1 /* 2 * Copyright (C) 2016 The Android Open Source Project 3 * 4 * Licensed under the Apache License, Version 2.0 (the "License"); 5 * you may not use this file except in compliance with the License. 6 * You may obtain a copy of the License at 7 * 8 * http://www.apache.org/licenses/LICENSE-2.0 9 * 10 * Unless required by applicable law or agreed to in writing, software 11 * distributed under the License is distributed on an "AS IS" BASIS, 12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 * See the License for the specific language governing permissions and 14 * limitations under the License. 15 */ 16 17 #ifndef KEYSTORE_KEYSTORE_SERVICE_H_ 18 #define KEYSTORE_KEYSTORE_SERVICE_H_ 19 20 #include <android/security/keystore/BnKeystoreService.h> 21 22 #include "auth_token_table.h" 23 #include "confirmation_manager.h" 24 25 #include "KeyStore.h" 26 #include "keystore_keymaster_enforcement.h" 27 #include "operation.h" 28 #include "permissions.h" 29 30 #include <keystore/ExportResult.h> 31 #include <keystore/KeyCharacteristics.h> 32 #include <keystore/KeymasterArguments.h> 33 #include <keystore/KeymasterBlob.h> 34 #include <keystore/KeymasterCertificateChain.h> 35 #include <keystore/OperationResult.h> 36 #include <keystore/keystore_return_types.h> 37 38 #include <mutex> 39 40 namespace keystore { 41 42 // Class provides implementation for generated BnKeystoreService.h based on 43 // gen/aidl/android/security/BnKeystoreService.h generated from 44 // java/android/security/IKeystoreService.aidl Note that all generated methods return binder::Status 45 // and use last arguments to send actual result to the caller. Private methods don't need to handle 46 // binder::Status. Input parameters cannot be null unless annotated with @nullable in .aidl file. 47 class KeyStoreService : public android::security::keystore::BnKeystoreService { 48 public: KeyStoreService(sp<KeyStore> keyStore)49 explicit KeyStoreService(sp<KeyStore> keyStore) : mKeyStore(keyStore) {} 50 virtual ~KeyStoreService() = default; 51 52 void binderDied(const android::wp<android::IBinder>& who); 53 54 ::android::binder::Status getState(int32_t userId, int32_t* _aidl_return) override; 55 ::android::binder::Status get(const ::android::String16& name, int32_t uid, 56 ::std::vector<uint8_t>* _aidl_return) override; 57 ::android::binder::Status insert(const ::android::String16& name, 58 const ::std::vector<uint8_t>& item, int32_t uid, int32_t flags, 59 int32_t* _aidl_return) override; 60 ::android::binder::Status del(const ::android::String16& name, int32_t uid, 61 int32_t* _aidl_return) override; 62 ::android::binder::Status exist(const ::android::String16& name, int32_t uid, 63 int32_t* _aidl_return) override; 64 ::android::binder::Status list(const ::android::String16& namePrefix, int32_t uid, 65 ::std::vector<::android::String16>* _aidl_return) override; 66 ::android::binder::Status listUidsOfAuthBoundKeys(std::vector<::std::string>* uids, 67 int32_t* _aidl_return) override; 68 69 ::android::binder::Status reset(int32_t* _aidl_return) override; 70 ::android::binder::Status onUserPasswordChanged(int32_t userId, 71 const ::android::String16& newPassword, 72 int32_t* _aidl_return) override; 73 ::android::binder::Status lock(int32_t userId, int32_t* _aidl_return) override; 74 ::android::binder::Status unlock(int32_t userId, const ::android::String16& userPassword, 75 int32_t* _aidl_return) override; 76 ::android::binder::Status isEmpty(int32_t userId, int32_t* _aidl_return) override; 77 ::android::binder::Status grant(const ::android::String16& name, int32_t granteeUid, 78 ::android::String16* _aidl_return) override; 79 ::android::binder::Status ungrant(const ::android::String16& name, int32_t granteeUid, 80 int32_t* _aidl_return) override; 81 ::android::binder::Status getmtime(const ::android::String16& name, int32_t uid, 82 int64_t* _aidl_return) override; 83 ::android::binder::Status is_hardware_backed(const ::android::String16& string, 84 int32_t* _aidl_return) override; 85 ::android::binder::Status clear_uid(int64_t uid, int32_t* _aidl_return) override; 86 ::android::binder::Status 87 addRngEntropy(const ::android::sp<::android::security::keystore::IKeystoreResponseCallback>& cb, 88 const ::std::vector<uint8_t>& data, int32_t flags, 89 int32_t* _aidl_return) override; 90 ::android::binder::Status generateKey( 91 const ::android::sp<::android::security::keystore::IKeystoreKeyCharacteristicsCallback>& cb, 92 