/*
 * Copyright (c) 2019, The Android Open Source Project
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

#ifndef SYSTEM_SECURITY_CREDENTIAL_DATA_H_
#define SYSTEM_SECURITY_CREDENTIAL_DATA_H_

#include <sys/types.h>
#include <unistd.h>

#include <cstdint>
#include <map>
#include <optional>
#include <string>
#include <tuple>
#include <utility>
#include <vector>

#include <android/hardware/identity/IIdentityCredential.h>
#include <android/hardware/identity/SecureAccessControlProfile.h>

namespace android {
namespace security {
namespace identity {

using ::android::hardware::identity::Certificate;
using ::android::hardware::identity::IIdentityCredential;
using ::android::hardware::identity::SecureAccessControlProfile;
using ::std::map;
using ::std::optional;
using ::std::pair;
using ::std::string;
using ::std::tuple;
using ::std::vector;

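// Record kept for one entry of a credential.
//
// Judging by the member name, only ciphertext is held here (|encryptedChunks|);
// nothing in this header decrypts it.
struct EntryData {
    // Defaulted instead of an empty user-provided body: every member already
    // starts in a defined state (|size| through its initializer, the vectors
    // empty), so no hand-written constructor is needed.
    EntryData() = default;

    // NOTE(review): presumably the size in bytes of the entry's value — confirm
    // against the code that fills this in.
    uint64_t size = 0;

    // Ids of the access control profiles attached to this entry.
    // NOTE(review): presumably these match ids of the SecureAccessControlProfile
    // objects stored alongside the entries — confirm.
    vector<int32_t> accessControlProfileIds;

    // The entry's value as a sequence of encrypted chunks, one byte vector per chunk.
    vector<vector<uint8_t>> encryptedChunks;
};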
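// State kept for one authentication key slot of a credential.
//
// NOTE(review): this header does not show whether |keyBlob| / |pendingKeyBlob|
// are wrapped by the HAL or are raw key material; confirm before copying,
// logging or serializing them anywhere other than the credential file.
struct AuthKeyData {
    // Defaulted instead of an empty user-provided body: the vectors start
    // empty and |useCount| has its own initializer.
    AuthKeyData() = default;

    // Certificate and key blob of the key currently in this slot.
    vector<uint8_t> certificate;
    vector<uint8_t> keyBlob;

    // Static authentication data stored for the current key.
    vector<uint8_t> staticAuthenticationData;

    // NOTE(review): presumably a replacement key that has been generated but
    // not yet certified — confirm in the implementation.
    vector<uint8_t> pendingCertificate;
    vector<uint8_t> pendingKeyBlob;

    // Number of times the current key has been used; starts at zero.
    int useCount = 0;
};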
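// In-memory form of one stored credential, identified by the triple
// (|dataPath|, |ownerUid|, |name|), with load/save/delete of its backing file.
//
// NOTE(review): RefBase and sp<> are used below, but no include visible in this
// header declares them; presumably they arrive transitively — confirm.
class CredentialData : public RefBase {
  public:
    CredentialData(const string& dataPath, uid_t ownerUid, const string& name);

    // Derives the backing file name from the same triple the constructor takes.
    // NOTE(review): |name| looks caller-chosen; confirm the implementation
    // encodes it so the result can never resolve outside |dataPath|.
    static string calculateCredentialFileName(const string& dataPath, uid_t ownerUid,
                                              const string& name);

    // Three-state result: an empty optional is distinct from |false| and must
    // not be folded into "does not exist" by callers.
    // NOTE(review): presumably the empty optional reports a failure while
    // checking — confirm.
    static optional<bool> credentialExists(const string& dataPath, uid_t ownerUid,
                                           const string& name);

    void setSecureUserId(int64_t secureUserId);

    void setCredentialData(const vector<uint8_t>& credentialData);

    void setAttestationCertificate(const vector<uint8_t>& attestationCertificate);

    void
    addSecureAccessControlProfile(const SecureAccessControlProfile& secureAccessControlProfile);

    void addEntryData(const string& namespaceName, const string& entryName, const EntryData& data);

    // NOTE(review): the three functions below presumably return |true| on
    // success; callers should check the result rather than assume the on-disk
    // state changed — confirm the exact failure semantics.
    bool saveToDisk() const;

    bool loadFromDisk();

    bool deleteCredential();

    void setAvailableAuthenticationKeys(int keyCount, int maxUsesPerKey);

    // Getters

    // NOTE(review): not const-qualified, unlike the other getters; left as
    // declared because the out-of-line definition must match.
    int64_t getSecureUserId();

    const vector<uint8_t>& getCredentialData() const;

    const vector<uint8_t>& getAttestationCertificate() const;

    const vector<SecureAccessControlProfile>& getSecureAccessControlProfiles() const;

    bool hasEntryData(const string& namespaceName, const string& entryName) const;

    optional<EntryData> getEntryData(const string& namespaceName, const string& entryName) const;

    const vector<AuthKeyData>& getAuthKeyDatas() const;

    // Returns |nullptr| if a suitable key cannot be found. Otherwise returns
    // the authentication key and increases its use-count.
    //
    // NOTE(review): the returned pointer presumably refers to an element of
    // |authKeyDatas_|; if so it stops being valid once that vector is resized.
    // The header also does not show the increased use-count being persisted,
    // so the per-key use limit only holds across restarts if the caller
    // follows up with saveToDisk() — confirm both in the implementation.
    const AuthKeyData* selectAuthKey(bool allowUsingExhaustedKeys);

    // NOTE(review): presumably an empty optional reports failure — confirm.
    optional<vector<vector<uint8_t>>>
    getAuthKeysNeedingCertification(const sp<IIdentityCredential>& halBinder);

    bool storeStaticAuthenticationData(const vector<uint8_t>& authenticationKey,
                                       const vector<uint8_t>& staticAuthData);

  private:
    // Set by constructor.
    //
    string dataPath_;
    uid_t ownerUid_;
    string name_;

    // Calculated at construction time, from |dataPath_|, |ownerUid_|, |name_|.
    string fileName_;

    // Data serialized in CBOR from here:
    //
    // Given an in-class initializer, like |keyCount_| and |maxUsesPerKey_|, so
    // the value is never indeterminate if it is read or serialized before
    // setSecureUserId() or loadFromDisk() assigns it. A constructor
    // mem-initializer, if one exists, still takes precedence.
    int64_t secureUserId_ = 0;
    vector<uint8_t> credentialData_;
    vector<uint8_t> attestationCertificate_;
    vector<SecureAccessControlProfile> secureAccessControlProfiles_;
    // NOTE(review): the key is presumably built from namespace and entry name
    // (see addEntryData/getEntryData) — confirm the exact format.
    map<string, EntryData> idToEncryptedChunks_;

    int keyCount_ = 0;
    int maxUsesPerKey_ = 1;
    vector<AuthKeyData> authKeyDatas_;  // Always |keyCount_| long.
};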

}  // namespace identity
}  // namespace security
}  // namespace android

#endif  // SYSTEM_SECURITY_CREDENTIAL_DATA_H_