diff options
Diffstat (limited to 'include/keymaster')
-rw-r--r-- | include/keymaster/android_keymaster.h | 1 | ||||
-rw-r--r-- | include/keymaster/android_keymaster_messages.h | 92 | ||||
-rw-r--r-- | include/keymaster/keymaster_enforcement.h | 31 | ||||
-rw-r--r-- | include/keymaster/km_openssl/soft_keymaster_enforcement.h | 5 |
4 files changed, 124 insertions, 5 deletions
diff --git a/include/keymaster/android_keymaster.h b/include/keymaster/android_keymaster.h index 510b504..2836464 100644 --- a/include/keymaster/android_keymaster.h +++ b/include/keymaster/android_keymaster.h @@ -67,6 +67,7 @@ class AndroidKeymaster { GetHmacSharingParametersResponse GetHmacSharingParameters(); ComputeSharedHmacResponse ComputeSharedHmac(const ComputeSharedHmacRequest& request); + VerifyAuthorizationResponse VerifyAuthorization(const VerifyAuthorizationRequest& request); void AddRngEntropy(const AddEntropyRequest& request, AddEntropyResponse* response); void Configure(const ConfigureRequest& request, ConfigureResponse* response); diff --git a/include/keymaster/android_keymaster_messages.h b/include/keymaster/android_keymaster_messages.h index 348d085..9c49145 100644 --- a/include/keymaster/android_keymaster_messages.h +++ b/include/keymaster/android_keymaster_messages.h @@ -50,6 +50,7 @@ enum AndroidKeymasterCommand : uint32_t { CONFIGURE = 18, GET_HMAC_SHARING_PARAMETERS = 19, COMPUTE_SHARED_HMAC = 20, + VERIFY_AUTHORIZATION = 21, }; /** @@ -808,6 +809,97 @@ struct ImportWrappedKeyResponse : public KeymasterResponse { AuthorizationSet unenforced; }; +struct HardwareAuthToken : public Serializable { + HardwareAuthToken() = default; + HardwareAuthToken(HardwareAuthToken&& other) { + challenge = other.challenge; + user_id = other.user_id; + authenticator_id = other.authenticator_id; + authenticator_type = other.authenticator_type; + timestamp = other.timestamp; + mac = move(other.mac); + } + + size_t SerializedSize() const override; + uint8_t* Serialize(uint8_t* buf, const uint8_t* end) const override; + bool Deserialize(const uint8_t** buf_ptr, const uint8_t* end) override; + + uint64_t challenge{}; + uint64_t user_id{}; + uint64_t authenticator_id{}; + hw_authenticator_type_t authenticator_type{}; + uint64_t timestamp{}; + KeymasterBlob mac; +}; + +struct VerificationToken : public Serializable { + VerificationToken() = default; + VerificationToken(VerificationToken&& other) { + challenge = other.challenge; + timestamp = other.timestamp; + parameters_verified = move(other.parameters_verified); + security_level = other.security_level; + mac = move(other.mac); + } + + size_t SerializedSize() const override; + uint8_t* Serialize(uint8_t* buf, const uint8_t* end) const override; + bool Deserialize(const uint8_t** buf_ptr, const uint8_t* end) override; + + uint64_t challenge{}; + uint64_t timestamp{}; + AuthorizationSet parameters_verified{}; + keymaster_security_level_t security_level{}; + KeymasterBlob mac{}; +}; + +struct VerifyAuthorizationRequest : public KeymasterMessage { + explicit VerifyAuthorizationRequest(int32_t ver = MAX_MESSAGE_VERSION) + : KeymasterMessage(ver) {} + VerifyAuthorizationRequest(VerifyAuthorizationRequest&& other) = default; + + size_t SerializedSize() const override { + return sizeof(challenge) + parameters_to_verify.SerializedSize() + + auth_token.SerializedSize(); + } + + uint8_t* Serialize(uint8_t* buf, const uint8_t* end) const override { + buf = append_uint64_to_buf(buf, end, challenge); + buf = parameters_to_verify.Serialize(buf, end); + return auth_token.Serialize(buf, end); + } + + bool Deserialize(const uint8_t** buf_ptr, const uint8_t* end) override { + return (copy_uint64_from_buf(buf_ptr, end, &challenge) && + parameters_to_verify.Deserialize(buf_ptr, end) && + auth_token.Deserialize(buf_ptr, end)); + } + + uint64_t challenge{}; + AuthorizationSet parameters_to_verify; + HardwareAuthToken auth_token; +}; + +struct VerifyAuthorizationResponse : public KeymasterResponse { + explicit VerifyAuthorizationResponse(int32_t ver = MAX_MESSAGE_VERSION) + : KeymasterResponse(ver) {} + VerifyAuthorizationResponse(VerifyAuthorizationResponse&& other) = default; + + size_t