Merge "Ports the first part of encryption/key to AOSP."

/*

 * Copyright (C) 2018 The Android Open Source Project

 *

 * Licensed under the Apache License, Version 2.0 (the "License");

 * you may not use this file except in compliance with the License.

 * You may obtain a copy of the License at

 *

 *      http://www.apache.org/licenses/LICENSE-2.0

 *

 * Unless required by applicable law or agreed to in writing, software

 * distributed under the License is distributed on an "AS IS" BASIS,

 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

 * See the License for the specific language governing permissions and

 * limitations under the License.

 */

package com.android.server.backup.encryption.keys;

import static com.android.internal.util.Preconditions.checkNotNull;

import android.annotation.IntDef;

import android.content.Context;

import android.security.keystore.recovery.InternalRecoveryServiceException;

import android.security.keystore.recovery.RecoveryController;

import android.util.Slog;

import javax.crypto.SecretKey;

/**

 * Wraps a {@link RecoveryController}'s {@link SecretKey}. These are kept in "AndroidKeyStore" (a

 * provider for {@link java.security.KeyStore} and {@link javax.crypto.KeyGenerator}. They are also

 * synced with the recoverable key store, wrapped by the primary key. This allows them to be

 * recovered on a user's subsequent device through providing their lock screen secret.

 */

public class RecoverableKeyStoreSecondaryKey {

    private static final String TAG = "RecoverableKeyStoreSecondaryKey";

    private final String mAlias;

    private final SecretKey mSecretKey;

    /**

     * A new instance.

     *

     * @param alias The alias. It is keyed with this in AndroidKeyStore and the recoverable key

     *     store.

     * @param secretKey The key.

     */

    public RecoverableKeyStoreSecondaryKey(String alias, SecretKey secretKey) {

        mAlias = checkNotNull(alias);

        mSecretKey = checkNotNull(secretKey);

    }

    /**

     * The ID, as stored in the recoverable {@link java.security.KeyStore}, and as used to identify

     * wrapped tertiary keys on the backup server.

     */

    public String getAlias() {

        return mAlias;

    }

    /** The secret key, to be used to wrap tertiary keys. */

    public SecretKey getSecretKey() {

        return mSecretKey;

    }

    /**

     * The status of the key. i.e., whether it's been synced to remote trusted hardware.

     *

     * @param context The application context.

     * @return One of {@link Status#SYNCED}, {@link Status#NOT_SYNCED} or {@link Status#DESTROYED}.

     */

    public @Status int getStatus(Context context) {

        try {

            return getStatusInternal(context);

        } catch (InternalRecoveryServiceException e) {

            Slog.wtf(TAG, "Internal error getting recovery status", e);

            // Return NOT_SYNCED by default, as we do not want the backups to fail or to repeatedly

            // attempt to reinitialize.

            return Status.NOT_SYNCED;

        }

    }

    private @Status int getStatusInternal(Context context) throws InternalRecoveryServiceException {

        int status = RecoveryController.getInstance(context).getRecoveryStatus(mAlias);

        switch (status) {

            case RecoveryController.RECOVERY_STATUS_PERMANENT_FAILURE:

                return Status.DESTROYED;

            case RecoveryController.RECOVERY_STATUS_SYNCED:

                return Status.SYNCED;

            case RecoveryController.RECOVERY_STATUS_SYNC_IN_PROGRESS:

                return Status.NOT_SYNCED;

            default:

                // Throw an exception if we encounter a status that doesn't match any of the above.

                throw new InternalRecoveryServiceException(

                        "Unexpected status from getRecoveryStatus: " + status);

        }

    }

    /** Status of a key in the recoverable key store. */

    @IntDef({Status.NOT_SYNCED, Status.SYNCED, Status.DESTROYED})

    public @interface Status {

        /**

         * The key has not yet been synced to remote trusted hardware. This may be because the user

         * has not yet unlocked their device.

         */

        int NOT_SYNCED = 1;

        /**

         * The key has been synced with remote trusted hardware. It should now be recoverable on

         * another device.

