summaryrefslogtreecommitdiffstats
path: root/cmds/keystore
diff options
context:
space:
mode:
authorChung-yih Wang <cywang@google.com>2009-06-08 16:34:54 +0800
committerChung-yih Wang <cywang@google.com>2009-06-08 16:34:54 +0800
commita92d5dc0f6d3aadbc64a029ecfacca2f19a661e7 (patch)
tree12af6c9bb70c3f732500ea2be64543c69a4fbcc3 /cmds/keystore
parent383bce90737871de0b80082eb3a7925528aae754 (diff)
downloadframeworks_native-a92d5dc0f6d3aadbc64a029ecfacca2f19a661e7.zip
frameworks_native-a92d5dc0f6d3aadbc64a029ecfacca2f19a661e7.tar.gz
frameworks_native-a92d5dc0f6d3aadbc64a029ecfacca2f19a661e7.tar.bz2
First version of the keystore service.
The keystore service is protected by the user 'keystore'. Only keystore user/group can access the key content. All users are able to do the following commands from shell as well: listcerts listuserkeys installcert removecert installuserkey removeuserkey
Diffstat (limited to 'cmds/keystore')
-rw-r--r--cmds/keystore/Android.mk21
-rw-r--r--cmds/keystore/commands.c141
-rw-r--r--cmds/keystore/keystore.c248
-rw-r--r--cmds/keystore/keystore.h57
4 files changed, 467 insertions, 0 deletions
diff --git a/cmds/keystore/Android.mk b/cmds/keystore/Android.mk
new file mode 100644
index 0000000..20f4adf
--- /dev/null
+++ b/cmds/keystore/Android.mk
@@ -0,0 +1,21 @@
+ifneq ($(TARGET_SIMULATOR),true)
+
+LOCAL_PATH:= $(call my-dir)
+include $(CLEAR_VARS)
+
+LOCAL_SRC_FILES:= \
+ keystore.c commands.c
+
+LOCAL_C_INCLUDES := \
+ $(call include-path-for, system-core)/cutils
+
+LOCAL_SHARED_LIBRARIES := \
+ libcutils
+
+LOCAL_STATIC_LIBRARIES :=
+
+LOCAL_MODULE:= keystore
+
+include $(BUILD_EXECUTABLE)
+
+endif # !simulator))
diff --git a/cmds/keystore/commands.c b/cmds/keystore/commands.c
new file mode 100644
index 0000000..7474d81
--- /dev/null
+++ b/cmds/keystore/commands.c
@@ -0,0 +1,141 @@
+/*
+** Copyright 2008, The Android Open Source Project
+**
+** Licensed under the Apache License, Version 2.0 (the "License");
+** you may not use this file except in compliance with the License.
+** You may obtain a copy of the License at
+**
+** http://www.apache.org/licenses/LICENSE-2.0
+**
+** Unless required by applicable law or agreed to in writing, software
+** distributed under the License is distributed on an "AS IS" BASIS,
+** WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+** See the License for the specific language governing permissions and
+** limitations under the License.
