You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
153 lines
4.6 KiB
153 lines
4.6 KiB
/*
|
|
* Copyright (c) 2019, The Android Open Source Project
|
|
*
|
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
|
* you may not use this file except in compliance with the License.
|
|
* You may obtain a copy of the License at
|
|
*
|
|
* http://www.apache.org/licenses/LICENSE-2.0
|
|
*
|
|
* Unless required by applicable law or agreed to in writing, software
|
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
* See the License for the specific language governing permissions and
|
|
* limitations under the License.
|
|
*/
|
|
|
|
#ifndef SYSTEM_SECURITY_CREDENTIAL_DATA_H_
|
|
#define SYSTEM_SECURITY_CREDENTIAL_DATA_H_
|
|
|
|
#include <sys/types.h>
|
|
#include <unistd.h>
|
|
|
|
#include <map>
|
|
#include <string>
|
|
#include <utility>
|
|
#include <vector>
|
|
|
|
#include <android/hardware/identity/IIdentityCredential.h>
|
|
#include <android/hardware/identity/SecureAccessControlProfile.h>
|
|
|
|
namespace android {
|
|
namespace security {
|
|
namespace identity {
|
|
|
|
using ::android::hardware::identity::Certificate;
|
|
using ::android::hardware::identity::IIdentityCredential;
|
|
using ::android::hardware::identity::SecureAccessControlProfile;
|
|
using ::std::map;
|
|
using ::std::optional;
|
|
using ::std::pair;
|
|
using ::std::string;
|
|
using ::std::tuple;
|
|
using ::std::vector;
|
|
|
|
struct EntryData {
|
|
EntryData() {}
|
|
|
|
uint64_t size = 0;
|
|
vector<int32_t> accessControlProfileIds;
|
|
vector<vector<uint8_t>> encryptedChunks;
|
|
};
|
|
|
|
struct AuthKeyData {
|
|
AuthKeyData() {}
|
|
|
|
vector<uint8_t> certificate;
|
|
vector<uint8_t> keyBlob;
|
|
int64_t expirationDateMillisSinceEpoch = 0;
|
|
vector<uint8_t> staticAuthenticationData;
|
|
vector<uint8_t> pendingCertificate;
|
|
vector<uint8_t> pendingKeyBlob;
|
|
int useCount = 0;
|
|
};
|
|
|
|
class CredentialData : public RefBase {
|
|
public:
|
|
CredentialData(const string& dataPath, uid_t ownerUid, const string& name);
|
|
|
|
static string calculateCredentialFileName(const string& dataPath, uid_t ownerUid,
|
|
const string& name);
|
|
|
|
static optional<bool> credentialExists(const string& dataPath, uid_t ownerUid,
|
|
const string& name);
|
|
|
|
void setSecureUserId(int64_t secureUserId);
|
|
|
|
void setCredentialData(const vector<uint8_t>& credentialData);
|
|
|
|
void setAttestationCertificate(const vector<uint8_t>& attestationCertificate);
|
|
|
|
void
|
|
addSecureAccessControlProfile(const SecureAccessControlProfile& secureAccessControlProfile);
|
|
|
|
void addEntryData(const string& namespaceName, const string& entryName, const EntryData& data);
|
|
|
|
bool saveToDisk() const;
|
|
|
|
bool loadFromDisk();
|
|
|
|
bool deleteCredential();
|
|
|
|
void setAvailableAuthenticationKeys(int keyCount, int maxUsesPerKey);
|
|
|
|
// Getters
|
|
|
|
int64_t getSecureUserId();
|
|
|
|
const vector<uint8_t>& getCredentialData() const;
|
|
|
|
const vector<uint8_t>& getAttestationCertificate() const;
|
|
|
|
const vector<SecureAccessControlProfile>& getSecureAccessControlProfiles() const;
|
|
|
|
bool hasEntryData(const string& namespaceName, const string& entryName) const;
|
|
|
|
optional<EntryData> getEntryData(const string& namespaceName, const string& entryName) const;
|
|
|
|
const vector<AuthKeyData>& getAuthKeyDatas() const;
|
|
|
|
pair<int /* keyCount */, int /*maxUsersPerKey */> getAvailableAuthenticationKeys();
|
|
|
|
// Returns |nullptr| if a suitable key cannot be found. Otherwise returns
|
|
// the authentication and increases its use-count.
|
|
const AuthKeyData* selectAuthKey(bool allowUsingExhaustedKeys, bool allowUsingExpiredKeys);
|
|
|
|
optional<vector<vector<uint8_t>>>
|
|
getAuthKeysNeedingCertification(const sp<IIdentityCredential>& halBinder);
|
|
|
|
bool storeStaticAuthenticationData(const vector<uint8_t>& authenticationKey,
|
|
int64_t expirationDateMillisSinceEpoch,
|
|
const vector<uint8_t>& staticAuthData);
|
|
|
|
private:
|
|
AuthKeyData* findAuthKey_(bool allowUsingExhaustedKeys, bool allowUsingExpiredKeys);
|
|
|
|
// Set by constructor.
|
|
//
|
|
string dataPath_;
|
|
uid_t ownerUid_;
|
|
string name_;
|
|
|
|
// Calculated at construction time, from |dataPath_|, |ownerUid_|, |name_|.
|
|
string fileName_;
|
|
|
|
// Data serialized in CBOR from here:
|
|
//
|
|
int64_t secureUserId_;
|
|
vector<uint8_t> credentialData_;
|
|
vector<uint8_t> attestationCertificate_;
|
|
vector<SecureAccessControlProfile> secureAccessControlProfiles_;
|
|
map<string, EntryData> idToEncryptedChunks_;
|
|
|
|
int keyCount_ = 0;
|
|
int maxUsesPerKey_ = 1;
|
|
vector<AuthKeyData> authKeyDatas_; // Always |keyCount_| long.
|
|
};
|
|
|
|
} // namespace identity
|
|
} // namespace security
|
|
} // namespace android
|
|
|
|
#endif // SYSTEM_SECURITY_CREDENTIAL_DATA_H_
|