Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_security / 5ba09513562b48c85a6d25aa90799d6f095b53b6 / . / keystore2 / src / security_level.rs
blob: eb21aea25b6a183d07a87ccbc10ffdec45f896a1 [file] [log] [blame]
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]1// Copyright 2020, The Android Open Source Project
2//
3// Licensed under the Apache License, Version 2.0 (the "License");
4// you may not use this file except in compliance with the License.
5// You may obtain a copy of the License at
6//
7// http://www.apache.org/licenses/LICENSE-2.0
8//
9// Unless required by applicable law or agreed to in writing, software
10// distributed under the License is distributed on an "AS IS" BASIS,
11// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12// See the License for the specific language governing permissions and
13// limitations under the License.
14
15#![allow(unused_variables)]
16
17//! This crate implements the IKeystoreSecurityLevel interface.
18
Janis Danisevskis4507f3b2021-01-13 16:34:39 -0800[diff] [blame]19use crate::gc::Gc;
Shawn Willden708744a2020-12-11 13:05:27 +0000[diff] [blame]20use android_hardware_security_keymint::aidl::android::hardware::security::keymint::{
Janis Danisevskis5ed8c532021-01-11 14:19:42 -0800[diff] [blame]21 Algorithm::Algorithm, HardwareAuthenticatorType::HardwareAuthenticatorType,
22 IKeyMintDevice::IKeyMintDevice, KeyCreationResult::KeyCreationResult, KeyFormat::KeyFormat,
23 KeyParameter::KeyParameter, KeyParameterValue::KeyParameterValue, SecurityLevel::SecurityLevel,
24 Tag::Tag,
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]25};
26use android_system_keystore2::aidl::android::system::keystore2::{
Janis Danisevskisa53c9cf2020-10-26 11:52:33 -0700[diff] [blame]27 AuthenticatorSpec::AuthenticatorSpec, CreateOperationResponse::CreateOperationResponse,
28 Domain::Domain, IKeystoreOperation::IKeystoreOperation,
29 IKeystoreSecurityLevel::BnKeystoreSecurityLevel,
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]30 IKeystoreSecurityLevel::IKeystoreSecurityLevel, KeyDescriptor::KeyDescriptor,
Janis Danisevskis5ed8c532021-01-11 14:19:42 -0800[diff] [blame]31 KeyMetadata::KeyMetadata, KeyParameters::KeyParameters,
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]32};
33
Hasini Gunasinghe888dd352020-11-17 23:08:39 +0000[diff] [blame]34use crate::globals::ENFORCEMENTS;
35use crate::key_parameter::KeyParameter as KsKeyParam;
Hasini Gunasinghea020b532021-01-07 21:42:35 +0000[diff] [blame]36use crate::key_parameter::KeyParameterValue as KsKeyParamValue;
Qi Wub9433b52020-12-01 14:52:46 +0800[diff] [blame]37use crate::utils::{check_key_permission, uid_to_android_user, Asp};
Janis Danisevskisaec14592020-11-12 09:41:49 -0800[diff] [blame]38use crate::{database::KeyIdGuard, globals::DB};
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]39use crate::{
Janis Danisevskisb42fc182020-12-15 08:41:27 -0800[diff] [blame]40 database::{DateTime, KeyMetaData, KeyMetaEntry, KeyType},
41 permission::KeyPerm,
42};
43use crate::{
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]44 database::{KeyEntry, KeyEntryLoadBits, SubComponentType},
45 operation::KeystoreOperation,
46 operation::OperationDb,
47};
Janis Danisevskis04b02832020-10-26 09:21:40 -0700[diff] [blame]48use crate::{
49 error::{self, map_km_error, map_or_log_err, Error, ErrorCode},
50 utils::key_characteristics_to_internal,
51};
Janis Danisevskisba998992020-12-29 16:08:40 -0800[diff] [blame]52use anyhow::{Context, Result};
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]53use binder::{IBinder, Interface, ThreadState};
54
55/// Implementation of the IKeystoreSecurityLevel Interface.
56pub struct KeystoreSecurityLevel {
57 security_level: SecurityLevel,
58 keymint: Asp,
59 operation_db: OperationDb,
60}
61
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]62// Blob of 32 zeroes used as empty masking key.
