blob: aee3b82dded11bafc8d918758df473e8ea1f1365 [file] [log] [blame]
Janis Danisevskis1af91262020-08-10 14:58:08 -07001// Copyright 2020, The Android Open Source Project
2//
3// Licensed under the Apache License, Version 2.0 (the "License");
4// you may not use this file except in compliance with the License.
5// You may obtain a copy of the License at
6//
7// http://www.apache.org/licenses/LICENSE-2.0
8//
9// Unless required by applicable law or agreed to in writing, software
10// distributed under the License is distributed on an "AS IS" BASIS,
11// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12// See the License for the specific language governing permissions and
13// limitations under the License.
14
15#![allow(unused_variables)]
16
17//! This crate implements the IKeystoreSecurityLevel interface.
18
Janis Danisevskis7e8b4622021-02-13 10:01:59 -080019use crate::globals::get_keymint_device;
Shawn Willden708744a2020-12-11 13:05:27 +000020use android_hardware_security_keymint::aidl::android::hardware::security::keymint::{
Max Bires97f96812021-02-23 23:44:57 -080021 Algorithm::Algorithm, AttestationKey::AttestationKey, Certificate::Certificate,
Shawn Willden8fde4c22021-02-14 13:58:22 -070022 HardwareAuthenticatorType::HardwareAuthenticatorType, IKeyMintDevice::IKeyMintDevice,
23 KeyCreationResult::KeyCreationResult, KeyFormat::KeyFormat,
Max Bires8e93d2b2021-01-14 13:17:59 -080024 KeyMintHardwareInfo::KeyMintHardwareInfo, KeyParameter::KeyParameter,
25 KeyParameterValue::KeyParameterValue, SecurityLevel::SecurityLevel, Tag::Tag,
Janis Danisevskis1af91262020-08-10 14:58:08 -070026};
27use android_system_keystore2::aidl::android::system::keystore2::{
Janis Danisevskisa53c9cf2020-10-26 11:52:33 -070028 AuthenticatorSpec::AuthenticatorSpec, CreateOperationResponse::CreateOperationResponse,
29 Domain::Domain, IKeystoreOperation::IKeystoreOperation,
30 IKeystoreSecurityLevel::BnKeystoreSecurityLevel,
Janis Danisevskis1af91262020-08-10 14:58:08 -070031 IKeystoreSecurityLevel::IKeystoreSecurityLevel, KeyDescriptor::KeyDescriptor,
Janis Danisevskis5ed8c532021-01-11 14:19:42 -080032 KeyMetadata::KeyMetadata, KeyParameters::KeyParameters,
Janis Danisevskis1af91262020-08-10 14:58:08 -070033};
34
Max Bires97f96812021-02-23 23:44:57 -080035use crate::database::{CertificateInfo, KeyIdGuard, KeystoreDB};
Hasini Gunasinghe3ed5da72021-02-04 15:18:54 +000036use crate::globals::{DB, ENFORCEMENTS, LEGACY_MIGRATOR, SUPER_KEY};
Hasini Gunasinghe888dd352020-11-17 23:08:39 +000037use crate::key_parameter::KeyParameter as KsKeyParam;
Hasini Gunasinghea020b532021-01-07 21:42:35 +000038use crate::key_parameter::KeyParameterValue as KsKeyParamValue;
Max Bires97f96812021-02-23 23:44:57 -080039use crate::remote_provisioning::RemProvState;
Hasini Gunasinghedeab85d2021-02-01 21:10:02 +000040use crate::super_key::{KeyBlob, SuperKeyManager};
Qi Wub9433b52020-12-01 14:52:46 +080041use crate::utils::{check_key_permission, uid_to_android_user, Asp};
Max Bires8e93d2b2021-01-14 13:17:59 -080042use crate::{
Janis Danisevskis7e8b4622021-02-13 10:01:59 -080043 database::{
44 BlobMetaData, BlobMetaEntry, DateTime, KeyEntry, KeyEntryLoadBits, KeyMetaData,
45 KeyMetaEntry, KeyType, SubComponentType, Uuid,
46 },
47 operation::KeystoreOperation,
48 operation::OperationDb,
Janis Danisevskisb42fc182020-12-15 08:41:27 -080049 permission::KeyPerm,
50};
51use crate::{
Janis Danisevskis04b02832020-10-26 09:21:40 -070052 error::{self, map_km_error, map_or_log_err, Error, ErrorCode},
53 utils::key_characteristics_to_internal,
54};
Janis Danisevskis212c68b2021-01-14 22:29:28 -080055use anyhow::{anyhow, Context, Result};
Stephen Crane221bbb52020-12-16 15:52:10 -080056use binder::{IBinder, Strong, ThreadState};
Shawn Willden34120872021-02-24 21:56:30 -070057use keystore2_crypto::parse_subject_from_certificate;
Janis Danisevskis1af91262020-08-10 14:58:08 -070058
59/// Implementation of the IKeystoreSecurityLevel Interface.
60pub struct KeystoreSecurityLevel {
61 security_level: SecurityLevel,
62 keymint: Asp,
Max Bires8e93d2b2021-01-14 13:17:59 -080063 #[allow(dead_code)]
64 hw_info: KeyMintHardwareInfo,
65 km_uuid: Uuid,
Janis Danisevskis1af91262020-08-10 14:58:08 -070066 operation_db: OperationDb,
Max Bires97f96812021-02-23 23:44:57 -080067 rem_prov_state: RemProvState,
Janis Danisevskis1af91262020-08-10 14:58:08 -070068}
69
Janis Danisevskis1af91262020-08-10 14:58:08 -070070// Blob of 32 zeroes used as empty masking key.
71static ZERO_BLOB_32: &[u8] = &[0; 32];
72
Janis Danisevskis2c084012021-01-31 22:23:17 -080073// Per RFC 5280 4.1.2.5, an undefined expiration (not-after) field should be set to GeneralizedTime
74// 999912312359559, which is 253402300799000 ms from Jan 1, 1970.
75const UNDEFINED_NOT_AFTER: i64 = 253402300799000i64;
76
Janis Danisevskis1af91262020-08-10 14:58:08 -070077impl KeystoreSecurityLevel {
78 /// Creates a new security level instance wrapped in a
79 /// BnKeystoreSecurityLevel proxy object. It also
80 /// calls `IBinder::set_requesting_sid` on the new interface, because
81 /// we need it for checking keystore permissions.
