Shawn Willden | c1d1fee | 2016-01-26 22:44:56 -0700 | [diff] [blame] | 1 | /* |
| 2 | * Copyright (C) 2016 The Android Open Source Project |
| 3 | * |
| 4 | * Licensed under the Apache License, Version 2.0 (the "License"); |
| 5 | * you may not use this file except in compliance with the License. |
| 6 | * You may obtain a copy of the License at |
| 7 | * |
| 8 | * http://www.apache.org/licenses/LICENSE-2.0 |
| 9 | * |
| 10 | * Unless required by applicable law or agreed to in writing, software |
| 11 | * distributed under the License is distributed on an "AS IS" BASIS, |
| 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| 13 | * See the License for the specific language governing permissions and |
| 14 | * limitations under the License. |
| 15 | */ |
| 16 | |
| 17 | #ifndef KEYSTORE_KEYSTORE_SERVICE_H_ |
| 18 | #define KEYSTORE_KEYSTORE_SERVICE_H_ |
| 19 | |
Rob Barnes | bb6cabd | 2018-10-04 17:10:37 -0600 | [diff] [blame^] | 20 | #include <android/security/keystore/BnKeystoreService.h> |
Shawn Willden | 98c5916 | 2016-03-20 09:10:18 -0600 | [diff] [blame] | 21 | |
Shawn Willden | c1d1fee | 2016-01-26 22:44:56 -0700 | [diff] [blame] | 22 | #include "auth_token_table.h" |
David Zeuthen | c6eb7cd | 2017-11-27 11:33:55 -0500 | [diff] [blame] | 23 | #include "confirmation_manager.h" |
Dmitry Dementyev | a447b3c | 2017-10-27 23:09:53 -0700 | [diff] [blame] | 24 | |
Shawn Willden | fa5702f | 2017-12-03 15:14:58 -0700 | [diff] [blame] | 25 | #include "KeyStore.h" |
Shawn Willden | c1d1fee | 2016-01-26 22:44:56 -0700 | [diff] [blame] | 26 | #include "keystore_keymaster_enforcement.h" |
| 27 | #include "operation.h" |
| 28 | #include "permissions.h" |
| 29 | |
Janis Danisevskis | ff3d7f4 | 2018-10-08 07:15:09 -0700 | [diff] [blame] | 30 | #include <keystore/ExportResult.h> |
| 31 | #include <keystore/KeyCharacteristics.h> |
| 32 | #include <keystore/KeymasterArguments.h> |
| 33 | #include <keystore/KeymasterBlob.h> |
| 34 | #include <keystore/KeymasterCertificateChain.h> |
| 35 | #include <keystore/OperationResult.h> |
| 36 | #include <keystore/keystore_return_types.h> |
| 37 | |
Janis Danisevskis | c7a9fa2 | 2016-10-13 18:43:45 +0100 | [diff] [blame] | 38 | namespace keystore { |
Shawn Willden | c1d1fee | 2016-01-26 22:44:56 -0700 | [diff] [blame] | 39 | |
Dmitry Dementyev | a447b3c | 2017-10-27 23:09:53 -0700 | [diff] [blame] | 40 | // Class provides implementation for generated BnKeystoreService.h based on |
| 41 | // gen/aidl/android/security/BnKeystoreService.h generated from |
| 42 | // java/android/security/IKeystoreService.aidl Note that all generated methods return binder::Status |
| 43 | // and use last arguments to send actual result to the caller. Private methods don't need to handle |
| 44 | // binder::Status. Input parameters cannot be null unless annotated with @nullable in .aidl file. |
Rob Barnes | bb6cabd | 2018-10-04 17:10:37 -0600 | [diff] [blame^] | 45 | class KeyStoreService : public android::security::keystore::BnKeystoreService { |
Shawn Willden | c1d1fee | 2016-01-26 22:44:56 -0700 | [diff] [blame] | 46 | public: |
Janis Danisevskis | ff3d7f4 | 2018-10-08 07:15:09 -0700 | [diff] [blame] | 47 | explicit KeyStoreService(sp<KeyStore> keyStore) : mKeyStore(keyStore) {} |