63static ZERO_BLOB_32: &[u8] = &[0; 32];
64
65impl KeystoreSecurityLevel {
66 /// Creates a new security level instance wrapped in a
67 /// BnKeystoreSecurityLevel proxy object. It also
68 /// calls `IBinder::set_requesting_sid` on the new interface, because
69 /// we need it for checking keystore permissions.
70 pub fn new_native_binder(
71 security_level: SecurityLevel,
72 ) -> Result<impl IKeystoreSecurityLevel + Send> {
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]73 let result = BnKeystoreSecurityLevel::new_binder(Self {
74 security_level,
Janis Danisevskisba998992020-12-29 16:08:40 -0800[diff] [blame]75 keymint: crate::globals::get_keymint_device(security_level)
76 .context("In KeystoreSecurityLevel::new_native_binder.")?,
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]77 operation_db: OperationDb::new(),
78 });
79 result.as_binder().set_requesting_sid(true);
80 Ok(result)
81 }
82
83 fn store_new_key(
84 &self,
85 key: KeyDescriptor,
Shawn Willdendbdac602021-01-12 22:35:16 -0700[diff] [blame]86 creation_result: KeyCreationResult,
Hasini Gunasinghea020b532021-01-07 21:42:35 +0000[diff] [blame]87 user_id: u32,
Janis Danisevskis2c7f9622020-09-30 16:30:31 -0700[diff] [blame]88 ) -> Result<KeyMetadata> {
Shawn Willdendbdac602021-01-12 22:35:16 -0700[diff] [blame]89 let KeyCreationResult {
90 keyBlob: key_blob,
91 keyCharacteristics: key_characteristics,
92 certificateChain: mut certificate_chain,
93 } = creation_result;
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]94
Shawn Willdendbdac602021-01-12 22:35:16 -0700[diff] [blame]95 let (cert, cert_chain): (Option<Vec<u8>>, Option<Vec<u8>>) = (
96 match certificate_chain.len() {
97 0 => None,
98 _ => Some(certificate_chain.remove(0).encodedCertificate),
99 },
100 match certificate_chain.len() {
101 0 => None,
102 _ => Some(
103 certificate_chain
104 .iter()
105 .map(|c| c.encodedCertificate.iter())
106 .flatten()
107 .copied()
108 .collect(),
109 ),
110 },
111 );
112
Hasini Gunasinghea020b532021-01-07 21:42:35 +0000[diff] [blame]113 let mut key_parameters = key_characteristics_to_internal(key_characteristics);
114
115 key_parameters.push(KsKeyParam::new(
116 KsKeyParamValue::UserID(user_id as i32),
117 SecurityLevel::SOFTWARE,
118 ));
Janis Danisevskis04b02832020-10-26 09:21:40 -0700[diff] [blame]119
Janis Danisevskisb42fc182020-12-15 08:41:27 -0800[diff] [blame]120 let creation_date = DateTime::now().context("Trying to make creation time.")?;
121
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]122 let key = match key.domain {
123 Domain::BLOB => {
Shawn Willdendbdac602021-01-12 22:35:16 -0700[diff] [blame]124 KeyDescriptor { domain: Domain::BLOB, blob: Some(key_blob), ..Default::default() }
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]125 }
126 _ => DB
Janis Danisevskis93927dd2020-12-23 12:23:08 -0800[diff] [blame]127 .with::<_, Result<KeyDescriptor>>(|db| {
Janis Danisevskisb42fc182020-12-15 08:41:27 -0800[diff] [blame]128 let mut metadata = KeyMetaData::new();
129 metadata.add(KeyMetaEntry::CreationDate(creation_date));
Janis Danisevskis93927dd2020-12-23 12:23:08 -0800[diff] [blame]130
131 let mut db = db.borrow_mut();
Janis Danisevskis4507f3b2021-01-13 16:34:39 -0800[diff] [blame]132 let (need_gc, key_id) = db
Janis Danisevskis93927dd2020-12-23 12:23:08 -0800[diff] [blame]133 .store_new_key(
134 key,
135 &key_parameters,
Shawn Willdendbdac602021-01-12 22:35:16 -0700[diff] [blame]136 &key_blob,
Janis Danisevskis93927dd2020-12-23 12:23:08 -0800[diff] [blame]137 cert.as_deref(),
138 cert_chain.as_deref(),
139 &metadata,
140 )
