1 files changed, 130 insertions, 0 deletions
diff --git a/include/keymaster/key_blob.h b/include/keymaster/key_blob.h
new file mode 100644
index 0000000..b2a3778
--- /dev/null
+++ b/include/keymaster/key_blob.h
@@ -0,0 +1,130 @@
+/*
+ * Copyright 2014 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#ifndef SYSTEM_KEYMASTER_KEY_BLOB_H_
+#define SYSTEM_KEYMASTER_KEY_BLOB_H_
+
+#include <cstddef>
+
+#include <stdint.h>
+
+#include <UniquePtr.h>
+
+#include <hardware/keymaster_defs.h>
+#include <keymaster/android_keymaster_utils.h>
+#include <keymaster/authorization_set.h>
+#include <keymaster/serializable.h>
+
+namespace keymaster {
+
+/**
+ * This class represents a Keymaster key blob, including authorization sets and encrypted key
+ * material.  It serializes and deserializes blob arrays, and provides access to the data in the
+ * blob.
+ */
+class KeyBlob : public Serializable {
+  public:
+    static const size_t NONCE_LENGTH = 12;
+    static const size_t TAG_LENGTH = 128 / 8;
+
+    /**
+     * Create a KeyBlob, extracting the enforced and unenforced sets.  The KeyBlob does *not* take
+     * ownership of \p key_blob.
+     *
+     * IMPORTANT: After constructing a KeyBlob, call error() to verify that the blob is usable.
+     */
+    KeyBlob(const uint8_t* key_blob, size_t key_blob_length);
+
+    /**
+     * Create a KeyBlob, extracting the enforced and unenforced sets.  The KeyBlob does *not* take
+     * ownership of \p key_blob's contents.
+     *
+     * IMPORTANT: After constructing a KeyBlob, call error() to verify that the blob is usable.
+     */
+    KeyBlob(const keymaster_key_blob_t& key_blob);
+
+    ~KeyBlob() {
+        ClearKeyData();
+        // AuthorizationSets clear themselves.
+    }
+
+    size_t SerializedSize() const;
+    uint8_t* Serialize(uint8_t* buf, const uint8_t* end) const;
+    bool Deserialize(const uint8_t** buf_ptr, const uint8_t* end);
+
+    /**
+     * Returns KM_ERROR_OK if all is well, or an appropriate error code if there is a problem.  This
+     * error code should be checked after construction or deserialization, and if it does not return
+     * KM_ERROR_OK, then don't call any other methods.
+     */
+    inline keymaster_error_t error() { return error_; }
+
+    inline const uint8_t* nonce() const { return nonce_.get(); }
+    inline const uint8_t* encrypted_key_material() const { return encrypted_key_material_.get(); }
+    inline size_t key_material_length() const { return key_material_length_; }
+    inline const uint8_t* tag() const { return tag_.get(); }
+
+    inline const AuthorizationSet& enforced() const { return enforced_; }
+    inline const AuthorizationSet& unenforced() const { return unenforced_; }
+    inline keymaster_algorithm_t algorithm() const { return algorithm_; }
+    inline size_t key_size_bits() const { return key_size_bits_; }
+    keymaster_key_origin_t origin() const;
+    bool is_hardware() const;
+
+  protected:
+    /**
+     * Create a KeyBlob containing the specified authorization data.
+     *
+     * IMPORTANT: After constructing a KeyBlob, call error() to verify that the blob is usable.
+     */
+    KeyBlob(const AuthorizationSet& enforced, const AuthorizationSet& unenforced);
+
+    /**
+     * Set encrypted key and supporting nonce and tag.  Takes ownership of all arguments.
+     */
+    void SetEncryptedKey(uint8_t* encrypted_key_material, size_t encrypted_key_material_length,
+                         uint8_t* nonce, uint8_t* tag);
+
+    keymaster_error_t error_;
+
+  private:
+    void ClearKeyData() {
+        // None of these are sensitive, but clear them anyway.
+        if (encrypted_key_material_.get())
+            memset_s(encrypted_key_material_.get(), 0, key_material_length_);
+        if (nonce_.get())
+            memset_s(nonce_.get(), 0, NONCE_LENGTH);
+        if (tag_.get())
+            memset_s(tag_.get(), 0, TAG_LENGTH);
+    }
+
+    bool DeserializeUnversionedBlob(const uint8_t** buf_ptr, const uint8_t* end);
+
+    bool ExtractKeyCharacteristics();
+
+    UniquePtr<uint8_t[]> nonce_;
+    UniquePtr<uint8_t[]> encrypted_key_material_;
+    UniquePtr<uint8_t[]> tag_;
+    size_t key_material_length_;
+    AuthorizationSet enforced_;
+    AuthorizationSet unenforced_;
+    keymaster_algorithm_t algorithm_;
+    uint32_t key_size_bits_;
+};
+
+}  // namespace keymaster
+
+#endif  // SYSTEM_KEYMASTER_KEY_BLOB_H_