78daac2ca8
The active Android user ID is not generally accessible from native code - UID is per-app, and PID can be split up even farther than that. Most processes even on the Java side don't have correct permissions to read their user ID, but the keyguard does, and we're already getting that signal from the state change calls. Keep track of that, and write it out to the saved authorization list that will be read back for the software authorization. Bug: 76430246 Test: CtsKeystoreTestCases, both as main and guest user Change-Id: I39baac7264196318bb42c75964d64b5d3b567b97
308 lines
17 KiB
C++
308 lines
17 KiB
C++
/*
|
|
* Copyright (C) 2016 The Android Open Source Project
|
|
*
|
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
|
* you may not use this file except in compliance with the License.
|
|
* You may obtain a copy of the License at
|
|
*
|
|
* http://www.apache.org/licenses/LICENSE-2.0
|
|
*
|
|
* Unless required by applicable law or agreed to in writing, software
|
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
* See the License for the specific language governing permissions and
|
|
* limitations under the License.
|
|
*/
|
|
|
|
#ifndef KEYSTORE_KEYSTORE_SERVICE_H_
|
|
#define KEYSTORE_KEYSTORE_SERVICE_H_
|
|
|
|
#include <android/security/BnKeystoreService.h>
|
|
|
|
#include "auth_token_table.h"
|
|
#include "confirmation_manager.h"
|
|
|
|
#include "KeyStore.h"
|
|
#include "keystore_keymaster_enforcement.h"
|
|
#include "operation.h"
|
|
#include "permissions.h"
|
|
|
|
namespace keystore {
|
|
|
|
// Class provides implementation for generated BnKeystoreService.h based on
|
|
// gen/aidl/android/security/BnKeystoreService.h generated from
|
|
// java/android/security/IKeystoreService.aidl Note that all generated methods return binder::Status
|
|
// and use last arguments to send actual result to the caller. Private methods don't need to handle
|
|
// binder::Status. Input parameters cannot be null unless annotated with @nullable in .aidl file.
|
|
class KeyStoreService : public android::security::BnKeystoreService,
|
|
android::IBinder::DeathRecipient {
|
|
public:
|
|
explicit KeyStoreService(KeyStore* keyStore)
|
|
: mKeyStore(keyStore), mOperationMap(this),
|
|
mConfirmationManager(new ConfirmationManager(this)), mActiveUserId(0) {}
|
|
virtual ~KeyStoreService() = default;
|
|
|
|
void binderDied(const android::wp<android::IBinder>& who);
|
|
|
|
::android::binder::Status getState(int32_t userId, int32_t* _aidl_return) override;
|
|
::android::binder::Status get(const ::android::String16& name, int32_t uid,
|
|
::std::vector<uint8_t>* _aidl_return) override;
|
|
::android::binder::Status insert(const ::android::String16& name,
|
|
const ::std::vector<uint8_t>& item, int32_t uid, int32_t flags,
|
|
int32_t* _aidl_return) override;
|
|
::android::binder::Status del(const ::android::String16& name, int32_t uid,
|
|
int32_t* _aidl_return) override;
|
|
::android::binder::Status exist(const ::android::String16& name, int32_t uid,
|
|
int32_t* _aidl_return) override;
|
|
::android::binder::Status list(const ::android::String16& namePrefix, int32_t uid,
|
|
::std::vector<::android::String16>* _aidl_return) override;
|
|
::android::binder::Status reset(int32_t* _aidl_return) override;
|
|
::android::binder::Status onUserPasswordChanged(int32_t userId,
|
|
const ::android::String16& newPassword,
|
|
int32_t* _aidl_return) override;
|
|
::android::binder::Status lock(int32_t userId, int32_t* _aidl_return) override;
|
|
::android::binder::Status unlock(int32_t userId, const ::android::String16& userPassword,
|
|
int32_t* _aidl_return) override;
|
|
::android::binder::Status isEmpty(int32_t userId, int32_t* _aidl_return) override;
|
|
::android::binder::Status generate(const ::android::String16& name, int32_t uid,
|
|
int32_t keyType, int32_t keySize, int32_t flags,
|
|
const ::android::security::KeystoreArguments& args,
|
|
int32_t* _aidl_return) override;
|
|
::android::binder::Status import_key(const ::android::String16& name,
|
|
const ::std::vector<uint8_t>& data, int32_t uid,
|
|
int32_t flags, int32_t* _aidl_return) override;
|
|
::android::binder::Status sign(const ::android::String16& name,
|
|
const ::std::vector<uint8_t>& data,
|
|
::std::vector<uint8_t>* _aidl_return) override;
|
|
::android::binder::Status verify(const ::android::String16& name,
|
|
const ::std::vector<uint8_t>& data,
|
|
const ::std::vector<uint8_t>& signature,
|
|
int32_t* _aidl_return) override;
|
|
/*
|
|
* TODO: The abstraction between things stored in hardware and regular blobs
|
|
* of data stored on the filesystem should be moved down to keystore itself.
