| David Zeuthen | ab3e565 | 2019-10-28 13:32:48 -0400 | [diff] [blame^] | 1 | /* |
| 2 | * Copyright (c) 2019, The Android Open Source Project |
| 3 | * |
| 4 | * Licensed under the Apache License, Version 2.0 (the "License"); |
| 5 | * you may not use this file except in compliance with the License. |
| 6 | * You may obtain a copy of the License at |
| 7 | * |
| 8 | * http://www.apache.org/licenses/LICENSE-2.0 |
| 9 | * |
| 10 | * Unless required by applicable law or agreed to in writing, software |
| 11 | * distributed under the License is distributed on an "AS IS" BASIS, |
| 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| 13 | * See the License for the specific language governing permissions and |
| 14 | * limitations under the License. |
| 15 | */ |
| 16 | |
| 17 | #ifndef SYSTEM_SECURITY_CREDENTIAL_DATA_H_ |
| 18 | #define SYSTEM_SECURITY_CREDENTIAL_DATA_H_ |
| 19 | |
| 20 | #include <sys/types.h> |
| 21 | #include <unistd.h> |
| 22 | |
| 23 | #include <map> |
| 24 | #include <string> |
| 25 | #include <utility> |
| 26 | #include <vector> |
| 27 | |
| 28 | #include <android/hardware/identity/1.0/IIdentityCredential.h> |
| 29 | #include <android/hardware/identity/1.0/types.h> |
| 30 | |
| 31 | namespace android { |
| 32 | namespace security { |
| 33 | namespace identity { |
| 34 | |
| 35 | using ::android::hardware::identity::V1_0::SecureAccessControlProfile; |
| 36 | using ::std::map; |
| 37 | using ::std::optional; |
| 38 | using ::std::pair; |
| 39 | using ::std::string; |
| 40 | using ::std::tuple; |
| 41 | using ::std::vector; |
| 42 | |
| 43 | struct EntryData { |
| 44 | EntryData() {} |
| 45 | |
| 46 | uint64_t size = 0; |
| 47 | vector<uint16_t> accessControlProfileIds; |
| 48 | vector<vector<uint8_t>> encryptedChunks; |
| 49 | }; |
| 50 | |
| 51 | struct AuthKeyData { |
| 52 | AuthKeyData() {} |
| 53 | |
| 54 | vector<uint8_t> certificate; |
| 55 | vector<uint8_t> keyBlob; |
| 56 | vector<uint8_t> staticAuthenticationData; |
| 57 | vector<uint8_t> pendingCertificate; |
| 58 | vector<uint8_t> pendingKeyBlob; |
| 59 | int useCount = 0; |
| 60 | }; |
| 61 | |
| 62 | class CredentialData : public RefBase { |
| 63 | public: |
| 64 | CredentialData(const string& dataPath, uid_t ownerUid, const string& name); |
| 65 | |
| 66 | static string calculateCredentialFileName(const string& dataPath, uid_t ownerUid, |
| 67 | const string& name); |
| 68 | |
| 69 | static optional<bool> credentialExists(const string& dataPath, uid_t ownerUid, |
| 70 | const string& name); |
| 71 | |
| 72 | void setSecureUserId(int64_t secureUserId); |
| 73 | |
| 74 | void setCredentialData(const vector<uint8_t>& credentialData); |
| 75 | |
| 76 | void setAttestationCertificate(const vector<uint8_t>& attestationCertificate); |
| 77 | |
| 78 | void |
| 79 | addSecureAccessControlProfile(const SecureAccessControlProfile& secureAccessControlProfile); |
| 80 | |
| 81 | void addEntryData(const string& namespaceName, const string& entryName, const EntryData& data); |
| 82 | |
| 83 | bool saveToDisk() const; |
| 84 | |
| 85 | bool loadFromDisk(); |
| 86 | |
| 87 | bool deleteCredential(); |
| 88 | |
| 89 | void setAvailableAuthenticationKeys(int keyCount, int maxUsesPerKey); |
| 90 | |
| 91 | // Getters |
| 92 | |
| 93 | int64_t getSecureUserId(); |
| 94 | |
| 95 | const vector<uint8_t>& getCredentialData() const; |
| 96 | |
| 97 | const vector<uint8_t>& getAttestationCertificate() const; |
| 98 | |
| 99 | const vector<SecureAccessControlProfile>& getSecureAccessControlProfiles() const; |
| 100 | |
| 101 | bool hasEntryData(const string& namespaceName, const string& entryName) const; |
| 102 | |
| 103 | optional<EntryData> getEntryData(const string& namespaceName, const string& entryName) const; |
| 104 | |
| 105 | const vector<AuthKeyData>& getAuthKeyDatas() const; |
| 106 | |
| 107 | // Returns |nullptr| if a suitable key cannot be found. Otherwise returns |
| 108 | // the authentication and increases its use-count. |
| 109 | const AuthKeyData* selectAuthKey(bool allowUsingExhaustedKeys); |
| 110 | |
| 111 | optional<vector<vector<uint8_t>>> getAuthKeysNeedingCertification( |
| 112 | const sp<android::hardware::identity::V1_0::IIdentityCredential>& halBinder); |
| 113 | |
| 114 | bool storeStaticAuthenticationData(const vector<uint8_t>& authenticationKey, |
| 115 | const vector<uint8_t>& staticAuthData); |
| 116 | |
| 117 | private: |
| 118 | // Set by constructor. |
| 119 | // |
| 120 | string dataPath_; |
| 121 | uid_t ownerUid_; |
| 122 | string name_; |
| 123 | |
| 124 | // Calculated at construction time, from |dataPath_|, |ownerUid_|, |name_|. |
| 125 | string fileName_; |
| 126 | |
| 127 | // Data serialized in CBOR from here: |
| 128 | // |
| 129 | int64_t secureUserId_; |
| 130 | vector<uint8_t> credentialData_; |
| 131 | vector<uint8_t> attestationCertificate_; |
| 132 | vector<SecureAccessControlProfile> secureAccessControlProfiles_; |
| 133 | map<string, EntryData> idToEncryptedChunks_; |
| 134 | |
| 135 | int keyCount_ = 0; |
| 136 | int maxUsesPerKey_ = 1; |
| 137 | vector<AuthKeyData> authKeyDatas_; // Always |keyCount_| long. |
| 138 | }; |
| 139 | |
| 140 | } // namespace identity |
| 141 | } // namespace security |
| 142 | } // namespace android |
| 143 | |
| 144 | #endif // SYSTEM_SECURITY_CREDENTIAL_DATA_H_ |