Merge changes from topics "niap-asym-write-pi-dev", "niap-asym-write-api-pi-dev" into pi-dev (0186b42f) · Commits · e / os / android_frameworks_base

core/java/android/security/keymaster/KeymasterDefs.java

+3 −0

keystore/java/android/security/KeyStore.java

+6 −2

Original line number	Original line	Diff line number	Diff line
	@@ -16,6 +16,7 @@

	package android.security;		package android.security;

			import android.app.ActivityManager;
	import android.app.ActivityThread;		import android.app.ActivityThread;
	import android.app.Application;		import android.app.Application;
	import android.app.KeyguardManager;		import android.app.KeyguardManager;
	@@ -279,7 +280,7 @@ public class KeyStore {
	/**		/**
	* Attempt to lock the keystore for {@code user}.		* Attempt to lock the keystore for {@code user}.
	*		*
	* @param user Android user to lock.		* @param userId Android user to lock.
	* @return whether {@code user}'s keystore was locked.		* @return whether {@code user}'s keystore was locked.
	*/		*/
	public boolean lock(int userId) {		public boolean lock(int userId) {
	@@ -300,7 +301,7 @@ public class KeyStore {
	* This is required before keystore entries created with FLAG_ENCRYPTED can be accessed or		* This is required before keystore entries created with FLAG_ENCRYPTED can be accessed or
	* created.		* created.
	*		*
	* @param user Android user ID to operate on		* @param userId Android user ID to operate on
	* @param password user's keystore password. Should be the most recent value passed to		* @param password user's keystore password. Should be the most recent value passed to
	* {@link #onUserPasswordChanged} for the user.		* {@link #onUserPasswordChanged} for the user.
	*		*
	@@ -546,6 +547,9 @@ public class KeyStore {
	try {		try {
	args = args != null ? args : new KeymasterArguments();		args = args != null ? args : new KeymasterArguments();
	entropy = entropy != null ? entropy : new byte[0];		entropy = entropy != null ? entropy : new byte[0];
			if (!args.containsTag(KeymasterDefs.KM_TAG_USER_ID)) {
			args.addUnsignedInt(KeymasterDefs.KM_TAG_USER_ID, ActivityManager.getCurrentUser());
			}
	return mBinder.begin(getToken(), alias, purpose, pruneable, args, entropy, uid);		return mBinder.begin(getToken(), alias, purpose, pruneable, args, entropy, uid);
	} catch (RemoteException e) {		} catch (RemoteException e) {
	Log.w(TAG, "Cannot connect to keystore", e);		Log.w(TAG, "Cannot connect to keystore", e);

keystore/java/android/security/keystore/KeyGenParameterSpec.java

+28 −2

Original line number	Original line	Diff line number	Diff line
	@@ -266,6 +266,7 @@ public final class KeyGenParameterSpec implements AlgorithmParameterSpec, UserAu
	private final boolean mInvalidatedByBiometricEnrollment;		private final boolean mInvalidatedByBiometricEnrollment;
	private final boolean mIsStrongBoxBacked;		private final boolean mIsStrongBoxBacked;
	private final boolean mUserConfirmationRequired;		private final boolean mUserConfirmationRequired;
			private final boolean mUnlockedDeviceRequired;

	/**		/**
	* @hide should be built with Builder		* @hide should be built with Builder
	@@ -296,7 +297,8 @@ public final class KeyGenParameterSpec implements AlgorithmParameterSpec, UserAu
	boolean userAuthenticationValidWhileOnBody,		boolean userAuthenticationValidWhileOnBody,
	boolean invalidatedByBiometricEnrollment,		boolean invalidatedByBiometricEnrollment,
	boolean isStrongBoxBacked,		boolean isStrongBoxBacked,
	boolean userConfirmationRequired) {		boolean userConfirmationRequired,
			boolean unlockedDeviceRequired) {
	if (TextUtils.isEmpty(keyStoreAlias)) {		if (TextUtils.isEmpty(keyStoreAlias)) {
	throw new IllegalArgumentException("keyStoreAlias must not be empty");		throw new IllegalArgumentException("keyStoreAlias must not be empty");
	}		}
	@@ -345,6 +347,7 @@ public final class KeyGenParameterSpec implements AlgorithmParameterSpec, UserAu
	mInvalidatedByBiometricEnrollment = invalidatedByBiometricEnrollment;		mInvalidatedByBiometricEnrollment = invalidatedByBiometricEnrollment;
	mIsStrongBoxBacked = isStrongBoxBacked;		mIsStrongBoxBacked = isStrongBoxBacked;
	mUserConfirmationRequired = userConfirmationRequired;		mUserConfirmationRequired = userConfirmationRequired;
			mUnlockedDeviceRequired = unlockedDeviceRequired;
	}		}

