Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_security / 94243c2f8f8bb7e9a539c7095f1e2a78a935e330 / . / keystore2 / src / security_level.rs
blob: e8760dc3fe625eba9bedcbdcc0218616d53ffe65 [file] [log] [blame]
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]1// Copyright 2020, The Android Open Source Project
2//
3// Licensed under the Apache License, Version 2.0 (the "License");
4// you may not use this file except in compliance with the License.
5// You may obtain a copy of the License at
6//
7// http://www.apache.org/licenses/LICENSE-2.0
8//
9// Unless required by applicable law or agreed to in writing, software
10// distributed under the License is distributed on an "AS IS" BASIS,
11// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12// See the License for the specific language governing permissions and
13// limitations under the License.
14
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]15//! This crate implements the IKeystoreSecurityLevel interface.
16
Janis Danisevskis5cb52dc2021-04-07 16:31:18 -0700[diff] [blame]17use crate::{globals::get_keymint_device, id_rotation::IdRotationState};
Shawn Willden708744a2020-12-11 13:05:27 +0000[diff] [blame]18use android_hardware_security_keymint::aidl::android::hardware::security::keymint::{
Janis Danisevskis3541f3e2021-03-20 14:18:52 -0700[diff] [blame]19 Algorithm::Algorithm, AttestationKey::AttestationKey,
Shawn Willden8fde4c22021-02-14 13:58:22 -0700[diff] [blame]20 HardwareAuthenticatorType::HardwareAuthenticatorType, IKeyMintDevice::IKeyMintDevice,
21 KeyCreationResult::KeyCreationResult, KeyFormat::KeyFormat,
Max Bires8e93d2b2021-01-14 13:17:59 -0800[diff] [blame]22 KeyMintHardwareInfo::KeyMintHardwareInfo, KeyParameter::KeyParameter,
23 KeyParameterValue::KeyParameterValue, SecurityLevel::SecurityLevel, Tag::Tag,
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]24};
Andrew Walbrande45c8b2021-04-13 14:42:38 +0000[diff] [blame]25use android_hardware_security_keymint::binder::{BinderFeatures, Strong, ThreadState};
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]26use android_system_keystore2::aidl::android::system::keystore2::{
Janis Danisevskisa53c9cf2020-10-26 11:52:33 -0700[diff] [blame]27 AuthenticatorSpec::AuthenticatorSpec, CreateOperationResponse::CreateOperationResponse,
Janis Danisevskisb2434d02021-04-20 12:49:27 -0700[diff] [blame]28 Domain::Domain, EphemeralStorageKeyResponse::EphemeralStorageKeyResponse,
29 IKeystoreOperation::IKeystoreOperation, IKeystoreSecurityLevel::BnKeystoreSecurityLevel,
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]30 IKeystoreSecurityLevel::IKeystoreSecurityLevel, KeyDescriptor::KeyDescriptor,
Janis Danisevskis5ed8c532021-01-11 14:19:42 -0800[diff] [blame]31 KeyMetadata::KeyMetadata, KeyParameters::KeyParameters,
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]32};
33
Janis Danisevskis3541f3e2021-03-20 14:18:52 -0700[diff] [blame]34use crate::attestation_key_utils::{get_attest_key_info, AttestationKeyInfo};
Pavel Grafov94243c22021-04-21 18:03:11 +0100[diff] [blame^]35use crate::audit_log::{log_key_deleted, log_key_generated, log_key_imported};
Janis Danisevskis3541f3e2021-03-20 14:18:52 -0700[diff] [blame]36use crate::database::{CertificateInfo, KeyIdGuard};
Hasini Gunasinghe3ed5da72021-02-04 15:18:54 +0000[diff] [blame]37use crate::globals::{DB, ENFORCEMENTS, LEGACY_MIGRATOR, SUPER_KEY};
Hasini Gunasinghe888dd352020-11-17 23:08:39 +0000[diff] [blame]38use crate::key_parameter::KeyParameter as KsKeyParam;
Hasini Gunasinghea020b532021-01-07 21:42:35 +0000[diff] [blame]39use crate::key_parameter::KeyParameterValue as KsKeyParamValue;
Hasini Gunasingheb7142972021-02-20 03:11:27 +0000[diff] [blame]40use crate::metrics::log_key_creation_event_stats;
Max Bires97f96812021-02-23 23:44:57 -0800[diff] [blame]41use crate::remote_provisioning::RemProvState;
Hasini Gunasinghedeab85d2021-02-01 21:10:02 +0000[diff] [blame]42use crate::super_key::{KeyBlob, SuperKeyManager};
Bram Bonné5d6c5102021-02-24 15:09:18 +0100[diff] [blame]43use crate::utils::{
44 check_device_attestation_permissions, check_key_permission, is_device_id_attestation_tag,
45 uid_to_android_user, Asp,
46};
Max Bires8e93d2b2021-01-14 13:17:59 -0800[diff] [blame]47use crate::{
Janis Danisevskis7e8b4622021-02-13 10:01:59 -0800[diff] [blame]48 database::{
49 BlobMetaData, BlobMetaEntry, DateTime, KeyEntry, KeyEntryLoadBits, KeyMetaData,
50 KeyMetaEntry, KeyType, SubComponentType, Uuid,
51 },
52 operation::KeystoreOperation,
Hasini Gunasinghe0aba68a2021-03-19 00:43:52 +0000[diff] [blame]53 operation::LoggingInfo,
Janis Danisevskis7e8b4622021-02-13 10:01:59 -0800[diff] [blame]54 operation::OperationDb,
Janis Danisevskisb42fc182020-12-15 08:41:27 -0800[diff] [blame]55 permission::KeyPerm,
56};
57use crate::{
Janis Danisevskis04b02832020-10-26 09:21:40 -0700[diff] [blame]58 error::{self, map_km_error, map_or_log_err, Error, ErrorCode},
59 utils::key_characteristics_to_internal,
60};
Janis Danisevskis212c68b2021-01-14 22:29:28 -0800[diff] [blame]61use anyhow::{anyhow, Context, Result};
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]62
63/// Implementation of the IKeystoreSecurityLevel Interface.
64pub struct KeystoreSecurityLevel {
65 security_level: SecurityLevel,
66 keymint: Asp,
Max Bires8e93d2b2021-01-14 13:17:59 -0800[diff] [blame]67 hw_info: KeyMintHardwareInfo,
68 km_uuid: Uuid,
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]69 operation_db: OperationDb,
Max Bires97f96812021-02-23 23:44:57 -0800[diff] [blame]70 rem_prov_state: RemProvState,
Janis Danisevskis5cb52dc2021-04-07 16:31:18 -0700[diff] [blame]71 id_rotation_state: IdRotationState,
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]72}
73
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]74// Blob of 32 zeroes used as empty masking key.
75static ZERO_BLOB_32: &[u8] = &[0; 32];
76
Janis Danisevskis2c084012021-01-31 22:23:17 -0800[diff] [blame]77// Per RFC 5280 4.1.2.5, an undefined expiration (not-after) field should be set to GeneralizedTime
78// 999912312359559, which is 253402300799000 ms from Jan 1, 1970.
79const UNDEFINED_NOT_AFTER: i64 = 253402300799000i64;
80
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]81impl KeystoreSecurityLevel {
82 /// Creates a new security level instance wrapped in a
Andrew Walbrande45c8b2021-04-13 14:42:38 +0000[diff] [blame]83 /// BnKeystoreSecurityLevel proxy object. It also enables
84 /// `BinderFeatures::set_requesting_sid` on the new interface, because
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]85 /// we need it for checking keystore permissions.
