keystore/key_store_service.h

/*
 * Copyright (C) 2016 The Android Open Source Project
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

#ifndef KEYSTORE_KEYSTORE_SERVICE_H_
#define KEYSTORE_KEYSTORE_SERVICE_H_

#include <android/security/BnKeystoreService.h>

#include "auth_token_table.h"

#include "KeyStore.h"
#include "keystore_keymaster_enforcement.h"
#include "operation.h"
#include "permissions.h"

namespace keystore {

// Class provides implementation for generated BnKeystoreService.h based on
// gen/aidl/android/security/BnKeystoreService.h generated from
// java/android/security/IKeystoreService.aidl Note that all generated methods return binder::Status
// and use last arguments to send actual result to the caller. Private methods don't need to handle
// binder::Status. Input parameters cannot be null unless annotated with @nullable in .aidl file.
class KeyStoreService : public android::security::BnKeystoreService,
                        android::IBinder::DeathRecipient {
    typedef ::android::sp<::android::hardware::keymaster::V3_0::IKeymasterDevice> km_device_t;

  public:
    explicit KeyStoreService(KeyStore* keyStore) : mKeyStore(keyStore), mOperationMap(this) {}

    void binderDied(const android::wp<android::IBinder>& who);

    ::android::binder::Status getState(int32_t userId, int32_t* _aidl_return) override;
    ::android::binder::Status get(const ::android::String16& name, int32_t uid,
                                  ::std::vector<uint8_t>* _aidl_return) override;
    ::android::binder::Status insert(const ::android::String16& name,
                                     const ::std::vector<uint8_t>& item, int32_t uid, int32_t flags,
                                     int32_t* _aidl_return) override;
    ::android::binder::Status del(const ::android::String16& name, int32_t uid,
                                  int32_t* _aidl_return) override;
    ::android::binder::Status exist(const ::android::String16& name, int32_t uid,
                                    int32_t* _aidl_return) override;
    ::android::binder::Status list(const ::android::String16& namePrefix, int32_t uid,
                                   ::std::vector<::android::String16>* _aidl_return) override;
    ::android::binder::Status reset(int32_t* _aidl_return) override;
    ::android::binder::Status onUserPasswordChanged(int32_t userId,
                                                    const ::android::String16& newPassword,
                                                    int32_t* _aidl_return) override;
    ::android::binder::Status lock(int32_t userId, int32_t* _aidl_return) override;
    ::android::binder::Status unlock(int32_t userId, const ::android::String16& userPassword,
                                     int32_t* _aidl_return) override;
    ::android::binder::Status isEmpty(int32_t userId, int32_t* _aidl_return) override;
    ::android::binder::Status generate(const ::android::String16& name, int32_t uid,
                                       int32_t keyType, int32_t keySize, int32_t flags,
                                       const ::android::security::KeystoreArguments& args,
                                       int32_t* _aidl_return) override;
    ::android::binder::Status import_key(const ::android::String16& name,
                                         const ::std::vector<uint8_t>& data, int32_t uid,
                                         int32_t flags, int32_t* _aidl_return) override;
    ::android::binder::Status sign(const ::android::String16& name,
                                   const ::std::vector<uint8_t>& data,
                                   ::std::vector<uint8_t>* _aidl_return) override;
    ::android::binder::Status verify(const ::android::String16& name,
                                     const ::std::vector<uint8_t>& data,
                                     const ::std::vector<uint8_t>& signature,
                                     int32_t* _aidl_return) override;
    /*
     * TODO: The abstraction between things stored in hardware and regular blobs
     * of data stored on the filesystem should be moved down to keystore itself.
     * Unfortunately the Java code that calls this has naming conventions that it
     * knows about. Ideally keystore shouldn't be used to store random blobs of
     * data.
     *
     * Until that happens, it's necessary to have a separate "get_pubkey" and
     * "del_key" since the Java code doesn't really communicate what it's
     * intentions are.
     */
    ::android::binder::Status get_pubkey(const ::android::String16& name,
                                         ::std::vector<uint8_t>* _aidl_return) override;
    ::android::binder::Status grant(const ::android::String16& name, int32_t granteeUid,
                                    ::android::String16* _aidl_return) override;
    ::android::binder::Status ungrant(const ::android::String16& name, int32_t granteeUid,
                                      int32_t* _aidl_return) override;
