Refactor keystore.
This CL isn't nearly as big as it looks. It doesn't change keystore
functionality, it just moves all of the classes out of the former
keystore.cpp into their own .h and .cpp files.
Note that this is a cherry-pick from:
https://android-review.googlesource.com/#/c/194971
Change-Id: Ide326c4f1d03984994d1bd9a76fa68d37da230dc
diff --git a/keystore/key_store_service.h b/keystore/key_store_service.h
new file mode 100644
index 0000000..85dc966
--- /dev/null
+++ b/keystore/key_store_service.h
@@ -0,0 +1,230 @@
+/*
+ * Copyright (C) 2016 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#ifndef KEYSTORE_KEYSTORE_SERVICE_H_
+#define KEYSTORE_KEYSTORE_SERVICE_H_
+
+#include <keystore/IKeystoreService.h>
+
+#include "auth_token_table.h"
+#include "keystore.h"
+#include "keystore_keymaster_enforcement.h"
+#include "operation.h"
+#include "permissions.h"
+
+namespace android {
+
+class KeyStoreService : public BnKeystoreService, public IBinder::DeathRecipient {
+ public:
+ KeyStoreService(KeyStore* keyStore) : mKeyStore(keyStore), mOperationMap(this) {}
+
+ void binderDied(const wp<IBinder>& who);
+
+ int32_t getState(int32_t userId);
+
+ int32_t get(const String16& name, int32_t uid, uint8_t** item, size_t* itemLength);
+ int32_t insert(const String16& name, const uint8_t* item, size_t itemLength, int targetUid,
+ int32_t flags);
+ int32_t del(const String16& name, int targetUid);
+ int32_t exist(const String16& name, int targetUid);
+ int32_t list(const String16& prefix, int targetUid, Vector<String16>* matches);
+
+ int32_t reset();
+
+ int32_t onUserPasswordChanged(int32_t userId, const String16& password);
+ int32_t onUserAdded(int32_t userId, int32_t parentId);
+ int32_t onUserRemoved(int32_t userId);
+
+ int32_t lock(int32_t userId);
+ int32_t unlock(int32_t userId, const String16& pw);
+
+ bool isEmpty(int32_t userId);
+
+ int32_t generate(const String16& name, int32_t targetUid, int32_t keyType, int32_t keySize,
+ int32_t flags, Vector<sp<KeystoreArg>>* args);
+ int32_t import(const String16& name, const uint8_t* data, size_t length, int targetUid,
+ int32_t flags);
+ int32_t sign(const String16& name, const uint8_t* data, size_t length, uint8_t** out,
+ size_t* outLength);
+ int32_t verify(const String16& name, const uint8_t* data, size_t dataLength,
+ const uint8_t* signature, size_t signatureLength);
+
+ /*
+ * TODO: The abstraction between things stored in hardware and regular blobs
+ * of data stored on the filesystem should be moved down to keystore itself.
+ * Unfortunately the Java code that calls this has naming conventions that it
+ * knows about. Ideally keystore shouldn't be used to store random blobs of
+ * data.
+ *
+ * Until that happens, it's necessary to have a separate "get_pubkey" and
+ * "del_key" since the Java code doesn't really communicate what it's
+ * intentions are.
+ */
+ int32_t get_pubkey(const String16& name, uint8_t** pubkey, size_t* pubkeyLength);
+
+ int32_t grant(const String16& name, int32_t granteeUid);
+ int32_t ungrant(const String16& name, int32_t granteeUid);
+
+ int64_t getmtime(const String16& name, int32_t uid);
+
+ int32_t duplicate(const String16& srcKey, int32_t srcUid, const String16& destKey,
+ int32_t destUid);
+
+ int32_t is_hardware_backed(const String16& keyType);
+
+ int32_t clear_uid(int64_t targetUid64);
+
+ int32_t addRngEntropy(const uint8_t* data, size_t dataLength);
+ int32_t generateKey(const String16& name, const KeymasterArguments& params,
+ const uint8_t* entropy, size_t entropyLength, int uid, int flags,
+ KeyCharacteristics* outCharacteristics);
+ int32_t getKeyCharacteristics(const String16& name, const keymaster_blob_t* clientId,
+ const keymaster_blob_t* appData, int32_t uid,
+ KeyCharacteristics* outCharacteristics);
+ int32_t importKey(const String16& name, const KeymasterArguments& params,
+ keymaster_key_format_t format, const uint8_t* keyData, size_t keyLength,
+ int uid, int flags, KeyCharacteristics* outCharacteristics);
+ void exportKey(const String16& name, keymaster_key_format_t format,
+ const keymaster_blob_t* clientId, const keymaster_blob_t* appData, int32_t uid,
+ ExportResult* result);
+ void begin(const sp<IBinder>& appToken, const String16& name, keymaster_purpose_t purpose,
+ bool pruneable, const KeymasterArguments& params, const uint8_t* entropy,
+ size_t entropyLength, int32_t uid, OperationResult* result);
+ void update(const sp<IBinder>& token, const KeymasterArguments& params, const uint8_t* data,
+ size_t dataLength, OperationResult* result);
+ void finish(const sp<IBinder>& token, const KeymasterArguments& params,
+ const uint8_t* signature, size_t signatureLength, const uint8_t* entropy,
+ size_t entropyLength, OperationResult* result);
+ int32_t abort(const sp<IBinder>& token);
+
+ bool isOperationAuthorized(const sp<IBinder>& token);
+
+ int32_t addAuthToken(const uint8_t* token, size_t length);
+
+ private:
+ static const int32_t UID_SELF = -1;
+
+ /**
+ * Prune the oldest pruneable operation.