Shawn Willden | c67a8aa | 2017-12-03 17:51:29 -0700 | [diff] [blame] | 48 | virtual ~KeyStoreService() = default; |
Shawn Willden | c1d1fee | 2016-01-26 22:44:56 -0700 | [diff] [blame] | 49 | |
Janis Danisevskis | c7a9fa2 | 2016-10-13 18:43:45 +0100 | [diff] [blame] | 50 | void binderDied(const android::wp<android::IBinder>& who); |
Shawn Willden | c1d1fee | 2016-01-26 22:44:56 -0700 | [diff] [blame] | 51 | |
Dmitry Dementyev | a447b3c | 2017-10-27 23:09:53 -0700 | [diff] [blame] | 52 | ::android::binder::Status getState(int32_t userId, int32_t* _aidl_return) override; |
| 53 | ::android::binder::Status get(const ::android::String16& name, int32_t uid, |
| 54 | ::std::vector<uint8_t>* _aidl_return) override; |
| 55 | ::android::binder::Status insert(const ::android::String16& name, |
| 56 | const ::std::vector<uint8_t>& item, int32_t uid, int32_t flags, |
| 57 | int32_t* _aidl_return) override; |
| 58 | ::android::binder::Status del(const ::android::String16& name, int32_t uid, |
| 59 | int32_t* _aidl_return) override; |
| 60 | ::android::binder::Status exist(const ::android::String16& name, int32_t uid, |
| 61 | int32_t* _aidl_return) override; |
| 62 | ::android::binder::Status list(const ::android::String16& namePrefix, int32_t uid, |
| 63 | ::std::vector<::android::String16>* _aidl_return) override; |
| 64 | ::android::binder::Status reset(int32_t* _aidl_return) override; |
| 65 | ::android::binder::Status onUserPasswordChanged(int32_t userId, |
| 66 | const ::android::String16& newPassword, |
| 67 | int32_t* _aidl_return) override; |
| 68 | ::android::binder::Status lock(int32_t userId, int32_t* _aidl_return) override; |
| 69 | ::android::binder::Status unlock(int32_t userId, const ::android::String16& userPassword, |
| 70 | int32_t* _aidl_return) override; |
| 71 | ::android::binder::Status isEmpty(int32_t userId, int32_t* _aidl_return) override; |
Dmitry Dementyev | a447b3c | 2017-10-27 23:09:53 -0700 | [diff] [blame] | 72 | ::android::binder::Status grant(const ::android::String16& name, int32_t granteeUid, |
| 73 | ::android::String16* _aidl_return) override; |
| 74 | ::android::binder::Status ungrant(const ::android::String16& name, int32_t granteeUid, |
| 75 | int32_t* _aidl_return) override; |
| 76 | ::android::binder::Status getmtime(const ::android::String16& name, int32_t uid, |
| 77 | int64_t* _aidl_return) override; |
Dmitry Dementyev | a447b3c | 2017-10-27 23:09:53 -0700 | [diff] [blame] | 78 | ::android::binder::Status is_hardware_backed(const ::android::String16& string, |
| 79 | int32_t* _aidl_return) override; |
| 80 | ::android::binder::Status clear_uid(int64_t uid, int32_t* _aidl_return) override; |
Dmitry Dementyev | a447b3c | 2017-10-27 23:09:53 -0700 | [diff] [blame] | 81 | ::android::binder::Status |
Rob Barnes | bb6cabd | 2018-10-04 17:10:37 -0600 | [diff] [blame^] | 82 | addRngEntropy(const ::android::sp<::android::security::keystore::IKeystoreResponseCallback>& cb, |
| 83 | const ::std::vector<uint8_t>& data, int32_t flags, |
| 84 | int32_t* _aidl_return) override; |
| 85 | ::android::binder::Status generateKey( |
