Shawn Willden | c1d1fee | 2016-01-26 22:44:56 -0700 | [diff] [blame] | 1 | /* |
| 2 | * Copyright (C) 2016 The Android Open Source Project |
| 3 | * |
| 4 | * Licensed under the Apache License, Version 2.0 (the "License"); |
| 5 | * you may not use this file except in compliance with the License. |
| 6 | * You may obtain a copy of the License at |
| 7 | * |
| 8 | * http://www.apache.org/licenses/LICENSE-2.0 |
| 9 | * |
| 10 | * Unless required by applicable law or agreed to in writing, software |
| 11 | * distributed under the License is distributed on an "AS IS" BASIS, |
| 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| 13 | * See the License for the specific language governing permissions and |
| 14 | * limitations under the License. |
| 15 | */ |
| 16 | |
| 17 | #ifndef KEYSTORE_KEYSTORE_SERVICE_H_ |
| 18 | #define KEYSTORE_KEYSTORE_SERVICE_H_ |
| 19 | |
Rob Barnes | bb6cabd | 2018-10-04 17:10:37 -0600 | [diff] [blame] | 20 | #include <android/security/keystore/BnKeystoreService.h> |
Shawn Willden | 98c5916 | 2016-03-20 09:10:18 -0600 | [diff] [blame] | 21 | |
Shawn Willden | c1d1fee | 2016-01-26 22:44:56 -0700 | [diff] [blame] | 22 | #include "auth_token_table.h" |
David Zeuthen | c6eb7cd | 2017-11-27 11:33:55 -0500 | [diff] [blame] | 23 | #include "confirmation_manager.h" |
Dmitry Dementyev | a447b3c | 2017-10-27 23:09:53 -0700 | [diff] [blame] | 24 | |
Shawn Willden | fa5702f | 2017-12-03 15:14:58 -0700 | [diff] [blame] | 25 | #include "KeyStore.h" |
Shawn Willden | c1d1fee | 2016-01-26 22:44:56 -0700 | [diff] [blame] | 26 | #include "keystore_keymaster_enforcement.h" |
| 27 | #include "operation.h" |
| 28 | #include "permissions.h" |
| 29 | |
Janis Danisevskis | ff3d7f4 | 2018-10-08 07:15:09 -0700 | [diff] [blame] | 30 | #include <keystore/ExportResult.h> |
| 31 | #include <keystore/KeyCharacteristics.h> |
| 32 | #include <keystore/KeymasterArguments.h> |
| 33 | #include <keystore/KeymasterBlob.h> |
| 34 | #include <keystore/KeymasterCertificateChain.h> |
| 35 | #include <keystore/OperationResult.h> |
| 36 | #include <keystore/keystore_return_types.h> |
| 37 | |
Janis Danisevskis | b50236a | 2019-03-25 10:26:30 -0700 | [diff] [blame^] | 38 | #include <mutex> |
| 39 | |
Janis Danisevskis | c7a9fa2 | 2016-10-13 18:43:45 +0100 | [diff] [blame] | 40 | namespace keystore { |
Shawn Willden | c1d1fee | 2016-01-26 22:44:56 -0700 | [diff] [blame] | 41 | |
Dmitry Dementyev | a447b3c | 2017-10-27 23:09:53 -0700 | [diff] [blame] | 42 | // Class provides implementation for generated BnKeystoreService.h based on |
| 43 | // gen/aidl/android/security/BnKeystoreService.h generated from |
| 44 | // java/android/security/IKeystoreService.aidl Note that all generated methods return binder::Status |
| 45 | // and use last arguments to send actual result to the caller. Private methods don't need to handle |
| 46 | // binder::Status. Input parameters cannot be null unless annotated with @nullable in .aidl file. |
Rob Barnes | bb6cabd | 2018-10-04 17:10:37 -0600 | [diff] [blame] | 47 | class KeyStoreService : public android::security::keystore::BnKeystoreService { |
Shawn Willden | c1d1fee | 2016-01-26 22:44:56 -0700 | [diff] [blame] | 48 | public: |
Janis Danisevskis | ff3d7f4 | 2018-10-08 07:15:09 -0700 | [diff] [blame] | 49 | explicit KeyStoreService(sp<KeyStore> keyStore) : mKeyStore(keyStore) {} |