|
|
* Unfortunately the Java code that calls this has naming conventions that it
|
|
* knows about. Ideally keystore shouldn't be used to store random blobs of
|
|
* data.
|
|
*
|
|
* Until that happens, it's necessary to have a separate "get_pubkey" and
|
|
* "del_key" since the Java code doesn't really communicate what it's
|
|
* intentions are.
|
|
*/
|
|
::android::binder::Status get_pubkey(const ::android::String16& name,
|
|
::std::vector<uint8_t>* _aidl_return) override;
|
|
::android::binder::Status grant(const ::android::String16& name, int32_t granteeUid,
|
|
::android::String16* _aidl_return) override;
|
|
::android::binder::Status ungrant(const ::android::String16& name, int32_t granteeUid,
|
|
int32_t* _aidl_return) override;
|
|
::android::binder::Status getmtime(const ::android::String16& name, int32_t uid,
|
|
int64_t* _aidl_return) override;
|
|
::android::binder::Status is_hardware_backed(const ::android::String16& string,
|
|
int32_t* _aidl_return) override;
|
|
::android::binder::Status clear_uid(int64_t uid, int32_t* _aidl_return) override;
|
|
::android::binder::Status addRngEntropy(const ::std::vector<uint8_t>& data, int32_t flags,
|
|
int32_t* _aidl_return) override;
|
|
::android::binder::Status
|
|
generateKey(const ::android::String16& alias,
|
|
const ::android::security::keymaster::KeymasterArguments& arguments,
|
|
const ::std::vector<uint8_t>& entropy, int32_t uid, int32_t flags,
|
|
::android::security::keymaster::KeyCharacteristics* characteristics,
|
|
int32_t* _aidl_return) override;
|
|
::android::binder::Status
|
|
getKeyCharacteristics(const ::android::String16& alias,
|
|
const ::android::security::keymaster::KeymasterBlob& clientId,
|
|
const ::android::security::keymaster::KeymasterBlob& appId, int32_t uid,
|
|
::android::security::keymaster::KeyCharacteristics* characteristics,
|
|
int32_t* _aidl_return) override;
|
|
::android::binder::Status
|
|
importKey(const ::android::String16& alias,
|
|
const ::android::security::keymaster::KeymasterArguments& arguments, int32_t format,
|
|
const ::std::vector<uint8_t>& keyData, int32_t uid, int32_t flags,
|
|
::android::security::keymaster::KeyCharacteristics* characteristics,
|
|
int32_t* _aidl_return) override;
|
|
::android::binder::Status
|
|
exportKey(const ::android::String16& alias, int32_t format,
|
|
const ::android::security::keymaster::KeymasterBlob& clientId,
|
|
const ::android::security::keymaster::KeymasterBlob& appId, int32_t uid,
|
|
::android::security::keymaster::ExportResult* _aidl_return) override;
|
|
::android::binder::Status
|
|
begin(const ::android::sp<::android::IBinder>& appToken, const ::android::String16& alias,
|
|
int32_t purpose, bool pruneable,
|
|
const ::android::security::keymaster::KeymasterArguments& params,
|
|
const ::std::vector<uint8_t>& entropy, int32_t uid,
|
|
::android::security::keymaster::OperationResult* _aidl_return) override;
|
|
::android::binder::Status
|
|
update(const ::android::sp<::android::IBinder>& token,
|
|
const ::android::security::keymaster::KeymasterArguments& params,
|
|
const ::std::vector<uint8_t>& input,
|
|
::android::security::keymaster::OperationResult* _aidl_return) override;
|
|
::android::binder::Status
|
|
finish(const ::android::sp<::android::IBinder>& token,
|
|
const ::android::security::keymaster::KeymasterArguments& params,
|
|
const ::std::vector<uint8_t>& signature, const ::std::vector<uint8_t>& entropy,
|
|
::android::security::keymaster::OperationResult* _aidl_return) override;
|
|
::android::binder::Status abort(const ::android::sp<::android::IBinder>& handle,
|
|
int32_t* _aidl_return) override;
|
|