+ */
+ bool pruneOperation();
+
+ /**
+ * Get the effective target uid for a binder operation that takes an
+ * optional uid as the target.
+ */
+ uid_t getEffectiveUid(int32_t targetUid);
+
+ /**
+ * Check if the caller of the current binder method has the required
+ * permission and if acting on other uids the grants to do so.
+ */
+ bool checkBinderPermission(perm_t permission, int32_t targetUid = UID_SELF);
+
+ /**
+ * Check if the caller of the current binder method has the required
+ * permission and the target uid is the caller or the caller is system.
+ */
+ bool checkBinderPermissionSelfOrSystem(perm_t permission, int32_t targetUid);
+
+ /**
+ * Check if the caller of the current binder method has the required
+ * permission or the target of the operation is the caller's uid. This is
+ * for operation where the permission is only for cross-uid activity and all
+ * uids are allowed to act on their own (ie: clearing all entries for a
+ * given uid).
+ */
+ bool checkBinderPermissionOrSelfTarget(perm_t permission, int32_t targetUid);
+
+ /**
+ * Helper method to check that the caller has the required permission as
+ * well as the keystore is in the unlocked state if checkUnlocked is true.
+ *
+ * Returns NO_ERROR on success, PERMISSION_DENIED on a permission error and
+ * otherwise the state of keystore when not unlocked and checkUnlocked is
+ * true.
+ */
+ int32_t checkBinderPermissionAndKeystoreState(perm_t permission, int32_t targetUid = -1,
+ bool checkUnlocked = true);
+
+ bool isKeystoreUnlocked(State state);
+
+ bool isKeyTypeSupported(const keymaster1_device_t* device, keymaster_keypair_t keyType);
+
+ /**
+ * Check that all keymaster_key_param_t's provided by the application are
+ * allowed. Any parameter that keystore adds itself should be disallowed here.
+ */
+ bool checkAllowedOperationParams(const std::vector<keymaster_key_param_t>& params);
+
+ keymaster_error_t getOperationCharacteristics(const keymaster_key_blob_t& key,
+ const keymaster1_device_t* dev,
+ const std::vector<keymaster_key_param_t>& params,
+ keymaster_key_characteristics_t* out);
+
+ /**
+ * Get the auth token for this operation from the auth token table.
+ *
+ * Returns ::NO_ERROR if the auth token was set or none was required.
+ * ::OP_AUTH_NEEDED if it is a per op authorization, no
+ * authorization token exists for that operation and
+ * failOnTokenMissing is false.
+ * KM_ERROR_KEY_USER_NOT_AUTHENTICATED if there is no valid auth
+ * token for the operation
+ */
+ int32_t getAuthToken(const keymaster_key_characteristics_t* characteristics,
+ keymaster_operation_handle_t handle, keymaster_purpose_t purpose,
+ const hw_auth_token_t** authToken, bool failOnTokenMissing = true);
+
+ void addAuthToParams(std::vector<keymaster_key_param_t>* params, const hw_auth_token_t* token);
+
+ /**
+ * Add the auth token for the operation to the param list if the operation
+ * requires authorization. Uses the cached result in the OperationMap if available
+ * otherwise gets the token from the AuthTokenTable and caches the result.
+ *
+ * Returns ::NO_ERROR if the auth token was added or not needed.
+ * KM_ERROR_KEY_USER_NOT_AUTHENTICATED if the operation is not
+ * authenticated.
+ * KM_ERROR_INVALID_OPERATION_HANDLE if token is not a valid
+ * operation token.
+ */
+ int32_t addOperationAuthTokenIfNeeded(sp<IBinder> token,
+ std::vector<keymaster_key_param_t>* params);
+
+ /**
+ * Translate a result value to a legacy return value. All keystore errors are
+ * preserved and keymaster errors become SYSTEM_ERRORs
+ */
+ int32_t translateResultToLegacyResult(int32_t result);
+
+ keymaster_key_param_t* getKeyAlgorithm(keymaster_key_characteristics_t* characteristics);
+
+ void addLegacyBeginParams(const String16& name, std::vector<keymaster_key_param_t>& params);
+
+ int32_t doLegacySignVerify(const String16& name, const uint8_t* data, size_t length,
+ uint8_t** out, size_t* outLength, const uint8_t* signature,
+ size_t signatureLength, keymaster_purpose_t purpose);
+
+ ::KeyStore* mKeyStore;
+ OperationMap mOperationMap;
+ keymaster::AuthTokenTable mAuthTokenTable;
+ KeystoreKeymasterEnforcement enforcement_policy;
+};
+
+}; // namespace android
+
+#endif // KEYSTORE_KEYSTORE_SERVICE_H_