/******************************************************************************
*
* Copyright 2019 Google, Inc.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at:
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*
******************************************************************************/
#include "btif_keystore.h"
#include <base/files/file_util.h>
#include <base/logging.h>
#include <base/strings/string_number_conversions.h>
#include <base/strings/string_split.h>
#include <base/strings/string_util.h>
#include <base/strings/utf_string_conversions.h>
#include <sys/stat.h>
using namespace keystore;
using namespace bluetooth;
// Keystore alias used by every operation in this file: Encrypt, Decrypt and
// DoesKeyExist all pass this one name to the keystore client, so they all
// operate on the same key entry.
constexpr char kKeyStore[] = "AndroidKeystore";
namespace bluetooth {
// Binds this wrapper to |keystore_client|.
//
// The pointer is stored as given and is not checked for null here; every
// method in this file dereferences it unconditionally, so callers must pass a
// valid client.
// NOTE(review): ownership/lifetime of the client is not visible from this
// file -- confirm it outlives this object.
BtifKeystore::BtifKeystore(keystore::KeystoreClient* keystore_client)
    : keystore_client_{keystore_client} {}
// Encrypts |data| under the kKeyStore alias and returns the blob produced by
// the keystore client's encryptWithAuthentication().
//
// The call holds api_mutex_ for its whole duration, as Decrypt does. An empty
// |data| is logged as an error and yields an empty string. When the alias does
// not exist yet, a key is created first through GenerateKey(kKeyStore, 0,
// false).
//
// Failure handling: both failure paths log with LOG(FATAL). In
// base/logging.h a FATAL log terminates the process, so a keystore failure
// brings the calling process down rather than being reported to the caller.
//
// NOTE(review): |flags| reaches encryptWithAuthentication only; key
// generation is always requested with flags 0 -- confirm this is intended.
std::string BtifKeystore::Encrypt(const std::string& data, int32_t flags) {
  std::lock_guard<std::mutex> lock(api_mutex_);

  std::string ciphertext;
  if (data.empty()) {
    LOG(ERROR) << __func__ << ": empty data";
    return ciphertext;
  }

  // Create the key lazily on first use.
  if (!keystore_client_->doesKeyExist(kKeyStore)) {
    auto key_status = GenerateKey(kKeyStore, 0, false);
    if (!key_status.isOk()) {
      LOG(FATAL) << "EncryptWithAuthentication Failed: generateKey response="
                 << key_status;
      return ciphertext;
    }
  }

  if (!keystore_client_->encryptWithAuthentication(kKeyStore, data, flags,
                                                   &ciphertext)) {
    LOG(FATAL) << "EncryptWithAuthentication failed.";
  }
  // Same value on success and on the (fatal) failure path above.
  return ciphertext;
}
// Decrypts |input| with the kKeyStore alias through the keystore client's
// decryptWithAuthentication() and returns the recovered data.
//
// The call holds api_mutex_ for its whole duration, as Encrypt does. An empty
// |input| is logged as an error and yields an empty string, so an empty
// return value alone does not tell the caller why nothing was decrypted.
//
// Failure handling: a failed decryptWithAuthentication() is logged with
// LOG(FATAL); in base/logging.h a FATAL log terminates the process, so a blob
// that fails to decrypt or authenticate brings the calling process down.
// NOTE(review): if |input| can come from storage another party may modify,
// confirm that aborting is the intended reaction to a rejected blob.
std::string BtifKeystore::Decrypt(const std::string& input) {
  std::lock_guard<std::mutex> lock(api_mutex_);

  std::string plaintext;
  if (!input.empty()) {
    if (!keystore_client_->decryptWithAuthentication(kKeyStore, input,
                                                     &plaintext)) {
      LOG(FATAL) << "DecryptWithAuthentication failed.\n";
    }
    return plaintext;
  }

  LOG(ERROR) << __func__ << ": empty input data";
  return "";
}
// Asks the keystore client to generate a key stored under |name| and returns
// the client's result code.
//
// The request describes a 2048-bit RSA signing key (public exponent 65537)
// authorised for the SHA-2 224/256/384/512 digests with both PKCS#1 v1.5 and
// PSS signature padding. |flags| is forwarded unchanged to generateKey(). The
// hardware- and software-enforced characteristics reported back by the client
// are received into locals and discarded.
//
// Note: auth_bound keys created with this tool will not be usable.
//
// The only caller in this file (Encrypt) passes auth_bound = false, so the key
// it creates carries TAG_NO_AUTH_REQUIRED, i.e. its use is not gated on user
// authentication.
// NOTE(review): the key is provisioned for RSA *signing*, while this file uses
// the same alias with encryptWithAuthentication/decryptWithAuthentication --
// confirm which key material the client actually uses for those calls.
KeyStoreNativeReturnCode BtifKeystore::GenerateKey(const std::string& name,
                                                   int32_t flags,
                                                   bool auth_bound) {
  AuthorizationSetBuilder params;
  params.RsaSigningKey(2048, 65537)
      .Digest(Digest::SHA_2_224)
      .Digest(Digest::SHA_2_256)
      .Digest(Digest::SHA_2_384)
      .Digest(Digest::SHA_2_512)
      .Padding(PaddingMode::RSA_PKCS1_1_5_SIGN)
      .Padding(PaddingMode::RSA_PSS);

  if (!auth_bound) {
    params.Authorization(TAG_NO_AUTH_REQUIRED);
  } else {
    // Gatekeeper normally generates the secure user id.
    // Using zero allows the key to be created, but it will not be usable.
    params.Authorization(TAG_USER_SECURE_ID, 0);
  }

  // Output sinks required by generateKey(); their contents are not used.
  AuthorizationSet sw_enforced;
  AuthorizationSet hw_enforced;
  return keystore_client_->generateKey(name, params, flags, &hw_enforced,
                                       &sw_enforced);
}
// Reports whether the keystore client already holds a key under the kKeyStore
// alias.
//
// NOTE(review): unlike Encrypt and Decrypt, this method does not take
// api_mutex_ -- confirm the client call is safe to run concurrently with them.
bool BtifKeystore::DoesKeyExist() {
  const auto key_present = keystore_client_->doesKeyExist(kKeyStore);
  return key_present;
}
} // namespace bluetooth