1 /*
2  * Copyright (c) 2019, The Android Open Source Project
3  *
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at
7  *
8  *     http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */
16 
17 #ifndef SYSTEM_SECURITY_CREDENTIAL_DATA_H_
18 #define SYSTEM_SECURITY_CREDENTIAL_DATA_H_
19 
20 #include <sys/types.h>
21 #include <unistd.h>
22 
23 #include <map>
24 #include <string>
25 #include <utility>
26 #include <vector>
27 
28 #include <android/hardware/identity/IIdentityCredential.h>
29 #include <android/hardware/identity/SecureAccessControlProfile.h>
30 
31 namespace android {
32 namespace security {
33 namespace identity {
34 
35 using ::android::hardware::identity::Certificate;
36 using ::android::hardware::identity::IIdentityCredential;
37 using ::android::hardware::identity::SecureAccessControlProfile;
38 using ::std::map;
39 using ::std::optional;
40 using ::std::string;
41 using ::std::tuple;
42 using ::std::vector;
43 
44 struct EntryData {
EntryDataEntryData45     EntryData() {}
46 
47     uint64_t size = 0;
48     vector<int32_t> accessControlProfileIds;
49     vector<vector<uint8_t>> encryptedChunks;
50 };
51 
52 struct AuthKeyData {
AuthKeyDataAuthKeyData53     AuthKeyData() {}
54 
55     vector<uint8_t> certificate;
56     vector<uint8_t> keyBlob;
57     int64_t expirationDateMillisSinceEpoch = 0;
58     vector<uint8_t> staticAuthenticationData;
59     vector<uint8_t> pendingCertificate;
60     vector<uint8_t> pendingKeyBlob;
61     int useCount = 0;
62 };
63 
64 class CredentialData : public RefBase {
65   public:
66     CredentialData(const string& dataPath, uid_t ownerUid, const string& name);
67 
68     static string calculateCredentialFileName(const string& dataPath, uid_t ownerUid,
69                                               const string& name);
70 
71     static optional<bool> credentialExists(const string& dataPath, uid_t ownerUid,
72                                            const string& name);
73 
74     void setSecureUserId(int64_t secureUserId);
75 
76     void setCredentialData(const vector<uint8_t>& credentialData);
77 
78     void setAttestationCertificate(const vector<uint8_t>& attestationCertificate);
79 
80     void
81     addSecureAccessControlProfile(const SecureAccessControlProfile& secureAccessControlProfile);
82 
83     void addEntryData(const string& namespaceName, const string& entryName, const EntryData& data);
84 
85     bool saveToDisk() const;
86 
87     bool loadFromDisk();
88 
89     bool deleteCredential();
90 
91     void setAvailableAuthenticationKeys(int keyCount, int maxUsesPerKey,
92                                         int64_t minValidTimeMillis);
93 
94     // Getters
95 
96     int64_t getSecureUserId();
97 
98     const vector<uint8_t>& getCredentialData() const;
99 
100     const vector<uint8_t>& getAttestationCertificate() const;
101 
102     const vector<SecureAccessControlProfile>& getSecureAccessControlProfiles() const;
103 
104     bool hasEntryData(const string& namespaceName, const string& entryName) const;
105 
106     optional<EntryData> getEntryData(const string& namespaceName, const string& entryName) const;
107 
108     const vector<AuthKeyData>& getAuthKeyDatas() const;
109 
110     tuple<int /* keyCount */, int /*maxUsersPerKey */, int64_t /* minValidTimeMillis */>
111     getAvailableAuthenticationKeys() const;
112 
113     // Returns |nullptr| if a suitable key cannot be found. Otherwise returns
114     // the authentication and increases its use-count.
115     const AuthKeyData* selectAuthKey(bool allowUsingExhaustedKeys, bool allowUsingExpiredKeys,
116                                      bool incrementUsageCount);
117 
118     optional<vector<vector<uint8_t>>>
119     getAuthKeysNeedingCertification(const sp<IIdentityCredential>& halBinder);
120 
121     bool storeStaticAuthenticationData(const vector<uint8_t>& authenticationKey,
122                                        int64_t expirationDateMillisSinceEpoch,
123                                        const vector<uint8_t>& staticAuthData);
124 
125   private:
126     AuthKeyData* findAuthKey_(bool allowUsingExhaustedKeys, bool allowUsingExpiredKeys);
127 
128     // Set by constructor.
129     //
130     string dataPath_;
131     uid_t ownerUid_;
132     string name_;
133 
134     // Calculated at construction time, from |dataPath_|, |ownerUid_|, |name_|.
135     string fileName_;
136 
137     // Data serialized in CBOR from here:
138     //
139     int64_t secureUserId_;
140     vector<uint8_t> credentialData_;
141     vector<uint8_t> attestationCertificate_;
142     vector<SecureAccessControlProfile> secureAccessControlProfiles_;
143     map<string, EntryData> idToEncryptedChunks_;
144 
145     int keyCount_ = 0;
146     int maxUsesPerKey_ = 1;
147     int64_t minValidTimeMillis_ = 0;
148     vector<AuthKeyData> authKeyDatas_;  // Always |keyCount_| long.
149 };
150 
151 }  // namespace identity
152 }  // namespace security
153 }  // namespace android
154 
155 #endif  // SYSTEM_SECURITY_CREDENTIAL_DATA_H_
156