         */

        int SYNCED = 2;

        /** The key has been lost forever. This can occur if the user disables their lock screen. */

        int DESTROYED = 3;

    }

}

/*

 * Copyright (C) 2018 The Android Open Source Project

 *

 * Licensed under the Apache License, Version 2.0 (the "License");

 * you may not use this file except in compliance with the License.

 * You may obtain a copy of the License at

 *

 *      http://www.apache.org/licenses/LICENSE-2.0

 *

 * Unless required by applicable law or agreed to in writing, software

 * distributed under the License is distributed on an "AS IS" BASIS,

 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

 * See the License for the specific language governing permissions and

 * limitations under the License.

 */

package com.android.server.backup.encryption.keys;

import android.content.Context;

import android.security.keystore.recovery.InternalRecoveryServiceException;

import android.security.keystore.recovery.LockScreenRequiredException;

import android.security.keystore.recovery.RecoveryController;

import android.util.ByteStringUtils;

import com.android.internal.annotations.VisibleForTesting;

import java.security.SecureRandom;

import java.security.UnrecoverableKeyException;

import java.util.Optional;

import javax.crypto.SecretKey;

/**

 * Manages generating, deleting, and retrieving secondary keys through {@link RecoveryController}.

 *

 * <p>The recoverable key store will be synced remotely via the {@link RecoveryController}, allowing

 * recovery of keys on other devices owned by the user.

 */

public class RecoverableKeyStoreSecondaryKeyManager {

    private static final String BACKUP_KEY_ALIAS_PREFIX =

            "com.android.server.backup/recoverablekeystore/";

    private static final int BACKUP_KEY_SUFFIX_LENGTH_BITS = 128;

    private static final int BITS_PER_BYTE = 8;

    /** A new instance. */

    public static RecoverableKeyStoreSecondaryKeyManager getInstance(Context context) {

        return new RecoverableKeyStoreSecondaryKeyManager(

                RecoveryController.getInstance(context), new SecureRandom());

    }

    private final RecoveryController mRecoveryController;

    private final SecureRandom mSecureRandom;

    @VisibleForTesting

    public RecoverableKeyStoreSecondaryKeyManager(

            RecoveryController recoveryController, SecureRandom secureRandom) {

        mRecoveryController = recoveryController;

        mSecureRandom = secureRandom;

    }

    /**

     * Generates a new recoverable key using the {@link RecoveryController}.

     *

     * @throws InternalRecoveryServiceException if an unexpected error occurred generating the key.

     * @throws LockScreenRequiredException if the user does not have a lock screen. A lock screen is

     *     required to generate a recoverable key.

     */

    public RecoverableKeyStoreSecondaryKey generate()

            throws InternalRecoveryServiceException, LockScreenRequiredException,

                    UnrecoverableKeyException {

        String alias = generateId();

        mRecoveryController.generateKey(alias);

        SecretKey key = (SecretKey) mRecoveryController.getKey(alias);

        if (key == null) {

            throw new InternalRecoveryServiceException(

                    String.format(

                            "Generated key %s but could not get it back immediately afterwards.",

                            alias));

        }

        return new RecoverableKeyStoreSecondaryKey(alias, key);

    }

    /**

     * Removes the secondary key. This means the key will no longer be recoverable.

     *

     * @param alias The alias of the key.

     * @throws InternalRecoveryServiceException if there was a {@link RecoveryController} error.

     */

    public void remove(String alias) throws InternalRecoveryServiceException {

        mRecoveryController.removeKey(alias);

    }

    /**

     * Returns the {@link RecoverableKeyStoreSecondaryKey} with {@code alias} if it is in the {@link

     * RecoveryController}. Otherwise, {@link Optional#empty()}.

     */

    public Optional<RecoverableKeyStoreSecondaryKey> get(String alias)

            throws InternalRecoveryServiceException, UnrecoverableKeyException {

        SecretKey secretKey = (SecretKey) mRecoveryController.getKey(alias);

        return Optional.ofNullable(secretKey)

                .map(key -> new RecoverableKeyStoreSecondaryKey(alias, key));

    }

    /**

     * Generates a new key alias. This has more entropy than a UUID - it can be considered

     * universally unique.