    ::android::binder::Status getmtime(const ::android::String16& name, int32_t uid,
                                       int64_t* _aidl_return) override;
    ::android::binder::Status duplicate(const ::android::String16& srcKey, int32_t srcUid,
                                        const ::android::String16& destKey, int32_t destUid,
                                        int32_t* _aidl_return) override;
    ::android::binder::Status is_hardware_backed(const ::android::String16& string,
                                                 int32_t* _aidl_return) override;
    ::android::binder::Status clear_uid(int64_t uid, int32_t* _aidl_return) override;
    ::android::binder::Status addRngEntropy(const ::std::vector<uint8_t>& data,
                                            int32_t* _aidl_return) override;
    ::android::binder::Status
    generateKey(const ::android::String16& alias,
                const ::android::security::keymaster::KeymasterArguments& arguments,
                const ::std::vector<uint8_t>& entropy, int32_t uid, int32_t flags,
                ::android::security::keymaster::KeyCharacteristics* characteristics,
                int32_t* _aidl_return) override;
    ::android::binder::Status
    getKeyCharacteristics(const ::android::String16& alias,
                          const ::android::security::keymaster::KeymasterBlob& clientId,
                          const ::android::security::keymaster::KeymasterBlob& appId, int32_t uid,
                          ::android::security::keymaster::KeyCharacteristics* characteristics,
                          int32_t* _aidl_return) override;
    ::android::binder::Status
    importKey(const ::android::String16& alias,
              const ::android::security::keymaster::KeymasterArguments& arguments, int32_t format,
              const ::std::vector<uint8_t>& keyData, int32_t uid, int32_t flags,
              ::android::security::keymaster::KeyCharacteristics* characteristics,
              int32_t* _aidl_return) override;
    ::android::binder::Status
    exportKey(const ::android::String16& alias, int32_t format,
              const ::android::security::keymaster::KeymasterBlob& clientId,
              const ::android::security::keymaster::KeymasterBlob& appId, int32_t uid,
              ::android::security::keymaster::ExportResult* _aidl_return) override;
    ::android::binder::Status
    begin(const ::android::sp<::android::IBinder>& appToken, const ::android::String16& alias,
          int32_t purpose, bool pruneable,
          const ::android::security::keymaster::KeymasterArguments& params,
          const ::std::vector<uint8_t>& entropy, int32_t uid,
          ::android::security::keymaster::OperationResult* _aidl_return) override;
    ::android::binder::Status
    update(const ::android::sp<::android::IBinder>& token,
           const ::android::security::keymaster::KeymasterArguments& params,
           const ::std::vector<uint8_t>& input,
           ::android::security::keymaster::OperationResult* _aidl_return) override;
    ::android::binder::Status
    finish(const ::android::sp<::android::IBinder>& token,
           const ::android::security::keymaster::KeymasterArguments& params,
           const ::std::vector<uint8_t>& signature, const ::std::vector<uint8_t>& entropy,
           ::android::security::keymaster::OperationResult* _aidl_return) override;
    ::android::binder::Status abort(const ::android::sp<::android::IBinder>& handle,
                                    int32_t* _aidl_return) override;
    ::android::binder::Status isOperationAuthorized(const ::android::sp<::android::IBinder>& token,
                                                    bool* _aidl_return) override;
    ::android::binder::Status addAuthToken(const ::std::vector<uint8_t>& authToken,
                                           int32_t* _aidl_return) override;
    ::android::binder::Status onUserAdded(int32_t userId, int32_t parentId,
                                          int32_t* _aidl_return) override;
    ::android::binder::Status onUserRemoved(int32_t userId, int32_t* _aidl_return) override;
    ::android::binder::Status
    attestKey(const ::android::String16& alias,
              const ::android::security::keymaster::KeymasterArguments& params,
              ::android::security::keymaster::KeymasterCertificateChain* chain,
              int32_t* _aidl_return) override;
    ::android::binder::Status
    attestDeviceIds(const ::android::security::keymaster::KeymasterArguments& params,
                    ::android::security::keymaster::KeymasterCertificateChain* chain,
                    int32_t* _aidl_return) override;
    ::android::binder::Status onDeviceOffBody(int32_t* _aidl_return) override;

  private:
    static const int32_t UID_SELF = -1;

    /**
     * Prune the oldest pruneable operation.
     */
    bool pruneOperation();

    /**
     * Get the effective target uid for a binder operation that takes an
     * optional uid as the target.
     */
    uid_t getEffectiveUid(int32_t targetUid);

