|  | /* | 
|  | * Copyright (c) 2019, The Android Open Source Project | 
|  | * | 
|  | * Licensed under the Apache License, Version 2.0 (the "License"); | 
|  | * you may not use this file except in compliance with the License. | 
|  | * You may obtain a copy of the License at | 
|  | * | 
|  | *     http://www.apache.org/licenses/LICENSE-2.0 | 
|  | * | 
|  | * Unless required by applicable law or agreed to in writing, software | 
|  | * distributed under the License is distributed on an "AS IS" BASIS, | 
|  | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | 
|  | * See the License for the specific language governing permissions and | 
|  | * limitations under the License. | 
|  | */ | 
|  |  | 
|  | #ifndef SYSTEM_SECURITY_CREDENTIAL_DATA_H_ | 
|  | #define SYSTEM_SECURITY_CREDENTIAL_DATA_H_ | 
|  |  | 
|  | #include <sys/types.h> | 
|  | #include <unistd.h> | 
|  |  | 
|  | #include <map> | 
|  | #include <string> | 
|  | #include <utility> | 
|  | #include <vector> | 
|  |  | 
|  | #include <android/hardware/identity/IIdentityCredential.h> | 
|  | #include <android/hardware/identity/SecureAccessControlProfile.h> | 
|  |  | 
|  | namespace android { | 
|  | namespace security { | 
|  | namespace identity { | 
|  |  | 
|  | using ::android::hardware::identity::Certificate; | 
|  | using ::android::hardware::identity::IIdentityCredential; | 
|  | using ::android::hardware::identity::SecureAccessControlProfile; | 
|  | using ::std::map; | 
|  | using ::std::optional; | 
|  | using ::std::pair; | 
|  | using ::std::string; | 
|  | using ::std::tuple; | 
|  | using ::std::vector; | 
|  |  | 
|  | struct EntryData { | 
|  | EntryData() {} | 
|  |  | 
|  | uint64_t size = 0; | 
|  | vector<int32_t> accessControlProfileIds; | 
|  | vector<vector<uint8_t>> encryptedChunks; | 
|  | }; | 
|  |  | 
|  | struct AuthKeyData { | 
|  | AuthKeyData() {} | 
|  |  | 
|  | vector<uint8_t> certificate; | 
|  | vector<uint8_t> keyBlob; | 
|  | int64_t expirationDateMillisSinceEpoch = 0; | 
|  | vector<uint8_t> staticAuthenticationData; | 
|  | vector<uint8_t> pendingCertificate; | 
|  | vector<uint8_t> pendingKeyBlob; | 
|  | int useCount = 0; | 
|  | }; | 
|  |  | 
|  | class CredentialData : public RefBase { | 
|  | public: | 
|  | CredentialData(const string& dataPath, uid_t ownerUid, const string& name); | 
|  |  | 
|  | static string calculateCredentialFileName(const string& dataPath, uid_t ownerUid, | 
|  | const string& name); | 
|  |  | 
|  | static optional<bool> credentialExists(const string& dataPath, uid_t ownerUid, | 
|  | const string& name); | 
|  |  | 
|  | void setSecureUserId(int64_t secureUserId); | 
|  |  | 
|  | void setCredentialData(const vector<uint8_t>& credentialData); | 
|  |  | 
|  | void setAttestationCertificate(const vector<uint8_t>& attestationCertificate); | 
|  |  | 
|  | void | 
|  | addSecureAccessControlProfile(const SecureAccessControlProfile& secureAccessControlProfile); | 
|  |  | 
|  | void addEntryData(const string& namespaceName, const string& entryName, const EntryData& data); | 
|  |  | 
|  | bool saveToDisk() const; | 
|  |  | 
|  | bool loadFromDisk(); | 
|  |  | 
|  | bool deleteCredential(); | 
|  |  | 
|  | void setAvailableAuthenticationKeys(int keyCount, int maxUsesPerKey); | 
|  |  | 
|  | // Getters | 
|  |  | 
|  | int64_t getSecureUserId(); | 
|  |  | 
|  | const vector<uint8_t>& getCredentialData() const; | 
|  |  | 
|  | const vector<uint8_t>& getAttestationCertificate() const; | 
|  |  | 
|  | const vector<SecureAccessControlProfile>& getSecureAccessControlProfiles() const; | 
|  |  | 
|  | bool hasEntryData(const string& namespaceName, const string& entryName) const; | 
|  |  | 
|  | optional<EntryData> getEntryData(const string& namespaceName, const string& entryName) const; | 
|  |  | 
|  | const vector<AuthKeyData>& getAuthKeyDatas() const; | 
|  |  | 
|  | pair<int /* keyCount */, int /*maxUsersPerKey */> getAvailableAuthenticationKeys(); | 
|  |  | 
|  | // Returns |nullptr| if a suitable key cannot be found. Otherwise returns | 
|  | // the authentication and increases its use-count. | 
|  | const AuthKeyData* selectAuthKey(bool allowUsingExhaustedKeys, bool allowUsingExpiredKeys); | 
|  |  | 
|  | optional<vector<vector<uint8_t>>> | 
|  | getAuthKeysNeedingCertification(const sp<IIdentityCredential>& halBinder); | 
|  |  | 
|  | bool storeStaticAuthenticationData(const vector<uint8_t>& authenticationKey, | 
|  | int64_t expirationDateMillisSinceEpoch, | 
|  | const vector<uint8_t>& staticAuthData); | 
|  |  | 
|  | private: | 
|  | AuthKeyData* findAuthKey_(bool allowUsingExhaustedKeys, bool allowUsingExpiredKeys); | 
|  |  | 
|  | // Set by constructor. | 
|  | // | 
|  | string dataPath_; | 
|  | uid_t ownerUid_; | 
|  | string name_; | 
|  |  | 
|  | // Calculated at construction time, from |dataPath_|, |ownerUid_|, |name_|. | 
|  | string fileName_; | 
|  |  | 
|  | // Data serialized in CBOR from here: | 
|  | // | 
|  | int64_t secureUserId_; | 
|  | vector<uint8_t> credentialData_; | 
|  | vector<uint8_t> attestationCertificate_; | 
|  | vector<SecureAccessControlProfile> secureAccessControlProfiles_; | 
|  | map<string, EntryData> idToEncryptedChunks_; | 
|  |  | 
|  | int keyCount_ = 0; | 
|  | int maxUsesPerKey_ = 1; | 
|  | vector<AuthKeyData> authKeyDatas_;  // Always |keyCount_| long. | 
|  | }; | 
|  |  | 
|  | }  // namespace identity | 
|  | }  // namespace security | 
|  | }  // namespace android | 
|  |  | 
|  | #endif  // SYSTEM_SECURITY_CREDENTIAL_DATA_H_ |