86 pub fn new_native_binder(
87 security_level: SecurityLevel,
Janis Danisevskis5cb52dc2021-04-07 16:31:18 -0700[diff] [blame]88 id_rotation_state: IdRotationState,
Stephen Crane221bbb52020-12-16 15:52:10 -0800[diff] [blame]89 ) -> Result<(Strong<dyn IKeystoreSecurityLevel>, Uuid)> {
Max Bires8e93d2b2021-01-14 13:17:59 -0800[diff] [blame]90 let (dev, hw_info, km_uuid) = get_keymint_device(&security_level)
91 .context("In KeystoreSecurityLevel::new_native_binder.")?;
Andrew Walbrande45c8b2021-04-13 14:42:38 +0000[diff] [blame]92 let result = BnKeystoreSecurityLevel::new_binder(
93 Self {
94 security_level,
95 keymint: dev,
96 hw_info,
97 km_uuid,
98 operation_db: OperationDb::new(),
99 rem_prov_state: RemProvState::new(security_level, km_uuid),
100 id_rotation_state,
101 },
102 BinderFeatures { set_requesting_sid: true, ..BinderFeatures::default() },
103 );
Max Bires8e93d2b2021-01-14 13:17:59 -0800[diff] [blame]104 Ok((result, km_uuid))
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]105 }
106
107 fn store_new_key(
108 &self,
109 key: KeyDescriptor,
Shawn Willdendbdac602021-01-12 22:35:16 -0700[diff] [blame]110 creation_result: KeyCreationResult,
Hasini Gunasinghea020b532021-01-07 21:42:35 +0000[diff] [blame]111 user_id: u32,
Hasini Gunasinghedeab85d2021-02-01 21:10:02 +0000[diff] [blame]112 flags: Option<i32>,
Janis Danisevskis2c7f9622020-09-30 16:30:31 -0700[diff] [blame]113 ) -> Result<KeyMetadata> {
Shawn Willdendbdac602021-01-12 22:35:16 -0700[diff] [blame]114 let KeyCreationResult {
115 keyBlob: key_blob,
116 keyCharacteristics: key_characteristics,
117 certificateChain: mut certificate_chain,
118 } = creation_result;
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]119
Max Bires8e93d2b2021-01-14 13:17:59 -0800[diff] [blame]120 let mut cert_info: CertificateInfo = CertificateInfo::new(
Shawn Willdendbdac602021-01-12 22:35:16 -0700[diff] [blame]121 match certificate_chain.len() {
122 0 => None,
123 _ => Some(certificate_chain.remove(0).encodedCertificate),
124 },
125 match certificate_chain.len() {
126 0 => None,
127 _ => Some(
128 certificate_chain
129 .iter()
130 .map(|c| c.encodedCertificate.iter())
131 .flatten()
132 .copied()
133 .collect(),
134 ),
135 },
136 );
137
Hasini Gunasinghea020b532021-01-07 21:42:35 +0000[diff] [blame]138 let mut key_parameters = key_characteristics_to_internal(key_characteristics);
139
140 key_parameters.push(KsKeyParam::new(
141 KsKeyParamValue::UserID(user_id as i32),
142 SecurityLevel::SOFTWARE,
143 ));
Janis Danisevskis04b02832020-10-26 09:21:40 -0700[diff] [blame]144
Janis Danisevskisb42fc182020-12-15 08:41:27 -0800[diff] [blame]145 let creation_date = DateTime::now().context("Trying to make creation time.")?;
146
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]147 let key = match key.domain {
Satya Tangirala60671e32021-03-04 16:12:19 -0800[diff] [blame]148 Domain::BLOB => KeyDescriptor {
149 domain: Domain::BLOB,
150 blob: Some(key_blob.to_vec()),
151 ..Default::default()
152 },
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]153 _ => DB
Janis Danisevskis93927dd2020-12-23 12:23:08 -0800[diff] [blame]154 .with::<_, Result<KeyDescriptor>>(|db| {
Satya Tangirala60671e32021-03-04 16:12:19 -0800[diff] [blame]155 let mut db = db.borrow_mut();
156
157 let (key_blob, mut blob_metadata) = SUPER_KEY
158 .handle_super_encryption_on_key_init(
159 &mut db,
160 &LEGACY_MIGRATOR,
161 &(key.domain),
162 &key_parameters,
163 flags,
164 user_id,
165 &key_blob,
166 )
167 .context("In store_new_key. Failed to handle super encryption.")?;
168
Janis Danisevskis7e8b4622021-02-13 10:01:59 -0800[diff] [blame]169 let mut key_metadata = KeyMetaData::new();
170 key_metadata.add(KeyMetaEntry::CreationDate(creation_date));
Janis Danisevskis7e8b4622021-02-13 10:01:59 -0800[diff] [blame]171 blob_metadata.add(BlobMetaEntry::KmUuid(self.km_uuid));
Janis Danisevskis93927dd2020-12-23 12:23:08 -0800[diff] [blame]172
Janis Danisevskis7e8b4622021-02-13 10:01:59 -0800[diff] [blame]173 let key_id = db
Janis Danisevskis93927dd2020-12-23 12:23:08 -0800[diff] [blame]174 .store_new_key(
Janis Danisevskis66784c42021-01-27 08:40:25 -0800[diff] [blame]175 &key,
Janis Danisevskis93927dd2020-12-23 12:23:08 -0800[diff] [blame]176 &key_parameters,
Janis Danisevskis7e8b4622021-02-13 10:01:59 -0800[diff] [blame]177 &(&key_blob, &blob_metadata),
Max Bires8e93d2b2021-01-14 13:17:59 -0800[diff] [blame]178 &cert_info,
Janis Danisevskis7e8b4622021-02-13 10:01:59 -0800[diff] [blame]179 &key_metadata,
Max Bires8e93d2b2021-01-14 13:17:59 -0800[diff] [blame]180 &self.km_uuid,
Janis Danisevskis93927dd2020-12-23 12:23:08 -0800[diff] [blame]181 )
182 .context("In store_new_key.")?;
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]183 Ok(KeyDescriptor {
184 domain: Domain::KEY_ID,
Janis Danisevskisaec14592020-11-12 09:41:49 -0800[diff] [blame]185 nspace: key_id.id(),
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]186 ..Default::default()
187 })
188 })
189 .context("In store_new_key.")?,
190 };
191
Janis Danisevskis2c7f9622020-09-30 16:30:31 -0700[diff] [blame]192 Ok(KeyMetadata {
193 key,
Janis Danisevskisa53c9cf2020-10-26 11:52:33 -0700[diff] [blame]194 keySecurityLevel: self.security_level,
Max Bires8e93d2b2021-01-14 13:17:59 -0800[diff] [blame]195 certificate: cert_info.take_cert(),
196 certificateChain: cert_info.take_cert_chain(),
Janis Danisevskis04b02832020-10-26 09:21:40 -0700[diff] [blame]197 authorizations: crate::utils::key_parameters_to_authorizations(key_parameters),
Janis Danisevskisb42fc182020-12-15 08:41:27 -0800[diff] [blame]198 modificationTimeMs: creation_date.to_millis_epoch(),
Janis Danisevskis2c7f9622020-09-30 16:30:31 -0700[diff] [blame]199 })
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]200 }
201
Janis Danisevskis2c7f9622020-09-30 16:30:31 -0700[diff] [blame]202 fn create_operation(
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]203 &self,
204 key: &KeyDescriptor,
205 operation_parameters: &[KeyParameter],
206 forced: bool,
Janis Danisevskis2c7f9622020-09-30 16:30:31 -0700[diff] [blame]207 ) -> Result<CreateOperationResponse> {
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]208 let caller_uid = ThreadState::get_calling_uid();
209 // We use `scoping_blob` to extend the life cycle of the blob loaded from the database,
210 // so that we can use it by reference like the blob provided by the key descriptor.
