1 /* 2 * Copyright (C) 2016 The Android Open Source Project 3 * 4 * Licensed under the Apache License, Version 2.0 (the "License"); 5 * you may not use this file except in compliance with the License. 6 * You may obtain a copy of the License at 7 * 8 * http://www.apache.org/licenses/LICENSE-2.0 9 * 10 * Unless required by applicable law or agreed to in writing, software 11 * distributed under the License is distributed on an "AS IS" BASIS, 12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 * See the License for the specific language governing permissions and 14 * limitations under the License. 15 */ 16 17 #ifndef KEYSTORE_KEYSTORE_SERVICE_H_ 18 #define KEYSTORE_KEYSTORE_SERVICE_H_ 19 20 #include <keystore/IKeystoreService.h> 21 22 #include <keystore/authorization_set.h> 23 24 #include "auth_token_table.h" 25 #include "keystore.h" 26 #include "keystore_keymaster_enforcement.h" 27 #include "operation.h" 28 #include "permissions.h" 29 30 namespace keystore { 31 32 class KeyStoreService : public android::BnKeystoreService, public android::IBinder::DeathRecipient { 33 typedef ::android::sp<::android::hardware::keymaster::V3_0::IKeymasterDevice> km_device_t; 34 35 public: KeyStoreService(KeyStore * keyStore)36 explicit KeyStoreService(KeyStore* keyStore) : mKeyStore(keyStore), mOperationMap(this) {} 37 38 void binderDied(const android::wp<android::IBinder>& who); 39 40 KeyStoreServiceReturnCode getState(int32_t userId) override; 41 42 KeyStoreServiceReturnCode get(const android::String16& name, int32_t uid, 43 hidl_vec<uint8_t>* item) override; 44 KeyStoreServiceReturnCode insert(const android::String16& name, const hidl_vec<uint8_t>& item, 45 int targetUid, int32_t flags) override; 46 KeyStoreServiceReturnCode del(const android::String16& name, int targetUid) override; 47 KeyStoreServiceReturnCode exist(const android::String16& name, int targetUid) override; 48 KeyStoreServiceReturnCode list(const android::String16& prefix, int targetUid, 49 android::Vector<android::String16>* matches) override; 50 51 KeyStoreServiceReturnCode reset() override; 52 53 KeyStoreServiceReturnCode onUserPasswordChanged(int32_t userId, 54 const android::String16& password) override; 55 KeyStoreServiceReturnCode onUserAdded(int32_t userId, int32_t parentId) override; 56 KeyStoreServiceReturnCode onUserRemoved(int32_t userId) override; 57 58 KeyStoreServiceReturnCode lock(int32_t userId) override; 59 KeyStoreServiceReturnCode unlock(int32_t userId, const android::String16& pw) override; 60 61 bool isEmpty(int32_t userId) override; 62 63 KeyStoreServiceReturnCode 64 generate(const android::String16& name, int32_t targetUid, int32_t keyType, int32_t keySize, 65 int32_t flags, android::Vector<android::sp<android::KeystoreArg>>* args) override; 66 KeyStoreServiceReturnCode import(const android::String16& name, const hidl_vec<uint8_t>& data, 67 int targetUid, int32_t flags) override; 68 KeyStoreServiceReturnCode sign(const android::String16& name, const hidl_vec<uint8_t>& data, 69 hidl_vec<uint8_t>* out) override; 70 KeyStoreServiceReturnCode verify(const android::String16& name, const hidl_vec<uint8_t>& data, 71 const hidl_vec<uint8_t>& signature) override; 72 73 /* 74 * TODO: The abstraction between things stored in hardware and regular blobs 75 * of data stored on the filesystem should be moved down to keystore itself. 