diff options
author | Kenny Root <kroot@google.com> | 2012-03-13 13:11:09 -0700 |
---|---|---|
committer | Android (Google) Code Review <android-gerrit@google.com> | 2012-03-13 13:11:09 -0700 |
commit | b2959a49be9674513793fbf39a6255a473482728 (patch) | |
tree | d848da456f1937732c8f8472ab9ce59537913ce5 | |
parent | a776bb2e81e5c3a36394867fcb30c141d2a3ac0e (diff) | |
parent | 9271d04d888c5676ccd9707378d18cad0f06d607 (diff) | |
download | libhardware-b2959a49be9674513793fbf39a6255a473482728.tar.gz |
Merge "Update keymaster API to final signing spec"
-rw-r--r-- | include/hardware/keymaster.h | 123 |
1 files changed, 100 insertions, 23 deletions
diff --git a/include/hardware/keymaster.h b/include/hardware/keymaster.h index 76ab75de..3c7799ac 100644 --- a/include/hardware/keymaster.h +++ b/include/hardware/keymaster.h @@ -32,16 +32,50 @@ __BEGIN_DECLS #define KEYSTORE_KEYMASTER "keymaster" +/** + * The API level of this version of the header. The allows the implementing + * module to recognize which API level of the client it is dealing with in + * the case of pre-compiled binary clients. + */ +#define KEYMASTER_API_VERSION 1 + struct keystore_module { - struct hw_module_t common; + hw_module_t common; }; /** - * Key algorithm for imported keypairs. + * Asymmetric key pair types. */ typedef enum { - ALGORITHM_RSA, -} keymaster_keypair_algorithm_t; + TYPE_RSA = 1, +} keymaster_keypair_t; + +/** + * Parameters needed to generate an RSA key. + */ +typedef struct { + uint32_t modulus_size; + uint64_t public_exponent; +} keymaster_rsa_keygen_params_t; + +/** + * Digest type used for RSA operations. + */ +typedef enum { + DIGEST_NONE, +} keymaster_rsa_digest_t; + +/** + * Type of padding used for RSA operations. + */ +typedef enum { + PADDING_NONE, +} keymaster_rsa_padding_t; + +typedef struct { + keymaster_rsa_digest_t digest_type; + keymaster_rsa_padding_t padding_type; +} keymaster_rsa_sign_params_t; /** * The parameters that can be set for a given keymaster implementation. @@ -49,53 +83,96 @@ typedef enum { struct keymaster_device { struct hw_device_t common; + uint32_t client_version; + void* context; /** * Generates a public and private key. The key-blob returned is opaque - * and will subsequently provided for signing and verification. + * and must subsequently provided for signing and verification. * * Returns: 0 on success or an error code less than 0. */ - int (*generate_rsa_keypair)(const struct keymaster_device* dev, - int modulus_size, unsigned long public_exponent, - uint8_t** keyBlob, size_t* keyBlobLength); + int (*generate_keypair)(const struct keymaster_device* dev, + const keymaster_keypair_t key_type, const void* key_params, + uint8_t** key_blob, size_t* key_blob_length); /** - * Imports a public and private key pair. The imported keys should be in - * DER format. The key-blob returned is opaque and can be subsequently - * provided for signing and verification. + * Imports a public and private key pair. The imported keys will be in + * PKCS#8 format with DER encoding (Java standard). The key-blob + * returned is opaque and will be subsequently provided for signing + * and verification. * * Returns: 0 on success or an error code less than 0. */ int (*import_keypair)(const struct keymaster_device* dev, - keymaster_keypair_algorithm_t algorithm, - uint8_t* privateKey, size_t* privateKeyLength, - uint8_t* publicKey, size_t* publicKeyLength, - uint8_t** keyBlob, size_t* keyBlobLength); + const uint8_t* key, const size_t key_length, + uint8_t** key_blob, size_t* key_blob_length); /** - * Signs data using a key-blob generated before. + * Gets the public key part of a key pair. The public key must be in + * X.509 format (Java standard) encoded byte array. + * + * Returns: 0 on success or an error code less than 0. + * On error, x509_data should not be allocated. + */ + int (*get_keypair_public)(const struct keymaster_device* dev, + const uint8_t* key_blob, const size_t key_blob_length, + uint8_t** x509_data, size_t* x509_data_length); + + /** + * Deletes the key pair associated with the key blob. + */ + int (*delete_keypair)(const struct keymaster_device* dev, + const uint8_t* key_blob, const size_t key_blob_length); + + /** + * Signs data using a key-blob generated before. This can use either + * an asymmetric key or a secret key. * * Returns: 0 on success or an error code less than 0. */ int (*sign_data)(const struct keymaster_device* dev, - const uint8_t* keyBlob, const size_t keyBlobLength, - const uint8_t* data, const size_t dataLength, - uint8_t** signedData, size_t* signedDataLength); + const void* signing_params, + const uint8_t* key_blob, const size_t key_blob_length, + const uint8_t* data, const size_t data_length, + uint8_t** signed_data, size_t* signed_data_length); /** - * Verifies data signed with a key-blob. + * Verifies data signed with a key-blob. This can use either + * an asymmetric key or a secret key. * * Returns: 0 on successful verification or an error code less than 0. */ int (*verify_data)(const struct keymaster_device* dev, - const uint8_t* keyBlob, const size_t keyBlobLength, - const uint8_t* signedData, const size_t signedDataLength, - const uint8_t* signature, const size_t signatureLength); + const void* signing_params, + const uint8_t* key_blob, const size_t key_blob_length, + const uint8_t* signed_data, const size_t signed_data_length, + const uint8_t* signature, const size_t signature_length); }; typedef struct keymaster_device keymaster_device_t; + +/* Convenience API for opening and closing keymaster devices */ + +static inline int keymaster_open(const struct hw_module_t* module, + keymaster_device_t** device) +{ + int rc = module->methods->open(module, KEYSTORE_KEYMASTER, + (struct hw_device_t**) device); + + if (!rc) { + (*device)->client_version = KEYMASTER_API_VERSION; + } + + return rc; +} + +static inline int keymaster_close(keymaster_device_t* device) +{ + return device->common.close(&device->common); +} + __END_DECLS #endif // ANDROID_HARDWARE_KEYMASTER_H |