211 // Otherwise, we would have to clone the blob from the key descriptor.
212 let scoping_blob: Vec<u8>;
Janis Danisevskis7e8b4622021-02-13 10:01:59 -0800[diff] [blame]213 let (km_blob, key_properties, key_id_guard, blob_metadata) = match key.domain {
Janis Danisevskis2c7f9622020-09-30 16:30:31 -0700[diff] [blame]214 Domain::BLOB => {
215 check_key_permission(KeyPerm::use_(), key, &None)
216 .context("In create_operation: checking use permission for Domain::BLOB.")?;
Janis Danisevskis186d9f42021-03-03 14:40:52 -0800[diff] [blame]217 if forced {
218 check_key_permission(KeyPerm::req_forced_op(), key, &None).context(
219 "In create_operation: checking forced permission for Domain::BLOB.",
220 )?;
221 }
Janis Danisevskis2c7f9622020-09-30 16:30:31 -0700[diff] [blame]222 (
223 match &key.blob {
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]224 Some(blob) => blob,
Janis Danisevskis2c7f9622020-09-30 16:30:31 -0700[diff] [blame]225 None => {
226 return Err(Error::sys()).context(concat!(
227 "In create_operation: Key blob must be specified when",
228 " using Domain::BLOB."
229 ))
230 }
231 },
232 None,
Hasini Gunasinghe888dd352020-11-17 23:08:39 +0000[diff] [blame]233 None,
Hasini Gunasinghedeab85d2021-02-01 21:10:02 +0000[diff] [blame]234 BlobMetaData::new(),
Janis Danisevskis2c7f9622020-09-30 16:30:31 -0700[diff] [blame]235 )
236 }
237 _ => {
Janis Danisevskisaec14592020-11-12 09:41:49 -0800[diff] [blame]238 let (key_id_guard, mut key_entry) = DB
239 .with::<_, Result<(KeyIdGuard, KeyEntry)>>(|db| {
Hasini Gunasinghe3ed5da72021-02-04 15:18:54 +0000[diff] [blame]240 LEGACY_MIGRATOR.with_try_migrate(&key, caller_uid, || {
241 db.borrow_mut().load_key_entry(
242 &key,
243 KeyType::Client,
244 KeyEntryLoadBits::KM,
245 caller_uid,
Janis Danisevskis186d9f42021-03-03 14:40:52 -0800[diff] [blame]246 |k, av| {
247 check_key_permission(KeyPerm::use_(), k, &av)?;
248 if forced {
249 check_key_permission(KeyPerm::req_forced_op(), k, &av)?;
250 }
251 Ok(())
252 },
Hasini Gunasinghe3ed5da72021-02-04 15:18:54 +0000[diff] [blame]253 )
254 })
Janis Danisevskis2c7f9622020-09-30 16:30:31 -0700[diff] [blame]255 })
256 .context("In create_operation: Failed to load key blob.")?;
Janis Danisevskis7e8b4622021-02-13 10:01:59 -0800[diff] [blame]257
258 let (blob, blob_metadata) =
259 key_entry.take_key_blob_info().ok_or_else(Error::sys).context(concat!(
260 "In create_operation: Successfully loaded key entry, ",
261 "but KM blob was missing."
262 ))?;
263 scoping_blob = blob;
264
Qi Wub9433b52020-12-01 14:52:46 +0800[diff] [blame]265 (
266 &scoping_blob,
267 Some((key_id_guard.id(), key_entry.into_key_parameters())),
268 Some(key_id_guard),
Hasini Gunasinghedeab85d2021-02-01 21:10:02 +0000[diff] [blame]269 blob_metadata,
Qi Wub9433b52020-12-01 14:52:46 +0800[diff] [blame]270 )
Janis Danisevskis2c7f9622020-09-30 16:30:31 -0700[diff] [blame]271 }
272 };
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]273
Janis Danisevskisa53c9cf2020-10-26 11:52:33 -0700[diff] [blame]274 let purpose = operation_parameters.iter().find(|p| p.tag == Tag::PURPOSE).map_or(
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]275 Err(Error::Km(ErrorCode::INVALID_ARGUMENT))
Janis Danisevskis2c7f9622020-09-30 16:30:31 -0700[diff] [blame]276 .context("In create_operation: No operation purpose specified."),
Janis Danisevskis398e6be2020-12-17 09:29:25 -0800[diff] [blame]277 |kp| match kp.value {
278 KeyParameterValue::KeyPurpose(p) => Ok(p),
279 _ => Err(Error::Km(ErrorCode::INVALID_ARGUMENT))
280 .context("In create_operation: Malformed KeyParameter."),
281 },
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]282 )?;
283
Satya Tangirala2642ff92021-04-15 01:57:00 -0700[diff] [blame]284 // Remove Tag::PURPOSE from the operation_parameters, since some keymaster devices return
285 // an error on begin() if Tag::PURPOSE is in the operation_parameters.
286 let op_params: Vec<KeyParameter> =
287 operation_parameters.iter().filter(|p| p.tag != Tag::PURPOSE).cloned().collect();
288 let operation_parameters = op_params.as_slice();
289
Janis Danisevskis5ed8c532021-01-11 14:19:42 -0800[diff] [blame]290 let (immediate_hat, mut auth_info) = ENFORCEMENTS
291 .authorize_create(
292 purpose,
Qi Wub9433b52020-12-01 14:52:46 +0800[diff] [blame]293 key_properties.as_ref(),
294 operation_parameters.as_ref(),
Janis Danisevskise3f7d202021-03-20 14:21:22 -0700[diff] [blame]295 self.hw_info.timestampTokenRequired,
Janis Danisevskis5ed8c532021-01-11 14:19:42 -0800[diff] [blame]296 )
297 .context("In create_operation.")?;
Hasini Gunasinghe888dd352020-11-17 23:08:39 +0000[diff] [blame]298
Janis Danisevskis5ed8c532021-01-11 14:19:42 -0800[diff] [blame]299 let immediate_hat = immediate_hat.unwrap_or_default();
Hasini Gunasinghe888dd352020-11-17 23:08:39 +0000[diff] [blame]300
Hasini Gunasinghedeab85d2021-02-01 21:10:02 +0000[diff] [blame]301 let km_blob = SUPER_KEY
302 .unwrap_key_if_required(&blob_metadata, km_blob)
303 .context("In create_operation. Failed to handle super encryption.")?;
304
Stephen Crane221bbb52020-12-16 15:52:10 -0800[diff] [blame]305 let km_dev: Strong<dyn IKeyMintDevice> = self
Janis Danisevskis2c7f9622020-09-30 16:30:31 -0700[diff] [blame]306 .keymint
307 .get_interface()
308 .context("In create_operation: Failed to get KeyMint device")?;
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]309
Janis Danisevskisaec14592020-11-12 09:41:49 -0800[diff] [blame]310 let (begin_result, upgraded_blob) = self
311 .upgrade_keyblob_if_required_with(
312 &*km_dev,
313 key_id_guard,
Paul Crowley7a658392021-03-18 17:08:20 -0700[diff] [blame]314 &km_blob,
315 &blob_metadata,
Janis Danisevskisa53c9cf2020-10-26 11:52:33 -0700[diff] [blame]316 &operation_parameters,
Janis Danisevskisaec14592020-11-12 09:41:49 -0800[diff] [blame]317 |blob| loop {
318 match map_km_error(km_dev.begin(
319 purpose,
320 blob,
321 &operation_parameters,
Janis Danisevskis5ed8c532021-01-11 14:19:42 -0800[diff] [blame]322 &immediate_hat,
