1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
|
/*
* Copyright (C) 2019 The Android Open Source Project
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
#include <mini_keyctl_utils.h>
#include <dirent.h>
#include <errno.h>
#include <sys/types.h>
#include <unistd.h>
#include <fstream>
#include <iostream>
#include <iterator>
#include <sstream>
#include <string>
#include <vector>
#include <android-base/file.h>
#include <android-base/logging.h>
#include <android-base/parseint.h>
#include <android-base/properties.h>
#include <android-base/strings.h>
#include <keyutils.h>
static constexpr int kMaxCertSize = 4096;
static std::vector<std::string> SplitBySpace(const std::string& s) {
std::istringstream iss(s);
return std::vector<std::string>{std::istream_iterator<std::string>{iss},
std::istream_iterator<std::string>{}};
}
// Find the keyring id. Because request_key(2) syscall is not available or the key is
// kernel keyring, the id is looked up from /proc/keys. The keyring description may contain other
// information in the descritption section depending on the key type, only the first word in the
// keyring description is used for searching.
static bool GetKeyringId(const std::string& keyring_desc, key_serial_t* keyring_id) {
if (!keyring_id) {
LOG(ERROR) << "keyring_id is null";
return false;
}
// If the keyring id is already a hex number, directly convert it to keyring id
if (android::base::ParseInt(keyring_desc.c_str(), keyring_id)) {
return true;
}
// Only keys allowed by SELinux rules will be shown here.
std::ifstream proc_keys_file("/proc/keys");
if (!proc_keys_file.is_open()) {
PLOG(ERROR) << "Failed to open /proc/keys";
return false;
}
std::string line;
while (getline(proc_keys_file, line)) {
std::vector<std::string> tokens = SplitBySpace(line);
if (tokens.size() < 9) {
continue;
}
std::string key_id = tokens[0];
std::string key_type = tokens[7];
// The key description may contain space.
std::string key_desc_prefix = tokens[8];
// The prefix has a ":" at the end
std::string key_desc_pattern = keyring_desc + ":";
if (key_type != "keyring" || key_desc_prefix != key_desc_pattern) {
continue;
}
*keyring_id = std::stoi(key_id, nullptr, 16);
return true;
}
return false;
}
int Unlink(key_serial_t key, const std::string& keyring) {
key_serial_t keyring_id;
if (!GetKeyringId(keyring, &keyring_id)) {
LOG(ERROR) << "Can't find keyring " << keyring;
return 1;
}
if (keyctl_unlink(key, keyring_id) < 0) {
PLOG(ERROR) << "Failed to unlink key 0x" << std::hex << key << " from keyring " << keyring_id;
return 1;
}
return 0;
}
int Add(const std::string& type, const std::string& desc, const std::string& data,
const std::string& keyring) {
if (data.size() > kMaxCertSize) {
LOG(ERROR) << "Certificate too large";
return 1;
}
key_serial_t keyring_id;
if (!GetKeyringId(keyring, &keyring_id)) {
LOG(ERROR) << "Can not find keyring id";
return 1;
}
key_serial_t key = add_key(type.c_str(), desc.c_str(), data.c_str(), data.size(), keyring_id);
if (key < 0) {
PLOG(ERROR) << "Failed to add key";
return 1;
}
LOG(INFO) << "Key " << desc << " added to " << keyring << " with key id: 0x" << std::hex << key;
return 0;
}
int Padd(const std::string& type, const std::string& desc, const std::string& keyring) {
key_serial_t keyring_id;
if (!GetKeyringId(keyring, &keyring_id)) {
LOG(ERROR) << "Can not find keyring id";
return 1;
}
// read from stdin to get the certificates
std::istreambuf_iterator<char> begin(std::cin), end;
std::string data(begin, end);
if (data.size() > kMaxCertSize) {
LOG(ERROR) << "Certificate too large";
return 1;
}
key_serial_t key = add_key(type.c_str(), desc.c_str(), data.c_str(), data.size(), keyring_id);
if (key < 0) {
PLOG(ERROR) << "Failed to add key";
return 1;
}
LOG(INFO) << "Key " << desc << " added to " << keyring << " with key id: 0x" << std::hex << key;
return 0;
}
int RestrictKeyring(const std::string& keyring) {
key_serial_t keyring_id;
if (!GetKeyringId(keyring, &keyring_id)) {
LOG(ERROR) << "Cannot find keyring id";
return 1;
}
if (keyctl_restrict_keyring(keyring_id, nullptr, nullptr) < 0) {
PLOG(ERROR) << "Cannot restrict keyring " << keyring;
return 1;
}
return 0;
}
std::string RetrieveSecurityContext(key_serial_t key) {
// Simply assume this size is enough in practice.
const int kMaxSupportedSize = 256;
std::string context;
context.resize(kMaxSupportedSize);
long retval = keyctl_get_security(key, context.data(), kMaxSupportedSize);
if (retval < 0) {
PLOG(ERROR) << "Cannot get security context of key 0x" << std::hex << key;
return std::string();
}
if (retval > kMaxSupportedSize) {
LOG(ERROR) << "The key has unexpectedly long security context than " << kMaxSupportedSize;
return std::string();
}
context.resize(retval);
return context;
}
|
