Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_security / 715d023c9294cf4860f73c8d83e82c5aa699add6 / . / keystore / keystore.h
blob: 62d72943094c806475d2c2473fed81571c7e3da6 [file] [log] [blame]
Shawn Willden6507c272016-01-05 22:51:48 -0700[diff] [blame]1/*
2 * Copyright (C) 2016 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17#ifndef KEYSTORE_KEYSTORE_H_
18#define KEYSTORE_KEYSTORE_H_
19
20#include "user_state.h"
21
Shawn Willden715d0232016-01-21 00:45:13 -0700[diff] [blame^]22#include <hardware/keymaster2.h>
Shawn Willden6507c272016-01-05 22:51:48 -0700[diff] [blame]23
24#include <utils/Vector.h>
25
26#include "blob.h"
27
28typedef struct {
29 uint32_t uid;
30 const uint8_t* filename;
31} grant_t;
32
33class KeyStore {
34 public:
Shawn Willden715d0232016-01-21 00:45:13 -0700[diff] [blame^]35 KeyStore(Entropy* entropy, keymaster2_device_t* device, keymaster2_device_t* fallback);
Shawn Willden6507c272016-01-05 22:51:48 -0700[diff] [blame]36 ~KeyStore();
37
Shawn Willden715d0232016-01-21 00:45:13 -0700[diff] [blame^]38 keymaster2_device_t* getDevice() const { return mDevice; }
Shawn Willden6507c272016-01-05 22:51:48 -0700[diff] [blame]39
Shawn Willden715d0232016-01-21 00:45:13 -0700[diff] [blame^]40 keymaster2_device_t* getFallbackDevice() const { return mFallbackDevice; }
Shawn Willden6507c272016-01-05 22:51:48 -0700[diff] [blame]41
Shawn Willden715d0232016-01-21 00:45:13 -0700[diff] [blame^]42 keymaster2_device_t* getDeviceForBlob(const Blob& blob) const {
Shawn Willden6507c272016-01-05 22:51:48 -0700[diff] [blame]43 return blob.isFallback() ? mFallbackDevice : mDevice;
44 }
45
46 ResponseCode initialize();
47
48 State getState(uid_t userId) { return getUserState(userId)->getState(); }
49
50 ResponseCode initializeUser(const android::String8& pw, uid_t userId);
51
52 ResponseCode copyMasterKey(uid_t srcUser, uid_t dstUser);
53 ResponseCode writeMasterKey(const android::String8& pw, uid_t userId);
54 ResponseCode readMasterKey(const android::String8& pw, uid_t userId);
55
56 android::String8 getKeyName(const android::String8& keyName);
57 android::String8 getKeyNameForUid(const android::String8& keyName, uid_t uid);
58 android::String8 getKeyNameForUidWithDir(const android::String8& keyName, uid_t uid);
59
60 /*
61 * Delete entries owned by userId. If keepUnencryptedEntries is true
62 * then only encrypted entries will be removed, otherwise all entries will
63 * be removed.
64 */
65 void resetUser(uid_t userId, bool keepUnenryptedEntries);
66 bool isEmpty(uid_t userId) const;
67
68 void lock(uid_t userId);
69
70 ResponseCode get(const char* filename, Blob* keyBlob, const BlobType type, uid_t userId);
71 ResponseCode put(const char* filename, Blob* keyBlob, uid_t userId);
72 ResponseCode del(const char* filename, const BlobType type, uid_t userId);
73 ResponseCode list(const android::String8& prefix, android::Vector<android::String16>* matches,
74 uid_t userId);
75
76 void addGrant(const char* filename, uid_t granteeUid);
77 bool removeGrant(const char* filename, uid_t granteeUid);
78 bool hasGrant(const char* filename, const uid_t uid) const {
79 return getGrant(filename, uid) != NULL;
80 }
81
82 ResponseCode importKey(const uint8_t* key, size_t keyLen, const char* filename, uid_t userId,
83 int32_t flags);
84
85 bool isHardwareBacked(const android::String16& keyType) const;
86
87 ResponseCode getKeyForName(Blob* keyBlob, const android::String8& keyName, const uid_t uid,
88 const BlobType type);
89
90 /**
91 * Returns any existing UserState or creates it if it doesn't exist.
92 */
93 UserState* getUserState(uid_t userId);
94
95 /**
96 * Returns any existing UserState or creates it if it doesn't exist.
97 */
98 UserState* getUserStateByUid(uid_t uid);
99
100 /**
101 * Returns NULL if the UserState doesn't already exist.
102 */
103 const UserState* getUserState(uid_t userId) const;
104
105 /**
106 * Returns NULL if the UserState doesn't already exist.
107 */
108 const UserState* getUserStateByUid(uid_t uid) const;
109
110 private:
111 static const char* sOldMasterKey;
112 static const char* sMetaDataFile;
113 static const android::String16 sRSAKeyType;
114 static const android::String16 sECKeyType;
115 Entropy* mEntropy;
116
Shawn Willden715d0232016-01-21 00:45:13 -0700[diff] [blame^]117 keymaster2_device_t* mDevice;
118 keymaster2_device_t* mFallbackDevice;
Shawn Willden6507c272016-01-05 22:51:48 -0700[diff] [blame]119
120 android::Vector<UserState*> mMasterKeys;
121
122 android::Vector<grant_t*> mGrants;
123
124 typedef struct { uint32_t version; } keystore_metadata_t;
125
126 keystore_metadata_t mMetaData;
127
128 const grant_t* getGrant(const char* filename, uid_t uid) const;
129
130 /**
131 * Upgrade the key from the current version to whatever is newest.
132 */
133 bool upgradeBlob(const char* filename, Blob* blob, const uint8_t oldVersion,
134 const BlobType type, uid_t uid);
135
136 /**
137 * Takes a blob that is an PEM-encoded RSA key as a byte array and converts it to a DER-encoded
138 * PKCS#8 for import into a keymaster. Then it overwrites the original blob with the new blob
139 * format that is returned from the keymaster.
140 */
141 ResponseCode importBlobAsKey(Blob* blob, const char* filename, uid_t uid);
142
143 void readMetaData();
144 void writeMetaData();
145
146 bool upgradeKeystore();
147};
148
149#endif // KEYSTORE_KEYSTORE_H_