const ::android::String16& alias, 93 const ::android::security::keymaster::KeymasterArguments& arguments, 94 const ::std::vector<uint8_t>& entropy, int32_t uid, int32_t flags, 95 int32_t* _aidl_return) override; 96 ::android::binder::Status getKeyCharacteristics( 97 const ::android::sp<::android::security::keystore::IKeystoreKeyCharacteristicsCallback>& cb, 98 const ::android::String16& alias, 99 const ::android::security::keymaster::KeymasterBlob& clientId, 100 const ::android::security::keymaster::KeymasterBlob& appId, int32_t uid, 101 int32_t* _aidl_return) override; 102 ::android::binder::Status importKey( 103 const ::android::sp<::android::security::keystore::IKeystoreKeyCharacteristicsCallback>& cb, 104 const ::android::String16& alias, 105 const ::android::security::keymaster::KeymasterArguments& arguments, int32_t format, 106 const ::std::vector<uint8_t>& keyData, int32_t uid, int32_t flags, 107 int32_t* _aidl_return) override; 108 ::android::binder::Status 109 exportKey(const ::android::sp<::android::security::keystore::IKeystoreExportKeyCallback>& cb, 110 const ::android::String16& alias, int32_t format, 111 const ::android::security::keymaster::KeymasterBlob& clientId, 112 const ::android::security::keymaster::KeymasterBlob& appId, int32_t uid, 113 int32_t* _aidl_return) override; 114 ::android::binder::Status 115 begin(const ::android::sp<::android::security::keystore::IKeystoreOperationResultCallback>& cb, 116 const ::android::sp<::android::IBinder>& appToken, const ::android::String16& alias, 117 int32_t purpose, bool pruneable, 118 const ::android::security::keymaster::KeymasterArguments& params, 119 const ::std::vector<uint8_t>& entropy, int32_t uid, int32_t* _aidl_return) override; 120 ::android::binder::Status 121 update(const ::android::sp<::android::security::keystore::IKeystoreOperationResultCallback>& cb, 122 const ::android::sp<::android::IBinder>& token, 123 const ::android::security::keymaster::KeymasterArguments& params, 124 const ::std::vector<uint8_t>& input, int32_t* _aidl_return) override; 125 ::android::binder::Status 126 finish(const ::android::sp<::android::security::keystore::IKeystoreOperationResultCallback>& cb, 127 const ::android::sp<::android::IBinder>& token, 128 const ::android::security::keymaster::KeymasterArguments& params, 129 const ::std::vector<uint8_t>& signature, const ::std::vector<uint8_t>& entropy, 130 int32_t* _aidl_return) override; 131 ::android::binder::Status 132 abort(const ::android::sp<::android::security::keystore::IKeystoreResponseCallback>& cb, 133 const ::android::sp<::android::IBinder>& token, int32_t* _aidl_return) override; 134 ::android::binder::Status addAuthToken(const ::std::vector<uint8_t>& authToken, 135 int32_t* _aidl_return) override; 136 ::android::binder::Status onUserAdded(int32_t userId, int32_t parentId, 137 int32_t* _aidl_return) override; 138 ::android::binder::Status onUserRemoved(int32_t userId, int32_t* _aidl_return) override; 139 ::android::binder::Status attestKey( 140 const ::android::sp<::android::security::keystore::IKeystoreCertificateChainCallback>& cb, 141 const ::android::String16& alias, 142 const ::android::security::keymaster::KeymasterArguments& params, 143 int32_t* _aidl_return) override; 144 ::android::binder::Status attestDeviceIds( 145 const ::android::sp<::android::security::keystore::IKeystoreCertificateChainCallback>& cb, 146 const ::android::security::keymaster::KeymasterArguments& params, 147 int32_t* _aidl_return) override; 148 ::android::binder::Status onDeviceOffBody(int32_t* _aidl_return) override; 149 150 ::android::binder::Status importWrappedKey( 151 const ::android::sp<::android::security::keystore::IKeystoreKeyCharacteristicsCallback>& cb, 152 const ::android::String16& wrappedKeyAlias, const ::std::vector<uint8_t>& wrappedKey, 153 const ::android::String16& wrappingKeyAlias, const ::std::vector<uint8_t>& maskingKey, 154 const ::android::security::keymaster::KeymasterArguments& params, int64_t rootSid, 155 int64_t fingerprintSid, int32_t* _aidl_return) override; 156 157 ::android::binder::Status presentConfirmationPrompt( 158 const ::android::sp<::android::IBinder>& listener, const ::android::String16& promptText, 159 const ::std::vector<uint8_t>& extraData, const ::android::String16& locale, 160 int32_t uiOptionsAsFlags, int32_t* _aidl_return) override; 161 ::android::binder::Status 162 cancelConfirmationPrompt(const ::android::sp<::android::IBinder>& listener, 163 int32_t* _aidl_return) override; 164 ::android::binder::Status isConfirmationPromptSupported(bool* _aidl_return) override; 165 166 ::android::binder::Status onKeyguardVisibilityChanged(bool isShowing, int32_t userId, 167 int32_t* _aidl_return) override; 168 169 private: 170 static const int32_t UID_SELF = -1; 171 172 /** 173 * Get the effective target uid for a binder operation that takes an 174 * optional uid as the target. 