Janis Danisevskisaec14592020-11-12 09:41:49 -0800[diff] [blame]323 )) {
324 Err(Error::Km(ErrorCode::TOO_MANY_OPERATIONS)) => {
Janis Danisevskis186d9f42021-03-03 14:40:52 -0800[diff] [blame]325 self.operation_db.prune(caller_uid, forced)?;
Janis Danisevskisaec14592020-11-12 09:41:49 -0800[diff] [blame]326 continue;
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]327 }
Janis Danisevskisaec14592020-11-12 09:41:49 -0800[diff] [blame]328 v => return v,
329 }
330 },
331 )
332 .context("In create_operation: Failed to begin operation.")?;
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]333
Janis Danisevskis5ed8c532021-01-11 14:19:42 -0800[diff] [blame]334 let operation_challenge = auth_info.finalize_create_authorization(begin_result.challenge);
Hasini Gunasinghe888dd352020-11-17 23:08:39 +0000[diff] [blame]335
Hasini Gunasinghe0aba68a2021-03-19 00:43:52 +0000[diff] [blame]336 let op_params: Vec<KeyParameter> = operation_parameters.to_vec();
337
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]338 let operation = match begin_result.operation {
Hasini Gunasinghe888dd352020-11-17 23:08:39 +0000[diff] [blame]339 Some(km_op) => {
Hasini Gunasinghe0aba68a2021-03-19 00:43:52 +0000[diff] [blame]340 self.operation_db.create_operation(km_op, caller_uid, auth_info, forced,
Hasini Gunasinghe9617fd92021-04-01 22:27:07 +0000[diff] [blame]341 LoggingInfo::new(self.security_level, purpose, op_params,
342 upgraded_blob.is_some()))
Hasini Gunasinghe888dd352020-11-17 23:08:39 +0000[diff] [blame]343 },
Janis Danisevskis2c7f9622020-09-30 16:30:31 -0700[diff] [blame]344 None => return Err(Error::sys()).context("In create_operation: Begin operation returned successfully, but did not return a valid operation."),
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]345 };
346
Stephen Crane221bbb52020-12-16 15:52:10 -0800[diff] [blame]347 let op_binder: binder::public_api::Strong<dyn IKeystoreOperation> =
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]348 KeystoreOperation::new_native_binder(operation)
349 .as_binder()
350 .into_interface()
Janis Danisevskis2c7f9622020-09-30 16:30:31 -0700[diff] [blame]351 .context("In create_operation: Failed to create IKeystoreOperation.")?;
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]352
Janis Danisevskis2c7f9622020-09-30 16:30:31 -0700[diff] [blame]353 Ok(CreateOperationResponse {
354 iOperation: Some(op_binder),
Hasini Gunasinghe888dd352020-11-17 23:08:39 +0000[diff] [blame]355 operationChallenge: operation_challenge,
Janis Danisevskis2c7f9622020-09-30 16:30:31 -0700[diff] [blame]356 parameters: match begin_result.params.len() {
357 0 => None,
Janis Danisevskisa53c9cf2020-10-26 11:52:33 -0700[diff] [blame]358 _ => Some(KeyParameters { keyParameter: begin_result.params }),
Janis Danisevskis2c7f9622020-09-30 16:30:31 -0700[diff] [blame]359 },
Satya Tangiralae2016a82021-03-05 09:28:30 -0800[diff] [blame]360 // An upgraded blob should only be returned if the caller has permission
361 // to use Domain::BLOB keys. If we got to this point, we already checked
362 // that the caller had that permission.
363 upgradedBlob: if key.domain == Domain::BLOB { upgraded_blob } else { None },
Janis Danisevskis2c7f9622020-09-30 16:30:31 -0700[diff] [blame]364 })
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]365 }
366
Janis Danisevskise766edc2021-02-06 12:16:26 -0800[diff] [blame]367 fn add_certificate_parameters(
Janis Danisevskis5cb52dc2021-04-07 16:31:18 -0700[diff] [blame]368 &self,
Janis Danisevskise766edc2021-02-06 12:16:26 -0800[diff] [blame]369 uid: u32,
370 params: &[KeyParameter],
371 key: &KeyDescriptor,
372 ) -> Result<Vec<KeyParameter>> {
Janis Danisevskis212c68b2021-01-14 22:29:28 -0800[diff] [blame]373 let mut result = params.to_vec();
Janis Danisevskis2c084012021-01-31 22:23:17 -0800[diff] [blame]374 // If there is an attestation challenge we need to get an application id.
Janis Danisevskis212c68b2021-01-14 22:29:28 -0800[diff] [blame]375 if params.iter().any(|kp| kp.tag == Tag::ATTESTATION_CHALLENGE) {
376 let aaid = keystore2_aaid::get_aaid(uid).map_err(|e| {
Janis Danisevskis2c084012021-01-31 22:23:17 -0800[diff] [blame]377 anyhow!(format!("In add_certificate_parameters: get_aaid returned status {}.", e))
Janis Danisevskis212c68b2021-01-14 22:29:28 -0800[diff] [blame]378 })?;
379 result.push(KeyParameter {
380 tag: Tag::ATTESTATION_APPLICATION_ID,
381 value: KeyParameterValue::Blob(aaid),
382 });
383 }
Janis Danisevskis2c084012021-01-31 22:23:17 -0800[diff] [blame]384
Janis Danisevskise766edc2021-02-06 12:16:26 -0800[diff] [blame]385 if params.iter().any(|kp| kp.tag == Tag::INCLUDE_UNIQUE_ID) {
386 check_key_permission(KeyPerm::gen_unique_id(), key, &None).context(concat!(
387 "In add_certificate_parameters: ",
Janis Danisevskis83116e52021-04-06 13:36:58 -0700[diff] [blame]388 "Caller does not have the permission to generate a unique ID"
Janis Danisevskise766edc2021-02-06 12:16:26 -0800[diff] [blame]389 ))?;
Janis Danisevskis5cb52dc2021-04-07 16:31:18 -0700[diff] [blame]390 if self.id_rotation_state.had_factory_reset_since_id_rotation().context(
391 "In add_certificate_parameters: Call to had_factory_reset_since_id_rotation failed."
392 )? {
393 result.push(KeyParameter{
394 tag: Tag::RESET_SINCE_ID_ROTATION,
395 value: KeyParameterValue::BoolValue(true),
396 })
397 }
Janis Danisevskise766edc2021-02-06 12:16:26 -0800[diff] [blame]398 }
399
Bram Bonné5d6c5102021-02-24 15:09:18 +0100[diff] [blame]400 // If the caller requests any device identifier attestation tag, check that they hold the
401 // correct Android permission.
402 if params.iter().any(|kp| is_device_id_attestation_tag(kp.tag)) {
403 check_device_attestation_permissions().context(concat!(
404 "In add_certificate_parameters: ",
405 "Caller does not have the permission to attest device identifiers."
406 ))?;
407 }
408
Janis Danisevskis2c084012021-01-31 22:23:17 -0800[diff] [blame]409 // If we are generating/importing an asymmetric key, we need to make sure
410 // that NOT_BEFORE and NOT_AFTER are present.
