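/*
 * Copyright (c) 2019, The Android Open Source Project
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

#ifndef SYSTEM_SECURITY_CREDENTIAL_DATA_H_
#define SYSTEM_SECURITY_CREDENTIAL_DATA_H_

#include <sys/types.h>
#include <unistd.h>

// <cstdint>, <optional> and <tuple> are included explicitly because this
// header names uint64_t/int64_t, std::optional and std::tuple itself; it
// should not depend on another header pulling them in.
#include <cstdint>
#include <map>
#include <optional>
#include <string>
#include <tuple>
#include <utility>
#include <vector>

// NOTE(review): RefBase and sp<> are used below without a direct include;
// presumably they arrive transitively through the HAL headers - confirm.
#include <android/hardware/identity/IIdentityCredential.h>
#include <android/hardware/identity/SecureAccessControlProfile.h>

namespace android {
namespace security {
namespace identity {

using ::android::hardware::identity::Certificate;
using ::android::hardware::identity::IIdentityCredential;
using ::android::hardware::identity::SecureAccessControlProfile;
using ::std::map;
using ::std::optional;
using ::std::string;
using ::std::tuple;
using ::std::vector;

// Stored form of a single credential entry: a size, the ids of the access
// control profiles attached to it, and its content as encrypted chunks.
struct EntryData {
    EntryData() {}

    uint64_t size = 0;
    vector<int32_t> accessControlProfileIds;
    vector<vector<uint8_t>> encryptedChunks;
};

// State kept for one authentication key slot. The |pending*| members sit next
// to the current certificate/key blob; presumably they hold a replacement key
// that has been generated but not yet certified - confirm against the
// implementation.
struct AuthKeyData {
    AuthKeyData() {}

    vector<uint8_t> certificate;
    vector<uint8_t> keyBlob;
    int64_t expirationDateMillisSinceEpoch = 0;
    vector<uint8_t> staticAuthenticationData;
    vector<uint8_t> pendingCertificate;
    vector<uint8_t> pendingKeyBlob;
    int useCount = 0;
};

// In-memory state of one credential, identified by (dataPath, ownerUid, name)
// and persisted to the file named by |fileName_|.
class CredentialData : public RefBase {
  public:
    CredentialData(const string& dataPath, uid_t ownerUid, const string& name);

    // Computes the path of the file backing the credential.
    //
    // NOTE(review): |name| presumably originates from the calling app; confirm
    // that the implementation encodes it so the result always stays inside
    // |dataPath| and that credentials of different |ownerUid| cannot collide.
    static string calculateCredentialFileName(const string& dataPath, uid_t ownerUid,
                                              const string& name);

    // NOTE(review): the optional presumably separates "could not determine"
    // (empty) from a definite true/false answer - confirm, and make sure
    // callers do not treat the empty case as "does not exist".
    static optional<bool> credentialExists(const string& dataPath, uid_t ownerUid,
                                           const string& name);

    void setSecureUserId(int64_t secureUserId);

    void setCredentialData(const vector<uint8_t>& credentialData);

    void setAttestationCertificate(const vector<uint8_t>& attestationCertificate);

    void
    addSecureAccessControlProfile(const SecureAccessControlProfile& secureAccessControlProfile);

    void addEntryData(const string& namespaceName, const string& entryName, const EntryData& data);

    // NOTE(review): the persisted state includes key blobs and encrypted entry
    // chunks; confirm the implementation creates the file with owner-only
    // permissions and replaces it atomically.
    bool saveToDisk() const;

    bool loadFromDisk();

    bool deleteCredential();

    void setAvailableAuthenticationKeys(int keyCount, int maxUsesPerKey,
                                        int64_t minValidTimeMillis);

    // Getters

    int64_t getSecureUserId();

    const vector<uint8_t>& getCredentialData() const;

    const vector<uint8_t>& getAttestationCertificate() const;

    const vector<SecureAccessControlProfile>& getSecureAccessControlProfiles() const;

    bool hasEntryData(const string& namespaceName, const string& entryName) const;

    optional<EntryData> getEntryData(const string& namespaceName, const string& entryName) const;

    const vector<AuthKeyData>& getAuthKeyDatas() const;

    tuple<int /* keyCount */, int /* maxUsesPerKey */, int64_t /* minValidTimeMillis */>
    getAvailableAuthenticationKeys() const;

    // Returns |nullptr| if a suitable key cannot be found. Otherwise returns
    // the authentication key.
    //
    // NOTE(review): the use-count is presumably increased only when
    // |incrementUsageCount| is true - confirm against the implementation.
    // The returned pointer presumably refers to an element of
    // |authKeyDatas_|, so it should not be held across calls that can resize
    // or reload that vector.
    const AuthKeyData* selectAuthKey(bool allowUsingExhaustedKeys, bool allowUsingExpiredKeys,
                                     bool incrementUsageCount);

    optional<vector<vector<uint8_t>>>
    getAuthKeysNeedingCertification(const sp<IIdentityCredential>& halBinder);

    bool storeStaticAuthenticationData(const vector<uint8_t>& authenticationKey,
                                       int64_t expirationDateMillisSinceEpoch,
                                       const vector<uint8_t>& staticAuthData);

  private:
    AuthKeyData* findAuthKey_(bool allowUsingExhaustedKeys, bool allowUsingExpiredKeys);

    // Set by constructor.
    //
    string dataPath_;
    uid_t ownerUid_;
    string name_;

    // Calculated at construction time, from |dataPath_|, |ownerUid_|, |name_|.
    string fileName_;

    // Data serialized in CBOR from here:
    //
    // Default-initialized like the counters below, so getSecureUserId() never
    // reads an indeterminate value before a set or load has happened.
    int64_t secureUserId_ = 0;
    vector<uint8_t> credentialData_;
    vector<uint8_t> attestationCertificate_;
    vector<SecureAccessControlProfile> secureAccessControlProfiles_;
    map<string, EntryData> idToEncryptedChunks_;

    int keyCount_ = 0;
    int maxUsesPerKey_ = 1;
    int64_t minValidTimeMillis_ = 0;
    vector<AuthKeyData> authKeyDatas_;  // Always |keyCount_| long.
};

}  // namespace identity
}  // namespace security
}  // namespace android

#endif  // SYSTEM_SECURITY_CREDENTIAL_DATA_H_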