82 pub fn new_native_binder(
83 security_level: SecurityLevel,
Stephen Crane221bbb52020-12-16 15:52:10 -080084 ) -> Result<(Strong<dyn IKeystoreSecurityLevel>, Uuid)> {
Max Bires8e93d2b2021-01-14 13:17:59 -080085 let (dev, hw_info, km_uuid) = get_keymint_device(&security_level)
86 .context("In KeystoreSecurityLevel::new_native_binder.")?;
Janis Danisevskis1af91262020-08-10 14:58:08 -070087 let result = BnKeystoreSecurityLevel::new_binder(Self {
88 security_level,
Max Bires8e93d2b2021-01-14 13:17:59 -080089 keymint: dev,
90 hw_info,
91 km_uuid,
Janis Danisevskis1af91262020-08-10 14:58:08 -070092 operation_db: OperationDb::new(),
Max Bires97f96812021-02-23 23:44:57 -080093 rem_prov_state: RemProvState::new(security_level, km_uuid),
Janis Danisevskis1af91262020-08-10 14:58:08 -070094 });
95 result.as_binder().set_requesting_sid(true);
Max Bires8e93d2b2021-01-14 13:17:59 -080096 Ok((result, km_uuid))
Janis Danisevskis1af91262020-08-10 14:58:08 -070097 }
98
99 fn store_new_key(
100 &self,
101 key: KeyDescriptor,
Shawn Willdendbdac602021-01-12 22:35:16 -0700102 creation_result: KeyCreationResult,
Hasini Gunasinghea020b532021-01-07 21:42:35 +0000103 user_id: u32,
Hasini Gunasinghedeab85d2021-02-01 21:10:02 +0000104 flags: Option<i32>,
Janis Danisevskis2c7f9622020-09-30 16:30:31 -0700105 ) -> Result<KeyMetadata> {
Shawn Willdendbdac602021-01-12 22:35:16 -0700106 let KeyCreationResult {
107 keyBlob: key_blob,
108 keyCharacteristics: key_characteristics,
109 certificateChain: mut certificate_chain,
110 } = creation_result;
Janis Danisevskis1af91262020-08-10 14:58:08 -0700111
Max Bires8e93d2b2021-01-14 13:17:59 -0800112 let mut cert_info: CertificateInfo = CertificateInfo::new(
Shawn Willdendbdac602021-01-12 22:35:16 -0700113 match certificate_chain.len() {
114 0 => None,
115 _ => Some(certificate_chain.remove(0).encodedCertificate),
116 },
117 match certificate_chain.len() {
118 0 => None,
119 _ => Some(
120 certificate_chain
121 .iter()
122 .map(|c| c.encodedCertificate.iter())
123 .flatten()
124 .copied()
125 .collect(),
126 ),
127 },
128 );
129
Hasini Gunasinghea020b532021-01-07 21:42:35 +0000130 let mut key_parameters = key_characteristics_to_internal(key_characteristics);
131
132 key_parameters.push(KsKeyParam::new(
133 KsKeyParamValue::UserID(user_id as i32),
134 SecurityLevel::SOFTWARE,
135 ));
Janis Danisevskis04b02832020-10-26 09:21:40 -0700136
Janis Danisevskisb42fc182020-12-15 08:41:27 -0800137 let creation_date = DateTime::now().context("Trying to make creation time.")?;
138
Janis Danisevskis1af91262020-08-10 14:58:08 -0700139 let key = match key.domain {
Satya Tangirala60671e32021-03-04 16:12:19 -0800140 Domain::BLOB => KeyDescriptor {
141 domain: Domain::BLOB,
142 blob: Some(key_blob.to_vec()),
143 ..Default::default()
144 },
Janis Danisevskis1af91262020-08-10 14:58:08 -0700145 _ => DB
Janis Danisevskis93927dd2020-12-23 12:23:08 -0800146 .with::<_, Result<KeyDescriptor>>(|db| {
Satya Tangirala60671e32021-03-04 16:12:19 -0800147 let mut db = db.borrow_mut();
148
149 let (key_blob, mut blob_metadata) = SUPER_KEY
150 .handle_super_encryption_on_key_init(
151 &mut db,
152 &LEGACY_MIGRATOR,
153 &(key.domain),
154 &key_parameters,
155 flags,
156 user_id,
157 &key_blob,
158 )
159 .context("In store_new_key. Failed to handle super encryption.")?;
160
Janis Danisevskis7e8b4622021-02-13 10:01:59 -0800161 let mut key_metadata = KeyMetaData::new();
162 key_metadata.add(KeyMetaEntry::CreationDate(creation_date));
Janis Danisevskis7e8b4622021-02-13 10:01:59 -0800163 blob_metadata.add(BlobMetaEntry::KmUuid(self.km_uuid));
Janis Danisevskis93927dd2020-12-23 12:23:08 -0800164
Janis Danisevskis7e8b4622021-02-13 10:01:59 -0800165 let key_id = db
Janis Danisevskis93927dd2020-12-23 12:23:08 -0800166 .store_new_key(
Janis Danisevskis66784c42021-01-27 08:40:25 -0800167 &key,
Janis Danisevskis93927dd2020-12-23 12:23:08 -0800168 &key_parameters,
Janis Danisevskis7e8b4622021-02-13 10:01:59 -0800169 &(&key_blob, &blob_metadata),
Max Bires8e93d2b2021-01-14 13:17:59 -0800170 &cert_info,
Janis Danisevskis7e8b4622021-02-13 10:01:59 -0800171 &key_metadata,
Max Bires8e93d2b2021-01-14 13:17:59 -0800172 &self.km_uuid,
Janis Danisevskis93927dd2020-12-23 12:23:08 -0800173 )
174 .context("In store_new_key.")?;
Janis Danisevskis1af91262020-08-10 14:58:08 -0700175 Ok(KeyDescriptor {
176 domain: Domain::KEY_ID,
Janis Danisevskisaec14592020-11-12 09:41:49 -0800177 nspace: key_id.id(),
Janis Danisevskis1af91262020-08-10 14:58:08 -0700178 ..Default::default()
179 })
180 })
181 .context("In store_new_key.")?,
182 };
183
Janis Danisevskis2c7f9622020-09-30 16:30:31 -0700184 Ok(KeyMetadata {
185 key,
Janis Danisevskisa53c9cf2020-10-26 11:52:33 -0700186 keySecurityLevel: self.security_level,
Max Bires8e93d2b2021-01-14 13:17:59 -0800187 certificate: cert_info.take_cert(),
188 certificateChain: cert_info.take_cert_chain(),
Janis Danisevskis04b02832020-10-26 09:21:40 -0700189 authorizations: crate::utils::key_parameters_to_authorizations(key_parameters),
Janis Danisevskisb42fc182020-12-15 08:41:27 -0800190 modificationTimeMs: creation_date.to_millis_epoch(),
Janis Danisevskis2c7f9622020-09-30 16:30:31 -0700191 })
Janis Danisevskis1af91262020-08-10 14:58:08 -0700192 }
193
Janis Danisevskis2c7f9622020-09-30 16:30:31 -0700194 fn create_operation(
Janis Danisevskis1af91262020-08-10 14:58:08 -0700195 &self,
196 key: &KeyDescriptor,
197 operation_parameters: &[KeyParameter],
198 forced: bool,
Janis Danisevskis2c7f9622020-09-30 16:30:31 -0700199 ) -> Result<CreateOperationResponse> {
Janis Danisevskis1af91262020-08-10 14:58:08 -0700200 let caller_uid = ThreadState::get_calling_uid();
201 // We use `scoping_blob` to extend the life cycle of the blob loaded from the database,
202 // so that we can use it by reference like the blob provided by the key descriptor.
