Loading keystore/java/android/security/keystore/KeymasterUtils.java +59 −44 Original line number Diff line number Diff line Loading @@ -82,38 +82,22 @@ public abstract class KeymasterUtils { } } /** * Adds keymaster arguments to express the key's authorization policy supported by user * authentication. * * @param args The arguments sent to keymaster that need to be populated from the spec * @param spec The user authentication relevant portions of the spec passed in from the caller. * This spec will be translated into the relevant keymaster tags to be loaded into args. * @throws IllegalStateException if user authentication is required but the system is in a wrong * state (e.g., secure lock screen not set up) for generating or importing keys that * require user authentication. */ public static void addUserAuthArgs(KeymasterArguments args, UserAuthArgs spec) { if (spec.isUserConfirmationRequired()) { args.addBoolean(KeymasterDefs.KM_TAG_TRUSTED_CONFIRMATION_REQUIRED); } if (spec.isUserPresenceRequired()) { args.addBoolean(KeymasterDefs.KM_TAG_TRUSTED_USER_PRESENCE_REQUIRED); } if (spec.isUnlockedDeviceRequired()) { args.addBoolean(KeymasterDefs.KM_TAG_UNLOCKED_DEVICE_REQUIRED); } if (!spec.isUserAuthenticationRequired()) { args.addBoolean(KeymasterDefs.KM_TAG_NO_AUTH_REQUIRED); return; private static void addSids(KeymasterArguments args, UserAuthArgs spec) { // If both biometric and credential are accepted, then just use the root sid from gatekeeper if (spec.getUserAuthenticationType() == (KeyProperties.AUTH_BIOMETRIC_STRONG | KeyProperties.AUTH_DEVICE_CREDENTIAL)) { if (spec.getBoundToSpecificSecureUserId() != GateKeeper.INVALID_SECURE_USER_ID) { args.addUnsignedLong(KeymasterDefs.KM_TAG_USER_SECURE_ID, KeymasterArguments.toUint64(spec.getBoundToSpecificSecureUserId())); } else { // The key is authorized for use for the specified amount of time after the user has // authenticated. Whatever unlocks the secure lock screen should authorize this key. args.addUnsignedLong(KeymasterDefs.KM_TAG_USER_SECURE_ID, KeymasterArguments.toUint64(getRootSid())); } if (spec.getUserAuthenticationValidityDurationSeconds() == 0) { // Every use of this key needs to be authorized by the user. } else { List<Long> sids = new ArrayList<>(); if ((spec.getUserAuthenticationType() & KeyProperties.AUTH_BIOMETRIC_STRONG) != 0) { final BiometricManager bm = KeyStore.getApplicationContext() .getSystemService(BiometricManager.class); Loading @@ -128,7 +112,6 @@ public abstract class KeymasterUtils { + " authentication for every use"); } List<Long> sids = new ArrayList<>(); if (spec.getBoundToSpecificSecureUserId() != GateKeeper.INVALID_SECURE_USER_ID) { sids.add(spec.getBoundToSpecificSecureUserId()); } else if (spec.isInvalidatedByBiometricEnrollment()) { Loading @@ -142,12 +125,53 @@ public abstract class KeymasterUtils { // enrolled fingerprints, allowing the key to remain valid. sids.add(getRootSid()); } } else if ((spec.getUserAuthenticationType() & KeyProperties.AUTH_DEVICE_CREDENTIAL) != 0) { sids.add(getRootSid()); } else { throw new IllegalStateException("Invalid or no authentication type specified."); } for (int i = 0; i < sids.size(); i++) { args.addUnsignedLong(KeymasterDefs.KM_TAG_USER_SECURE_ID, KeymasterArguments.toUint64(sids.get(i))); } } } /** * Adds keymaster arguments to express the key's authorization policy supported by user * authentication. * * @param args The arguments sent to keymaster that need to be populated from the spec * @param spec The user authentication relevant portions of the spec passed in from the caller. * This spec will be translated into the relevant keymaster tags to be