76 * Unfortunately the Java code that calls this has naming conventions that it 77 * knows about. Ideally keystore shouldn't be used to store random blobs of 78 * data. 79 * 80 * Until that happens, it's necessary to have a separate "get_pubkey" and 81 * "del_key" since the Java code doesn't really communicate what it's 82 * intentions are. 83 */ 84 KeyStoreServiceReturnCode get_pubkey(const android::String16& name, 85 hidl_vec<uint8_t>* pubKey) override; 86 87 KeyStoreServiceReturnCode grant(const android::String16& name, int32_t granteeUid) override; 88 KeyStoreServiceReturnCode ungrant(const android::String16& name, int32_t granteeUid) override; 89 90 int64_t getmtime(const android::String16& name, int32_t uid) override; 91 92 KeyStoreServiceReturnCode duplicate(const android::String16& srcKey, int32_t srcUid, 93 const android::String16& destKey, int32_t destUid) override; 94 95 int32_t is_hardware_backed(const android::String16& keyType) override; 96 97 KeyStoreServiceReturnCode clear_uid(int64_t targetUid64) override; 98 99 KeyStoreServiceReturnCode addRngEntropy(const hidl_vec<uint8_t>& entropy) override; 100 KeyStoreServiceReturnCode generateKey(const android::String16& name, 101 const hidl_vec<KeyParameter>& params, 102 const hidl_vec<uint8_t>& entropy, int uid, int flags, 103 KeyCharacteristics* outCharacteristics) override; 104 KeyStoreServiceReturnCode 105 getKeyCharacteristics(const android::String16& name, const hidl_vec<uint8_t>& clientId, 106 const hidl_vec<uint8_t>& appData, int32_t uid, 107 KeyCharacteristics* outCharacteristics) override; 108 KeyStoreServiceReturnCode importKey(const android::String16& name, 109 const hidl_vec<KeyParameter>& params, KeyFormat format, 110 const hidl_vec<uint8_t>& keyData, int uid, int flags, 111 KeyCharacteristics* outCharacteristics) override; 112 void exportKey(const android::String16& name, KeyFormat format, 113 const hidl_vec<uint8_t>& clientId, const hidl_vec<uint8_t>& appData, int32_t uid, 114 android::ExportResult* result) override; 115 void begin(const sp<android::IBinder>& appToken, const android::String16& name, 116 KeyPurpose purpose, bool pruneable, const hidl_vec<KeyParameter>& params, 117 const hidl_vec<uint8_t>& entropy, int32_t uid, 118 android::OperationResult* result) override; 119 void update(const sp<android::IBinder>& token, const hidl_vec<KeyParameter>& params, 120 const hidl_vec<uint8_t>& data, android::OperationResult* result) override; 121 void finish(const sp<android::IBinder>& token, const hidl_vec<KeyParameter>& params, 122 const hidl_vec<uint8_t>& signature, const hidl_vec<uint8_t>& entropy, 123 android::OperationResult* result) override; 124 KeyStoreServiceReturnCode abort(const sp<android::IBinder>& token) override; 125 126 bool isOperationAuthorized(const sp<android::IBinder>& token) override; 127 128 KeyStoreServiceReturnCode addAuthToken(const uint8_t* token, size_t length) override; 129 130 KeyStoreServiceReturnCode attestKey(const android::String16& name, 131 const hidl_vec<KeyParameter>& params, 132 hidl_vec<hidl_vec<uint8_t>>* outChain) override; 133 134 KeyStoreServiceReturnCode attestDeviceIds(const hidl_vec<KeyParameter>& params, 135 hidl_vec<hidl_vec<uint8_t>>* outChain) override; 136 137 KeyStoreServiceReturnCode onDeviceOffBody() override; 138 139 private: 140 static const int32_t UID_SELF = -1; 141 142 /** 143 * Prune the oldest pruneable operation. 144 */ 145 bool pruneOperation(); 146 147 /** 148 * Get the effective target uid for a binder operation that takes an 149 * optional uid as the target. 150 */ 151 uid_t getEffectiveUid(int32_t targetUid); 152 153 /** 154 * Check if the caller of the current binder method has the required 155 * permission and if acting on other uids the grants to do so. 156 */ 157 bool checkBinderPermission(perm_t permission, int32_t targetUid = UID_SELF); 158 159 /** 160 * Check if the caller of the current binder method has the required 161 * permission and the target uid is the caller or the caller is system. 162 */ 163 bool checkBinderPermissionSelfOrSystem(perm_t permission, int32_t targetUid); 164 165 /** 166 * Check if the caller of the current binder method has the required 167 * permission or the target of the operation is the caller's uid. This is 168 * for operation where the permission is only for cross-uid activity and all 169 * uids are allowed to act on their own (ie: clearing all entries for a 170 * given uid). 