     */

    private String generateId() {

        byte[] id = new byte[BACKUP_KEY_SUFFIX_LENGTH_BITS / BITS_PER_BYTE];

        mSecureRandom.nextBytes(id);

        return BACKUP_KEY_ALIAS_PREFIX + ByteStringUtils.toHexString(id);

    }

    /** Constructs a {@link RecoverableKeyStoreSecondaryKeyManager}. */

    public interface RecoverableKeyStoreSecondaryKeyManagerProvider {

        /** Returns a newly constructed {@link RecoverableKeyStoreSecondaryKeyManager}. */

        RecoverableKeyStoreSecondaryKeyManager get();

    }

}

/*

 * Copyright (C) 2018 The Android Open Source Project

 *

 * Licensed under the Apache License, Version 2.0 (the "License");

 * you may not use this file except in compliance with the License.

 * You may obtain a copy of the License at

 *

 *      http://www.apache.org/licenses/LICENSE-2.0

 *

 * Unless required by applicable law or agreed to in writing, software

 * distributed under the License is distributed on an "AS IS" BASIS,

 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

 * See the License for the specific language governing permissions and

 * limitations under the License.

 */

package com.android.server.backup.encryption.keys;

import java.security.NoSuchAlgorithmException;

import java.security.SecureRandom;

import javax.crypto.KeyGenerator;

import javax.crypto.SecretKey;

/** 256-bit AES key generator. Each app should have its own separate AES key. */

public class TertiaryKeyGenerator {

    private static final int KEY_SIZE_BITS = 256;

    private static final String KEY_ALGORITHM = "AES";

    private final KeyGenerator mKeyGenerator;

    /** New instance generating keys using {@code secureRandom}. */

    public TertiaryKeyGenerator(SecureRandom secureRandom) {

        try {

            mKeyGenerator = KeyGenerator.getInstance(KEY_ALGORITHM);

            mKeyGenerator.init(KEY_SIZE_BITS, secureRandom);

        } catch (NoSuchAlgorithmException e) {

            throw new RuntimeException(

                    "Impossible condition: JCE thinks it does not support AES.", e);

        }

    }

    /** Generates a new random AES key. */

    public SecretKey generate() {

        return mKeyGenerator.generateKey();

    }

}

/*

 * Copyright (C) 2018 The Android Open Source Project

 *

 * Licensed under the Apache License, Version 2.0 (the "License");

 * you may not use this file except in compliance with the License.

 * You may obtain a copy of the License at

 *

 *      http://www.apache.org/licenses/LICENSE-2.0

 *

 * Unless required by applicable law or agreed to in writing, software

 * distributed under the License is distributed on an "AS IS" BASIS,

 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

 * See the License for the specific language governing permissions and

 * limitations under the License.

 */

package com.android.server.backup.encryption.keys;

import android.content.Context;

import android.content.SharedPreferences;

import android.util.Slog;

import com.android.internal.annotations.VisibleForTesting;

import java.util.Locale;

/**

 * Tracks when a tertiary key rotation is due.

 *

 * <p>After a certain number of incremental backups, the device schedules a full backup, which will

 * generate a new encryption key, effecting a key rotation. We should do this on a regular basis so

 * that if a key does become compromised it has limited value to the attacker.

 *

 * <p>No additional synchronization of this class is provided. Only one instance should be used at

 * any time. This should be fine as there should be no parallelism in backups.

 */

public class TertiaryKeyRotationTracker {

    private static final int MAX_BACKUPS_UNTIL_TERTIARY_KEY_ROTATION = 31;

    private static final String SHARED_PREFERENCES_NAME = "tertiary_key_rotation_tracker";

    private static final String TAG = "TertiaryKeyRotationTracker";

    private static final boolean DEBUG = false;

    /**

     * A new instance, using {@code context} to commit data to disk via {@link SharedPreferences}.

     */

    public static TertiaryKeyRotationTracker getInstance(Context context) {

        return new TertiaryKeyRotationTracker(

                context.getSharedPreferences(SHARED_PREFERENCES_NAME, Context.MODE_PRIVATE));

    }

    private final SharedPreferences mSharedPreferences;

    /** New instance, storing data in {@code mSharedPreferences}. */

    @VisibleForTesting

    TertiaryKeyRotationTracker(SharedPreferences sharedPreferences) {

        mSharedPreferences = sharedPreferences;

    }

    /**

     * Returns {@code true} if the given app is due having its key rotated.

