// Copyright 2015 The Android Open Source Project
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//      http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
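
#ifndef KEYSTORE_KEYSTORE_CLIENT_IMPL_H_
#define KEYSTORE_KEYSTORE_CLIENT_IMPL_H_

#include "keystore_client.h"

#include <cstddef>
#include <cstdint>
#include <map>
#include <string>
#include <vector>

#include <android/security/IKeystoreService.h>
#include <binder/IBinder.h>
#include <binder/IServiceManager.h>
#include <utils/StrongPointer.h>

namespace keystore {

// Binder-backed implementation of KeystoreClient.
//
// All key material stays inside the system keystore service; this class only
// forwards requests over IKeystoreService and keeps the per-operation binder
// tokens it receives in |active_operations_|, handing callers a local
// uint64_t "virtual" handle instead of the raw binder.
//
// No locking is visible in this class: |next_virtual_handle_| and
// |active_operations_| are plain members, so sharing one instance between
// threads requires external synchronization.
class KeystoreClientImpl : public KeystoreClient {
  public:
    KeystoreClientImpl();
    ~KeystoreClientImpl() override = default;

    // Copy would duplicate the operation-handle table and the binder
    // references behind it; spelled out explicitly instead of via the
    // DISALLOW_COPY_AND_ASSIGN macro so this header does not depend on the
    // macro's defining header being pulled in transitively.
    KeystoreClientImpl(const KeystoreClientImpl&) = delete;
    KeystoreClientImpl& operator=(const KeystoreClientImpl&) = delete;

    // KeystoreClient methods. See keystore_client.h for the full contract of
    // each; the notes below cover only what this implementation adds.

    // Encrypts |data| with the key named |key_name| and writes the result to
    // |encrypted_data|. The private createOrVerify{Encryption,Authentication}Key
    // helpers take the same |flags|, which suggests the key pair backing this
    // call is created on first use with those keystore flags -- confirm in the
    // .cpp before relying on it. Returns true on success.
    bool encryptWithAuthentication(const std::string& key_name, const std::string& data,
                                   int32_t flags, std::string* encrypted_data) override;
    // Reverses encryptWithAuthentication. Returns true on success; on failure
    // (including an authentication failure) the contents of |data| should not
    // be trusted.
    bool decryptWithAuthentication(const std::string& key_name, const std::string& encrypted_data,
                                   std::string* data) override;
    // Runs begin/update/finish as one call. |signature_to_verify| is only
    // meaningful for verification purposes; |output_parameters| and
    // |output_data| receive what finishOperation would have produced.
    bool oneShotOperation(KeyPurpose purpose, const std::string& key_name,
                          const keystore::AuthorizationSet& input_parameters,
                          const std::string& input_data, const std::string& signature_to_verify,
                          keystore::AuthorizationSet* output_parameters,
                          std::string* output_data) override;
    // Mixes |entropy| into the keystore RNG. Callers should not treat this
    // as a replacement for the service's own entropy source.
    KeyStoreNativeReturnCode addRandomNumberGeneratorEntropy(const std::string& entropy,
                                                             int32_t flags) override;
    // Generates a key named |key_name| with |key_parameters|. The two
    // characteristics out-params report which authorizations the hardware
    // (TEE/StrongBox) enforces versus which only keystore software enforces;
    // security-sensitive callers should check that the authorizations they
    // care about landed in |hardware_enforced_characteristics|.
    KeyStoreNativeReturnCode
    generateKey(const std::string& key_name, const keystore::AuthorizationSet& key_parameters,
                int32_t flags, keystore::AuthorizationSet* hardware_enforced_characteristics,
                keystore::AuthorizationSet* software_enforced_characteristics) override;
    // Reads back the hardware- and software-enforced authorizations of an
    // existing key without exporting it.
    KeyStoreNativeReturnCode
    getKeyCharacteristics(const std::string& key_name,
                          keystore::AuthorizationSet* hardware_enforced_characteristics,
                          keystore::AuthorizationSet* software_enforced_characteristics) override;
    // Imports raw |key_data| in |key_format| under |key_name|. Imported key
    // material has necessarily existed outside the secure hardware; the
    // characteristics out-params behave as for generateKey.
    KeyStoreNativeReturnCode
    importKey(const std::string& key_name, const keystore::AuthorizationSet& key_parameters,
              KeyFormat key_format, const std::string& key_data,
              keystore::AuthorizationSet* hardware_enforced_characteristics,
              keystore::AuthorizationSet* software_enforced_characteristics) override;
    // Exports the key named |key_name| in |export_format| into |export_data|.
    // Whether private material can be exported is decided by the service and
    // the key's own authorizations, not by this client.
    KeyStoreNativeReturnCode exportKey(KeyFormat export_format, const std::string& key_name,
                                       std::string* export_data) override;
    KeyStoreNativeReturnCode deleteKey(const std::string& key_name) override;
    // Destructive: removes every key this client's identity can see.
    KeyStoreNativeReturnCode deleteAllKeys() override;
    // Starts a multi-step operation. On success |*handle| receives a virtual
    // handle (never 0, see |next_virtual_handle_|) that the update/finish/abort
    // calls below map back to the service-side operation token.
    KeyStoreNativeReturnCode beginOperation(KeyPurpose purpose, const std::string& key_name,
                                            const keystore::AuthorizationSet& input_parameters,
                                            keystore::AuthorizationSet* output_parameters,
                                            uint64_t* handle) override;
    // Feeds |input_data| to the operation. |*num_input_bytes_consumed| reports
    // how much of |input_data| was accepted; callers must loop on the
    // remainder rather than assume everything was consumed.
    KeyStoreNativeReturnCode updateOperation(uint64_t handle,
                                             const keystore::AuthorizationSet& input_parameters,
                                             const std::string& input_data,
                                             size_t* num_input_bytes_consumed,
                                             keystore::AuthorizationSet* output_parameters,
                                             std::string* output_data) override;
    // Completes the operation. For verification purposes |signature_to_verify|
    // is checked by the service; the return code, not |output_data|, conveys
    // the verdict.
    KeyStoreNativeReturnCode finishOperation(uint64_t handle,
                                             const keystore::AuthorizationSet& input_parameters,
                                             const std::string& signature_to_verify,
                                             keystore::AuthorizationSet* output_parameters,
                                             std::string* output_data) override;
    // Cancels an in-flight operation. Operations that are begun but neither
    // finished nor aborted keep a slot in |active_operations_| (and, presumably,
    // in the service's limited operation table) -- always abort on error paths.
    KeyStoreNativeReturnCode abortOperation(uint64_t handle) override;
    bool doesKeyExist(const std::string& key_name) override;
    // Lists key names starting with |prefix| into |key_name_list|.
    bool listKeys(const std::string& prefix, std::vector<std::string>* key_name_list) override;

  private:
    // Returns an available virtual operation handle.
    uint64_t getNextVirtualHandle();

    // Maps a keystore error code to a code where all success cases use
    // KM_ERROR_OK (not keystore's NO_ERROR).
    // int32_t mapKeystoreError(int32_t keystore_error);

    // Creates an encryption key suitable for EncryptWithAuthentication or
    // verifies attributes if the key already exists. Returns true on success.
    bool createOrVerifyEncryptionKey(const std::string& key_name, int32_t flags);

    // Creates an authentication key suitable for EncryptWithAuthentication or
    // verifies attributes if the key already exists. Returns true on success.
    bool createOrVerifyAuthenticationKey(const std::string& key_name, int32_t flags);

    // Verifies attributes of an encryption key suitable for
    // EncryptWithAuthentication. Returns true on success and populates |verified|
    // with the result of the verification. Note the two results are distinct:
    // a true return with |*verified| == false means the key exists but does not
    // have the expected attributes and must not be used.
    bool verifyEncryptionKeyAttributes(const std::string& key_name, bool* verified);

    // Verifies attributes of an authentication key suitable for
    // EncryptWithAuthentication. Returns true on success and populates |verified|
    // with the result of the verification (same two-result contract as
    // verifyEncryptionKeyAttributes).
    bool verifyAuthenticationKeyAttributes(const std::string& key_name, bool* verified);

    android::sp<android::IServiceManager> service_manager_;
    android::sp<android::IBinder> keystore_binder_;
    android::sp<android::security::IKeystoreService> keystore_;
    // Starts at 1 so that 0 is never a valid handle and can serve as "none".
    uint64_t next_virtual_handle_ = 1;
    // Virtual handle -> service-side operation token. Entries are expected to
    // be removed when the operation finishes or is aborted.
    std::map<uint64_t, android::sp<android::IBinder>> active_operations_;
};

}  // namespace keystore

#endif  // KEYSTORE_KEYSTORE_CLIENT_IMPL_H_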