Home | History | Annotate | Download | only in keystore
      1 /*
      2  * Copyright (C) 2012 The Android Open Source Project
      3  *
      4  * Licensed under the Apache License, Version 2.0 (the "License");
      5  * you may not use this file except in compliance with the License.
      6  * You may obtain a copy of the License at
      7  *
      8  *      http://www.apache.org/licenses/LICENSE-2.0
      9  *
     10  * Unless required by applicable law or agreed to in writing, software
     11  * distributed under the License is distributed on an "AS IS" BASIS,
     12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
     13  * See the License for the specific language governing permissions and
     14  * limitations under the License.
     15  */
     16 
     17 #ifndef KEYSTORE_IKEYSTORESERVICE_H
     18 #define KEYSTORE_IKEYSTORESERVICE_H
     19 
     20 #include <hardware/keymaster_defs.h>
     21 #include <utils/RefBase.h>
     22 #include <binder/IInterface.h>
     23 #include <binder/Parcel.h>
     24 #include <vector>
     25 
     26 namespace android {
     27 
     28 class KeystoreArg : public RefBase {
     29 public:
     30     KeystoreArg(const void *data, size_t len);
     31     ~KeystoreArg();
     32 
     33     const void* data() const;
     34     size_t size() const;
     35 
     36 private:
     37     const void* mData;
     38     size_t mSize;
     39 };
     40 
     41 struct MallocDeleter {
     42     void operator()(uint8_t* p) { free(p); }
     43 };
     44 
     45 // struct for serializing/deserializing a list of keymaster_key_param_t's
     46 struct KeymasterArguments {
     47     KeymasterArguments();
     48     ~KeymasterArguments();
     49     void readFromParcel(const Parcel& in);
     50     void writeToParcel(Parcel* out) const;
     51 
     52     std::vector<keymaster_key_param_t> params;
     53 };
     54 
     55 // struct for serializing the results of begin/update/finish
     56 struct OperationResult {
     57     OperationResult();
     58     ~OperationResult();
     59     void readFromParcel(const Parcel& in);
     60     void writeToParcel(Parcel* out) const;
     61 
     62     int resultCode;
     63     sp<IBinder> token;
     64     keymaster_operation_handle_t handle;
     65     int inputConsumed;
     66     std::unique_ptr<uint8_t[], MallocDeleter> data;
     67     size_t dataLength;
     68     KeymasterArguments outParams;
     69 };
     70 
     71 // struct for serializing the results of export
     72 struct ExportResult {
     73     ExportResult();
     74     ~ExportResult();
     75     void readFromParcel(const Parcel& in);
     76     void writeToParcel(Parcel* out) const;
     77 
     78     int resultCode;
     79     std::unique_ptr<uint8_t[], MallocDeleter> exportData;
     80     size_t dataLength;
     81 };
     82 
     83 // struct for serializing keymaster_key_characteristics_t's
     84 struct KeyCharacteristics {
     85     KeyCharacteristics();
     86     ~KeyCharacteristics();
     87     void readFromParcel(const Parcel& in);
     88     void writeToParcel(Parcel* out) const;
     89 
     90     keymaster_key_characteristics_t characteristics;
     91 };
     92 
     93 // struct for serializing keymaster_cert_chain_t's
     94 struct KeymasterCertificateChain {
     95     KeymasterCertificateChain();
     96     ~KeymasterCertificateChain();
     97     void readFromParcel(const Parcel& in);
     98     void writeToParcel(Parcel* out) const;
     99 
    100     void FreeChain();
    101 
    102     keymaster_cert_chain_t chain;
    103 };
    104 
    105 bool readKeymasterArgumentFromParcel(const Parcel& in, keymaster_key_param_t* out);
    106 void writeKeymasterArgumentToParcel(const keymaster_key_param_t& param, Parcel* out);
    107 
    108 /*
    109  * This must be kept manually in sync with frameworks/base's IKeystoreService.java
    110  */
    111 class IKeystoreService: public IInterface {
    112 public:
    113     enum {
