keystore2/src/service.rs

// Copyright 2020, The Android Open Source Project
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

// TODO remove when fully implemented.
#![allow(unused_variables)]

//! This crate implement the core Keystore 2.0 service API as defined by the Keystore 2.0
//! AIDL spec.

use crate::globals::DB;
use crate::permission;
use crate::permission::{KeyPerm, KeystorePerm};
use crate::security_level::KeystoreSecurityLevel;
use crate::utils::{
    check_grant_permission, check_key_permission, check_keystore_permission,
    key_parameters_to_authorizations, Asp,
};
use crate::{
    database::{KeyEntryLoadBits, KeyType, SubComponentType},
    error::ResponseCode,
};
use crate::{
    error::{self, map_or_log_err, ErrorCode},
    gc::Gc,
};
use android_hardware_security_keymint::aidl::android::hardware::security::keymint::SecurityLevel::SecurityLevel;
use android_system_keystore2::aidl::android::system::keystore2::{
    Domain::Domain, IKeystoreSecurityLevel::IKeystoreSecurityLevel,
    IKeystoreService::BnKeystoreService, IKeystoreService::IKeystoreService,
    KeyDescriptor::KeyDescriptor, KeyEntryResponse::KeyEntryResponse, KeyMetadata::KeyMetadata,
};
use anyhow::{anyhow, Context, Result};
use binder::{IBinder, Interface, ThreadState};
use error::Error;
use keystore2_selinux as selinux;

/// Implementation of the IKeystoreService.
pub struct KeystoreService {
    sec_level_tee: Asp,
    sec_level_strongbox: Option<Asp>,
}

impl KeystoreService {
    /// Create a new instance of the Keystore 2.0 service.
    pub fn new_native_binder() -> Result<impl IKeystoreService> {
        let tee = KeystoreSecurityLevel::new_native_binder(SecurityLevel::TRUSTED_ENVIRONMENT)
            .map(|tee| Asp::new(tee.as_binder()))
            .context(concat!(
                "In KeystoreService::new_native_binder: ",
                "Trying to construct mendatory security level TEE."
            ))?;
        // Strongbox is optional, so we ignore errors and turn the result into an Option.
        let strongbox =
            KeystoreSecurityLevel::new_native_binder(SecurityLevel::TRUSTED_ENVIRONMENT)
                .map(|tee| Asp::new(tee.as_binder()))
                .ok();

        let result = BnKeystoreService::new_binder(Self {
            sec_level_tee: tee,
            sec_level_strongbox: strongbox,
        });
        result.as_binder().set_requesting_sid(true);
        Ok(result)
    }

    fn get_security_level_internal(
        &self,
        security_level: SecurityLevel,
    ) -> Result<Option<Box<dyn IKeystoreSecurityLevel>>> {
        Ok(match (security_level, &self.sec_level_strongbox) {
            (SecurityLevel::TRUSTED_ENVIRONMENT, _) => Some(self.sec_level_tee.get_interface().context(
                "In get_security_level_internal: Failed to get IKeystoreSecurityLevel (TEE).",
            )?),
            (SecurityLevel::STRONGBOX, Some(strongbox)) => Some(strongbox.get_interface().context(
                "In get_security_level_internal: Failed to get IKeystoreSecurityLevel (Strongbox).",
            )?),
            _ => None,
        })
    }

    fn get_security_level(
        &self,
        security_level: SecurityLevel,
    ) -> Result<Box<dyn IKeystoreSecurityLevel>> {
        self.get_security_level_internal(security_level)
            .context("In get_security_level.")?
            .ok_or_else(|| anyhow!(error::Error::Km(ErrorCode::HARDWARE_TYPE_UNAVAILABLE)))
    }

    fn get_key_entry(&self, key: &KeyDescriptor) -> Result<KeyEntryResponse> {
        let (key_id_guard, mut key_entry) = DB
            .with(|db| {
                db.borrow_mut().load_key_entry(
                    key.clone(),
                    KeyType::Client,
                    KeyEntryLoadBits::PUBLIC,
                    ThreadState::get_calling_uid(),
                    |k, av| check_key_permission(KeyPerm::get_info(), k, &av),
                )
            })
            .context("In get_key_entry, while trying to load key info.")?;

        let i_sec_level = if !key_entry.pure_cert() {
            Some(
                self.get_security_level_internal(key_entry.sec_level())
                    .context("In get_key_entry.")?
                    .ok_or_else(|| {
                        anyhow!(error::Error::sys()).context(format!(
                            concat!(
                                "Found key with security level {:?} ",
                                "but no KeyMint instance of that security level."
                            ),
                            key_entry.sec_level()
                        ))
                    })?,
            )
        } else {
            None
        };

