1 /*
2  * Copyright (C) 2012 The Android Open Source Project
3  *
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at
7  *
8  *      http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */
16 
17 #ifndef KEYSTORE_IKEYSTORESERVICE_H
18 #define KEYSTORE_IKEYSTORESERVICE_H
19 
20 #include <hardware/keymaster_defs.h>
21 #include <utils/RefBase.h>
22 #include <binder/IInterface.h>
23 #include <binder/Parcel.h>
24 #include <vector>
25 
26 namespace android {
27 
28 class KeystoreArg : public RefBase {
29 public:
30     KeystoreArg(const void *data, size_t len);
31     ~KeystoreArg();
32 
33     const void* data() const;
34     size_t size() const;
35 
36 private:
37     const void* mData;
38     size_t mSize;
39 };
40 
41 struct MallocDeleter {
operatorMallocDeleter42     void operator()(uint8_t* p) { free(p); }
43 };
44 
45 // struct for serializing/deserializing a list of keymaster_key_param_t's
46 struct KeymasterArguments {
47     KeymasterArguments();
48     ~KeymasterArguments();
49     void readFromParcel(const Parcel& in);
50     void writeToParcel(Parcel* out) const;
51 
52     std::vector<keymaster_key_param_t> params;
53 };
54 
55 // struct for serializing the results of begin/update/finish
56 struct OperationResult {
57     OperationResult();
58     ~OperationResult();
59     void readFromParcel(const Parcel& in);
60     void writeToParcel(Parcel* out) const;
61 
62     int resultCode;
63     sp<IBinder> token;
64     keymaster_operation_handle_t handle;
65     int inputConsumed;
66     std::unique_ptr<uint8_t[], MallocDeleter> data;
67     size_t dataLength;
68     KeymasterArguments outParams;
69 };
70 
71 // struct for serializing the results of export
72 struct ExportResult {
73     ExportResult();
74     ~ExportResult();
75     void readFromParcel(const Parcel& in);
76     void writeToParcel(Parcel* out) const;
77 
78     int resultCode;
79     std::unique_ptr<uint8_t[], MallocDeleter> exportData;
80     size_t dataLength;
81 };
82 
83 // struct for serializing keymaster_key_characteristics_t's
84 struct KeyCharacteristics {
85     KeyCharacteristics();
86     ~KeyCharacteristics();
87     void readFromParcel(const Parcel& in);
88     void writeToParcel(Parcel* out) const;
89 
90     keymaster_key_characteristics_t characteristics;
91 };
92 
93 // struct for serializing keymaster_cert_chain_t's
94 struct KeymasterCertificateChain {
95     KeymasterCertificateChain();
96     ~KeymasterCertificateChain();
97     void readFromParcel(const Parcel& in);
98     void writeToParcel(Parcel* out) const;
99 
100     void FreeChain();
101 
102     keymaster_cert_chain_t chain;
103 };
104 
105 bool readKeymasterArgumentFromParcel(const Parcel& in, keymaster_key_param_t* out);
106 void writeKeymasterArgumentToParcel(const keymaster_key_param_t& param, Parcel* out);
107 
108 /*
109  * This must be kept manually in sync with frameworks/base's IKeystoreService.java
110  */
111 class IKeystoreService: public IInterface {
112 public:
113     enum {
114         GET_STATE = IBinder::FIRST_CALL_TRANSACTION + 0,
115         GET = IBinder::FIRST_CALL_TRANSACTION + 1,
116         INSERT = IBinder::FIRST_CALL_TRANSACTION + 2,
117         DEL = IBinder::FIRST_CALL_TRANSACTION + 3,
118         EXIST = IBinder::FIRST_CALL_TRANSACTION + 4,
119         LIST = IBinder::FIRST_CALL_TRANSACTION + 5,
120         RESET = IBinder::FIRST_CALL_TRANSACTION + 6,
121         ON_USER_PASSWORD_CHANGED = IBinder::FIRST_CALL_TRANSACTION + 7,
122         LOCK = IBinder::FIRST_CALL_TRANSACTION + 8,