175 */ 176 uid_t getEffectiveUid(int32_t targetUid); 177 178 /** 179 * Check if the caller of the current binder method has the required 180 * permission and if acting on other uids the grants to do so. 181 */ 182 bool checkBinderPermission(perm_t permission, int32_t targetUid = UID_SELF); 183 184 /** 185 * Check if the caller of the current binder method has the required 186 * permission and the target uid is the caller or the caller is system. 187 */ 188 bool checkBinderPermissionSelfOrSystem(perm_t permission, int32_t targetUid); 189 190 /** 191 * Check if the caller of the current binder method has the required 192 * permission or the target of the operation is the caller's uid. This is 193 * for operation where the permission is only for cross-uid activity and all 194 * uids are allowed to act on their own (ie: clearing all entries for a 195 * given uid). 196 */ 197 bool checkBinderPermissionOrSelfTarget(perm_t permission, int32_t targetUid); 198 199 /** 200 * Helper method to check that the caller has the required permission as 201 * well as the keystore is in the unlocked state if checkUnlocked is true. 202 * 203 * Returns NO_ERROR on success, PERMISSION_DENIED on a permission error and 204 * otherwise the state of keystore when not unlocked and checkUnlocked is 205 * true. 206 */ 207 KeyStoreServiceReturnCode checkBinderPermissionAndKeystoreState(perm_t permission, 208 int32_t targetUid = -1, 209 bool checkUnlocked = true); 210 211 bool isKeystoreUnlocked(State state); 212 213 /** 214 * Check that all keymaster_key_param_t's provided by the application are 215 * allowed. Any parameter that keystore adds itself should be disallowed here. 216 */ 217 bool checkAllowedOperationParams(const hidl_vec<KeyParameter>& params); 218 219 void addLegacyBeginParams(const android::String16& name, AuthorizationSet* params); 220 221 KeyStoreServiceReturnCode doLegacySignVerify(const android::String16& name, 222 const hidl_vec<uint8_t>& data, 223 hidl_vec<uint8_t>* out, 224 const hidl_vec<uint8_t>& signature, 225 KeyPurpose purpose); 226 227 /** 228 * Adds a Confirmation Token to the key parameters if needed. 229 */ 230 void appendConfirmationTokenIfNeeded(const KeyCharacteristics& keyCharacteristics, 231 std::vector<KeyParameter>* params); 232 233 sp<KeyStore> mKeyStore; 234 235 /** 236 * This mutex locks keystore operations from concurrent execution. 237 * The keystore service has always been conceptually single threaded. Even with the introduction 238 * of keymaster workers, it was assumed that the dispatcher thread executes exclusively on 239 * certain code paths. With the introduction of wifi Keystore service in the keystore process 240 * this assumption no longer holds as the hwbinder thread servicing this interface makes 241 * functions (rather than IPC) calls into keystore. This mutex protects the keystore logic 242 * from concurrent execution. 243 */ 244 std::mutex keystoreServiceMutex_; 245 246 std::mutex operationDeviceMapMutex_; 247 std::map<sp<IBinder>, std::shared_ptr<KeymasterWorker>> operationDeviceMap_; 248 addOperationDevice(sp<IBinder> token,std::shared_ptr<KeymasterWorker> dev)249 void addOperationDevice(sp<IBinder> token, std::shared_ptr<KeymasterWorker> dev) { 250 std::lock_guard<std::mutex> lock(operationDeviceMapMutex_); 251 operationDeviceMap_.emplace(std::move(token), std::move(dev)); 252 } getOperationDevice(const sp<IBinder> & token)253 std::shared_ptr<KeymasterWorker> getOperationDevice(const sp<IBinder>& token) { 254 std::lock_guard<std::mutex> lock(operationDeviceMapMutex_); 255 auto it = operationDeviceMap_.find(token); 256 if (it != operationDeviceMap_.end()) { 257 return it->second; 258 } 259 return {}; 260 } removeOperationDevice(const sp<IBinder> & token)261 void removeOperationDevice(const sp<IBinder>& token) { 262 std::lock_guard<std::mutex> lock(operationDeviceMapMutex_); 263 operationDeviceMap_.erase(token); 264 } 265 }; 266 267 }; // namespace keystore 268 269 #endif // KEYSTORE_KEYSTORE_SERVICE_H_ 270