+*/
+
+#include "keystore.h"
+
+static DIR *open_keystore(const char *dir)
+{
+ DIR *d;
+ if ((d = opendir(dir)) == NULL) {
+ if (mkdir(dir, 0770) < 0) {
+ LOGE("cannot create dir '%s': %s\n", dir, strerror(errno));
+ unlink(dir);
+ return NULL;
+ }
+ d = open_keystore(dir);
+ }
+ return d;
+}
+
+static int list_files(const char *dir, char reply[REPLY_MAX]) {
+ struct dirent *de;
+ DIR *d;
+
+ if ((d = open_keystore(dir)) == NULL) {
+ return -1;
+ }
+ reply[0]=0;
+ while ((de = readdir(d))) {
+ if (de->d_type != DT_REG) continue;
+ strlcat(reply, " ", REPLY_MAX);
+ if (strlcat(reply, de->d_name, REPLY_MAX) >= REPLY_MAX) {
+ LOGE("reply is too long(too many files under '%s'\n", dir);
+ return -1;
+ }
+ }
+ closedir(d);
+ return 0;
+}
+
+static int copy_keyfile(const char *keystore, const char *srcfile) {
+ int srcfd, dstfd;
+ int length;
+ char buf[2048];
+ char dstfile[KEYNAME_LENGTH];
+ const char *filename = strrchr(srcfile, '/');
+
+ strlcpy(dstfile, keystore, KEYNAME_LENGTH);
+ strlcat(dstfile, "/", KEYNAME_LENGTH);
+ if (strlcat(dstfile, filename ? filename + 1 : srcfile,
+ KEYNAME_LENGTH) >= KEYNAME_LENGTH) {
+ LOGE("keyname is too long '%s'\n", srcfile);
+ return -1;
+ }
+
+ if ((srcfd = open(srcfile, O_RDONLY)) == -1) {
+ LOGE("Cannot open the original file '%s'\n", srcfile);
+ return -1;
+ }
+ if ((dstfd = open(dstfile, O_CREAT|O_RDWR)) == -1) {
+ LOGE("Cannot open the destination file '%s'\n", dstfile);
+ return -1;
+ }
+ while((length = read(srcfd, buf, 2048)) > 0) {
+ write(dstfd, buf, length);
+ }
+ close(srcfd);
+ close(dstfd);
+ chmod(dstfile, 0440);
+ return 0;
+}
+
+static int install_key(const char *dir, const char *keyfile)
+{
+ struct dirent *de;
+ DIR *d;
+
+ if ((d = open_keystore(dir)) == NULL) {
+ return -1;
+ }
+ return copy_keyfile(dir, keyfile);
+}
+
+static int remove_key(const char *dir, const char *keyfile)
+{
+ char dstfile[KEYNAME_LENGTH];
+
+ strlcpy(dstfile, dir, KEYNAME_LENGTH);
+ strlcat(dstfile, "/", KEYNAME_LENGTH);
+ if (strlcat(dstfile, keyfile, KEYNAME_LENGTH) >= KEYNAME_LENGTH) {
+ LOGE("keyname is too long '%s'\n", keyfile);
+ return -1;
+ }
+ if (unlink(dstfile)) {
+ LOGE("cannot delete '%s': %s\n", dstfile, strerror(errno));
+ return -1;
+ }
+ return 0;
+}
+
+int list_certs(char reply[REPLY_MAX])
+{
+ return list_files(CERTS_DIR, reply);
+}
+
+int list_userkeys(char reply[REPLY_MAX])
+{
+ return list_files(USERKEYS_DIR, reply);
+}
+
+int install_cert(const char *certfile)
+{
+ return install_key(CERTS_DIR, certfile);
+}
+
+int install_userkey(const char *keyfile)
+{
+ return install_key(USERKEYS_DIR, keyfile);
+}
+
+int remove_cert(const char *certfile)
+{
+ return remove_key(CERTS_DIR, certfile);
+}
+
+int remove_userkey(const char *keyfile)
+{
+ return remove_key(USERKEYS_DIR, keyfile);
+}
diff --git a/cmds/keystore/keystore.c b/cmds/keystore/keystore.c
new file mode 100644
index 0000000..dbb62b3
--- /dev/null
+++ b/cmds/keystore/keystore.c
@@ -0,0 +1,248 @@
+/*
+** Copyright 2009, The Android Open Source Project
+**
+** Licensed under the Apache License, Version 2.0 (the "License");
+** you may not use this file except in compliance with the License.
+** You may obtain a copy of the License at
+**
+** http://www.apache.org/licenses/LICENSE-2.0
+**
+** Unless required by applicable law or agreed to in writing, software
+** distributed under the License is distributed on an "AS IS" BASIS,
+** WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+** See the License for the specific language governing permissions and
+** limitations under the License.