Shawn Willden | c67a8aa | 2017-12-03 17:51:29 -0700 | [diff] [blame] | 50 | virtual ~KeyStoreService() = default; |
Shawn Willden | c1d1fee | 2016-01-26 22:44:56 -0700 | [diff] [blame] | 51 | |
Janis Danisevskis | c7a9fa2 | 2016-10-13 18:43:45 +0100 | [diff] [blame] | 52 | void binderDied(const android::wp<android::IBinder>& who); |
Shawn Willden | c1d1fee | 2016-01-26 22:44:56 -0700 | [diff] [blame] | 53 | |
Dmitry Dementyev | a447b3c | 2017-10-27 23:09:53 -0700 | [diff] [blame] | 54 | ::android::binder::Status getState(int32_t userId, int32_t* _aidl_return) override; |
| 55 | ::android::binder::Status get(const ::android::String16& name, int32_t uid, |
| 56 | ::std::vector<uint8_t>* _aidl_return) override; |
| 57 | ::android::binder::Status insert(const ::android::String16& name, |
| 58 | const ::std::vector<uint8_t>& item, int32_t uid, int32_t flags, |
| 59 | int32_t* _aidl_return) override; |
| 60 | ::android::binder::Status del(const ::android::String16& name, int32_t uid, |
| 61 | int32_t* _aidl_return) override; |
| 62 | ::android::binder::Status exist(const ::android::String16& name, int32_t uid, |
| 63 | int32_t* _aidl_return) override; |
| 64 | ::android::binder::Status list(const ::android::String16& namePrefix, int32_t uid, |
| 65 | ::std::vector<::android::String16>* _aidl_return) override; |
Rob Barnes | 5d59e63 | 2018-12-07 16:09:02 -0700 | [diff] [blame] | 66 | ::android::binder::Status listUidsOfAuthBoundKeys(std::vector<::std::string>* uids, |
Rob Barnes | eb7f79b | 2018-11-08 15:44:10 -0700 | [diff] [blame] | 67 | int32_t* _aidl_return) override; |
| 68 | |
Dmitry Dementyev | a447b3c | 2017-10-27 23:09:53 -0700 | [diff] [blame] | 69 | ::android::binder::Status reset(int32_t* _aidl_return) override; |
| 70 | ::android::binder::Status onUserPasswordChanged(int32_t userId, |
| 71 | const ::android::String16& newPassword, |
| 72 | int32_t* _aidl_return) override; |
| 73 | ::android::binder::Status lock(int32_t userId, int32_t* _aidl_return) override; |
| 74 | ::android::binder::Status unlock(int32_t userId, const ::android::String16& userPassword, |
| 75 | int32_t* _aidl_return) override; |
| 76 | ::android::binder::Status isEmpty(int32_t userId, int32_t* _aidl_return) override; |
Dmitry Dementyev | a447b3c | 2017-10-27 23:09:53 -0700 | [diff] [blame] | 77 | ::android::binder::Status grant(const ::android::String16& name, int32_t granteeUid, |
| 78 | ::android::String16* _aidl_return) override; |
| 79 | ::android::binder::Status ungrant(const ::android::String16& name, int32_t granteeUid, |
| 80 | int32_t* _aidl_return) override; |
| 81 | ::android::binder::Status getmtime(const ::android::String16& name, int32_t uid, |
| 82 | int64_t* _aidl_return) override; |
Dmitry Dementyev | a447b3c | 2017-10-27 23:09:53 -0700 | [diff] [blame] | 83 | ::android::binder::Status is_hardware_backed(const ::android::String16& string, |
| 84 | int32_t* _aidl_return) override; |
| 85 | ::android::binder::Status clear_uid(int64_t uid, int32_t* _aidl_return) override; |
Dmitry Dementyev | a447b3c | 2017-10-27 23:09:53 -0700 | [diff] [blame] | 86 | ::android::binder::Status |
Rob Barnes | bb6cabd | 2018-10-04 17:10:37 -0600 | [diff] [blame] | 87 | addRngEntropy(const ::android::sp<::android::security::keystore::IKeystoreResponseCallback>& cb, |
| 88 | const ::std::vector<uint8_t>& data, int32_t flags, |
| 89 | int32_t* _aidl_return) override; |