::android::binder::Status isOperationAuthorized(const ::android::sp<::android::IBinder>& token,
|
|
bool* _aidl_return) override;
|
|
::android::binder::Status addAuthToken(const ::std::vector<uint8_t>& authToken,
|
|
int32_t* _aidl_return) override;
|
|
::android::binder::Status onUserAdded(int32_t userId, int32_t parentId,
|
|
int32_t* _aidl_return) override;
|
|
::android::binder::Status onUserRemoved(int32_t userId, int32_t* _aidl_return) override;
|
|
::android::binder::Status
|
|
attestKey(const ::android::String16& alias,
|
|
const ::android::security::keymaster::KeymasterArguments& params,
|
|
::android::security::keymaster::KeymasterCertificateChain* chain,
|
|
int32_t* _aidl_return) override;
|
|
::android::binder::Status
|
|
attestDeviceIds(const ::android::security::keymaster::KeymasterArguments& params,
|
|
::android::security::keymaster::KeymasterCertificateChain* chain,
|
|
int32_t* _aidl_return) override;
|
|
::android::binder::Status onDeviceOffBody(int32_t* _aidl_return) override;
|
|
|
|
::android::binder::Status importWrappedKey(
|
|
const ::android::String16& wrappedKeyAlias, const ::std::vector<uint8_t>& wrappedKey,
|
|
const ::android::String16& wrappingKeyAlias, const ::std::vector<uint8_t>& maskingKey,
|
|
const ::android::security::keymaster::KeymasterArguments& params, int64_t rootSid,
|
|
int64_t fingerprintSid, ::android::security::keymaster::KeyCharacteristics* characteristics,
|
|
int32_t* _aidl_return) override;
|
|
|
|
::android::binder::Status presentConfirmationPrompt(
|
|
const ::android::sp<::android::IBinder>& listener, const ::android::String16& promptText,
|
|
const ::std::vector<uint8_t>& extraData, const ::android::String16& locale,
|
|
int32_t uiOptionsAsFlags, int32_t* _aidl_return) override;
|
|
::android::binder::Status
|
|
cancelConfirmationPrompt(const ::android::sp<::android::IBinder>& listener,
|
|
int32_t* _aidl_return) override;
|
|
::android::binder::Status isConfirmationPromptSupported(bool* _aidl_return) override;
|
|
|
|
::android::binder::Status onKeyguardVisibilityChanged(bool isShowing, int32_t userId,
|
|
int32_t* _aidl_return);
|
|
|
|
private:
|
|
static const int32_t UID_SELF = -1;
|
|
|
|
/**
|
|
* Prune the oldest pruneable operation.
|
|
*/
|
|
bool pruneOperation();
|
|
|
|
/**
|
|
* Get the effective target uid for a binder operation that takes an
|
|
* optional uid as the target.
|
|
*/
|
|
uid_t getEffectiveUid(int32_t targetUid);
|
|
|
|
/**
|
|
* Check if the caller of the current binder method has the required
|
|
* permission and if acting on other uids the grants to do so.
|
|
*/
|
|
bool checkBinderPermission(perm_t permission, int32_t targetUid = UID_SELF);
|
|
|
|
/**
|
|
* Check if the caller of the current binder method has the required
|
|
* permission and the target uid is the caller or the caller is system.
|
|
*/
|
|
bool checkBinderPermissionSelfOrSystem(perm_t permission, int32_t targetUid);
|
|
|
|
/**
|
|
* Check if the caller of the current binder method has the required
|
|
* permission or the target of the operation is the caller's uid. This is
|
|
* for operation where the permission is only for cross-uid activity and all
|
|
* uids are allowed to act on their own (ie: clearing all entries for a
|
|
* given uid).
|
|
*/
|
|
bool checkBinderPermissionOrSelfTarget(perm_t permission, int32_t targetUid);
|
|
|
|
/**
|
|
* Helper method to check that the caller has the required permission as
|
|
* well as the keystore is in the unlocked state if checkUnlocked is true.
|
|
*
|
|
* Returns NO_ERROR on success, PERMISSION_DENIED on a permission error and
|
|
* otherwise the state of keystore when not unlocked and checkUnlocked is
|
|
* true.
