Home | History | Annotate | Download | only in keystore 
      1 /*
      2  * Copyright (C) 2014 The Android Open Source Project
      3  *
      4  * Licensed under the Apache License, Version 2.0 (the "License");
      5  * you may not use this file except in compliance with the License.
      6  * You may obtain a copy of the License at
      7  *
      8  *      http://www.apache.org/licenses/LICENSE-2.0
      9  *
     10  * Unless required by applicable law or agreed to in writing, software
     11  * distributed under the License is distributed on an "AS IS" BASIS,
     12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
     13  * See the License for the specific language governing permissions and
     14  * limitations under the License.
     15  */
     16 
     17 #ifndef KEYSTORE_KEYMASTER_ENFORCEMENT_H
     18 #define KEYSTORE_KEYMASTER_ENFORCEMENT_H
     19 
     20 #include <stdio.h>
     21 
     22 #include <keystore/authorization_set.h>
     23 
     24 namespace keystore {
     25 
     26 typedef uint64_t km_id_t;
     27 
     28 class KeymasterEnforcementContext {
     29   public:
     30     virtual ~KeymasterEnforcementContext() {}
     31     /*
     32      * Get current time.
     33      */
     34 };
     35 
     36 class AccessTimeMap;
     37 class AccessCountMap;
     38 
     39 class KeymasterEnforcement {
     40   public:
     41     /**
     42      * Construct a KeymasterEnforcement.
     43      */
     44     KeymasterEnforcement(uint32_t max_access_time_map_size, uint32_t max_access_count_map_size);
     45     virtual ~KeymasterEnforcement();
     46 
     47     /**
     48      * Iterates through the authorization set and returns the corresponding keymaster error. Will
     49      * return KM_ERROR_OK if all criteria is met for the given purpose in the authorization set with
     50      * the given operation params and handle. Used for encrypt, decrypt sign, and verify.
     51      */
     52     ErrorCode AuthorizeOperation(const KeyPurpose purpose, const km_id_t keyid,
     53                                  const AuthorizationSet& auth_set,
     54                                  const AuthorizationSet& operation_params, uint64_t op_handle,
     55                                  bool is_begin_operation);
     56 
     57     /**
     58      * Iterates through the authorization set and returns the corresponding keymaster error. Will
     59      * return KM_ERROR_OK if all criteria is met for the given purpose in the authorization set with
     60      * the given operation params. Used for encrypt, decrypt sign, and verify.
     61      */
     62     ErrorCode AuthorizeBegin(const KeyPurpose purpose, const km_id_t keyid,
     63                              const AuthorizationSet& auth_set,
     64                              const AuthorizationSet& operation_params);
     65 
     66     /**
     67      * Iterates through the authorization set and returns the corresponding keymaster error. Will
     68      * return KM_ERROR_OK if all criteria is met for the given purpose in the authorization set with
     69      * the given operation params and handle. Used for encrypt, decrypt sign, and verify.
     70      */
     71     ErrorCode AuthorizeUpdate(const AuthorizationSet& auth_set,
     72                               const AuthorizationSet& operation_params, uint64_t op_handle) {
     73         return AuthorizeUpdateOrFinish(auth_set, operation_params, op_handle);
     74     }
     75 
     76     /**
     77      * Iterates through the authorization set and returns the corresponding keymaster error. Will
     78      * return KM_ERROR_OK if all criteria is met for the given purpose in the authorization set with
     79      * the given operation params and handle. Used for encrypt, decrypt sign, and verify.
     80      */
     81     ErrorCode AuthorizeFinish(const AuthorizationSet& auth_set,
     82                               const AuthorizationSet& operation_params, uint64_t op_handle) {
     83         return AuthorizeUpdateOrFinish(auth_set, operation_params, op_handle);
     84     }
     85 
     86     /**
     87      * Creates a key ID for use in subsequent calls to AuthorizeOperation.  Clients needn't use this
     88      * method of creating key IDs, as long as they use something consistent and unique.  This method
     89      * hashes the key blob.
     90      *
     91      * Returns false if an error in the crypto library prevents creation of an ID.
     92      */
     93     static bool CreateKeyId(const hidl_vec<uint8_t>& key_blob, km_id_t* keyid);
     94 
     95     //
     96     // Methods that must be implemented by subclasses
     97     //
     98     // The time-related methods address the fact that different enforcement contexts may have
     99     // different time-related capabilities.  In particular:
    100     //
    101     // - They may or may not be able to check dates against real-world clocks.
    102     //
    103     // - They may or may not be able to check timestampls against authentication trustlets (minters
    104     //   of hw_auth_token_t structs).
    105     //
    106     // - They must have some time source for relative times, but may not be able to provide more
    107     //   than reliability and monotonicity.
    108 
    109     /*
    110      * Returns true if the specified activation date has passed, or if activation cannot be
    111      * enforced.
    112      */
    113     virtual bool activation_date_valid(uint64_t activation_date) const = 0;
    114 
    115     /*
    116      * Returns true if the specified expiration date has passed.  Returns false if it has not, or if
    117      * expiration cannot be enforced.
    118      */
    119     virtual bool expiration_date_passed(uint64_t expiration_date) const = 0;
    120 
    121     /*
    122      * Returns true if the specified auth_token is older than the specified timeout.
    123      */
    124     virtual bool auth_token_timed_out(const hw_auth_token_t& token, uint32_t timeout) const = 0;
    125 
    126     /*
    127      * Get current time in seconds from some starting point.  This value is used to compute relative
    128      * times between events.  It must be monotonically increasing, and must not skip or lag.  It
    129      * need not have any relation to any external time standard (other than the duration of
    130      * "second").
    131      *
    132      * On POSIX systems, it's recommented to use clock_gettime(CLOCK_MONOTONIC, ...) to implement
    133      * this method.
    134      */
    135     virtual uint32_t get_current_time() const = 0;
    136 
    137     /*
    138      * Returns true if the specified auth_token has a valid signature, or if signature validation is
    139      * not available.
    140      */
    141     virtual bool ValidateTokenSignature(const hw_auth_token_t& token) const = 0;
    142 
    143   private:
    144     ErrorCode AuthorizeUpdateOrFinish(const AuthorizationSet& auth_set,
    145                                       const AuthorizationSet& operation_params, uint64_t op_handle);
    146 
    147     bool MinTimeBetweenOpsPassed(uint32_t min_time_between, const km_id_t keyid);
    148     bool MaxUsesPerBootNotExceeded(const km_id_t keyid, uint32_t max_uses);
    149     bool AuthTokenMatches(const AuthorizationSet& auth_set,
    150                           const AuthorizationSet& operation_params, const uint64_t user_secure_id,
    151                           const int auth_type_index, const int auth_timeout_index,
    152                           const uint64_t op_handle, bool is_begin_operation) const;
    153 
    154     AccessTimeMap* access_time_map_;
    155     AccessCountMap* access_count_map_;
    156 };
    157 
    158 }; /* namespace keystore */
    159 
    160 #endif  // KEYSTORE_KEYMASTER_ENFORCEMENT_H
    161