| Shawn Willden | 6507c27 | 2016-01-05 22:51:48 -0700 | [diff] [blame] | 1 | /* |
| 2 | * Copyright (C) 2016 The Android Open Source Project |
| 3 | * |
| 4 | * Licensed under the Apache License, Version 2.0 (the "License"); |
| 5 | * you may not use this file except in compliance with the License. |
| 6 | * You may obtain a copy of the License at |
| 7 | * |
| 8 | * http://www.apache.org/licenses/LICENSE-2.0 |
| 9 | * |
| 10 | * Unless required by applicable law or agreed to in writing, software |
| 11 | * distributed under the License is distributed on an "AS IS" BASIS, |
| 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| 13 | * See the License for the specific language governing permissions and |
| 14 | * limitations under the License. |
| 15 | */ |
| 16 | |
| 17 | #ifndef KEYSTORE_KEYSTORE_SERVICE_H_ |
| 18 | #define KEYSTORE_KEYSTORE_SERVICE_H_ |
| 19 | |
| 20 | #include <keystore/IKeystoreService.h> |
| 21 | |
| 22 | #include "auth_token_table.h" |
| 23 | #include "keystore.h" |
| 24 | #include "keystore_keymaster_enforcement.h" |
| 25 | #include "operation.h" |
| 26 | #include "permissions.h" |
| 27 | |
| 28 | namespace android { |
| 29 | |
| 30 | class KeyStoreService : public BnKeystoreService, public IBinder::DeathRecipient { |
| 31 | public: |
| 32 | KeyStoreService(KeyStore* keyStore) : mKeyStore(keyStore), mOperationMap(this) {} |
| 33 | |
| 34 | void binderDied(const wp<IBinder>& who); |
| 35 | |
| 36 | int32_t getState(int32_t userId); |
| 37 | |
| 38 | int32_t get(const String16& name, uint8_t** item, size_t* itemLength); |
| 39 | int32_t insert(const String16& name, const uint8_t* item, size_t itemLength, int targetUid, |
| 40 | int32_t flags); |
| 41 | int32_t del(const String16& name, int targetUid); |
| 42 | int32_t exist(const String16& name, int targetUid); |
| 43 | int32_t list(const String16& prefix, int targetUid, Vector<String16>* matches); |
| 44 | |
| 45 | int32_t reset(); |
| 46 | |
| 47 | int32_t onUserPasswordChanged(int32_t userId, const String16& password); |
| 48 | int32_t onUserAdded(int32_t userId, int32_t parentId); |
| 49 | int32_t onUserRemoved(int32_t userId); |
| 50 | |
| 51 | int32_t lock(int32_t userId); |
| 52 | int32_t unlock(int32_t userId, const String16& pw); |
| 53 | |
| 54 | bool isEmpty(int32_t userId); |
| 55 | |
| 56 | int32_t generate(const String16& name, int32_t targetUid, int32_t keyType, int32_t keySize, |
| 57 | int32_t flags, Vector<sp<KeystoreArg>>* args); |
| 58 | int32_t import(const String16& name, const uint8_t* data, size_t length, int targetUid, |
| 59 | int32_t flags); |
| 60 | int32_t sign(const String16& name, const uint8_t* data, size_t length, uint8_t** out, |
| 61 | size_t* outLength); |
| 62 | int32_t verify(const String16& name, const uint8_t* data, size_t dataLength, |
| 63 | const uint8_t* signature, size_t signatureLength); |
| 64 | |
| 65 | /* |
| 66 | * TODO: The abstraction between things stored in hardware and regular blobs |
| 67 | * of data stored on the filesystem should be moved down to keystore itself. |
| 68 | * Unfortunately the Java code that calls this has naming conventions that it |
| 69 | * knows about. Ideally keystore shouldn't be used to store random blobs of |
| 70 | * data. |
| 71 | * |
| 72 | * Until that happens, it's necessary to have a separate "get_pubkey" and |
| 73 | * "del_key" since the Java code doesn't really communicate what it's |
| 74 | * intentions are. |
| 75 | */ |
| 76 | int32_t get_pubkey(const String16& name, uint8_t** pubkey, size_t* pubkeyLength); |
| 77 | |
| 78 | int32_t grant(const String16& name, int32_t granteeUid); |
| 79 | int32_t ungrant(const String16& name, int32_t granteeUid); |
| 80 | |
| 81 | int64_t getmtime(const String16& name); |
| 82 | |
| 83 | int32_t duplicate(const String16& srcKey, int32_t srcUid, const String16& destKey, |
| 84 | int32_t destUid); |