|
|
*/
|
|
KeyStoreServiceReturnCode checkBinderPermissionAndKeystoreState(perm_t permission,
|
|
int32_t targetUid = -1,
|
|
bool checkUnlocked = true);
|
|
|
|
bool isKeystoreUnlocked(State state);
|
|
|
|
/**
|
|
* Check that all keymaster_key_param_t's provided by the application are
|
|
* allowed. Any parameter that keystore adds itself should be disallowed here.
|
|
*/
|
|
bool checkAllowedOperationParams(const hidl_vec<KeyParameter>& params);
|
|
|
|
ErrorCode getOperationCharacteristics(const hidl_vec<uint8_t>& key, sp<Keymaster>* dev,
|
|
const AuthorizationSet& params, KeyCharacteristics* out);
|
|
|
|
/**
|
|
* Get the auth token for this operation from the auth token table.
|
|
*
|
|
* Returns NO_ERROR if the auth token was found or none was required. If not needed, the
|
|
* token will be empty (which keymaster interprets as no auth token).
|
|
* OP_AUTH_NEEDED if it is a per op authorization, no authorization token exists for
|
|
* that operation and failOnTokenMissing is false.
|
|
* KM_ERROR_KEY_USER_NOT_AUTHENTICATED if there is no valid auth token for the operation
|
|
*/
|
|
std::pair<KeyStoreServiceReturnCode, HardwareAuthToken>
|
|
getAuthToken(const KeyCharacteristics& characteristics, uint64_t handle, KeyPurpose purpose,
|
|
bool failOnTokenMissing = true);
|
|
|
|
/**
|
|
* Get the auth token for the operation if the operation requires authorization. Uses the cached
|
|
* result in the OperationMap if available otherwise gets the token from the AuthTokenTable and
|
|
* caches the result.
|
|
*
|
|
* Returns NO_ERROR if the auth token was found or not needed. If not needed, the token will
|
|
* be empty (which keymaster interprets as no auth token).
|
|
* KM_ERROR_KEY_USER_NOT_AUTHENTICATED if the operation is not authenticated.
|
|
* KM_ERROR_INVALID_OPERATION_HANDLE if token is not a valid operation token.
|
|
*/
|
|
std::pair<KeyStoreServiceReturnCode, const HardwareAuthToken&>
|
|
getOperationAuthTokenIfNeeded(const sp<android::IBinder>& token);
|
|
|
|
/**
|
|
* Translate a result value to a legacy return value. All keystore errors are
|
|
* preserved and keymaster errors become SYSTEM_ERRORs
|
|
*/
|
|
KeyStoreServiceReturnCode translateResultToLegacyResult(int32_t result);
|
|
|
|
void addLegacyBeginParams(const android::String16& name, AuthorizationSet* params);
|
|
|
|
KeyStoreServiceReturnCode doLegacySignVerify(const android::String16& name,
|
|
const hidl_vec<uint8_t>& data,
|
|
hidl_vec<uint8_t>* out,
|
|
const hidl_vec<uint8_t>& signature,
|
|
KeyPurpose purpose);
|
|
|
|
/**
|
|
* Upgrade a key blob under alias "name", returning the new blob in "blob". If "blob"
|
|
* previously contained data, it will be overwritten.
|
|
*
|
|
* Returns ::NO_ERROR if the key was upgraded successfully.
|
|
* KM_ERROR_VERSION_MISMATCH if called on a key whose patch level is greater than or
|
|
* equal to the current system patch level.
|
|
*/
|
|
KeyStoreServiceReturnCode upgradeKeyBlob(const android::String16& name, uid_t targetUid,
|
|
const AuthorizationSet& params, Blob* blob);
|
|
|
|
/**
|
|
* Adds a Confirmation Token to the key parameters if needed.
|
|
*/
|
|
void appendConfirmationTokenIfNeeded(const KeyCharacteristics& keyCharacteristics,
|
|
std::vector<KeyParameter>* params);
|
|
|
|
KeyStore* mKeyStore;
|
|
OperationMap mOperationMap;
|
|
android::sp<ConfirmationManager> mConfirmationManager;
|
|
keystore::AuthTokenTable mAuthTokenTable;
|
|
KeystoreKeymasterEnforcement enforcement_policy;
|
|
int32_t mActiveUserId;
|
|
};
|
|
|
|
}; // namespace keystore
|
|
|
|
#endif // KEYSTORE_KEYSTORE_SERVICE_H_
|