1 /*
2  * Copyright (C) 2019 The Android Open Source Project
3  *
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at
7  *
8  *      http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */
16 
17 /*
18  * A tool loads keys to keyring.
19  */
20 
21 #include <dirent.h>
22 #include <errno.h>
23 #include <error.h>
24 #include <stdio.h>
25 #include <sys/types.h>
26 #include <unistd.h>
27 
28 #include <iostream>
29 #include <iterator>
30 #include <string>
31 
32 #include <android-base/file.h>
33 #include <android-base/parseint.h>
34 #include <keyutils.h>
35 #include <mini_keyctl_utils.h>
36 
37 constexpr int kMaxCertSize = 4096;
38 
Usage(int exit_code)39 static void Usage(int exit_code) {
40   fprintf(stderr, "usage: mini-keyctl <action> [args,]\n");
41   fprintf(stderr, "       mini-keyctl add <type> <desc> <data> <keyring>\n");
42   fprintf(stderr, "       mini-keyctl padd <type> <desc> <keyring>\n");
43   fprintf(stderr, "       mini-keyctl unlink <key> <keyring>\n");
44   fprintf(stderr, "       mini-keyctl restrict_keyring <keyring>\n");
45   fprintf(stderr, "       mini-keyctl security <key>\n");
46   _exit(exit_code);
47 }
48 
parseKeyOrDie(const char * str)49 static key_serial_t parseKeyOrDie(const char* str) {
50   key_serial_t key;
51   if (!android::base::ParseInt(str, &key)) {
52     error(1 /* exit code */, 0 /* errno */, "Unparsable key: '%s'\n", str);
53   }
54   return key;
55 }
56 
Unlink(key_serial_t key,const std::string & keyring)57 int Unlink(key_serial_t key, const std::string& keyring) {
58   key_serial_t keyring_id = android::GetKeyringId(keyring);
59   if (keyctl_unlink(key, keyring_id) < 0) {
60     error(1, errno, "Failed to unlink key %x from keyring %s", key, keyring.c_str());
61     return 1;
62   }
63   return 0;
64 }
65 
Add(const std::string & type,const std::string & desc,const std::string & data,const std::string & keyring)66 int Add(const std::string& type, const std::string& desc, const std::string& data,
67         const std::string& keyring) {
68   if (data.size() > kMaxCertSize) {
69     error(1, 0, "Certificate too large");
70     return 1;
71   }
72 
73   key_serial_t keyring_id = android::GetKeyringId(keyring);
74   key_serial_t key = add_key(type.c_str(), desc.c_str(), data.c_str(), data.size(), keyring_id);
75 
76   if (key < 0) {
77     error(1, errno, "Failed to add key");
78     return 1;
79   }
80 
81   std::cout << key << std::endl;
82   return 0;
83 }
84 
Padd(const std::string & type,const std::string & desc,const std::string & keyring)85 int Padd(const std::string& type, const std::string& desc, const std::string& keyring) {
86   key_serial_t keyring_id = android::GetKeyringId(keyring);
87 
88   // read from stdin to get the certificates
89   std::istreambuf_iterator<char> begin(std::cin), end;
90   std::string data(begin, end);
91 
92   if (data.size() > kMaxCertSize) {
93     error(1, 0, "Certificate too large");
94     return 1;
95   }
96 
97   key_serial_t key = add_key(type.c_str(), desc.c_str(), data.c_str(), data.size(), keyring_id);
98 
99   if (key < 0) {
100     error(1, errno, "Failed to add key");
101     return 1;
102   }
103 
104   std::cout << key << std::endl;
105   return 0;
106 }
107 
RestrictKeyring(const std::string & keyring)108 int RestrictKeyring(const std::string& keyring) {
109   key_serial_t keyring_id = android::GetKeyringId(keyring);
110   if (keyctl_restrict_keyring(keyring_id, nullptr, nullptr) < 0) {
111     error(1, errno, "Cannot restrict keyring '%s'", keyring.c_str());
112     return 1;
113   }
114   return 0;
115 }
116 
RetrieveSecurityContext(key_serial_t key)117 std::string RetrieveSecurityContext(key_serial_t key) {
118   // Simply assume this size is enough in practice.
119   const int kMaxSupportedSize = 256;
120   std::string context;
121   context.resize(kMaxSupportedSize);
122   long retval = keyctl_get_security(key, context.data(), kMaxSupportedSize);
123   if (retval < 0) {
124     error(1, errno, "Cannot get security context of key %x", key);
125     return std::string();
126   }
127   if (retval > kMaxSupportedSize) {
128     error(1, 0, "The key has unexpectedly long security context than %d", kMaxSupportedSize);
129     return std::string();
130   }
131   context.resize(retval);
132   return context;
133 }
134 
main(int argc,const char ** argv)135 int main(int argc, const char** argv) {
136   if (argc < 2) Usage(1);
137   const std::string action = argv[1];
138 
139   if (action == "add") {
140     if (argc != 6) Usage(1);
141     std::string type = argv[2];
142     std::string desc = argv[3];
143     std::string data = argv[4];
144     std::string keyring = argv[5];
145     return Add(type, desc, data, keyring);
146   } else if (action == "padd") {
147     if (argc != 5) Usage(1);
148     std::string type = argv[2];
149     std::string desc = argv[3];
150     std::string keyring = argv[4];
151     return Padd(type, desc, keyring);
152   } else if (action == "restrict_keyring") {
153     if (argc != 3) Usage(1);
154     std::string keyring = argv[2];
155     return RestrictKeyring(keyring);
156   } else if (action == "unlink") {
157     if (argc != 4) Usage(1);
158     key_serial_t key = parseKeyOrDie(argv[2]);
159     const std::string keyring = argv[3];
160     return Unlink(key, keyring);
161   } else if (action == "security") {
162     if (argc != 3) Usage(1);
163     const char* key_str = argv[2];
164     key_serial_t key = parseKeyOrDie(key_str);
165     std::string context = RetrieveSecurityContext(key);
166     if (context.empty()) {
167       perror(key_str);
168       return 1;
169     }
170     fprintf(stderr, "%s\n", context.c_str());
171     return 0;
172   } else {
173     fprintf(stderr, "Unrecognized action: %s\n", action.c_str());
174     Usage(1);
175   }
176 
177   return 0;
178 }
179