123         UNLOCK = IBinder::FIRST_CALL_TRANSACTION + 9,
124         IS_EMPTY = IBinder::FIRST_CALL_TRANSACTION + 10,
125         GENERATE = IBinder::FIRST_CALL_TRANSACTION + 11,
126         IMPORT = IBinder::FIRST_CALL_TRANSACTION + 12,
127         SIGN = IBinder::FIRST_CALL_TRANSACTION + 13,
128         VERIFY = IBinder::FIRST_CALL_TRANSACTION + 14,
129         GET_PUBKEY = IBinder::FIRST_CALL_TRANSACTION + 15,
130         GRANT = IBinder::FIRST_CALL_TRANSACTION + 16,
131         UNGRANT = IBinder::FIRST_CALL_TRANSACTION + 17,
132         GETMTIME = IBinder::FIRST_CALL_TRANSACTION + 18,
133         DUPLICATE = IBinder::FIRST_CALL_TRANSACTION + 19,
134         IS_HARDWARE_BACKED = IBinder::FIRST_CALL_TRANSACTION + 20,
135         CLEAR_UID = IBinder::FIRST_CALL_TRANSACTION + 21,
136         ADD_RNG_ENTROPY = IBinder::FIRST_CALL_TRANSACTION + 22,
137         GENERATE_KEY = IBinder::FIRST_CALL_TRANSACTION + 23,
138         GET_KEY_CHARACTERISTICS = IBinder::FIRST_CALL_TRANSACTION + 24,
139         IMPORT_KEY = IBinder::FIRST_CALL_TRANSACTION + 25,
140         EXPORT_KEY = IBinder::FIRST_CALL_TRANSACTION + 26,
141         BEGIN = IBinder::FIRST_CALL_TRANSACTION + 27,
142         UPDATE = IBinder::FIRST_CALL_TRANSACTION + 28,
143         FINISH = IBinder::FIRST_CALL_TRANSACTION + 29,
144         ABORT = IBinder::FIRST_CALL_TRANSACTION + 30,
145         IS_OPERATION_AUTHORIZED = IBinder::FIRST_CALL_TRANSACTION + 31,
146         ADD_AUTH_TOKEN = IBinder::FIRST_CALL_TRANSACTION + 32,
147         ON_USER_ADDED = IBinder::FIRST_CALL_TRANSACTION + 33,
148         ON_USER_REMOVED = IBinder::FIRST_CALL_TRANSACTION + 34,
149         ATTEST_KEY = IBinder::FIRST_CALL_TRANSACTION + 35,
150     };
151 
152     DECLARE_META_INTERFACE(KeystoreService);
153 
154     virtual int32_t getState(int32_t userId) = 0;
155 
156     virtual int32_t get(const String16& name, int32_t uid, uint8_t** item, size_t* itemLength) = 0;
157 
158     virtual int32_t insert(const String16& name, const uint8_t* item, size_t itemLength, int uid,
159             int32_t flags) = 0;
160 
161     virtual int32_t del(const String16& name, int uid) = 0;
162 
163     virtual int32_t exist(const String16& name, int uid) = 0;
164 
165     virtual int32_t list(const String16& prefix, int uid, Vector<String16>* matches) = 0;
166 
167     virtual int32_t reset() = 0;
168 
169     virtual int32_t onUserPasswordChanged(int32_t userId, const String16& newPassword) = 0;
170 
171     virtual int32_t lock(int32_t userId) = 0;
172 
173     virtual int32_t unlock(int32_t userId, const String16& password) = 0;
174 
175     virtual bool isEmpty(int32_t userId) = 0;
176 
177     virtual int32_t generate(const String16& name, int32_t uid, int32_t keyType, int32_t keySize,
178             int32_t flags, Vector<sp<KeystoreArg> >* args) = 0;
179 
180     virtual int32_t import(const String16& name, const uint8_t* data, size_t length, int uid,
181             int32_t flags) = 0;
182 
183     virtual int32_t sign(const String16& name, const uint8_t* data, size_t length, uint8_t** out,
184             size_t* outLength) = 0;
185 
186     virtual int32_t verify(const String16& name, const uint8_t* data, size_t dataLength,
187             const uint8_t* signature, size_t signatureLength) = 0;
188 
189     virtual int32_t get_pubkey(const String16& name, uint8_t** pubkey, size_t* pubkeyLength) = 0;
190 
191     virtual int32_t grant(const String16& name, int32_t granteeUid) = 0;
192 