loaded into args. * @throws IllegalStateException if user authentication is required but the system is in a wrong * state (e.g., secure lock screen not set up) for generating or importing keys that * require user authentication. */ public static void addUserAuthArgs(KeymasterArguments args, UserAuthArgs spec) { if (spec.isUserConfirmationRequired()) { args.addBoolean(KeymasterDefs.KM_TAG_TRUSTED_CONFIRMATION_REQUIRED); } if (spec.isUserPresenceRequired()) { args.addBoolean(KeymasterDefs.KM_TAG_TRUSTED_USER_PRESENCE_REQUIRED); } if (spec.isUnlockedDeviceRequired()) { args.addBoolean(KeymasterDefs.KM_TAG_UNLOCKED_DEVICE_REQUIRED); } if (!spec.isUserAuthenticationRequired()) { args.addBoolean(KeymasterDefs.KM_TAG_NO_AUTH_REQUIRED); return; } if (spec.getUserAuthenticationValidityDurationSeconds() == 0) { // Every use of this key needs to be authorized by the user. addSids(args, spec); args.addEnum(KeymasterDefs.KM_TAG_USER_AUTH_TYPE, spec.getUserAuthenticationType()); if (spec.isUserAuthenticationValidWhileOnBody()) { Loading @@ -155,16 +179,7 @@ public abstract class KeymasterUtils { + "supported for keys requiring fingerprint authentication"); } } else { long sid; if (spec.getBoundToSpecificSecureUserId() != GateKeeper.INVALID_SECURE_USER_ID) { sid = spec.getBoundToSpecificSecureUserId(); } else { // The key is authorized for use for the specified amount of time after the user has // authenticated. Whatever unlocks the secure lock screen should authorize this key. sid = getRootSid(); } args.addUnsignedLong(KeymasterDefs.KM_TAG_USER_SECURE_ID, KeymasterArguments.toUint64(sid)); addSids(args, spec); args.addEnum(KeymasterDefs.KM_TAG_USER_AUTH_TYPE, spec.getUserAuthenticationType()); args.addUnsignedInt(KeymasterDefs.KM_TAG_AUTH_TIMEOUT, spec.getUserAuthenticationValidityDurationSeconds()); Loading Loading
keystore/java/android/security/keystore/KeymasterUtils.java +59 −44 Original line number Diff line number Diff line Loading @@ -82,38 +82,22 @@ public abstract class KeymasterUtils { } } /** * Adds keymaster arguments to express the key's authorization policy supported by user * authentication. * * @param args The arguments sent to keymaster that need to be populated from the spec * @param spec The user authentication relevant portions of the spec passed in from the caller. * This spec will be translated into the relevant keymaster tags to be loaded into args. * @throws IllegalStateException if user authentication is required but the system is in a wrong * state (e.g., secure lock screen not set up) for generating or importing keys that * require user authentication. */ public static void addUserAuthArgs(KeymasterArguments args, UserAuthArgs spec) { if (spec.isUserConfirmationRequired()) { args.addBoolean(KeymasterDefs.KM_TAG_TRUSTED_CONFIRMATION_REQUIRED); } if (spec.isUserPresenceRequired()) { args.addBoolean(KeymasterDefs.KM_TAG_TRUSTED_USER_PRESENCE_REQUIRED); } if (spec.isUnlockedDeviceRequired()) { args.addBoolean(KeymasterDefs.KM_TAG_UNLOCKED_DEVICE_REQUIRED); } if (!spec.isUserAuthenticationRequired()) { args.addBoolean(KeymasterDefs.KM_TAG_NO_AUTH_REQUIRED); return; private static void addSids(KeymasterArguments args, UserAuthArgs spec) { // If both biometric and credential are accepted, then just use the root sid from gatekeeper if (spec.getUserAuthenticationType() == (KeyProperties.AUTH_BIOMETRIC_STRONG | KeyProperties.AUTH_DEVICE_CREDENTIAL)) { if (spec.getBoundToSpecificSecureUserId() != GateKeeper.INVALID_SECURE_USER_ID) { args.addUnsignedLong(KeymasterDefs.KM_TAG_USER_SECURE_ID, KeymasterArguments.toUint64(spec.getBoundToSpecificSecureUserId())); } else { // The key is