• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 /*
2  * Copyright (C) 2016 The Android Open Source Project
3  *
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at
7  *
8  *      http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */
16 
17 #ifndef KEYSTORE_KEYSTORE_H_
18 #define KEYSTORE_KEYSTORE_H_
19 
20 #include "user_state.h"
21 
22 #include <hardware/keymaster2.h>
23 
24 #include <utils/Vector.h>
25 
26 #include "blob.h"
27 
28 typedef struct {
29     uint32_t uid;
30     const uint8_t* filename;
31 } grant_t;
32 
33 class KeyStore {
34   public:
35     KeyStore(Entropy* entropy, keymaster2_device_t* device, keymaster2_device_t* fallback);
36     ~KeyStore();
37 
getDevice()38     keymaster2_device_t* getDevice() const { return mDevice; }
39 
getFallbackDevice()40     keymaster2_device_t* getFallbackDevice() const { return mFallbackDevice; }
41 
getDeviceForBlob(const Blob & blob)42     keymaster2_device_t* getDeviceForBlob(const Blob& blob) const {
43         return blob.isFallback() ? mFallbackDevice : mDevice;
44     }
45 
46     ResponseCode initialize();
47 
getState(uid_t userId)48     State getState(uid_t userId) { return getUserState(userId)->getState(); }
49 
50     ResponseCode initializeUser(const android::String8& pw, uid_t userId);
51 
52     ResponseCode copyMasterKey(uid_t srcUser, uid_t dstUser);
53     ResponseCode writeMasterKey(const android::String8& pw, uid_t userId);
54     ResponseCode readMasterKey(const android::String8& pw, uid_t userId);
55 
56     android::String8 getKeyName(const android::String8& keyName, const BlobType type);
57     android::String8 getKeyNameForUid(const android::String8& keyName, uid_t uid,
58                                       const BlobType type);
59     android::String8 getKeyNameForUidWithDir(const android::String8& keyName, uid_t uid,
60                                              const BlobType type);
61 
62     /*
63      * Delete entries owned by userId. If keepUnencryptedEntries is true
64      * then only encrypted entries will be removed, otherwise all entries will
65      * be removed.
66      */
67     void resetUser(uid_t userId, bool keepUnenryptedEntries);
68     bool isEmpty(uid_t userId) const;
69 
70     void lock(uid_t userId);
71 
72     ResponseCode get(const char* filename, Blob* keyBlob, const BlobType type, uid_t userId);
73     ResponseCode put(const char* filename, Blob* keyBlob, uid_t userId);
74     ResponseCode del(const char* filename, const BlobType type, uid_t userId);
75     ResponseCode list(const android::String8& prefix, android::Vector<android::String16>* matches,
76                       uid_t userId);
77 
78     void addGrant(const char* filename, uid_t granteeUid);
79     bool removeGrant(const char* filename, uid_t granteeUid);
hasGrant(const char * filename,const uid_t uid)80     bool hasGrant(const char* filename, const uid_t uid) const {
81         return getGrant(filename, uid) != NULL;
82     }
83 
84     ResponseCode importKey(const uint8_t* key, size_t keyLen, const char* filename, uid_t userId,
85                            int32_t flags);
86 
87     bool isHardwareBacked(const android::String16& keyType) const;
88 
89     ResponseCode getKeyForName(Blob* keyBlob, const android::String8& keyName, const uid_t uid,
90                                const BlobType type);
91 
92     /**
93      * Returns any existing UserState or creates it if it doesn't exist.
94      */
95     UserState* getUserState(uid_t userId);
96 
97     /**
98      * Returns any existing UserState or creates it if it doesn't exist.
99      */
100     UserState* getUserStateByUid(uid_t uid);
101 
102     /**
103      * Returns NULL if the UserState doesn't already exist.
104      */
105     const UserState* getUserState(uid_t userId) const;
106 
107     /**
108      * Returns NULL if the UserState doesn't already exist.
109      */
110     const UserState* getUserStateByUid(uid_t uid) const;
111 
112   private:
113     static const char* sOldMasterKey;
114     static const char* sMetaDataFile;
115     static const android::String16 sRSAKeyType;
116     Entropy* mEntropy;
117 
118     keymaster2_device_t* mDevice;
119     keymaster2_device_t* mFallbackDevice;
120 
121     android::Vector<UserState*> mMasterKeys;
122 
123     android::Vector<grant_t*> mGrants;
124 
125     typedef struct { uint32_t version; } keystore_metadata_t;
126 
127     keystore_metadata_t mMetaData;
128 
129     const grant_t* getGrant(const char* filename, uid_t uid) const;
130 
131     /**
132      * Upgrade the key from the current version to whatever is newest.
133      */
134     bool upgradeBlob(const char* filename, Blob* blob, const uint8_t oldVersion,
135                      const BlobType type, uid_t uid);
136 
137     /**
138      * Takes a blob that is an PEM-encoded RSA key as a byte array and converts it to a DER-encoded
139      * PKCS#8 for import into a keymaster.  Then it overwrites the original blob with the new blob
140      * format that is returned from the keymaster.
141      */
142     ResponseCode importBlobAsKey(Blob* blob, const char* filename, uid_t uid);
143 
144     void readMetaData();
145     void writeMetaData();
146 
147     bool upgradeKeystore();
148 };
149 
150 #endif  // KEYSTORE_KEYSTORE_H_
151