1 /*
2  * Copyright (c) 2019, The Android Open Source Project
3  *
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at
7  *
8  *     http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */
16 
17 #ifndef SYSTEM_SECURITY_CREDENTIAL_DATA_H_
18 #define SYSTEM_SECURITY_CREDENTIAL_DATA_H_
19 
#include <sys/types.h>
#include <unistd.h>

#include <cstdint>
#include <map>
#include <optional>
#include <string>
#include <tuple>
#include <utility>
#include <vector>

#include <android/hardware/identity/IIdentityCredential.h>
#include <android/hardware/identity/SecureAccessControlProfile.h>
30 
31 namespace android {
32 namespace security {
33 namespace identity {
34 
35 using ::android::hardware::identity::Certificate;
36 using ::android::hardware::identity::IIdentityCredential;
37 using ::android::hardware::identity::SecureAccessControlProfile;
38 using ::std::map;
39 using ::std::optional;
40 using ::std::pair;
41 using ::std::string;
42 using ::std::tuple;
43 using ::std::vector;
44 
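// One data element ("entry") of a credential in the form it is kept on disk.
//
// As the field names indicate, the entry value is not held in the clear here:
// only its size and the encrypted chunks it was split into are stored, plus the
// ids of the access control profiles that gate access to it (see
// CredentialData::addEntryData()). Who encrypts/chunks the value is not visible
// from this header — presumably the identity HAL; confirm in the .cpp.
struct EntryData {
    // Defaulted rather than user-provided: same observable behaviour, but keeps
    // the type an aggregate in C++17 and satisfies modernize-use-equals-default.
    EntryData() = default;

    // Size of the entry value (unit not visible here — presumably bytes of the
    // unencrypted value; confirm).
    uint64_t size = 0;
    // Ids of the SecureAccessControlProfiles that must be satisfied to read
    // this entry (inferred from the name; confirm how they are matched).
    std::vector<int32_t> accessControlProfileIds;
    // The encrypted value, split into chunks.
    std::vector<std::vector<uint8_t>> encryptedChunks;
};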
52 
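// Per-slot state of one authentication key of a credential (there are
// CredentialData::keyCount_ such slots; see setAvailableAuthenticationKeys()).
//
// A slot carries the key currently in use (|certificate| / |keyBlob|) and,
// judging by the names, a replacement that has been generated but not yet
// certified (|pendingCertificate| / |pendingKeyBlob|) — confirm against
// CredentialData::getAuthKeysNeedingCertification() in the .cpp.
struct AuthKeyData {
    // Defaulted rather than user-provided: same observable behaviour, but keeps
    // the type an aggregate in C++17 and satisfies modernize-use-equals-default.
    AuthKeyData() = default;

    // Certificate for the key currently in use.
    std::vector<uint8_t> certificate;
    // Opaque key blob for the key currently in use; its format is defined by the
    // identity HAL and is not interpreted here (inferred — confirm).
    std::vector<uint8_t> keyBlob;
    // Expiry of the key, in milliseconds since the Unix epoch per its name;
    // 0 until set (see CredentialData::storeStaticAuthenticationData()).
    int64_t expirationDateMillisSinceEpoch = 0;
    // Static authentication data attached to this key via
    // CredentialData::storeStaticAuthenticationData().
    std::vector<uint8_t> staticAuthenticationData;
    // Replacement key awaiting certification (see struct comment).
    std::vector<uint8_t> pendingCertificate;
    std::vector<uint8_t> pendingKeyBlob;
    // Number of times CredentialData::selectAuthKey() has handed out this key
    // (it increases the use-count); presumably compared against
    // CredentialData::maxUsesPerKey_ to decide whether the key is exhausted.
    int useCount = 0;
};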
64 
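// In-memory representation of one identity credential, identified by the owning
// app's uid and the app-chosen credential name, with persistence to a file
// below |dataPath| (saveToDisk() / loadFromDisk(); the on-disk format is CBOR,
// see the member comments).
//
// The credential blob, key blobs and certificates stored here are produced by
// the identity HAL; judging by the interface this class only stores and
// serializes them and never interprets or decrypts them — confirm in the .cpp.
//
// RefBase / sp<> are not included directly; they are expected to arrive through
// the HAL headers included above (libutils <utils/RefBase.h>) — confirm.
//
// Nothing in this declaration provides locking, so treat an instance as not
// thread-safe unless the .cpp shows otherwise.
class CredentialData : public RefBase {
  public:
    // |dataPath| is the directory holding credential files, |ownerUid| the uid
    // of the app that owns the credential and |name| the app-chosen name.
    // Per the member comments below the constructor only records these and
    // derives |fileName_|; NOTE(review): assumed not to touch the disk — confirm.
    CredentialData(const string& dataPath, uid_t ownerUid, const string& name);

    // File name used to persist the credential identified by (|ownerUid|, |name|)
    // below |dataPath|.
    // NOTE(review): |name| is app-supplied. The encoding is not visible from this
    // header; confirm that the .cpp encodes it so the result can neither name a
    // file outside |dataPath| (path separators, "..") nor collide with another
    // uid's credential.
    static string calculateCredentialFileName(const string& dataPath, uid_t ownerUid,
                                              const string& name);

    // Whether a credential file for (|dataPath|, |ownerUid|, |name|) exists.
    // The optional is presumably empty when the check itself fails (I/O error),
    // as opposed to false for "not present" — confirm.
    static optional<bool> credentialExists(const string& dataPath, uid_t ownerUid,
                                           const string& name);

    // Setters. As far as this header shows they update in-memory state only;
    // persisting is a separate saveToDisk() call.

    void setSecureUserId(int64_t secureUserId);

    // |credentialData| is the HAL-produced credential blob (opaque here).
    void setCredentialData(const vector<uint8_t>& credentialData);

    void setAttestationCertificate(const vector<uint8_t>& attestationCertificate);

    void
    addSecureAccessControlProfile(const SecureAccessControlProfile& secureAccessControlProfile);

    // Registers the encrypted entry |data| under |namespaceName| / |entryName|
    // (kept in |idToEncryptedChunks_|). What happens when the same entry is added
    // twice (overwrite vs. keep) is not visible here — confirm.
    void addEntryData(const string& namespaceName, const string& entryName, const EntryData& data);

    // Writes the CBOR-serialized state to |fileName_|; the bool is presumably a
    // success flag — confirm.
    // NOTE(review): the file carries key blobs and the secure user id, so it
    // should be created with restrictive permissions — confirm in the .cpp.
    bool saveToDisk() const;

    // Replaces the in-memory state with the decoded contents of |fileName_|;
    // presumably false when the file cannot be read or decoded — confirm.
    // NOTE(review): the file is credstore-owned state, but the CBOR decoder
    // still has to bounds-check what it reads; a false return should be treated
    // as "credential unavailable", not as "credential does not exist".
    bool loadFromDisk();

    // Removes the persisted credential; presumably false on failure — confirm.
    bool deleteCredential();

    // Sets |keyCount_| and |maxUsesPerKey_|. Since |authKeyDatas_| is kept
    // |keyCount_| long (see the member comment) this presumably resizes it;
    // confirm whether existing keys survive a shrink/grow.
    void setAvailableAuthenticationKeys(int keyCount, int maxUsesPerKey);

    // Getters

    // Not const, unlike the other getters; making it const also requires
    // changing the definition in the .cpp.
    int64_t getSecureUserId();

    const vector<uint8_t>& getCredentialData() const;

    const vector<uint8_t>& getAttestationCertificate() const;

    const vector<SecureAccessControlProfile>& getSecureAccessControlProfiles() const;

    bool hasEntryData(const string& namespaceName, const string& entryName) const;

    // Empty optional when no entry is registered under |namespaceName| / |entryName|.
    optional<EntryData> getEntryData(const string& namespaceName, const string& entryName) const;

    // Returns a reference to |authKeyDatas_|; it is invalidated by anything that
    // reallocates that vector (setAvailableAuthenticationKeys(), loadFromDisk()
    // — inferred, confirm).
    const vector<AuthKeyData>& getAuthKeyDatas() const;

    // Returns {|keyCount_|, |maxUsesPerKey_|}.
    pair<int /* keyCount */, int /* maxUsesPerKey */> getAvailableAuthenticationKeys();

    // Returns |nullptr| if a suitable key cannot be found. Otherwise returns
    // the authentication key and increases its use-count.
    //
    // |allowUsingExhaustedKeys| / |allowUsingExpiredKeys| presumably widen the
    // search to keys whose use-count has reached |maxUsesPerKey_| or whose
    // expiration date has passed — confirm in findAuthKey_(). The returned
    // pointer presumably points into |authKeyDatas_| and is invalidated like the
    // reference from getAuthKeyDatas().
    // NOTE(review): the use-count increment only changes in-memory state as far
    // as this header shows; if it is not followed by saveToDisk(), the per-key
    // use limit does not survive a restart — confirm where the caller persists.
    const AuthKeyData* selectAuthKey(bool allowUsingExhaustedKeys, bool allowUsingExpiredKeys);

    // Uses the HAL (|halBinder|) to prepare new keys for the slots that need
    // (re)certification and returns the material the caller must get certified;
    // the exact element format and the failure case (empty optional) are not
    // visible here — confirm.
    optional<vector<vector<uint8_t>>>
    getAuthKeysNeedingCertification(const sp<IIdentityCredential>& halBinder);

    // Attaches |staticAuthData| and |expirationDateMillisSinceEpoch| to the
    // auth key identified by |authenticationKey| (how the key is matched —
    // certificate or public key — is not visible here; confirm). Presumably
    // returns false when no matching key exists.
    bool storeStaticAuthenticationData(const vector<uint8_t>& authenticationKey,
                                       int64_t expirationDateMillisSinceEpoch,
                                       const vector<uint8_t>& staticAuthData);

  private:
    // Mutable counterpart of selectAuthKey() with the same flags; presumably
    // the lookup selectAuthKey() builds on — confirm.
    AuthKeyData* findAuthKey_(bool allowUsingExhaustedKeys, bool allowUsingExpiredKeys);

    // Set by constructor.
    //
    string dataPath_;
    uid_t ownerUid_;
    string name_;

    // Calculated at construction time, from |dataPath_|, |ownerUid_|, |name_|.
    string fileName_;

    // Data serialized in CBOR from here:
    //
    // Initialized so that getSecureUserId() never reads an indeterminate value
    // before setSecureUserId() or loadFromDisk() has run. A constructor
    // mem-initializer in the .cpp, if any, still takes precedence.
    int64_t secureUserId_ = 0;
    vector<uint8_t> credentialData_;
    vector<uint8_t> attestationCertificate_;
    vector<SecureAccessControlProfile> secureAccessControlProfiles_;
    // Keyed by namespace/entry name; the exact key encoding is built in the .cpp.
    map<string, EntryData> idToEncryptedChunks_;

    int keyCount_ = 0;
    int maxUsesPerKey_ = 1;
    vector<AuthKeyData> authKeyDatas_;  // Always |keyCount_| long.
};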
147 
148 }  // namespace identity
149 }  // namespace security
150 }  // namespace android
151 
152 #endif  // SYSTEM_SECURITY_CREDENTIAL_DATA_H_
153