| 90 | ::android::binder::Status generateKey( |
| 91 | const ::android::sp<::android::security::keystore::IKeystoreKeyCharacteristicsCallback>& cb, |
| 92 | const ::android::String16& alias, |
| 93 | const ::android::security::keymaster::KeymasterArguments& arguments, |
| 94 | const ::std::vector<uint8_t>& entropy, int32_t uid, int32_t flags, |
| 95 | int32_t* _aidl_return) override; |
| 96 | ::android::binder::Status getKeyCharacteristics( |
| 97 | const ::android::sp<::android::security::keystore::IKeystoreKeyCharacteristicsCallback>& cb, |
| 98 | const ::android::String16& alias, |
| 99 | const ::android::security::keymaster::KeymasterBlob& clientId, |
| 100 | const ::android::security::keymaster::KeymasterBlob& appId, int32_t uid, |
| 101 | int32_t* _aidl_return) override; |
| 102 | ::android::binder::Status importKey( |
| 103 | const ::android::sp<::android::security::keystore::IKeystoreKeyCharacteristicsCallback>& cb, |
| 104 | const ::android::String16& alias, |
| 105 | const ::android::security::keymaster::KeymasterArguments& arguments, int32_t format, |
| 106 | const ::std::vector<uint8_t>& keyData, int32_t uid, int32_t flags, |
| 107 | int32_t* _aidl_return) override; |
Dmitry Dementyev | a447b3c | 2017-10-27 23:09:53 -0700 | [diff] [blame] | 108 | ::android::binder::Status |
Rob Barnes | bb6cabd | 2018-10-04 17:10:37 -0600 | [diff] [blame] | 109 | exportKey(const ::android::sp<::android::security::keystore::IKeystoreExportKeyCallback>& cb, |
| 110 | const ::android::String16& alias, int32_t format, |
Dmitry Dementyev | a447b3c | 2017-10-27 23:09:53 -0700 | [diff] [blame] | 111 | const ::android::security::keymaster::KeymasterBlob& clientId, |
| 112 | const ::android::security::keymaster::KeymasterBlob& appId, int32_t uid, |
Rob Barnes | bb6cabd | 2018-10-04 17:10:37 -0600 | [diff] [blame] | 113 | int32_t* _aidl_return) override; |
Dmitry Dementyev | a447b3c | 2017-10-27 23:09:53 -0700 | [diff] [blame] | 114 | ::android::binder::Status |
Rob Barnes | bb6cabd | 2018-10-04 17:10:37 -0600 | [diff] [blame] | 115 | begin(const ::android::sp<::android::security::keystore::IKeystoreOperationResultCallback>& cb, |
| 116 | const ::android::sp<::android::IBinder>& appToken, const ::android::String16& alias, |
Dmitry Dementyev | a447b3c | 2017-10-27 23:09:53 -0700 | [diff] [blame] | 117 | int32_t purpose, bool pruneable, |
| 118 | const ::android::security::keymaster::KeymasterArguments& params, |
Rob Barnes | bb6cabd | 2018-10-04 17:10:37 -0600 | [diff] [blame] | 119 | const ::std::vector<uint8_t>& entropy, int32_t uid, int32_t* _aidl_return) override; |
Dmitry Dementyev | a447b3c | 2017-10-27 23:09:53 -0700 | [diff] [blame] | 120 | ::android::binder::Status |
Rob Barnes | bb6cabd | 2018-10-04 17:10:37 -0600 | [diff] [blame] | 121 | update(const ::android::sp<::android::security::keystore::IKeystoreOperationResultCallback>& cb, |
| 122 | const ::android::sp<::android::IBinder>& token, |
Dmitry Dementyev | a447b3c | 2017-10-27 23:09:53 -0700 | [diff] [blame] | 123 | const ::android::security::keymaster::KeymasterArguments& params, |
Rob Barnes | bb6cabd | 2018-10-04 17:10:37 -0600 | [diff] [blame] | 124 | const ::std::vector<uint8_t>& input, int32_t* _aidl_return) override; |
Dmitry Dementyev | a447b3c | 2017-10-27 23:09:53 -0700 | [diff] [blame] | 125 | ::android::binder::Status |
