Add cert_chain output argument to KeyFactory. am: 6f4db7dd98
Original change: https://android-review.googlesource.com/c/platform/system/keymaster/+/1520312
MUST ONLY BE SUBMITTED BY AUTOMERGER
Change-Id: I990c6cf65e94f97aead0ba65e761e82baaeb8c8a
diff --git a/android_keymaster/android_keymaster.cpp b/android_keymaster/android_keymaster.cpp
index c3ea27e..8986b9d 100644
--- a/android_keymaster/android_keymaster.cpp
+++ b/android_keymaster/android_keymaster.cpp
@@ -233,8 +233,9 @@
KeymasterKeyBlob key_blob;
response->enforced.Clear();
response->unenforced.Clear();
- response->error = factory->GenerateKey(request.key_description, &key_blob,
- &response->enforced, &response->unenforced);
+ response->error =
+ factory->GenerateKey(request.key_description, &key_blob, &response->enforced,
+ &response->unenforced, &response->certificate_chain);
if (response->error == KM_ERROR_OK) response->key_blob = move(key_blob);
}
}
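Review bot: `&response->certificate_chain` is handed to the factory directly here, whereas the third hunk of this file fills a local `CertificateChain cert_chain` and moves it into the response only when the result is `KM_ERROR_OK`. `enforced` and `unenforced` are cleared before the call but the chain is not, so anything already in the response, or anything a factory writes before failing, would remain on the error path; whether that can reach a caller depends on how the response is serialized, which is not visible here. Using the same pattern in this hunk and in the ImportKey hunk below would keep the three paths consistent: declare `CertificateChain cert_chain;` before the call, pass `&cert_chain`, and add `response->certificate_chain = move(cert_chain);` next to the `key_blob` move. The enclosing function starts outside the hunk.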
@@ -417,9 +418,9 @@
} else {
keymaster_key_blob_t key_material = {request.key_data, request.key_data_length};
KeymasterKeyBlob key_blob;
- response->error = factory->ImportKey(request.key_description, request.key_format,
- KeymasterKeyBlob(key_material), &key_blob,
- &response->enforced, &response->unenforced);
+ response->error = factory->ImportKey(
+ request.key_description, request.key_format, KeymasterKeyBlob(key_material), &key_blob,
+ &response->enforced, &response->unenforced, &response->certificate_chain);
if (response->error == KM_ERROR_OK) response->key_blob = move(key_blob);
}
}
@@ -492,11 +493,13 @@
response->error = KM_ERROR_UNSUPPORTED_ALGORITHM;
} else {
KeymasterKeyBlob key_blob;
+ CertificateChain cert_chain;
response->error =
factory->ImportKey(key_description, key_format, KeymasterKeyBlob(secret_key), &key_blob,
- &response->enforced, &response->unenforced);
+ &response->enforced, &response->unenforced, &cert_chain);
if (response->error == KM_ERROR_OK) {
- response->key_blob = key_blob;
+ response->key_blob = move(key_blob);
+ response->certificate_chain = move(cert_chain);
}
}
}
diff --git a/include/keymaster/key_factory.h b/include/keymaster/key_factory.h
index 6c0ec11..299c8ad 100644
--- a/include/keymaster/key_factory.h
+++ b/include/keymaster/key_factory.h
@@ -38,14 +38,16 @@
// Factory methods.
virtual keymaster_error_t GenerateKey(const AuthorizationSet& key_description,
KeymasterKeyBlob* key_blob, AuthorizationSet* hw_enforced,
- AuthorizationSet* sw_enforced) const = 0;
+ AuthorizationSet* sw_enforced,
+ CertificateChain* cert_chain) const = 0;
virtual keymaster_error_t ImportKey(const AuthorizationSet& key_description,
keymaster_key_format_t input_key_material_format,
const KeymasterKeyBlob& input_key_material,
KeymasterKeyBlob* output_key_blob,
AuthorizationSet* hw_enforced,
- AuthorizationSet* sw_enforced) const = 0;
+ AuthorizationSet* sw_enforced,
+ CertificateChain* cert_chain) const = 0;
virtual keymaster_error_t LoadKey(KeymasterKeyBlob&& key_material,
const AuthorizationSet& additional_params,
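Review bot: The two pure virtuals gain `CertificateChain* cert_chain` without a comment saying what an implementation owes the caller. The concrete factories visible in this commit either forward the pointer or leave it unnamed and unwritten, so a short contract above `GenerateKey` would help, for example `// cert_chain receives the key's certificate chain when the factory produces one; it is left untouched otherwise and on error.` If that is not the intended contract, the comment should state the real one. The class continues outside the hunk.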
diff --git a/include/keymaster/km_openssl/ec_key_factory.h b/include/keymaster/km_openssl/ec_key_factory.h
index 7811277..1bf8335 100644
--- a/include/keymaster/km_openssl/ec_key_factory.h
+++ b/include/keymaster/km_openssl/ec_key_factory.h
@@ -35,12 +35,14 @@
keymaster_error_t GenerateKey(const AuthorizationSet& key_description,
KeymasterKeyBlob* key_blob, AuthorizationSet* hw_enforced,
- AuthorizationSet* sw_enforced) const override;
+ AuthorizationSet* sw_enforced,
+ CertificateChain* cert_chain) const override;
keymaster_error_t ImportKey(const AuthorizationSet& key_description,
keymaster_key_format_t input_key_material_format,
const KeymasterKeyBlob& input_key_material,
KeymasterKeyBlob* output_key_blob, AuthorizationSet* hw_enforced,
- AuthorizationSet* sw_enforced) const override;
+ AuthorizationSet* sw_enforced,
+ CertificateChain* cert_chain) const override;
keymaster_error_t CreateEmptyKey(AuthorizationSet&& hw_enforced, AuthorizationSet&& sw_enforced,
UniquePtr<AsymmetricKey>* key) const override;
diff --git a/include/keymaster/km_openssl/rsa_key_factory.h b/include/keymaster/km_openssl/rsa_key_factory.h
index 1c93ef8..de629ef 100644
--- a/include/keymaster/km_openssl/rsa_key_factory.h
+++ b/include/keymaster/km_openssl/rsa_key_factory.h
@@ -32,12 +32,14 @@
keymaster_error_t GenerateKey(const AuthorizationSet& key_description,
KeymasterKeyBlob* key_blob, AuthorizationSet* hw_enforced,
- AuthorizationSet* sw_enforced) const override;
+ AuthorizationSet* sw_enforced,
+ CertificateChain* cert_chain) const override;
keymaster_error_t ImportKey(const AuthorizationSet& key_description,
keymaster_key_format_t input_key_material_format,
const KeymasterKeyBlob& input_key_material,
KeymasterKeyBlob* output_key_blob, AuthorizationSet* hw_enforced,
- AuthorizationSet* sw_enforced) const override;
+ AuthorizationSet* sw_enforced,
+ CertificateChain* cert_chain) const override;
keymaster_error_t CreateEmptyKey(AuthorizationSet&& hw_enforced, AuthorizationSet&& sw_enforced,
UniquePtr<AsymmetricKey>* key) const override;
diff --git a/include/keymaster/km_openssl/symmetric_key.h b/include/keymaster/km_openssl/symmetric_key.h
index 221c9f7..5cd77f5 100644
--- a/include/keymaster/km_openssl/symmetric_key.h
+++ b/include/keymaster/km_openssl/symmetric_key.h
@@ -34,12 +34,14 @@
keymaster_error_t GenerateKey(const AuthorizationSet& key_description,
KeymasterKeyBlob* key_blob, AuthorizationSet* hw_enforced,
- AuthorizationSet* sw_enforced) const override;
+ AuthorizationSet* sw_enforced,
+ CertificateChain* cert_chain) const override;
keymaster_error_t ImportKey(const AuthorizationSet& key_description,
keymaster_key_format_t input_key_material_format,
const KeymasterKeyBlob& input_key_material,
KeymasterKeyBlob* output_key_blob, AuthorizationSet* hw_enforced,
- AuthorizationSet* sw_enforced) const override;
+ AuthorizationSet* sw_enforced,
+ CertificateChain* cert_chain) const override;
virtual const keymaster_key_format_t* SupportedImportFormats(size_t* count) const override;
virtual const keymaster_key_format_t* SupportedExportFormats(size_t* count) const override {
diff --git a/include/keymaster/legacy_support/ec_keymaster1_key.h b/include/keymaster/legacy_support/ec_keymaster1_key.h
index 50459d0..67656d3 100644
--- a/include/keymaster/legacy_support/ec_keymaster1_key.h
+++ b/include/keymaster/legacy_support/ec_keymaster1_key.h
@@ -42,13 +42,15 @@
keymaster_error_t GenerateKey(const AuthorizationSet& key_description,
KeymasterKeyBlob* key_blob, AuthorizationSet* hw_enforced,
- AuthorizationSet* sw_enforced) const override;
+ AuthorizationSet* sw_enforced,
+ CertificateChain* cert_chain) const override;
keymaster_error_t ImportKey(const AuthorizationSet& key_description,
keymaster_key_format_t input_key_material_format,
const KeymasterKeyBlob& input_key_material,
KeymasterKeyBlob* output_key_blob, AuthorizationSet* hw_enforced,
- AuthorizationSet* sw_enforced) const override;
+ AuthorizationSet* sw_enforced,
+ CertificateChain* cert_chain) const override;
keymaster_error_t LoadKey(KeymasterKeyBlob&& key_material,
const AuthorizationSet& additional_params,
diff --git a/include/keymaster/legacy_support/keymaster1_legacy_support.h b/include/keymaster/legacy_support/keymaster1_legacy_support.h
index dc9a82d..16b43cd 100644
--- a/include/keymaster/legacy_support/keymaster1_legacy_support.h
+++ b/include/keymaster/legacy_support/keymaster1_legacy_support.h
@@ -65,13 +65,14 @@
passthrough_factory_(ptengine, algorithm), legacy_support_(dev) {}
keymaster_error_t GenerateKey(const AuthorizationSet& key_description,
KeymasterKeyBlob* key_blob, AuthorizationSet* hw_enforced,
- AuthorizationSet* sw_enforced) const {
+ AuthorizationSet* sw_enforced,
+ CertificateChain* cert_chain) const {
if (legacy_support_.RequiresSoftwareDigesting(key_description)) {
return software_digest_factory_.GenerateKey(key_description, key_blob, hw_enforced,
- sw_enforced);
+ sw_enforced, cert_chain);
} else {
return passthrough_factory_.GenerateKey(key_description, key_blob, hw_enforced,
- sw_enforced);
+ sw_enforced, cert_chain);
}
}
@@ -79,15 +80,15 @@
keymaster_key_format_t input_key_material_format,
const KeymasterKeyBlob& input_key_material,
KeymasterKeyBlob* output_key_blob, AuthorizationSet* hw_enforced,
- AuthorizationSet* sw_enforced) const {
+ AuthorizationSet* sw_enforced, CertificateChain* cert_chain) const {
if (legacy_support_.RequiresSoftwareDigesting(key_description)) {
return software_digest_factory_.ImportKey(key_description, input_key_material_format,
input_key_material, output_key_blob,
- hw_enforced, sw_enforced);
+ hw_enforced, sw_enforced, cert_chain);
} else {
return passthrough_factory_.ImportKey(key_description, input_key_material_format,
input_key_material, output_key_blob, hw_enforced,
- sw_enforced);
+ sw_enforced, cert_chain);
}
}
@@ -136,7 +137,8 @@
template <>
keymaster_error_t Keymaster1ArbitrationFactory<EcdsaKeymaster1KeyFactory>::GenerateKey(
const AuthorizationSet& key_description, KeymasterKeyBlob* key_blob,
- AuthorizationSet* hw_enforced, AuthorizationSet* sw_enforced) const;
+ AuthorizationSet* hw_enforced, AuthorizationSet* sw_enforced,
+ CertificateChain* cert_chain) const;
template <>
keymaster_error_t Keymaster1ArbitrationFactory<EcdsaKeymaster1KeyFactory>::LoadKey(
diff --git a/include/keymaster/legacy_support/keymaster_passthrough_key.h b/include/keymaster/legacy_support/keymaster_passthrough_key.h
index aba7a07..d4b8e12 100644
--- a/include/keymaster/legacy_support/keymaster_passthrough_key.h
+++ b/include/keymaster/legacy_support/keymaster_passthrough_key.h
@@ -42,7 +42,8 @@
keymaster_error_t GenerateKey(const AuthorizationSet& key_description,
KeymasterKeyBlob* key_blob, AuthorizationSet* hw_enforced,
- AuthorizationSet* sw_enforced) const override {
+ AuthorizationSet* sw_enforced,
+ CertificateChain* /* cert_chain */) const override {
return engine_->GenerateKey(key_description, key_blob, hw_enforced, sw_enforced);
}
@@ -50,7 +51,8 @@
keymaster_key_format_t input_key_material_format,
const KeymasterKeyBlob& input_key_material,
KeymasterKeyBlob* output_key_blob, AuthorizationSet* hw_enforced,
- AuthorizationSet* sw_enforced) const override {
+ AuthorizationSet* sw_enforced,
+ CertificateChain* /* cert_chain */) const override {
return engine_->ImportKey(key_description, input_key_material_format, input_key_material,
output_key_blob, hw_enforced, sw_enforced);
}
diff --git a/include/keymaster/legacy_support/rsa_keymaster1_key.h b/include/keymaster/legacy_support/rsa_keymaster1_key.h
index a49b500..dd9eac7 100644
--- a/include/keymaster/legacy_support/rsa_keymaster1_key.h
+++ b/include/keymaster/legacy_support/rsa_keymaster1_key.h
@@ -42,13 +42,15 @@
keymaster_error_t GenerateKey(const AuthorizationSet& key_description,
KeymasterKeyBlob* key_blob, AuthorizationSet* hw_enforced,
- AuthorizationSet* sw_enforced) const override;
+ AuthorizationSet* sw_enforced,
+ CertificateChain* cert_chain) const override;
keymaster_error_t ImportKey(const AuthorizationSet& key_description,
keymaster_key_format_t input_key_material_format,
const KeymasterKeyBlob& input_key_material,
KeymasterKeyBlob* output_key_blob, AuthorizationSet* hw_enforced,
- AuthorizationSet* sw_enforced) const override;
+ AuthorizationSet* sw_enforced,
+ CertificateChain* cert_chain) const override;
keymaster_error_t LoadKey(KeymasterKeyBlob&& key_material,
const AuthorizationSet& additional_params,
diff --git a/km_openssl/ec_key_factory.cpp b/km_openssl/ec_key_factory.cpp
index c533af2..4deaac7 100644
--- a/km_openssl/ec_key_factory.cpp
+++ b/km_openssl/ec_key_factory.cpp
@@ -74,7 +74,8 @@
keymaster_error_t EcKeyFactory::GenerateKey(const AuthorizationSet& key_description,
KeymasterKeyBlob* key_blob,
AuthorizationSet* hw_enforced,
- AuthorizationSet* sw_enforced) const {
+ AuthorizationSet* sw_enforced,
+ CertificateChain* /* cert_chain */) const {
if (!key_blob || !hw_enforced || !sw_enforced) return KM_ERROR_OUTPUT_PARAMETER_NULL;
AuthorizationSet authorizations(key_description);
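Review bot: The guard after the signature rejects a null `key_blob`, `hw_enforced` or `sw_enforced` with `KM_ERROR_OUTPUT_PARAMETER_NULL`, but the new output pointer is outside it, which is safe only while the parameter stays unnamed and unused. A marker at the parameter would stop the check being forgotten once the chain starts being written, e.g. `// TODO: add cert_chain to the null check once this factory populates it.` The same applies to the ImportKey hunk below and to the matching hunks in rsa_key_factory.cpp and symmetric_key.cpp. The function body continues outside the hunk.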
@@ -125,7 +126,8 @@
const KeymasterKeyBlob& input_key_material,
KeymasterKeyBlob* output_key_blob,
AuthorizationSet* hw_enforced,
- AuthorizationSet* sw_enforced) const {
+ AuthorizationSet* sw_enforced,
+ CertificateChain* /* cert_chain */) const {
if (!output_key_blob || !hw_enforced || !sw_enforced) return KM_ERROR_OUTPUT_PARAMETER_NULL;
AuthorizationSet authorizations;
diff --git a/km_openssl/rsa_key_factory.cpp b/km_openssl/rsa_key_factory.cpp
index d8879af..4ec0af6 100644
--- a/km_openssl/rsa_key_factory.cpp
+++ b/km_openssl/rsa_key_factory.cpp
@@ -52,7 +52,8 @@
keymaster_error_t RsaKeyFactory::GenerateKey(const AuthorizationSet& key_description,
KeymasterKeyBlob* key_blob,
AuthorizationSet* hw_enforced,
- AuthorizationSet* sw_enforced) const {
+ AuthorizationSet* sw_enforced,
+ CertificateChain* /* cert_chain */) const {
if (!key_blob || !hw_enforced || !sw_enforced) return KM_ERROR_OUTPUT_PARAMETER_NULL;
const AuthorizationSet& authorizations(key_description);
@@ -102,7 +103,8 @@
const KeymasterKeyBlob& input_key_material,
KeymasterKeyBlob* output_key_blob,
AuthorizationSet* hw_enforced,
- AuthorizationSet* sw_enforced) const {
+ AuthorizationSet* sw_enforced,
+ CertificateChain* /* cert_chain */) const {
if (!output_key_blob || !hw_enforced || !sw_enforced) return KM_ERROR_OUTPUT_PARAMETER_NULL;
AuthorizationSet authorizations;
diff --git a/km_openssl/symmetric_key.cpp b/km_openssl/symmetric_key.cpp
index a9ec688..32fccb3 100644
--- a/km_openssl/symmetric_key.cpp
+++ b/km_openssl/symmetric_key.cpp
@@ -33,7 +33,8 @@
keymaster_error_t SymmetricKeyFactory::GenerateKey(const AuthorizationSet& key_description,
KeymasterKeyBlob* key_blob,
AuthorizationSet* hw_enforced,
- AuthorizationSet* sw_enforced) const {
+ AuthorizationSet* sw_enforced,
+ CertificateChain* /* cert_chain */) const {
if (!key_blob || !hw_enforced || !sw_enforced) return KM_ERROR_OUTPUT_PARAMETER_NULL;
uint32_t key_size_bits;
@@ -63,7 +64,8 @@
const KeymasterKeyBlob& input_key_material,
KeymasterKeyBlob* output_key_blob,
AuthorizationSet* hw_enforced,
- AuthorizationSet* sw_enforced) const {
+ AuthorizationSet* sw_enforced,
+ CertificateChain* /* cert_chain */) const {
if (!output_key_blob || !hw_enforced || !sw_enforced) return KM_ERROR_OUTPUT_PARAMETER_NULL;
AuthorizationSet authorizations(key_description);
diff --git a/legacy_support/ec_keymaster1_key.cpp b/legacy_support/ec_keymaster1_key.cpp
index ad41cc8..7e4e89f 100644
--- a/legacy_support/ec_keymaster1_key.cpp
+++ b/legacy_support/ec_keymaster1_key.cpp
@@ -64,7 +64,8 @@
keymaster_error_t EcdsaKeymaster1KeyFactory::GenerateKey(const AuthorizationSet& key_description,
KeymasterKeyBlob* key_blob,
AuthorizationSet* hw_enforced,
- AuthorizationSet* sw_enforced) const {
+ AuthorizationSet* sw_enforced,
+ CertificateChain* /* cert_chain */) const {
AuthorizationSet key_params_copy;
UpdateToWorkAroundUnsupportedDigests(key_description, &key_params_copy);
@@ -82,7 +83,8 @@
keymaster_error_t EcdsaKeymaster1KeyFactory::ImportKey(
const AuthorizationSet& key_description, keymaster_key_format_t input_key_material_format,
const KeymasterKeyBlob& input_key_material, KeymasterKeyBlob* output_key_blob,
- AuthorizationSet* hw_enforced, AuthorizationSet* sw_enforced) const {
+ AuthorizationSet* hw_enforced, AuthorizationSet* sw_enforced,
+ CertificateChain* /* cert_chain */) const {
AuthorizationSet key_params_copy;
UpdateToWorkAroundUnsupportedDigests(key_description, &key_params_copy);
return engine_->ImportKey(key_params_copy, input_key_material_format, input_key_material,
diff --git a/legacy_support/keymaster1_legacy_support.cpp b/legacy_support/keymaster1_legacy_support.cpp
index 1ea07c1..1f8836e 100644
--- a/legacy_support/keymaster1_legacy_support.cpp
+++ b/legacy_support/keymaster1_legacy_support.cpp
@@ -218,15 +218,14 @@
return !has_purpose;
}
-template<>
-keymaster_error_t
-Keymaster1ArbitrationFactory<EcdsaKeymaster1KeyFactory>::GenerateKey(
- const AuthorizationSet& key_description,
- KeymasterKeyBlob* key_blob, AuthorizationSet* hw_enforced,
- AuthorizationSet* sw_enforced) const {
+template <>
+keymaster_error_t Keymaster1ArbitrationFactory<EcdsaKeymaster1KeyFactory>::GenerateKey(
+ const AuthorizationSet& key_description, KeymasterKeyBlob* key_blob,
+ AuthorizationSet* hw_enforced, AuthorizationSet* sw_enforced,
+ CertificateChain* cert_chain) const {
if (legacy_support_.RequiresSoftwareDigesting(key_description)) {
return software_digest_factory_.GenerateKey(key_description, key_blob, hw_enforced,
- sw_enforced);
+ sw_enforced, cert_chain);
} else {
AuthorizationSet mutable_key_description = key_description;
keymaster_ec_curve_t curve;
@@ -249,7 +248,7 @@
}
return passthrough_factory_.GenerateKey(mutable_key_description, key_blob, hw_enforced,
- sw_enforced);
+ sw_enforced, cert_chain);
}
}
diff --git a/legacy_support/rsa_keymaster1_key.cpp b/legacy_support/rsa_keymaster1_key.cpp
index 81e190c..b7b37ff 100644
--- a/legacy_support/rsa_keymaster1_key.cpp
+++ b/legacy_support/rsa_keymaster1_key.cpp
@@ -82,16 +82,21 @@
keymaster_error_t RsaKeymaster1KeyFactory::GenerateKey(const AuthorizationSet& key_description,
KeymasterKeyBlob* key_blob,
AuthorizationSet* hw_enforced,
- AuthorizationSet* sw_enforced) const {
+ AuthorizationSet* sw_enforced,
+ CertificateChain* /* cert_chain */) const {
AuthorizationSet key_params_copy;
UpdateToWorkAroundUnsupportedDigests(key_description, &key_params_copy);
return engine_->GenerateKey(key_params_copy, key_blob, hw_enforced, sw_enforced);
}
-keymaster_error_t RsaKeymaster1KeyFactory::ImportKey(
- const AuthorizationSet& key_description, keymaster_key_format_t input_key_material_format,
- const KeymasterKeyBlob& input_key_material, KeymasterKeyBlob* output_key_blob,
- AuthorizationSet* hw_enforced, AuthorizationSet* sw_enforced) const {
+keymaster_error_t //
+RsaKeymaster1KeyFactory::ImportKey(const AuthorizationSet& key_description,
+ keymaster_key_format_t input_key_material_format,
+ const KeymasterKeyBlob& input_key_material,
+ KeymasterKeyBlob* output_key_blob, //
+ AuthorizationSet* hw_enforced, //
+ AuthorizationSet* sw_enforced,
+ CertificateChain* /* cert_chain */) const {
AuthorizationSet key_params_copy;
UpdateToWorkAroundUnsupportedDigests(key_description, &key_params_copy);
return engine_->ImportKey(key_params_copy, input_key_material_format, input_key_material,
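Review bot: The rewritten `RsaKeymaster1KeyFactory::ImportKey` signature carries empty trailing `//` comments (`keymaster_error_t //`, `KeymasterKeyBlob* output_key_blob, //`, `AuthorizationSet* hw_enforced, //`) that appear to exist only to steer the formatter's line breaks. `EcdsaKeymaster1KeyFactory::ImportKey` in this same commit takes the identical parameter list without them, so the two legacy factories now read differently for no functional reason. Dropping the markers and letting the formatter wrap the signature as in ec_keymaster1_key.cpp would keep the pair aligned. The function body continues outside the hunk.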