    114         GET_STATE = IBinder::FIRST_CALL_TRANSACTION + 0,
    115         GET = IBinder::FIRST_CALL_TRANSACTION + 1,
    116         INSERT = IBinder::FIRST_CALL_TRANSACTION + 2,
    117         DEL = IBinder::FIRST_CALL_TRANSACTION + 3,
    118         EXIST = IBinder::FIRST_CALL_TRANSACTION + 4,
    119         LIST = IBinder::FIRST_CALL_TRANSACTION + 5,
    120         RESET = IBinder::FIRST_CALL_TRANSACTION + 6,
    121         ON_USER_PASSWORD_CHANGED = IBinder::FIRST_CALL_TRANSACTION + 7,
    122         LOCK = IBinder::FIRST_CALL_TRANSACTION + 8,
    123         UNLOCK = IBinder::FIRST_CALL_TRANSACTION + 9,
    124         IS_EMPTY = IBinder::FIRST_CALL_TRANSACTION + 10,
    125         GENERATE = IBinder::FIRST_CALL_TRANSACTION + 11,
    126         IMPORT = IBinder::FIRST_CALL_TRANSACTION + 12,
    127         SIGN = IBinder::FIRST_CALL_TRANSACTION + 13,
    128         VERIFY = IBinder::FIRST_CALL_TRANSACTION + 14,
    129         GET_PUBKEY = IBinder::FIRST_CALL_TRANSACTION + 15,
    130         GRANT = IBinder::FIRST_CALL_TRANSACTION + 16,
    131         UNGRANT = IBinder::FIRST_CALL_TRANSACTION + 17,
    132         GETMTIME = IBinder::FIRST_CALL_TRANSACTION + 18,
    133         DUPLICATE = IBinder::FIRST_CALL_TRANSACTION + 19,
    134         IS_HARDWARE_BACKED = IBinder::FIRST_CALL_TRANSACTION + 20,
    135         CLEAR_UID = IBinder::FIRST_CALL_TRANSACTION + 21,
    136         ADD_RNG_ENTROPY = IBinder::FIRST_CALL_TRANSACTION + 22,
    137         GENERATE_KEY = IBinder::FIRST_CALL_TRANSACTION + 23,
    138         GET_KEY_CHARACTERISTICS = IBinder::FIRST_CALL_TRANSACTION + 24,
    139         IMPORT_KEY = IBinder::FIRST_CALL_TRANSACTION + 25,
    140         EXPORT_KEY = IBinder::FIRST_CALL_TRANSACTION + 26,
    141         BEGIN = IBinder::FIRST_CALL_TRANSACTION + 27,
    142         UPDATE = IBinder::FIRST_CALL_TRANSACTION + 28,
    143         FINISH = IBinder::FIRST_CALL_TRANSACTION + 29,
    144         ABORT = IBinder::FIRST_CALL_TRANSACTION + 30,
    145         IS_OPERATION_AUTHORIZED = IBinder::FIRST_CALL_TRANSACTION + 31,
    146         ADD_AUTH_TOKEN = IBinder::FIRST_CALL_TRANSACTION + 32,
    147         ON_USER_ADDED = IBinder::FIRST_CALL_TRANSACTION + 33,
    148         ON_USER_REMOVED = IBinder::FIRST_CALL_TRANSACTION + 34,
    149         ATTEST_KEY = IBinder::FIRST_CALL_TRANSACTION + 35,
    150     };
    151 
    152     DECLARE_META_INTERFACE(KeystoreService);
    153 
    154     virtual int32_t getState(int32_t userId) = 0;
    155 
    156     virtual int32_t get(const String16& name, int32_t uid, uint8_t** item, size_t* itemLength) = 0;
    157 
    158     virtual int32_t insert(const String16& name, const uint8_t* item, size_t itemLength, int uid,
    159             int32_t flags) = 0;
    160 
    161     virtual int32_t del(const String16& name, int uid) = 0;
    162 
    163     virtual int32_t exist(const String16& name, int uid) = 0;
    164 
    165     virtual int32_t list(const String16& prefix, int uid, Vector<String16>* matches) = 0;
    166 
    167     virtual int32_t reset() = 0;
    168 
    169     virtual int32_t onUserPasswordChanged(int32_t userId, const String16& newPassword) = 0;
    170 
    171     virtual int32_t lock(int32_t userId) = 0;
    172 
    173     virtual int32_t unlock(int32_t userId, const String16& password) = 0;
    174 
    175     virtual bool isEmpty(int32_t userId) = 0;
    176 
    177     virtual int32_t generate(const String16& name, int32_t uid, int32_t keyType, int32_t keySize,
    178             int32_t flags, Vector<sp<KeystoreArg> >* args) = 0;
    179 
    180     virtual int32_t import(const String16& name, const uint8_t* data, size_t length, int uid,
    181             int32_t flags) = 0;
    182 
    183     virtual int32_t sign(const String16& name, const uint8_t* data, size_t length, uint8_t** out,
    184             size_t* outLength) = 0;
    185 
    186     virtual int32_t verify(const String16& name, const uint8_t* data, size_t dataLength,
    187             const uint8_t* signature, size_t signatureLength) = 0;