| 86 | const ::android::sp<::android::security::keystore::IKeystoreKeyCharacteristicsCallback>& cb, |
| 87 | const ::android::String16& alias, |
| 88 | const ::android::security::keymaster::KeymasterArguments& arguments, |
| 89 | const ::std::vector<uint8_t>& entropy, int32_t uid, int32_t flags, |
| 90 | int32_t* _aidl_return) override; |
| 91 | ::android::binder::Status getKeyCharacteristics( |
| 92 | const ::android::sp<::android::security::keystore::IKeystoreKeyCharacteristicsCallback>& cb, |
| 93 | const ::android::String16& alias, |
| 94 | const ::android::security::keymaster::KeymasterBlob& clientId, |
| 95 | const ::android::security::keymaster::KeymasterBlob& appId, int32_t uid, |
| 96 | int32_t* _aidl_return) override; |
| 97 | ::android::binder::Status importKey( |
| 98 | const ::android::sp<::android::security::keystore::IKeystoreKeyCharacteristicsCallback>& cb, |
| 99 | const ::android::String16& alias, |
| 100 | const ::android::security::keymaster::KeymasterArguments& arguments, int32_t format, |
| 101 | const ::std::vector<uint8_t>& keyData, int32_t uid, int32_t flags, |
| 102 | int32_t* _aidl_return) override; |
Dmitry Dementyev | a447b3c | 2017-10-27 23:09:53 -0700 | [diff] [blame] | 103 | ::android::binder::Status |
Rob Barnes | bb6cabd | 2018-10-04 17:10:37 -0600 | [diff] [blame^] | 104 | exportKey(const ::android::sp<::android::security::keystore::IKeystoreExportKeyCallback>& cb, |
| 105 | const ::android::String16& alias, int32_t format, |
Dmitry Dementyev | a447b3c | 2017-10-27 23:09:53 -0700 | [diff] [blame] | 106 | const ::android::security::keymaster::KeymasterBlob& clientId, |
| 107 | const ::android::security::keymaster::KeymasterBlob& appId, int32_t uid, |
Rob Barnes | bb6cabd | 2018-10-04 17:10:37 -0600 | [diff] [blame^] | 108 | int32_t* _aidl_return) override; |
Dmitry Dementyev | a447b3c | 2017-10-27 23:09:53 -0700 | [diff] [blame] | 109 | ::android::binder::Status |
Rob Barnes | bb6cabd | 2018-10-04 17:10:37 -0600 | [diff] [blame^] | 110 | begin(const ::android::sp<::android::security::keystore::IKeystoreOperationResultCallback>& cb, |
| 111 | const ::android::sp<::android::IBinder>& appToken, const ::android::String16& alias, |
Dmitry Dementyev | a447b3c | 2017-10-27 23:09:53 -0700 | [diff] [blame] | 112 | int32_t purpose, bool pruneable, |
| 113 | const ::android::security::keymaster::KeymasterArguments& params, |
Rob Barnes | bb6cabd | 2018-10-04 17:10:37 -0600 | [diff] [blame^] | 114 | const ::std::vector<uint8_t>& entropy, int32_t uid, int32_t* _aidl_return) override; |
Dmitry Dementyev | a447b3c | 2017-10-27 23:09:53 -0700 | [diff] [blame] | 115 | ::android::binder::Status |
Rob Barnes | bb6cabd | 2018-10-04 17:10:37 -0600 | [diff] [blame^] | 116 | update(const ::android::sp<::android::security::keystore::IKeystoreOperationResultCallback>& cb, |
| 117 | const ::android::sp<::android::IBinder>& token, |
Dmitry Dementyev | a447b3c | 2017-10-27 23:09:53 -0700 | [diff] [blame] | 118 | const ::android::security::keymaster::KeymasterArguments& params, |
Rob Barnes | bb6cabd | 2018-10-04 17:10:37 -0600 | [diff] [blame^] | 119 | const ::std::vector<uint8_t>& input, int32_t* _aidl_return) override; |