authorized for use for the specified amount of time after the user has // authenticated. Whatever unlocks the secure lock screen should authorize this key. args.addUnsignedLong(KeymasterDefs.KM_TAG_USER_SECURE_ID, KeymasterArguments.toUint64(getRootSid())); } if (spec.getUserAuthenticationValidityDurationSeconds() == 0) { // Every use of this key needs to be authorized by the user. } else { List<Long> sids = new ArrayList<>(); if ((spec.getUserAuthenticationType() & KeyProperties.AUTH_BIOMETRIC_STRONG) != 0) { final BiometricManager bm = KeyStore.getApplicationContext() .getSystemService(BiometricManager.class); Loading @@ -128,7 +112,6 @@ public abstract class KeymasterUtils { + " authentication for every use"); } List<Long> sids = new ArrayList<>(); if (spec.getBoundToSpecificSecureUserId() != GateKeeper.INVALID_SECURE_USER_ID) { sids.add(spec.getBoundToSpecificSecureUserId()); } else if (spec.isInvalidatedByBiometricEnrollment()) { Loading @@ -142,12 +125,53 @@ public abstract class KeymasterUtils { // enrolled fingerprints, allowing the key to remain valid. sids.add(getRootSid()); } } else if ((spec.getUserAuthenticationType() & KeyProperties.AUTH_DEVICE_CREDENTIAL) != 0) { sids.add(getRootSid()); } else { throw new IllegalStateException("Invalid or no authentication type specified."); } for (int i = 0; i < sids.size(); i++) { args.addUnsignedLong(KeymasterDefs.KM_TAG_USER_SECURE_ID, KeymasterArguments.toUint64(sids.get(i))); } } } /** * Adds keymaster arguments to express the key's authorization policy supported by user * authentication. * * @param args The arguments sent to keymaster that need to be populated from the spec * @param spec The user authentication relevant portions of the spec passed in from the caller. * This spec will be translated into the relevant keymaster tags to be loaded into args. * @throws IllegalStateException if user authentication is required but the system is in a wrong * state (e.g., secure lock screen not set up) for generating or importing keys that * require user authentication. */ public static void addUserAuthArgs(KeymasterArguments args, UserAuthArgs spec) { if (spec.isUserConfirmationRequired()) { args.addBoolean(KeymasterDefs.KM_TAG_TRUSTED_CONFIRMATION_REQUIRED); } if (spec.isUserPresenceRequired()) { args.addBoolean(KeymasterDefs.KM_TAG_TRUSTED_USER_PRESENCE_REQUIRED); } if (spec.isUnlockedDeviceRequired()) { args.addBoolean(KeymasterDefs.KM_TAG_UNLOCKED_DEVICE_REQUIRED); } if (!spec.isUserAuthenticationRequired()) { args.addBoolean(KeymasterDefs.KM_TAG_NO_AUTH_REQUIRED); return; } if (spec.getUserAuthenticationValidityDurationSeconds() == 0) { // Every use of this key needs to be authorized by the user. addSids(args, spec); args.addEnum(KeymasterDefs.KM_TAG_USER_AUTH_TYPE, spec.getUserAuthenticationType()); if (spec.isUserAuthenticationValidWhileOnBody()) { Loading @@ -155,16 +179,7 @@ public abstract class KeymasterUtils { + "supported for keys requiring fingerprint authentication"); } } else { long sid; if (spec.getBoundToSpecificSecureUserId() != GateKeeper.INVALID_SECURE_USER_ID) { sid = spec.getBoundToSpecificSecureUserId(); } else { // The key is authorized for use for the specified amount of time after the user has // authenticated. Whatever unlocks the secure lock screen should authorize this key. sid = getRootSid(); } args.addUnsignedLong(KeymasterDefs.KM_TAG_USER_SECURE_ID, KeymasterArguments.toUint64(sid)); addSids(args, spec); args.addEnum(KeymasterDefs.KM_TAG_USER_AUTH_TYPE, spec.getUserAuthenticationType()); args.addUnsignedInt(KeymasterDefs.KM_TAG_AUTH_TIMEOUT, spec.getUserAuthenticationValidityDurationSeconds()); Loading
