Add additional parameters to importWrappedKey
Bug: 31675676
Test: VtsHalKeymasterV4_0TargetTest
Change-Id: I31166d0c562d92bbdcf3357782ac2a076a1bc2d9
diff --git a/keymaster/4.0/IKeymasterDevice.hal b/keymaster/4.0/IKeymasterDevice.hal
index 14c9c35..5dac929 100644
--- a/keymaster/4.0/IKeymasterDevice.hal
+++ b/keymaster/4.0/IKeymasterDevice.hal
@@ -274,6 +274,23 @@
* @param maskingKey The 32-byte value XOR'd with the transport key in the SecureWrappedKey
* structure.
*
+ * @param unwrappingParams must contain any parameters needed to perform the unwrapping
+ * operation. For example, if the wrapping key is an AES key the block and padding modes
+ * must be specified in this argument.
+ *
+ * @param passwordSid specifies the password secure ID (SID) of the user that owns the key being
+ * installed. If the authorization list in wrappedKeyData contains a Tag::USER_SECURE_ID
+ * with a value that has the HardwareAuthenticatorType::PASSWORD bit set, the constructed
+ * key must be bound to the SID value provided by this argument. If the wrappedKeyData
+ * does not contain such a tag and value, this argument must be ignored.
+ *
+ * @param biometricSid specifies the biometric secure ID (SID) of the user that owns the key
+ * being installed. If the authorization list in wrappedKeyData contains a
+ * Tag::USER_SECURE_ID with a value that has the HardwareAuthenticatorType::FINGERPRINT
+ * bit set, the constructed key must be bound to the SID value provided by this argument.
+ * If the wrappedKeyData does not contain such a tag and value, this argument must be
+ * ignored.
+ *
* @return error See the ErrorCode enum.
*
* @return keyBlob Opaque descriptor of the imported key. It is recommended that the keyBlob
@@ -281,8 +298,9 @@
* hardware.
*/
importWrappedKey(vec<uint8_t> wrappedKeyData, vec<uint8_t> wrappingKeyBlob,
- vec<uint8_t> maskingKey)
- generates (ErrorCode error, vec<uint8_t> keyBlob, KeyCharacteristics keyCharacteristics);
+ vec<uint8_t> maskingKey, vec<KeyParameter> unwrappingParams,
+ uint64_t passwordSid, uint64_t biometricSid)
+ generates(ErrorCode error, vec<uint8_t> keyBlob, KeyCharacteristics keyCharacteristics);
/**
* Returns the characteristics of the specified key, if the keyBlob is valid (implementations
diff --git a/keymaster/4.0/support/include/keymasterV4_0/Keymaster3.h b/keymaster/4.0/support/include/keymasterV4_0/Keymaster3.h
index 051e570..4054620 100644
--- a/keymaster/4.0/support/include/keymasterV4_0/Keymaster3.h
+++ b/keymaster/4.0/support/include/keymasterV4_0/Keymaster3.h
@@ -74,8 +74,12 @@
Return<void> importKey(const hidl_vec<KeyParameter>& params, KeyFormat keyFormat,
const hidl_vec<uint8_t>& keyData, importKey_cb _hidl_cb) override;
- Return<void> importWrappedKey(const hidl_vec<uint8_t>&, const hidl_vec<uint8_t>&,
- const hidl_vec<uint8_t>&, importWrappedKey_cb _hidl_cb) {
+ Return<void> importWrappedKey(const hidl_vec<uint8_t>& /* wrappedKeyData */,
+ const hidl_vec<uint8_t>& /* wrappingKeyBlob */,
+ const hidl_vec<uint8_t>& /* maskingKey */,
+ const hidl_vec<KeyParameter>& /* unwrappingParams */,
+ uint64_t /* passwordSid */, uint64_t /* biometricSid */,
+ importWrappedKey_cb _hidl_cb) {
_hidl_cb(ErrorCode::UNIMPLEMENTED, {}, {});
return Void();
}
diff --git a/keymaster/4.0/support/include/keymasterV4_0/Keymaster4.h b/keymaster/4.0/support/include/keymasterV4_0/Keymaster4.h
index ffddcac..86ef4f8 100644
--- a/keymaster/4.0/support/include/keymasterV4_0/Keymaster4.h
+++ b/keymaster/4.0/support/include/keymasterV4_0/Keymaster4.h
@@ -81,8 +81,11 @@
Return<void> importWrappedKey(const hidl_vec<uint8_t>& wrappedKeyData,
const hidl_vec<uint8_t>& wrappingKeyBlob,
const hidl_vec<uint8_t>& maskingKey,
+ const hidl_vec<KeyParameter>& unwrappingParams,
+ uint64_t passwordSid, uint64_t biometricSid,
importWrappedKey_cb _hidl_cb) {
- return dev_->importWrappedKey(wrappedKeyData, wrappingKeyBlob, maskingKey, _hidl_cb);
