Blame - keystore/keystore.h - platform/system/security

blob: 5ef88426b65ba0a97a074d11d61b82141da048fb [file] [log] [blame]

Shawn Willden	6507c27	2016-01-05 22:51:48 -0700	[diff] [blame^]	1	/*
				2	* Copyright (C) 2016 The Android Open Source Project
				3	*
				4	* Licensed under the Apache License, Version 2.0 (the "License");
				5	* you may not use this file except in compliance with the License.
				6	* You may obtain a copy of the License at
				7	*
				8	* http://www.apache.org/licenses/LICENSE-2.0
				9	*
				10	* Unless required by applicable law or agreed to in writing, software
				11	* distributed under the License is distributed on an "AS IS" BASIS,
				12	* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
				13	* See the License for the specific language governing permissions and
				14	* limitations under the License.
				15	*/
				16
				17	#ifndef KEYSTORE_KEYSTORE_H_
				18	#define KEYSTORE_KEYSTORE_H_
				19
				20	#include "user_state.h"
				21
				22	#include <hardware/keymaster1.h>
				23
				24	#include <utils/Vector.h>
				25
				26	#include "blob.h"
				27
				28	typedef struct {
				29	uint32_t uid;
				30	const uint8_t* filename;
				31	} grant_t;
				32
				33	class KeyStore {
				34	public:
				35	KeyStore(Entropy* entropy, keymaster1_device_t* device, keymaster1_device_t* fallback);
				36	~KeyStore();
				37
				38	/**
				39	* Depending on the hardware keymaster version is this may return a
				40	* keymaster0_device_t* cast to a keymaster1_device_t*. All methods from
				41	* keymaster0 are safe to call, calls to keymaster1_device_t methods should
				42	* be guarded by a check on the device's version.
				43	*/
				44	keymaster1_device_t* getDevice() const { return mDevice; }
				45
				46	keymaster1_device_t* getFallbackDevice() const { return mFallbackDevice; }
				47
				48	keymaster1_device_t* getDeviceForBlob(const Blob& blob) const {
				49	return blob.isFallback() ? mFallbackDevice : mDevice;
				50	}
				51
				52	ResponseCode initialize();
				53
				54	State getState(uid_t userId) { return getUserState(userId)->getState(); }
				55
				56	ResponseCode initializeUser(const android::String8& pw, uid_t userId);
				57
				58	ResponseCode copyMasterKey(uid_t srcUser, uid_t dstUser);
				59	ResponseCode writeMasterKey(const android::String8& pw, uid_t userId);
				60	ResponseCode readMasterKey(const android::String8& pw, uid_t userId);
				61
				62	android::String8 getKeyName(const android::String8& keyName);
				63	android::String8 getKeyNameForUid(const android::String8& keyName, uid_t uid);
				64	android::String8 getKeyNameForUidWithDir(const android::String8& keyName, uid_t uid);
				65
				66	/*
				67	* Delete entries owned by userId. If keepUnencryptedEntries is true
				68	* then only encrypted entries will be removed, otherwise all entries will
				69	* be removed.
				70	*/
				71	void resetUser(uid_t userId, bool keepUnenryptedEntries);
				72	bool isEmpty(uid_t userId) const;
				73
				74	void lock(uid_t userId);
				75
				76	ResponseCode get(const char* filename, Blob* keyBlob, const BlobType type, uid_t userId);
				77	ResponseCode put(const char* filename, Blob* keyBlob, uid_t userId);
				78	ResponseCode del(const char* filename, const BlobType type, uid_t userId);
				79	ResponseCode list(const android::String8& prefix, android::Vector<android::String16>* matches,
				80	uid_t userId);
				81
				82	void addGrant(const char* filename, uid_t granteeUid);
				83	bool removeGrant(const char* filename, uid_t granteeUid);
				84	bool hasGrant(const char* filename, const uid_t uid) const {
				85	return getGrant(filename, uid) != NULL;
				86	}
				87
				88	ResponseCode importKey(const uint8_t* key, size_t keyLen, const char* filename, uid_t userId,
				89	int32_t flags);
				90
				91	bool isHardwareBacked(const android::String16& keyType) const;
				92
				93	ResponseCode getKeyForName(Blob* keyBlob, const android::String8& keyName, const uid_t uid,
				94	const BlobType type);
				95
				96	/**
				97	* Returns any existing UserState or creates it if it doesn't exist.
				98	*/
				99	UserState* getUserState(uid_t userId);
				100
				101	/**
				102	* Returns any existing UserState or creates it if it doesn't exist.
				103	*/
				104	UserState* getUserStateByUid(uid_t uid);
				105
				106	/**
				107	* Returns NULL if the UserState doesn't already exist.
				108	*/
				109	const UserState* getUserState(uid_t userId) const;
				110
				111	/**
				112	* Returns NULL if the UserState doesn't already exist.
				113	*/
				114	const UserState* getUserStateByUid(uid_t uid) const;
				115
				116	private:
				117	static const char* sOldMasterKey;
				118	static const char* sMetaDataFile;
				119	static const android::String16 sRSAKeyType;
				120	static const android::String16 sECKeyType;
				121	Entropy* mEntropy;
				122
				123	keymaster1_device_t* mDevice;
				124	keymaster1_device_t* mFallbackDevice;
				125
				126	android::Vector<UserState*> mMasterKeys;
				127
				128	android::Vector<grant_t*> mGrants;
				129
				130	typedef struct { uint32_t version; } keystore_metadata_t;
				131
				132	keystore_metadata_t mMetaData;
				133
				134	const grant_t* getGrant(const char* filename, uid_t uid) const;
				135
				136	/**
				137	* Upgrade the key from the current version to whatever is newest.
				138	*/
				139	bool upgradeBlob(const char* filename, Blob* blob, const uint8_t oldVersion,
				140	const BlobType type, uid_t uid);
				141
				142	/**
				143	* Takes a blob that is an PEM-encoded RSA key as a byte array and converts it to a DER-encoded
				144	* PKCS#8 for import into a keymaster. Then it overwrites the original blob with the new blob
				145	* format that is returned from the keymaster.
				146	*/
				147	ResponseCode importBlobAsKey(Blob* blob, const char* filename, uid_t uid);
				148
				149	void readMetaData();
				150	void writeMetaData();
				151
				152	bool upgradeKeystore();
				153	};
				154
				155	#endif // KEYSTORE_KEYSTORE_H_