411 match params.iter().find(|kp| kp.tag == Tag::ALGORITHM) {
412 Some(KeyParameter { tag: _, value: KeyParameterValue::Algorithm(Algorithm::RSA) })
413 | Some(KeyParameter { tag: _, value: KeyParameterValue::Algorithm(Algorithm::EC) }) => {
414 if !params.iter().any(|kp| kp.tag == Tag::CERTIFICATE_NOT_BEFORE) {
415 result.push(KeyParameter {
416 tag: Tag::CERTIFICATE_NOT_BEFORE,
417 value: KeyParameterValue::DateTime(0),
418 })
419 }
420 if !params.iter().any(|kp| kp.tag == Tag::CERTIFICATE_NOT_AFTER) {
421 result.push(KeyParameter {
422 tag: Tag::CERTIFICATE_NOT_AFTER,
423 value: KeyParameterValue::DateTime(UNDEFINED_NOT_AFTER),
424 })
425 }
426 }
427 _ => {}
428 }
Janis Danisevskis212c68b2021-01-14 22:29:28 -0800[diff] [blame]429 Ok(result)
430 }
431
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]432 fn generate_key(
433 &self,
434 key: &KeyDescriptor,
Shawn Willden8fde4c22021-02-14 13:58:22 -0700[diff] [blame]435 attest_key_descriptor: Option<&KeyDescriptor>,
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]436 params: &[KeyParameter],
Janis Danisevskis2c7f9622020-09-30 16:30:31 -0700[diff] [blame]437 flags: i32,
Paul Crowleyd5653e52021-03-25 09:46:31 -0700[diff] [blame]438 _entropy: &[u8],
Janis Danisevskis2c7f9622020-09-30 16:30:31 -0700[diff] [blame]439 ) -> Result<KeyMetadata> {
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]440 if key.domain != Domain::BLOB && key.alias.is_none() {
441 return Err(error::Error::Km(ErrorCode::INVALID_ARGUMENT))
442 .context("In generate_key: Alias must be specified");
443 }
Hasini Gunasinghea020b532021-01-07 21:42:35 +0000[diff] [blame]444 let caller_uid = ThreadState::get_calling_uid();
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]445
446 let key = match key.domain {
447 Domain::APP => KeyDescriptor {
448 domain: key.domain,
Hasini Gunasinghea020b532021-01-07 21:42:35 +0000[diff] [blame]449 nspace: caller_uid as i64,
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]450 alias: key.alias.clone(),
451 blob: None,
452 },
453 _ => key.clone(),
454 };
455
456 // generate_key requires the rebind permission.
Janis Danisevskis3541f3e2021-03-20 14:18:52 -0700[diff] [blame]457 // Must return on error for security reasons.
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]458 check_key_permission(KeyPerm::rebind(), &key, &None).context("In generate_key.")?;
Janis Danisevskis3541f3e2021-03-20 14:18:52 -0700[diff] [blame]459
460 let attestation_key_info = match (key.domain, attest_key_descriptor) {
461 (Domain::BLOB, _) => None,
Satya Tangiralafdb9c762021-03-09 22:34:22 -0800[diff] [blame]462 _ => DB
Janis Danisevskis3541f3e2021-03-20 14:18:52 -0700[diff] [blame]463 .with(|db| {
464 get_attest_key_info(
Satya Tangiralafdb9c762021-03-09 22:34:22 -0800[diff] [blame]465 &key,
466 caller_uid,
467 attest_key_descriptor,
468 params,
Janis Danisevskis3541f3e2021-03-20 14:18:52 -0700[diff] [blame]469 &self.rem_prov_state,
Satya Tangiralafdb9c762021-03-09 22:34:22 -0800[diff] [blame]470 &mut db.borrow_mut(),
471 )
472 })
473 .context("In generate_key: Trying to get an attestation key")?,
474 };
Janis Danisevskis5cb52dc2021-04-07 16:31:18 -0700[diff] [blame]475 let params = self
476 .add_certificate_parameters(caller_uid, params, &key)
Janis Danisevskis212c68b2021-01-14 22:29:28 -0800[diff] [blame]477 .context("In generate_key: Trying to get aaid.")?;
478
Stephen Crane221bbb52020-12-16 15:52:10 -0800[diff] [blame]479 let km_dev: Strong<dyn IKeyMintDevice> = self.keymint.get_interface()?;
Janis Danisevskis3541f3e2021-03-20 14:18:52 -0700[diff] [blame]480
481 let creation_result = match attestation_key_info {
482 Some(AttestationKeyInfo::UserGenerated {
483 key_id_guard,
484 blob,
485 blob_metadata,
486 issuer_subject,
487 }) => self
488 .upgrade_keyblob_if_required_with(
489 &*km_dev,
490 Some(key_id_guard),
Paul Crowley7a658392021-03-18 17:08:20 -0700[diff] [blame]491 &KeyBlob::Ref(&blob),
492 &blob_metadata,
Janis Danisevskis3541f3e2021-03-20 14:18:52 -0700[diff] [blame]493 &params,
494 |blob| {
495 let attest_key = Some(AttestationKey {
496 keyBlob: blob.to_vec(),
497 attestKeyParams: vec![],
498 issuerSubjectName: issuer_subject.clone(),
499 });
500 map_km_error(km_dev.generateKey(&params, attest_key.as_ref()))
501 },
502 )
503 .context("In generate_key: Using user generated attestation key.")
504 .map(|(result, _)| result),
505 Some(AttestationKeyInfo::RemoteProvisioned { attestation_key, attestation_certs }) => {
506 map_km_error(km_dev.generateKey(&params, Some(&attestation_key)))
507 .context("While generating Key with remote provisioned attestation key.")
508 .map(|mut creation_result| {
509 creation_result.certificateChain.push(attestation_certs);
510 creation_result
511 })
512 }
513 None => map_km_error(km_dev.generateKey(&params, None))
514 .context("While generating Key without explicit attestation key."),
Max Bires97f96812021-02-23 23:44:57 -0800[diff] [blame]515 }
Janis Danisevskis3541f3e2021-03-20 14:18:52 -0700[diff] [blame]516 .context("In generate_key.")?;
517
Hasini Gunasinghea020b532021-01-07 21:42:35 +0000[diff] [blame]518 let user_id = uid_to_android_user(caller_uid);
Hasini Gunasinghedeab85d2021-02-01 21:10:02 +0000[diff] [blame]519 self.store_new_key(key, creation_result, user_id, Some(flags)).context("In generate_key.")
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]520 }
521
522 fn import_key(
523 &self,
524 key: &KeyDescriptor,
Paul Crowleyd5653e52021-03-25 09:46:31 -0700[diff] [blame]525 _attestation_key: Option<&KeyDescriptor>,
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]526 params: &[KeyParameter],
Janis Danisevskis2c7f9622020-09-30 16:30:31 -0700[diff] [blame]527 flags: i32,
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]528 key_data: &[u8],
Janis Danisevskis2c7f9622020-09-30 16:30:31 -0700[diff] [blame]529 ) -> Result<KeyMetadata> {
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]530 if key.domain != Domain::BLOB && key.alias.is_none() {
531 return Err(error::Error::Km(ErrorCode::INVALID_ARGUMENT))
532 .context("In import_key: Alias must be specified");
533 }
Hasini Gunasinghea020b532021-01-07 21:42:35 +0000[diff] [blame]534 let caller_uid = ThreadState::get_calling_uid();
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]535
536 let key = match key.domain {
537 Domain::APP => KeyDescriptor {
538 domain: key.domain,
Hasini Gunasinghea020b532021-01-07 21:42:35 +0000[diff] [blame]539 nspace: caller_uid as i64,
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]540 alias: key.alias.clone(),
541 blob: None,
542 },
543 _ => key.clone(),
544 };
545
546 // import_key requires the rebind permission.
547 check_key_permission(KeyPerm::rebind(), &key, &None).context("In import_key.")?;
548
Janis Danisevskis5cb52dc2021-04-07 16:31:18 -0700[diff] [blame]549 let params = self
550 .add_certificate_parameters(caller_uid, params, &key)
Janis Danisevskis212c68b2021-01-14 22:29:28 -0800[diff] [blame]551 .context("In import_key: Trying to get aaid.")?;
552
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]553 let format = params
554 .iter()
Janis Danisevskisa53c9cf2020-10-26 11:52:33 -0700[diff] [blame]555 .find(|p| p.tag == Tag::ALGORITHM)
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]556 .ok_or(error::Error::Km(ErrorCode::INVALID_ARGUMENT))
557 .context("No KeyParameter 'Algorithm'.")