     *

     * @param packageName The package name of the app.

     */

    public boolean isKeyRotationDue(String packageName) {

        return getBackupsSinceRotation(packageName) >= MAX_BACKUPS_UNTIL_TERTIARY_KEY_ROTATION;

    }

    /**

     * Records that an incremental backup has occurred. Each incremental backup brings the app

     * closer to the time when its key should be rotated.

     *

     * @param packageName The package name of the app for which the backup occurred.

     */

    public void recordBackup(String packageName) {

        int backupsSinceRotation = getBackupsSinceRotation(packageName) + 1;

        mSharedPreferences.edit().putInt(packageName, backupsSinceRotation).apply();

        if (DEBUG) {

            Slog.d(

                    TAG,

                    String.format(

                            Locale.US,

                            "Incremental backup for %s. %d backups until key rotation.",

                            packageName,

                            Math.max(

                                    0,

                                    MAX_BACKUPS_UNTIL_TERTIARY_KEY_ROTATION

                                            - backupsSinceRotation)));

        }

    }

    /**

     * Resets the rotation delay for the given app. Should be invoked after a key rotation.

     *

     * @param packageName Package name of the app whose key has rotated.

     */

    public void resetCountdown(String packageName) {

        mSharedPreferences.edit().putInt(packageName, 0).apply();

    }

    /** Marks all enrolled packages for key rotation. */

    public void markAllForRotation() {

        SharedPreferences.Editor editor = mSharedPreferences.edit();

        for (String packageName : mSharedPreferences.getAll().keySet()) {

            editor.putInt(packageName, MAX_BACKUPS_UNTIL_TERTIARY_KEY_ROTATION);

        }

        editor.apply();

    }

    private int getBackupsSinceRotation(String packageName) {

        return mSharedPreferences.getInt(packageName, 0);

    }

}

/*

 * Copyright (C) 2018 The Android Open Source Project

 *

 * Licensed under the Apache License, Version 2.0 (the "License");

 * you may not use this file except in compliance with the License.

 * You may obtain a copy of the License at

 *

 *      http://www.apache.org/licenses/LICENSE-2.0

 *

 * Unless required by applicable law or agreed to in writing, software

 * distributed under the License is distributed on an "AS IS" BASIS,

 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

 * See the License for the specific language governing permissions and

 * limitations under the License.

 */

package com.android.server.backup.encryption.keys;

import static com.google.common.truth.Truth.assertThat;

import static org.testng.Assert.assertThrows;

import android.content.Context;

import android.platform.test.annotations.Presubmit;

import android.security.keystore.recovery.InternalRecoveryServiceException;

import android.security.keystore.recovery.RecoveryController;

import com.android.server.testing.shadows.ShadowInternalRecoveryServiceException;

import com.android.server.testing.shadows.ShadowRecoveryController;

import org.junit.After;

import org.junit.Before;

import org.junit.Test;

import org.junit.runner.RunWith;

import org.robolectric.RobolectricTestRunner;

import org.robolectric.RuntimeEnvironment;

import org.robolectric.annotation.Config;

import java.security.SecureRandom;

import java.util.Optional;

/** Tests for {@link RecoverableKeyStoreSecondaryKeyManager}. */

@RunWith(RobolectricTestRunner.class)

@Presubmit

@Config(shadows = {ShadowRecoveryController.class, ShadowInternalRecoveryServiceException.class})

public class RecoverableKeyStoreSecondaryKeyManagerTest {

    private static final String BACKUP_KEY_ALIAS_PREFIX =

            "com.android.server.backup/recoverablekeystore/";

    private static final int BITS_PER_BYTE = 8;

    private static final int BACKUP_KEY_SUFFIX_LENGTH_BYTES = 128 / BITS_PER_BYTE;

    private static final int HEX_PER_BYTE = 2;

    private static final int BACKUP_KEY_ALIAS_LENGTH =

            BACKUP_KEY_ALIAS_PREFIX.length() + BACKUP_KEY_SUFFIX_LENGTH_BYTES * HEX_PER_BYTE;

    private static final String NONEXISTENT_KEY_ALIAS = "NONEXISTENT_KEY_ALIAS";

    private RecoverableKeyStoreSecondaryKeyManager mRecoverableKeyStoreSecondaryKeyManager;

    private Context mContext;