203 // Otherwise, we would have to clone the blob from the key descriptor.
204 let scoping_blob: Vec<u8>;
Janis Danisevskis7e8b4622021-02-13 10:01:59 -0800205 let (km_blob, key_properties, key_id_guard, blob_metadata) = match key.domain {
Janis Danisevskis2c7f9622020-09-30 16:30:31 -0700206 Domain::BLOB => {
207 check_key_permission(KeyPerm::use_(), key, &None)
208 .context("In create_operation: checking use permission for Domain::BLOB.")?;
209 (
210 match &key.blob {
Janis Danisevskis1af91262020-08-10 14:58:08 -0700211 Some(blob) => blob,
Janis Danisevskis2c7f9622020-09-30 16:30:31 -0700212 None => {
213 return Err(Error::sys()).context(concat!(
214 "In create_operation: Key blob must be specified when",
215 " using Domain::BLOB."
216 ))
217 }
218 },
219 None,
Hasini Gunasinghe888dd352020-11-17 23:08:39 +0000220 None,
Hasini Gunasinghedeab85d2021-02-01 21:10:02 +0000221 BlobMetaData::new(),
Janis Danisevskis2c7f9622020-09-30 16:30:31 -0700222 )
223 }
224 _ => {
Janis Danisevskisaec14592020-11-12 09:41:49 -0800225 let (key_id_guard, mut key_entry) = DB
226 .with::<_, Result<(KeyIdGuard, KeyEntry)>>(|db| {
Hasini Gunasinghe3ed5da72021-02-04 15:18:54 +0000227 LEGACY_MIGRATOR.with_try_migrate(&key, caller_uid, || {
228 db.borrow_mut().load_key_entry(
229 &key,
230 KeyType::Client,
231 KeyEntryLoadBits::KM,
232 caller_uid,
233 |k, av| check_key_permission(KeyPerm::use_(), k, &av),
234 )
235 })
Janis Danisevskis2c7f9622020-09-30 16:30:31 -0700236 })
237 .context("In create_operation: Failed to load key blob.")?;
Janis Danisevskis7e8b4622021-02-13 10:01:59 -0800238
239 let (blob, blob_metadata) =
240 key_entry.take_key_blob_info().ok_or_else(Error::sys).context(concat!(
241 "In create_operation: Successfully loaded key entry, ",
242 "but KM blob was missing."
243 ))?;
244 scoping_blob = blob;
245
Qi Wub9433b52020-12-01 14:52:46 +0800246 (
247 &scoping_blob,
248 Some((key_id_guard.id(), key_entry.into_key_parameters())),
249 Some(key_id_guard),
Hasini Gunasinghedeab85d2021-02-01 21:10:02 +0000250 blob_metadata,
Qi Wub9433b52020-12-01 14:52:46 +0800251 )
Janis Danisevskis2c7f9622020-09-30 16:30:31 -0700252 }
253 };
Janis Danisevskis1af91262020-08-10 14:58:08 -0700254
Janis Danisevskisa53c9cf2020-10-26 11:52:33 -0700255 let purpose = operation_parameters.iter().find(|p| p.tag == Tag::PURPOSE).map_or(
Janis Danisevskis1af91262020-08-10 14:58:08 -0700256 Err(Error::Km(ErrorCode::INVALID_ARGUMENT))
Janis Danisevskis2c7f9622020-09-30 16:30:31 -0700257 .context("In create_operation: No operation purpose specified."),
Janis Danisevskis398e6be2020-12-17 09:29:25 -0800258 |kp| match kp.value {
259 KeyParameterValue::KeyPurpose(p) => Ok(p),
260 _ => Err(Error::Km(ErrorCode::INVALID_ARGUMENT))
261 .context("In create_operation: Malformed KeyParameter."),
262 },
Janis Danisevskis1af91262020-08-10 14:58:08 -0700263 )?;
264
Janis Danisevskis5ed8c532021-01-11 14:19:42 -0800265 let (immediate_hat, mut auth_info) = ENFORCEMENTS
266 .authorize_create(
267 purpose,
Qi Wub9433b52020-12-01 14:52:46 +0800268 key_properties.as_ref(),
269 operation_parameters.as_ref(),
Janis Danisevskis5ed8c532021-01-11 14:19:42 -0800270 // TODO b/178222844 Replace this with the configuration returned by
271 // KeyMintDevice::getHardwareInfo.
272 // For now we assume that strongbox implementations need secure timestamps.