141 .context("In store_new_key.")?;
Janis Danisevskis4507f3b2021-01-13 16:34:39 -0800[diff] [blame]142 if need_gc {
143 Gc::notify_gc();
144 }
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]145 Ok(KeyDescriptor {
146 domain: Domain::KEY_ID,
Janis Danisevskisaec14592020-11-12 09:41:49 -0800[diff] [blame]147 nspace: key_id.id(),
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]148 ..Default::default()
149 })
150 })
151 .context("In store_new_key.")?,
152 };
153
Janis Danisevskis2c7f9622020-09-30 16:30:31 -0700[diff] [blame]154 Ok(KeyMetadata {
155 key,
Janis Danisevskisa53c9cf2020-10-26 11:52:33 -0700[diff] [blame]156 keySecurityLevel: self.security_level,
Janis Danisevskis2c7f9622020-09-30 16:30:31 -0700[diff] [blame]157 certificate: cert,
158 certificateChain: cert_chain,
Janis Danisevskis04b02832020-10-26 09:21:40 -0700[diff] [blame]159 authorizations: crate::utils::key_parameters_to_authorizations(key_parameters),
Janis Danisevskisb42fc182020-12-15 08:41:27 -0800[diff] [blame]160 modificationTimeMs: creation_date.to_millis_epoch(),
Janis Danisevskis2c7f9622020-09-30 16:30:31 -0700[diff] [blame]161 })
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]162 }
163
Janis Danisevskis2c7f9622020-09-30 16:30:31 -0700[diff] [blame]164 fn create_operation(
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]165 &self,
166 key: &KeyDescriptor,
167 operation_parameters: &[KeyParameter],
168 forced: bool,
Janis Danisevskis2c7f9622020-09-30 16:30:31 -0700[diff] [blame]169 ) -> Result<CreateOperationResponse> {
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]170 let caller_uid = ThreadState::get_calling_uid();
171 // We use `scoping_blob` to extend the life cycle of the blob loaded from the database,
172 // so that we can use it by reference like the blob provided by the key descriptor.
173 // Otherwise, we would have to clone the blob from the key descriptor.
174 let scoping_blob: Vec<u8>;
Qi Wub9433b52020-12-01 14:52:46 +0800[diff] [blame]175 let (km_blob, key_properties, key_id_guard) = match key.domain {
Janis Danisevskis2c7f9622020-09-30 16:30:31 -0700[diff] [blame]176 Domain::BLOB => {
177 check_key_permission(KeyPerm::use_(), key, &None)
178 .context("In create_operation: checking use permission for Domain::BLOB.")?;
179 (
180 match &key.blob {
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]181 Some(blob) => blob,
Janis Danisevskis2c7f9622020-09-30 16:30:31 -0700[diff] [blame]182 None => {
183 return Err(Error::sys()).context(concat!(
184 "In create_operation: Key blob must be specified when",
185 " using Domain::BLOB."
186 ))
187 }
188 },
189 None,
Hasini Gunasinghe888dd352020-11-17 23:08:39 +0000[diff] [blame]190 None,
Janis Danisevskis2c7f9622020-09-30 16:30:31 -0700[diff] [blame]191 )
192 }
193 _ => {
Janis Danisevskisaec14592020-11-12 09:41:49 -0800[diff] [blame]194 let (key_id_guard, mut key_entry) = DB
195 .with::<_, Result<(KeyIdGuard, KeyEntry)>>(|db| {
Janis Danisevskis2c7f9622020-09-30 16:30:31 -0700[diff] [blame]196 db.borrow_mut().load_key_entry(
197 key.clone(),
Janis Danisevskisb42fc182020-12-15 08:41:27 -0800[diff] [blame]198 KeyType::Client,
Janis Danisevskis2c7f9622020-09-30 16:30:31 -0700[diff] [blame]199 KeyEntryLoadBits::KM,
200 caller_uid,
201 |k, av| check_key_permission(KeyPerm::use_(), k, &av),
202 )
203 })
204 .context("In create_operation: Failed to load key blob.")?;
205 scoping_blob = match key_entry.take_km_blob() {
206 Some(blob) => blob,
207 None => {
208 return Err(Error::sys()).context(concat!(
209 "In create_operation: Successfully loaded key entry,",
210 " but KM blob was missing."
