1 /******************************************************************************
2 *
3 * Copyright 2019 Google, Inc.
4 *
5 * Licensed under the Apache License, Version 2.0 (the "License");
6 * you may not use this file except in compliance with the License.
7 * You may obtain a copy of the License at:
8 *
9 * http://www.apache.org/licenses/LICENSE-2.0
10 *
11 * Unless required by applicable law or agreed to in writing, software
12 * distributed under the License is distributed on an "AS IS" BASIS,
13 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 * See the License for the specific language governing permissions and
15 * limitations under the License.
16 *
17 ******************************************************************************/
18
19 #include "btif_keystore.h"
20
21 #include <base/files/file_util.h>
22 #include <base/logging.h>
23 #include <base/strings/string_number_conversions.h>
24 #include <base/strings/string_split.h>
25 #include <base/strings/string_util.h>
26 #include <base/strings/utf_string_conversions.h>
27 #include <sys/stat.h>
28
29 using namespace keystore;
30 using namespace bluetooth;
31
// Keystore alias used by every call in this file: the existence check, key
// generation from Encrypt(), and the authenticated encrypt/decrypt calls.
constexpr char kKeyStore[]{"AndroidKeystore"};
33
34 namespace bluetooth {
35
// Binds this wrapper to an existing keystore client.
//
// The pointer is stored as given and is not checked for null here. Every
// method in this file dereferences keystore_client_ unconditionally, so a
// null client would fault on first use.
// NOTE(review): the member is declared in btif_keystore.h, so whether this
// class takes ownership of |keystore_client| cannot be told from this file.
BtifKeystore::BtifKeystore(keystore::KeystoreClient* keystore_client)
    : keystore_client_{keystore_client} {}
38
// Encrypts |data| through the keystore client under the kKeyStore alias,
// generating the key first when the client reports it does not exist.
//
// Returns the client's output on success and an empty string when |data| is
// empty. Key-generation and encryption failures are logged at FATAL; the
// return paths after those logs matter only if FATAL logging does not
// terminate the process (presumably it aborts; confirm for this build).
//
// |flags| is forwarded to encryptWithAuthentication only. The key itself is
// always generated with flags 0 and auth_bound == false, i.e. not gated on
// user authentication.
//
// The whole call is serialised by api_mutex_, so the exists-then-generate
// sequence is atomic with respect to other Encrypt/Decrypt calls on this
// object (not with respect to other keystore users).
// NOTE(review): an empty string is the only failure signal a caller gets;
// callers should treat it as "not encrypted" rather than persisting it.
std::string BtifKeystore::Encrypt(const std::string& data, int32_t flags) {
  std::lock_guard<std::mutex> guard(api_mutex_);
  std::string ciphertext;

  // Nothing to protect: report it and hand back the empty result.
  if (data.empty()) {
    LOG(ERROR) << __func__ << ": empty data";
    return ciphertext;
  }

  // Lazily create the key on first use.
  const auto key_present = keystore_client_->doesKeyExist(kKeyStore);
  if (!key_present) {
    auto status = GenerateKey(kKeyStore, 0, false);
    if (!status.isOk()) {
      LOG(FATAL) << "EncryptWithAuthentication Failed: generateKey response="
                 << status;
      return ciphertext;
    }
  }

  const auto encrypted = keystore_client_->encryptWithAuthentication(
      kKeyStore, data, flags, &ciphertext);
  if (!encrypted) {
    LOG(FATAL) << "EncryptWithAuthentication failed.";
  }
  // On the failure path this is whatever the client left in the buffer.
  return ciphertext;
}
61
// Decrypts |input| through the keystore client under the kKeyStore alias.
//
// Returns the client's output, or an empty string when |input| is empty.
// A failed decryptWithAuthentication call is logged at FATAL. That covers
// any input the client rejects, so a corrupted or modified blob results in a
// FATAL log (presumably a process abort; confirm for this build) rather than
// an error the caller can handle.
// NOTE(review): unlike Encrypt(), this never creates the key. A missing key
// is expected to surface as a decrypt failure; verify against the client.
//
// Serialised with Encrypt() by api_mutex_.
std::string BtifKeystore::Decrypt(const std::string& input) {
  std::lock_guard<std::mutex> guard(api_mutex_);

  if (input.empty()) {
    LOG(ERROR) << __func__ << ": empty input data";
    return std::string();
  }

  std::string plaintext;
  const auto decrypted =
      keystore_client_->decryptWithAuthentication(kKeyStore, input, &plaintext);
  if (!decrypted) {
    LOG(FATAL) << "DecryptWithAuthentication failed.\n";
  }
  // Reached after a failure only if FATAL logging does not terminate.
  return plaintext;
}
74
75 // Note: auth_bound keys created with this tool will not be usable.
// Asks the keystore client to generate a key called |name|.
//
// Requested parameters: a 2048-bit RSA signing key with public exponent
// 65537, digests SHA-2 224/256/384/512, and paddings PKCS#1 v1.5 (sign) and
// PSS. |flags| is passed through to the client unchanged.
//
// |auth_bound| selects the authorization tag:
//   false -> TAG_NO_AUTH_REQUIRED, so key use is not tied to user
//            authentication.
//   true  -> TAG_USER_SECURE_ID with value 0, which lets the key be created
//            but leaves it unusable.
//
// Returns the client's generateKey result code. This function does not take
// api_mutex_ itself; Encrypt() calls it while already holding the lock.
//
// NOTE(review): the hardware- and software-enforced characteristic sets are
// passed as out-parameters and then discarded, so nothing here confirms
// which properties of the key ended up hardware-enforced.
// NOTE(review): the parameters describe a signing key, while Encrypt() and
// Decrypt() pass the same name to encryptWithAuthentication /
// decryptWithAuthentication. How the client maps that name to the keys it
// actually encrypts with is not visible in this file; confirm.
KeyStoreNativeReturnCode BtifKeystore::GenerateKey(const std::string& name,
                                                   int32_t flags,
                                                   bool auth_bound) {
  AuthorizationSetBuilder key_params;
  key_params.RsaSigningKey(2048, 65537)
      .Digest(Digest::SHA_2_224)
      .Digest(Digest::SHA_2_256)
      .Digest(Digest::SHA_2_384)
      .Digest(Digest::SHA_2_512)
      .Padding(PaddingMode::RSA_PKCS1_1_5_SIGN)
      .Padding(PaddingMode::RSA_PSS);

  if (!auth_bound) {
    key_params.Authorization(TAG_NO_AUTH_REQUIRED);
  } else {
    // Gatekeeper normally generates the secure user id.
    // Using zero allows the key to be created, but it will not be usable.
    key_params.Authorization(TAG_USER_SECURE_ID, 0);
  }

  // Required out-parameters of generateKey; their contents are not used.
  AuthorizationSet hw_enforced;
  AuthorizationSet sw_enforced;
  return keystore_client_->generateKey(name, key_params, flags, &hw_enforced,
                                       &sw_enforced);
}
100
// Reports whether the keystore client has an entry under the kKeyStore alias.
//
// NOTE(review): unlike Encrypt() and Decrypt(), this does not take
// api_mutex_. Confirm the client call is safe to run concurrently with them.
// The answer is only a snapshot: Encrypt() may create the key right after
// this returns false.
bool BtifKeystore::DoesKeyExist() {
  const bool key_present = keystore_client_->doesKeyExist(kKeyStore);
  return key_present;
}
104
105 } // namespace bluetooth
106