273 self.security_level == SecurityLevel::STRONGBOX,
274 )
275 .context("In create_operation.")?;
Hasini Gunasinghe888dd352020-11-17 23:08:39 +0000276
Janis Danisevskis5ed8c532021-01-11 14:19:42 -0800277 let immediate_hat = immediate_hat.unwrap_or_default();
Hasini Gunasinghe888dd352020-11-17 23:08:39 +0000278
Hasini Gunasinghedeab85d2021-02-01 21:10:02 +0000279 let user_id = uid_to_android_user(caller_uid);
280
281 let km_blob = SUPER_KEY
282 .unwrap_key_if_required(&blob_metadata, km_blob)
283 .context("In create_operation. Failed to handle super encryption.")?;
284
Stephen Crane221bbb52020-12-16 15:52:10 -0800285 let km_dev: Strong<dyn IKeyMintDevice> = self
Janis Danisevskis2c7f9622020-09-30 16:30:31 -0700286 .keymint
287 .get_interface()
288 .context("In create_operation: Failed to get KeyMint device")?;
Janis Danisevskis1af91262020-08-10 14:58:08 -0700289
Janis Danisevskisaec14592020-11-12 09:41:49 -0800290 let (begin_result, upgraded_blob) = self
291 .upgrade_keyblob_if_required_with(
292 &*km_dev,
293 key_id_guard,
Hasini Gunasinghedeab85d2021-02-01 21:10:02 +0000294 &(&km_blob, &blob_metadata),
Janis Danisevskisa53c9cf2020-10-26 11:52:33 -0700295 &operation_parameters,
Janis Danisevskisaec14592020-11-12 09:41:49 -0800296 |blob| loop {
297 match map_km_error(km_dev.begin(
298 purpose,
299 blob,
300 &operation_parameters,
Janis Danisevskis5ed8c532021-01-11 14:19:42 -0800301 &immediate_hat,
Janis Danisevskisaec14592020-11-12 09:41:49 -0800302 )) {
303 Err(Error::Km(ErrorCode::TOO_MANY_OPERATIONS)) => {
304 self.operation_db.prune(caller_uid)?;
305 continue;
Janis Danisevskis1af91262020-08-10 14:58:08 -0700306 }
Janis Danisevskisaec14592020-11-12 09:41:49 -0800307 v => return v,
308 }
309 },
310 )
311 .context("In create_operation: Failed to begin operation.")?;
Janis Danisevskis1af91262020-08-10 14:58:08 -0700312
Janis Danisevskis5ed8c532021-01-11 14:19:42 -0800313 let operation_challenge = auth_info.finalize_create_authorization(begin_result.challenge);
Hasini Gunasinghe888dd352020-11-17 23:08:39 +0000314
Janis Danisevskis1af91262020-08-10 14:58:08 -0700315 let operation = match begin_result.operation {
Hasini Gunasinghe888dd352020-11-17 23:08:39 +0000316 Some(km_op) => {
Janis Danisevskis5ed8c532021-01-11 14:19:42 -0800317 self.operation_db.create_operation(km_op, caller_uid, auth_info)
Hasini Gunasinghe888dd352020-11-17 23:08:39 +0000318 },
Janis Danisevskis2c7f9622020-09-30 16:30:31 -0700319 None => return Err(Error::sys()).context("In create_operation: Begin operation returned successfully, but did not return a valid operation."),
Janis Danisevskis1af91262020-08-10 14:58:08 -0700320 };
321
Stephen Crane221bbb52020-12-16 15:52:10 -0800322 let op_binder: binder::public_api::Strong<dyn IKeystoreOperation> =
Janis Danisevskis1af91262020-08-10 14:58:08 -0700323 KeystoreOperation::new_native_binder(operation)
324 .as_binder()
325 .into_interface()
Janis Danisevskis2c7f9622020-09-30 16:30:31 -0700326 .context("In create_operation: Failed to create IKeystoreOperation.")?;
Janis Danisevskis1af91262020-08-10 14:58:08 -0700327
Janis Danisevskis2c7f9622020-09-30 16:30:31 -0700328 Ok(CreateOperationResponse {
329 iOperation: Some(op_binder),
Hasini Gunasinghe888dd352020-11-17 23:08:39 +0000330 operationChallenge: operation_challenge,
Janis Danisevskis2c7f9622020-09-30 16:30:31 -0700331 parameters: match begin_result.params.len() {
332 0 => None,
Janis Danisevskisa53c9cf2020-10-26 11:52:33 -0700333 _ => Some(KeyParameters { keyParameter: begin_result.params }),
Janis Danisevskis2c7f9622020-09-30 16:30:31 -0700334 },
335 })
Janis Danisevskis1af91262020-08-10 14:58:08 -0700336 }
337
Janis Danisevskise766edc2021-02-06 12:16:26 -0800338 fn add_certificate_parameters(
339 uid: u32,
340 params: &[KeyParameter],
341 key: &KeyDescriptor,
342 ) -> Result<Vec<KeyParameter>> {
Janis Danisevskis212c68b2021-01-14 22:29:28 -0800343 let mut result = params.to_vec();
Janis Danisevskis2c084012021-01-31 22:23:17 -0800344 // If there is an attestation challenge we need to get an application id.
Janis Danisevskis212c68b2021-01-14 22:29:28 -0800345 if params.iter().any(|kp| kp.tag == Tag::ATTESTATION_CHALLENGE) {
346 let aaid = keystore2_aaid::get_aaid(uid).map_err(|e| {
Janis Danisevskis2c084012021-01-31 22:23:17 -0800347 anyhow!(format!("In add_certificate_parameters: get_aaid returned status {}.", e))
Janis Danisevskis212c68b2021-01-14 22:29:28 -0800348 })?;
349 result.push(KeyParameter {
350 tag: Tag::ATTESTATION_APPLICATION_ID,
351 value: KeyParameterValue::Blob(aaid),
352 });
353 }
Janis Danisevskis2c084012021-01-31 22:23:17 -0800354
Janis Danisevskise766edc2021-02-06 12:16:26 -0800355 if params.iter().any(|kp| kp.tag == Tag::INCLUDE_UNIQUE_ID) {
356 check_key_permission(KeyPerm::gen_unique_id(), key, &None).context(concat!(
357 "In add_certificate_parameters: ",
358 "Caller does not have the permission for device unique attestation."
359 ))?;
360 }
361
Janis Danisevskis2c084012021-01-31 22:23:17 -0800362 // If we are generating/importing an asymmetric key, we need to make sure
363 // that NOT_BEFORE and NOT_AFTER are present.
