/*
 * Copyright (C) 2016 The Android Open Source Project
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

#ifndef KEYSTORE_KEYSTORE_H_
#define KEYSTORE_KEYSTORE_H_

#include <android/hardware/keymaster/3.0/IKeymasterDevice.h>

#include <utils/Vector.h>

#include "Keymaster.h"
#include "blob.h"
#include "grant_store.h"
#include "include/keystore/keymaster_tags.h"
#include "user_state.h"

namespace keystore {

using ::android::sp;

/**
 * Central keystore object. It holds the primary and fallback Keymaster handles, the list of
 * per-user state objects, the grant store and the metadata version, and declares the
 * operations on key blobs, master keys and grants.
 *
 * NOTE(review): the class declares a destructor and stores raw pointers (mEntropy and the
 * UserState* entries of mMasterKeys) while leaving copy and move operations implicit.
 * Ownership of those pointers is not visible in this header. If the destructor releases them,
 * an accidental copy would leave two objects releasing the same per-user key state, so
 * deleting the copy operations is worth considering once the definition has been checked.
 */
class KeyStore {
  public:
    /**
     * Parameter roles are inferred from the members they correspond to (mEntropy, mDevice,
     * mFallbackDevice, mAllowNewFallback); the definition is outside this header.
     */
    KeyStore(Entropy* entropy, const sp<Keymaster>& device, const sp<Keymaster>& fallback,
             bool allowNewFallback);
    ~KeyStore();

    /**
     * Returns the primary Keymaster handle. The result is a mutable reference to the stored
     * strong pointer, so a caller is able to reseat it as well as use it.
     */
    sp<Keymaster>& getDevice() { return mDevice; }

    /**
     * Returns the fallback Keymaster handle, or an empty NullOr when creating new fallback
     * key blobs is not allowed.
     */
    NullOr<sp<Keymaster>&> getFallbackDevice() {
        // Gate on mAllowNewFallback only here: blobs that already are fallback blobs are
        // still routed to the fallback device by getDevice(const Blob&).
        if (!mAllowNewFallback) {
            return {};
        }
        return mFallbackDevice;
    }

    /**
     * Picks the device that has to process the given blob, which keeps old key blobs
     * generated with the fallback device usable.
     *
     * NOTE(review): the choice rests solely on blob.isFallback(); mAllowNewFallback is not
     * consulted and mFallbackDevice is returned without a null check. Whether the fallback
     * handle can be unset, and how the fallback flag of a blob is protected, is decided
     * outside this header -- confirm that callers check the returned pointer.
     */
    sp<Keymaster>& getDevice(const Blob& blob) {
        if (blob.isFallback()) {
            return mFallbackDevice;
        }
        return mDevice;
    }

    /** Initializes the keystore; the steps performed are in the definition. */
    ResponseCode initialize();

    /**
     * Returns the State reported by the UserState of userId. The non-const getUserState()
     * is used, which is documented to create the UserState when it does not exist yet.
     */
    State getState(uid_t userId) {
        UserState* const userState = getUserState(userId);
        return userState->getState();
    }

    /**
     * Per-user setup and master key handling.
     *
     * NOTE(review): pw is presumably the user's password -- confirm. It arrives as an
     * android::String8 and nothing in this header shows whether the buffer is cleared after
     * use.
     */
    ResponseCode initializeUser(const android::String8& pw, uid_t userId);

    ResponseCode copyMasterKey(uid_t srcUser, uid_t dstUser);
    ResponseCode writeMasterKey(const android::String8& pw, uid_t userId);
    ResponseCode readMasterKey(const android::String8& pw, uid_t userId);

    /**
     * Name builders for a key of the given BlobType; the variants additionally take the uid
     * and, judging by the name, prepend a directory.
     *
     * NOTE(review): get(), put() and del() take a filename, presumably one produced here.
     * How keyName is encoded before it becomes part of a file name is in the definition --
     * confirm that path separators in caller-supplied names cannot survive.
     */
    android::String8 getKeyName(const android::String8& keyName, const BlobType type);
    android::String8 getKeyNameForUid(const android::String8& keyName, uid_t uid,
                                      const BlobType type);
    android::String8 getKeyNameForUidWithDir(const android::String8& keyName, uid_t uid,
                                             const BlobType type);

    /**
     * Looks up the blob file for alias, uid and type. The NullOr return type suggests an
     * empty result when no such file exists -- confirm against the definition.
     */
    NullOr<android::String8> getBlobFileNameIfExists(const android::String8& alias, uid_t uid,
                                                     const BlobType type);