        Ok(KeyEntryResponse {
            iSecurityLevel: i_sec_level,
            metadata: KeyMetadata {
                key: KeyDescriptor {
                    domain: Domain::KEY_ID,
                    nspace: key_id_guard.id(),
                    ..Default::default()
                },
                keySecurityLevel: key_entry.sec_level(),
                certificate: key_entry.take_cert(),
                certificateChain: key_entry.take_cert_chain(),
                modificationTimeMs: key_entry
                    .metadata()
                    .creation_date()
                    .map(|d| d.to_millis_epoch())
                    .ok_or(Error::Rc(ResponseCode::VALUE_CORRUPTED))
                    .context("In get_key_entry: Trying to get creation date.")?,
                authorizations: key_parameters_to_authorizations(key_entry.into_key_parameters()),
            },
        })
    }

    fn update_subcomponent(
        &self,
        key: &KeyDescriptor,
        public_cert: Option<&[u8]>,
        certificate_chain: Option<&[u8]>,
    ) -> Result<()> {
        DB.with::<_, Result<()>>(|db| {
            let mut db = db.borrow_mut();
            let entry = match db.load_key_entry(
                key.clone(),
                KeyType::Client,
                KeyEntryLoadBits::NONE,
                ThreadState::get_calling_uid(),
                |k, av| {
                    check_key_permission(KeyPerm::update(), k, &av)
                        .context("In update_subcomponent.")
                },
            ) {
                Err(e) => match e.root_cause().downcast_ref::<Error>() {
                    Some(Error::Rc(ResponseCode::KEY_NOT_FOUND)) => Ok(None),
                    _ => Err(e),
                },
                Ok(v) => Ok(Some(v)),
            }
            .context("Failed to load key entry.")?;

            if let Some((key_id_guard, key_entry)) = entry {
                db.set_blob(&key_id_guard, SubComponentType::CERT, public_cert)
                    .context("Failed to update cert subcomponent.")?;

                db.set_blob(&key_id_guard, SubComponentType::CERT_CHAIN, certificate_chain)
                    .context("Failed to update cert chain subcomponent.")?;
                return Ok(());
            }

            // If we reach this point we have to check the special condition where a certificate
            // entry may be made.
            if !(public_cert.is_none() && certificate_chain.is_some()) {
                return Err(Error::Rc(ResponseCode::KEY_NOT_FOUND)).context("No key to update.");
            }

            // So we know that we have a certificate chain and no public cert.
            // Now check that we have everything we need to make a new certificate entry.
            let key = match (key.domain, &key.alias) {
                (Domain::APP, Some(ref alias)) => KeyDescriptor {
                    domain: Domain::APP,
                    nspace: ThreadState::get_calling_uid() as i64,
                    alias: Some(alias.clone()),
                    blob: None,
                },
                (Domain::SELINUX, Some(_)) => key.clone(),
                _ => {
                    return Err(Error::Rc(ResponseCode::INVALID_ARGUMENT))
                        .context("Domain must be APP or SELINUX to insert a certificate.")
                }
            };

            // Security critical: This must return on failure. Do not remove the `?`;
            check_key_permission(KeyPerm::rebind(), &key, &None)
                .context("Caller does not have permission to insert this certificate.")?;

            db.store_new_certificate(key, certificate_chain.unwrap())
                .context("Failed to insert new certificate.")?;
            Ok(())
        })
        .context("In update_subcomponent.")
    }

    fn list_entries(&self, domain: Domain, namespace: i64) -> Result<Vec<KeyDescriptor>> {
        let mut k = match domain {
            Domain::APP => KeyDescriptor {
                domain,
                nspace: ThreadState::get_calling_uid() as u64 as i64,
                ..Default::default()
            },
            Domain::SELINUX => KeyDescriptor{domain, nspace: namespace, ..Default::default()},
            _ => return Err(Error::perm()).context(
                "In list_entries: List entries is only supported for Domain::APP and Domain::SELINUX."
            ),
        };

