Home | History | Annotate | Download | only in keystore 
      1 /*
      2  * Copyright (C) 2016 The Android Open Source Project
      3  *
      4  * Licensed under the Apache License, Version 2.0 (the "License");
      5  * you may not use this file except in compliance with the License.
      6  * You may obtain a copy of the License at
      7  *
      8  *      http://www.apache.org/licenses/LICENSE-2.0
      9  *
     10  * Unless required by applicable law or agreed to in writing, software
     11  * distributed under the License is distributed on an "AS IS" BASIS,
     12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
     13  * See the License for the specific language governing permissions and
     14  * limitations under the License.
     15  */
     16 
     17 #ifndef KEYSTORE_KEYSTORE_H_
     18 #define KEYSTORE_KEYSTORE_H_
     19 
     20 #include "user_state.h"
     21 
     22 #include <hardware/keymaster2.h>
     23 
     24 #include <utils/Vector.h>
     25 
     26 #include "blob.h"
     27 
     28 typedef struct {
     29     uint32_t uid;
     30     const uint8_t* filename;
     31 } grant_t;
     32 
     33 class KeyStore {
     34   public:
     35     KeyStore(Entropy* entropy, keymaster2_device_t* device, keymaster2_device_t* fallback);
     36     ~KeyStore();
     37 
     38     keymaster2_device_t* getDevice() const { return mDevice; }
     39 
     40     keymaster2_device_t* getFallbackDevice() const { return mFallbackDevice; }
     41 
     42     keymaster2_device_t* getDeviceForBlob(const Blob& blob) const {
     43         return blob.isFallback() ? mFallbackDevice : mDevice;
     44     }
     45 
     46     ResponseCode initialize();
     47 
     48     State getState(uid_t userId) { return getUserState(userId)->getState(); }
     49 
     50     ResponseCode initializeUser(const android::String8& pw, uid_t userId);
     51 
     52     ResponseCode copyMasterKey(uid_t srcUser, uid_t dstUser);
     53     ResponseCode writeMasterKey(const android::String8& pw, uid_t userId);
     54     ResponseCode readMasterKey(const android::String8& pw, uid_t userId);
     55 
     56     android::String8 getKeyName(const android::String8& keyName);
     57     android::String8 getKeyNameForUid(const android::String8& keyName, uid_t uid);
     58     android::String8 getKeyNameForUidWithDir(const android::String8& keyName, uid_t uid);
     59 
     60     /*
     61      * Delete entries owned by userId. If keepUnencryptedEntries is true
     62      * then only encrypted entries will be removed, otherwise all entries will
     63      * be removed.
     64      */
     65     void resetUser(uid_t userId, bool keepUnenryptedEntries);
     66     bool isEmpty(uid_t userId) const;
     67 
     68     void lock(uid_t userId);
     69 
     70     ResponseCode get(const char* filename, Blob* keyBlob, const BlobType type, uid_t userId);
     71     ResponseCode put(const char* filename, Blob* keyBlob, uid_t userId);
     72     ResponseCode del(const char* filename, const BlobType type, uid_t userId);
     73     ResponseCode list(const android::String8& prefix, android::Vector<android::String16>* matches,
     74                       uid_t userId);
     75 
     76     void addGrant(const char* filename, uid_t granteeUid);
     77     bool removeGrant(const char* filename, uid_t granteeUid);
     78     bool hasGrant(const char* filename, const uid_t uid) const {
     79         return getGrant(filename, uid) != NULL;
     80     }
     81 
     82     ResponseCode importKey(const uint8_t* key, size_t keyLen, const char* filename, uid_t userId,
     83                            int32_t flags);
     84 
     85     bool isHardwareBacked(const android::String16& keyType) const;
     86 
     87     ResponseCode getKeyForName(Blob* keyBlob, const android::String8& keyName, const uid_t uid,
     88                                const BlobType type);
     89 
     90     /**
     91      * Returns any existing UserState or creates it if it doesn't exist.
     92      */
     93     UserState* getUserState(uid_t userId);
     94 
     95     /**
     96      * Returns any existing UserState or creates it if it doesn't exist.
     97      */
     98     UserState* getUserStateByUid(uid_t uid);
     99 
    100     /**
    101      * Returns NULL if the UserState doesn't already exist.
    102      */
    103     const UserState* getUserState(uid_t userId) const;
    104 
    105     /**
    106      * Returns NULL if the UserState doesn't already exist.
    107      */
    108     const UserState* getUserStateByUid(uid_t uid) const;
    109 
    110   private:
    111     static const char* sOldMasterKey;
    112     static const char* sMetaDataFile;
    113     static const android::String16 sRSAKeyType;
    114     Entropy* mEntropy;
    115 
    116     keymaster2_device_t* mDevice;
    117     keymaster2_device_t* mFallbackDevice;
    118 
    119     android::Vector<UserState*> mMasterKeys;
    120 
    121     android::Vector<grant_t*> mGrants;
    122 
    123     typedef struct { uint32_t version; } keystore_metadata_t;
    124 
    125     keystore_metadata_t mMetaData;
    126 
    127     const grant_t* getGrant(const char* filename, uid_t uid) const;
    128 
    129     /**
    130      * Upgrade the key from the current version to whatever is newest.
    131      */
    132     bool upgradeBlob(const char* filename, Blob* blob, const uint8_t oldVersion,
    133                      const BlobType type, uid_t uid);
    134 
    135     /**
    136      * Takes a blob that is an PEM-encoded RSA key as a byte array and converts it to a DER-encoded
    137      * PKCS#8 for import into a keymaster.  Then it overwrites the original blob with the new blob
    138      * format that is returned from the keymaster.
    139      */
    140     ResponseCode importBlobAsKey(Blob* blob, const char* filename, uid_t uid);
    141 
    142     void readMetaData();
    143     void writeMetaData();
    144 
    145     bool upgradeKeystore();
    146 };
    147 
    148 #endif  // KEYSTORE_KEYSTORE_H_
    149