Janis Danisevskis398e6be2020-12-17 09:29:25 -0800[diff] [blame]558 .and_then(|p| match &p.value {
559 KeyParameterValue::Algorithm(Algorithm::AES)
560 | KeyParameterValue::Algorithm(Algorithm::HMAC)
561 | KeyParameterValue::Algorithm(Algorithm::TRIPLE_DES) => Ok(KeyFormat::RAW),
562 KeyParameterValue::Algorithm(Algorithm::RSA)
563 | KeyParameterValue::Algorithm(Algorithm::EC) => Ok(KeyFormat::PKCS8),
564 v => Err(error::Error::Km(ErrorCode::INVALID_ARGUMENT))
565 .context(format!("Unknown Algorithm {:?}.", v)),
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]566 })
567 .context("In import_key.")?;
568
Stephen Crane221bbb52020-12-16 15:52:10 -0800[diff] [blame]569 let km_dev: Strong<dyn IKeyMintDevice> =
Janis Danisevskis104d8e42021-01-14 22:49:27 -0800[diff] [blame]570 self.keymint.get_interface().context("In import_key: Trying to get the KM device")?;
Shawn Willdenc2f3acf2021-02-03 07:07:17 -0700[diff] [blame]571 let creation_result =
572 map_km_error(km_dev.importKey(&params, format, key_data, None /* attestKey */))
573 .context("In import_key: Trying to call importKey")?;
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]574
Hasini Gunasinghea020b532021-01-07 21:42:35 +0000[diff] [blame]575 let user_id = uid_to_android_user(caller_uid);
Hasini Gunasinghedeab85d2021-02-01 21:10:02 +0000[diff] [blame]576 self.store_new_key(key, creation_result, user_id, Some(flags)).context("In import_key.")
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]577 }
578
579 fn import_wrapped_key(
580 &self,
581 key: &KeyDescriptor,
582 wrapping_key: &KeyDescriptor,
583 masking_key: Option<&[u8]>,
584 params: &[KeyParameter],
585 authenticators: &[AuthenticatorSpec],
Janis Danisevskis2c7f9622020-09-30 16:30:31 -0700[diff] [blame]586 ) -> Result<KeyMetadata> {
Janis Danisevskis32adc7d2021-02-07 14:04:01 -0800[diff] [blame]587 let wrapped_data: &[u8] = match key {
588 KeyDescriptor { domain: Domain::APP, blob: Some(ref blob), alias: Some(_), .. }
589 | KeyDescriptor {
590 domain: Domain::SELINUX, blob: Some(ref blob), alias: Some(_), ..
591 } => blob,
592 _ => {
593 return Err(error::Error::Km(ErrorCode::INVALID_ARGUMENT)).context(format!(
594 concat!(
595 "In import_wrapped_key: Alias and blob must be specified ",
596 "and domain must be APP or SELINUX. {:?}"
597 ),
598 key
599 ))
600 }
601 };
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]602
Janis Danisevskisaec14592020-11-12 09:41:49 -0800[diff] [blame]603 if wrapping_key.domain == Domain::BLOB {
604 return Err(error::Error::Km(ErrorCode::INVALID_ARGUMENT)).context(
605 "In import_wrapped_key: Import wrapped key not supported for self managed blobs.",
606 );
607 }
608
Hasini Gunasinghea020b532021-01-07 21:42:35 +0000[diff] [blame]609 let caller_uid = ThreadState::get_calling_uid();
Hasini Gunasinghedeab85d2021-02-01 21:10:02 +0000[diff] [blame]610 let user_id = uid_to_android_user(caller_uid);
611
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]612 let key = match key.domain {
613 Domain::APP => KeyDescriptor {
614 domain: key.domain,
Hasini Gunasinghea020b532021-01-07 21:42:35 +0000[diff] [blame]615 nspace: caller_uid as i64,
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]616 alias: key.alias.clone(),
617 blob: None,
618 },
Janis Danisevskis32adc7d2021-02-07 14:04:01 -0800[diff] [blame]619 Domain::SELINUX => KeyDescriptor {
620 domain: Domain::SELINUX,
621 nspace: key.nspace,
622 alias: key.alias.clone(),
623 blob: None,
624 },
625 _ => panic!("Unreachable."),
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]626 };
627
Janis Danisevskis7e8b4622021-02-13 10:01:59 -0800[diff] [blame]628 // Import_wrapped_key requires the rebind permission for the new key.
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]629 check_key_permission(KeyPerm::rebind(), &key, &None).context("In import_wrapped_key.")?;
630
Hasini Gunasinghedeab85d2021-02-01 21:10:02 +0000[diff] [blame]631 let (wrapping_key_id_guard, mut wrapping_key_entry) = DB
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]632 .with(|db| {
Hasini Gunasinghe3ed5da72021-02-04 15:18:54 +0000[diff] [blame]633 LEGACY_MIGRATOR.with_try_migrate(&key, caller_uid, || {
634 db.borrow_mut().load_key_entry(
635 &wrapping_key,
636 KeyType::Client,
637 KeyEntryLoadBits::KM,
638 caller_uid,
639 |k, av| check_key_permission(KeyPerm::use_(), k, &av),
640 )
641 })
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]642 })
643 .context("Failed to load wrapping key.")?;
Hasini Gunasinghedeab85d2021-02-01 21:10:02 +0000[diff] [blame]644
645 let (wrapping_key_blob, wrapping_blob_metadata) = wrapping_key_entry
646 .take_key_blob_info()
647 .ok_or_else(error::Error::sys)
648 .context("No km_blob after successfully loading key. This should never happen.")?;
649
650 let wrapping_key_blob =
651 SUPER_KEY.unwrap_key_if_required(&wrapping_blob_metadata, &wrapping_key_blob).context(
652 "In import_wrapped_key. Failed to handle super encryption for wrapping key.",
653 )?;
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]654
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]655 // km_dev.importWrappedKey does not return a certificate chain.
656 // TODO Do we assume that all wrapped keys are symmetric?
657 // let certificate_chain: Vec<KmCertificate> = Default::default();
658
659 let pw_sid = authenticators
660 .iter()
661 .find_map(|a| match a.authenticatorType {
Janis Danisevskisa53c9cf2020-10-26 11:52:33 -0700[diff] [blame]662 HardwareAuthenticatorType::PASSWORD => Some(a.authenticatorId),
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]663 _ => None,
664 })
Janis Danisevskis32adc7d2021-02-07 14:04:01 -0800[diff] [blame]665 .unwrap_or(-1);
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]666
667 let fp_sid = authenticators
668 .iter()
669 .find_map(|a| match a.authenticatorType {
Janis Danisevskisa53c9cf2020-10-26 11:52:33 -0700[diff] [blame]670 HardwareAuthenticatorType::FINGERPRINT => Some(a.authenticatorId),
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]671 _ => None,
672 })
Janis Danisevskis32adc7d2021-02-07 14:04:01 -0800[diff] [blame]673 .unwrap_or(-1);
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]674
675 let masking_key = masking_key.unwrap_or(ZERO_BLOB_32);
676
Stephen Crane221bbb52020-12-16 15:52:10 -0800[diff] [blame]677 let km_dev: Strong<dyn IKeyMintDevice> = self.keymint.get_interface()?;
Janis Danisevskis104d8e42021-01-14 22:49:27 -0800[diff] [blame]678 let (creation_result, _) = self
679 .upgrade_keyblob_if_required_with(
680 &*km_dev,
681 Some(wrapping_key_id_guard),
Paul Crowley7a658392021-03-18 17:08:20 -0700[diff] [blame]682 &wrapping_key_blob,
683 &wrapping_blob_metadata,
Janis Danisevskis104d8e42021-01-14 22:49:27 -0800[diff] [blame]684 &[],
685 |wrapping_blob| {
686 let creation_result = map_km_error(km_dev.importWrappedKey(
687 wrapped_data,
Janis Danisevskis7e8b4622021-02-13 10:01:59 -0800[diff] [blame]688 wrapping_blob,
Janis Danisevskis104d8e42021-01-14 22:49:27 -0800[diff] [blame]689 masking_key,
690 &params,
691 pw_sid,
692 fp_sid,
693 ))?;
694 Ok(creation_result)
695 },
696 )
697 .context("In import_wrapped_key.")?;
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]698
Hasini Gunasinghedeab85d2021-02-01 21:10:02 +0000[diff] [blame]699 self.store_new_key(key, creation_result, user_id, None)
Janis Danisevskis104d8e42021-01-14 22:49:27 -0800[diff] [blame]700 .context("In import_wrapped_key: Trying to store the new key.")
