
Commit 20f982fa authored by Eran Messeri's avatar Eran Messeri

Individual attestation: throw if unsupported

Throw if a caller requests the individual device attestation certificate
to be used for key attestation, but the feature is unavailable in the
device's StrongBox implementation.

Bug: 140194470
Bug: 136494773
Test: atest CtsDevicePolicyManagerTestCases:com.android.cts.devicepolicy.MixedDeviceOwnerTest#testKeyManagement
Change-Id: Ie289dae2949400443efd14832cb847761b2b92e7
parent 8ffc40aa
+11 −6
@@ -5061,12 +5061,17 @@ public class DevicePolicyManager {
     *         owner. If Device ID attestation is requested (using {@link #ID_TYPE_SERIAL},
     *         {@link #ID_TYPE_IMEI} or {@link #ID_TYPE_MEID}), the caller must be the Device Owner
     *         or the Certificate Installer delegate.
     * @throws IllegalArgumentException if the alias in {@code keySpec} is empty, if the
     *         algorithm specification in {@code keySpec} is not {@code RSAKeyGenParameterSpec}
     *         or {@code ECGenParameterSpec}, or if Device ID attestation was requested but the
     *         {@code keySpec} does not contain an attestation challenge.
     * @throws UnsupportedOperationException if Device ID attestation was requested but the
     *         underlying hardware does not support it.
     * @throws IllegalArgumentException in the following cases:
     *         <p>
     *         <ul>
     *         <li>The alias in {@code keySpec} is empty.</li>
     *         <li>The algorithm specification in {@code keySpec} is not
     *         {@code RSAKeyGenParameterSpec} or {@code ECGenParameterSpec}.</li>
     *         <li>Device ID attestation was requested but the {@code keySpec} does not contain an
     *         attestation challenge.</li>
     *         </ul>
     * @throws UnsupportedOperationException if Device ID attestation or individual attestation
     *         was requested but the underlying hardware does not support it.
     * @throws StrongBoxUnavailableException if the use of StrongBox for key generation was
     *         specified in {@code keySpec} but the device does not have one.
     * @see KeyGenParameterSpec.Builder#setAttestationChallenge(byte[])
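Review bot: The rewritten `@throws UnsupportedOperationException` text mentions "individual attestation" without naming the flag that requests it, so a caller reading this Javadoc cannot tell which `idAttestationFlags` value triggers the new exception. Linking the constant would close that gap, for example `if Device ID attestation or individual attestation (using {@link #ID_TYPE_INDIVIDUAL_ATTESTATION}) was requested but the underlying hardware does not support it.` Separately, the bare `<p>` directly before `<ul>` in the `@throws IllegalArgumentException` entry adds an empty paragraph and can be dropped. The Javadoc block starts and ends outside this hunk, so the method it documents is not visible here.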
+14 −1
@@ -84,6 +84,7 @@ import static android.provider.Settings.Global.PRIVATE_DNS_SPECIFIER;
import static android.provider.Telephony.Carriers.DPC_URI;
import static android.provider.Telephony.Carriers.ENFORCE_KEY;
import static android.provider.Telephony.Carriers.ENFORCE_MANAGED_URI;
import static android.security.keystore.AttestationUtils.USE_INDIVIDUAL_ATTESTATION;
import static com.android.internal.logging.nano.MetricsProto.MetricsEvent.PROVISIONING_ENTRY_POINT_ADB;
import static com.android.internal.widget.LockPatternUtils.CREDENTIAL_TYPE_NONE;
@@ -5873,7 +5874,7 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager {
        idTypeToAttestationFlag.put(ID_TYPE_IMEI, AttestationUtils.ID_TYPE_IMEI);
        idTypeToAttestationFlag.put(ID_TYPE_MEID, AttestationUtils.ID_TYPE_MEID);
        idTypeToAttestationFlag.put(
                ID_TYPE_INDIVIDUAL_ATTESTATION, AttestationUtils.USE_INDIVIDUAL_ATTESTATION);
                ID_TYPE_INDIVIDUAL_ATTESTATION, USE_INDIVIDUAL_ATTESTATION);
        int numFlagsSet = Integer.bitCount(idAttestationFlags);
        // No flags are set - return null to indicate no device ID attestation information should
@@ -5913,6 +5914,7 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager {
        if (deviceIdAttestationRequired && attestationUtilsFlags.length > 0) {
            enforceCallerCanRequestDeviceIdAttestation(who, callerPackage, callingUid);
            enforceIndividualAttestationSupportedIfRequested(attestationUtilsFlags);
        } else {
            enforceCanManageScope(who, callerPackage, DeviceAdminInfo.USES_POLICY_PROFILE_OWNER,
                    DELEGATION_CERT_INSTALL);
@@ -6007,6 +6009,17 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager {
        return false;
    }
    private void enforceIndividualAttestationSupportedIfRequested(int[] attestationUtilsFlags) {
        for (int attestationFlag : attestationUtilsFlags) {
            if (attestationFlag == USE_INDIVIDUAL_ATTESTATION
                    && !mInjector.getPackageManager().hasSystemFeature(
                    PackageManager.FEATURE_DEVICE_UNIQUE_ATTESTATION)) {
                throw new UnsupportedOperationException("Device Individual attestation is not "
                        + "supported on this device.");
            }
        }
    }
    @Override
    public boolean setKeyPairCertificate(ComponentName who, String callerPackage, String alias,
            byte[] cert, byte[] chain, boolean isUserSelectable) {
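Review bot: The new `enforceIndividualAttestationSupportedIfRequested` has no comment, and its call site in the `@@ -5913` hunk does not explain why it follows `enforceCallerCanRequestDeviceIdAttestation`. That order is security-relevant: if the feature check ran first, a caller not entitled to device ID attestation could learn from the exception whether the device declares `FEATURE_DEVICE_UNIQUE_ATTESTATION`. A comment at the call would keep a later refactor from swapping them, for example `// Keep after the caller check: unauthorized callers must be rejected before any capability answer is given.` The helper should also document that support is taken from the declared system feature, not from the keystore's response. Whether `keySpec` must additionally request StrongBox when this flag is set is not visible here, because the enclosing method starts and ends outside the hunk.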