	/**		/**
	@@ -669,6 +672,15 @@ public final class KeyGenParameterSpec implements AlgorithmParameterSpec, UserAu
	return mIsStrongBoxBacked;		return mIsStrongBoxBacked;
	}		}

			/**
			* @hide Returns {@code true} if the key cannot be used unless the device screen is unlocked.
			*
			* @see Builder#setUnlockedDeviceRequired(boolean)
			*/
			public boolean isUnlockedDeviceRequired() {
			return mUnlockedDeviceRequired;
			}

	/**		/**
	* @hide		* @hide
	*/		*/
	@@ -707,6 +719,7 @@ public final class KeyGenParameterSpec implements AlgorithmParameterSpec, UserAu
	private boolean mInvalidatedByBiometricEnrollment = true;		private boolean mInvalidatedByBiometricEnrollment = true;
	private boolean mIsStrongBoxBacked = false;		private boolean mIsStrongBoxBacked = false;
	private boolean mUserConfirmationRequired;		private boolean mUserConfirmationRequired;
			private boolean mUnlockedDeviceRequired = false;

	/**		/**
	* Creates a new instance of the {@code Builder}.		* Creates a new instance of the {@code Builder}.
	@@ -1274,6 +1287,18 @@ public final class KeyGenParameterSpec implements AlgorithmParameterSpec, UserAu
	return this;		return this;
	}		}

			/**
			* @hide Sets whether the keystore requires the screen to be unlocked before allowing decryption
			* using this key. If this is set to {@code true}, any attempt to decrypt using this key
			* while the screen is locked will fail. A locked device requires a PIN, password,
			* fingerprint, or other trusted factor to access.
			*/
			@NonNull
			public Builder setUnlockedDeviceRequired(boolean unlockedDeviceRequired) {
			mUnlockedDeviceRequired = unlockedDeviceRequired;
			return this;
			}

	/**		/**
	* Builds an instance of {@code KeyGenParameterSpec}.		* Builds an instance of {@code KeyGenParameterSpec}.
	*/		*/
	@@ -1305,7 +1330,8 @@ public final class KeyGenParameterSpec implements AlgorithmParameterSpec, UserAu
	mUserAuthenticationValidWhileOnBody,		mUserAuthenticationValidWhileOnBody,
	mInvalidatedByBiometricEnrollment,		mInvalidatedByBiometricEnrollment,
	mIsStrongBoxBacked,		mIsStrongBoxBacked,
	mUserConfirmationRequired);		mUserConfirmationRequired,
			mUnlockedDeviceRequired);
	}		}
	}		}
	}		}

keystore/java/android/security/keystore/KeyProtection.java

+33 −6

Original line number	Original line	Diff line number	Diff line
	@@ -224,12 +224,13 @@ public final class KeyProtection implements ProtectionParameter, UserAuthArgs {
	private final boolean mRandomizedEncryptionRequired;		private final boolean mRandomizedEncryptionRequired;
	private final boolean mUserAuthenticationRequired;		private final boolean mUserAuthenticationRequired;
	private final int mUserAuthenticationValidityDurationSeconds;		private final int mUserAuthenticationValidityDurationSeconds;
	private final boolean mTrustedUserPresenceRequred;		private final boolean mTrustedUserPresenceRequired;
	private final boolean mUserAuthenticationValidWhileOnBody;		private final boolean mUserAuthenticationValidWhileOnBody;
	private final boolean mInvalidatedByBiometricEnrollment;		private final boolean mInvalidatedByBiometricEnrollment;
	private final long mBoundToSecureUserId;		private final long mBoundToSecureUserId;
	private final boolean mCriticalToDeviceEncryption;		private final boolean mCriticalToDeviceEncryption;
	private final boolean mUserConfirmationRequired;		private final boolean mUserConfirmationRequired;
			private final boolean mUnlockedDeviceRequired;

