/*
 * Copyright (C) 2016 The Android Open Source Project
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
| 16 | |
| 17 | #ifndef KEYSTORE_KEYSTORE_SERVICE_H_ |
| 18 | #define KEYSTORE_KEYSTORE_SERVICE_H_ |
| 19 | |
| 20 | #include <keystore/IKeystoreService.h> |
| 21 | |
Janis Danisevskis | c7a9fa2 | 2016-10-13 18:43:45 +0100 | [diff] [blame^] | 22 | #include <keystore/authorization_set.h> |
Shawn Willden | 98c5916 | 2016-03-20 09:10:18 -0600 | [diff] [blame] | 23 | |
Shawn Willden | c1d1fee | 2016-01-26 22:44:56 -0700 | [diff] [blame] | 24 | #include "auth_token_table.h" |
| 25 | #include "keystore.h" |
| 26 | #include "keystore_keymaster_enforcement.h" |
| 27 | #include "operation.h" |
| 28 | #include "permissions.h" |
| 29 | |
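namespace keystore {

/**
 * Binder implementation of the Android keystore service.
 *
 * Every public method below is a binder entry point reachable by any process that can look up
 * the service, so the caller's uid and permissions have to be established inside each call (the
 * checkBinderPermission* helpers further down) before any key blob is read, written or used.
 *
 * The class also inherits IBinder::DeathRecipient so that binderDied() runs when a client binder
 * it has linked to dies; presumably the link is made on the appToken handed to begin(), so that a
 * dead client's in-flight operations can be released -- confirm against the implementation.
 *
 * Methods returning KeyStoreServiceReturnCode share one code space for keystore results,
 * keystore lock state (see checkBinderPermissionAndKeystoreState()) and translated keymaster
 * errors (see translateResultToLegacyResult()).
 */
class KeyStoreService : public android::BnKeystoreService, public android::IBinder::DeathRecipient {
    using km_device_t = ::android::sp<::android::hardware::keymaster::V3_0::IKeymasterDevice>;

  public:
    /**
     * @param keyStore Backing key store. Not owned: the caller must keep it alive for as long as
     *                 this service object exists. mOperationMap is constructed with a back-pointer
     *                 to this object (see operation.h for what it is used for).
     */
    explicit KeyStoreService(::KeyStore* keyStore) : mKeyStore(keyStore), mOperationMap(this) {}

    /** IBinder::DeathRecipient hook: a client binder this service linked to (@p who) has died. */
    void binderDied(const android::wp<android::IBinder>& who) override;

    /*
     * Legacy IKeystoreService API. Method names and the "random blob" semantics are dictated by
     * the Java callers; see the TODO above get_pubkey().
     *
     * Where a method takes a target uid, UID_SELF (-1) denotes the calling uid (see
     * getEffectiveUid()); any other value is a cross-uid request that the implementation has to
     * authorise through the checkBinderPermission* helpers.
     */

    /** Keystore State for @p userId, encoded in the return code (see isKeystoreUnlocked()). */
    KeyStoreServiceReturnCode getState(int32_t userId) override;

    /** Copy the blob stored under @p name for @p uid into @p item. */
    KeyStoreServiceReturnCode get(const android::String16& name, int32_t uid,
                                  hidl_vec<uint8_t>* item) override;
    /** Store @p item as an opaque blob under @p name for @p targetUid; @p flags are keystore flags. */
    KeyStoreServiceReturnCode insert(const android::String16& name, const hidl_vec<uint8_t>& item,
                                     int targetUid, int32_t flags) override;
    /** Delete entry @p name belonging to @p targetUid. */
    KeyStoreServiceReturnCode del(const android::String16& name, int targetUid) override;
    /** Report whether entry @p name exists for @p targetUid. */
    KeyStoreServiceReturnCode exist(const android::String16& name, int targetUid) override;
    /** Collect into @p matches the entry names of @p targetUid that start with @p prefix. */
    KeyStoreServiceReturnCode list(const android::String16& prefix, int targetUid,
                                   android::Vector<android::String16>* matches) override;

    /** Reset the keystore (presumably discarding all entries). Destructive; must be privileged. */
    KeyStoreServiceReturnCode reset() override;

    /**
     * Notification that @p userId's credential changed to @p password. The new credential arrives
     * as a plain String16, so keep its handling and lifetime minimal.
     */
    KeyStoreServiceReturnCode onUserPasswordChanged(int32_t userId,
                                                    const android::String16& password) override;
    /** User @p userId was created with parent @p parentId. */
    KeyStoreServiceReturnCode onUserAdded(int32_t userId, int32_t parentId) override;
    /** User @p userId was removed; its entries are expected to be discarded. */
    KeyStoreServiceReturnCode onUserRemoved(int32_t userId) override;

    /** Lock @p userId's store; key use then requires unlock(). */
    KeyStoreServiceReturnCode lock(int32_t userId) override;
    /** Unlock @p userId's store with credential @p pw. */
    KeyStoreServiceReturnCode unlock(int32_t userId, const android::String16& pw) override;

    /** True if @p userId has no entries. */
    bool isEmpty(int32_t userId) override;

    /*
     * Legacy key operations. @p keyType / @p keySize are integer key descriptors and @p args
     * carries extra KeystoreArg parameters; generateKey()/importKey() below are the
     * KeyParameter-based replacements.
     */
    KeyStoreServiceReturnCode
    generate(const android::String16& name, int32_t targetUid, int32_t keyType, int32_t keySize,
             int32_t flags, android::Vector<android::sp<android::KeystoreArg>>* args) override;
    /** Import legacy-encoded key material @p data under @p name for @p targetUid. */
    KeyStoreServiceReturnCode import(const android::String16& name, const hidl_vec<uint8_t>& data,
                                     int targetUid, int32_t flags) override;
    /** Sign @p data with key @p name; the signature is written to @p out. */
    KeyStoreServiceReturnCode sign(const android::String16& name, const hidl_vec<uint8_t>& data,
                                   hidl_vec<uint8_t>* out) override;
    /** Verify @p signature over @p data with key @p name. */
    KeyStoreServiceReturnCode verify(const android::String16& name, const hidl_vec<uint8_t>& data,
                                     const hidl_vec<uint8_t>& signature) override;

    /*
     * TODO: The abstraction between things stored in hardware and regular blobs
     * of data stored on the filesystem should be moved down to keystore itself.
     * Unfortunately the Java code that calls this has naming conventions that it
     * knows about. Ideally keystore shouldn't be used to store random blobs of
     * data.
     *
     * Until that happens, it's necessary to have a separate "get_pubkey" and
     * "del_key" since the Java code doesn't really communicate what its
     * intentions are.
     */
    /** Return in @p pubKey the public part of key @p name (the only part that may leave keystore). */
    KeyStoreServiceReturnCode get_pubkey(const android::String16& name,
                                         hidl_vec<uint8_t>* pubKey) override;

    /**
     * Grant / revoke @p granteeUid's access to entry @p name. Grants are the mechanism
     * checkBinderPermission() consults for cross-uid access, so who may create one is
     * security-critical; confirm the ownership check in the implementation.
     */
    KeyStoreServiceReturnCode grant(const android::String16& name, int32_t granteeUid) override;
    KeyStoreServiceReturnCode ungrant(const android::String16& name, int32_t granteeUid) override;

    /** Modification time of entry @p name for @p uid. */
    int64_t getmtime(const android::String16& name, int32_t uid) override;

    /** Copy entry @p srcKey of @p srcUid to @p destKey of @p destUid. Cross-uid; must be privileged. */
    KeyStoreServiceReturnCode duplicate(const android::String16& srcKey, int32_t srcUid,
                                        const android::String16& destKey, int32_t destUid) override;

    /** Non-zero if keys of the named @p keyType are backed by hardware keymaster. */
    int32_t is_hardware_backed(const android::String16& keyType) override;

    /**
     * Delete every entry owned by @p targetUid64. The uid arrives as int64 while every other
     * method takes int32: the implementation narrows it to uid_t and should range-check it first
     * so that a negative or out-of-range value cannot alias another uid.
     */
    KeyStoreServiceReturnCode clear_uid(int64_t targetUid64) override;

    /*
     * Keymaster-backed API. Inputs are KeyParameter sets; errors come back as a
     * KeyStoreServiceReturnCode, or inside the OperationResult / ExportResult out-parameter for
     * the operation and export calls.
     */

    /**
     * Feed caller-supplied @p entropy to the keymaster RNG. This is untrusted input: it must only
     * ever be mixed into the existing pool, never used as the sole seed.
     */
    KeyStoreServiceReturnCode addRngEntropy(const hidl_vec<uint8_t>& entropy) override;
    /**
     * Generate a key under @p name for @p uid from @p params (@p entropy is extra seed material,
     * @p flags are keystore flags); the new key's characteristics are returned in
     * @p outCharacteristics. Caller-supplied params should be vetted before reaching keymaster.
     */
    KeyStoreServiceReturnCode generateKey(const android::String16& name,
                                          const hidl_vec<KeyParameter>& params,
                                          const hidl_vec<uint8_t>& entropy, int uid, int flags,
                                          KeyCharacteristics* outCharacteristics) override;
    /**
     * Fetch the characteristics of key @p name for @p uid into @p outCharacteristics.
     * @p clientId / @p appData are the application id / data keymaster binds a key to if they
     * were supplied at creation.
     */
    KeyStoreServiceReturnCode
    getKeyCharacteristics(const android::String16& name, const hidl_vec<uint8_t>& clientId,
                          const hidl_vec<uint8_t>& appData, int32_t uid,
                          KeyCharacteristics* outCharacteristics) override;
    /** Import @p keyData, encoded as @p format, under @p name for @p uid. */
    KeyStoreServiceReturnCode importKey(const android::String16& name,
                                        const hidl_vec<KeyParameter>& params, KeyFormat format,
                                        const hidl_vec<uint8_t>& keyData, int uid, int flags,
                                        KeyCharacteristics* outCharacteristics) override;
    /**
     * Export key @p name in @p format into @p result. Only public material should ever be
     * exportable; keymaster is expected to refuse anything else -- nothing here should relax that.
     */
    void exportKey(const android::String16& name, KeyFormat format,
                   const hidl_vec<uint8_t>& clientId, const hidl_vec<uint8_t>& appData, int32_t uid,
                   android::ExportResult* result) override;
    /**
     * Begin a keymaster operation on key @p name for @p purpose. @p appToken identifies the
     * client, @p pruneable marks the operation as a candidate for pruneOperation(), and @p result
     * carries the operation token used by update()/finish()/abort().
     */
    void begin(const sp<android::IBinder>& appToken, const android::String16& name,
               KeyPurpose purpose, bool pruneable, const hidl_vec<KeyParameter>& params,
               const hidl_vec<uint8_t>& entropy, int32_t uid,
               android::OperationResult* result) override;
    /** Feed @p data to operation @p token. */
    void update(const sp<android::IBinder>& token, const hidl_vec<KeyParameter>& params,
                const hidl_vec<uint8_t>& data, android::OperationResult* result) override;
    /** Complete operation @p token; @p signature is consumed for verify-style purposes. */
    void finish(const sp<android::IBinder>& token, const hidl_vec<KeyParameter>& params,
                const hidl_vec<uint8_t>& signature, const hidl_vec<uint8_t>& entropy,
                android::OperationResult* result) override;
    /** Abort operation @p token and release its slot. */
    KeyStoreServiceReturnCode abort(const sp<android::IBinder>& token) override;

    /** Whether operation @p token currently holds a usable auth token (see getAuthToken()). */
    bool isOperationAuthorized(const sp<android::IBinder>& token) override;

    /**
     * Add a serialised HardwareAuthToken (@p length bytes at @p token) to mAuthTokenTable.
     * @p length is caller-controlled and must be validated against the token wire size before
     * anything is decoded from @p token. Presumably the token's MAC is only checked by keymaster
     * when the token is consumed, so presence in the table is not by itself proof of
     * authentication -- confirm.
     */
    KeyStoreServiceReturnCode addAuthToken(const uint8_t* token, size_t length) override;

    /** Produce an attestation certificate chain for key @p name from @p params into @p outChain. */
    KeyStoreServiceReturnCode attestKey(const android::String16& name,
                                        const hidl_vec<KeyParameter>& params,
                                        hidl_vec<hidl_vec<uint8_t>>* outChain) override;

    /** Device-off-body notification; confirm in the implementation which auth state it clears. */
    KeyStoreServiceReturnCode onDeviceOffBody() override;

  private:
    /** Sentinel target uid meaning "the calling uid" (see getEffectiveUid()). */
    static constexpr int32_t UID_SELF = -1;

    /**
     * Prune the oldest pruneable operation (one begun with pruneable=true).
     * @return presumably whether an operation was pruned; confirm against the implementation.
     */
    bool pruneOperation();

    /**
     * Resolve the target uid of a binder method that takes an optional uid: UID_SELF maps to the
     * calling uid, anything else is used as given. Authorisation is not performed here; see the
     * checkBinderPermission* helpers.
     */
    uid_t getEffectiveUid(int32_t targetUid);

    /**
     * Check that the caller of the current binder method holds @p permission and, when
     * @p targetUid is another uid, has a grant allowing it to act on that uid.
     * @return false if either check fails.
     */
    bool checkBinderPermission(perm_t permission, int32_t targetUid = UID_SELF);

    /**
     * Check that the caller of the current binder method holds @p permission and that
     * @p targetUid is the caller itself or the caller is system.
     */
    bool checkBinderPermissionSelfOrSystem(perm_t permission, int32_t targetUid);

    /**
     * Check that the caller of the current binder method holds @p permission, or that
     * @p targetUid is the caller's own uid. For methods where the permission only gates cross-uid
     * activity and every uid may act on itself (e.g. clearing all of its own entries).
     */
    bool checkBinderPermissionOrSelfTarget(perm_t permission, int32_t targetUid);

    /**
     * Check that the caller holds @p permission (for @p targetUid, as in checkBinderPermission())
     * and, if @p checkUnlocked, that the keystore is unlocked.
     *
     * @return NO_ERROR on success, PERMISSION_DENIED on a permission failure, and otherwise the
     *         keystore State when it is not unlocked and @p checkUnlocked is true.
     */
    KeyStoreServiceReturnCode checkBinderPermissionAndKeystoreState(perm_t permission,
                                                                    int32_t targetUid = UID_SELF,
                                                                    bool checkUnlocked = true);

    /** True if @p state denotes an unlocked keystore. */
    bool isKeystoreUnlocked(State state);

    /**
     * Check that every KeyParameter supplied by the application is allowed.
     *
     * Any tag that keystore injects itself (for example the auth token appended by
     * addOperationAuthTokenIfNeeded()) must be rejected here; otherwise a caller could supply its
     * own value in place of the one keystore would look up.
     */
    bool checkAllowedOperationParams(const hidl_vec<KeyParameter>& params);

    /**
     * Look up the characteristics of key blob @p key on keymaster device @p dev into @p out,
     * using @p params (presumably for the application id / data the blob is bound to).
     */
    ErrorCode getOperationCharacteristics(const hidl_vec<uint8_t>& key, km_device_t* dev,
                                          const AuthorizationSet& params, KeyCharacteristics* out);

    /**
     * Get the auth token for an operation from mAuthTokenTable, based on the key's
     * @p characteristics, the operation @p handle and @p purpose. On success *@p authToken points
     * at the table's entry (so it must not outlive the table).
     *
     * @return NO_ERROR if the auth token was set or none was required;
     *         OP_AUTH_NEEDED if the key needs per-operation authorization, no token exists for
     *         the operation and @p failOnTokenMissing is false;
     *         KM_ERROR_KEY_USER_NOT_AUTHENTICATED if there is no valid auth token for the
     *         operation.
     */
    KeyStoreServiceReturnCode getAuthToken(const KeyCharacteristics& characteristics,
                                           uint64_t handle, KeyPurpose purpose,
                                           const HardwareAuthToken** authToken,
                                           bool failOnTokenMissing = true);

    /**
     * Append the operation's auth token to @p params if the operation requires authorization.
     * Uses the result cached in mOperationMap when available, otherwise consults
     * mAuthTokenTable (via getAuthToken()) and caches the outcome.
     *
     * @return NO_ERROR if the token was added or not needed;
     *         KM_ERROR_KEY_USER_NOT_AUTHENTICATED if the operation is not authenticated;
     *         KM_ERROR_INVALID_OPERATION_HANDLE if @p token is not a valid operation token.
     */
    KeyStoreServiceReturnCode addOperationAuthTokenIfNeeded(const sp<android::IBinder>& token,
                                                            AuthorizationSet* params);

    /**
     * Translate @p result into a legacy return value: keystore errors are preserved, keymaster
     * errors collapse to SYSTEM_ERROR.
     */
    KeyStoreServiceReturnCode translateResultToLegacyResult(int32_t result);

    /** Append to @p params the begin() parameters used by the legacy sign()/verify() path for @p name. */
    void addLegacyBeginParams(const android::String16& name, AuthorizationSet* params);

    /**
     * Shared implementation of the legacy sign()/verify() entry points: @p purpose selects the
     * operation, @p out receives the signature when signing and @p signature is the value checked
     * when verifying.
     */
    KeyStoreServiceReturnCode doLegacySignVerify(const android::String16& name,
                                                 const hidl_vec<uint8_t>& data,
                                                 hidl_vec<uint8_t>* out,
                                                 const hidl_vec<uint8_t>& signature,
                                                 KeyPurpose purpose);

    /**
     * Upgrade the key blob stored under alias @p name for @p targetUid, returning the new blob in
     * @p blob. Any previous contents of @p blob are overwritten.
     *
     * @return NO_ERROR if the key was upgraded successfully;
     *         KM_ERROR_VERSION_MISMATCH if called on a key whose patch level is greater than or
     *         equal to the current system patch level.
     */
    KeyStoreServiceReturnCode upgradeKeyBlob(const android::String16& name, uid_t targetUid,
                                             const AuthorizationSet& params, Blob* blob);

    ::KeyStore* mKeyStore;  // Not owned; see constructor.
    // In-flight keymaster operations, addressed by the binder token used in update()/finish()/abort().
    OperationMap mOperationMap;
    // Hardware auth tokens received through addAuthToken(); consulted by getAuthToken().
    keystore::AuthTokenTable mAuthTokenTable;
    // Keymaster enforcement policy applied by keystore itself; see keystore_keymaster_enforcement.h.
    KeystoreKeymasterEnforcement enforcement_policy;
};

}  // namespace keystore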
Shawn Willden | c1d1fee | 2016-01-26 22:44:56 -0700 | [diff] [blame] | 255 | |
| 256 | #endif // KEYSTORE_KEYSTORE_SERVICE_H_ |