211 ))
212 }
213 };
Qi Wub9433b52020-12-01 14:52:46 +0800[diff] [blame]214 (
215 &scoping_blob,
216 Some((key_id_guard.id(), key_entry.into_key_parameters())),
217 Some(key_id_guard),
218 )
Janis Danisevskis2c7f9622020-09-30 16:30:31 -0700[diff] [blame]219 }
220 };
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]221
Janis Danisevskisa53c9cf2020-10-26 11:52:33 -0700[diff] [blame]222 let purpose = operation_parameters.iter().find(|p| p.tag == Tag::PURPOSE).map_or(
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]223 Err(Error::Km(ErrorCode::INVALID_ARGUMENT))
Janis Danisevskis2c7f9622020-09-30 16:30:31 -0700[diff] [blame]224 .context("In create_operation: No operation purpose specified."),
Janis Danisevskis398e6be2020-12-17 09:29:25 -0800[diff] [blame]225 |kp| match kp.value {
226 KeyParameterValue::KeyPurpose(p) => Ok(p),
227 _ => Err(Error::Km(ErrorCode::INVALID_ARGUMENT))
228 .context("In create_operation: Malformed KeyParameter."),
229 },
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]230 )?;
231
Janis Danisevskis5ed8c532021-01-11 14:19:42 -0800[diff] [blame]232 let (immediate_hat, mut auth_info) = ENFORCEMENTS
233 .authorize_create(
234 purpose,
Qi Wub9433b52020-12-01 14:52:46 +0800[diff] [blame]235 key_properties.as_ref(),
236 operation_parameters.as_ref(),
Janis Danisevskis5ed8c532021-01-11 14:19:42 -0800[diff] [blame]237 // TODO b/178222844 Replace this with the configuration returned by
238 // KeyMintDevice::getHardwareInfo.
239 // For now we assume that strongbox implementations need secure timestamps.
240 self.security_level == SecurityLevel::STRONGBOX,
241 )
242 .context("In create_operation.")?;
Hasini Gunasinghe888dd352020-11-17 23:08:39 +0000[diff] [blame]243
Janis Danisevskis5ed8c532021-01-11 14:19:42 -0800[diff] [blame]244 let immediate_hat = immediate_hat.unwrap_or_default();
Hasini Gunasinghe888dd352020-11-17 23:08:39 +0000[diff] [blame]245
Janis Danisevskis2c7f9622020-09-30 16:30:31 -0700[diff] [blame]246 let km_dev: Box<dyn IKeyMintDevice> = self
247 .keymint
248 .get_interface()
249 .context("In create_operation: Failed to get KeyMint device")?;
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]250
Janis Danisevskisaec14592020-11-12 09:41:49 -0800[diff] [blame]251 let (begin_result, upgraded_blob) = self
252 .upgrade_keyblob_if_required_with(
253 &*km_dev,
254 key_id_guard,
Janis Danisevskisa53c9cf2020-10-26 11:52:33 -0700[diff] [blame]255 &km_blob,
256 &operation_parameters,
Janis Danisevskisaec14592020-11-12 09:41:49 -0800[diff] [blame]257 |blob| loop {
258 match map_km_error(km_dev.begin(
259 purpose,
260 blob,
261 &operation_parameters,
Janis Danisevskis5ed8c532021-01-11 14:19:42 -0800[diff] [blame]262 &immediate_hat,
Janis Danisevskisaec14592020-11-12 09:41:49 -0800[diff] [blame]263 )) {
264 Err(Error::Km(ErrorCode::TOO_MANY_OPERATIONS)) => {
265 self.operation_db.prune(caller_uid)?;
266 continue;
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]267 }
Janis Danisevskisaec14592020-11-12 09:41:49 -0800[diff] [blame]268 v => return v,
269 }
270 },
271 )
272 .context("In create_operation: Failed to begin operation.")?;
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]273
Janis Danisevskis5ed8c532021-01-11 14:19:42 -0800[diff] [blame]274 let operation_challenge = auth_info.finalize_create_authorization(begin_result.challenge);
Hasini Gunasinghe888dd352020-11-17 23:08:39 +0000[diff] [blame]275
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]276 let operation = match begin_result.operation {