	private KeyProtection(		private KeyProtection(
	Date keyValidityStart,		Date keyValidityStart,
	@@ -243,12 +244,13 @@ public final class KeyProtection implements ProtectionParameter, UserAuthArgs {
	boolean randomizedEncryptionRequired,		boolean randomizedEncryptionRequired,
	boolean userAuthenticationRequired,		boolean userAuthenticationRequired,
	int userAuthenticationValidityDurationSeconds,		int userAuthenticationValidityDurationSeconds,
	boolean trustedUserPresenceRequred,		boolean trustedUserPresenceRequired,
	boolean userAuthenticationValidWhileOnBody,		boolean userAuthenticationValidWhileOnBody,
	boolean invalidatedByBiometricEnrollment,		boolean invalidatedByBiometricEnrollment,
	long boundToSecureUserId,		long boundToSecureUserId,
	boolean criticalToDeviceEncryption,		boolean criticalToDeviceEncryption,
	boolean userConfirmationRequired) {		boolean userConfirmationRequired,
			boolean unlockedDeviceRequired) {
	mKeyValidityStart = Utils.cloneIfNotNull(keyValidityStart);		mKeyValidityStart = Utils.cloneIfNotNull(keyValidityStart);
	mKeyValidityForOriginationEnd = Utils.cloneIfNotNull(keyValidityForOriginationEnd);		mKeyValidityForOriginationEnd = Utils.cloneIfNotNull(keyValidityForOriginationEnd);
	mKeyValidityForConsumptionEnd = Utils.cloneIfNotNull(keyValidityForConsumptionEnd);		mKeyValidityForConsumptionEnd = Utils.cloneIfNotNull(keyValidityForConsumptionEnd);
	@@ -262,12 +264,13 @@ public final class KeyProtection implements ProtectionParameter, UserAuthArgs {
	mRandomizedEncryptionRequired = randomizedEncryptionRequired;		mRandomizedEncryptionRequired = randomizedEncryptionRequired;
	mUserAuthenticationRequired = userAuthenticationRequired;		mUserAuthenticationRequired = userAuthenticationRequired;
	mUserAuthenticationValidityDurationSeconds = userAuthenticationValidityDurationSeconds;		mUserAuthenticationValidityDurationSeconds = userAuthenticationValidityDurationSeconds;
	mTrustedUserPresenceRequred = trustedUserPresenceRequred;		mTrustedUserPresenceRequired = trustedUserPresenceRequired;
	mUserAuthenticationValidWhileOnBody = userAuthenticationValidWhileOnBody;		mUserAuthenticationValidWhileOnBody = userAuthenticationValidWhileOnBody;
	mInvalidatedByBiometricEnrollment = invalidatedByBiometricEnrollment;		mInvalidatedByBiometricEnrollment = invalidatedByBiometricEnrollment;
	mBoundToSecureUserId = boundToSecureUserId;		mBoundToSecureUserId = boundToSecureUserId;
	mCriticalToDeviceEncryption = criticalToDeviceEncryption;		mCriticalToDeviceEncryption = criticalToDeviceEncryption;
	mUserConfirmationRequired = userConfirmationRequired;		mUserConfirmationRequired = userConfirmationRequired;
			mUnlockedDeviceRequired = unlockedDeviceRequired;
	}		}

	/**		/**
	@@ -444,7 +447,7 @@ public final class KeyProtection implements ProtectionParameter, UserAuthArgs {
	* been performed between the {@code Signature.initSign()} and {@code Signature.sign()} calls.		* been performed between the {@code Signature.initSign()} and {@code Signature.sign()} calls.
	*/		*/
	public boolean isTrustedUserPresenceRequired() {		public boolean isTrustedUserPresenceRequired() {
	return mTrustedUserPresenceRequred;		return mTrustedUserPresenceRequired;
	}		}

	/**		/**
	@@ -504,6 +507,15 @@ public final class KeyProtection implements ProtectionParameter, UserAuthArgs {
	return mCriticalToDeviceEncryption;		return mCriticalToDeviceEncryption;
	}		}

			/**
			* @hide Returns {@code true} if the key cannot be used unless the device screen is unlocked.
			*
			* @see Builder#setUnlockedDeviceRequired(boolean)
			*/
			public boolean isUnlockedDeviceRequired() {
			return mUnlockedDeviceRequired;
			}