+ return dev_->importWrappedKey(wrappedKeyData, wrappingKeyBlob, maskingKey, unwrappingParams,
+ passwordSid, biometricSid, _hidl_cb);
}
Return<void> exportKey(KeyFormat exportFormat, const hidl_vec<uint8_t>& keyBlob,
diff --git a/keymaster/4.0/vts/functional/KeymasterHidlTest.cpp b/keymaster/4.0/vts/functional/KeymasterHidlTest.cpp
index 13b6b2f..37d8c42 100644
--- a/keymaster/4.0/vts/functional/KeymasterHidlTest.cpp
+++ b/keymaster/4.0/vts/functional/KeymasterHidlTest.cpp
@@ -137,11 +137,14 @@
ErrorCode KeymasterHidlTest::ImportWrappedKey(string wrapped_key, string wrapping_key,
const AuthorizationSet& wrapping_key_desc,
- string masking_key) {
+ string masking_key,
+ const AuthorizationSet& unwrapping_params) {
ErrorCode error;
ImportKey(wrapping_key_desc, KeyFormat::PKCS8, wrapping_key);
EXPECT_TRUE(keymaster_
->importWrappedKey(HidlBuf(wrapped_key), key_blob_, HidlBuf(masking_key),
+ unwrapping_params.hidl_data(), 0 /* passwordSid */,
+ 0 /* biometricSid */,
[&](ErrorCode hidl_error, const HidlBuf& hidl_key_blob,
const KeyCharacteristics& hidl_key_characteristics) {
error = hidl_error;
diff --git a/keymaster/4.0/vts/functional/KeymasterHidlTest.h b/keymaster/4.0/vts/functional/KeymasterHidlTest.h
index 0c73f05..3e84bfd 100644
--- a/keymaster/4.0/vts/functional/KeymasterHidlTest.h
+++ b/keymaster/4.0/vts/functional/KeymasterHidlTest.h
@@ -116,7 +116,8 @@
const string& key_material);
ErrorCode ImportWrappedKey(string wrapped_key, string wrapping_key,
- const AuthorizationSet& wrapping_key_desc, string masking_key);
+ const AuthorizationSet& wrapping_key_desc, string masking_key,
+ const AuthorizationSet& unwrapping_params);
ErrorCode ExportKey(KeyFormat format, const HidlBuf& key_blob, const HidlBuf& client_id,
const HidlBuf& app_data, HidlBuf* key_material);
diff --git a/keymaster/4.0/vts/functional/keymaster_hidl_hal_test.cpp b/keymaster/4.0/vts/functional/keymaster_hidl_hal_test.cpp
index cb6ade2..49090e8 100644
--- a/keymaster/4.0/vts/functional/keymaster_hidl_hal_test.cpp
+++ b/keymaster/4.0/vts/functional/keymaster_hidl_hal_test.cpp
@@ -1943,7 +1943,9 @@
.Authorization(TAG_PURPOSE, KeyPurpose::WRAP_KEY);
ASSERT_EQ(ErrorCode::OK,
- ImportWrappedKey(wrapped_key, wrapping_key, wrapping_key_desc, zero_masking_key));
+ ImportWrappedKey(
+ wrapped_key, wrapping_key, wrapping_key_desc, zero_masking_key,
+ AuthorizationSetBuilder().Digest(Digest::SHA1).Padding(PaddingMode::RSA_OAEP)));
string message = "Hello World!";
auto params = AuthorizationSetBuilder().BlockMode(BlockMode::ECB).Padding(PaddingMode::PKCS7);
@@ -1960,7 +1962,9 @@
.Authorization(TAG_PURPOSE, KeyPurpose::WRAP_KEY);
ASSERT_EQ(ErrorCode::OK,
- ImportWrappedKey(wrapped_key_masked, wrapping_key, wrapping_key_desc, masking_key));
+ ImportWrappedKey(
+ wrapped_key_masked, wrapping_key, wrapping_key_desc, masking_key,
+ AuthorizationSetBuilder().Digest(Digest::SHA1).Padding(PaddingMode::RSA_OAEP)));
}
TEST_F(ImportWrappedKeyTest, WrongMask) {
@@ -1970,9 +1974,10 @@
.Padding(PaddingMode::RSA_OAEP)
.Authorization(TAG_PURPOSE, KeyPurpose::WRAP_KEY);
- ASSERT_EQ(
- ErrorCode::VERIFICATION_FAILED,
- ImportWrappedKey(wrapped_key_masked, wrapping_key, wrapping_key_desc, zero_masking_key));
+ ASSERT_EQ(ErrorCode::VERIFICATION_FAILED,
+ ImportWrappedKey(
+ wrapped_key_masked, wrapping_key, wrapping_key_desc, zero_masking_key,
+ AuthorizationSetBuilder().Digest(Digest::SHA1).Padding(PaddingMode::RSA_OAEP)));
}
TEST_F(ImportWrappedKeyTest, WrongPurpose) {
@@ -1981,9 +1986,10 @@
.Digest(Digest::SHA1)
.Padding(PaddingMode::RSA_OAEP);
- ASSERT_EQ(
- ErrorCode::INCOMPATIBLE_PURPOSE,
- ImportWrappedKey(wrapped_key_masked, wrapping_key, wrapping_key_desc, zero_masking_key));
+ ASSERT_EQ(ErrorCode::INCOMPATIBLE_PURPOSE,
+ ImportWrappedKey(
+ wrapped_key_masked, wrapping_key, wrapping_key_desc, zero_masking_key,
+ AuthorizationSetBuilder().Digest(Digest::SHA1).Padding(PaddingMode::RSA_OAEP)));
}
typedef KeymasterHidlTest EncryptionOperationsTest;