Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_security / 557b10336be7922de4c8937e198f95e853044ecf / . / keystore2 / src / utils.rs
blob: c1684867e7c52a9c8480c914b4e890316be20dbe [file] [log] [blame]
// Copyright 2020, The Android Open Source Project
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
// This suppresses the compiler's complaint about converting tv_sec to i64 in method
// get_current_time_in_seconds.
#![allow(clippy::useless_conversion)]
//! This module implements utility functions used by the Keystore 2.0 service
//! implementation.
use crate::permission;
use crate::permission::{KeyPerm, KeyPermSet, KeystorePerm};
use crate::{error::Error, key_parameter::KeyParameterValue};
use android_hardware_security_keymint::aidl::android::hardware::security::keymint::{
KeyCharacteristics::KeyCharacteristics, SecurityLevel::SecurityLevel,
};
use android_system_keystore2::aidl::android::system::keystore2::{
Authorization::Authorization, KeyDescriptor::KeyDescriptor,
};
use anyhow::{anyhow, Context};
use binder::{FromIBinder, SpIBinder, ThreadState};
use std::convert::TryFrom;
use std::sync::Mutex;
/// This function uses its namesake in the permission module and in
/// combination with with_calling_sid from the binder crate to check
/// if the caller has the given keystore permission.
pub fn check_keystore_permission(perm: KeystorePerm) -> anyhow::Result<()> {
ThreadState::with_calling_sid(|calling_sid| {
permission::check_keystore_permission(
&calling_sid.ok_or_else(Error::sys).context(
"In check_keystore_permission: Cannot check permission without calling_sid.",
)?,
perm,
)
})
}
/// This function uses its namesake in the permission module and in
/// combination with with_calling_sid from the binder crate to check
/// if the caller has the given grant permission.
pub fn check_grant_permission(access_vec: KeyPermSet, key: &KeyDescriptor) -> anyhow::Result<()> {
ThreadState::with_calling_sid(|calling_sid| {
permission::check_grant_permission(
&calling_sid.ok_or_else(Error::sys).context(
"In check_grant_permission: Cannot check permission without calling_sid.",
)?,
access_vec,
key,
)
})
}
/// This function uses its namesake in the permission module and in
/// combination with with_calling_sid from the binder crate to check
/// if the caller has the given key permission.
pub fn check_key_permission(
perm: KeyPerm,
key: &KeyDescriptor,
access_vector: &Option<KeyPermSet>,
) -> anyhow::Result<()> {
ThreadState::with_calling_sid(|calling_sid| {
permission::check_key_permission(
&calling_sid
.ok_or_else(Error::sys)
.context("In check_key_permission: Cannot check permission without calling_sid.")?,
perm,
key,
access_vector,
)
})
}
/// Thread safe wrapper around SpIBinder. It is safe to have SpIBinder smart pointers to the
/// same object in multiple threads, but cloning a SpIBinder is not thread safe.
/// Keystore frequently hands out binder tokens to the security level interface. If this
/// is to happen from a multi threaded thread pool, the SpIBinder needs to be protected by a
/// Mutex.
#[derive(Debug)]
pub struct Asp(Mutex<SpIBinder>);
impl Asp {
/// Creates a new instance owning a SpIBinder wrapped in a Mutex.
pub fn new(i: SpIBinder) -> Self {
Self(Mutex::new(i))
}
/// Clones the owned SpIBinder and attempts to convert it into the requested interface.
pub fn get_interface<T: FromIBinder + ?Sized>(&self) -> anyhow::Result<Box<T>> {
// We can use unwrap here because we never panic when locked, so the mutex
// can never be poisoned.
let lock = self.0.lock().unwrap();
(*lock)
.clone()
.into_interface()
.map_err(|e| anyhow!(format!("get_interface failed with error code {:?}", e)))
}
}
/// Converts a set of key characteristics as returned from KeyMint into the internal
/// representation of the keystore service.
/// The parameter `hw_security_level` indicates which security level shall be used for
/// parameters found in the hardware enforced parameter list.
pub fn key_characteristics_to_internal(
key_characteristics: KeyCharacteristics,
hw_security_level: SecurityLevel,
) -> Vec<crate::key_parameter::KeyParameter> {
key_characteristics
.hardwareEnforced
.into_iter()
.map(|aidl_kp| {
crate::key_parameter::KeyParameter::new(
KeyParameterValue::convert_from_wire(aidl_kp),
hw_security_level,
)
})
.chain(key_characteristics.softwareEnforced.into_iter().map(|aidl_kp| {
crate::key_parameter::KeyParameter::new(
KeyParameterValue::convert_from_wire(aidl_kp),
SecurityLevel::SOFTWARE,
)
}))
.collect()
}
/// Converts a set of key characteristics from the internal representation into a set of
/// Authorizations as they are used to convey key characteristics to the clients of keystore.
pub fn key_parameters_to_authorizations(
parameters: Vec<crate::key_parameter::KeyParameter>,
) -> Vec<Authorization> {
parameters.into_iter().map(|p| p.into_authorization()).collect()
}
/// This returns the current time (in seconds) as an instance of a monotonic clock, by invoking the
/// system call since Rust does not support getting monotonic time instance as an integer.
pub fn get_current_time_in_seconds() -> i64 {
let mut current_time = libc::timespec { tv_sec: 0, tv_nsec: 0 };
// Following unsafe block includes one system call to get monotonic time.
// Therefore, it is not considered harmful.
unsafe { libc::clock_gettime(libc::CLOCK_MONOTONIC_RAW, &mut current_time) };
// It is safe to unwrap here because try_from() returns std::convert::Infallible, which is
// defined to be an error that can never happen (i.e. the result is always ok).
i64::try_from(current_time.tv_sec).unwrap()
}