193     virtual int32_t ungrant(const String16& name, int32_t granteeUid) = 0;
194 
195     virtual int64_t getmtime(const String16& name, int32_t uid) = 0;
196 
197     virtual int32_t duplicate(const String16& srcKey, int32_t srcUid, const String16& destKey,
198             int32_t destUid) = 0;
199 
200     virtual int32_t is_hardware_backed(const String16& keyType) = 0;
201 
202     virtual int32_t clear_uid(int64_t uid) = 0;
203 
204     virtual int32_t addRngEntropy(const uint8_t* data, size_t dataLength) = 0;
205 
206     virtual int32_t generateKey(const String16& name, const KeymasterArguments& params,
207                                 const uint8_t* entropy, size_t entropyLength, int uid, int flags,
208                                 KeyCharacteristics* outCharacteristics) = 0;
209 
210     virtual int32_t getKeyCharacteristics(const String16& name,
211                                           const keymaster_blob_t* clientId,
212                                           const keymaster_blob_t* appData,
213                                           int32_t uid,
214                                           KeyCharacteristics* outCharacteristics) = 0;
215 
216     virtual int32_t importKey(const String16& name, const KeymasterArguments&  params,
217                               keymaster_key_format_t format, const uint8_t *keyData,
218                               size_t keyLength, int uid, int flags,
219                               KeyCharacteristics* outCharacteristics) = 0;
220 
221     virtual void exportKey(const String16& name, keymaster_key_format_t format,
222                            const keymaster_blob_t* clientId,
223                            const keymaster_blob_t* appData, int32_t uid, ExportResult* result) = 0;
224 
225     virtual void begin(const sp<IBinder>& apptoken, const String16& name,
226                        keymaster_purpose_t purpose, bool pruneable,
227                        const KeymasterArguments& params, const uint8_t* entropy,
228                        size_t entropyLength, int32_t uid, OperationResult* result) = 0;
229 
230     virtual void update(const sp<IBinder>& token, const KeymasterArguments& params,
231                         const uint8_t* data, size_t dataLength, OperationResult* result) = 0;
232 
233     virtual void finish(const sp<IBinder>& token, const KeymasterArguments& params,
234                         const uint8_t* signature, size_t signatureLength,
235                         const uint8_t* entropy, size_t entropyLength,
236                         OperationResult* result) = 0;
237 
238     virtual int32_t abort(const sp<IBinder>& handle) = 0;
239 
240     virtual bool isOperationAuthorized(const sp<IBinder>& handle) = 0;
241 
242     virtual int32_t addAuthToken(const uint8_t* token, size_t length) = 0;
243 
244     virtual int32_t onUserAdded(int32_t userId, int32_t parentId) = 0;
245 
246     virtual int32_t onUserRemoved(int32_t userId) = 0;
247 
248     virtual int32_t attestKey(const String16& name, const KeymasterArguments& params,
249                               KeymasterCertificateChain* outChain) = 0;
250 
251 };
252 
253 // ----------------------------------------------------------------------------
254 
255 class BnKeystoreService: public BnInterface<IKeystoreService> {
256 public:
257     virtual status_t onTransact(uint32_t code, const Parcel& data, Parcel* reply,
258             uint32_t flags = 0);
259 };
260 
261 } // namespace android
262 
263 #endif
264