1/* 2 * Copyright (C) 2016 The Android Open Source Project 3 * 4 * Licensed under the Apache License, Version 2.0 (the "License"); 5 * you may not use this file except in compliance with the License. 6 * You may obtain a copy of the License at 7 * 8 * http://www.apache.org/licenses/LICENSE-2.0 9 * 10 * Unless required by applicable law or agreed to in writing, software 11 * distributed under the License is distributed on an "AS IS" BASIS, 12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 * See the License for the specific language governing permissions and 14 * limitations under the License. 15 */ 16 17#ifndef KEYSTORE_KEYSTORE_H_ 18#define KEYSTORE_KEYSTORE_H_ 19 20#include "user_state.h" 21 22#include <android/hardware/keymaster/3.0/IKeymasterDevice.h> 23 24#include <utils/Vector.h> 25 26#include "blob.h" 27#include "include/keystore/keymaster_tags.h" 28#include "grant_store.h" 29 30using ::keystore::NullOr; 31 32class KeyStore { 33 typedef ::android::sp<::android::hardware::keymaster::V3_0::IKeymasterDevice> km_device_t; 34 35 public: 36 KeyStore(Entropy* entropy, const km_device_t& device, const km_device_t& fallback, 37 bool allowNewFallback); 38 ~KeyStore(); 39 40 km_device_t& getDevice() { return mDevice; } 41 42 NullOr<km_device_t&> getFallbackDevice() { 43 // we only return the fallback device if the creation of new fallback key blobs is 44 // allowed. (also see getDevice below) 45 if (mAllowNewFallback) { 46 return mFallbackDevice; 47 } else { 48 return {}; 49 } 50 } 51 52 km_device_t& getDevice(const Blob& blob) { 53 // We return a device, based on the nature of the blob to provide backward 54 // compatibility with old key blobs generated using the fallback device. 55 return blob.isFallback() ? mFallbackDevice : mDevice; 56 } 57 58 ResponseCode initialize(); 59 60 State getState(uid_t userId) { return getUserState(userId)->getState(); } 61 62 ResponseCode initializeUser(const android::String8& pw, uid_t userId); 63 64 ResponseCode copyMasterKey(uid_t srcUser, uid_t dstUser); 65 ResponseCode writeMasterKey(const android::String8& pw, uid_t userId); 66 ResponseCode readMasterKey(const android::String8& pw, uid_t userId); 67 68 android::String8 getKeyName(const android::String8& keyName, const BlobType type); 69 android::String8 getKeyNameForUid(const android::String8& keyName, uid_t uid, 70 const BlobType type); 71 android::String8 getKeyNameForUidWithDir(const android::String8& keyName, uid_t uid, 72 const BlobType type); 73 NullOr<android::String8> getBlobFileNameIfExists(const android::String8& alias, uid_t uid, 74 const BlobType type); 75 76 /* 77 * Delete entries owned by userId. If keepUnencryptedEntries is true 78 * then only encrypted entries will be removed, otherwise all entries will 79 * be removed. 80 */ 81 void resetUser(uid_t userId, bool keepUnenryptedEntries); 82 bool isEmpty(uid_t userId) const; 83 84 void lock(uid_t userId); 85 86 ResponseCode get(const char* filename, Blob* keyBlob, const BlobType type, uid_t userId); 87 ResponseCode put(const char* filename, Blob* keyBlob, uid_t userId); 88 ResponseCode del(const char* filename, const BlobType type, uid_t userId); 89 ResponseCode list(const android::String8& prefix, android::Vector<android::String16>* matches, 90 uid_t userId); 91 92 std::string addGrant(const char* alias, uid_t granterUid, uid_t granteeUid); 93 bool removeGrant(const char* alias, const uid_t granterUid, const uid_t granteeUid); 94 void removeAllGrantsToUid(const uid_t granteeUid); 95 96 ResponseCode importKey(const uint8_t* key, size_t keyLen, const char* filename, uid_t userId, 97 int32_t flags); 98 99 bool isHardwareBacked(const android::String16& keyType) const; 100 101 ResponseCode getKeyForName(Blob* keyBlob, const android::String8& keyName, const uid_t uid, 102 const BlobType type); 103 104 /** 105 * Returns any existing UserState or creates it if it doesn't exist. 106 */ 107 UserState* getUserState(uid_t userId); 108 109 /** 110 * Returns any existing UserState or creates it if it doesn't exist. 111 */ 112 UserState* getUserStateByUid(uid_t uid); 113 114 /** 115 * Returns NULL if the UserState doesn't already exist. 116 */ 117 const UserState* getUserState(uid_t userId) const; 118 119 /** 120 * Returns NULL if the UserState doesn't already exist. 121 */ 122 const UserState* getUserStateByUid(uid_t uid) const; 123 124 private: 125 static const char* sOldMasterKey; 126 static const char* sMetaDataFile; 127 static const android::String16 sRSAKeyType; 128 Entropy* mEntropy; 129 130 km_device_t mDevice; 131 km_device_t mFallbackDevice; 132 bool mAllowNewFallback; 133 134 android::Vector<UserState*> mMasterKeys; 135 136 ::keystore::GrantStore mGrants; 137 138 typedef struct { uint32_t version; } keystore_metadata_t; 139 140 keystore_metadata_t mMetaData; 141 142 /** 143 * Upgrade the key from the current version to whatever is newest. 144 */ 145 bool upgradeBlob(const char* filename, Blob* blob, const uint8_t oldVersion, 146 const BlobType type, uid_t uid); 147 148 /** 149 * Takes a blob that is an PEM-encoded RSA key as a byte array and converts it to a DER-encoded 150 * PKCS#8 for import into a keymaster. Then it overwrites the original blob with the new blob 151 * format that is returned from the keymaster. 152 */ 153 ResponseCode importBlobAsKey(Blob* blob, const char* filename, uid_t uid); 154 155 void readMetaData(); 156 void writeMetaData(); 157 158 bool upgradeKeystore(); 159}; 160 161#endif // KEYSTORE_KEYSTORE_H_ 162