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]701 }
Janis Danisevskisaec14592020-11-12 09:41:49 -0800[diff] [blame]702
Paul Crowley7a658392021-03-18 17:08:20 -0700[diff] [blame]703 fn store_upgraded_keyblob(
704 key_id_guard: KeyIdGuard,
705 km_uuid: Option<&Uuid>,
706 key_blob: &KeyBlob,
707 upgraded_blob: &[u8],
708 ) -> Result<()> {
709 let (upgraded_blob_to_be_stored, new_blob_metadata) =
710 SuperKeyManager::reencrypt_if_required(key_blob, &upgraded_blob)
711 .context("In store_upgraded_keyblob: Failed to handle super encryption.")?;
712
Paul Crowley44c02da2021-04-08 17:04:43 +0000[diff] [blame]713 let mut new_blob_metadata = new_blob_metadata.unwrap_or_default();
Paul Crowley7a658392021-03-18 17:08:20 -0700[diff] [blame]714 if let Some(uuid) = km_uuid {
715 new_blob_metadata.add(BlobMetaEntry::KmUuid(*uuid));
716 }
717
718 DB.with(|db| {
719 let mut db = db.borrow_mut();
720 db.set_blob(
721 &key_id_guard,
722 SubComponentType::KEY_BLOB,
723 Some(&upgraded_blob_to_be_stored),
724 Some(&new_blob_metadata),
725 )
726 })
727 .context("In store_upgraded_keyblob: Failed to insert upgraded blob into the database.")
728 }
729
Janis Danisevskisaec14592020-11-12 09:41:49 -0800[diff] [blame]730 fn upgrade_keyblob_if_required_with<T, F>(
731 &self,
732 km_dev: &dyn IKeyMintDevice,
733 key_id_guard: Option<KeyIdGuard>,
Paul Crowley7a658392021-03-18 17:08:20 -0700[diff] [blame]734 key_blob: &KeyBlob,
735 blob_metadata: &BlobMetaData,
Janis Danisevskisaec14592020-11-12 09:41:49 -0800[diff] [blame]736 params: &[KeyParameter],
737 f: F,
738 ) -> Result<(T, Option<Vec<u8>>)>
739 where
740 F: Fn(&[u8]) -> Result<T, Error>,
741 {
Paul Crowley7a658392021-03-18 17:08:20 -0700[diff] [blame]742 match f(key_blob) {
Janis Danisevskisaec14592020-11-12 09:41:49 -0800[diff] [blame]743 Err(Error::Km(ErrorCode::KEY_REQUIRES_UPGRADE)) => {
Paul Crowley7a658392021-03-18 17:08:20 -0700[diff] [blame]744 let upgraded_blob = map_km_error(km_dev.upgradeKey(key_blob, params))
Janis Danisevskisaec14592020-11-12 09:41:49 -0800[diff] [blame]745 .context("In upgrade_keyblob_if_required_with: Upgrade failed.")?;
Hasini Gunasinghedeab85d2021-02-01 21:10:02 +0000[diff] [blame]746
Paul Crowley7a658392021-03-18 17:08:20 -0700[diff] [blame]747 if let Some(kid) = key_id_guard {
748 Self::store_upgraded_keyblob(
749 kid,
750 blob_metadata.km_uuid(),
751 key_blob,
752 &upgraded_blob,
753 )
754 .context(
755 "In upgrade_keyblob_if_required_with: store_upgraded_keyblob failed",
Hasini Gunasinghedeab85d2021-02-01 21:10:02 +0000[diff] [blame]756 )?;
Hasini Gunasinghedeab85d2021-02-01 21:10:02 +0000[diff] [blame]757 }
758
Janis Danisevskisaec14592020-11-12 09:41:49 -0800[diff] [blame]759 match f(&upgraded_blob) {
760 Ok(v) => Ok((v, Some(upgraded_blob))),
761 Err(e) => Err(e).context(concat!(
762 "In upgrade_keyblob_if_required_with: ",
763 "Failed to perform operation on second try."
764 )),
765 }
766 }
Paul Crowley8d5b2532021-03-19 10:53:07 -0700[diff] [blame]767 result => {
768 if let Some(kid) = key_id_guard {
769 if key_blob.force_reencrypt() {
770 Self::store_upgraded_keyblob(
771 kid,
772 blob_metadata.km_uuid(),
773 key_blob,
774 key_blob,
775 )
776 .context(concat!(
777 "In upgrade_keyblob_if_required_with: ",
778 "store_upgraded_keyblob failed in forced reencrypt"
779 ))?;
780 }
781 }
782 result
783 .map(|v| (v, None))
784 .context("In upgrade_keyblob_if_required_with: Called closure failed.")
785 }
Janis Danisevskisaec14592020-11-12 09:41:49 -0800[diff] [blame]786 }
787 }
Satya Tangirala3361b612021-03-08 14:36:11 -0800[diff] [blame]788
Janis Danisevskisb2434d02021-04-20 12:49:27 -0700[diff] [blame]789 fn convert_storage_key_to_ephemeral(
790 &self,
791 storage_key: &KeyDescriptor,
792 ) -> Result<EphemeralStorageKeyResponse> {
Satya Tangirala3361b612021-03-08 14:36:11 -0800[diff] [blame]793 if storage_key.domain != Domain::BLOB {
794 return Err(error::Error::Km(ErrorCode::INVALID_ARGUMENT)).context(concat!(
795 "In IKeystoreSecurityLevel convert_storage_key_to_ephemeral: ",
796 "Key must be of Domain::BLOB"
797 ));
798 }
799 let key_blob = storage_key
800 .blob
801 .as_ref()
802 .ok_or(error::Error::Km(ErrorCode::INVALID_ARGUMENT))
803 .context(
804 "In IKeystoreSecurityLevel convert_storage_key_to_ephemeral: No key blob specified",
805 )?;
806
807 // convert_storage_key_to_ephemeral requires the associated permission
808 check_key_permission(KeyPerm::convert_storage_key_to_ephemeral(), storage_key, &None)
809 .context("In convert_storage_key_to_ephemeral: Check permission")?;
810
811 let km_dev: Strong<dyn IKeyMintDevice> = self.keymint.get_interface().context(concat!(
812 "In IKeystoreSecurityLevel convert_storage_key_to_ephemeral: ",
813 "Getting keymint device interface"
814 ))?;
Janis Danisevskisb2434d02021-04-20 12:49:27 -0700[diff] [blame]815 match map_km_error(km_dev.convertStorageKeyToEphemeral(key_blob)) {
816 Ok(result) => {
817 Ok(EphemeralStorageKeyResponse { ephemeralKey: result, upgradedBlob: None })
818 }
819 Err(error::Error::Km(ErrorCode::KEY_REQUIRES_UPGRADE)) => {
820 let upgraded_blob = map_km_error(km_dev.upgradeKey(key_blob, &[]))
821 .context("In convert_storage_key_to_ephemeral: Failed to upgrade key blob.")?;
822 let ephemeral_key = map_km_error(km_dev.convertStorageKeyToEphemeral(key_blob))
823 .context(concat!(
824 "In convert_storage_key_to_ephemeral: ",
825 "Failed to retrieve ephemeral key (after upgrade)."