    188 
    189     virtual int32_t get_pubkey(const String16& name, uint8_t** pubkey, size_t* pubkeyLength) = 0;
    190 
    191     virtual int32_t grant(const String16& name, int32_t granteeUid) = 0;
    192 
    193     virtual int32_t ungrant(const String16& name, int32_t granteeUid) = 0;
    194 
    195     virtual int64_t getmtime(const String16& name, int32_t uid) = 0;
    196 
    197     virtual int32_t duplicate(const String16& srcKey, int32_t srcUid, const String16& destKey,
    198             int32_t destUid) = 0;
    199 
    200     virtual int32_t is_hardware_backed(const String16& keyType) = 0;
    201 
    202     virtual int32_t clear_uid(int64_t uid) = 0;
    203 
    204     virtual int32_t addRngEntropy(const uint8_t* data, size_t dataLength) = 0;
    205 
    206     virtual int32_t generateKey(const String16& name, const KeymasterArguments& params,
    207                                 const uint8_t* entropy, size_t entropyLength, int uid, int flags,
    208                                 KeyCharacteristics* outCharacteristics) = 0;
    209 
    210     virtual int32_t getKeyCharacteristics(const String16& name,
    211                                           const keymaster_blob_t* clientId,
    212                                           const keymaster_blob_t* appData,
    213                                           int32_t uid,
    214                                           KeyCharacteristics* outCharacteristics) = 0;
    215 
    216     virtual int32_t importKey(const String16& name, const KeymasterArguments&  params,
    217                               keymaster_key_format_t format, const uint8_t *keyData,
    218                               size_t keyLength, int uid, int flags,
    219                               KeyCharacteristics* outCharacteristics) = 0;
    220 
    221     virtual void exportKey(const String16& name, keymaster_key_format_t format,
    222                            const keymaster_blob_t* clientId,
    223                            const keymaster_blob_t* appData, int32_t uid, ExportResult* result) = 0;
    224 
    225     virtual void begin(const sp<IBinder>& apptoken, const String16& name,
    226                        keymaster_purpose_t purpose, bool pruneable,
    227                        const KeymasterArguments& params, const uint8_t* entropy,
    228                        size_t entropyLength, int32_t uid, OperationResult* result) = 0;
    229 
    230     virtual void update(const sp<IBinder>& token, const KeymasterArguments& params,
    231                         const uint8_t* data, size_t dataLength, OperationResult* result) = 0;
    232 
    233     virtual void finish(const sp<IBinder>& token, const KeymasterArguments& params,
    234                         const uint8_t* signature, size_t signatureLength,
    235                         const uint8_t* entropy, size_t entropyLength,
    236                         OperationResult* result) = 0;
    237 
    238     virtual int32_t abort(const sp<IBinder>& handle) = 0;
    239 
    240     virtual bool isOperationAuthorized(const sp<IBinder>& handle) = 0;
    241 
    242     virtual int32_t addAuthToken(const uint8_t* token, size_t length) = 0;
    243 
    244     virtual int32_t onUserAdded(int32_t userId, int32_t parentId) = 0;
    245 
    246     virtual int32_t onUserRemoved(int32_t userId) = 0;
    247 
    248     virtual int32_t attestKey(const String16& name, const KeymasterArguments& params,
    249                               KeymasterCertificateChain* outChain) = 0;
    250 
    251 };
    252 
    253 // ----------------------------------------------------------------------------
    254 
    255 class BnKeystoreService: public BnInterface<IKeystoreService> {
    256 public:
    257     virtual status_t onTransact(uint32_t code, const Parcel& data, Parcel* reply,
    258             uint32_t flags = 0);
    259 };
    260 
    261 } // namespace android
    262 
    263 #endif
    264