1dfe32fa1Soh_ci/* 2dfe32fa1Soh_ci * Copyright (c) 2023 Huawei Device Co., Ltd. 3dfe32fa1Soh_ci * Licensed under the Apache License, Version 2.0 (the "License"); 4dfe32fa1Soh_ci * you may not use this file except in compliance with the License. 5dfe32fa1Soh_ci * You may obtain a copy of the License at 6dfe32fa1Soh_ci * 7dfe32fa1Soh_ci * http://www.apache.org/licenses/LICENSE-2.0 8dfe32fa1Soh_ci * 9dfe32fa1Soh_ci * Unless required by applicable law or agreed to in writing, software 10dfe32fa1Soh_ci * distributed under the License is distributed on an "AS IS" BASIS, 11dfe32fa1Soh_ci * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12dfe32fa1Soh_ci * See the License for the specific language governing permissions and 13dfe32fa1Soh_ci * limitations under the License. 14dfe32fa1Soh_ci */ 15dfe32fa1Soh_ci 16dfe32fa1Soh_ci#include <stdint.h> 17dfe32fa1Soh_ci 18dfe32fa1Soh_ci#include "hks_api.h" 19dfe32fa1Soh_ci#include "hks_param.h" 20dfe32fa1Soh_ci 21dfe32fa1Soh_ci#include "asset_log.h" 22dfe32fa1Soh_ci#include "asset_type.h" 23dfe32fa1Soh_ci#include "huks_wrapper.h" 24dfe32fa1Soh_ci 25dfe32fa1Soh_cistatic enum HksAuthStorageLevel AccessibilityToHksAuthStorageLevel(enum Accessibility accessibility) 26dfe32fa1Soh_ci{ 27dfe32fa1Soh_ci switch (accessibility) { 28dfe32fa1Soh_ci case DEVICE_POWERED_ON: 29dfe32fa1Soh_ci return HKS_AUTH_STORAGE_LEVEL_DE; 30dfe32fa1Soh_ci case DEVICE_FIRST_UNLOCKED: 31dfe32fa1Soh_ci return HKS_AUTH_STORAGE_LEVEL_CE; 32dfe32fa1Soh_ci default: 33dfe32fa1Soh_ci return HKS_AUTH_STORAGE_LEVEL_ECE; 34dfe32fa1Soh_ci } 35dfe32fa1Soh_ci} 36dfe32fa1Soh_ci 37dfe32fa1Soh_cistatic int32_t HuksErrorTransfer(int32_t ret) 38dfe32fa1Soh_ci{ 39dfe32fa1Soh_ci switch (ret) { 40dfe32fa1Soh_ci case HKS_SUCCESS: 41dfe32fa1Soh_ci return ASSET_SUCCESS; 42dfe32fa1Soh_ci case HKS_ERROR_NO_PERMISSION: 43dfe32fa1Soh_ci case HKS_ERROR_DEVICE_PASSWORD_UNSET: 44dfe32fa1Soh_ci return ASSET_STATUS_MISMATCH; 45dfe32fa1Soh_ci case HKS_ERROR_NOT_EXIST: 46dfe32fa1Soh_ci return ASSET_NOT_FOUND; 47dfe32fa1Soh_ci case HKS_ERROR_KEY_AUTH_FAILED: 48dfe32fa1Soh_ci case HKS_ERROR_KEY_AUTH_VERIFY_FAILED: 49dfe32fa1Soh_ci return ASSET_ACCESS_DENIED; 50dfe32fa1Soh_ci case HKS_ERROR_CRYPTO_ENGINE_ERROR: 51dfe32fa1Soh_ci return ASSET_DATA_CORRUPTED; 52dfe32fa1Soh_ci default: 53dfe32fa1Soh_ci return ASSET_CRYPTO_ERROR; 54dfe32fa1Soh_ci } 55dfe32fa1Soh_ci} 56dfe32fa1Soh_ci 57dfe32fa1Soh_cistatic int32_t AddSpecificUserIdParams(struct HksParamSet *paramSet, int32_t