20 files changed, 169 insertions, 263 deletions
diff --git a/keystore/Android.bp b/keystore/Android.bp index b58671c..ef8bc72 100644 --- a/keystore/Android.bp +++ b/keystore/Android.bp @@ -21,6 +21,7 @@ cc_binary { srcs: [ ":IKeyAttestationApplicationIdProvider.aidl", + "KeyStore.cpp", "auth_token_table.cpp", "blob.cpp", "entropy.cpp", @@ -28,7 +29,6 @@ cc_binary { "key_store_service.cpp", "keyblob_utils.cpp", "keymaster_enforcement.cpp", - "keystore.cpp", "keystore_attestation_id.cpp", "keystore_main.cpp", "keystore_utils.cpp", diff --git a/keystore/keystore.cpp b/keystore/KeyStore.cpp index 331151e..6952b54 100644 --- a/keystore/keystore.cpp +++ b/keystore/KeyStore.cpp @@ -16,7 +16,7 @@ #define LOG_TAG "keystore" -#include "keystore.h" +#include "KeyStore.h" #include <dirent.h> #include <fcntl.h> diff --git a/keystore/keystore.h b/keystore/KeyStore.h index a5ffd2f..4ffeaf2 100644 --- a/keystore/keystore.h +++ b/keystore/KeyStore.h @@ -17,8 +17,6 @@ #ifndef KEYSTORE_KEYSTORE_H_ #define KEYSTORE_KEYSTORE_H_ -#include "user_state.h" - #include <android/hardware/keymaster/3.0/IKeymasterDevice.h> #include <utils/Vector.h> @@ -26,6 +24,7 @@ #include "blob.h" #include "grant_store.h" #include "include/keystore/keymaster_tags.h" +#include "user_state.h" using ::keystore::NullOr; @@ -135,9 +134,7 @@ class KeyStore { ::keystore::GrantStore mGrants; - typedef struct { - uint32_t version; - } keystore_metadata_t; + typedef struct { uint32_t version; } keystore_metadata_t; keystore_metadata_t mMetaData; diff --git a/keystore/include/keystore/ExportResult.h b/keystore/include/keystore/ExportResult.h index c85f5ab..b548942 100644 --- a/keystore/include/keystore/ExportResult.h +++ b/keystore/include/keystore/ExportResult.h 
@@ -15,16 +15,9 @@ #ifndef KEYSTORE_INCLUDE_KEYSTORE_EXPORTRESULT_H_ #define KEYSTORE_INCLUDE_KEYSTORE_EXPORTRESULT_H_ -#include <stdint.h> - -#include <memory> -#include <vector> - #include <binder/Parcelable.h> -#include <hardware/keymaster_defs.h> #include "keystore_return_types.h" -#include "utils.h" namespace android { namespace security { diff --git a/keystore/include/keystore/KeyAttestationApplicationId.h b/keystore/include/keystore/KeyAttestationApplicationId.h index 550a7e1..c612929 100644 --- a/keystore/include/keystore/KeyAttestationApplicationId.h +++ b/keystore/include/keystore/KeyAttestationApplicationId.h @@ -15,11 +15,11 @@ #ifndef KEYSTORE_INCLUDE_KEYSTORE_KEYATTESTATIONAPPLICATIONID_H_ #define KEYSTORE_INCLUDE_KEYSTORE_KEYATTESTATIONAPPLICATIONID_H_ -#include "utils.h" -#include <binder/Parcelable.h> #include <memory> #include <vector> +#include <binder/Parcelable.h> + #include "KeyAttestationPackageInfo.h" namespace android { diff --git a/keystore/include/keystore/KeyAttestationPackageInfo.h b/keystore/include/keystore/KeyAttestationPackageInfo.h index 5ca6c8c..efc33a6 100644 --- a/keystore/include/keystore/KeyAttestationPackageInfo.h +++ b/keystore/include/keystore/KeyAttestationPackageInfo.h @@ -15,13 +15,16 @@ #ifndef KEYSTORE_INCLUDE_KEYSTORE_KEYATTESTATIONPACKAGEINFO_H_ #define KEYSTORE_INCLUDE_KEYSTORE_KEYATTESTATIONPACKAGEINFO_H_ -#include "Signature.h" -#include "utils.h" -#include <binder/Parcelable.h> -#include <memory> #include <stdint.h> + +#include <memory> #include <vector> +#include <binder/Parcelable.h> + +#include "Signature.h" +#include "utils.h" + namespace android { namespace security { namespace keymaster { diff --git a/keystore/include/keystore/KeyCharacteristics.h b/keystore/include/keystore/KeyCharacteristics.h index c1bffb2..ddb1208 100644 --- a/keystore/include/keystore/KeyCharacteristics.h +++ b/keystore/include/keystore/KeyCharacteristics.h 
@@ -16,7 +16,6 @@ #define KEYSTORE_INCLUDE_KEYSTORE_KEYCHARACTERISTICS_H_ #include <binder/Parcelable.h> -#include <hardware/keymaster_defs.h> #include "KeymasterArguments.h" diff --git a/keystore/include/keystore/KeymasterArguments.h b/keystore/include/keystore/KeymasterArguments.h index 0e7e64d..3f35a91 100644 --- a/keystore/include/keystore/KeymasterArguments.h +++ b/keystore/include/keystore/KeymasterArguments.h @@ -15,9 +15,10 @@ #ifndef KEYSTORE_INCLUDE_KEYSTORE_KEYMASTERARGUMENTS_H_ #define KEYSTORE_INCLUDE_KEYSTORE_KEYMASTERARGUMENTS_H_ -#include "authorization_set.h" #include <binder/Parcelable.h> +#include "keymaster_tags.h" + namespace android { namespace security { namespace keymaster { diff --git a/keystore/include/keystore/KeymasterBlob.h b/keystore/include/keystore/KeymasterBlob.h index 47cb7ee..fc849bd 100644 --- a/keystore/include/keystore/KeymasterBlob.h +++ b/keystore/include/keystore/KeymasterBlob.h @@ -15,9 +15,7 @@ #ifndef KEYSTORE_INCLUDE_KEYSTORE_KEYMASTERBLOB_H_ #define KEYSTORE_INCLUDE_KEYSTORE_KEYMASTERBLOB_H_ -#include "authorization_set.h" #include <binder/Parcelable.h> -#include <hardware/keymaster_defs.h> namespace android { namespace security { diff --git a/keystore/include/keystore/KeymasterCertificateChain.h b/keystore/include/keystore/KeymasterCertificateChain.h index 8c0a6fc..132862c 100644 --- a/keystore/include/keystore/KeymasterCertificateChain.h +++ b/keystore/include/keystore/KeymasterCertificateChain.h @@ -15,9 +15,7 @@ #ifndef KEYSTORE_INCLUDE_KEYSTORE_KEYMASTERCERTIFICATECHAIN_H_ #define KEYSTORE_INCLUDE_KEYSTORE_KEYMASTERCERTIFICATECHAIN_H_ -#include "authorization_set.h" #include <binder/Parcelable.h> -#include <hardware/keymaster_defs.h> namespace android { namespace security { diff --git a/keystore/include/keystore/KeystoreArg.h b/keystore/include/keystore/KeystoreArg.h index 31496f0..a5e68f2 100644 --- a/keystore/include/keystore/KeystoreArg.h +++ b/keystore/include/keystore/KeystoreArg.h 
@@ -17,16 +17,8 @@ #ifndef KEYSTORE_INCLUDE_KEYSTORE_KEYSTOREARG_H #define KEYSTORE_INCLUDE_KEYSTORE_KEYSTOREARG_H -#include <vector> - -#include <binder/IInterface.h> -#include <binder/Parcel.h> -#include <keystore/keymaster_tags.h> #include <utils/RefBase.h> -#include "keystore.h" -#include "keystore_return_types.h" - namespace android { namespace security { diff --git a/keystore/include/keystore/KeystoreArguments.h b/keystore/include/keystore/KeystoreArguments.h index a54a6d2..8c2e336 100644 --- a/keystore/include/keystore/KeystoreArguments.h +++ b/keystore/include/keystore/KeystoreArguments.h @@ -15,10 +15,12 @@ #ifndef KEYSTORE_INCLUDE_KEYSTORE_KEYSTOREARGUMENTS_H_ #define KEYSTORE_INCLUDE_KEYSTORE_KEYSTOREARGUMENTS_H_ -#include "KeystoreArg.h" #include <binder/Parcelable.h> #include <utils/RefBase.h> +#include "KeystoreArg.h" +#include "keystore_return_types.h" + namespace android { namespace security { diff --git a/keystore/include/keystore/OperationResult.h b/keystore/include/keystore/OperationResult.h index ada88fe..6dd5aef 100644 --- a/keystore/include/keystore/OperationResult.h +++ b/keystore/include/keystore/OperationResult.h @@ -15,10 +15,11 @@ #ifndef KEYSTORE_INCLUDE_KEYSTORE_OPERATIONRESULT_H_ #define KEYSTORE_INCLUDE_KEYSTORE_OPERATIONRESULT_H_ -#include "KeymasterArguments.h" -#include "keystore_return_types.h" -#include <binder/Parcelable.h> #include <binder/Parcel.h> +#include <binder/Parcelable.h> + +#include "keymaster_tags.h" +#include "keystore_return_types.h" namespace android { namespace security { diff --git a/keystore/include/keystore/Signature.h b/keystore/include/keystore/Signature.h index 59b77bf..3c996bb 100644 --- a/keystore/include/keystore/Signature.h +++ b/keystore/include/keystore/Signature.h 
@@ -15,10 +15,10 @@ #ifndef KEYSTORE_INCLUDE_KEYSTORE_SIGNATURE_H_ #define KEYSTORE_INCLUDE_KEYSTORE_SIGNATURE_H_ -#include <binder/Parcelable.h> -#include <stdint.h> #include <vector> +#include <binder/Parcelable.h> + namespace android { namespace content { namespace pm { diff --git a/keystore/key_store_service.cpp b/keystore/key_store_service.cpp index b309ad6..c95b06a 100644 --- a/keystore/key_store_service.cpp +++ b/keystore/key_store_service.cpp @@ -813,7 +813,7 @@ KeyStoreService::generateKey(const String16& name, const KeymasterArguments& par } if (containsTag(params.getParameters(), Tag::INCLUDE_UNIQUE_ID)) { - //TODO(jbires): remove uid checking upon implementation of b/25646100 + // TODO(jbires): remove uid checking upon implementation of b/25646100 if (!checkBinderPermission(P_GEN_UNIQUE_ID) || originalUid != IPCThreadState::self()->getCallingUid()) { *aidl_return = static_cast<int32_t>(ResponseCode::PERMISSION_DENIED); @@ -1342,7 +1342,7 @@ Status KeyStoreService::begin(const sp<IBinder>& appToken, const String16& name, result->token = operationToken; if (authToken) { - mOperationMap.setOperationAuthToken(operationToken, authToken); + mOperationMap.setOperationAuthToken(operationToken, *authToken); } // Return the authentication lookup result. If this is a per operation // auth'd key then the resultCode will be ::OP_AUTH_NEEDED and the 
@@ -1363,74 +1363,65 @@ Status KeyStoreService::update(const sp<IBinder>& token, const KeymasterArgument result->resultCode = ErrorCode::INVALID_ARGUMENT; return Status::ok(); } - km_device_t dev; - uint64_t handle; - KeyPurpose purpose; - km_id_t keyid; - const KeyCharacteristics* characteristics; - if (!mOperationMap.getOperation(token, &handle, &keyid, &purpose, &dev, &characteristics)) { + + auto getOpResult = mOperationMap.getOperation(token); + if (!getOpResult.isOk()) { result->resultCode = ErrorCode::INVALID_OPERATION_HANDLE; return Status::ok(); } + const auto& op = getOpResult.value(); + AuthorizationSet opParams = params.getParameters(); result->resultCode = addOperationAuthTokenIfNeeded(token, &opParams); - if (!result->resultCode.isOk()) { - return Status::ok(); - } + if (!result->resultCode.isOk()) return Status::ok(); // Check that all key authorization policy requirements are met. - AuthorizationSet key_auths(characteristics->teeEnforced); - key_auths.append(&characteristics->softwareEnforced[0], - &characteristics->softwareEnforced[characteristics->softwareEnforced.size()]); + AuthorizationSet key_auths(op.characteristics.teeEnforced); + key_auths.append(op.characteristics.softwareEnforced.begin(), + op.characteristics.softwareEnforced.end()); + result->resultCode = enforcement_policy.AuthorizeOperation( - purpose, keyid, key_auths, opParams, handle, false /* is_begin_operation */); - if (!result->resultCode.isOk()) { - return Status::ok(); - } + op.purpose, op.keyid, key_auths, opParams, op.handle, false /* is_begin_operation */); + if (!result->resultCode.isOk()) return Status::ok(); auto hidlCb = [&](ErrorCode ret, uint32_t inputConsumed, const hidl_vec<KeyParameter>& outParams, const ::std::vector<uint8_t>& output) { result->resultCode = ret; - if (!result->resultCode.isOk()) { - return; + if (result->resultCode.isOk()) { + result->inputConsumed = inputConsumed; + result->outParams = outParams; + result->data = output; } - result->inputConsumed 
= inputConsumed; - result->outParams = outParams; - result->data = output; }; KeyStoreServiceReturnCode rc = - KS_HANDLE_HIDL_ERROR(dev->update(handle, opParams.hidl_data(), data, hidlCb)); + KS_HANDLE_HIDL_ERROR(op.device->update(op.handle, opParams.hidl_data(), data, hidlCb)); + // just a reminder: on success result->resultCode was set in the callback. So we only overwrite // it if there was a communication error indicated by the ErrorCode. - if (!rc.isOk()) { - result->resultCode = rc; - } + if (!rc.isOk()) result->resultCode = rc; + return Status::ok(); } Status KeyStoreService::finish(const sp<IBinder>& token, const KeymasterArguments& params, const ::std::vector<uint8_t>& signature, const ::std::vector<uint8_t>& entropy, OperationResult* result) { - if (!checkAllowedOperationParams(params.getParameters())) { - result->resultCode = ErrorCode::INVALID_ARGUMENT; + auto getOpResult = mOperationMap.getOperation(token); + if (!getOpResult.isOk()) { + result->resultCode = ErrorCode::INVALID_OPERATION_HANDLE; return Status::ok(); } - km_device_t dev; - uint64_t handle; - KeyPurpose purpose; - km_id_t keyid; - const KeyCharacteristics* characteristics; - if (!mOperationMap.getOperation(token, &handle, &keyid, &purpose, &dev, &characteristics)) { - result->resultCode = ErrorCode::INVALID_OPERATION_HANDLE; + const auto& op = std::move(getOpResult.value()); + if (!checkAllowedOperationParams(params.getParameters())) { + result->resultCode = ErrorCode::INVALID_ARGUMENT; return Status::ok(); } + AuthorizationSet opParams = params.getParameters(); result->resultCode = addOperationAuthTokenIfNeeded(token, &opParams); - if (!result->resultCode.isOk()) { - return Status::ok(); - } + if (!result->resultCode.isOk()) return Status::ok(); if (entropy.size()) { int resultCode; 
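Review bot: `const auto& op = std::move(getOpResult.value());` in finish() moves nothing: getOperation() returns `NullOr<const Operation&>`, so `op` is still a reference that aliases the entry stored in mOperationMap, and the std::move only suggests an ownership transfer that does not happen. Write it as update() does a few lines earlier, `const auto& op = getOpResult.value();`. Note also that finish() now looks the operation up (which runs updateLru) before checkAllowedOperationParams() rejects bad parameters, the reverse of the old order; if that is deliberate it looks harmless, but it is a behaviour change the commit does not mention. update() starts before this hunk and finish() continues past it.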
@@ -1442,29 +1433,29 @@ Status KeyStoreService::finish(const sp<IBinder>& token, const KeymasterArgument } // Check that all key authorization policy requirements are met. - AuthorizationSet key_auths(characteristics->teeEnforced); - key_auths.append(&characteristics->softwareEnforced[0], - &characteristics->softwareEnforced[characteristics->softwareEnforced.size()]); + AuthorizationSet key_auths(op.characteristics.teeEnforced); + key_auths.append(op.characteristics.softwareEnforced.begin(), + op.characteristics.softwareEnforced.end()); + result->resultCode = enforcement_policy.AuthorizeOperation( - purpose, keyid, key_auths, opParams, handle, false /* is_begin_operation */); + op.purpose, op.keyid, key_auths, opParams, op.handle, false /* is_begin_operation */); if (!result->resultCode.isOk()) return Status::ok(); auto hidlCb = [&](ErrorCode ret, const hidl_vec<KeyParameter>& outParams, const ::std::vector<uint8_t>& output) { result->resultCode = ret; - if (!result->resultCode.isOk()) { + if (result->resultCode.isOk()) { + result->outParams = outParams; + result->data = output; } - result->outParams = outParams; - result->data = output; }; KeyStoreServiceReturnCode rc = KS_HANDLE_HIDL_ERROR( - dev->finish(handle, opParams.hidl_data(), - ::std::vector<uint8_t>() /* TODO(swillden): wire up input to finish() */, - signature, hidlCb)); - // Remove the operation regardless of the result + op.device->finish(op.handle, opParams.hidl_data(), + ::std::vector<uint8_t>() /* TODO(swillden): wire up input to finish() */, + signature, hidlCb)); mOperationMap.removeOperation(token); - mAuthTokenTable.MarkCompleted(handle); + mAuthTokenTable.MarkCompleted(op.handle); // just a reminder: on success result->resultCode was set in the callback. So we only overwrite // it if there was a communication error indicated by the ErrorCode. 
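Review bot: `mAuthTokenTable.MarkCompleted(op.handle);` reads through a dangling reference: `op`, bound earlier in finish() to `getOpResult.value()`, aliases the Operation stored inside mOperationMap, and `mOperationMap.removeOperation(token)` on the preceding line erases and destroys that entry. Save the handle while the entry is still alive, `const uint64_t handle = op.handle;` ahead of the `op.device->finish(...)` call, and then `mAuthTokenTable.MarkCompleted(handle);` — or take the Operation by value from removeOperation() as the new abort() does. The dropped comment `// Remove the operation regardless of the result` still describes what happens here and is worth keeping. finish() begins before this hunk and returns after it.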
@@ -1475,35 +1466,20 @@ Status KeyStoreService::finish(const sp<IBinder>& token, const KeymasterArgument
 }
 
 Status KeyStoreService::abort(const sp<IBinder>& token, int32_t* aidl_return) {
- km_device_t dev;
- uint64_t handle;
- KeyPurpose purpose;
- km_id_t keyid;
- if (!mOperationMap.getOperation(token, &handle, &keyid, &purpose, &dev, NULL)) {
- *aidl_return =
- static_cast<int32_t>(KeyStoreServiceReturnCode(ErrorCode::INVALID_OPERATION_HANDLE));
+ auto getOpResult = mOperationMap.removeOperation(token);
+ if (!getOpResult.isOk()) {
+ *aidl_return = static_cast<int32_t>(ErrorCode::INVALID_OPERATION_HANDLE);
 return Status::ok();
 }
- mOperationMap.removeOperation(token);
+ auto op = std::move(getOpResult.value());
+ mAuthTokenTable.MarkCompleted(op.handle);
 
- ErrorCode error_code = KS_HANDLE_HIDL_ERROR(dev->abort(handle));
- mAuthTokenTable.MarkCompleted(handle);
+ ErrorCode error_code = KS_HANDLE_HIDL_ERROR(op.device->abort(op.handle));
 *aidl_return = static_cast<int32_t>(KeyStoreServiceReturnCode(error_code));
 return Status::ok();
 }
 
 Status KeyStoreService::isOperationAuthorized(const sp<IBinder>& token, bool* aidl_return) {
- km_device_t dev;
- uint64_t handle;
- const KeyCharacteristics* characteristics;
- KeyPurpose purpose;
- km_id_t keyid;
- if (!mOperationMap.getOperation(token, &handle, &keyid, &purpose, &dev, &characteristics)) {
- *aidl_return = false;
- return Status::ok();
- }
- const HardwareAuthToken* authToken = NULL;
- mOperationMap.getOperationAuthToken(token, &authToken);
 AuthorizationSet ignored;
 auto authResult = addOperationAuthTokenIfNeeded(token, &ignored);
 *aidl_return = authResult.isOk();
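Review bot: On the not-found path abort() now writes `static_cast<int32_t>(ErrorCode::INVALID_OPERATION_HANDLE)` directly, while the success path a few lines below and the removed code both go through `KeyStoreServiceReturnCode(...)` first. If the int32 conversion of KeyStoreServiceReturnCode is not the identity for ErrorCode values (its definition is not visible here), the caller receives a differently encoded error; keeping `*aidl_return = static_cast<int32_t>(KeyStoreServiceReturnCode(ErrorCode::INVALID_OPERATION_HANDLE));` removes the doubt and matches the rest of the file. MarkCompleted() is also now called before `op.device->abort()` rather than after, which looks harmless but is a reordering the commit does not mention.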
@@ -1940,26 +1916,18 @@ KeyStoreServiceReturnCode KeyStoreService::getAuthToken(const KeyCharacteristics */ KeyStoreServiceReturnCode KeyStoreService::addOperationAuthTokenIfNeeded(const sp<IBinder>& token, AuthorizationSet* params) { - const HardwareAuthToken* authToken = nullptr; - mOperationMap.getOperationAuthToken(token, &authToken); - if (!authToken) { - km_device_t dev; - uint64_t handle; - const KeyCharacteristics* characteristics = nullptr; - KeyPurpose purpose; - km_id_t keyid; - if (!mOperationMap.getOperation(token, &handle, &keyid, &purpose, &dev, &characteristics)) { - return ErrorCode::INVALID_OPERATION_HANDLE; - } - auto result = getAuthToken(*characteristics, handle, purpose, &authToken); - if (!result.isOk()) { - return result; - } - if (authToken) { - mOperationMap.setOperationAuthToken(token, authToken); - } - } - addAuthTokenToParams(params, authToken); + auto getOpResult = mOperationMap.getOperation(token); + if (!getOpResult.isOk()) return ErrorCode::INVALID_OPERATION_HANDLE; + const auto& op = getOpResult.value(); + + if (!op.authToken) { + const HardwareAuthToken* found = nullptr; + auto result = getAuthToken(op.characteristics, op.handle, op.purpose, &found); + if (!result.isOk()) return result; + if (found) mOperationMap.setOperationAuthToken(token, *found); + assert(*op.authToken == *found); + } + addAuthTokenToParams(params, op.authToken.get()); return ResponseCode::NO_ERROR; } diff --git a/keystore/key_store_service.h b/keystore/key_store_service.h index 81a0df1..0a1b8f1 100644 --- a/keystore/key_store_service.h +++ b/keystore/key_store_service.h @@ -21,7 +21,7 @@ #include "auth_token_table.h" -#include "keystore.h" +#include "KeyStore.h" #include "keystore_keymaster_enforcement.h" #include "operation.h" #include "permissions.h" diff --git a/keystore/keystore_attestation_id.cpp b/keystore/keystore_attestation_id.cpp index 97d81c5..7f9c38d 100644 --- a/keystore/keystore_attestation_id.cpp +++ b/keystore/keystore_attestation_id.cpp 
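Review bot: `assert(*op.authToken == *found);` dereferences two null pointers whenever getAuthToken() finds no token: `found` stays nullptr, setOperationAuthToken() is skipped, and `op.authToken` is still empty, so a build with asserts enabled crashes on a path the old code handled silently. Guard it: `assert(!found || (op.authToken && *op.authToken == *found));`. The check also depends on `op` being a reference into the OperationMap so that the token just stored is visible through it; a one-line comment such as `// op aliases the map entry, so the token stored above is visible here` makes that less surprising. As before, addAuthTokenToParams() is then passed nullptr when no token exists.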
@@ -45,7 +45,9 @@ namespace android { namespace { -static std::vector<uint8_t> signature2SHA256(const content::pm::Signature& sig) { +constexpr const char* kAttestationSystemPackageName = "AndroidSystem"; + +std::vector<uint8_t> signature2SHA256(const content::pm::Signature& sig) { std::vector<uint8_t> digest_buffer(SHA256_DIGEST_LENGTH); SHA256(sig.data().data(), sig.data().size(), digest_buffer.data()); return digest_buffer; @@ -97,7 +99,8 @@ ASN1_SEQUENCE(KM_ATTESTATION_APPLICATION_ID) = { ASN1_SET_OF(KM_ATTESTATION_APPLICATION_ID, signature_digests, ASN1_OCTET_STRING), } ASN1_SEQUENCE_END(KM_ATTESTATION_APPLICATION_ID); IMPLEMENT_ASN1_FUNCTIONS(KM_ATTESTATION_APPLICATION_ID); -} + +} // namespace } // namespace android 
@@ -228,22 +231,18 @@ void unused_functions_silencer() { } // namespace StatusOr<std::vector<uint8_t>> gather_attestation_application_id(uid_t uid) { - auto& pm = KeyAttestationApplicationIdProvider::get(); + KeyAttestationApplicationId key_attestation_id; - /* Get the attestation application ID from package manager */ - KeyAttestationApplicationId* key_attestation_id = nullptr; if (uid == AID_SYSTEM) { - KeyAttestationPackageInfo::SharedSignaturesVector signatures( - new KeyAttestationPackageInfo::SignaturesVector()); - signatures->push_back(std::unique_ptr<content::pm::Signature>( - new content::pm::Signature())); - - std::unique_ptr<KeyAttestationPackageInfo> package_info( - new KeyAttestationPackageInfo( - String16("AndroidSystem"), 1, signatures)); - key_attestation_id = new KeyAttestationApplicationId(std::move(package_info)); + /* Use a fixed ID for system callers */ + auto pinfo = std::make_unique<KeyAttestationPackageInfo>( + String16(kAttestationSystemPackageName), 1 /* version code */, + std::make_shared<KeyAttestationPackageInfo::SignaturesVector>()); + key_attestation_id = KeyAttestationApplicationId(std::move(pinfo)); } else { - auto status = pm.getKeyAttestationApplicationId(uid, key_attestation_id); + /* Get the attestation application ID from package manager */ + auto& pm = KeyAttestationApplicationIdProvider::get(); + auto status = pm.getKeyAttestationApplicationId(uid, &key_attestation_id); if (!status.isOk()) { ALOGE("package manager request for key attestation ID failed with: %s %d", status.exceptionMessage().string(), status.exceptionCode()); @@ -252,7 +251,7 @@ StatusOr<std::vector<uint8_t>> gather_attestation_application_id(uid_t uid) { } /* DER encode the attestation application ID */ - return build_attestation_application_id(*key_attestation_id); + return build_attestation_application_id(key_attestation_id); } } // namespace security diff --git a/keystore/keystore_main.cpp b/keystore/keystore_main.cpp index e42d5a4..e048f88 100644 
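Review bot: For AID_SYSTEM the attestation application ID is now built with an empty `SignaturesVector`, whereas the removed code pushed one default-constructed Signature, so the DER-encoded `signature_digests` SET for system callers presumably changes from a single digest of empty data to an empty set. If that is intended (it reads like the removal of a placeholder), say so where the fixed ID is built, e.g. `/* Use a fixed ID for system callers; it carries no package signatures, so signature_digests is encoded empty */`, since consumers of attestation records may compare this field. Replacing the leaked raw `new KeyAttestationApplicationId` with a value plus `std::make_unique` is a clear improvement. gather_attestation_application_id() continues into the second hunk of this file.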
--- a/keystore/keystore_main.cpp +++ b/keystore/keystore_main.cpp @@ -26,14 +26,14 @@ #include <cutils/log.h> +#include "KeyStore.h" #include "entropy.h" +#include "include/keystore/keystore_hidl_support.h" +#include "include/keystore/keystore_return_types.h" #include "key_store_service.h" -#include "keystore.h" +#include "legacy_keymaster_device_wrapper.h" #include "permissions.h" #include <android/security/IKeystoreService.h> -#include "legacy_keymaster_device_wrapper.h" -#include "include/keystore/keystore_hidl_support.h" -#include "include/keystore/keystore_return_types.h" /* KeyStore is a secured storage for key-value pairs. In this implementation, * each file stores one key-value pair. Keys are encoded in file names, and @@ -41,9 +41,9 @@ * user-defined password. To keep things simple, buffers are always larger than * the maximum space we needed, so boundary checks on buffers are omitted. */ +using ::android::hardware::configureRpcThreadpool; using ::android::system::wifi::keystore::V1_0::IKeystore; using ::android::system::wifi::keystore::V1_0::implementation::Keystore; -using ::android::hardware::configureRpcThreadpool; /** * TODO implement keystore daemon using binderized keymaster HAL. 
@@ -81,14 +81,14 @@ int main(int argc, char* argv[]) { bool allowNewFallbackDevice = false; keystore::KeyStoreServiceReturnCode rc; - rc = KS_HANDLE_HIDL_ERROR(dev->getHardwareFeatures( - [&] (bool, bool, bool, bool supportsAttestation, bool, const hidl_string&, - const hidl_string&) { - // Attestation support indicates the hardware is keymaster 2.0 or higher. - // For these devices we will not allow the fallback device for import or generation - // of keys. The fallback device is only used for legacy keys present on the device. - allowNewFallbackDevice = !supportsAttestation; - })); + rc = KS_HANDLE_HIDL_ERROR( + dev->getHardwareFeatures([&](bool, bool, bool, bool supportsAttestation, bool, + const hidl_string&, const hidl_string&) { + // Attestation support indicates the hardware is keymaster 2.0 or higher. + // For these devices we will not allow the fallback device for import or generation + // of keys. The fallback device is only used for legacy keys present on the device. + allowNewFallbackDevice = !supportsAttestation; + })); if (!rc.isOk()) { return -1; diff --git a/keystore/operation.cpp b/keystore/operation.cpp index 8c39716..66fcee2 100644 --- a/keystore/operation.cpp +++ b/keystore/operation.cpp @@ -20,7 +20,6 @@ #include <algorithm> namespace keystore { -using namespace android; OperationMap::OperationMap(IBinder::DeathRecipient* deathRecipient) : mDeathRecipient(deathRecipient) {} 
@@ -29,38 +28,22 @@ sp<IBinder> OperationMap::addOperation(uint64_t handle, uint64_t keyid, KeyPurpo const OperationMap::km_device_t& dev, const sp<IBinder>& appToken, KeyCharacteristics&& characteristics, bool pruneable) { - sp<IBinder> token = new BBinder(); - mMap[token] = Operation(handle, keyid, purpose, dev, std::move(characteristics), appToken); - if (pruneable) { - mLru.push_back(token); - } - if (mAppTokenMap.find(appToken) == mAppTokenMap.end()) { - appToken->linkToDeath(mDeathRecipient); - } + sp<IBinder> token = new ::android::BBinder(); + mMap.emplace(token, + Operation(handle, keyid, purpose, dev, std::move(characteristics), appToken)); + if (pruneable) mLru.push_back(token); + if (mAppTokenMap.find(appToken) == mAppTokenMap.end()) appToken->linkToDeath(mDeathRecipient); mAppTokenMap[appToken].push_back(token); + return token; } -bool OperationMap::getOperation(const sp<IBinder>& token, uint64_t* outHandle, uint64_t* outKeyid, - KeyPurpose* outPurpose, km_device_t* outDevice, - const KeyCharacteristics** outCharacteristics) { - if (!outHandle || !outDevice) { - return false; - } +NullOr<const OperationMap::Operation&> OperationMap::getOperation(const sp<IBinder>& token) { auto entry = mMap.find(token); - if (entry == mMap.end()) { - return false; - } - updateLru(token); + if (entry == mMap.end()) return {}; - *outHandle = entry->second.handle; - *outKeyid = entry->second.keyid; - *outPurpose = entry->second.purpose; - *outDevice = entry->second.device; - if (outCharacteristics) { - *outCharacteristics = &entry->second.characteristics; - } - return true; + updateLru(token); + return entry->second; } void OperationMap::updateLru(const sp<IBinder>& token) { 
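Review bot: getOperation() now returns `NullOr<const Operation&>` referring to `entry->second` inside mMap, but nothing documents that the reference is only valid until removeOperation(token) erases that node, and callers in key_store_service.cpp keep `op` across calls that mutate the map. Add above the definition: `// The returned reference aliases the map entry and is invalidated by removeOperation(token).` Separately, `mMap.emplace(token, ...)` in addOperation, unlike the old `mMap[token] = ...`, leaves an existing entry untouched if the key were ever already present; with a fresh BBinder per call that cannot happen, but a short comment stating the reliance would help the next reader. addOperation's signature begins before this hunk.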
@@ -71,19 +54,18 @@ void OperationMap::updateLru(const sp<IBinder>& token) {
 }
 }
 
-bool OperationMap::removeOperation(const sp<IBinder>& token) {
+NullOr<OperationMap::Operation> OperationMap::removeOperation(const sp<IBinder>& token) {
 auto entry = mMap.find(token);
- if (entry == mMap.end()) {
- return false;
- }
- sp<IBinder> appToken = entry->second.appToken;
+ if (entry == mMap.end()) return {};
+
+ Operation op = std::move(entry->second);
 mMap.erase(entry);
+
 auto lruEntry = std::find(mLru.begin(), mLru.end(), token);
- if (lruEntry != mLru.end()) {
- mLru.erase(lruEntry);
- }
- removeOperationTracking(token, appToken);
- return true;
+ if (lruEntry != mLru.end()) mLru.erase(lruEntry);
+ removeOperationTracking(token, op.appToken);
+
+ return op;
 }
 
 void OperationMap::removeOperationTracking(const sp<IBinder>& token, const sp<IBinder>& appToken) {
@@ -102,7 +84,7 @@ void OperationMap::removeOperationTracking(const sp<IBinder>& token, const sp<IB
 }
 
 bool OperationMap::hasPruneableOperation() const {
- return mLru.size() != 0;
+ return !mLru.empty();
 }
 
 size_t OperationMap::getPruneableOperationCount() const {
@@ -110,40 +92,22 @@ size_t OperationMap::getPruneableOperationCount() const { } sp<IBinder> OperationMap::getOldestPruneableOperation() { - if (!hasPruneableOperation()) { - return sp<IBinder>(NULL); - } - return mLru[0]; + if (!hasPruneableOperation()) return sp<IBinder>(nullptr); + return mLru.front(); } -bool OperationMap::getOperationAuthToken(const sp<IBinder>& token, - const HardwareAuthToken** outToken) { +bool OperationMap::setOperationAuthToken(const sp<IBinder>& token, HardwareAuthToken authToken) { auto entry = mMap.find(token); - if (entry == mMap.end()) { - return false; - } - *outToken = entry->second.authToken.get(); - return true; -} + if (entry == mMap.end()) return false; -bool OperationMap::setOperationAuthToken(const sp<IBinder>& token, - const HardwareAuthToken* authToken) { - auto entry = mMap.find(token); - if (entry == mMap.end()) { - return false; - } - entry->second.authToken.reset(new HardwareAuthToken); - *entry->second.authToken = *authToken; + entry->second.authToken = std::make_unique<HardwareAuthToken>(std::move(authToken)); return true; } std::vector<sp<IBinder>> OperationMap::getOperationsForToken(const sp<IBinder>& appToken) { auto appEntry = mAppTokenMap.find(appToken); - if (appEntry != mAppTokenMap.end()) { - return appEntry->second; - } else { - return std::vector<sp<IBinder>>(); - } + if (appEntry == mAppTokenMap.end()) return {}; + return appEntry->second; } OperationMap::Operation::Operation(uint64_t handle_, uint64_t keyid_, KeyPurpose purpose_, @@ -152,7 +116,4 @@ OperationMap::Operation::Operation(uint64_t handle_, uint64_t keyid_, KeyPurpose : handle(handle_), keyid(keyid_), purpose(purpose_), device(device_), characteristics(characteristics_), appToken(appToken_) {} -OperationMap::Operation::Operation() - : handle(0), keyid(0), device(nullptr), characteristics(), appToken(nullptr) {} - -} // namespace android +} // namespace keystore 
diff --git a/keystore/operation.h b/keystore/operation.h index e69b43a..ac8e945 100644 --- a/keystore/operation.h +++ b/keystore/operation.h 
@@ -38,51 +38,45 @@ using ::android::sp; */ class OperationMap { - typedef ::android::sp<::android::hardware::keymaster::V3_0::IKeymasterDevice> km_device_t; + typedef sp<::android::hardware::keymaster::V3_0::IKeymasterDevice> km_device_t; public: - explicit OperationMap(IBinder::DeathRecipient* deathRecipient); - android::sp<android::IBinder> addOperation(uint64_t handle, uint64_t keyid, KeyPurpose purpose, - const km_device_t& dev, - const android::sp<android::IBinder>& appToken, - KeyCharacteristics&& characteristics, - bool pruneable); - bool getOperation(const android::sp<android::IBinder>& token, uint64_t* outHandle, - uint64_t* outKeyid, KeyPurpose* outPurpose, km_device_t* outDev, - const KeyCharacteristics** outCharacteristics); - bool removeOperation(const android::sp<android::IBinder>& token); - bool hasPruneableOperation() const; - size_t getOperationCount() const { return mMap.size(); } - size_t getPruneableOperationCount() const; - bool getOperationAuthToken(const android::sp<android::IBinder>& token, - const HardwareAuthToken** outToken); - bool setOperationAuthToken(const android::sp<android::IBinder>& token, - const HardwareAuthToken* authToken); - android::sp<android::IBinder> getOldestPruneableOperation(); - std::vector<android::sp<android::IBinder>> - getOperationsForToken(const android::sp<android::IBinder>& appToken); - - private: - void updateLru(const android::sp<android::IBinder>& token); - void removeOperationTracking(const android::sp<android::IBinder>& token, - const android::sp<android::IBinder>& appToken); struct Operation { - Operation(); + Operation() = default; Operation(uint64_t handle, uint64_t keyid, KeyPurpose purpose, const km_device_t& device, - KeyCharacteristics&& characteristics, android::sp<android::IBinder> appToken); + KeyCharacteristics&& characteristics, sp<IBinder> appToken); + Operation(Operation&&) = default; + Operation(const Operation&) = delete; + uint64_t handle; uint64_t keyid; KeyPurpose purpose; km_device_t 
device; KeyCharacteristics characteristics; - android::sp<android::IBinder> appToken; + sp<IBinder> appToken; std::unique_ptr<HardwareAuthToken> authToken; }; - std::map<android::sp<android::IBinder>, Operation> mMap; - std::vector<android::sp<android::IBinder>> mLru; - std::map<android::sp<android::IBinder>, std::vector<android::sp<android::IBinder>>> - mAppTokenMap; - android::IBinder::DeathRecipient* mDeathRecipient; + + explicit OperationMap(IBinder::DeathRecipient* deathRecipient); + sp<IBinder> addOperation(uint64_t handle, uint64_t keyid, KeyPurpose purpose, + const km_device_t& dev, const sp<IBinder>& appToken, + KeyCharacteristics&& characteristics, bool pruneable); + NullOr<const Operation&> getOperation(const sp<IBinder>& token); + NullOr<Operation> removeOperation(const sp<IBinder>& token); + bool hasPruneableOperation() const; + size_t getOperationCount() const { return mMap.size(); } + size_t getPruneableOperationCount() const; + bool setOperationAuthToken(const sp<IBinder>& token, HardwareAuthToken authToken); + sp<IBinder> getOldestPruneableOperation(); + std::vector<sp<IBinder>> getOperationsForToken(const sp<IBinder>& appToken); + + private: + void updateLru(const sp<IBinder>& token); + void removeOperationTracking(const sp<IBinder>& token, const sp<IBinder>& appToken); + std::map<sp<IBinder>, Operation> mMap; + std::vector<sp<IBinder>> mLru; + std::map<sp<IBinder>, std::vector<sp<IBinder>>> mAppTokenMap; + IBinder::DeathRecipient* mDeathRecipient; }; } // namespace keystore |
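Review bot: `Operation() = default;` leaves `handle`, `keyid` and `purpose` indeterminate, because the hand-written default constructor that zeroed `handle` and `keyid` is deleted from operation.cpp in this same commit; anything that default-constructs an Operation (for instance an empty `NullOr<Operation>`, if that is how NullOr is implemented) then reads garbage. Give the members default initializers, `uint64_t handle = 0; uint64_t keyid = 0;`, and consider `KeyPurpose purpose{};`. Since a move constructor is declared, no move assignment operator is generated and copy assignment is gone with the deleted copy constructor; adding `Operation& operator=(Operation&&) = default;` keeps the type movable in both directions and states the intent. This hunk begins on the previous line of the page.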