| 85 | |
| 86 | int32_t is_hardware_backed(const String16& keyType); |
| 87 | |
| 88 | int32_t clear_uid(int64_t targetUid64); |
| 89 | |
| 90 | int32_t addRngEntropy(const uint8_t* data, size_t dataLength); |
| 91 | int32_t generateKey(const String16& name, const KeymasterArguments& params, |
| 92 | const uint8_t* entropy, size_t entropyLength, int uid, int flags, |
| 93 | KeyCharacteristics* outCharacteristics); |
| 94 | int32_t getKeyCharacteristics(const String16& name, const keymaster_blob_t* clientId, |
| 95 | const keymaster_blob_t* appData, |
| 96 | KeyCharacteristics* outCharacteristics); |
| 97 | int32_t importKey(const String16& name, const KeymasterArguments& params, |
| 98 | keymaster_key_format_t format, const uint8_t* keyData, size_t keyLength, |
| 99 | int uid, int flags, KeyCharacteristics* outCharacteristics); |
| 100 | void exportKey(const String16& name, keymaster_key_format_t format, |
| 101 | const keymaster_blob_t* clientId, const keymaster_blob_t* appData, |
| 102 | ExportResult* result); |
| 103 | void begin(const sp<IBinder>& appToken, const String16& name, keymaster_purpose_t purpose, |
| 104 | bool pruneable, const KeymasterArguments& params, const uint8_t* entropy, |
| 105 | size_t entropyLength, OperationResult* result); |
| 106 | void update(const sp<IBinder>& token, const KeymasterArguments& params, const uint8_t* data, |
| 107 | size_t dataLength, OperationResult* result); |
| 108 | void finish(const sp<IBinder>& token, const KeymasterArguments& params, |
| 109 | const uint8_t* signature, size_t signatureLength, const uint8_t* entropy, |
| 110 | size_t entropyLength, OperationResult* result); |
| 111 | int32_t abort(const sp<IBinder>& token); |
| 112 | |
| 113 | bool isOperationAuthorized(const sp<IBinder>& token); |
| 114 | |
| 115 | int32_t addAuthToken(const uint8_t* token, size_t length); |
| 116 | |
| Shawn Willden | 50eb1b2 | 2016-01-21 12:41:23 -0700 | [diff] [blame^] | 117 | int32_t attestKey(const String16& name, const KeymasterArguments& params, |
| 118 | KeymasterCertificateChain* outChain) override; |
| 119 | |
| Shawn Willden | 6507c27 | 2016-01-05 22:51:48 -0700 | [diff] [blame] | 120 | private: |
| 121 | static const int32_t UID_SELF = -1; |
| 122 | |
| 123 | /** |
| 124 | * Prune the oldest pruneable operation. |
| 125 | */ |
| 126 | bool pruneOperation(); |
| 127 | |
| 128 | /** |
| 129 | * Get the effective target uid for a binder operation that takes an |
| 130 | * optional uid as the target. |
| 131 | */ |
| 132 | uid_t getEffectiveUid(int32_t targetUid); |
| 133 | |
| 134 | /** |
| 135 | * Check if the caller of the current binder method has the required |
| 136 | * permission and if acting on other uids the grants to do so. |
| 137 | */ |
| 138 | bool checkBinderPermission(perm_t permission, int32_t targetUid = UID_SELF); |
| 139 | |
| 140 | /** |
| 141 | * Check if the caller of the current binder method has the required |
| 142 | * permission and the target uid is the caller or the caller is system. |
| 143 | */ |
| 144 | bool checkBinderPermissionSelfOrSystem(perm_t permission, int32_t targetUid); |
| 145 | |
| 146 | /** |
| 147 | * Check if the caller of the current binder method has the required |
| 148 | * permission or the target of the operation is the caller's uid. This is |
| 149 | * for operation where the permission is only for cross-uid activity and all |
| 150 | * uids are allowed to act on their own (ie: clearing all entries for a |
| 151 | * given uid). |
| 152 | */ |
| 153 | bool checkBinderPermissionOrSelfTarget(perm_t permission, int32_t targetUid); |
| 154 | |
| 155 | /** |
| 156 | * Helper method to check that the caller has the required permission as |
| 157 | * well as the keystore is in the unlocked state if checkUnlocked is true. |
| 158 | * |
| 159 | * Returns NO_ERROR on success, PERMISSION_DENIED on a permission error and |