364 match params.iter().find(|kp| kp.tag == Tag::ALGORITHM) {
365 Some(KeyParameter { tag: _, value: KeyParameterValue::Algorithm(Algorithm::RSA) })
366 | Some(KeyParameter { tag: _, value: KeyParameterValue::Algorithm(Algorithm::EC) }) => {
367 if !params.iter().any(|kp| kp.tag == Tag::CERTIFICATE_NOT_BEFORE) {
368 result.push(KeyParameter {
369 tag: Tag::CERTIFICATE_NOT_BEFORE,
370 value: KeyParameterValue::DateTime(0),
371 })
372 }
373 if !params.iter().any(|kp| kp.tag == Tag::CERTIFICATE_NOT_AFTER) {
374 result.push(KeyParameter {
375 tag: Tag::CERTIFICATE_NOT_AFTER,
376 value: KeyParameterValue::DateTime(UNDEFINED_NOT_AFTER),
377 })
378 }
379 }
380 _ => {}
381 }
Janis Danisevskis212c68b2021-01-14 22:29:28 -0800382 Ok(result)
383 }
384
Janis Danisevskis1af91262020-08-10 14:58:08 -0700385 fn generate_key(
386 &self,
387 key: &KeyDescriptor,
Shawn Willden8fde4c22021-02-14 13:58:22 -0700388 attest_key_descriptor: Option<&KeyDescriptor>,
Janis Danisevskis1af91262020-08-10 14:58:08 -0700389 params: &[KeyParameter],
Janis Danisevskis2c7f9622020-09-30 16:30:31 -0700390 flags: i32,
Janis Danisevskis1af91262020-08-10 14:58:08 -0700391 entropy: &[u8],
Janis Danisevskis2c7f9622020-09-30 16:30:31 -0700392 ) -> Result<KeyMetadata> {
Janis Danisevskis1af91262020-08-10 14:58:08 -0700393 if key.domain != Domain::BLOB && key.alias.is_none() {
394 return Err(error::Error::Km(ErrorCode::INVALID_ARGUMENT))
395 .context("In generate_key: Alias must be specified");
396 }
Hasini Gunasinghea020b532021-01-07 21:42:35 +0000397 let caller_uid = ThreadState::get_calling_uid();
Janis Danisevskis1af91262020-08-10 14:58:08 -0700398
399 let key = match key.domain {
400 Domain::APP => KeyDescriptor {
401 domain: key.domain,
Hasini Gunasinghea020b532021-01-07 21:42:35 +0000402 nspace: caller_uid as i64,
Janis Danisevskis1af91262020-08-10 14:58:08 -0700403 alias: key.alias.clone(),
404 blob: None,
405 },
406 _ => key.clone(),
407 };
408
409 // generate_key requires the rebind permission.
410 check_key_permission(KeyPerm::rebind(), &key, &None).context("In generate_key.")?;
Max Bires97f96812021-02-23 23:44:57 -0800411 let (attest_key, cert_chain) = DB
412 .with::<_, Result<(Option<AttestationKey>, Option<Certificate>)>>(|db| {
413 self.get_attest_key_and_cert_chain(
414 &key,
415 caller_uid,
416 attest_key_descriptor,
417 params,
418 &mut db.borrow_mut(),
419 )
420 })
421 .context("In generate_key: Trying to get an attestation key")?;
Janis Danisevskise766edc2021-02-06 12:16:26 -0800422 let params = Self::add_certificate_parameters(caller_uid, params, &key)
Janis Danisevskis212c68b2021-01-14 22:29:28 -0800423 .context("In generate_key: Trying to get aaid.")?;
424
Stephen Crane221bbb52020-12-16 15:52:10 -0800425 let km_dev: Strong<dyn IKeyMintDevice> = self.keymint.get_interface()?;
Janis Danisevskis104d8e42021-01-14 22:49:27 -0800426 map_km_error(km_dev.addRngEntropy(entropy))
427 .context("In generate_key: Trying to add entropy.")?;
Max Bires97f96812021-02-23 23:44:57 -0800428 let mut creation_result = map_km_error(km_dev.generateKey(&params, attest_key.as_ref()))
Janis Danisevskis104d8e42021-01-14 22:49:27 -0800429 .context("In generate_key: While generating Key")?;
Max Bires97f96812021-02-23 23:44:57 -0800430 // The certificate chain ultimately gets flattened into a big DER encoded byte array,
431 // so providing that blob upfront in a single certificate entry should be fine.
432 if let Some(cert) = cert_chain {
433 creation_result.certificateChain.push(cert);
434 }
Hasini Gunasinghea020b532021-01-07 21:42:35 +0000435 let user_id = uid_to_android_user(caller_uid);
Hasini Gunasinghedeab85d2021-02-01 21:10:02 +0000436 self.store_new_key(key, creation_result, user_id, Some(flags)).context("In generate_key.")
Janis Danisevskis1af91262020-08-10 14:58:08 -0700437 }
438
Max Bires97f96812021-02-23 23:44:57 -0800439 fn get_attest_key_and_cert_chain(
440 &self,
441 key: &KeyDescriptor,
442 caller_uid: u32,
443 attest_key_descriptor: Option<&KeyDescriptor>,
444 params: &[KeyParameter],
445 db: &mut KeystoreDB,
446 ) -> Result<(Option<AttestationKey>, Option<Certificate>)> {
447 match attest_key_descriptor {
448 None => self
449 .rem_prov_state
450 .get_remote_provisioning_key_and_certs(&key, caller_uid, params, db),
451 Some(attest_key) => Ok((
452 Some(
453 self.get_attest_key(&attest_key, caller_uid)
454 .context("In generate_key: Trying to load attest key")?,
455 ),
456 None,
457 )),
458 }
459 }
460
Shawn Willden8fde4c22021-02-14 13:58:22 -0700461 fn get_attest_key(&self, key: &KeyDescriptor, caller_uid: u32) -> Result<AttestationKey> {
462 let (km_blob, cert) = self
463 .load_attest_key_blob_and_cert(&key, caller_uid)
464 .context("In get_attest_key: Failed to load blob and cert")?;
465
Shawn Willden34120872021-02-24 21:56:30 -0700466 let issuer_subject: Vec<u8> = parse_subject_from_certificate(&cert)
Shawn Willden8fde4c22021-02-14 13:58:22 -0700467 .context("In get_attest_key: Failed to parse subject from certificate.")?;
468
469 Ok(AttestationKey {
470 keyBlob: km_blob.to_vec(),
471 attestKeyParams: [].to_vec(),
472 issuerSubjectName: issuer_subject,
473 })
474 }
475
476 fn load_attest_key_blob_and_cert(
477 &self,
478 key: &KeyDescriptor,
479 caller_uid: u32,
480 ) -> Result<(Vec<u8>, Vec<u8>)> {
481 match key.domain {
482 Domain::BLOB => Err(error::Error::Km(ErrorCode::INVALID_ARGUMENT)).context(
483 "In load_attest_key_blob_and_cert: Domain::BLOB attestation keys not supported",
484 ),
485 _ => {
486 let (key_id_guard, mut key_entry) = DB
487 .with::<_, Result<(KeyIdGuard, KeyEntry)>>(|db| {
488 db.borrow_mut().load_key_entry(
489 &key,
490 KeyType::Client,
491 KeyEntryLoadBits::BOTH,
492 caller_uid,
493 |k, av| check_key_permission(KeyPerm::use_(), k, &av),
494 )
495 })
496 .context("In load_attest_key_blob_and_cert: Failed to load key.")?;
497
498 let (blob, _) =
499 key_entry.take_key_blob_info().ok_or_else(Error::sys).context(concat!(
500 "In load_attest_key_blob_and_cert: Successfully loaded key entry,",
501 " but KM blob was missing."
