1 /*
2  * Copyright (c) 2019, The Android Open Source Project
3  *
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at
7  *
8  *     http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */
16 
17 #ifndef SYSTEM_SECURITY_CREDENTIAL_DATA_H_
18 #define SYSTEM_SECURITY_CREDENTIAL_DATA_H_
19 
#include <sys/types.h>
#include <unistd.h>

#include <cstdint>
#include <map>
#include <optional>
#include <string>
#include <tuple>
#include <utility>
#include <vector>

#include <android/hardware/identity/IIdentityCredential.h>
#include <android/hardware/identity/SecureAccessControlProfile.h>
30 
31 namespace android {
32 namespace security {
33 namespace identity {
34 
35 using ::android::hardware::identity::Certificate;
36 using ::android::hardware::identity::IIdentityCredential;
37 using ::android::hardware::identity::SecureAccessControlProfile;
38 using ::std::map;
39 using ::std::optional;
40 using ::std::pair;
41 using ::std::string;
42 using ::std::tuple;
43 using ::std::vector;
44 
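// One data element stored in a credential: the size of the value, the access
// control profiles that gate it, and the ciphertext chunks the value was split
// into. The plaintext is never held in this struct. Instances are copied into
// and out of CredentialData's entry map, so the type stays a plain value type.
struct EntryData {
    // The original user-provided `EntryData() {}` did exactly what the implicit
    // constructor does; defaulting it lets the compiler generate it and keeps
    // the type as trivial as its members allow.
    EntryData() = default;

    // Size in bytes of the entry value (presumably before chunking and
    // encryption — confirm against the .cpp). 0 means "not set yet".
    uint64_t size = 0;
    // IDs of the SecureAccessControlProfiles that must be satisfied to read this
    // entry (profiles are registered via
    // CredentialData::addSecureAccessControlProfile).
    vector<int32_t> accessControlProfileIds;
    // Encrypted chunks as handed back by the identity HAL. NOTE(review): chunk
    // order is presumably significant for reassembly — do not reorder.
    vector<vector<uint8_t>> encryptedChunks;
};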
52 
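// One slot in a credential's pool of dynamic authentication keys. A slot holds
// the currently certified key (certificate + HAL key blob + static
// authentication data) and, optionally, a replacement key that has been
// generated but not yet certified (the pending* fields). The key material
// itself is an opaque blob owned by the HAL; this struct only stores it.
struct AuthKeyData {
    // Same as the implicit constructor; defaulted instead of an empty
    // user-provided body so the compiler generates it.
    AuthKeyData() = default;

    // Certificate for the currently certified key; empty if none yet.
    vector<uint8_t> certificate;
    // Opaque HAL key blob for the certified key. Never interpreted here.
    vector<uint8_t> keyBlob;
    // Static authentication data attached to the certified key via
    // CredentialData::storeStaticAuthenticationData.
    vector<uint8_t> staticAuthenticationData;
    // Replacement key awaiting certification (presumably filled by
    // CredentialData::getAuthKeysNeedingCertification — confirm in the .cpp).
    vector<uint8_t> pendingCertificate;
    vector<uint8_t> pendingKeyBlob;
    // Number of times the certified key has been handed out by
    // CredentialData::selectAuthKey; compared against the per-key limit.
    int useCount = 0;
};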
63 
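// Persistent state for one identity credential: the opaque HAL credential
// blob, its attestation certificate, the access control profiles, the
// encrypted entry chunks and the pool of dynamic authentication keys. The
// object is reference counted (RefBase) so it can be held through sp<>.
//
// The backing file is derived from |dataPath|, |ownerUid| and |name| (see
// calculateCredentialFileName). Nothing in this class verifies that the
// calling process is |ownerUid|; that authorization check has to happen in the
// caller before an instance is created or loaded.
//
// NOTE(review): no method here is documented as thread-safe, and
// selectAuthKey() mutates state — assume callers serialize access.
class CredentialData : public RefBase {
  public:
    // Binds the object to its credential file but does not read it; call
    // loadFromDisk() to populate the serialized fields.
    CredentialData(const string& dataPath, uid_t ownerUid, const string& name);

    // Path of the on-disk file for credential |name| owned by |ownerUid| under
    // |dataPath|. NOTE(review): |name| is caller supplied; the implementation
    // presumably encodes it so it cannot escape |dataPath| — verify in the .cpp.
    static string calculateCredentialFileName(const string& dataPath, uid_t ownerUid,
                                              const string& name);

    // Whether the credential file exists. The optional presumably separates
    // "does not exist" (false) from "could not determine" (nullopt); treat
    // nullopt as an error, not as false.
    static optional<bool> credentialExists(const string& dataPath, uid_t ownerUid,
                                           const string& name);

    // Setters for the serialized fields. None of them persist anything by
    // themselves; saveToDisk() does.

    void setSecureUserId(int64_t secureUserId);

    // Opaque credential blob produced by the identity HAL.
    void setCredentialData(const vector<uint8_t>& credentialData);

    void setAttestationCertificate(const vector<uint8_t>& attestationCertificate);

    void
    addSecureAccessControlProfile(const SecureAccessControlProfile& secureAccessControlProfile);

    // Records the encrypted chunks for entry |entryName| in |namespaceName|.
    void addEntryData(const string& namespaceName, const string& entryName, const EntryData& data);

    // Persistence. All three report failure only through the return value,
    // so callers must check it: a dropped false from saveToDisk() means the
    // in-memory state (including key use-counts) silently never persisted.

    bool saveToDisk() const;

    bool loadFromDisk();

    bool deleteCredential();

    // Sizes the dynamic authentication key pool to |keyCount| slots, each
    // usable up to |maxUsesPerKey| times (enforced via selectAuthKey()).
    void setAvailableAuthenticationKeys(int keyCount, int maxUsesPerKey);

    // Getters

    int64_t getSecureUserId();

    const vector<uint8_t>& getCredentialData() const;

    const vector<uint8_t>& getAttestationCertificate() const;

    const vector<SecureAccessControlProfile>& getSecureAccessControlProfiles() const;

    bool hasEntryData(const string& namespaceName, const string& entryName) const;

    // Returns nullopt when no entry named |entryName| exists in |namespaceName|.
    optional<EntryData> getEntryData(const string& namespaceName, const string& entryName) const;

    const vector<AuthKeyData>& getAuthKeyDatas() const;

    // Returns |nullptr| if a suitable key cannot be found. Otherwise returns
    // the authentication key and increases its use-count. With
    // |allowUsingExhaustedKeys| false, keys whose use-count has reached the
    // per-key limit are presumably not considered suitable. The returned
    // pointer presumably points into |authKeyDatas_| and so is invalidated by
    // the next setAvailableAuthenticationKeys() — do not cache it.
    const AuthKeyData* selectAuthKey(bool allowUsingExhaustedKeys);

    // Asks the HAL behind |halBinder| for keys to fill slots that lack a
    // certified key and returns the data (presumably certificates) that needs
    // to be sent off for certification; nullopt signals failure.
    optional<vector<vector<uint8_t>>>
    getAuthKeysNeedingCertification(const sp<IIdentityCredential>& halBinder);

    // Attaches |staticAuthData| to the key identified by |authenticationKey|.
    // Returns false if no matching key is found (and presumably on other
    // failures — confirm in the .cpp).
    bool storeStaticAuthenticationData(const vector<uint8_t>& authenticationKey,
                                       const vector<uint8_t>& staticAuthData);

  private:
    // Set by constructor.
    //
    string dataPath_;
    uid_t ownerUid_;
    string name_;

    // Calculated at construction time, from |dataPath_|, |ownerUid_|, |name_|.
    string fileName_;

    // Data serialized in CBOR from here:
    //
    // Initialized to 0 so that a saveToDisk() issued before setSecureUserId()
    // or loadFromDisk() writes a defined value rather than whatever the
    // allocation happened to contain; the other serialized scalars below
    // already carried in-class initializers. (If the constructor already sets
    // this in its mem-initializer list, the default is simply ignored.)
    int64_t secureUserId_ = 0;
    vector<uint8_t> credentialData_;
    vector<uint8_t> attestationCertificate_;
    vector<SecureAccessControlProfile> secureAccessControlProfiles_;
    // Keyed by a string presumably derived from namespace + entry name; see
    // addEntryData()/getEntryData() in the .cpp for the exact encoding.
    map<string, EntryData> idToEncryptedChunks_;

    int keyCount_ = 0;
    int maxUsesPerKey_ = 1;
    vector<AuthKeyData> authKeyDatas_;  // Always |keyCount_| long.
};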
141 
142 }  // namespace identity
143 }  // namespace security
144 }  // namespace android
145 
146 #endif  // SYSTEM_SECURITY_CREDENTIAL_DATA_H_
147