        // First we check if the caller has the info permission for the selected domain/namespace.
        // By default we use the calling uid as namespace if domain is Domain::APP.
        // If the first check fails we check if the caller has the list permission allowing to list
        // any namespace. In that case we also adjust the queried namespace if a specific uid was
        // selected.
        match check_key_permission(KeyPerm::get_info(), &k, &None) {
            Err(e) => {
                if let Some(selinux::Error::PermissionDenied) =
                    e.root_cause().downcast_ref::<selinux::Error>()
                {
                    check_keystore_permission(KeystorePerm::list())
                        .context("In list_entries: While checking keystore permission.")?;
                    if namespace != -1 {
                        k.nspace = namespace;
                    }
                } else {
                    return Err(e).context("In list_entries: While checking key permission.")?;
                }
            }
            Ok(()) => {}
        };

        DB.with(|db| {
            let mut db = db.borrow_mut();
            db.list(k.domain, k.nspace)
        })
    }

    fn delete_key(&self, key: &KeyDescriptor) -> Result<()> {
        let caller_uid = ThreadState::get_calling_uid();
        let need_gc = DB
            .with(|db| {
                db.borrow_mut().unbind_key(key.clone(), KeyType::Client, caller_uid, |k, av| {
                    check_key_permission(KeyPerm::delete(), k, &av).context("During delete_key.")
                })
            })
            .context("In delete_key: Trying to unbind the key.")?;
        if need_gc {
            Gc::notify_gc();
        }
        Ok(())
    }

    fn grant(
        &self,
        key: &KeyDescriptor,
        grantee_uid: i32,
        access_vector: permission::KeyPermSet,
    ) -> Result<KeyDescriptor> {
        DB.with(|db| {
            db.borrow_mut().grant(
                key.clone(),
                ThreadState::get_calling_uid(),
                grantee_uid as u32,
                access_vector,
                |k, av| check_grant_permission(*av, k).context("During grant."),
            )
        })
        .context("In KeystoreService::grant.")
    }

    fn ungrant(&self, key: &KeyDescriptor, grantee_uid: i32) -> Result<()> {
        DB.with(|db| {
            db.borrow_mut().ungrant(
                key.clone(),
                ThreadState::get_calling_uid(),
                grantee_uid as u32,
                |k| check_key_permission(KeyPerm::grant(), k, &None),
            )
        })
        .context("In KeystoreService::ungrant.")
    }
}

impl binder::Interface for KeystoreService {}

// Implementation of IKeystoreService. See AIDL spec at
// system/security/keystore2/binder/android/security/keystore2/IKeystoreService.aidl
impl IKeystoreService for KeystoreService {
    fn getSecurityLevel(
        &self,
        security_level: SecurityLevel,
    ) -> binder::public_api::Result<Box<dyn IKeystoreSecurityLevel>> {
        map_or_log_err(self.get_security_level(SecurityLevel(security_level.0)), Ok)
    }
    fn getKeyEntry(&self, key: &KeyDescriptor) -> binder::public_api::Result<KeyEntryResponse> {
        map_or_log_err(self.get_key_entry(key), Ok)
    }
    fn updateSubcomponent(
        &self,
        key: &KeyDescriptor,
        public_cert: Option<&[u8]>,
        certificate_chain: Option<&[u8]>,
    ) -> binder::public_api::Result<()> {
        map_or_log_err(self.update_subcomponent(key, public_cert, certificate_chain), Ok)
    }
    fn listEntries(
        &self,
        domain: Domain,
        namespace: i64,
    ) -> binder::public_api::Result<Vec<KeyDescriptor>> {
        map_or_log_err(self.list_entries(domain, namespace), Ok)
    }
    fn deleteKey(&self, key: &KeyDescriptor) -> binder::public_api::Result<()> {
        map_or_log_err(self.delete_key(key), Ok)
    }
    fn grant(
        &self,
        key: &KeyDescriptor,
        grantee_uid: i32,
        access_vector: i32,
    ) -> binder::public_api::Result<KeyDescriptor> {
        map_or_log_err(self.grant(key, grantee_uid, access_vector.into()), Ok)
    }
    fn ungrant(&self, key: &KeyDescriptor, grantee_uid: i32) -> binder::public_api::Result<()> {
        map_or_log_err(self.ungrant(key, grantee_uid), Ok)
    }
}