502 ))?;
503 let cert = key_entry.take_cert().ok_or_else(Error::sys).context(concat!(
504 "In load_attest_key_blob_and_cert: Successfully loaded key entry,",
505 " but cert was missing."
506 ))?;
507 Ok((blob, cert))
508 }
509 }
510 }
511
Janis Danisevskis1af91262020-08-10 14:58:08 -0700512 fn import_key(
513 &self,
514 key: &KeyDescriptor,
Janis Danisevskis2c7f9622020-09-30 16:30:31 -0700515 attestation_key: Option<&KeyDescriptor>,
Janis Danisevskis1af91262020-08-10 14:58:08 -0700516 params: &[KeyParameter],
Janis Danisevskis2c7f9622020-09-30 16:30:31 -0700517 flags: i32,
Janis Danisevskis1af91262020-08-10 14:58:08 -0700518 key_data: &[u8],
Janis Danisevskis2c7f9622020-09-30 16:30:31 -0700519 ) -> Result<KeyMetadata> {
Janis Danisevskis1af91262020-08-10 14:58:08 -0700520 if key.domain != Domain::BLOB && key.alias.is_none() {
521 return Err(error::Error::Km(ErrorCode::INVALID_ARGUMENT))
522 .context("In import_key: Alias must be specified");
523 }
Hasini Gunasinghea020b532021-01-07 21:42:35 +0000524 let caller_uid = ThreadState::get_calling_uid();
Janis Danisevskis1af91262020-08-10 14:58:08 -0700525
526 let key = match key.domain {
527 Domain::APP => KeyDescriptor {
528 domain: key.domain,
Hasini Gunasinghea020b532021-01-07 21:42:35 +0000529 nspace: caller_uid as i64,
Janis Danisevskis1af91262020-08-10 14:58:08 -0700530 alias: key.alias.clone(),
531 blob: None,
532 },
533 _ => key.clone(),
534 };
535
536 // import_key requires the rebind permission.
537 check_key_permission(KeyPerm::rebind(), &key, &None).context("In import_key.")?;
538
Janis Danisevskise766edc2021-02-06 12:16:26 -0800539 let params = Self::add_certificate_parameters(caller_uid, params, &key)
Janis Danisevskis212c68b2021-01-14 22:29:28 -0800540 .context("In import_key: Trying to get aaid.")?;
541
Janis Danisevskis1af91262020-08-10 14:58:08 -0700542 let format = params
543 .iter()
Janis Danisevskisa53c9cf2020-10-26 11:52:33 -0700544 .find(|p| p.tag == Tag::ALGORITHM)
Janis Danisevskis1af91262020-08-10 14:58:08 -0700545 .ok_or(error::Error::Km(ErrorCode::INVALID_ARGUMENT))
546 .context("No KeyParameter 'Algorithm'.")
Janis Danisevskis398e6be2020-12-17 09:29:25 -0800547 .and_then(|p| match &p.value {
548 KeyParameterValue::Algorithm(Algorithm::AES)
549 | KeyParameterValue::Algorithm(Algorithm::HMAC)
550 | KeyParameterValue::Algorithm(Algorithm::TRIPLE_DES) => Ok(KeyFormat::RAW),
551 KeyParameterValue::Algorithm(Algorithm::RSA)
552 | KeyParameterValue::Algorithm(Algorithm::EC) => Ok(KeyFormat::PKCS8),
553 v => Err(error::Error::Km(ErrorCode::INVALID_ARGUMENT))
554 .context(format!("Unknown Algorithm {:?}.", v)),
Janis Danisevskis1af91262020-08-10 14:58:08 -0700555 })
556 .context("In import_key.")?;
557
Stephen Crane221bbb52020-12-16 15:52:10 -0800558 let km_dev: Strong<dyn IKeyMintDevice> =
Janis Danisevskis104d8e42021-01-14 22:49:27 -0800559 self.keymint.get_interface().context("In import_key: Trying to get the KM device")?;
Shawn Willdenc2f3acf2021-02-03 07:07:17 -0700560 let creation_result =
561 map_km_error(km_dev.importKey(&params, format, key_data, None /* attestKey */))
562 .context("In import_key: Trying to call importKey")?;
Janis Danisevskis1af91262020-08-10 14:58:08 -0700563
Hasini Gunasinghea020b532021-01-07 21:42:35 +0000564 let user_id = uid_to_android_user(caller_uid);
Hasini Gunasinghedeab85d2021-02-01 21:10:02 +0000565 self.store_new_key(key, creation_result, user_id, Some(flags)).context("In import_key.")
Janis Danisevskis1af91262020-08-10 14:58:08 -0700566 }
567
568 fn import_wrapped_key(
569 &self,
570 key: &KeyDescriptor,
571 wrapping_key: &KeyDescriptor,
572 masking_key: Option<&[u8]>,
573 params: &[KeyParameter],
574 authenticators: &[AuthenticatorSpec],
Janis Danisevskis2c7f9622020-09-30 16:30:31 -0700575 ) -> Result<KeyMetadata> {
Janis Danisevskis32adc7d2021-02-07 14:04:01 -0800576 let wrapped_data: &[u8] = match key {
577 KeyDescriptor { domain: Domain::APP, blob: Some(ref blob), alias: Some(_), .. }
578 | KeyDescriptor {
579 domain: Domain::SELINUX, blob: Some(ref blob), alias: Some(_), ..
