
Commit 0186b42f authored by Brian Young's avatar Brian Young Committed by Android (Google) Code Review

Merge changes from topics "niap-asym-write-pi-dev", "niap-asym-write-api-pi-dev" into pi-dev

* changes:
  Restore "Add "Unlocked device required" parameter to keys"
  Add "Unlocked device required" key API
parents 69196f6f 9272dab4
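--- a/<PATH-NOT-SHOWN-ON-PAGE>/KeymasterDefs.java
+++ b/<PATH-NOT-SHOWN-ON-PAGE>/KeymasterDefs.java
@@ -75,6 +75,7 @@ public final class KeymasterDefs {
     public static final int KM_TAG_ALLOW_WHILE_ON_BODY = KM_BOOL | 506;
     public static final int KM_TAG_TRUSTED_USER_PRESENCE_REQUIRED = KM_BOOL | 507;
     public static final int KM_TAG_TRUSTED_CONFIRMATION_REQUIRED = KM_BOOL | 508;
+    public static final int KM_TAG_UNLOCKED_DEVICE_REQUIRED = KM_BOOL | 509;
 
     public static final int KM_TAG_ALL_APPLICATIONS = KM_BOOL | 600;
     public static final int KM_TAG_APPLICATION_ID = KM_BYTES | 601;
@@ -216,6 +217,7 @@ public final class KeymasterDefs {
     public static final int KM_ERROR_MISSING_MIN_MAC_LENGTH = -58;
     public static final int KM_ERROR_UNSUPPORTED_MIN_MAC_LENGTH = -59;
     public static final int KM_ERROR_CANNOT_ATTEST_IDS = -66;
+    public static final int KM_ERROR_DEVICE_LOCKED = -72;
     public static final int KM_ERROR_UNIMPLEMENTED = -100;
     public static final int KM_ERROR_VERSION_MISMATCH = -101;
     public static final int KM_ERROR_UNKNOWN_ERROR = -1000;
@@ -262,6 +264,7 @@ public final class KeymasterDefs {
         sErrorCodeToString.put(KM_ERROR_INVALID_MAC_LENGTH,
                 "Invalid MAC or authentication tag length");
         sErrorCodeToString.put(KM_ERROR_CANNOT_ATTEST_IDS, "Unable to attest device ids");
+        sErrorCodeToString.put(KM_ERROR_DEVICE_LOCKED, "Device locked");
         sErrorCodeToString.put(KM_ERROR_UNIMPLEMENTED, "Not implemented");
         sErrorCodeToString.put(KM_ERROR_UNKNOWN_ERROR, "Unknown error");
     }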
+6 −2
@@ -16,6 +16,7 @@


package android.security;
package android.security;


import android.app.ActivityManager;
import android.app.ActivityThread;
import android.app.ActivityThread;
import android.app.Application;
import android.app.Application;
import android.app.KeyguardManager;
import android.app.KeyguardManager;
@@ -279,7 +280,7 @@ public class KeyStore {
    /**
    /**
     * Attempt to lock the keystore for {@code user}.
     * Attempt to lock the keystore for {@code user}.
     *
     *
     * @param user Android user to lock.
     * @param userId Android user to lock.
     * @return whether {@code user}'s keystore was locked.
     * @return whether {@code user}'s keystore was locked.
     */
     */
    public boolean lock(int userId) {
    public boolean lock(int userId) {
@@ -300,7 +301,7 @@ public class KeyStore {
     * This is required before keystore entries created with FLAG_ENCRYPTED can be accessed or
     * This is required before keystore entries created with FLAG_ENCRYPTED can be accessed or
     * created.
     * created.
     *
     *
     * @param user Android user ID to operate on
     * @param userId Android user ID to operate on
     * @param password user's keystore password. Should be the most recent value passed to
     * @param password user's keystore password. Should be the most recent value passed to
     * {@link #onUserPasswordChanged} for the user.
     * {@link #onUserPasswordChanged} for the user.
     *
     *
@@ -546,6 +547,9 @@ public class KeyStore {
        try {
        try {
            args = args != null ? args : new KeymasterArguments();
            args = args != null ? args : new KeymasterArguments();
            entropy = entropy != null ? entropy : new byte[0];
            entropy = entropy != null ? entropy : new byte[0];
            if (!args.containsTag(KeymasterDefs.KM_TAG_USER_ID)) {
                args.addUnsignedInt(KeymasterDefs.KM_TAG_USER_ID, ActivityManager.getCurrentUser());
            }
            return mBinder.begin(getToken(), alias, purpose, pruneable, args, entropy, uid);
            return mBinder.begin(getToken(), alias, purpose, pruneable, args, entropy, uid);
        } catch (RemoteException e) {
        } catch (RemoteException e) {
            Log.w(TAG, "Cannot connect to keystore", e);
            Log.w(TAG, "Cannot connect to keystore", e);
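Review bot: In the last hunk, `begin()` supplies a KM_TAG_USER_ID only when the caller-provided `args` lack one, and it derives that id from the foreground user via `ActivityManager.getCurrentUser()` rather than from the `uid` parameter the method also accepts, so an operation started on behalf of another uid, or from a process running under a non-foreground user, may carry a user id that is not the key owner's; whether keystore re-derives or validates this tag on its side is not visible here. Because a caller-supplied tag is accepted as-is, this is a convenience default rather than a check, and the line deserves a comment saying so, e.g. `// Best-effort default only: callers may pass their own KM_TAG_USER_ID — confirm keystore validates it against the calling uid.` The same default is added unconditionally in `KeymasterUtils.addUserAuthArgs` in the last file section, so the two sites currently disagree on whether an existing tag wins. `begin()` starts and ends outside the hunk.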
+28 −2
@@ -266,6 +266,7 @@ public final class KeyGenParameterSpec implements AlgorithmParameterSpec, UserAu
    private final boolean mInvalidatedByBiometricEnrollment;
    private final boolean mInvalidatedByBiometricEnrollment;
    private final boolean mIsStrongBoxBacked;
    private final boolean mIsStrongBoxBacked;
    private final boolean mUserConfirmationRequired;
    private final boolean mUserConfirmationRequired;
    private final boolean mUnlockedDeviceRequired;


    /**
    /**
     * @hide should be built with Builder
     * @hide should be built with Builder
@@ -296,7 +297,8 @@ public final class KeyGenParameterSpec implements AlgorithmParameterSpec, UserAu
            boolean userAuthenticationValidWhileOnBody,
            boolean userAuthenticationValidWhileOnBody,
            boolean invalidatedByBiometricEnrollment,
            boolean invalidatedByBiometricEnrollment,
            boolean isStrongBoxBacked,
            boolean isStrongBoxBacked,
            boolean userConfirmationRequired) {
            boolean userConfirmationRequired,
            boolean unlockedDeviceRequired) {
        if (TextUtils.isEmpty(keyStoreAlias)) {
        if (TextUtils.isEmpty(keyStoreAlias)) {
            throw new IllegalArgumentException("keyStoreAlias must not be empty");
            throw new IllegalArgumentException("keyStoreAlias must not be empty");
        }
        }
@@ -345,6 +347,7 @@ public final class KeyGenParameterSpec implements AlgorithmParameterSpec, UserAu
        mInvalidatedByBiometricEnrollment = invalidatedByBiometricEnrollment;
        mInvalidatedByBiometricEnrollment = invalidatedByBiometricEnrollment;
        mIsStrongBoxBacked = isStrongBoxBacked;
        mIsStrongBoxBacked = isStrongBoxBacked;
        mUserConfirmationRequired = userConfirmationRequired;
        mUserConfirmationRequired = userConfirmationRequired;
        mUnlockedDeviceRequired = unlockedDeviceRequired;
    }
    }


    /**
    /**
@@ -669,6 +672,15 @@ public final class KeyGenParameterSpec implements AlgorithmParameterSpec, UserAu
        return mIsStrongBoxBacked;
        return mIsStrongBoxBacked;
    }
    }


    /**
     * @hide Returns {@code true} if the key cannot be used unless the device screen is unlocked.
     *
     * @see Builder#setUnlockedDeviceRequired(boolean)
     */
    public boolean isUnlockedDeviceRequired() {
        return mUnlockedDeviceRequired;
    }

    /**
    /**
     * @hide
     * @hide
     */
     */
@@ -707,6 +719,7 @@ public final class KeyGenParameterSpec implements AlgorithmParameterSpec, UserAu
        private boolean mInvalidatedByBiometricEnrollment = true;
        private boolean mInvalidatedByBiometricEnrollment = true;
        private boolean mIsStrongBoxBacked = false;
        private boolean mIsStrongBoxBacked = false;
        private boolean mUserConfirmationRequired;
        private boolean mUserConfirmationRequired;
        private boolean mUnlockedDeviceRequired = false;


        /**
        /**
         * Creates a new instance of the {@code Builder}.
         * Creates a new instance of the {@code Builder}.
@@ -1274,6 +1287,18 @@ public final class KeyGenParameterSpec implements AlgorithmParameterSpec, UserAu
            return this;
            return this;
        }
        }


        /**
         * @hide Sets whether the keystore requires the screen to be unlocked before allowing decryption
         * using this key. If this is set to {@code true}, any attempt to decrypt using this key
         * while the screen is locked will fail. A locked device requires a PIN, password,
         * fingerprint, or other trusted factor to access.
         */
        @NonNull
        public Builder setUnlockedDeviceRequired(boolean unlockedDeviceRequired) {
            mUnlockedDeviceRequired = unlockedDeviceRequired;
            return this;
        }

        /**
        /**
         * Builds an instance of {@code KeyGenParameterSpec}.
         * Builds an instance of {@code KeyGenParameterSpec}.
         */
         */
@@ -1305,7 +1330,8 @@ public final class KeyGenParameterSpec implements AlgorithmParameterSpec, UserAu
                    mUserAuthenticationValidWhileOnBody,
                    mUserAuthenticationValidWhileOnBody,
                    mInvalidatedByBiometricEnrollment,
                    mInvalidatedByBiometricEnrollment,
                    mIsStrongBoxBacked,
                    mIsStrongBoxBacked,
                    mUserConfirmationRequired);
                    mUserConfirmationRequired,
                    mUnlockedDeviceRequired);
        }
        }
    }
    }
}
}
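Review bot: The Javadoc on the new `Builder.setUnlockedDeviceRequired` (second-to-last hunk) describes the restriction as applying to "decryption", but the matching getter `isUnlockedDeviceRequired` says the key "cannot be used", and KeymasterUtils in the last file section emits KM_TAG_UNLOCKED_DEVICE_REQUIRED as a plain boolean with no purpose restriction, so signing and MAC operations are presumably gated as well; a reader of the setter doc could conclude a locked device still permits signing with the key. Suggest aligning the setter doc with the getter: `Sets whether the keystore requires the screen to be unlocked before allowing any use of this key. If this is set to {@code true}, any attempt to use this key while the screen is locked will fail.` The identical Javadoc on `KeyProtection.Builder.setUnlockedDeviceRequired` in the next file section has the same wording mismatch and should be changed together with this one.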
+33 −6
@@ -224,12 +224,13 @@ public final class KeyProtection implements ProtectionParameter, UserAuthArgs {
    private final boolean mRandomizedEncryptionRequired;
    private final boolean mRandomizedEncryptionRequired;
    private final boolean mUserAuthenticationRequired;
    private final boolean mUserAuthenticationRequired;
    private final int mUserAuthenticationValidityDurationSeconds;
    private final int mUserAuthenticationValidityDurationSeconds;
    private final boolean mTrustedUserPresenceRequred;
    private final boolean mTrustedUserPresenceRequired;
    private final boolean mUserAuthenticationValidWhileOnBody;
    private final boolean mUserAuthenticationValidWhileOnBody;
    private final boolean mInvalidatedByBiometricEnrollment;
    private final boolean mInvalidatedByBiometricEnrollment;
    private final long mBoundToSecureUserId;
    private final long mBoundToSecureUserId;
    private final boolean mCriticalToDeviceEncryption;
    private final boolean mCriticalToDeviceEncryption;
    private final boolean mUserConfirmationRequired;
    private final boolean mUserConfirmationRequired;
    private final boolean mUnlockedDeviceRequired;


    private KeyProtection(
    private KeyProtection(
            Date keyValidityStart,
            Date keyValidityStart,
@@ -243,12 +244,13 @@ public final class KeyProtection implements ProtectionParameter, UserAuthArgs {
            boolean randomizedEncryptionRequired,
            boolean randomizedEncryptionRequired,
            boolean userAuthenticationRequired,
            boolean userAuthenticationRequired,
            int userAuthenticationValidityDurationSeconds,
            int userAuthenticationValidityDurationSeconds,
            boolean trustedUserPresenceRequred,
            boolean trustedUserPresenceRequired,
            boolean userAuthenticationValidWhileOnBody,
            boolean userAuthenticationValidWhileOnBody,
            boolean invalidatedByBiometricEnrollment,
            boolean invalidatedByBiometricEnrollment,
            long boundToSecureUserId,
            long boundToSecureUserId,
            boolean criticalToDeviceEncryption,
            boolean criticalToDeviceEncryption,
            boolean userConfirmationRequired) {
            boolean userConfirmationRequired,
            boolean unlockedDeviceRequired) {
        mKeyValidityStart = Utils.cloneIfNotNull(keyValidityStart);
        mKeyValidityStart = Utils.cloneIfNotNull(keyValidityStart);
        mKeyValidityForOriginationEnd = Utils.cloneIfNotNull(keyValidityForOriginationEnd);
        mKeyValidityForOriginationEnd = Utils.cloneIfNotNull(keyValidityForOriginationEnd);
        mKeyValidityForConsumptionEnd = Utils.cloneIfNotNull(keyValidityForConsumptionEnd);
        mKeyValidityForConsumptionEnd = Utils.cloneIfNotNull(keyValidityForConsumptionEnd);
@@ -262,12 +264,13 @@ public final class KeyProtection implements ProtectionParameter, UserAuthArgs {
        mRandomizedEncryptionRequired = randomizedEncryptionRequired;
        mRandomizedEncryptionRequired = randomizedEncryptionRequired;
        mUserAuthenticationRequired = userAuthenticationRequired;
        mUserAuthenticationRequired = userAuthenticationRequired;
        mUserAuthenticationValidityDurationSeconds = userAuthenticationValidityDurationSeconds;
        mUserAuthenticationValidityDurationSeconds = userAuthenticationValidityDurationSeconds;
        mTrustedUserPresenceRequred = trustedUserPresenceRequred;
        mTrustedUserPresenceRequired = trustedUserPresenceRequired;
        mUserAuthenticationValidWhileOnBody = userAuthenticationValidWhileOnBody;
        mUserAuthenticationValidWhileOnBody = userAuthenticationValidWhileOnBody;
        mInvalidatedByBiometricEnrollment = invalidatedByBiometricEnrollment;
        mInvalidatedByBiometricEnrollment = invalidatedByBiometricEnrollment;
        mBoundToSecureUserId = boundToSecureUserId;
        mBoundToSecureUserId = boundToSecureUserId;
        mCriticalToDeviceEncryption = criticalToDeviceEncryption;
        mCriticalToDeviceEncryption = criticalToDeviceEncryption;
        mUserConfirmationRequired = userConfirmationRequired;
        mUserConfirmationRequired = userConfirmationRequired;
        mUnlockedDeviceRequired = unlockedDeviceRequired;
    }
    }


    /**
    /**
@@ -444,7 +447,7 @@ public final class KeyProtection implements ProtectionParameter, UserAuthArgs {
     * been performed between the {@code Signature.initSign()} and {@code Signature.sign()} calls.
     * been performed between the {@code Signature.initSign()} and {@code Signature.sign()} calls.
     */
     */
    public boolean isTrustedUserPresenceRequired() {
    public boolean isTrustedUserPresenceRequired() {
        return mTrustedUserPresenceRequred;
        return mTrustedUserPresenceRequired;
    }
    }


    /**
    /**
@@ -504,6 +507,15 @@ public final class KeyProtection implements ProtectionParameter, UserAuthArgs {
        return mCriticalToDeviceEncryption;
        return mCriticalToDeviceEncryption;
    }
    }


    /**
     * @hide Returns {@code true} if the key cannot be used unless the device screen is unlocked.
     *
     * @see Builder#setUnlockedDeviceRequired(boolean)
     */
    public boolean isUnlockedDeviceRequired() {
        return mUnlockedDeviceRequired;
    }

    /**
    /**
     * Builder of {@link KeyProtection} instances.
     * Builder of {@link KeyProtection} instances.
     */
     */
@@ -524,6 +536,8 @@ public final class KeyProtection implements ProtectionParameter, UserAuthArgs {
        private boolean mUserAuthenticationValidWhileOnBody;
        private boolean mUserAuthenticationValidWhileOnBody;
        private boolean mInvalidatedByBiometricEnrollment = true;
        private boolean mInvalidatedByBiometricEnrollment = true;
        private boolean mUserConfirmationRequired;
        private boolean mUserConfirmationRequired;
        private boolean mUnlockedDeviceRequired = false;

        private long mBoundToSecureUserId = GateKeeper.INVALID_SECURE_USER_ID;
        private long mBoundToSecureUserId = GateKeeper.INVALID_SECURE_USER_ID;
        private boolean mCriticalToDeviceEncryption = false;
        private boolean mCriticalToDeviceEncryption = false;


@@ -913,6 +927,18 @@ public final class KeyProtection implements ProtectionParameter, UserAuthArgs {
            return this;
            return this;
        }
        }


        /**
         * @hide Sets whether the keystore requires the screen to be unlocked before allowing decryption
         * using this key. If this is set to {@code true}, any attempt to decrypt using this key
         * while the screen is locked will fail. A locked device requires a PIN, password,
         * fingerprint, or other trusted factor to access.
         */
        @NonNull
        public Builder setUnlockedDeviceRequired(boolean unlockedDeviceRequired) {
            mUnlockedDeviceRequired = unlockedDeviceRequired;
            return this;
        }

        /**
        /**
         * Builds an instance of {@link KeyProtection}.
         * Builds an instance of {@link KeyProtection}.
         *
         *
@@ -937,7 +963,8 @@ public final class KeyProtection implements ProtectionParameter, UserAuthArgs {
                    mInvalidatedByBiometricEnrollment,
                    mInvalidatedByBiometricEnrollment,
                    mBoundToSecureUserId,
                    mBoundToSecureUserId,
                    mCriticalToDeviceEncryption,
                    mCriticalToDeviceEncryption,
                    mUserConfirmationRequired);
                    mUserConfirmationRequired,
                    mUnlockedDeviceRequired);
        }
        }
    }
    }
}
}
+8 −4
@@ -16,9 +16,8 @@


package android.security.keystore;
package android.security.keystore;


import android.util.Log;
import android.app.ActivityManager;
import android.hardware.fingerprint.FingerprintManager;
import android.hardware.fingerprint.FingerprintManager;
import android.os.UserHandle;
import android.security.GateKeeper;
import android.security.GateKeeper;
import android.security.KeyStore;
import android.security.KeyStore;
import android.security.keymaster.KeymasterArguments;
import android.security.keymaster.KeymasterArguments;
@@ -101,8 +100,9 @@ public abstract class KeymasterUtils {
     *         state (e.g., secure lock screen not set up) for generating or importing keys that
     *         state (e.g., secure lock screen not set up) for generating or importing keys that
     *         require user authentication.
     *         require user authentication.
     */
     */
    public static void addUserAuthArgs(KeymasterArguments args,
    public static void addUserAuthArgs(KeymasterArguments args, UserAuthArgs spec) {
            UserAuthArgs spec) {
        args.addUnsignedInt(KeymasterDefs.KM_TAG_USER_ID, ActivityManager.getCurrentUser());

        if (spec.isUserConfirmationRequired()) {
        if (spec.isUserConfirmationRequired()) {
            args.addBoolean(KeymasterDefs.KM_TAG_TRUSTED_CONFIRMATION_REQUIRED);
            args.addBoolean(KeymasterDefs.KM_TAG_TRUSTED_CONFIRMATION_REQUIRED);
        }
        }
@@ -111,6 +111,10 @@ public abstract class KeymasterUtils {
            args.addBoolean(KeymasterDefs.KM_TAG_TRUSTED_USER_PRESENCE_REQUIRED);
            args.addBoolean(KeymasterDefs.KM_TAG_TRUSTED_USER_PRESENCE_REQUIRED);
        }
        }


        if (spec.isUnlockedDeviceRequired()) {
            args.addBoolean(KeymasterDefs.KM_TAG_UNLOCKED_DEVICE_REQUIRED);
        }

        if (!spec.isUserAuthenticationRequired()) {
        if (!spec.isUserAuthenticationRequired()) {
            args.addBoolean(KeymasterDefs.KM_TAG_NO_AUTH_REQUIRED);
            args.addBoolean(KeymasterDefs.KM_TAG_NO_AUTH_REQUIRED);
            return;
            return;
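Review bot: The new first line of `addUserAuthArgs` adds KM_TAG_USER_ID unconditionally, so if the caller's `args` already carry that tag the argument set ends up with two user-id entries, and unlike the guarded default added to `KeyStore.begin` in the second file section there is no `containsTag` check; whether KeymasterArguments or keystore rejects duplicate tags is not visible here. The id is also the foreground user from `ActivityManager.getCurrentUser()`, not the user of the calling process, so a key generated by an app running under a background user would presumably be bound to, and have its unlocked-device check evaluated against, a different user's lock state; if the caller's own user is intended, `UserHandle.getUserId(Process.myUid())` would express that, which needs the `android.os.UserHandle` import this hunk removes (plus `android.os.Process`). At minimum the guard used in `KeyStore.begin` should be mirrored here: `if (!args.containsTag(KeymasterDefs.KM_TAG_USER_ID)) {` around the new line. The body of addUserAuthArgs continues past the hunk.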