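// Copyright 2015 The Android Open Source Project
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//      http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

#ifndef KEYSTORE_KEYSTORE_CLIENT_IMPL_H_
#define KEYSTORE_KEYSTORE_CLIENT_IMPL_H_

#include "keystore_client.h"

#include <cstddef>  // size_t — previously reached only through transitive includes
#include <cstdint>  // int32_t / uint64_t / uint8_t — same
#include <future>
#include <map>
#include <optional>
#include <string>
#include <vector>

#include <android/security/keystore/IKeystoreService.h>
#include <binder/IBinder.h>
#include <binder/IServiceManager.h>
#include <utils/StrongPointer.h>

namespace keystore {

// Binder-backed implementation of the KeystoreClient interface.
//
// The object holds only service proxies (service manager, the keystore
// binder and its IKeystoreService interface) plus a table of in-progress
// operations. Operations are addressed by client-side "virtual" handles
// (the uint64_t keys of |active_operations_|), so the binder token of a
// running operation is never exposed to callers of this class.
class KeystoreClientImpl : public KeystoreClient {
  public:
    KeystoreClientImpl();
    ~KeystoreClientImpl() override = default;

    // Non-copyable: copying would duplicate the live operation table and the
    // binder proxies. Declaring the copy operations deleted also suppresses
    // the implicit move operations (same effect as the former
    // DISALLOW_COPY_AND_ASSIGN macro, without depending on its header).
    KeystoreClientImpl(const KeystoreClientImpl&) = delete;
    KeystoreClientImpl& operator=(const KeystoreClientImpl&) = delete;

    // KeystoreClient methods. The contract of each (return-code meaning,
    // out-parameter population) is documented on the interface in
    // keystore_client.h; the notes here only cover what this implementation
    // adds.

    // Authenticated encryption helpers. Both use two keys derived from
    // |key_name| — an encryption key and an authentication key — created or
    // verified by the private helpers below. Return true on success.
    bool encryptWithAuthentication(const std::string& key_name, const std::string& data,
                                   int32_t flags, std::string* encrypted_data) override;
    bool decryptWithAuthentication(const std::string& key_name, const std::string& encrypted_data,
                                   std::string* data) override;

    // Runs begin/update/finish as a single call. |signature_to_verify| is only
    // meaningful for verification purposes; pass an empty string otherwise.
    bool oneShotOperation(KeyPurpose purpose, const std::string& key_name,
                          const keystore::AuthorizationSet& input_parameters,
                          const std::string& input_data, const std::string& signature_to_verify,
                          keystore::AuthorizationSet* output_parameters,
                          std::string* output_data) override;

    KeyStoreNativeReturnCode addRandomNumberGeneratorEntropy(const std::string& entropy,
                                                             int32_t flags) override;

    // Key lifecycle. The two characteristics out-parameters report which
    // authorizations the service enforces in hardware and which in software;
    // callers that require hardware-backed keys must inspect the former.
    KeyStoreNativeReturnCode
    generateKey(const std::string& key_name, const keystore::AuthorizationSet& key_parameters,
                int32_t flags, keystore::AuthorizationSet* hardware_enforced_characteristics,
                keystore::AuthorizationSet* software_enforced_characteristics) override;
    KeyStoreNativeReturnCode
    getKeyCharacteristics(const std::string& key_name,
                          keystore::AuthorizationSet* hardware_enforced_characteristics,
                          keystore::AuthorizationSet* software_enforced_characteristics) override;
    KeyStoreNativeReturnCode
    importKey(const std::string& key_name, const keystore::AuthorizationSet& key_parameters,
              KeyFormat key_format, const std::string& key_data,
              keystore::AuthorizationSet* hardware_enforced_characteristics,
              keystore::AuthorizationSet* software_enforced_characteristics) override;
    KeyStoreNativeReturnCode exportKey(KeyFormat export_format, const std::string& key_name,
                                       std::string* export_data) override;
    KeyStoreNativeReturnCode deleteKey(const std::string& key_name) override;
    // Destructive: removes every key visible to this client.
    KeyStoreNativeReturnCode deleteAllKeys() override;

    // Multi-step operations. |handle| returned by beginOperation is a virtual
    // handle local to this client (see |active_operations_|); it is only valid
    // for the same KeystoreClientImpl instance and until finish/abort.
    KeyStoreNativeReturnCode beginOperation(KeyPurpose purpose, const std::string& key_name,
                                            const keystore::AuthorizationSet& input_parameters,
                                            keystore::AuthorizationSet* output_parameters,
                                            uint64_t* handle) override;
    // |num_input_bytes_consumed| may be less than input_data.size(); callers
    // must loop and resubmit the remainder.
    KeyStoreNativeReturnCode updateOperation(uint64_t handle,
                                             const keystore::AuthorizationSet& input_parameters,
                                             const std::string& input_data,
                                             size_t* num_input_bytes_consumed,
                                             keystore::AuthorizationSet* output_parameters,
                                             std::string* output_data) override;
    KeyStoreNativeReturnCode finishOperation(uint64_t handle,
                                             const keystore::AuthorizationSet& input_parameters,
                                             const std::string& input_data,
                                             const std::string& signature_to_verify,
                                             keystore::AuthorizationSet* output_parameters,
                                             std::string* output_data) override;
    KeyStoreNativeReturnCode abortOperation(uint64_t handle) override;

    // Enumeration / lookup.
    bool doesKeyExist(const std::string& key_name) override;
    bool listKeys(const std::string& prefix, std::vector<std::string>* key_name_list) override;
    bool listKeysOfUid(const std::string& prefix, int uid,
                       std::vector<std::string>* key_name_list) override;
    // Returns std::nullopt when the key cannot be fetched; the returned bytes
    // are whatever the service hands back for |alias| under |uid|.
    std::optional<std::vector<uint8_t>> getKey(const std::string& alias, int uid) override;

  private:
    // Returns an available virtual operation handle. Handles are issued from
    // |next_virtual_handle_|, which starts at 1, so 0 is never handed out.
    // NOTE(review): whether the counter is checked for wraparound or for
    // collision with a still-active handle is decided in the .cpp — confirm.
    uint64_t getNextVirtualHandle();

    // Creates an encryption key suitable for EncryptWithAuthentication or
    // verifies attributes if the key already exists. Returns true on success.
    bool createOrVerifyEncryptionKey(const std::string& key_name, int32_t flags);

    // Creates an authentication key suitable for EncryptWithAuthentication or
    // verifies attributes if the key already exists. Returns true on success.
    bool createOrVerifyAuthenticationKey(const std::string& key_name, int32_t flags);

    // Verifies attributes of an encryption key suitable for
    // EncryptWithAuthentication. Returns true on success and populates |verified|
    // with the result of the verification. Note the two-level result: a false
    // return means the check could not be performed, while true with
    // |*verified| == false means the existing key has the wrong attributes.
    bool verifyEncryptionKeyAttributes(const std::string& key_name, bool* verified);

    // Verifies attributes of an authentication key suitable for
    // EncryptWithAuthentication. Returns true on success and populates |verified|
    // with the result of the verification (same two-level result as above).
    bool verifyAuthenticationKeyAttributes(const std::string& key_name, bool* verified);

    // Binder proxies, obtained in the constructor.
    android::sp<android::IServiceManager> service_manager_;
    android::sp<android::IBinder> keystore_binder_;
    android::sp<android::security::keystore::IKeystoreService> keystore_;

    // Next value handed out by getNextVirtualHandle().
    uint64_t next_virtual_handle_ = 1;
    // Virtual handle -> binder token of the in-progress keystore operation.
    // Entries presumably live from beginOperation until finish/abort —
    // confirm against the .cpp.
    std::map<uint64_t, android::sp<android::IBinder>> active_operations_;
};

}  // namespace keystore

#endif  // KEYSTORE_KEYSTORE_CLIENT_IMPL_H_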