826 ))?;
827 Ok(EphemeralStorageKeyResponse {
828 ephemeralKey: ephemeral_key,
829 upgradedBlob: Some(upgraded_blob),
830 })
831 }
832 Err(e) => Err(e)
833 .context("In convert_storage_key_to_ephemeral: Failed to retrieve ephemeral key."),
834 }
Satya Tangirala3361b612021-03-08 14:36:11 -0800[diff] [blame]835 }
Satya Tangirala04bca0d2021-03-08 22:27:54 -0800[diff] [blame]836
837 fn delete_key(&self, key: &KeyDescriptor) -> Result<()> {
838 if key.domain != Domain::BLOB {
839 return Err(error::Error::Km(ErrorCode::INVALID_ARGUMENT))
840 .context("In IKeystoreSecurityLevel delete_key: Key must be of Domain::BLOB");
841 }
842
843 let key_blob = key
844 .blob
845 .as_ref()
846 .ok_or(error::Error::Km(ErrorCode::INVALID_ARGUMENT))
847 .context("In IKeystoreSecurityLevel delete_key: No key blob specified")?;
848
849 check_key_permission(KeyPerm::delete(), key, &None)
850 .context("In IKeystoreSecurityLevel delete_key: Checking delete permissions")?;
851
852 let km_dev: Strong<dyn IKeyMintDevice> = self
853 .keymint
854 .get_interface()
855 .context("In IKeystoreSecurityLevel delete_key: Getting keymint device interface")?;
856 map_km_error(km_dev.deleteKey(&key_blob)).context("In keymint device deleteKey")
857 }
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]858}
859
860impl binder::Interface for KeystoreSecurityLevel {}
861
862impl IKeystoreSecurityLevel for KeystoreSecurityLevel {
Janis Danisevskis2c7f9622020-09-30 16:30:31 -0700[diff] [blame]863 fn createOperation(
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]864 &self,
865 key: &KeyDescriptor,
866 operation_parameters: &[KeyParameter],
867 forced: bool,
Janis Danisevskis2c7f9622020-09-30 16:30:31 -0700[diff] [blame]868 ) -> binder::public_api::Result<CreateOperationResponse> {
869 map_or_log_err(self.create_operation(key, operation_parameters, forced), Ok)
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]870 }
871 fn generateKey(
872 &self,
873 key: &KeyDescriptor,
Janis Danisevskis2c7f9622020-09-30 16:30:31 -0700[diff] [blame]874 attestation_key: Option<&KeyDescriptor>,
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]875 params: &[KeyParameter],
Janis Danisevskis2c7f9622020-09-30 16:30:31 -0700[diff] [blame]876 flags: i32,
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]877 entropy: &[u8],
Janis Danisevskis2c7f9622020-09-30 16:30:31 -0700[diff] [blame]878 ) -> binder::public_api::Result<KeyMetadata> {
Hasini Gunasingheb7142972021-02-20 03:11:27 +0000[diff] [blame]879 let result = self.generate_key(key, attestation_key, params, flags, entropy);
Hasini Gunasinghe9617fd92021-04-01 22:27:07 +0000[diff] [blame]880 log_key_creation_event_stats(self.security_level, params, &result);
Pavel Grafov94243c22021-04-21 18:03:11 +0100[diff] [blame^]881 log_key_generated(key, ThreadState::get_calling_uid(), result.is_ok());
Hasini Gunasingheb7142972021-02-20 03:11:27 +0000[diff] [blame]882 map_or_log_err(result, Ok)
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]883 }
884 fn importKey(
885 &self,
886 key: &KeyDescriptor,
Janis Danisevskis2c7f9622020-09-30 16:30:31 -0700[diff] [blame]887 attestation_key: Option<&KeyDescriptor>,
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]888 params: &[KeyParameter],
Janis Danisevskis2c7f9622020-09-30 16:30:31 -0700[diff] [blame]889 flags: i32,
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]890 key_data: &[u8],
Janis Danisevskis2c7f9622020-09-30 16:30:31 -0700[diff] [blame]891 ) -> binder::public_api::Result<KeyMetadata> {
Hasini Gunasingheb7142972021-02-20 03:11:27 +0000[diff] [blame]892 let result = self.import_key(key, attestation_key, params, flags, key_data);
Hasini Gunasinghe9617fd92021-04-01 22:27:07 +0000[diff] [blame]893 log_key_creation_event_stats(self.security_level, params, &result);
Pavel Grafov94243c22021-04-21 18:03:11 +0100[diff] [blame^]894 log_key_imported(key, ThreadState::get_calling_uid(), result.is_ok());
Hasini Gunasingheb7142972021-02-20 03:11:27 +0000[diff] [blame]895 map_or_log_err(result, Ok)
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]896 }
897 fn importWrappedKey(
898 &self,
899 key: &KeyDescriptor,
900 wrapping_key: &KeyDescriptor,
901 masking_key: Option<&[u8]>,
902 params: &[KeyParameter],
903 authenticators: &[AuthenticatorSpec],
Janis Danisevskis2c7f9622020-09-30 16:30:31 -0700[diff] [blame]904 ) -> binder::public_api::Result<KeyMetadata> {
Hasini Gunasingheb7142972021-02-20 03:11:27 +0000[diff] [blame]905 let result =
906 self.import_wrapped_key(key, wrapping_key, masking_key, params, authenticators);
Hasini Gunasinghe9617fd92021-04-01 22:27:07 +0000[diff] [blame]907 log_key_creation_event_stats(self.security_level, params, &result);
Pavel Grafov94243c22021-04-21 18:03:11 +0100[diff] [blame^]908 log_key_imported(key, ThreadState::get_calling_uid(), result.is_ok());
Hasini Gunasingheb7142972021-02-20 03:11:27 +0000[diff] [blame]909 map_or_log_err(result, Ok)
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]910 }
Satya Tangirala3361b612021-03-08 14:36:11 -0800[diff] [blame]911 fn convertStorageKeyToEphemeral(
912 &self,
913 storage_key: &KeyDescriptor,
Janis Danisevskisb2434d02021-04-20 12:49:27 -0700[diff] [blame]914 ) -> binder::public_api::Result<EphemeralStorageKeyResponse> {
Satya Tangirala3361b612021-03-08 14:36:11 -0800[diff] [blame]915 map_or_log_err(self.convert_storage_key_to_ephemeral(storage_key), Ok)
916 }
Satya Tangirala04bca0d2021-03-08 22:27:54 -0800[diff] [blame]917 fn deleteKey(&self, key: &KeyDescriptor) -> binder::public_api::Result<()> {
Pavel Grafov94243c22021-04-21 18:03:11 +0100[diff] [blame^]918 let result = self.delete_key(key);
919 log_key_deleted(key, ThreadState::get_calling_uid(), result.is_ok());
920 map_or_log_err(result, Ok)
Satya Tangirala04bca0d2021-03-08 22:27:54 -0800[diff] [blame]921 }
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]922}