    /**
     * Check if the caller of the current binder method has the required
     * permission and if acting on other uids the grants to do so.
     */
    bool checkBinderPermission(perm_t permission, int32_t targetUid = UID_SELF);

    /**
     * Check if the caller of the current binder method has the required
     * permission and the target uid is the caller or the caller is system.
     */
    bool checkBinderPermissionSelfOrSystem(perm_t permission, int32_t targetUid);

    /**
     * Check if the caller of the current binder method has the required
     * permission or the target of the operation is the caller's uid. This is
     * for operation where the permission is only for cross-uid activity and all
     * uids are allowed to act on their own (ie: clearing all entries for a
     * given uid).
     */
    bool checkBinderPermissionOrSelfTarget(perm_t permission, int32_t targetUid);

    /**
     * Helper method to check that the caller has the required permission as
     * well as the keystore is in the unlocked state if checkUnlocked is true.
     *
     * Returns NO_ERROR on success, PERMISSION_DENIED on a permission error and
     * otherwise the state of keystore when not unlocked and checkUnlocked is
     * true.
     */
    KeyStoreServiceReturnCode checkBinderPermissionAndKeystoreState(perm_t permission,
                                                                    int32_t targetUid = -1,
                                                                    bool checkUnlocked = true);

    bool isKeystoreUnlocked(State state);

    /**
     * Check that all keymaster_key_param_t's provided by the application are
     * allowed. Any parameter that keystore adds itself should be disallowed here.
     */
    bool checkAllowedOperationParams(const hidl_vec<KeyParameter>& params);

    ErrorCode getOperationCharacteristics(const hidl_vec<uint8_t>& key, km_device_t* dev,
                                          const AuthorizationSet& params, KeyCharacteristics* out);

    /**
     * Get the auth token for this operation from the auth token table.
     *
     * Returns ::NO_ERROR if the auth token was set or none was required.
     *         ::OP_AUTH_NEEDED if it is a per op authorization, no
     *         authorization token exists for that operation and
     *         failOnTokenMissing is false.
     *         KM_ERROR_KEY_USER_NOT_AUTHENTICATED if there is no valid auth
     *         token for the operation
     */
    KeyStoreServiceReturnCode getAuthToken(const KeyCharacteristics& characteristics,
                                           uint64_t handle, KeyPurpose purpose,
                                           const HardwareAuthToken** authToken,
                                           bool failOnTokenMissing = true);

    /**
     * Add the auth token for the operation to the param list if the operation
     * requires authorization. Uses the cached result in the OperationMap if available
     * otherwise gets the token from the AuthTokenTable and caches the result.
     *
     * Returns ::NO_ERROR if the auth token was added or not needed.
     *         KM_ERROR_KEY_USER_NOT_AUTHENTICATED if the operation is not
     *         authenticated.
     *         KM_ERROR_INVALID_OPERATION_HANDLE if token is not a valid
     *         operation token.
     */
    KeyStoreServiceReturnCode addOperationAuthTokenIfNeeded(const sp<android::IBinder>& token,
                                                            AuthorizationSet* params);

    /**
     * Translate a result value to a legacy return value. All keystore errors are
     * preserved and keymaster errors become SYSTEM_ERRORs
     */
    KeyStoreServiceReturnCode translateResultToLegacyResult(int32_t result);

    void addLegacyBeginParams(const android::String16& name, AuthorizationSet* params);

    KeyStoreServiceReturnCode doLegacySignVerify(const android::String16& name,
                                                 const hidl_vec<uint8_t>& data,
                                                 hidl_vec<uint8_t>* out,
                                                 const hidl_vec<uint8_t>& signature,
                                                 KeyPurpose purpose);

    /**
     * Upgrade a key blob under alias "name", returning the new blob in "blob".  If "blob"
     * previously contained data, it will be overwritten.
     *
     * Returns ::NO_ERROR if the key was upgraded successfully.
     *         KM_ERROR_VERSION_MISMATCH if called on a key whose patch level is greater than or
     *         equal to the current system patch level.
     */
    KeyStoreServiceReturnCode upgradeKeyBlob(const android::String16& name, uid_t targetUid,
                                             const AuthorizationSet& params, Blob* blob);

    ::KeyStore* mKeyStore;
    OperationMap mOperationMap;
    keystore::AuthTokenTable mAuthTokenTable;
    KeystoreKeymasterEnforcement enforcement_policy;
};

};  // namespace keystore

#endif  // KEYSTORE_KEYSTORE_SERVICE_H_