Dmitry Dementyev | a447b3c | 2017-10-27 23:09:53 -0700 | [diff] [blame] | 120 | ::android::binder::Status |
Rob Barnes | bb6cabd | 2018-10-04 17:10:37 -0600 | [diff] [blame^] | 121 | finish(const ::android::sp<::android::security::keystore::IKeystoreOperationResultCallback>& cb, |
| 122 | const ::android::sp<::android::IBinder>& token, |
Dmitry Dementyev | a447b3c | 2017-10-27 23:09:53 -0700 | [diff] [blame] | 123 | const ::android::security::keymaster::KeymasterArguments& params, |
| 124 | const ::std::vector<uint8_t>& signature, const ::std::vector<uint8_t>& entropy, |
Rob Barnes | bb6cabd | 2018-10-04 17:10:37 -0600 | [diff] [blame^] | 125 | int32_t* _aidl_return) override; |
| 126 | ::android::binder::Status |
| 127 | abort(const ::android::sp<::android::security::keystore::IKeystoreResponseCallback>& cb, |
| 128 | const ::android::sp<::android::IBinder>& token, int32_t* _aidl_return) override; |
Brian Young | ccb492d | 2018-02-22 23:36:01 +0000 | [diff] [blame] | 129 | ::android::binder::Status addAuthToken(const ::std::vector<uint8_t>& authToken, |
Brian Young | 1b75929 | 2018-01-29 23:57:29 +0000 | [diff] [blame] | 130 | int32_t* _aidl_return) override; |
Dmitry Dementyev | a447b3c | 2017-10-27 23:09:53 -0700 | [diff] [blame] | 131 | ::android::binder::Status onUserAdded(int32_t userId, int32_t parentId, |
| 132 | int32_t* _aidl_return) override; |
| 133 | ::android::binder::Status onUserRemoved(int32_t userId, int32_t* _aidl_return) override; |
Rob Barnes | bb6cabd | 2018-10-04 17:10:37 -0600 | [diff] [blame^] | 134 | ::android::binder::Status attestKey( |
| 135 | const ::android::sp<::android::security::keystore::IKeystoreCertificateChainCallback>& cb, |
| 136 | const ::android::String16& alias, |
| 137 | const ::android::security::keymaster::KeymasterArguments& params, |
| 138 | int32_t* _aidl_return) override; |
| 139 | ::android::binder::Status attestDeviceIds( |
| 140 | const ::android::sp<::android::security::keystore::IKeystoreCertificateChainCallback>& cb, |
| 141 | const ::android::security::keymaster::KeymasterArguments& params, |
| 142 | int32_t* _aidl_return) override; |
Dmitry Dementyev | a447b3c | 2017-10-27 23:09:53 -0700 | [diff] [blame] | 143 | ::android::binder::Status onDeviceOffBody(int32_t* _aidl_return) override; |
David Zeuthen | c6eb7cd | 2017-11-27 11:33:55 -0500 | [diff] [blame] | 144 | |
Janis Danisevskis | cb9267d | 2017-12-19 16:27:52 -0800 | [diff] [blame] | 145 | ::android::binder::Status importWrappedKey( |
Rob Barnes | bb6cabd | 2018-10-04 17:10:37 -0600 | [diff] [blame^] | 146 | const ::android::sp<::android::security::keystore::IKeystoreKeyCharacteristicsCallback>& cb, |
Janis Danisevskis | cb9267d | 2017-12-19 16:27:52 -0800 | [diff] [blame] | 147 | const ::android::String16& wrappedKeyAlias, const ::std::vector<uint8_t>& wrappedKey, |
| 148 | const ::android::String16& wrappingKeyAlias, const ::std::vector<uint8_t>& maskingKey, |
| 149 | const ::android::security::keymaster::KeymasterArguments& params, int64_t rootSid, |
Rob Barnes | bb6cabd | 2018-10-04 17:10:37 -0600 | [diff] [blame^] | 150 | int64_t fingerprintSid, int32_t* _aidl_return) override; |