	/**		/**
	* Builder of {@link KeyProtection} instances.		* Builder of {@link KeyProtection} instances.
	*/		*/
	@@ -524,6 +536,8 @@ public final class KeyProtection implements ProtectionParameter, UserAuthArgs {
	private boolean mUserAuthenticationValidWhileOnBody;		private boolean mUserAuthenticationValidWhileOnBody;
	private boolean mInvalidatedByBiometricEnrollment = true;		private boolean mInvalidatedByBiometricEnrollment = true;
	private boolean mUserConfirmationRequired;		private boolean mUserConfirmationRequired;
			private boolean mUnlockedDeviceRequired = false;

	private long mBoundToSecureUserId = GateKeeper.INVALID_SECURE_USER_ID;		private long mBoundToSecureUserId = GateKeeper.INVALID_SECURE_USER_ID;
	private boolean mCriticalToDeviceEncryption = false;		private boolean mCriticalToDeviceEncryption = false;

	@@ -913,6 +927,18 @@ public final class KeyProtection implements ProtectionParameter, UserAuthArgs {
	return this;		return this;
	}		}

			/**
			* @hide Sets whether the keystore requires the screen to be unlocked before allowing decryption
			* using this key. If this is set to {@code true}, any attempt to decrypt using this key
			* while the screen is locked will fail. A locked device requires a PIN, password,
			* fingerprint, or other trusted factor to access.
			*/
			@NonNull
			public Builder setUnlockedDeviceRequired(boolean unlockedDeviceRequired) {
			mUnlockedDeviceRequired = unlockedDeviceRequired;
			return this;
			}

	/**		/**
	* Builds an instance of {@link KeyProtection}.		* Builds an instance of {@link KeyProtection}.
	*		*
	@@ -937,7 +963,8 @@ public final class KeyProtection implements ProtectionParameter, UserAuthArgs {
	mInvalidatedByBiometricEnrollment,		mInvalidatedByBiometricEnrollment,
	mBoundToSecureUserId,		mBoundToSecureUserId,
	mCriticalToDeviceEncryption,		mCriticalToDeviceEncryption,
	mUserConfirmationRequired);		mUserConfirmationRequired,
			mUnlockedDeviceRequired);
	}		}
	}		}
	}		}

keystore/java/android/security/keystore/KeymasterUtils.java

+8 −4

Original line number	Original line	Diff line number	Diff line
	@@ -16,9 +16,8 @@

	package android.security.keystore;		package android.security.keystore;

	import android.util.Log;		import android.app.ActivityManager;
	import android.hardware.fingerprint.FingerprintManager;		import android.hardware.fingerprint.FingerprintManager;
	import android.os.UserHandle;
	import android.security.GateKeeper;		import android.security.GateKeeper;
	import android.security.KeyStore;		import android.security.KeyStore;
	import android.security.keymaster.KeymasterArguments;		import android.security.keymaster.KeymasterArguments;
	@@ -101,8 +100,9 @@ public abstract class KeymasterUtils {
	* state (e.g., secure lock screen not set up) for generating or importing keys that		* state (e.g., secure lock screen not set up) for generating or importing keys that
	* require user authentication.		* require user authentication.
	*/		*/
	public static void addUserAuthArgs(KeymasterArguments args,		public static void addUserAuthArgs(KeymasterArguments args, UserAuthArgs spec) {
	UserAuthArgs spec) {		args.addUnsignedInt(KeymasterDefs.KM_TAG_USER_ID, ActivityManager.getCurrentUser());

	if (spec.isUserConfirmationRequired()) {		if (spec.isUserConfirmationRequired()) {
	args.addBoolean(KeymasterDefs.KM_TAG_TRUSTED_CONFIRMATION_REQUIRED);		args.addBoolean(KeymasterDefs.KM_TAG_TRUSTED_CONFIRMATION_REQUIRED);
	}		}
	@@ -111,6 +111,10 @@ public abstract class KeymasterUtils {
	args.addBoolean(KeymasterDefs.KM_TAG_TRUSTED_USER_PRESENCE_REQUIRED);		args.addBoolean(KeymasterDefs.KM_TAG_TRUSTED_USER_PRESENCE_REQUIRED);
	}		}

			if (spec.isUnlockedDeviceRequired()) {
			args.addBoolean(KeymasterDefs.KM_TAG_UNLOCKED_DEVICE_REQUIRED);
			}

	if (!spec.isUserAuthenticationRequired()) {		if (!spec.isUserAuthenticationRequired()) {
	args.addBoolean(KeymasterDefs.KM_TAG_NO_AUTH_REQUIRED);		args.addBoolean(KeymasterDefs.KM_TAG_NO_AUTH_REQUIRED);
	return;		return;