Hasini Gunasinghe888dd352020-11-17 23:08:39 +0000[diff] [blame]277 Some(km_op) => {
Janis Danisevskis5ed8c532021-01-11 14:19:42 -0800[diff] [blame]278 self.operation_db.create_operation(km_op, caller_uid, auth_info)
Hasini Gunasinghe888dd352020-11-17 23:08:39 +0000[diff] [blame]279 },
Janis Danisevskis2c7f9622020-09-30 16:30:31 -0700[diff] [blame]280 None => return Err(Error::sys()).context("In create_operation: Begin operation returned successfully, but did not return a valid operation."),
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]281 };
282
283 let op_binder: Box<dyn IKeystoreOperation> =
284 KeystoreOperation::new_native_binder(operation)
285 .as_binder()
286 .into_interface()
Janis Danisevskis2c7f9622020-09-30 16:30:31 -0700[diff] [blame]287 .context("In create_operation: Failed to create IKeystoreOperation.")?;
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]288
Janis Danisevskis2c7f9622020-09-30 16:30:31 -0700[diff] [blame]289 Ok(CreateOperationResponse {
290 iOperation: Some(op_binder),
Hasini Gunasinghe888dd352020-11-17 23:08:39 +0000[diff] [blame]291 operationChallenge: operation_challenge,
Janis Danisevskis2c7f9622020-09-30 16:30:31 -0700[diff] [blame]292 parameters: match begin_result.params.len() {
293 0 => None,
Janis Danisevskisa53c9cf2020-10-26 11:52:33 -0700[diff] [blame]294 _ => Some(KeyParameters { keyParameter: begin_result.params }),
Janis Danisevskis2c7f9622020-09-30 16:30:31 -0700[diff] [blame]295 },
296 })
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]297 }
298
299 fn generate_key(
300 &self,
301 key: &KeyDescriptor,
Janis Danisevskis2c7f9622020-09-30 16:30:31 -0700[diff] [blame]302 attestation_key: Option<&KeyDescriptor>,
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]303 params: &[KeyParameter],
Janis Danisevskis2c7f9622020-09-30 16:30:31 -0700[diff] [blame]304 flags: i32,
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]305 entropy: &[u8],
Janis Danisevskis2c7f9622020-09-30 16:30:31 -0700[diff] [blame]306 ) -> Result<KeyMetadata> {
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]307 if key.domain != Domain::BLOB && key.alias.is_none() {
308 return Err(error::Error::Km(ErrorCode::INVALID_ARGUMENT))
309 .context("In generate_key: Alias must be specified");
310 }
Hasini Gunasinghea020b532021-01-07 21:42:35 +0000[diff] [blame]311 let caller_uid = ThreadState::get_calling_uid();
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]312
313 let key = match key.domain {
314 Domain::APP => KeyDescriptor {
315 domain: key.domain,
Hasini Gunasinghea020b532021-01-07 21:42:35 +0000[diff] [blame]316 nspace: caller_uid as i64,
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]317 alias: key.alias.clone(),
318 blob: None,
319 },
320 _ => key.clone(),
321 };
322
323 // generate_key requires the rebind permission.
324 check_key_permission(KeyPerm::rebind(), &key, &None).context("In generate_key.")?;
325
326 let km_dev: Box<dyn IKeyMintDevice> = self.keymint.get_interface()?;
Janis Danisevskis104d8e42021-01-14 22:49:27 -0800[diff] [blame]327 map_km_error(km_dev.addRngEntropy(entropy))
328 .context("In generate_key: Trying to add entropy.")?;
329 let creation_result = map_km_error(km_dev.generateKey(&params))
330 .context("In generate_key: While generating Key")?;
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]331
Hasini Gunasinghea020b532021-01-07 21:42:35 +0000[diff] [blame]332 let user_id = uid_to_android_user(caller_uid);
333 self.store_new_key(key, creation_result, user_id).context("In generate_key.")
