
Commit 10a9f178 authored by Alex Klyubin's avatar Alex Klyubin

Set Secure User ID from app level.

When AndroidKeyStore keys require user authentication, they need to be
bound to a Keymaster's Secure User ID. This ID will be set by keystore
soon. Until then, set it from the framework level (i.e., from apps
which use AndroidKeyStore).

NOTE: Accessing gatekeeper to obtain the Secure User ID will be
blocked by SELinux policy. To test this code, disable SELinux
enforcing mode.

Bug: 18088752
Change-Id: I7a3315eb52f0fc978d14d5d0e9613f2f36c6c01e
parent aa0d7f60
+6 −0
@@ -535,6 +535,12 @@ public class AndroidKeyStore extends KeyStoreSpi {
            args.addInt(KeymasterDefs.KM_TAG_USER_AUTH_TYPE,
                    KeyStoreKeyProperties.UserAuthenticator.allToKeymaster(
                            params.getUserAuthenticators()));
            long secureUserId = GateKeeper.getSecureUserId();
            if (secureUserId == 0) {
                throw new IllegalStateException("Secure lock screen must be enabled"
                        + " to import keys requiring user authentication");
            }
            args.addLong(KeymasterDefs.KM_TAG_USER_SECURE_ID, secureUserId);
        }
        if (params.isInvalidatedOnNewFingerprintEnrolled()) {
            // TODO: Add the invalidate on fingerprint enrolled constraint once Keymaster supports
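Review bot: The Secure User ID passed in `args.addLong(KeymasterDefs.KM_TAG_USER_SECURE_ID, secureUserId)` is read and supplied by the calling app's own process, so the key's binding to the user's authenticator is only as trustworthy as the client; the commit description calls this temporary, but nothing in the code marks it. I would add a comment above `long secureUserId = GateKeeper.getSecureUserId();`, for example `// TODO: Remove once keystore sets KM_TAG_USER_SECURE_ID itself; a client-supplied ID is not enforced by the service.` The same six lines are added in the KeyStoreKeyGeneratorSpi hunk with only the exception message differing, so the comment applies there too, and a shared private helper would keep the two copies from drifting apart. The enclosing method starts and ends outside this hunk.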
+30 −0
package android.security;

import android.os.RemoteException;
import android.os.ServiceManager;
import android.os.UserHandle;
import android.service.gatekeeper.IGateKeeperService;

/**
 * Convenience class for accessing the gatekeeper service.
 *
 * @hide
 */
public abstract class GateKeeper {

    private GateKeeper() {}

    public static IGateKeeperService getService() {
        return IGateKeeperService.Stub.asInterface(
                ServiceManager.getService("android.service.gatekeeper.IGateKeeperService"));
    }

    public static long getSecureUserId() throws IllegalStateException {
        try {
            return GateKeeper.getService().getSecureUserId(UserHandle.myUserId());
        } catch (RemoteException e) {
            throw new IllegalStateException(
                    "Failed to obtain secure user ID from gatekeeper", e);
        }
    }
}
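Review bot: `getSecureUserId()` dereferences the result of `getService()` without a null check, and `ServiceManager.getService(...)` returns null when the service is not registered (presumably also when the lookup is denied by SELinux policy, which the commit description says will happen). Callers would then get a NullPointerException instead of the declared IllegalStateException, which makes the denial harder to diagnose. A guard before the call keeps the failure mode uniform: `IGateKeeperService service = getService();` followed by `if (service == null) throw new IllegalStateException("Gatekeeper service not available");`. Both public methods also lack Javadoc; it should state that a returned ID of 0 is what the callers in this commit treat as "no secure lock screen enabled".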
+6 −0
@@ -167,6 +167,12 @@ public abstract class KeyStoreKeyGeneratorSpi extends KeyGeneratorSpi {
            args.addInt(KeymasterDefs.KM_TAG_USER_AUTH_TYPE,
                    KeyStoreKeyProperties.UserAuthenticator.allToKeymaster(
                            spec.getUserAuthenticators()));
            long secureUserId = GateKeeper.getSecureUserId();
            if (secureUserId == 0) {
                throw new IllegalStateException("Secure lock screen must be enabled"
                        + " to generate keys requiring user authentication");
            }
            args.addLong(KeymasterDefs.KM_TAG_USER_SECURE_ID, secureUserId);
        }
        if (spec.isInvalidatedOnNewFingerprintEnrolled()) {
            // TODO: Add the invalidate on fingerprint enrolled constraint once Keymaster supports