+*/
+
+#include "keystore.h"
+
+
+static int do_list_certs(char **arg, char reply[REPLY_MAX])
+{
+ return list_certs(reply);
+}
+
+static int do_list_userkeys(char **arg, char reply[REPLY_MAX])
+{
+ return list_userkeys(reply);
+}
+
+static int do_install_cert(char **arg, char reply[REPLY_MAX])
+{
+ return install_cert(arg[0]); /* move the certificate to keystore */
+}
+
+static int do_remove_cert(char **arg, char reply[REPLY_MAX])
+{
+ return remove_cert(arg[0]); /* certificate */
+}
+
+static int do_install_userkey(char **arg, char reply[REPLY_MAX])
+{
+ return install_userkey(arg[0]); /* move the certificate to keystore */
+}
+
+static int do_remove_userkey(char **arg, char reply[REPLY_MAX])
+{
+ return remove_userkey(arg[0]); /* userkey */
+}
+
+struct cmdinfo {
+ const char *name;
+ unsigned numargs;
+ int (*func)(char **arg, char reply[REPLY_MAX]);
+};
+
+
+struct cmdinfo cmds[] = {
+ { "listcerts", 0, do_list_certs },
+ { "listuserkeys", 0, do_list_userkeys },
+ { "installcert", 1, do_install_cert },
+ { "removecert", 1, do_remove_cert },
+ { "installuserkey", 1, do_install_userkey },
+ { "removeuserkey", 1, do_remove_userkey },
+};
+
+static int readx(int s, void *_buf, int count)
+{
+ char *buf = _buf;
+ int n = 0, r;
+ if (count < 0) return -1;
+ while (n < count) {
+ r = read(s, buf + n, count - n);
+ if (r < 0) {
+ if (errno == EINTR) continue;
+ LOGE("read error: %s\n", strerror(errno));
+ return -1;
+ }
+ if (r == 0) {
+ LOGE("eof\n");
+ return -1; /* EOF */
+ }
+ n += r;
+ }
+ return 0;
+}
+
+static int writex(int s, const void *_buf, int count)
+{
+ const char *buf = _buf;
+ int n = 0, r;
+ if (count < 0) return -1;
+ while (n < count) {
+ r = write(s, buf + n, count - n);
+ if (r < 0) {
+ if (errno == EINTR) continue;
+ LOGE("write error: %s\n", strerror(errno));
+ return -1;
+ }
+ n += r;
+ }
+ return 0;
+}
+
+
+/* Tokenize the command buffer, locate a matching command,
+ * ensure that the required number of arguments are provided,
+ * call the function(), return the result.
+ */
+static int execute(int s, char cmd[BUFFER_MAX])
+{
+ char reply[REPLY_MAX];
+ char *arg[TOKEN_MAX+1];
+ unsigned i;
+ unsigned n = 0;
+ unsigned short count;
+ int ret = -1;
+
+ /* default reply is "" */
+ reply[0] = 0;
+
+ /* n is number of args (not counting arg[0]) */
+ arg[0] = cmd;
+ while (*cmd) {
+ if (isspace(*cmd)) {
+ *cmd++ = 0;
+ n++;
+ arg[n] = cmd;
+ if (n == TOKEN_MAX) {
+ LOGE("too many arguments\n");
+ goto done;
+ }
+ }
+ cmd++;
+ }
+
+ for (i = 0; i < sizeof(cmds) / sizeof(cmds[0]); i++) {
+ if (!strcmp(cmds[i].name,arg[0])) {
+ if (n != cmds[i].numargs) {
+ LOGE("%s requires %d arguments (%d given)\n",
+ cmds[i].name, cmds[i].numargs, n);
+ } else {
+ ret = cmds[i].func(arg + 1, reply);
+ }
+ goto done;
+ }
+ }
+ LOGE("unsupported command '%s'\n", arg[0]);
+
+done:
+ if (reply[0]) {
+ n = snprintf(cmd, BUFFER_MAX, "%d %s", ret, reply);
+ } else {
+ n = snprintf(cmd, BUFFER_MAX, "%d", ret);
+ }
+ if (n > BUFFER_MAX) n = BUFFER_MAX;
+ count = n;
+
+ if (writex(s, &count, sizeof(count))) return -1;
+ if (writex(s, cmd, count)) return -1;
+
+ return 0;
+}
+
+int shell_command(const int argc, const char **argv)
+{
+ int fd, i, r;
+ unsigned short count;
+ char cmd[BUFFER_MAX]="";
+
+ fd = socket_local_client(SOCKET_PATH,
+ ANDROID_SOCKET_NAMESPACE_RESERVED,
+ SOCK_STREAM);
+ if (fd == -1) {
+ fprintf(stderr, "Keystore service is not up and running\n");
+ exit(1);
+ }