userId) 58dfe32fa1Soh_ci{ 59dfe32fa1Soh_ci struct HksParam specificUserIdParams[] = { 60dfe32fa1Soh_ci { .tag = HKS_TAG_SPECIFIC_USER_ID, .int32Param = userId }, 61dfe32fa1Soh_ci }; 62dfe32fa1Soh_ci return HksAddParams(paramSet, specificUserIdParams, ARRAY_SIZE(specificUserIdParams)); 63dfe32fa1Soh_ci} 64dfe32fa1Soh_ci 65dfe32fa1Soh_cistatic int32_t BuildParamSet(struct HksParamSet **paramSet, const struct HksParam *params, uint32_t paramCount, 66dfe32fa1Soh_ci int32_t userId) 67dfe32fa1Soh_ci{ 68dfe32fa1Soh_ci int32_t ret = HksInitParamSet(paramSet); 69dfe32fa1Soh_ci if (ret != HKS_SUCCESS) { 70dfe32fa1Soh_ci LOGE("[FATAL]HUKS init param set failed. error=%{public}d", ret); 71dfe32fa1Soh_ci return ret; 72dfe32fa1Soh_ci } 73dfe32fa1Soh_ci 74dfe32fa1Soh_ci if (paramCount != 0) { 75dfe32fa1Soh_ci ret = HksAddParams(*paramSet, params, paramCount); 76dfe32fa1Soh_ci if (ret != HKS_SUCCESS) { 77dfe32fa1Soh_ci LOGE("[FATAL]HUKS add params failed. error=%{public}d", ret); 78dfe32fa1Soh_ci HksFreeParamSet(paramSet); 79dfe32fa1Soh_ci return ret; 80dfe32fa1Soh_ci } 81dfe32fa1Soh_ci 82dfe32fa1Soh_ci if (userId > ASSET_ROOT_USER_UPPERBOUND) { 83dfe32fa1Soh_ci ret = AddSpecificUserIdParams(*paramSet, userId); 84dfe32fa1Soh_ci if (ret != HKS_SUCCESS) { 85dfe32fa1Soh_ci LOGE("[FATAL]HUKS add specific userId failed. error=%{public}d", ret); 86dfe32fa1Soh_ci HksFreeParamSet(paramSet); 87dfe32fa1Soh_ci return ret; 88dfe32fa1Soh_ci } 89dfe32fa1Soh_ci } 90dfe32fa1Soh_ci } 91dfe32fa1Soh_ci 92dfe32fa1Soh_ci ret = HksBuildParamSet(paramSet); 93dfe32fa1Soh_ci if (ret != HKS_SUCCESS) { 94dfe32fa1Soh_ci LOGE("[FATAL]HUKS build param set failed. error=%{public}d", ret); 95dfe32fa1Soh_ci HksFreeParamSet(paramSet); 96dfe32fa1Soh_ci } 97dfe32fa1Soh_ci return ret; 98dfe32fa1Soh_ci} 99dfe32fa1Soh_ci 100dfe32fa1Soh_cistatic int32_t AddCommonGenParams(struct HksParamSet *paramSet, const struct KeyId *keyId) 101dfe32fa1Soh_ci{ 102dfe32fa1Soh_ci struct HksParam commonParams[] = { 103dfe32fa1Soh_ci { .tag = HKS_TAG_ALGORITHM, .uint32Param = HKS_ALG_AES }, 104dfe32fa1Soh_ci { .tag = HKS_TAG_PURPOSE, .uint32Param = HKS_KEY_PURPOSE_ENCRYPT | HKS_KEY_PURPOSE_DECRYPT }, 105dfe32fa1Soh_ci { .tag = HKS_TAG_KEY_SIZE, .uint32Param = HKS_AES_KEY_SIZE_256 }, 106dfe32fa1Soh_ci { .tag = HKS_TAG_PADDING, .uint32Param = HKS_PADDING_NONE }, 107dfe32fa1Soh_ci { .tag = HKS_TAG_BLOCK_MODE, .uint32Param = HKS_MODE_GCM }, 108dfe32fa1Soh_ci { .tag = HKS_TAG_AUTH_STORAGE_LEVEL, .uint32Param = AccessibilityToHksAuthStorageLevel(keyId->accessibility) }, 109dfe32fa1Soh_ci { .tag = HKS_TAG_IS_ALLOWED_DATA_WRAP, .boolParam = true }, 110dfe32fa1Soh_ci }; 111dfe32fa1Soh_ci return HksAddParams(paramSet, commonParams, ARRAY_SIZE(commonParams)); 112dfe32fa1Soh_ci} 113dfe32fa1Soh_ci 114dfe32fa1Soh_cistatic int32_t AddAuthGenParams(struct HksParamSet *paramSet) 115dfe32fa1Soh_ci{ 116dfe32fa1Soh_ci struct HksParam authParams[] = { 117dfe32fa1Soh_ci { .tag = HKS_TAG_KEY_AUTH_PURPOSE, .uint32Param = HKS_KEY_PURPOSE_DECRYPT }, 118dfe32fa1Soh_ci { .tag = HKS_TAG_KEY_AUTH_ACCESS_TYPE, .uint32Param = HKS_AUTH_ACCESS_ALWAYS_VALID }, 119dfe32fa1Soh_ci { .tag = HKS_TAG_BATCH_PURPOSE, .uint32Param = HKS_KEY_PURPOSE_DECRYPT }, 120dfe32fa1Soh_ci { .tag = HKS_TAG_CHALLENGE_TYPE, .uint32Param = HKS_CHALLENGE_TYPE_NORMAL }, 121dfe32fa1Soh_ci { .tag = HKS_TAG_USER_AUTH_TYPE, .uint32Param = 122dfe32fa1Soh_ci HKS_USER_AUTH_TYPE_FINGERPRINT | HKS_USER_AUTH_TYPE_FACE | HKS_USER_AUTH_TYPE_PIN } 123dfe32fa1Soh_ci }; 124dfe32fa1Soh_ci return HksAddParams(paramSet, authParams, ARRAY_SIZE(authParams)); 125dfe32fa1Soh_ci} 126dfe32fa1Soh_ci 127dfe32fa1Soh_ciint32_t GenerateKey(const struct KeyId *keyId, bool needAuth, bool requirePasswordSet) 128dfe32fa1Soh_ci{ 129dfe32fa1Soh_ci struct HksParamSet *paramSet = NULL; 130dfe32fa1Soh_ci int32_t ret = HKS_SUCCESS; 131dfe32fa1Soh_ci do { 132dfe32fa1Soh_ci ret = HksInitParamSet(¶mSet); 133dfe32fa1Soh_ci if (ret != HKS_SUCCESS) { 134dfe32fa1Soh_ci LOGE("[FATAL]HUKS init param set failed. error=%{public}d", ret); 135dfe32fa1Soh_ci break; 136dfe32fa1Soh_ci } 137dfe32fa1Soh_ci 138dfe32fa1Soh_ci ret = AddCommonGenParams(paramSet, keyId); 139dfe32fa1Soh_ci if (ret != HKS_SUCCESS) { 140dfe32fa1Soh_ci LOGE("[FATAL]HUKS add common params failed. error=%{public}d", ret); 141dfe32fa1Soh_ci break; 142dfe32fa1Soh_ci } 143dfe32fa1Soh_ci 144dfe32fa1Soh_ci if (keyId->userId > ASSET_ROOT_USER_UPPERBOUND) { 145dfe32fa1Soh_ci ret = AddSpecificUserIdParams(paramSet, keyId->userId); 146dfe32fa1Soh_ci if (ret != HKS_SUCCESS) { 147dfe32fa1Soh_ci LOGE("[FATAL]HUKS add specific userId failed. error=%{public}d", ret); 148dfe32fa1Soh_ci break; 149dfe32fa1Soh_ci } 150dfe32fa1Soh_ci } 151dfe32fa1Soh_ci 152dfe32fa1Soh_ci if (needAuth) { 153dfe32fa1Soh_ci ret = AddAuthGenParams(paramSet); 154dfe32fa1Soh_ci if (ret != HKS_SUCCESS) { 155dfe32fa1Soh_ci LOGE("[FATAL]HUKS add auth params failed. error=%{public}d", ret); 156dfe32fa1Soh_ci break; 