171 */ 172 bool checkBinderPermissionOrSelfTarget(perm_t permission, int32_t targetUid); 173 174 /** 175 * Helper method to check that the caller has the required permission as 176 * well as the keystore is in the unlocked state if checkUnlocked is true. 177 * 178 * Returns NO_ERROR on success, PERMISSION_DENIED on a permission error and 179 * otherwise the state of keystore when not unlocked and checkUnlocked is 180 * true. 181 */ 182 KeyStoreServiceReturnCode checkBinderPermissionAndKeystoreState(perm_t permission, 183 int32_t targetUid = -1, 184 bool checkUnlocked = true); 185 186 bool isKeystoreUnlocked(State state); 187 188 /** 189 * Check that all keymaster_key_param_t's provided by the application are 190 * allowed. Any parameter that keystore adds itself should be disallowed here. 191 */ 192 bool checkAllowedOperationParams(const hidl_vec<KeyParameter>& params); 193 194 ErrorCode getOperationCharacteristics(const hidl_vec<uint8_t>& key, km_device_t* dev, 195 const AuthorizationSet& params, KeyCharacteristics* out); 196 197 /** 198 * Get the auth token for this operation from the auth token table. 199 * 200 * Returns ::NO_ERROR if the auth token was set or none was required. 201 * ::OP_AUTH_NEEDED if it is a per op authorization, no 202 * authorization token exists for that operation and 203 * failOnTokenMissing is false. 204 * KM_ERROR_KEY_USER_NOT_AUTHENTICATED if there is no valid auth 205 * token for the operation 206 */ 207 KeyStoreServiceReturnCode getAuthToken(const KeyCharacteristics& characteristics, 208 uint64_t handle, KeyPurpose purpose, 209 const HardwareAuthToken** authToken, 210 bool failOnTokenMissing = true); 211 212 /** 213 * Add the auth token for the operation to the param list if the operation 214 * requires authorization. Uses the cached result in the OperationMap if available 215 * otherwise gets the token from the AuthTokenTable and caches the result. 216 * 217 * Returns ::NO_ERROR if the auth token was added or not needed. 218 * KM_ERROR_KEY_USER_NOT_AUTHENTICATED if the operation is not 219 * authenticated. 220 * KM_ERROR_INVALID_OPERATION_HANDLE if token is not a valid 221 * operation token. 222 */ 223 KeyStoreServiceReturnCode addOperationAuthTokenIfNeeded(const sp<android::IBinder>& token, 224 AuthorizationSet* params); 225 226 /** 227 * Translate a result value to a legacy return value. All keystore errors are 228 * preserved and keymaster errors become SYSTEM_ERRORs 229 */ 230 KeyStoreServiceReturnCode translateResultToLegacyResult(int32_t result); 231 232 void addLegacyBeginParams(const android::String16& name, AuthorizationSet* params); 233 234 KeyStoreServiceReturnCode doLegacySignVerify(const android::String16& name, 235 const hidl_vec<uint8_t>& data, 236 hidl_vec<uint8_t>* out, 237 const hidl_vec<uint8_t>& signature, 238 KeyPurpose purpose); 239 240 /** 241 * Upgrade a key blob under alias "name", returning the new blob in "blob". If "blob" 242 * previously contained data, it will be overwritten. 243 * 244 * Returns ::NO_ERROR if the key was upgraded successfully. 245 * KM_ERROR_VERSION_MISMATCH if called on a key whose patch level is greater than or 246 * equal to the current system patch level. 247 */ 248 KeyStoreServiceReturnCode upgradeKeyBlob(const android::String16& name, uid_t targetUid, 249 const AuthorizationSet& params, Blob* blob); 250 251 ::KeyStore* mKeyStore; 252 OperationMap mOperationMap; 253 keystore::AuthTokenTable mAuthTokenTable; 254 KeystoreKeymasterEnforcement enforcement_policy; 255 }; 256 257 }; // namespace keystore 258 259 #endif // KEYSTORE_KEYSTORE_SERVICE_H_ 260