1 /*
2  * Copyright 2015 The Android Open Source Project
3  *
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at
7  *
8  *      http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */
16 
17 #pragma once
18 
19 #include <hardware/keymaster_defs.h>
20 
21 #include <keymaster/android_keymaster_utils.h>
22 #include <keymaster/authorization_set.h>
23 
24 namespace keymaster {
25 
26 class Buffer;
27 class RandomSource;
28 
29 // Define the formats this code knows about.  Note that "format" here implies both structure and KEK
// derivation and encryption algorithm, though the KEK derivation and encryption are performed prior
31 // to serialization.
// Stored as a single byte (uint8_t underlying type); presumably the first byte of the serialized
// blob, but the layout itself lives in the implementation.  A deserializer should reject any value
// outside this set rather than guessing a format.
enum AuthEncryptedBlobFormat : uint8_t {
    // AES in OCB mode.  Nonce and tag are carried in EncryptedKey.
    AES_OCB = 0,
    // AES in GCM mode.  The name suggests the sw_enforced list is bound into the authenticated
    // data as well — NOTE(review): confirm against the implementation before relying on it.
    AES_GCM_WITH_SW_ENFORCED = 1,
};
36 
// Mix-in base that makes a derived type movable but not copyable: both copy operations are
// deleted, both move operations and the default constructor are defaulted.  EncryptedKey and
// DeserializedKey inherit it privately, presumably so that key material and its decryption
// parameters are only ever moved, never silently duplicated.
struct MoveOnly {
    MoveOnly() = default;
    MoveOnly(const MoveOnly&) = delete;
    MoveOnly(MoveOnly&&) = default;

    MoveOnly& operator=(MoveOnly&&) = default;
    // Deleted, so the return type is never observed; `MoveOnly&` would be the conventional form.
    void operator=(const MoveOnly&) = delete;
};
45 
// Result of EncryptKey: the encrypted key material plus the AEAD parameters needed to decrypt it.
// Move-only (see MoveOnly).
struct EncryptedKey : private MoveOnly {
    // Format used to produce `ciphertext`; selects the cipher and KEK derivation on decrypt.
    AuthEncryptedBlobFormat format;
    // Encrypted key material.
    KeymasterKeyBlob ciphertext;
    // Nonce used for the AEAD operation; serialized alongside the ciphertext.
    Buffer nonce;
    // Authentication tag of the AEAD operation; serialized alongside the ciphertext.
    Buffer tag;
};
52 
// Result of DeserializeAuthEncryptedBlob: the encrypted key and the authorization lists as read
// from the blob.  Move-only (see MoveOnly).
//
// NOTE(review): these fields come straight from the blob bytes; whether the authorization lists
// are authenticated before DecryptKey verifies the tag is not visible here.  Treat them as
// untrusted until DecryptKey has succeeded.
struct DeserializedKey : private MoveOnly {
    // Ciphertext, format, nonce and tag recovered from the blob.
    EncryptedKey encrypted_key;
    // Hardware-enforced authorizations recovered from the blob.
    AuthorizationSet hw_enforced;
    // Software-enforced authorizations recovered from the blob.
    AuthorizationSet sw_enforced;
};
58 
59 /**
60  * Encrypt the provided plaintext with format `format`, using the provided authorization lists and
61  * master_key to derive the key encryption key.
62  */
63 EncryptedKey EncryptKey(const KeymasterKeyBlob& plaintext, AuthEncryptedBlobFormat format,
64                         const AuthorizationSet& hw_enforced, const AuthorizationSet& sw_enforced,
65                         const AuthorizationSet& hidden, const KeymasterKeyBlob& master_key,
66                         const RandomSource& random, keymaster_error_t* error);
67 
68 /**
69  * Serialize `encrypted_key` (which contains necessary nonce & tag information),
70  * along with the associated authorization data into a blob.
71  */
72 KeymasterKeyBlob SerializeAuthEncryptedBlob(const EncryptedKey& encrypted_key,
73                                             const AuthorizationSet& hw_enforced,
74                                             const AuthorizationSet& sw_enforced,
75                                             keymaster_error_t* error);
76 
77 /**
78  * Deserialize a blob, retrieving the key ciphertext, decryption parameters and associated
79  * authorization lists.
80  */
81 DeserializedKey DeserializeAuthEncryptedBlob(const KeymasterKeyBlob& key_blob,
82                                              keymaster_error_t* error);
83 
84 /**
85  * Decrypt key material from the Deserialized data in `key'.
86  */
87 KeymasterKeyBlob DecryptKey(const DeserializedKey& key, const AuthorizationSet& hidden,
88                             const KeymasterKeyBlob& master_key, keymaster_error_t* error);
89 
90 }  // namespace keymaster
91