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]334 }
335
336 fn import_key(
337 &self,
338 key: &KeyDescriptor,
Janis Danisevskis2c7f9622020-09-30 16:30:31 -0700[diff] [blame]339 attestation_key: Option<&KeyDescriptor>,
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]340 params: &[KeyParameter],
Janis Danisevskis2c7f9622020-09-30 16:30:31 -0700[diff] [blame]341 flags: i32,
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]342 key_data: &[u8],
Janis Danisevskis2c7f9622020-09-30 16:30:31 -0700[diff] [blame]343 ) -> Result<KeyMetadata> {
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]344 if key.domain != Domain::BLOB && key.alias.is_none() {
345 return Err(error::Error::Km(ErrorCode::INVALID_ARGUMENT))
346 .context("In import_key: Alias must be specified");
347 }
Hasini Gunasinghea020b532021-01-07 21:42:35 +0000[diff] [blame]348 let caller_uid = ThreadState::get_calling_uid();
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]349
350 let key = match key.domain {
351 Domain::APP => KeyDescriptor {
352 domain: key.domain,
Hasini Gunasinghea020b532021-01-07 21:42:35 +0000[diff] [blame]353 nspace: caller_uid as i64,
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]354 alias: key.alias.clone(),
355 blob: None,
356 },
357 _ => key.clone(),
358 };
359
360 // import_key requires the rebind permission.
361 check_key_permission(KeyPerm::rebind(), &key, &None).context("In import_key.")?;
362
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]363 let format = params
364 .iter()
Janis Danisevskisa53c9cf2020-10-26 11:52:33 -0700[diff] [blame]365 .find(|p| p.tag == Tag::ALGORITHM)
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]366 .ok_or(error::Error::Km(ErrorCode::INVALID_ARGUMENT))
367 .context("No KeyParameter 'Algorithm'.")
Janis Danisevskis398e6be2020-12-17 09:29:25 -0800[diff] [blame]368 .and_then(|p| match &p.value {
369 KeyParameterValue::Algorithm(Algorithm::AES)
370 | KeyParameterValue::Algorithm(Algorithm::HMAC)
371 | KeyParameterValue::Algorithm(Algorithm::TRIPLE_DES) => Ok(KeyFormat::RAW),
372 KeyParameterValue::Algorithm(Algorithm::RSA)
373 | KeyParameterValue::Algorithm(Algorithm::EC) => Ok(KeyFormat::PKCS8),
374 v => Err(error::Error::Km(ErrorCode::INVALID_ARGUMENT))
375 .context(format!("Unknown Algorithm {:?}.", v)),
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]376 })
377 .context("In import_key.")?;
378
Janis Danisevskis104d8e42021-01-14 22:49:27 -0800[diff] [blame]379 let km_dev: Box<dyn IKeyMintDevice> =
380 self.keymint.get_interface().context("In import_key: Trying to get the KM device")?;
381 let creation_result = map_km_error(km_dev.importKey(&params, format, key_data))
382 .context("In import_key: Trying to call importKey")?;
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]383
Hasini Gunasinghea020b532021-01-07 21:42:35 +0000[diff] [blame]384 let user_id = uid_to_android_user(caller_uid);
385 self.store_new_key(key, creation_result, user_id).context("In import_key.")
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]386 }
387
388 fn import_wrapped_key(
389 &self,
390 key: &KeyDescriptor,
391 wrapping_key: &KeyDescriptor,
392 masking_key: Option<&[u8]>,
393 params: &[KeyParameter],
394 authenticators: &[AuthenticatorSpec],
Janis Danisevskis2c7f9622020-09-30 16:30:31 -0700[diff] [blame]395 ) -> Result<KeyMetadata> {
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]396 if key.domain != Domain::BLOB && key.alias.is_none() {
397 return Err(error::Error::Km(ErrorCode::INVALID_ARGUMENT))
398 .context("In import_wrapped_key: Alias must be specified.");
399 }
400
Janis Danisevskisaec14592020-11-12 09:41:49 -0800[diff] [blame]401 if wrapping_key.domain == Domain::BLOB {
402 return Err(error::Error::Km(ErrorCode::INVALID_ARGUMENT)).context(
403 "In import_wrapped_key: Import wrapped key not supported for self managed blobs.",
404 );
405 }
406
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]407 let wrapped_data = match &key.blob {
408 Some(d) => d,
409 None => {
410 return Err(error::Error::Km(ErrorCode::INVALID_ARGUMENT)).context(
411 "In import_wrapped_key: Blob must be specified and hold wrapped key data.",
412 )
413 }
414 };
415
Hasini Gunasinghea020b532021-01-07 21:42:35 +0000[diff] [blame]416 let caller_uid = ThreadState::get_calling_uid();
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]417 let key = match key.domain {
418 Domain::APP => KeyDescriptor {
419 domain: key.domain,
Hasini Gunasinghea020b532021-01-07 21:42:35 +0000[diff] [blame]420 nspace: caller_uid as i64,
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]421 alias: key.alias.clone(),
422 blob: None,
423 },
424 _ => key.clone(),
425 };
426
427 // import_wrapped_key requires the rebind permission for the new key.