157dfe32fa1Soh_ci } 158dfe32fa1Soh_ci } 159dfe32fa1Soh_ci 160dfe32fa1Soh_ci if (requirePasswordSet) { 161dfe32fa1Soh_ci struct HksParam tempParam = { .tag = HKS_TAG_IS_DEVICE_PASSWORD_SET, .boolParam = true }; 162dfe32fa1Soh_ci ret = HksAddParams(paramSet, &tempParam, 1); // 1: add one param to paramSet 163dfe32fa1Soh_ci if (ret != HKS_SUCCESS) { 164dfe32fa1Soh_ci LOGE("[FATAL]HUKS add requirePasswordSet param failed. error=%{public}d", ret); 165dfe32fa1Soh_ci break; 166dfe32fa1Soh_ci } 167dfe32fa1Soh_ci } 168dfe32fa1Soh_ci 169dfe32fa1Soh_ci ret = HksBuildParamSet(¶mSet); 170dfe32fa1Soh_ci if (ret != HKS_SUCCESS) { 171dfe32fa1Soh_ci LOGE("[FATAL]HUKS build param set failed. error=%{public}d", ret); 172dfe32fa1Soh_ci break; 173dfe32fa1Soh_ci } 174dfe32fa1Soh_ci 175dfe32fa1Soh_ci ret = HksGenerateKey(&keyId->alias, paramSet, NULL); 176dfe32fa1Soh_ci if (ret != HKS_SUCCESS) { 177dfe32fa1Soh_ci LOGE("[FATAL]HUKS generate key failed. error=%{public}d", ret); 178dfe32fa1Soh_ci } 179dfe32fa1Soh_ci } while (0); 180dfe32fa1Soh_ci 181dfe32fa1Soh_ci HksFreeParamSet(¶mSet); 182dfe32fa1Soh_ci return HuksErrorTransfer(ret); 183dfe32fa1Soh_ci} 184dfe32fa1Soh_ci 185dfe32fa1Soh_ciint32_t DeleteKey(const struct KeyId *keyId) 186dfe32fa1Soh_ci{ 187dfe32fa1Soh_ci struct HksParam params[] = { 188dfe32fa1Soh_ci { .tag = HKS_TAG_AUTH_STORAGE_LEVEL, .uint32Param = AccessibilityToHksAuthStorageLevel(keyId->accessibility) }, 189dfe32fa1Soh_ci }; 190dfe32fa1Soh_ci struct HksParamSet *paramSet = NULL; 191dfe32fa1Soh_ci int32_t ret = BuildParamSet(¶mSet, params, ARRAY_SIZE(params), keyId->userId); 192dfe32fa1Soh_ci if (ret != HKS_SUCCESS) { 193dfe32fa1Soh_ci return HuksErrorTransfer(ret); 194dfe32fa1Soh_ci } 195dfe32fa1Soh_ci 196dfe32fa1Soh_ci ret = HksDeleteKey(&keyId->alias, paramSet); 197dfe32fa1Soh_ci HksFreeParamSet(¶mSet); 198dfe32fa1Soh_ci return HuksErrorTransfer(ret); 199dfe32fa1Soh_ci} 200dfe32fa1Soh_ci 201dfe32fa1Soh_ciint32_t IsKeyExist(const struct KeyId *keyId) 202dfe32fa1Soh_ci{ 203dfe32fa1Soh_ci struct HksParam params[] = { 204dfe32fa1Soh_ci { .tag = HKS_TAG_AUTH_STORAGE_LEVEL, .uint32Param = AccessibilityToHksAuthStorageLevel(keyId->accessibility) }, 205dfe32fa1Soh_ci }; 206dfe32fa1Soh_ci struct HksParamSet *paramSet = NULL; 207dfe32fa1Soh_ci int32_t ret = BuildParamSet(¶mSet, params, ARRAY_SIZE(params), keyId->userId); 208dfe32fa1Soh_ci if (ret != HKS_SUCCESS) { 209dfe32fa1Soh_ci return HuksErrorTransfer(ret); 210dfe32fa1Soh_ci } 211dfe32fa1Soh_ci 