Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_security / 0ab28b78bd06a06a0ffa150cef5876d56212902a / . / keystore / keystore.h
blob: 278a0a0dccfc96a9758c49f6dded7ed90dec1047 [file] [log] [blame]
Shawn Willdenc1d1fee2016-01-26 22:44:56 -0700[diff] [blame]1/*
2 * Copyright (C) 2016 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17#ifndef KEYSTORE_KEYSTORE_H_
18#define KEYSTORE_KEYSTORE_H_
19
20#include "user_state.h"
21
Shawn Willden715d0232016-01-21 00:45:13 -0700[diff] [blame]22#include <hardware/keymaster2.h>
Shawn Willdenc1d1fee2016-01-26 22:44:56 -0700[diff] [blame]23
24#include <utils/Vector.h>
25
26#include "blob.h"
27
28typedef struct {
29 uint32_t uid;
30 const uint8_t* filename;
31} grant_t;
32
33class KeyStore {
34 public:
Shawn Willden715d0232016-01-21 00:45:13 -0700[diff] [blame]35 KeyStore(Entropy* entropy, keymaster2_device_t* device, keymaster2_device_t* fallback);
Shawn Willdenc1d1fee2016-01-26 22:44:56 -0700[diff] [blame]36 ~KeyStore();
37
Shawn Willden715d0232016-01-21 00:45:13 -0700[diff] [blame]38 keymaster2_device_t* getDevice() const { return mDevice; }
Shawn Willdenc1d1fee2016-01-26 22:44:56 -0700[diff] [blame]39
Shawn Willden715d0232016-01-21 00:45:13 -0700[diff] [blame]40 keymaster2_device_t* getFallbackDevice() const { return mFallbackDevice; }
Shawn Willdenc1d1fee2016-01-26 22:44:56 -0700[diff] [blame]41
Shawn Willden715d0232016-01-21 00:45:13 -0700[diff] [blame]42 keymaster2_device_t* getDeviceForBlob(const Blob& blob) const {
Shawn Willdenc1d1fee2016-01-26 22:44:56 -0700[diff] [blame]43 return blob.isFallback() ? mFallbackDevice : mDevice;
44 }
45
46 ResponseCode initialize();
47
48 State getState(uid_t userId) { return getUserState(userId)->getState(); }
49
50 ResponseCode initializeUser(const android::String8& pw, uid_t userId);
51
52 ResponseCode copyMasterKey(uid_t srcUser, uid_t dstUser);
53 ResponseCode writeMasterKey(const android::String8& pw, uid_t userId);
54 ResponseCode readMasterKey(const android::String8& pw, uid_t userId);
55
Tucker Sylvestro0ab28b72016-08-05 18:02:47 -0400[diff] [blame^]56 android::String8 getKeyName(const android::String8& keyName, const BlobType type);
57 android::String8 getKeyNameForUid(const android::String8& keyName, uid_t uid,
58 const BlobType type);
59 android::String8 getKeyNameForUidWithDir(const android::String8& keyName, uid_t uid,
60 const BlobType type);
Shawn Willdenc1d1fee2016-01-26 22:44:56 -0700[diff] [blame]61
62 /*
63 * Delete entries owned by userId. If keepUnencryptedEntries is true
64 * then only encrypted entries will be removed, otherwise all entries will
65 * be removed.
66 */
67 void resetUser(uid_t userId, bool keepUnenryptedEntries);
68 bool isEmpty(uid_t userId) const;
69
70 void lock(uid_t userId);
71
72 ResponseCode get(const char* filename, Blob* keyBlob, const BlobType type, uid_t userId);
73 ResponseCode put(const char* filename, Blob* keyBlob, uid_t userId);
74 ResponseCode del(const char* filename, const BlobType type, uid_t userId);
75 ResponseCode list(const android::String8& prefix, android::Vector<android::String16>* matches,
76 uid_t userId);
77
78 void addGrant(const char* filename, uid_t granteeUid);
79 bool removeGrant(const char* filename, uid_t granteeUid);
80 bool hasGrant(const char* filename, const uid_t uid) const {
81 return getGrant(filename, uid) != NULL;
82 }
83
84 ResponseCode importKey(const uint8_t* key, size_t keyLen, const char* filename, uid_t userId,
85 int32_t flags);
86
87 bool isHardwareBacked(const android::String16& keyType) const;
88
89 ResponseCode getKeyForName(Blob* keyBlob, const android::String8& keyName, const uid_t uid,
90 const BlobType type);
91
92 /**
93 * Returns any existing UserState or creates it if it doesn't exist.
94 */
95 UserState* getUserState(uid_t userId);
96
97 /**
98 * Returns any existing UserState or creates it if it doesn't exist.
99 */
100 UserState* getUserStateByUid(uid_t uid);
101
102 /**
103 * Returns NULL if the UserState doesn't already exist.
104 */
105 const UserState* getUserState(uid_t userId) const;
106
107 /**
108 * Returns NULL if the UserState doesn't already exist.
109 */
110 const UserState* getUserStateByUid(uid_t uid) const;
111
112 private:
113 static const char* sOldMasterKey;
114 static const char* sMetaDataFile;
115 static const android::String16 sRSAKeyType;
116 Entropy* mEntropy;
117
Shawn Willden715d0232016-01-21 00:45:13 -0700[diff] [blame]118 keymaster2_device_t* mDevice;
119 keymaster2_device_t* mFallbackDevice;
Shawn Willdenc1d1fee2016-01-26 22:44:56 -0700[diff] [blame]120
121 android::Vector<UserState*> mMasterKeys;
122
123 android::Vector<grant_t*> mGrants;
124
125 typedef struct { uint32_t version; } keystore_metadata_t;
126
127 keystore_metadata_t mMetaData;
128
129 const grant_t* getGrant(const char* filename, uid_t uid) const;
130
131 /**
132 * Upgrade the key from the current version to whatever is newest.
133 */
134 bool upgradeBlob(const char* filename, Blob* blob, const uint8_t oldVersion,
135 const BlobType type, uid_t uid);
136
137 /**
138 * Takes a blob that is an PEM-encoded RSA key as a byte array and converts it to a DER-encoded
139 * PKCS#8 for import into a keymaster. Then it overwrites the original blob with the new blob
140 * format that is returned from the keymaster.
141 */
142 ResponseCode importBlobAsKey(Blob* blob, const char* filename, uid_t uid);
143
144 void readMetaData();
145 void writeMetaData();
146
147 bool upgradeKeystore();
148};
149
150#endif // KEYSTORE_KEYSTORE_H_