428 check_key_permission(KeyPerm::rebind(), &key, &None).context("In import_wrapped_key.")?;
429
Janis Danisevskisaec14592020-11-12 09:41:49 -0800[diff] [blame]430 let (wrapping_key_id_guard, wrapping_key_entry) = DB
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]431 .with(|db| {
432 db.borrow_mut().load_key_entry(
433 wrapping_key.clone(),
Janis Danisevskisb42fc182020-12-15 08:41:27 -0800[diff] [blame]434 KeyType::Client,
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]435 KeyEntryLoadBits::KM,
Hasini Gunasinghea020b532021-01-07 21:42:35 +0000[diff] [blame]436 caller_uid,
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]437 |k, av| check_key_permission(KeyPerm::use_(), k, &av),
438 )
439 })
440 .context("Failed to load wrapping key.")?;
441 let wrapping_key_blob = match wrapping_key_entry.km_blob() {
442 Some(blob) => blob,
443 None => {
444 return Err(error::Error::sys()).context(concat!(
445 "No km_blob after successfully loading key.",
446 " This should never happen."
447 ))
448 }
449 };
450
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]451 // km_dev.importWrappedKey does not return a certificate chain.
452 // TODO Do we assume that all wrapped keys are symmetric?
453 // let certificate_chain: Vec<KmCertificate> = Default::default();
454
455 let pw_sid = authenticators
456 .iter()
457 .find_map(|a| match a.authenticatorType {
Janis Danisevskisa53c9cf2020-10-26 11:52:33 -0700[diff] [blame]458 HardwareAuthenticatorType::PASSWORD => Some(a.authenticatorId),
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]459 _ => None,
460 })
461 .ok_or(error::Error::Km(ErrorCode::INVALID_ARGUMENT))
462 .context("A password authenticator SID must be specified.")?;
463
464 let fp_sid = authenticators
465 .iter()
466 .find_map(|a| match a.authenticatorType {
Janis Danisevskisa53c9cf2020-10-26 11:52:33 -0700[diff] [blame]467 HardwareAuthenticatorType::FINGERPRINT => Some(a.authenticatorId),
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]468 _ => None,
469 })
470 .ok_or(error::Error::Km(ErrorCode::INVALID_ARGUMENT))
471 .context("A fingerprint authenticator SID must be specified.")?;
472
473 let masking_key = masking_key.unwrap_or(ZERO_BLOB_32);
474
475 let km_dev: Box<dyn IKeyMintDevice> = self.keymint.get_interface()?;
Janis Danisevskis104d8e42021-01-14 22:49:27 -0800[diff] [blame]476 let (creation_result, _) = self
477 .upgrade_keyblob_if_required_with(
478 &*km_dev,
479 Some(wrapping_key_id_guard),
480 wrapping_key_blob,
481 &[],
482 |wrapping_blob| {
483 let creation_result = map_km_error(km_dev.importWrappedKey(
484 wrapped_data,
485 wrapping_key_blob,
486 masking_key,
487 &params,
488 pw_sid,
489 fp_sid,
490 ))?;
491 Ok(creation_result)
492 },
493 )
494 .context("In import_wrapped_key.")?;
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]495
Hasini Gunasinghea020b532021-01-07 21:42:35 +0000[diff] [blame]496 let user_id = uid_to_android_user(caller_uid);
Janis Danisevskis104d8e42021-01-14 22:49:27 -0800[diff] [blame]497 self.store_new_key(key, creation_result, user_id)
498 .context("In import_wrapped_key: Trying to store the new key.")