212dfe32fa1Soh_ci ret = HksKeyExist(&keyId->alias, paramSet); 213dfe32fa1Soh_ci HksFreeParamSet(¶mSet); 214dfe32fa1Soh_ci return HuksErrorTransfer(ret); 215dfe32fa1Soh_ci} 216dfe32fa1Soh_ci 217dfe32fa1Soh_ciint32_t EncryptData(const struct KeyId *keyId, const struct HksBlob *aad, const struct HksBlob *inData, 218dfe32fa1Soh_ci struct HksBlob *outData) 219dfe32fa1Soh_ci{ 220dfe32fa1Soh_ci struct HksParam encryptParams[] = { 221dfe32fa1Soh_ci { .tag = HKS_TAG_ALGORITHM, .uint32Param = HKS_ALG_AES }, 222dfe32fa1Soh_ci { .tag = HKS_TAG_PURPOSE, .uint32Param = HKS_KEY_PURPOSE_ENCRYPT }, 223dfe32fa1Soh_ci { .tag = HKS_TAG_KEY_SIZE, .uint32Param = HKS_AES_KEY_SIZE_256 }, 224dfe32fa1Soh_ci { .tag = HKS_TAG_PADDING, .uint32Param = HKS_PADDING_NONE }, 225dfe32fa1Soh_ci { .tag = HKS_TAG_BLOCK_MODE, .uint32Param = HKS_MODE_GCM }, 226dfe32fa1Soh_ci { .tag = HKS_TAG_ASSOCIATED_DATA, .blob = *aad }, 227dfe32fa1Soh_ci { .tag = HKS_TAG_AUTH_STORAGE_LEVEL, .uint32Param = AccessibilityToHksAuthStorageLevel(keyId->accessibility) }, 228dfe32fa1Soh_ci }; 229dfe32fa1Soh_ci struct HksParamSet *encryptParamSet = NULL; 230dfe32fa1Soh_ci int32_t ret = BuildParamSet(&encryptParamSet, encryptParams, ARRAY_SIZE(encryptParams), keyId->userId); 231dfe32fa1Soh_ci if (ret != HKS_SUCCESS) { 232dfe32fa1Soh_ci return HuksErrorTransfer(ret); 233dfe32fa1Soh_ci } 234dfe32fa1Soh_ci 235dfe32fa1Soh_ci uint8_t handle[sizeof(uint64_t)] = { 0 }; 236dfe32fa1Soh_ci struct HksBlob handleBlob = { sizeof(uint64_t), handle }; 237dfe32fa1Soh_ci ret = HksInit(&keyId->alias, encryptParamSet, &handleBlob, NULL); 238dfe32fa1Soh_ci if (ret != HKS_SUCCESS) { 239dfe32fa1Soh_ci LOGE("[FATAL]HUKS encrypt init failed. error=%{public}d", ret); 240dfe32fa1Soh_ci HksFreeParamSet(&encryptParamSet); 241dfe32fa1Soh_ci return HuksErrorTransfer(ret); 242dfe32fa1Soh_ci } 243dfe32fa1Soh_ci 244dfe32fa1Soh_ci ret = HksFinish(&handleBlob, encryptParamSet, inData, outData); 245dfe32fa1Soh_ci HksFreeParamSet(&encryptParamSet); 246dfe32fa1Soh_ci if (ret != HKS_SUCCESS) { 247dfe32fa1Soh_ci LOGE("[FATAL]HUKS encrypt finish failed. error=%{public}d", ret); 248dfe32fa1Soh_ci } 249dfe32fa1Soh_ci return HuksErrorTransfer(ret); 250dfe32fa1Soh_ci} 251dfe32fa1Soh_ci 252dfe32fa1Soh_ciint32_t DecryptData(const struct KeyId *keyId, const struct HksBlob *aad, const struct HksBlob *inData, 253dfe32fa1Soh_ci struct HksBlob *outData) 254dfe32fa1Soh_ci{ 255dfe32fa1Soh_ci struct HksBlob cipher = { inData->size - NONCE_SIZE - TAG_SIZE, inData->data }; 256dfe32fa1Soh_ci struct HksBlob tag = { TAG_SIZE, inData->data + (inData->size - NONCE_SIZE - TAG_SIZE) }; 257dfe32fa1Soh_ci struct HksBlob nonce = { NONCE_SIZE, inData->data + (inData->size - NONCE_SIZE) }; 258dfe32fa1Soh_ci 259dfe32fa1Soh_ci struct HksParamSet *decryptParamSet = NULL; 260dfe32fa1Soh_ci struct HksParam decryptParams[] = { 261dfe32fa1Soh_ci { .tag = HKS_TAG_ALGORITHM, .uint32Param = HKS_ALG_AES }, 262dfe32fa1Soh_ci { .tag = HKS_TAG_PURPOSE, .uint32Param = HKS_KEY_PURPOSE_DECRYPT }, 263dfe32fa1Soh_ci { .tag = HKS_TAG_KEY_SIZE, .uint32Param = HKS_AES_KEY_SIZE_256 }, 264dfe32fa1Soh_ci { .tag = HKS_TAG_PADDING, .uint32Param = HKS_PADDING_NONE }, 265dfe32fa1Soh_ci { .tag = HKS_TAG_BLOCK_MODE, .uint32Param = HKS_MODE_GCM }, 266dfe32fa1Soh_ci { .tag = HKS_TAG_ASSOCIATED_DATA, .blob = *aad }, 267dfe32fa1Soh_ci { .tag = HKS_TAG_NONCE, .blob = nonce }, 268dfe32fa1Soh_ci { .tag = HKS_TAG_AE_TAG, .blob = tag }, 269dfe32fa1Soh_ci { .tag = HKS_TAG_AUTH_STORAGE_LEVEL, .uint32Param = AccessibilityToHksAuthStorageLevel(keyId->accessibility) }, 270dfe32fa1Soh_ci }; 271dfe32fa1Soh_ci 272dfe32fa1Soh_ci int32_t ret = BuildParamSet(&decryptParamSet, decryptParams, ARRAY_SIZE(decryptParams), keyId->userId); 273dfe32fa1Soh_ci if (ret != HKS_SUCCESS) { 274dfe32fa1Soh_ci return HuksErrorTransfer(ret); 275dfe32fa1Soh_ci } 276dfe32fa1Soh_ci 277dfe32fa1Soh_ci uint8_t handle[sizeof(uint64_t)] = { 0 }; 278dfe32fa1Soh_ci struct HksBlob handleBlob = { sizeof(uint64_t), handle }; 279dfe32fa1Soh_ci ret = HksInit(&keyId->alias, decryptParamSet, &handleBlob, NULL); 280dfe32fa1Soh_ci if (ret != HKS_SUCCESS) { 281dfe32fa1Soh_ci LOGE("[FATAL]HUKS decrypt init failed. error=%{public}d", ret); 282dfe32fa1Soh_ci HksFreeParamSet(&decryptParamSet); 283dfe32fa1Soh_ci return HuksErrorTransfer(ret); 284dfe32fa1Soh_ci } 285dfe32fa1Soh_ci 286dfe32fa1Soh_ci ret = HksFinish(&handleBlob, decryptParamSet, &cipher, outData); 287dfe32fa1Soh_ci HksFreeParamSet(&decryptParamSet); 288dfe32fa1Soh_ci if (ret != HKS_SUCCESS) { 289dfe32fa1Soh_ci LOGE("[FATAL]HUKS decrypt finish failed. error=%{public}d", ret); 290dfe32fa1Soh_ci } 291dfe32fa1Soh_ci return HuksErrorTransfer(ret); 292dfe32fa1Soh_ci} 293dfe32fa1Soh_ci 294dfe32fa1Soh_ciint32_t InitKey(const struct KeyId *keyId, uint32_t validTime, struct HksBlob *challenge, struct HksBlob *handle) 295dfe32fa1Soh_ci{ 296dfe32fa1Soh_ci struct HksParam initParams[] = { 297dfe32fa1Soh_ci { .tag = HKS_TAG_ALGORITHM, .uint32Param = HKS_ALG_AES}, 298dfe32fa1Soh_ci { .tag = HKS_TAG_PURPOSE, .uint32Param = HKS_KEY_PURPOSE_DECRYPT }, 299dfe32fa1Soh_ci { .tag = HKS_TAG_KEY_SIZE, .uint32Param = HKS_AES_KEY_SIZE_256 }, 300dfe32fa1Soh_ci { .tag = HKS_TAG_IS_BATCH_OPERATION, .boolParam = true }, 301dfe32fa1Soh_ci { .tag = HKS_TAG_BATCH_OPERATION_TIMEOUT, .uint32Param = validTime }, 302dfe32fa1Soh_ci { .tag = HKS_TAG_AUTH_STORAGE_LEVEL, .uint32Param = AccessibilityToHksAuthStorageLevel(keyId->accessibility) }, 303dfe32fa1Soh_ci }; 304dfe32fa1Soh_ci struct HksParamSet *paramSet = NULL; 305dfe32fa1Soh_ci int32_t ret = BuildParamSet(¶mSet, initParams, ARRAY_SIZE(initParams), keyId->userId); 306dfe32fa1Soh_ci if (ret != HKS_SUCCESS) { 307dfe32fa1Soh_ci return HuksErrorTransfer(ret); 308dfe32fa1Soh_ci } 309dfe32fa1Soh_ci 310dfe32fa1Soh_ci ret = HksInit(&keyId->alias, paramSet, handle, challenge); 311dfe32fa1Soh_ci HksFreeParamSet(¶mSet); 312dfe32fa1Soh_ci if (ret != HKS_SUCCESS) { 313dfe32fa1Soh_ci LOGE("[FATAL]HUKS batch decrypt init failed. error=%{public}d", ret); 314dfe32fa1Soh_ci } 315dfe32fa1Soh_ci return HuksErrorTransfer(ret); 316dfe32fa1Soh_ci} 317dfe32fa1Soh_ci 318dfe32fa1Soh_ciint32_t ExecCrypt(const struct HksBlob *handle, const struct HksBlob *aad, const struct HksBlob *authToken, 319dfe32fa1Soh_ci const struct HksBlob *inData, struct HksBlob *outData) 320dfe32fa1Soh_ci{ 321dfe32fa1Soh_ci struct HksBlob tag = { TAG_SIZE, inData->data + (inData->size - NONCE_SIZE - TAG_SIZE) }; 322dfe32fa1Soh_ci struct HksBlob nonce = { NONCE_SIZE, inData->data + (inData->size - NONCE_SIZE) }; 323dfe32fa1Soh_ci 324dfe32fa1Soh_ci struct HksParam updateParams[] = { 325dfe32fa1Soh_ci { .tag = HKS_TAG_ALGORITHM, .uint32Param = HKS_ALG_AES }, 326dfe32fa1Soh_ci { .tag = HKS_TAG_PURPOSE, .uint32Param = HKS_KEY_PURPOSE_DECRYPT }, 327dfe32fa1Soh_ci { .tag = HKS_TAG_KEY_SIZE, .uint32Param = HKS_AES_KEY_SIZE_256 }, 328dfe32fa1Soh_ci { .tag = HKS_TAG_PADDING, .uint32Param = HKS_PADDING_NONE }, 329dfe32fa1Soh_ci { .tag = HKS_TAG_BLOCK_MODE, .uint32Param = HKS_MODE_GCM }, 330dfe32fa1Soh_ci { .tag = HKS_TAG_ASSOCIATED_DATA, .blob = { .size = aad->size, .data = aad->data } }, 331dfe32fa1Soh_ci { .tag = HKS_TAG_NONCE, .blob = nonce }, 332dfe32fa1Soh_ci { .tag = HKS_TAG_AE_TAG, .blob = tag }, 333dfe32fa1Soh_ci { .tag = HKS_TAG_AUTH_TOKEN, .blob = *authToken }, 334dfe32fa1Soh_ci }; 335dfe32fa1Soh_ci 336dfe32fa1Soh_ci struct HksParamSet *paramSet = NULL; 337dfe32fa1Soh_ci int32_t ret = BuildParamSet(¶mSet, updateParams, ARRAY_SIZE(updateParams), 0); 338dfe32fa1Soh_ci if (ret != HKS_SUCCESS) { 339dfe32fa1Soh_ci return HuksErrorTransfer(ret); 340dfe32fa1Soh_ci } 341dfe32fa1Soh_ci 342dfe32fa1Soh_ci struct HksBlob cipher = { inData->size - NONCE_SIZE - TAG_SIZE, inData->data }; 343dfe32fa1Soh_ci ret = HksUpdate(handle, paramSet, &cipher, outData); 344dfe32fa1Soh_ci HksFreeParamSet(¶mSet); 345dfe32fa1Soh_ci if (ret != HKS_SUCCESS) { 346dfe32fa1Soh_ci LOGE("[FATAL]HUKS batch decrypt update failed. error=%{public}d", ret); 347dfe32fa1Soh_ci } 348dfe32fa1Soh_ci return HuksErrorTransfer(ret); 349dfe32fa1Soh_ci} 350dfe32fa1Soh_ci 351dfe32fa1Soh_ciint32_t Drop(const struct HksBlob *handle) 352dfe32fa1Soh_ci{ 353dfe32fa1Soh_ci struct HksBlob inData = { 0, NULL }; 354dfe32fa1Soh_ci struct HksBlob outData = { 0, NULL }; 355dfe32fa1Soh_ci 356dfe32fa1Soh_ci struct HksParamSet *paramSet = NULL; 357dfe32fa1Soh_ci int32_t ret = BuildParamSet(¶mSet, NULL, 0, 0); 358dfe32fa1Soh_ci if (ret != HKS_SUCCESS) { 359dfe32fa1Soh_ci return HuksErrorTransfer(ret); 360dfe32fa1Soh_ci } 361dfe32fa1Soh_ci 362dfe32fa1Soh_ci ret = HksFinish(handle, paramSet, &inData, &outData); 363dfe32fa1Soh_ci HksFreeParamSet(¶mSet); 364dfe32fa1Soh_ci if (ret != HKS_SUCCESS) { 365dfe32fa1Soh_ci LOGE("[FATAL]HUKS batch decrypt finish failed. error=%{public}d", ret); 366dfe32fa1Soh_ci } 367dfe32fa1Soh_ci return HuksErrorTransfer(ret); 368dfe32fa1Soh_ci} 369dfe32fa1Soh_ci 370dfe32fa1Soh_ciint32_t RenameKeyAlias(const struct KeyId *keyId, const struct HksBlob *newKeyAlias) 371dfe32fa1Soh_ci{ 372dfe32fa1Soh_ci struct HksParam params[] = { 373dfe32fa1Soh_ci { .tag = HKS_TAG_AUTH_STORAGE_LEVEL, .uint32Param = AccessibilityToHksAuthStorageLevel(keyId->accessibility) }, 374dfe32fa1Soh_ci { .tag = HKS_TAG_IS_COPY_NEW_KEY, .boolParam = true }, 375dfe32fa1Soh_ci }; 376dfe32fa1Soh_ci struct HksParamSet *paramSet = NULL; 377dfe32fa1Soh_ci int32_t ret = BuildParamSet(¶mSet, params, ARRAY_SIZE(params), keyId->userId); 378dfe32fa1Soh_ci if (ret != HKS_SUCCESS) { 379dfe32fa1Soh_ci return HuksErrorTransfer(ret); 380dfe32fa1Soh_ci } 381dfe32fa1Soh_ci 382dfe32fa1Soh_ci ret = HksRenameKeyAlias(&keyId->alias, paramSet, newKeyAlias); 383dfe32fa1Soh_ci HksFreeParamSet(¶mSet); 384dfe32fa1Soh_ci if (ret != HKS_SUCCESS) { 385dfe32fa1Soh_ci LOGE("[FATAL]HUKS rename key alias failed. error=%{public}d", ret); 386dfe32fa1Soh_ci } 387dfe32fa1Soh_ci return HuksErrorTransfer(ret); 388dfe32fa1Soh_ci}