path: root/cmds/incidentd/src/cipher/IncidentKeyStore.cpp
authorYao Chen <yaochen@google.com>2019-04-21 14:34:30 -0700
committerYao Chen <yaochen@google.com>2019-04-23 15:20:38 -0700
commit43706b44705640aec6c3230c25502f6207d01c3d (patch)
tree70cff4df7ff27b2ac82ca5b2812f838740a39564 /cmds/incidentd/src/cipher/IncidentKeyStore.cpp
parent7feb1a1f7d0526dc0518be1ee5068ef51a48e074 (diff)
Add encryption in incidentd.
+ Sections which require encryption will be encrypted on disk. + When the sections are requested by clients (e.g., permission controller, report assignee), incidentd will decrypt the data. + For efficiency, encryption is done ONLY for sections that require encryption. + Use Keystore API for key management. Bug: 131084614 Test: incidentd_test Change-Id: I84d6b86807ba5bbde1051e847b2df6e79e6b5be5
Diffstat (limited to 'cmds/incidentd/src/cipher/IncidentKeyStore.cpp')
-rw-r--r--cmds/incidentd/src/cipher/IncidentKeyStore.cpp87
1 files changed, 87 insertions, 0 deletions
diff --git a/cmds/incidentd/src/cipher/IncidentKeyStore.cpp b/cmds/incidentd/src/cipher/IncidentKeyStore.cpp
new file mode 100644
index 000000000000..ae0a92094d0b
--- /dev/null
+++ b/cmds/incidentd/src/cipher/IncidentKeyStore.cpp
@@ -0,0 +1,87 @@
+/*
+ * Copyright (C) 2019 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include "Log.h"
+
+#include "IncidentKeyStore.h"
+
+#include <sys/stat.h>
+
+static constexpr size_t AES_KEY_BYTES = 32;
+static constexpr size_t GCM_MAC_BYTES = 16;
+constexpr char kKeyname[] = "IncidentKey";
+
+namespace android {
+namespace os {
+namespace incidentd {
+
+using namespace keystore;
+using std::string;
+
+IncidentKeyStore& IncidentKeyStore::getInstance() {
+ static IncidentKeyStore sInstance(new keystore::KeystoreClientImpl);
+ return sInstance;
+}
+
+bool IncidentKeyStore::encrypt(const string& data, int32_t flags, string* output) {
+ std::lock_guard<std::mutex> lock(mMutex);
+ if (data.empty()) {
+ ALOGW("IncidentKeyStore: Encrypt empty data?!");
+ return false;
+ }
+ if (!mClient->doesKeyExist(kKeyname)) {
+ auto gen_result = generateKeyLocked(kKeyname, 0);
+ if (!gen_result.isOk()) {
+ ALOGE("IncidentKeyStore: Key generate failed.");
+ return false;
+ }
+ }
+ if (!mClient->encryptWithAuthentication(kKeyname, data, flags, output)) {
+ ALOGE("IncidentKeyStore: Encryption failed.");
+ return false;
+ }
+ return true;
+}
+
+bool IncidentKeyStore::decrypt(const std::string& input, string* output) {
+ std::lock_guard<std::mutex> lock(mMutex);
+ if (input.empty()) {
+ ALOGE("IncidentKeyStore: Decrypt empty input?");
+ return false;
+ }
+ if (!mClient->decryptWithAuthentication(kKeyname, input, output)) {
+ ALOGE("IncidentKeyStore: Decryption failed.");
+ return false;
+ }
+ return true;
+}
+
+KeyStoreNativeReturnCode IncidentKeyStore::generateKeyLocked(const std::string& name,
+ int32_t flags) {
+ auto paramBuilder = AuthorizationSetBuilder()
+ .AesEncryptionKey(AES_KEY_BYTES * 8)
+ .GcmModeMinMacLen(GCM_MAC_BYTES * 8)
+ .Authorization(TAG_NO_AUTH_REQUIRED);
+
+ AuthorizationSet hardware_enforced_characteristics;
+ AuthorizationSet software_enforced_characteristics;
+ return mClient->generateKey(name, paramBuilder, flags, &hardware_enforced_characteristics,
+ &software_enforced_characteristics);
+}
+
+} // namespace incidentd
+} // namespace os
+} // namespace android
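Review bot: encrypt() creates the key with a hard-coded flags value at `auto gen_result = generateKeyLocked(kKeyname, 0);` but passes the caller's `flags` to encryptWithAuthentication in the very next statement, so for any non-zero `flags` the key's keystore flags and the encryption request disagree; both should use the same value, e.g. `auto gen_result = generateKeyLocked(kKeyname, flags);`. The generated key is authorized for GCM with a 128-bit minimum tag, but whether encryptWithAuthentication uses that key as-is or verifies/derives its own key configuration is not visible in this file, so that contract is worth confirming against the keystore client before relying on generateKeyLocked at all. The hardware- and software-enforced characteristics returned by generateKey are discarded; logging whether the AES key landed in the hardware-enforced set would make it observable whether incident data is protected by a hardware-backed key. TAG_NO_AUTH_REQUIRED deserves a why-comment such as `// NO_AUTH_REQUIRED: incidentd encrypts/decrypts as a daemon with no user present; the key remains bound to this uid by Keystore.`. getInstance() hands a raw `new keystore::KeystoreClientImpl` to a constructor defined outside this hunk; if that constructor takes a std::unique_ptr, `std::make_unique<keystore::KeystoreClientImpl>()` would make the ownership transfer explicit.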