<Item>, keymaster_error_t> sendBeginImportWrappedKeyCmd( 126 const std::vector<uint8_t>& transitKey, const std::vector<uint8_t>& wrappingKeyBlob, 127 const std::vector<uint8_t>& maskingKey, const vector<KeyParameter>& unwrappingParams); 128 129 std::tuple<std::unique_ptr<Item>, keymaster_error_t> 130 sendFinishImportWrappedKeyCmd(const vector<KeyParameter>& keyParams, KeyFormat keyFormat, 131 const std::vector<uint8_t>& secureKey, 132 const std::vector<uint8_t>& tag, const std::vector<uint8_t>& iv, 133 const std::vector<uint8_t>& wrappedKeyDescription, 134 int64_t passwordSid, int64_t biometricSid); 135 136 ScopedAStatus defaultHwInfo(KeyMintHardwareInfo* info); 137 138 const SecurityLevel securitylevel_; 139 const shared_ptr<JavacardSecureElement> card_; 140 CborConverter cbor_; 141 }; 142 143 } // namespace aidl::android::hardware::security::keymint 144