Tucker Sylvestro | 0ab28b7 | 2016-08-05 18:02:47 -0400 | [diff] [blame] | 151 | |
David Zeuthen | c6eb7cd | 2017-11-27 11:33:55 -0500 | [diff] [blame] | 152 | ::android::binder::Status presentConfirmationPrompt( |
| 153 | const ::android::sp<::android::IBinder>& listener, const ::android::String16& promptText, |
| 154 | const ::std::vector<uint8_t>& extraData, const ::android::String16& locale, |
| 155 | int32_t uiOptionsAsFlags, int32_t* _aidl_return) override; |
| 156 | ::android::binder::Status |
| 157 | cancelConfirmationPrompt(const ::android::sp<::android::IBinder>& listener, |
| 158 | int32_t* _aidl_return) override; |
David Zeuthen | 1a49231 | 2018-02-26 11:00:30 -0500 | [diff] [blame] | 159 | ::android::binder::Status isConfirmationPromptSupported(bool* _aidl_return) override; |
David Zeuthen | c6eb7cd | 2017-11-27 11:33:55 -0500 | [diff] [blame] | 160 | |
Brian Young | 9371e95 | 2018-02-23 18:03:14 +0000 | [diff] [blame] | 161 | ::android::binder::Status onKeyguardVisibilityChanged(bool isShowing, int32_t userId, |
Janis Danisevskis | ff3d7f4 | 2018-10-08 07:15:09 -0700 | [diff] [blame] | 162 | int32_t* _aidl_return) override; |
Brian Young | 9371e95 | 2018-02-23 18:03:14 +0000 | [diff] [blame] | 163 | |
Shawn Willden | c1d1fee | 2016-01-26 22:44:56 -0700 | [diff] [blame] | 164 | private: |
| 165 | static const int32_t UID_SELF = -1; |
| 166 | |
| 167 | /** |
Shawn Willden | c1d1fee | 2016-01-26 22:44:56 -0700 | [diff] [blame] | 168 | * Get the effective target uid for a binder operation that takes an |
| 169 | * optional uid as the target. |
| 170 | */ |
| 171 | uid_t getEffectiveUid(int32_t targetUid); |
| 172 | |
| 173 | /** |
| 174 | * Check if the caller of the current binder method has the required |
| 175 | * permission and if acting on other uids the grants to do so. |
| 176 | */ |
| 177 | bool checkBinderPermission(perm_t permission, int32_t targetUid = UID_SELF); |
| 178 | |
| 179 | /** |
| 180 | * Check if the caller of the current binder method has the required |
| 181 | * permission and the target uid is the caller or the caller is system. |
| 182 | */ |
| 183 | bool checkBinderPermissionSelfOrSystem(perm_t permission, int32_t targetUid); |
| 184 | |
| 185 | /** |
| 186 | * Check if the caller of the current binder method has the required |
| 187 | * permission or the target of the operation is the caller's uid. This is |
| 188 | * for operation where the permission is only for cross-uid activity and all |
| 189 | * uids are allowed to act on their own (ie: clearing all entries for a |
| 190 | * given uid). |
| 191 | */ |
| 192 | bool checkBinderPermissionOrSelfTarget(perm_t permission, int32_t targetUid); |
| 193 | |
| 194 | /** |
| 195 | * Helper method to check that the caller has the required permission as |
| 196 | * well as the keystore is in the unlocked state if checkUnlocked is true. |
| 197 | * |
| 198 | * Returns NO_ERROR on success, PERMISSION_DENIED on a permission error and |
| 199 | * otherwise the state of keystore when not unlocked and checkUnlocked is |
| 200 | * true. |
| 201 | */ |
Janis Danisevskis | c7a9fa2 | 2016-10-13 18:43:45 +0100 | [diff] [blame] | 202 | KeyStoreServiceReturnCode checkBinderPermissionAndKeystoreState(perm_t permission, |