Rob Barnes | bb6cabd | 2018-10-04 17:10:37 -0600 | [diff] [blame] | 126 | finish(const ::android::sp<::android::security::keystore::IKeystoreOperationResultCallback>& cb, |
| 127 | const ::android::sp<::android::IBinder>& token, |
Dmitry Dementyev | a447b3c | 2017-10-27 23:09:53 -0700 | [diff] [blame] | 128 | const ::android::security::keymaster::KeymasterArguments& params, |
| 129 | const ::std::vector<uint8_t>& signature, const ::std::vector<uint8_t>& entropy, |
Rob Barnes | bb6cabd | 2018-10-04 17:10:37 -0600 | [diff] [blame] | 130 | int32_t* _aidl_return) override; |
| 131 | ::android::binder::Status |
| 132 | abort(const ::android::sp<::android::security::keystore::IKeystoreResponseCallback>& cb, |
| 133 | const ::android::sp<::android::IBinder>& token, int32_t* _aidl_return) override; |
Brian Young | ccb492d | 2018-02-22 23:36:01 +0000 | [diff] [blame] | 134 | ::android::binder::Status addAuthToken(const ::std::vector<uint8_t>& authToken, |
Brian Young | 1b75929 | 2018-01-29 23:57:29 +0000 | [diff] [blame] | 135 | int32_t* _aidl_return) override; |
Dmitry Dementyev | a447b3c | 2017-10-27 23:09:53 -0700 | [diff] [blame] | 136 | ::android::binder::Status onUserAdded(int32_t userId, int32_t parentId, |
| 137 | int32_t* _aidl_return) override; |
| 138 | ::android::binder::Status onUserRemoved(int32_t userId, int32_t* _aidl_return) override; |
Rob Barnes | bb6cabd | 2018-10-04 17:10:37 -0600 | [diff] [blame] | 139 | ::android::binder::Status attestKey( |
| 140 | const ::android::sp<::android::security::keystore::IKeystoreCertificateChainCallback>& cb, |
| 141 | const ::android::String16& alias, |
| 142 | const ::android::security::keymaster::KeymasterArguments& params, |
| 143 | int32_t* _aidl_return) override; |
| 144 | ::android::binder::Status attestDeviceIds( |
| 145 | const ::android::sp<::android::security::keystore::IKeystoreCertificateChainCallback>& cb, |
| 146 | const ::android::security::keymaster::KeymasterArguments& params, |
| 147 | int32_t* _aidl_return) override; |
Dmitry Dementyev | a447b3c | 2017-10-27 23:09:53 -0700 | [diff] [blame] | 148 | ::android::binder::Status onDeviceOffBody(int32_t* _aidl_return) override; |
David Zeuthen | c6eb7cd | 2017-11-27 11:33:55 -0500 | [diff] [blame] | 149 | |
Janis Danisevskis | cb9267d | 2017-12-19 16:27:52 -0800 | [diff] [blame] | 150 | ::android::binder::Status importWrappedKey( |
Rob Barnes | bb6cabd | 2018-10-04 17:10:37 -0600 | [diff] [blame] | 151 | const ::android::sp<::android::security::keystore::IKeystoreKeyCharacteristicsCallback>& cb, |
Janis Danisevskis | cb9267d | 2017-12-19 16:27:52 -0800 | [diff] [blame] | 152 | const ::android::String16& wrappedKeyAlias, const ::std::vector<uint8_t>& wrappedKey, |
| 153 | const ::android::String16& wrappingKeyAlias, const ::std::vector<uint8_t>& maskingKey, |
| 154 | const ::android::security::keymaster::KeymasterArguments& params, int64_t rootSid, |
Rob Barnes | bb6cabd | 2018-10-04 17:10:37 -0600 | [diff] [blame] | 155 | int64_t fingerprintSid, int32_t* _aidl_return) override; |
Tucker Sylvestro | 0ab28b7 | 2016-08-05 18:02:47 -0400 | [diff] [blame] | 156 | |
David Zeuthen | c6eb7cd | 2017-11-27 11:33:55 -0500 | [diff] [blame] | 157 | ::android::binder::Status presentConfirmationPrompt( |
| 158 | const ::android::sp<::android::IBinder>& listener, const ::android::String16& promptText, |
| 159 | const ::std::vector<uint8_t>& extraData, const ::android::String16& locale, |