580 } => blob,
581 _ => {
582 return Err(error::Error::Km(ErrorCode::INVALID_ARGUMENT)).context(format!(
583 concat!(
584 "In import_wrapped_key: Alias and blob must be specified ",
585 "and domain must be APP or SELINUX. {:?}"
586 ),
587 key
588 ))
589 }
590 };
Janis Danisevskis1af91262020-08-10 14:58:08 -0700591
Janis Danisevskisaec14592020-11-12 09:41:49 -0800592 if wrapping_key.domain == Domain::BLOB {
593 return Err(error::Error::Km(ErrorCode::INVALID_ARGUMENT)).context(
594 "In import_wrapped_key: Import wrapped key not supported for self managed blobs.",
595 );
596 }
597
Hasini Gunasinghea020b532021-01-07 21:42:35 +0000598 let caller_uid = ThreadState::get_calling_uid();
Hasini Gunasinghedeab85d2021-02-01 21:10:02 +0000599 let user_id = uid_to_android_user(caller_uid);
600
Janis Danisevskis1af91262020-08-10 14:58:08 -0700601 let key = match key.domain {
602 Domain::APP => KeyDescriptor {
603 domain: key.domain,
Hasini Gunasinghea020b532021-01-07 21:42:35 +0000604 nspace: caller_uid as i64,
Janis Danisevskis1af91262020-08-10 14:58:08 -0700605 alias: key.alias.clone(),
606 blob: None,
607 },
Janis Danisevskis32adc7d2021-02-07 14:04:01 -0800608 Domain::SELINUX => KeyDescriptor {
609 domain: Domain::SELINUX,
610 nspace: key.nspace,
611 alias: key.alias.clone(),
612 blob: None,
613 },
614 _ => panic!("Unreachable."),
Janis Danisevskis1af91262020-08-10 14:58:08 -0700615 };
616
Janis Danisevskis7e8b4622021-02-13 10:01:59 -0800617 // Import_wrapped_key requires the rebind permission for the new key.
Janis Danisevskis1af91262020-08-10 14:58:08 -0700618 check_key_permission(KeyPerm::rebind(), &key, &None).context("In import_wrapped_key.")?;
619
Hasini Gunasinghedeab85d2021-02-01 21:10:02 +0000620 let (wrapping_key_id_guard, mut wrapping_key_entry) = DB
Janis Danisevskis1af91262020-08-10 14:58:08 -0700621 .with(|db| {
Hasini Gunasinghe3ed5da72021-02-04 15:18:54 +0000622 LEGACY_MIGRATOR.with_try_migrate(&key, caller_uid, || {
623 db.borrow_mut().load_key_entry(
624 &wrapping_key,
625 KeyType::Client,
626 KeyEntryLoadBits::KM,
627 caller_uid,
628 |k, av| check_key_permission(KeyPerm::use_(), k, &av),
629 )
630 })
Janis Danisevskis1af91262020-08-10 14:58:08 -0700631 })
632 .context("Failed to load wrapping key.")?;
Hasini Gunasinghedeab85d2021-02-01 21:10:02 +0000633
634 let (wrapping_key_blob, wrapping_blob_metadata) = wrapping_key_entry
635 .take_key_blob_info()
636 .ok_or_else(error::Error::sys)
637 .context("No km_blob after successfully loading key. This should never happen.")?;
638
639 let wrapping_key_blob =
640 SUPER_KEY.unwrap_key_if_required(&wrapping_blob_metadata, &wrapping_key_blob).context(
641 "In import_wrapped_key. Failed to handle super encryption for wrapping key.",
642 )?;
Janis Danisevskis1af91262020-08-10 14:58:08 -0700643
Janis Danisevskis1af91262020-08-10 14:58:08 -0700644 // km_dev.importWrappedKey does not return a certificate chain.
645 // TODO Do we assume that all wrapped keys are symmetric?
646 // let certificate_chain: Vec<KmCertificate> = Default::default();
647
648 let pw_sid = authenticators
649 .iter()
650 .find_map(|a| match a.authenticatorType {
Janis Danisevskisa53c9cf2020-10-26 11:52:33 -0700651 HardwareAuthenticatorType::PASSWORD => Some(a.authenticatorId),
Janis Danisevskis1af91262020-08-10 14:58:08 -0700652 _ => None,
653 })
Janis Danisevskis32adc7d2021-02-07 14:04:01 -0800654 .unwrap_or(-1);
Janis Danisevskis1af91262020-08-10 14:58:08 -0700655
656 let fp_sid = authenticators
657 .iter()
658 .find_map(|a| match a.authenticatorType {
Janis Danisevskisa53c9cf2020-10-26 11:52:33 -0700659 HardwareAuthenticatorType::FINGERPRINT => Some(a.authenticatorId),
Janis Danisevskis1af91262020-08-10 14:58:08 -0700660 _ => None,
661 })
Janis Danisevskis32adc7d2021-02-07 14:04:01 -0800662 .unwrap_or(-1);
Janis Danisevskis1af91262020-08-10 14:58:08 -0700663
664 let masking_key = masking_key.unwrap_or(ZERO_BLOB_32);
665
Stephen Crane221bbb52020-12-16 15:52:10 -0800666 let km_dev: Strong<dyn IKeyMintDevice> = self.keymint.get_interface()?;
Janis Danisevskis104d8e42021-01-14 22:49:27 -0800667 let (creation_result, _) = self
668 .upgrade_keyblob_if_required_with(
669 &*km_dev,
670 Some(wrapping_key_id_guard),
Hasini Gunasinghedeab85d2021-02-01 21:10:02 +0000671 &(&wrapping_key_blob, &wrapping_blob_metadata),
Janis Danisevskis104d8e42021-01-14 22:49:27 -0800672 &[],
673 |wrapping_blob| {
674 let creation_result = map_km_error(km_dev.importWrappedKey(
675 wrapped_data,
Janis Danisevskis7e8b4622021-02-13 10:01:59 -0800676 wrapping_blob,
Janis Danisevskis104d8e42021-01-14 22:49:27 -0800677 masking_key,
678 &params,
679 pw_sid,
680 fp_sid,
681 ))?;
682 Ok(creation_result)
683 },
684 )
685 .context("In import_wrapped_key.")?;
Janis Danisevskis1af91262020-08-10 14:58:08 -0700686
Hasini Gunasinghedeab85d2021-02-01 21:10:02 +0000687 self.store_new_key(key, creation_result, user_id, None)
Janis Danisevskis104d8e42021-01-14 22:49:27 -0800688 .context("In import_wrapped_key: Trying to store the new key.")