| 160 | * otherwise the state of keystore when not unlocked and checkUnlocked is |
| 161 | * true. |
| 162 | */ |
| 163 | int32_t checkBinderPermissionAndKeystoreState(perm_t permission, int32_t targetUid = -1, |
| 164 | bool checkUnlocked = true); |
| 165 | |
| 166 | bool isKeystoreUnlocked(State state); |
| 167 | |
| Shawn Willden | 715d023 | 2016-01-21 00:45:13 -0700 | [diff] [blame] | 168 | bool isKeyTypeSupported(const keymaster2_device_t* device, keymaster_keypair_t keyType); |
| Shawn Willden | 6507c27 | 2016-01-05 22:51:48 -0700 | [diff] [blame] | 169 | |
| 170 | /** |
| 171 | * Check that all keymaster_key_param_t's provided by the application are |
| 172 | * allowed. Any parameter that keystore adds itself should be disallowed here. |
| 173 | */ |
| 174 | bool checkAllowedOperationParams(const std::vector<keymaster_key_param_t>& params); |
| 175 | |
| 176 | keymaster_error_t getOperationCharacteristics(const keymaster_key_blob_t& key, |
| Shawn Willden | 715d023 | 2016-01-21 00:45:13 -0700 | [diff] [blame] | 177 | const keymaster2_device_t* dev, |
| Shawn Willden | 6507c27 | 2016-01-05 22:51:48 -0700 | [diff] [blame] | 178 | const std::vector<keymaster_key_param_t>& params, |
| 179 | keymaster_key_characteristics_t* out); |
| 180 | |
| 181 | /** |
| 182 | * Get the auth token for this operation from the auth token table. |
| 183 | * |
| 184 | * Returns ::NO_ERROR if the auth token was set or none was required. |
| 185 | * ::OP_AUTH_NEEDED if it is a per op authorization, no |
| 186 | * authorization token exists for that operation and |
| 187 | * failOnTokenMissing is false. |
| 188 | * KM_ERROR_KEY_USER_NOT_AUTHENTICATED if there is no valid auth |
| 189 | * token for the operation |
| 190 | */ |
| 191 | int32_t getAuthToken(const keymaster_key_characteristics_t* characteristics, |
| 192 | keymaster_operation_handle_t handle, keymaster_purpose_t purpose, |
| 193 | const hw_auth_token_t** authToken, bool failOnTokenMissing = true); |
| 194 | |
| 195 | void addAuthToParams(std::vector<keymaster_key_param_t>* params, const hw_auth_token_t* token); |
| 196 | |
| 197 | /** |
| 198 | * Add the auth token for the operation to the param list if the operation |
| 199 | * requires authorization. Uses the cached result in the OperationMap if available |
| 200 | * otherwise gets the token from the AuthTokenTable and caches the result. |
| 201 | * |
| 202 | * Returns ::NO_ERROR if the auth token was added or not needed. |
| 203 | * KM_ERROR_KEY_USER_NOT_AUTHENTICATED if the operation is not |
| 204 | * authenticated. |
| 205 | * KM_ERROR_INVALID_OPERATION_HANDLE if token is not a valid |
| 206 | * operation token. |
| 207 | */ |
| 208 | int32_t addOperationAuthTokenIfNeeded(sp<IBinder> token, |
| 209 | std::vector<keymaster_key_param_t>* params); |
| 210 | |
| 211 | /** |
| 212 | * Translate a result value to a legacy return value. All keystore errors are |
| 213 | * preserved and keymaster errors become SYSTEM_ERRORs |
| 214 | */ |
| 215 | int32_t translateResultToLegacyResult(int32_t result); |
| 216 | |
| 217 | keymaster_key_param_t* getKeyAlgorithm(keymaster_key_characteristics_t* characteristics); |
| 218 | |
| 219 | void addLegacyBeginParams(const String16& name, std::vector<keymaster_key_param_t>& params); |
| 220 | |
| 221 | int32_t doLegacySignVerify(const String16& name, const uint8_t* data, size_t length, |
| 222 | uint8_t** out, size_t* outLength, const uint8_t* signature, |
| 223 | size_t signatureLength, keymaster_purpose_t purpose); |
| 224 | |
| 225 | ::KeyStore* mKeyStore; |
| 226 | OperationMap mOperationMap; |
| 227 | keymaster::AuthTokenTable mAuthTokenTable; |
| 228 | KeystoreKeymasterEnforcement enforcement_policy; |
| 229 | }; |
| 230 | |
| 231 | }; // namespace android |
| 232 | |
| 233 | #endif // KEYSTORE_KEYSTORE_SERVICE_H_ |