Shawn Willden | 6507c27 | 2016-01-05 22:51:48 -0700 | [diff] [blame^] | 1 | /* |
| 2 | * Copyright (C) 2016 The Android Open Source Project |
| 3 | * |
| 4 | * Licensed under the Apache License, Version 2.0 (the "License"); |
| 5 | * you may not use this file except in compliance with the License. |
| 6 | * You may obtain a copy of the License at |
| 7 | * |
| 8 | * http://www.apache.org/licenses/LICENSE-2.0 |
| 9 | * |
| 10 | * Unless required by applicable law or agreed to in writing, software |
| 11 | * distributed under the License is distributed on an "AS IS" BASIS, |
| 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| 13 | * See the License for the specific language governing permissions and |
| 14 | * limitations under the License. |
| 15 | */ |
| 16 | |
| 17 | #ifndef KEYSTORE_KEYSTORE_H_ |
| 18 | #define KEYSTORE_KEYSTORE_H_ |
| 19 | |
| 20 | #include "user_state.h" |
| 21 | |
| 22 | #include <hardware/keymaster1.h> |
| 23 | |
| 24 | #include <utils/Vector.h> |
| 25 | |
| 26 | #include "blob.h" |
| 27 | |
| 28 | typedef struct { |
| 29 | uint32_t uid; |
| 30 | const uint8_t* filename; |
| 31 | } grant_t; |
| 32 | |
| 33 | class KeyStore { |
| 34 | public: |
| 35 | KeyStore(Entropy* entropy, keymaster1_device_t* device, keymaster1_device_t* fallback); |
| 36 | ~KeyStore(); |
| 37 | |
| 38 | /** |
| 39 | * Depending on the hardware keymaster version is this may return a |
| 40 | * keymaster0_device_t* cast to a keymaster1_device_t*. All methods from |
| 41 | * keymaster0 are safe to call, calls to keymaster1_device_t methods should |
| 42 | * be guarded by a check on the device's version. |
| 43 | */ |
| 44 | keymaster1_device_t* getDevice() const { return mDevice; } |
| 45 | |
| 46 | keymaster1_device_t* getFallbackDevice() const { return mFallbackDevice; } |
| 47 | |
| 48 | keymaster1_device_t* getDeviceForBlob(const Blob& blob) const { |
| 49 | return blob.isFallback() ? mFallbackDevice : mDevice; |
| 50 | } |
| 51 | |
| 52 | ResponseCode initialize(); |
| 53 | |
| 54 | State getState(uid_t userId) { return getUserState(userId)->getState(); } |
| 55 | |
| 56 | ResponseCode initializeUser(const android::String8& pw, uid_t userId); |
| 57 | |
| 58 | ResponseCode copyMasterKey(uid_t srcUser, uid_t dstUser); |
| 59 | ResponseCode writeMasterKey(const android::String8& pw, uid_t userId); |
| 60 | ResponseCode readMasterKey(const android::String8& pw, uid_t userId); |
| 61 | |
| 62 | android::String8 getKeyName(const android::String8& keyName); |
| 63 | android::String8 getKeyNameForUid(const android::String8& keyName, uid_t uid); |
| 64 | android::String8 getKeyNameForUidWithDir(const android::String8& keyName, uid_t uid); |
| 65 | |
| 66 | /* |
| 67 | * Delete entries owned by userId. If keepUnencryptedEntries is true |
| 68 | * then only encrypted entries will be removed, otherwise all entries will |
| 69 | * be removed. |
| 70 | */ |
| 71 | void resetUser(uid_t userId, bool keepUnenryptedEntries); |
| 72 | bool isEmpty(uid_t userId) const; |
| 73 | |
| 74 | void lock(uid_t userId); |
| 75 | |
| 76 | ResponseCode get(const char* filename, Blob* keyBlob, const BlobType type, uid_t userId); |
| 77 | ResponseCode put(const char* filename, Blob* keyBlob, uid_t userId); |
| 78 | ResponseCode del(const char* filename, const BlobType type, uid_t userId); |
| 79 | ResponseCode list(const android::String8& prefix, android::Vector<android::String16>* matches, |
| 80 | uid_t userId); |
| 81 | |
| 82 | void addGrant(const char* filename, uid_t granteeUid); |
| 83 | bool removeGrant(const char* filename, uid_t granteeUid); |
| 84 | bool hasGrant(const char* filename, const uid_t uid) const { |
| 85 | return getGrant(filename, uid) != NULL; |
| 86 | } |
| 87 | |
| 88 | ResponseCode importKey(const uint8_t* key, size_t keyLen, const char* filename, uid_t userId, |
| 89 | int32_t flags); |
| 90 | |
| 91 | bool isHardwareBacked(const android::String16& keyType) const; |
| 92 | |
| 93 | ResponseCode getKeyForName(Blob* keyBlob, const android::String8& keyName, const uid_t uid, |
| 94 | const BlobType type); |
| 95 | |
| 96 | /** |
| 97 | * Returns any existing UserState or creates it if it doesn't exist. |
| 98 | */ |
| 99 | UserState* getUserState(uid_t userId); |
| 100 | |
| 101 | /** |
| 102 | * Returns any existing UserState or creates it if it doesn't exist. |
| 103 | */ |
| 104 | UserState* getUserStateByUid(uid_t uid); |
| 105 | |
| 106 | /** |
| 107 | * Returns NULL if the UserState doesn't already exist. |
| 108 | */ |
| 109 | const UserState* getUserState(uid_t userId) const; |
| 110 | |
| 111 | /** |
| 112 | * Returns NULL if the UserState doesn't already exist. |
| 113 | */ |
| 114 | const UserState* getUserStateByUid(uid_t uid) const; |
| 115 | |
| 116 | private: |
| 117 | static const char* sOldMasterKey; |
| 118 | static const char* sMetaDataFile; |
| 119 | static const android::String16 sRSAKeyType; |
| 120 | static const android::String16 sECKeyType; |
| 121 | Entropy* mEntropy; |
| 122 | |
| 123 | keymaster1_device_t* mDevice; |
| 124 | keymaster1_device_t* mFallbackDevice; |
| 125 | |
| 126 | android::Vector<UserState*> mMasterKeys; |
| 127 | |
| 128 | android::Vector<grant_t*> mGrants; |
| 129 | |
| 130 | typedef struct { uint32_t version; } keystore_metadata_t; |
| 131 | |
| 132 | keystore_metadata_t mMetaData; |
| 133 | |
| 134 | const grant_t* getGrant(const char* filename, uid_t uid) const; |
| 135 | |
| 136 | /** |
| 137 | * Upgrade the key from the current version to whatever is newest. |
| 138 | */ |
| 139 | bool upgradeBlob(const char* filename, Blob* blob, const uint8_t oldVersion, |
| 140 | const BlobType type, uid_t uid); |
| 141 | |
| 142 | /** |
| 143 | * Takes a blob that is an PEM-encoded RSA key as a byte array and converts it to a DER-encoded |
| 144 | * PKCS#8 for import into a keymaster. Then it overwrites the original blob with the new blob |
| 145 | * format that is returned from the keymaster. |
| 146 | */ |
| 147 | ResponseCode importBlobAsKey(Blob* blob, const char* filename, uid_t uid); |
| 148 | |
| 149 | void readMetaData(); |
| 150 | void writeMetaData(); |
| 151 | |
| 152 | bool upgradeKeystore(); |
| 153 | }; |
| 154 | |
| 155 | #endif // KEYSTORE_KEYSTORE_H_ |