| 160 | int32_t uiOptionsAsFlags, int32_t* _aidl_return) override; |
| 161 | ::android::binder::Status |
| 162 | cancelConfirmationPrompt(const ::android::sp<::android::IBinder>& listener, |
| 163 | int32_t* _aidl_return) override; |
David Zeuthen | 1a49231 | 2018-02-26 11:00:30 -0500 | [diff] [blame] | 164 | ::android::binder::Status isConfirmationPromptSupported(bool* _aidl_return) override; |
David Zeuthen | c6eb7cd | 2017-11-27 11:33:55 -0500 | [diff] [blame] | 165 | |
Brian Young | 9371e95 | 2018-02-23 18:03:14 +0000 | [diff] [blame] | 166 | ::android::binder::Status onKeyguardVisibilityChanged(bool isShowing, int32_t userId, |
Janis Danisevskis | ff3d7f4 | 2018-10-08 07:15:09 -0700 | [diff] [blame] | 167 | int32_t* _aidl_return) override; |
Brian Young | 9371e95 | 2018-02-23 18:03:14 +0000 | [diff] [blame] | 168 | |
Shawn Willden | c1d1fee | 2016-01-26 22:44:56 -0700 | [diff] [blame] | 169 | private: |
| 170 | static const int32_t UID_SELF = -1; |
| 171 | |
| 172 | /** |
Shawn Willden | c1d1fee | 2016-01-26 22:44:56 -0700 | [diff] [blame] | 173 | * Get the effective target uid for a binder operation that takes an |
| 174 | * optional uid as the target. |
| 175 | */ |
| 176 | uid_t getEffectiveUid(int32_t targetUid); |
| 177 | |
| 178 | /** |
| 179 | * Check if the caller of the current binder method has the required |
| 180 | * permission and if acting on other uids the grants to do so. |
| 181 | */ |
| 182 | bool checkBinderPermission(perm_t permission, int32_t targetUid = UID_SELF); |
| 183 | |
| 184 | /** |
| 185 | * Check if the caller of the current binder method has the required |
| 186 | * permission and the target uid is the caller or the caller is system. |
| 187 | */ |
| 188 | bool checkBinderPermissionSelfOrSystem(perm_t permission, int32_t targetUid); |
| 189 | |
| 190 | /** |
| 191 | * Check if the caller of the current binder method has the required |
| 192 | * permission or the target of the operation is the caller's uid. This is |
| 193 | * for operation where the permission is only for cross-uid activity and all |
| 194 | * uids are allowed to act on their own (ie: clearing all entries for a |
| 195 | * given uid). |
| 196 | */ |
| 197 | bool checkBinderPermissionOrSelfTarget(perm_t permission, int32_t targetUid); |
| 198 | |
| 199 | /** |
| 200 | * Helper method to check that the caller has the required permission as |
| 201 | * well as the keystore is in the unlocked state if checkUnlocked is true. |
| 202 | * |
| 203 | * Returns NO_ERROR on success, PERMISSION_DENIED on a permission error and |
| 204 | * otherwise the state of keystore when not unlocked and checkUnlocked is |
| 205 | * true. |
| 206 | */ |
Janis Danisevskis | c7a9fa2 | 2016-10-13 18:43:45 +0100 | [diff] [blame] | 207 | KeyStoreServiceReturnCode checkBinderPermissionAndKeystoreState(perm_t permission, |
| 208 | int32_t targetUid = -1, |
| 209 | bool checkUnlocked = true); |
Shawn Willden | c1d1fee | 2016-01-26 22:44:56 -0700 | [diff] [blame] | 210 | |
| 211 | bool isKeystoreUnlocked(State state); |
| 212 | |
Shawn Willden | c1d1fee | 2016-01-26 22:44:56 -0700 | [diff] [blame] | 213 | /** |
| 214 | * Check that all keymaster_key_param_t's provided by the application are |
| 215 | * allowed. Any parameter that keystore adds itself should be disallowed here. |
| 216 | */ |
Janis Danisevskis | c7a9fa2 | 2016-10-13 18:43:45 +0100 | [diff] [blame] | 217 | bool checkAllowedOperationParams(const hidl_vec<KeyParameter>& params); |
