| /* |
| * Copyright (C) 2019 The Android Open Source Project |
| * |
| * Licensed under the Apache License, Version 2.0 (the "License"); |
| * you may not use this file except in compliance with the License. |
| * You may obtain a copy of the License at |
| * |
| * http://www.apache.org/licenses/LICENSE-2.0 |
| * |
| * Unless required by applicable law or agreed to in writing, software |
| * distributed under the License is distributed on an "AS IS" BASIS, |
| * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| * See the License for the specific language governing permissions and |
| * limitations under the License. |
| */ |
| |
| /* |
| * A tool loads keys to keyring. |
| */ |
| |
| #include <dirent.h> |
| #include <errno.h> |
| #include <sys/types.h> |
| #include <unistd.h> |
| |
| #include <fstream> |
| #include <iostream> |
| #include <iterator> |
| #include <sstream> |
| #include <string> |
| #include <vector> |
| |
| #include <android-base/file.h> |
| #include <android-base/logging.h> |
| #include <android-base/properties.h> |
| #include <android-base/strings.h> |
| #include <keyutils.h> |
| |
| static constexpr int kMaxCertSize = 4096; |
| |
| // Add all the certs from directory path to keyring with keyring_id. Returns the number of keys |
| // added. |
| int AddKeys(const std::string& path, const key_serial_t keyring_id, const std::string& keyring_desc, |
| int start_index) { |
| std::unique_ptr<DIR, int (*)(DIR*)> dir(opendir(path.c_str()), closedir); |
| if (!dir) { |
| PLOG(WARNING) << "Failed to open directory " << path; |
| return 0; |
| } |
| int keys_added = 0; |
| struct dirent* dp; |
| while ((dp = readdir(dir.get())) != NULL) { |
| if (dp->d_type != DT_REG) { |
| continue; |
| } |
| std::string cert_path = path + "/" + dp->d_name; |
| std::string cert_buf; |
| if (!android::base::ReadFileToString(cert_path, &cert_buf, false /* follow_symlinks */)) { |
| LOG(ERROR) << "Failed to read " << cert_path; |
| continue; |
| } |
| |
| if (cert_buf.size() > kMaxCertSize) { |
| LOG(ERROR) << "Certficate size too large: " << cert_path; |
| continue; |
| } |
| |
| // Add key to keyring. |
| int key_desc_index = keys_added + start_index; |
| std::string key_desc = keyring_desc + "-key" + std::to_string(key_desc_index); |
| key_serial_t key = |
| add_key("asymmetric", key_desc.c_str(), &cert_buf[0], cert_buf.size(), keyring_id); |
| if (key < 0) { |
| PLOG(ERROR) << "Failed to add key to keyring: " << cert_path; |
| continue; |
| } |
| keys_added++; |
| } |
| return keys_added; |
| } |
| |
| std::vector<std::string> SplitBySpace(const std::string& s) { |
| std::istringstream iss(s); |
| return std::vector<std::string>{std::istream_iterator<std::string>{iss}, |
| std::istream_iterator<std::string>{}}; |
| } |
| |
| // Find the keyring id. Because request_key(2) syscall is not available or the key is |
| // kernel keyring, the id is looked up from /proc/keys. The keyring description may contain other |
| // information in the descritption section depending on the key type, only the first word in the |
| // keyring description is used for searching. |
| bool GetKeyringId(const std::string& keyring_desc, key_serial_t* keyring_id) { |
| if (!keyring_id) { |
| LOG(ERROR) << "keyring_id is null"; |
| return false; |
| } |
| |
| // Only keys allowed by SELinux rules will be shown here. |
| std::ifstream proc_keys_file("/proc/keys"); |
| if (!proc_keys_file.is_open()) { |
| PLOG(ERROR) << "Failed to open /proc/keys"; |
| return false; |
| } |
| |
| std::string line; |
| while (getline(proc_keys_file, line)) { |
| std::vector<std::string> tokens = SplitBySpace(line); |
| if (tokens.size() < 9) { |
| continue; |
| } |
| std::string key_id = tokens[0]; |
| std::string key_type = tokens[7]; |
| // The key description may contain space. |
| std::string key_desc_prefix = tokens[8]; |
| // The prefix has a ":" at the end |
| std::string key_desc_pattern = keyring_desc + ":"; |
| if (key_type != "keyring" || key_desc_prefix != key_desc_pattern) { |
| continue; |
| } |
| *keyring_id = std::stoi(key_id, nullptr, 16); |
| return true; |
| } |
| return false; |
| } |
| |
| static void Usage(int exit_code) { |
| fprintf(stderr, "usage: mini-keyctl -c PATHS -s DESCRIPTION\n"); |
| fprintf(stderr, "\n"); |
| fprintf(stderr, "-c, --cert_dirs the certificate locations, separated by comma\n"); |
| fprintf(stderr, "-k, --keyring the keyring description\n"); |
| _exit(exit_code); |
| } |
| |
| int main(int argc, char** argv) { |
| if (argc < 5) Usage(1); |
| |
| std::string arg_cert_dirs; |
| std::string arg_keyring_desc; |
| |
| for (int i = 1; i < argc; i++) { |
| std::string option = argv[i]; |
| if (option == "-c" || option == "--cert_dirs") { |
| if (i + 1 < argc) arg_cert_dirs = argv[++i]; |
| } else if (option == "-k" || option == "--keyring") { |
| if (i + 1 < argc) arg_keyring_desc = argv[++i]; |
| } |
| } |
| |
| if (arg_cert_dirs.empty() || arg_keyring_desc.empty()) { |
| LOG(ERROR) << "Missing cert_dirs or keyring desc"; |
| Usage(1); |
| } |
| |
| // Get the keyring id |
| key_serial_t key_ring_id; |
| if (!GetKeyringId(arg_keyring_desc, &key_ring_id)) { |
| PLOG(ERROR) << "Can't find keyring with " << arg_keyring_desc; |
| return 1; |
| } |
| |
| std::vector<std::string> cert_dirs = android::base::Split(arg_cert_dirs, ","); |
| int start_index = 0; |
| for (const auto& cert_dir : cert_dirs) { |
| int keys_added = AddKeys(cert_dir, key_ring_id, arg_keyring_desc, start_index); |
| start_index += keys_added; |
| } |
| |
| // Prevent new keys to be added. |
| if (!android::base::GetBoolProperty("ro.debuggable", false) && |
| keyctl_restrict_keyring(key_ring_id, nullptr, nullptr) < 0) { |
| PLOG(ERROR) << "Failed to restrict key ring " << arg_keyring_desc; |
| return 1; |
| } |
| |
| return 0; |
| } |