+ for(i = 0; i < argc; i++) {
+ if (i > 0) strlcat(cmd, " ", BUFFER_MAX);
+ if(strlcat(cmd, argv[i], BUFFER_MAX) >= BUFFER_MAX) {
+ fprintf(stderr, "Arguments are too long\n");
+ exit(1);
+ }
+ }
+ count = strlen(cmd);
+ if (writex(fd, &count, sizeof(count))) return -1;
+ if (writex(fd, cmd, strlen(cmd))) return -1;
+ if (readx(fd, &count, sizeof(count))) return -1;
+ if (readx(fd, cmd, count)) return -1;
+ cmd[count]=0;
+ fprintf(stdout, "%s\n", cmd);
+ return 0;
+}
+
+int main(const int argc, const char *argv[])
+{
+ char buf[BUFFER_MAX];
+ struct sockaddr addr;
+ socklen_t alen;
+ int lsocket, s, count;
+
+ if (argc > 1) {
+ return shell_command(argc - 1, argv + 1);
+ }
+
+ lsocket = android_get_control_socket(SOCKET_PATH);
+ if (lsocket < 0) {
+ LOGE("Failed to get socket from environment: %s\n", strerror(errno));
+ exit(1);
+ }
+ if (listen(lsocket, 5)) {
+ LOGE("Listen on socket failed: %s\n", strerror(errno));
+ exit(1);
+ }
+ fcntl(lsocket, F_SETFD, FD_CLOEXEC);
+
+ for (;;) {
+ alen = sizeof(addr);
+ s = accept(lsocket, &addr, &alen);
+ if (s < 0) {
+ LOGE("Accept failed: %s\n", strerror(errno));
+ continue;
+ }
+ fcntl(s, F_SETFD, FD_CLOEXEC);
+
+ LOGI("new connection\n");
+ for (;;) {
+ unsigned short count;
+ if (readx(s, &count, sizeof(count))) {
+ LOGE("failed to read size\n");
+ break;
+ }
+ if ((count < 1) || (count >= BUFFER_MAX)) {
+ LOGE("invalid size %d\n", count);
+ break;
+ }
+ if (readx(s, buf, count)) {
+ LOGE("failed to read command\n");
+ break;
+ }
+ buf[count] = 0;
+ if (execute(s, buf)) break;
+ }
+ LOGI("closing connection\n");
+ close(s);
+ }
+
+ return 0;
+}
diff --git a/cmds/keystore/keystore.h b/cmds/keystore/keystore.h
new file mode 100644
index 0000000..35acf0b
--- /dev/null
+++ b/cmds/keystore/keystore.h
@@ -0,0 +1,57 @@
+/*
+**
+** Copyright 2009, The Android Open Source Project
+**
+** Licensed under the Apache License, Version 2.0 (the "License");
+** you may not use this file except in compliance with the License.
+** You may obtain a copy of the License at
+**
+** http://www.apache.org/licenses/LICENSE-2.0
+**
+** Unless required by applicable law or agreed to in writing, software
+** distributed under the License is distributed on an "AS IS" BASIS,
+** WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+** See the License for the specific language governing permissions and
+** limitations under the License.
+*/
+
+#define LOG_TAG "keystore"
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <sys/stat.h>
+#include <dirent.h>
+#include <unistd.h>
+#include <ctype.h>
+#include <fcntl.h>
+#include <errno.h>
+#include <utime.h>
+#include <sys/socket.h>
+#include <sys/types.h>
+#include <sys/wait.h>
+
+#include <cutils/sockets.h>
+#include <cutils/log.h>
+#include <cutils/properties.h>
+
+#define SOCKET_PATH "keystore"
+
+
+/* path of the keystore */
+
+#define KEYSTORE_DIR_PREFIX "/data/misc/keystore"
+#define CERTS_DIR KEYSTORE_DIR_PREFIX "/certs"
+#define USERKEYS_DIR KEYSTORE_DIR_PREFIX "/userkeys"
+
+#define BUFFER_MAX 1024 /* input buffer for commands */
+#define TOKEN_MAX 8 /* max number of arguments in buffer */
+#define REPLY_MAX 1024 /* largest reply allowed */
+#define KEYNAME_LENGTH 128
+
+/* commands.c */
+int list_certs(char reply[REPLY_MAX]);
+int list_userkeys(char reply[REPLY_MAX]);
+int install_cert(const char *certfile);
+int install_userkey(const char *keyfile);
+int remove_cert(const char *certfile);
+int remove_userkey(const char *keyfile);