Shawn Willden | c1d1fee | 2016-01-26 22:44:56 -0700 | [diff] [blame] | 218 | |
Janis Danisevskis | c7a9fa2 | 2016-10-13 18:43:45 +0100 | [diff] [blame] | 219 | void addLegacyBeginParams(const android::String16& name, AuthorizationSet* params); |
Shawn Willden | c1d1fee | 2016-01-26 22:44:56 -0700 | [diff] [blame] | 220 | |
Janis Danisevskis | c7a9fa2 | 2016-10-13 18:43:45 +0100 | [diff] [blame] | 221 | KeyStoreServiceReturnCode doLegacySignVerify(const android::String16& name, |
| 222 | const hidl_vec<uint8_t>& data, |
| 223 | hidl_vec<uint8_t>* out, |
| 224 | const hidl_vec<uint8_t>& signature, |
| 225 | KeyPurpose purpose); |
Shawn Willden | c1d1fee | 2016-01-26 22:44:56 -0700 | [diff] [blame] | 226 | |
Shawn Willden | 98c5916 | 2016-03-20 09:10:18 -0600 | [diff] [blame] | 227 | /** |
David Zeuthen | c6eb7cd | 2017-11-27 11:33:55 -0500 | [diff] [blame] | 228 | * Adds a Confirmation Token to the key parameters if needed. |
| 229 | */ |
| 230 | void appendConfirmationTokenIfNeeded(const KeyCharacteristics& keyCharacteristics, |
| 231 | std::vector<KeyParameter>* params); |
| 232 | |
Janis Danisevskis | ff3d7f4 | 2018-10-08 07:15:09 -0700 | [diff] [blame] | 233 | sp<KeyStore> mKeyStore; |
| 234 | |
Janis Danisevskis | b50236a | 2019-03-25 10:26:30 -0700 | [diff] [blame^] | 235 | /** |
| 236 | * This mutex locks keystore operations from concurrent execution. |
| 237 | * The keystore service has always been conceptually single threaded. Even with the introduction |
| 238 | * of keymaster workers, it was assumed that the dispatcher thread executes exclusively on |
| 239 | * certain code paths. With the introduction of wifi Keystore service in the keystore process |
| 240 | * this assumption no longer holds as the hwbinder thread servicing this interface makes |
| 241 | * functions (rather than IPC) calls into keystore. This mutex protects the keystore logic |
| 242 | * from concurrent execution. |
| 243 | */ |
| 244 | std::mutex keystoreServiceMutex_; |
| 245 | |
Janis Danisevskis | ff3d7f4 | 2018-10-08 07:15:09 -0700 | [diff] [blame] | 246 | std::mutex operationDeviceMapMutex_; |
| 247 | std::map<sp<IBinder>, std::shared_ptr<KeymasterWorker>> operationDeviceMap_; |
| 248 | |
| 249 | void addOperationDevice(sp<IBinder> token, std::shared_ptr<KeymasterWorker> dev) { |
| 250 | std::lock_guard<std::mutex> lock(operationDeviceMapMutex_); |
| 251 | operationDeviceMap_.emplace(std::move(token), std::move(dev)); |
| 252 | } |
| 253 | std::shared_ptr<KeymasterWorker> getOperationDevice(const sp<IBinder>& token) { |
| 254 | std::lock_guard<std::mutex> lock(operationDeviceMapMutex_); |
| 255 | auto it = operationDeviceMap_.find(token); |
| 256 | if (it != operationDeviceMap_.end()) { |
| 257 | return it->second; |
| 258 | } |
| 259 | return {}; |
| 260 | } |
| 261 | void removeOperationDevice(const sp<IBinder>& token) { |
| 262 | std::lock_guard<std::mutex> lock(operationDeviceMapMutex_); |
| 263 | operationDeviceMap_.erase(token); |
| 264 | } |
Shawn Willden | c1d1fee | 2016-01-26 22:44:56 -0700 | [diff] [blame] | 265 | }; |
| 266 | |
Janis Danisevskis | c7a9fa2 | 2016-10-13 18:43:45 +0100 | [diff] [blame] | 267 | }; // namespace keystore |
Shawn Willden | c1d1fee | 2016-01-26 22:44:56 -0700 | [diff] [blame] | 268 | |
| 269 | #endif // KEYSTORE_KEYSTORE_SERVICE_H_ |