NonErrorSerializedSize() const override { + return sizeof(error) + token.SerializedSize(); + } + uint8_t* NonErrorSerialize(uint8_t* buf, const uint8_t* end) const override { + buf = append_uint32_to_buf(buf, end, error); + return token.Serialize(buf, end); + } + bool NonErrorDeserialize(const uint8_t** buf_ptr, const uint8_t* end) override { + return copy_uint32_from_buf(buf_ptr, end, &error) && token.Deserialize(buf_ptr, end); + } + + keymaster_error_t error{KM_ERROR_UNKNOWN_ERROR}; + VerificationToken token; +}; + } // namespace keymaster #endif // SYSTEM_KEYMASTER_ANDROID_KEYMASTER_MESSAGES_H_ diff --git a/include/keymaster/keymaster_enforcement.h b/include/keymaster/keymaster_enforcement.h index 3557a68..4e33aff 100644 --- a/include/keymaster/keymaster_enforcement.h +++ b/include/keymaster/keymaster_enforcement.h @@ -19,6 +19,7 @@ #include <stdio.h> +#include <keymaster/android_keymaster_messages.h> #include <keymaster/authorization_set.h> namespace keymaster { @@ -120,15 +121,31 @@ class KeymasterEnforcement { virtual bool auth_token_timed_out(const hw_auth_token_t& token, uint32_t timeout) const = 0; /* + * Get current time in milliseconds from some starting point. This value is used to compute + * relative times between events. It must be monotonically increasing, and must not skip or + * lag. It need not have any relation to any external time standard (other than the duration of + * "second"). + * + * On Linux systems, it's recommended to use clock_gettime(CLOCK_BOOTTIME, ...) to implement + * this method. On non-Linux POSIX systems, CLOCK_MONOTONIC is good, assuming the device does + * not suspend. + */ + virtual uint64_t get_current_time_ms() const = 0; + + /* * Get current time in seconds from some starting point. This value is used to compute relative * times between events. It must be monotonically increasing, and must not skip or lag. It * need not have any relation to any external time standard (other than the duration of * "second"). - * - * On POSIX systems, it's recommended to use clock_gettime(CLOCK_MONOTONIC, ...) to implement - * this method. */ - virtual uint32_t get_current_time() const = 0; + uint32_t get_current_time() const { + return static_cast<uint32_t>(get_current_time_ms() / 1000); // Will wrap every 136 years + } + + /* + * Returns the security level of this implementation. + */ + virtual keymaster_security_level_t SecurityLevel() const = 0; /* * Returns true if the specified auth_token has a valid signature, or if signature validation is @@ -148,6 +165,12 @@ class KeymasterEnforcement { KeymasterBlob* sharingCheck) = 0; /** + * Verify authorizations for another Keymaster instance. + */ + virtual VerifyAuthorizationResponse + VerifyAuthorization(const VerifyAuthorizationRequest& request) = 0; + + /** * Creates a key ID for use in subsequent calls to AuthorizeOperation. AndroidKeymaster uses * this method for creating key IDs. The generated id must be stable in that the same key_blob * bits yield the same keyid. diff --git a/include/keymaster/km_openssl/soft_keymaster_enforcement.h b/include/keymaster/km_openssl/soft_keymaster_enforcement.h index a510009..72b11ec 100644 --- a/include/keymaster/km_openssl/soft_keymaster_enforcement.h +++ b/include/keymaster/km_openssl/soft_keymaster_enforcement.h @@ -34,13 +34,16 @@ class SoftKeymasterEnforcement : public KeymasterEnforcement { uint32_t /*timeout*/) const override { return false; } - uint32_t get_current_time() const override; + uint64_t get_current_time_ms() const override; + keymaster_security_level_t SecurityLevel() const override { return KM_SECURITY_LEVEL_SOFTWARE; } bool ValidateTokenSignature(const hw_auth_token_t& /*token*/) const override { return true; } bool CreateKeyId(const keymaster_key_blob_t& key_blob, km_id_t* keyid) const override; keymaster_error_t GetHmacSharingParameters(HmacSharingParameters* params) override; keymaster_error_t ComputeSharedHmac(const HmacSharingParametersArray& params_array, KeymasterBlob* sharingCheck) override; + VerifyAuthorizationResponse + VerifyAuthorization(const VerifyAuthorizationRequest& request) override; private: bool have_saved_params_ = false; |