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]499 }
Janis Danisevskisaec14592020-11-12 09:41:49 -0800[diff] [blame]500
501 fn upgrade_keyblob_if_required_with<T, F>(
502 &self,
503 km_dev: &dyn IKeyMintDevice,
504 key_id_guard: Option<KeyIdGuard>,
505 blob: &[u8],
506 params: &[KeyParameter],
507 f: F,
508 ) -> Result<(T, Option<Vec<u8>>)>
509 where
510 F: Fn(&[u8]) -> Result<T, Error>,
511 {
512 match f(blob) {
513 Err(Error::Km(ErrorCode::KEY_REQUIRES_UPGRADE)) => {
514 let upgraded_blob = map_km_error(km_dev.upgradeKey(blob, params))
515 .context("In upgrade_keyblob_if_required_with: Upgrade failed.")?;
516 key_id_guard.map_or(Ok(()), |key_id_guard| {
517 DB.with(|db| {
518 db.borrow_mut().insert_blob(
519 &key_id_guard,
Janis Danisevskisb42fc182020-12-15 08:41:27 -0800[diff] [blame]520 SubComponentType::KEY_BLOB,
Janis Danisevskisaec14592020-11-12 09:41:49 -0800[diff] [blame]521 &upgraded_blob,
Janis Danisevskisaec14592020-11-12 09:41:49 -0800[diff] [blame]522 )
523 })
524 .context(concat!(
525 "In upgrade_keyblob_if_required_with: ",
526 "Failed to insert upgraded blob into the database.",
527 ))
528 })?;
529 match f(&upgraded_blob) {
530 Ok(v) => Ok((v, Some(upgraded_blob))),
531 Err(e) => Err(e).context(concat!(
532 "In upgrade_keyblob_if_required_with: ",
533 "Failed to perform operation on second try."
534 )),
535 }
536 }
537 Err(e) => {
538 Err(e).context("In upgrade_keyblob_if_required_with: Failed perform operation.")
539 }
540 Ok(v) => Ok((v, None)),
541 }
542 }
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]543}
544
545impl binder::Interface for KeystoreSecurityLevel {}
546
547impl IKeystoreSecurityLevel for KeystoreSecurityLevel {
Janis Danisevskis2c7f9622020-09-30 16:30:31 -0700[diff] [blame]548 fn createOperation(
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]549 &self,
550 key: &KeyDescriptor,
551 operation_parameters: &[KeyParameter],
552 forced: bool,
Janis Danisevskis2c7f9622020-09-30 16:30:31 -0700[diff] [blame]553 ) -> binder::public_api::Result<CreateOperationResponse> {
554 map_or_log_err(self.create_operation(key, operation_parameters, forced), Ok)
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]555 }
556 fn generateKey(
557 &self,
558 key: &KeyDescriptor,
Janis Danisevskis2c7f9622020-09-30 16:30:31 -0700[diff] [blame]559 attestation_key: Option<&KeyDescriptor>,
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]560 params: &[KeyParameter],
Janis Danisevskis2c7f9622020-09-30 16:30:31 -0700[diff] [blame]561 flags: i32,
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]562 entropy: &[u8],
Janis Danisevskis2c7f9622020-09-30 16:30:31 -0700[diff] [blame]563 ) -> binder::public_api::Result<KeyMetadata> {
564 map_or_log_err(self.generate_key(key, attestation_key, params, flags, entropy), Ok)
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]565 }
566 fn importKey(
567 &self,
568 key: &KeyDescriptor,
Janis Danisevskis2c7f9622020-09-30 16:30:31 -0700[diff] [blame]569 attestation_key: Option<&KeyDescriptor>,
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]570 params: &[KeyParameter],
Janis Danisevskis2c7f9622020-09-30 16:30:31 -0700[diff] [blame]571 flags: i32,
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]572 key_data: &[u8],
Janis Danisevskis2c7f9622020-09-30 16:30:31 -0700[diff] [blame]573 ) -> binder::public_api::Result<KeyMetadata> {
574 map_or_log_err(self.import_key(key, attestation_key, params, flags, key_data), Ok)
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]575 }
576 fn importWrappedKey(
577 &self,
578 key: &KeyDescriptor,
579 wrapping_key: &KeyDescriptor,
580 masking_key: Option<&[u8]>,
581 params: &[KeyParameter],
582 authenticators: &[AuthenticatorSpec],
Janis Danisevskis2c7f9622020-09-30 16:30:31 -0700[diff] [blame]583 ) -> binder::public_api::Result<KeyMetadata> {
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]584 map_or_log_err(
585 self.import_wrapped_key(key, wrapping_key, masking_key, params, authenticators),
Janis Danisevskis2c7f9622020-09-30 16:30:31 -0700[diff] [blame]586 Ok,
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]587 )
588 }
589}