| 203 | int32_t targetUid = -1, |
| 204 | bool checkUnlocked = true); |
Shawn Willden | c1d1fee | 2016-01-26 22:44:56 -0700 | [diff] [blame] | 205 | |
| 206 | bool isKeystoreUnlocked(State state); |
| 207 | |
Shawn Willden | c1d1fee | 2016-01-26 22:44:56 -0700 | [diff] [blame] | 208 | /** |
| 209 | * Check that all keymaster_key_param_t's provided by the application are |
| 210 | * allowed. Any parameter that keystore adds itself should be disallowed here. |
| 211 | */ |
Janis Danisevskis | c7a9fa2 | 2016-10-13 18:43:45 +0100 | [diff] [blame] | 212 | bool checkAllowedOperationParams(const hidl_vec<KeyParameter>& params); |
Shawn Willden | c1d1fee | 2016-01-26 22:44:56 -0700 | [diff] [blame] | 213 | |
Janis Danisevskis | c7a9fa2 | 2016-10-13 18:43:45 +0100 | [diff] [blame] | 214 | void addLegacyBeginParams(const android::String16& name, AuthorizationSet* params); |
Shawn Willden | c1d1fee | 2016-01-26 22:44:56 -0700 | [diff] [blame] | 215 | |
Janis Danisevskis | c7a9fa2 | 2016-10-13 18:43:45 +0100 | [diff] [blame] | 216 | KeyStoreServiceReturnCode doLegacySignVerify(const android::String16& name, |
| 217 | const hidl_vec<uint8_t>& data, |
| 218 | hidl_vec<uint8_t>* out, |
| 219 | const hidl_vec<uint8_t>& signature, |
| 220 | KeyPurpose purpose); |
Shawn Willden | c1d1fee | 2016-01-26 22:44:56 -0700 | [diff] [blame] | 221 | |
Shawn Willden | 98c5916 | 2016-03-20 09:10:18 -0600 | [diff] [blame] | 222 | /** |
David Zeuthen | c6eb7cd | 2017-11-27 11:33:55 -0500 | [diff] [blame] | 223 | * Adds a Confirmation Token to the key parameters if needed. |
| 224 | */ |
| 225 | void appendConfirmationTokenIfNeeded(const KeyCharacteristics& keyCharacteristics, |
| 226 | std::vector<KeyParameter>* params); |
| 227 | |
Janis Danisevskis | ff3d7f4 | 2018-10-08 07:15:09 -0700 | [diff] [blame] | 228 | sp<KeyStore> mKeyStore; |
| 229 | |
| 230 | std::mutex operationDeviceMapMutex_; |
| 231 | std::map<sp<IBinder>, std::shared_ptr<KeymasterWorker>> operationDeviceMap_; |
| 232 | |
| 233 | void addOperationDevice(sp<IBinder> token, std::shared_ptr<KeymasterWorker> dev) { |
| 234 | std::lock_guard<std::mutex> lock(operationDeviceMapMutex_); |
| 235 | operationDeviceMap_.emplace(std::move(token), std::move(dev)); |
| 236 | } |
| 237 | std::shared_ptr<KeymasterWorker> getOperationDevice(const sp<IBinder>& token) { |
| 238 | std::lock_guard<std::mutex> lock(operationDeviceMapMutex_); |
| 239 | auto it = operationDeviceMap_.find(token); |
| 240 | if (it != operationDeviceMap_.end()) { |
| 241 | return it->second; |
| 242 | } |
| 243 | return {}; |
| 244 | } |
| 245 | void removeOperationDevice(const sp<IBinder>& token) { |
| 246 | std::lock_guard<std::mutex> lock(operationDeviceMapMutex_); |
| 247 | operationDeviceMap_.erase(token); |
| 248 | } |
Shawn Willden | c1d1fee | 2016-01-26 22:44:56 -0700 | [diff] [blame] | 249 | }; |
| 250 | |
Janis Danisevskis | c7a9fa2 | 2016-10-13 18:43:45 +0100 | [diff] [blame] | 251 | }; // namespace keystore |
Shawn Willden | c1d1fee | 2016-01-26 22:44:56 -0700 | [diff] [blame] | 252 | |
| 253 | #endif // KEYSTORE_KEYSTORE_SERVICE_H_ |