    /*
     * Delete entries owned by userId. If keepUnencryptedEntries is true
     * then only encrypted entries will be removed, otherwise all entries will
     * be removed.
     *
     * NOTE(review): the parameter is spelled keepUnenryptedEntries in this declaration; the
     * spelling is left as is so that it keeps matching whatever the definition uses.
     */
    void resetUser(uid_t userId, bool keepUnenryptedEntries);

    /** Reports whether userId has no entries (exact criterion is in the definition). */
    bool isEmpty(uid_t userId) const;

    /** Locks the keystore of userId (effect on cached key material is in the definition). */
    void lock(uid_t userId);

    /** Blob file operations for userId; each reports its outcome as a ResponseCode. */
    ResponseCode get(const char* filename, Blob* keyBlob, const BlobType type, uid_t userId);
    ResponseCode put(const char* filename, Blob* keyBlob, uid_t userId);
    ResponseCode del(const char* filename, const BlobType type, uid_t userId);

    /** Collects into matches the entries of userId that start with prefix. */
    ResponseCode list(const android::String8& prefix, android::Vector<android::String16>* matches,
                      uid_t userId);

    /**
     * Grant bookkeeping between a granter uid and a grantee uid for an alias. addGrant()
     * returns a string (presumably the name under which the grantee reaches the key --
     * confirm); removeGrant() returns a bool (presumably whether a grant was removed).
     */
    std::string addGrant(const char* alias, uid_t granterUid, uid_t granteeUid);
    bool removeGrant(const char* alias, const uid_t granterUid, const uid_t granteeUid);
    void removeAllGrantsToUid(const uid_t granteeUid);

    /** Imports keyLen bytes of key material at key and stores them under filename. */
    ResponseCode importKey(const uint8_t* key, size_t keyLen, const char* filename, uid_t userId,
                           int32_t flags);

    /** Reports whether keys of keyType are hardware backed. */
    bool isHardwareBacked(const android::String16& keyType) const;

    /** Fetches into keyBlob the key called keyName that belongs to uid. */
    ResponseCode getKeyForName(Blob* keyBlob, const android::String8& keyName, const uid_t uid,
                               const BlobType type);

    /**
     * Returns any existing UserState or creates it if it doesn't exist.
     */
    UserState* getUserState(uid_t userId);

    /**
     * Same contract as getUserState(uid_t), keyed by an app uid instead of a user id.
     */
    UserState* getUserStateByUid(uid_t uid);

    /**
     * Const lookup: returns NULL if the UserState doesn't already exist, so the result has
     * to be checked before use.
     */
    const UserState* getUserState(uid_t userId) const;

    /**
     * Const lookup by app uid: returns NULL if the UserState doesn't already exist.
     */
    const UserState* getUserStateByUid(uid_t uid) const;

  private:
    // File names and key type names; the values are defined in the .cpp.
    static const char* kOldMasterKey;
    static const char* kMetaDataFile;
    static const android::String16 kRsaKeyType;
    static const android::String16 kEcKeyType;

    // Entropy source passed to the constructor; ownership is not visible here.
    Entropy* mEntropy;

    // Primary device, fallback device, and the switch that allows new fallback key blobs.
    sp<Keymaster> mDevice;
    sp<Keymaster> mFallbackDevice;
    bool mAllowNewFallback;

    // One UserState per known user, held as raw pointers.
    android::Vector<UserState*> mMasterKeys;

    ::keystore::GrantStore mGrants;

    // Metadata record: a single version number.
    struct keystore_metadata_t {
        uint32_t version;
    };

    keystore_metadata_t mMetaData;

    /**
     * Upgrade the key from the current version to whatever is newest.
     */
    bool upgradeBlob(const char* filename, Blob* blob, const uint8_t oldVersion,
                     const BlobType type, uid_t uid);

    /**
     * Takes a blob that is a PEM-encoded RSA key as a byte array and converts it to a
     * DER-encoded PKCS#8 for import into a keymaster. Then it overwrites the original blob
     * with the new blob format that is returned from the keymaster.
     */
    ResponseCode importBlobAsKey(Blob* blob, const char* filename, uid_t uid);

    // Load and store mMetaData (presumably via kMetaDataFile -- confirm).
    void readMetaData();
    void writeMetaData();

    bool upgradeKeystore();
};

}  // namespace keystore

#endif  // KEYSTORE_KEYSTORE_H_