    /** Create a new {@link RecoverableKeyStoreSecondaryKeyManager} to use in tests. */

    @Before

    public void setUp() throws Exception {

        mContext = RuntimeEnvironment.application;

        mRecoverableKeyStoreSecondaryKeyManager =

                new RecoverableKeyStoreSecondaryKeyManager(

                        RecoveryController.getInstance(mContext), new SecureRandom());

    }

    /** Reset the {@link ShadowRecoveryController}. */

    @After

    public void tearDown() throws Exception {

        ShadowRecoveryController.reset();

    }

    /** The generated key should always have the prefix {@code BACKUP_KEY_ALIAS_PREFIX}. */

    @Test

    public void generate_generatesKeyWithExpectedPrefix() throws Exception {

        RecoverableKeyStoreSecondaryKey key = mRecoverableKeyStoreSecondaryKeyManager.generate();

        assertThat(key.getAlias()).startsWith(BACKUP_KEY_ALIAS_PREFIX);

    }

    /** The generated key should always have length {@code BACKUP_KEY_ALIAS_LENGTH}. */

    @Test

    public void generate_generatesKeyWithExpectedLength() throws Exception {

        RecoverableKeyStoreSecondaryKey key = mRecoverableKeyStoreSecondaryKeyManager.generate();

        assertThat(key.getAlias()).hasLength(BACKUP_KEY_ALIAS_LENGTH);

    }

    /** Ensure that hidden API exceptions are rethrown when generating keys. */

    @Test

    public void generate_encounteringHiddenApiException_rethrowsException() {

        ShadowRecoveryController.setThrowsInternalError(true);

        assertThrows(

                InternalRecoveryServiceException.class,

                mRecoverableKeyStoreSecondaryKeyManager::generate);

    }

    /** Ensure that retrieved keys correspond to those generated earlier. */

    @Test

    public void get_getsKeyGeneratedByController() throws Exception {

        RecoverableKeyStoreSecondaryKey key = mRecoverableKeyStoreSecondaryKeyManager.generate();

        Optional<RecoverableKeyStoreSecondaryKey> retrievedKey =

                mRecoverableKeyStoreSecondaryKeyManager.get(key.getAlias());

        assertThat(retrievedKey.isPresent()).isTrue();

        assertThat(retrievedKey.get().getAlias()).isEqualTo(key.getAlias());

        assertThat(retrievedKey.get().getSecretKey()).isEqualTo(key.getSecretKey());

    }

    /**

     * Ensure that a call to {@link RecoverableKeyStoreSecondaryKeyManager#get(java.lang.String)}

     * for nonexistent aliases returns an emtpy {@link Optional}.

     */

    @Test

    public void get_forNonExistentKey_returnsEmptyOptional() throws Exception {

        Optional<RecoverableKeyStoreSecondaryKey> retrievedKey =

                mRecoverableKeyStoreSecondaryKeyManager.get(NONEXISTENT_KEY_ALIAS);

        assertThat(retrievedKey.isPresent()).isFalse();

    }

    /**

     * Ensure that exceptions occurring during {@link

     * RecoverableKeyStoreSecondaryKeyManager#get(java.lang.String)} are not rethrown.

     */

    @Test

    public void get_encounteringInternalException_doesNotPropagateException() throws Exception {

        ShadowRecoveryController.setThrowsInternalError(true);

        // Should not throw exception

        mRecoverableKeyStoreSecondaryKeyManager.get(NONEXISTENT_KEY_ALIAS);

    }

    /** Ensure that keys are correctly removed from the store. */

    @Test

    public void remove_removesKeyFromRecoverableStore() throws Exception {

        RecoverableKeyStoreSecondaryKey key = mRecoverableKeyStoreSecondaryKeyManager.generate();

        mRecoverableKeyStoreSecondaryKeyManager.remove(key.getAlias());

        assertThat(RecoveryController.getInstance(mContext).getAliases())

                .doesNotContain(key.getAlias());

    }

}