Janis Danisevskis1af91262020-08-10 14:58:08 -0700689 }
Janis Danisevskisaec14592020-11-12 09:41:49 -0800690
691 fn upgrade_keyblob_if_required_with<T, F>(
692 &self,
693 km_dev: &dyn IKeyMintDevice,
694 key_id_guard: Option<KeyIdGuard>,
Hasini Gunasinghedeab85d2021-02-01 21:10:02 +0000695 blob_info: &(&KeyBlob, &BlobMetaData),
Janis Danisevskisaec14592020-11-12 09:41:49 -0800696 params: &[KeyParameter],
697 f: F,
698 ) -> Result<(T, Option<Vec<u8>>)>
699 where
700 F: Fn(&[u8]) -> Result<T, Error>,
701 {
Janis Danisevskis7e8b4622021-02-13 10:01:59 -0800702 match f(blob_info.0) {
Janis Danisevskisaec14592020-11-12 09:41:49 -0800703 Err(Error::Km(ErrorCode::KEY_REQUIRES_UPGRADE)) => {
Janis Danisevskis7e8b4622021-02-13 10:01:59 -0800704 let upgraded_blob = map_km_error(km_dev.upgradeKey(blob_info.0, params))
Janis Danisevskisaec14592020-11-12 09:41:49 -0800705 .context("In upgrade_keyblob_if_required_with: Upgrade failed.")?;
Hasini Gunasinghedeab85d2021-02-01 21:10:02 +0000706
707 let (upgraded_blob_to_be_stored, blob_metadata) =
708 SuperKeyManager::reencrypt_on_upgrade_if_required(blob_info.0, &upgraded_blob)
709 .context(
710 "In upgrade_keyblob_if_required_with: Failed to handle super encryption.",
711 )?;
712
713 let mut blob_metadata = blob_metadata.unwrap_or_else(BlobMetaData::new);
714 if let Some(uuid) = blob_info.1.km_uuid() {
715 blob_metadata.add(BlobMetaEntry::KmUuid(*uuid));
716 }
717
Janis Danisevskisaec14592020-11-12 09:41:49 -0800718 key_id_guard.map_or(Ok(()), |key_id_guard| {
719 DB.with(|db| {
Hasini Gunasinghedeab85d2021-02-01 21:10:02 +0000720 let mut db = db.borrow_mut();
721 db.set_blob(
Janis Danisevskisaec14592020-11-12 09:41:49 -0800722 &key_id_guard,
Janis Danisevskisb42fc182020-12-15 08:41:27 -0800723 SubComponentType::KEY_BLOB,
Hasini Gunasinghedeab85d2021-02-01 21:10:02 +0000724 Some(&upgraded_blob_to_be_stored),
725 Some(&blob_metadata),
Janis Danisevskisaec14592020-11-12 09:41:49 -0800726 )
727 })
728 .context(concat!(
729 "In upgrade_keyblob_if_required_with: ",
730 "Failed to insert upgraded blob into the database.",
731 ))
732 })?;
733 match f(&upgraded_blob) {
734 Ok(v) => Ok((v, Some(upgraded_blob))),
735 Err(e) => Err(e).context(concat!(
736 "In upgrade_keyblob_if_required_with: ",
737 "Failed to perform operation on second try."
738 )),
739 }
740 }
741 Err(e) => {
742 Err(e).context("In upgrade_keyblob_if_required_with: Failed perform operation.")
743 }
744 Ok(v) => Ok((v, None)),
745 }
746 }
Janis Danisevskis1af91262020-08-10 14:58:08 -0700747}
748
749impl binder::Interface for KeystoreSecurityLevel {}
750
751impl IKeystoreSecurityLevel for KeystoreSecurityLevel {
Janis Danisevskis2c7f9622020-09-30 16:30:31 -0700752 fn createOperation(
Janis Danisevskis1af91262020-08-10 14:58:08 -0700753 &self,
754 key: &KeyDescriptor,
755 operation_parameters: &[KeyParameter],
756 forced: bool,
Janis Danisevskis2c7f9622020-09-30 16:30:31 -0700757 ) -> binder::public_api::Result<CreateOperationResponse> {
758 map_or_log_err(self.create_operation(key, operation_parameters, forced), Ok)
Janis Danisevskis1af91262020-08-10 14:58:08 -0700759 }
760 fn generateKey(
761 &self,
762 key: &KeyDescriptor,
Janis Danisevskis2c7f9622020-09-30 16:30:31 -0700763 attestation_key: Option<&KeyDescriptor>,
Janis Danisevskis1af91262020-08-10 14:58:08 -0700764 params: &[KeyParameter],
Janis Danisevskis2c7f9622020-09-30 16:30:31 -0700765 flags: i32,
Janis Danisevskis1af91262020-08-10 14:58:08 -0700766 entropy: &[u8],
Janis Danisevskis2c7f9622020-09-30 16:30:31 -0700767 ) -> binder::public_api::Result<KeyMetadata> {
768 map_or_log_err(self.generate_key(key, attestation_key, params, flags, entropy), Ok)
Janis Danisevskis1af91262020-08-10 14:58:08 -0700769 }
770 fn importKey(
771 &self,
772 key: &KeyDescriptor,
Janis Danisevskis2c7f9622020-09-30 16:30:31 -0700773 attestation_key: Option<&KeyDescriptor>,
Janis Danisevskis1af91262020-08-10 14:58:08 -0700774 params: &[KeyParameter],
Janis Danisevskis2c7f9622020-09-30 16:30:31 -0700775 flags: i32,
Janis Danisevskis1af91262020-08-10 14:58:08 -0700776 key_data: &[u8],
Janis Danisevskis2c7f9622020-09-30 16:30:31 -0700777 ) -> binder::public_api::Result<KeyMetadata> {
778 map_or_log_err(self.import_key(key, attestation_key, params, flags, key_data), Ok)
Janis Danisevskis1af91262020-08-10 14:58:08 -0700779 }
780 fn importWrappedKey(
781 &self,
782 key: &KeyDescriptor,
783 wrapping_key: &KeyDescriptor,
784 masking_key: Option<&[u8]>,
785 params: &[KeyParameter],
786 authenticators: &[AuthenticatorSpec],
Janis Danisevskis2c7f9622020-09-30 16:30:31 -0700787 ) -> binder::public_api::Result<KeyMetadata> {
Janis Danisevskis1af91262020-08-10 14:58:08 -0700788 map_or_log_err(
789 self.import_wrapped_key(key, wrapping_key, masking_key, params, authenticators),
Janis Danisevskis2c7f9622020-09-30 16:30:31 -0700790 Ok,
Janis Danisevskis1af91262020-08-10 14:58:08 -0700791 )
792 }
793}