Add fingerprint-specific AndroidKeyStore API. (2ea13d42) · Commits · e / os / android_frameworks_base

keystore/java/android/security/AndroidKeyStore.java

+4 −0

Original line number	Diff line number	Diff line
		@@ -540,6 +540,10 @@ public class AndroidKeyStore extends KeyStoreSpi {
		KeyStoreKeyConstraints.UserAuthenticator.allToKeymaster(
		params.getUserAuthenticators()));
		}
		if (params.isInvalidatedOnNewFingerprintEnrolled()) {
		// TODO: Add the invalidate on fingerprint enrolled constraint once Keymaster supports
		// that.
		}
		if (params.getUserAuthenticationValidityDurationSeconds() != null) {
		args.addInt(KeymasterDefs.KM_TAG_AUTH_TIMEOUT,
		params.getUserAuthenticationValidityDurationSeconds());

keystore/java/android/security/KeyGeneratorSpec.java

+36 −2

Original line number	Diff line number	Diff line
		@@ -59,6 +59,7 @@ public class KeyGeneratorSpec implements AlgorithmParameterSpec {
		private final Integer mMaxUsesPerBoot;
		private final Set<Integer> mUserAuthenticators;
		private final Integer mUserAuthenticationValidityDurationSeconds;
		private final boolean mInvalidatedOnNewFingerprintEnrolled;

		private KeyGeneratorSpec(
		Context context,
		@@ -74,7 +75,8 @@ public class KeyGeneratorSpec implements AlgorithmParameterSpec {
		Integer minSecondsBetweenOperations,
		Integer maxUsesPerBoot,
		Set<Integer> userAuthenticators,
		Integer userAuthenticationValidityDurationSeconds) {
		Integer userAuthenticationValidityDurationSeconds,
		boolean invalidatedOnNewFingerprintEnrolled) {
		if (context == null) {
		throw new IllegalArgumentException("context == null");
		} else if (TextUtils.isEmpty(keyStoreAlias)) {
		@@ -101,6 +103,7 @@ public class KeyGeneratorSpec implements AlgorithmParameterSpec {
		? new HashSet<Integer>(userAuthenticators)
		: Collections.<Integer>emptySet();
		mUserAuthenticationValidityDurationSeconds = userAuthenticationValidityDurationSeconds;
		mInvalidatedOnNewFingerprintEnrolled = invalidatedOnNewFingerprintEnrolled;
		}

		/**
		@@ -238,6 +241,19 @@ public class KeyGeneratorSpec implements AlgorithmParameterSpec {
		return mUserAuthenticationValidityDurationSeconds;
		}

		/**
		* Returns {@code true} if this key must be permanently invalidated once a new fingerprint is
		* enrolled. This constraint only has effect if fingerprint reader is one of the user
		* authenticators protecting access to this key.
		*
		* @see #getUserAuthenticators()
		*
		* @hide
		*/
		public boolean isInvalidatedOnNewFingerprintEnrolled() {
		return mInvalidatedOnNewFingerprintEnrolled;
		}

		/**
		* Returns {@code true} if the key must be encrypted in the {@link java.security.KeyStore}.
		*/
		@@ -260,6 +276,7 @@ public class KeyGeneratorSpec implements AlgorithmParameterSpec {
		private Integer mMaxUsesPerBoot;
		private Set<Integer> mUserAuthenticators;
		private Integer mUserAuthenticationValidityDurationSeconds;
		private boolean mInvalidatedOnNewFingerprintEnrolled;

		/**
		* Creates a new instance of the {@code Builder} with the given {@code context}. The
		@@ -472,6 +489,22 @@ public class KeyGeneratorSpec implements AlgorithmParameterSpec {
		return this;
		}

		/**
		* Sets whether this key must be invalidated (permanently) once a new fingerprint is
		* enrolled. This only has effect if fingerprint reader is one of the user authenticators
		* protecting access to the key.
		*
		* <p>By default, enrolling a new fingerprint does not invalidate the key.
		*
		* @see #setUserAuthenticators(Set)
		*
		* @hide
		*/
		public Builder setInvalidatedOnNewFingerprintEnrolled(boolean invalidated) {
		mInvalidatedOnNewFingerprintEnrolled = invalidated;
		return this;
		}

		/**
		* Builds a new instance instance of {@code KeyGeneratorSpec}.
		*
		@@ -481,7 +514,8 @@ public class KeyGeneratorSpec implements AlgorithmParameterSpec {
		return new KeyGeneratorSpec(mContext, mKeystoreAlias, mFlags, mKeySize,
		mKeyValidityStart, mKeyValidityForOriginationEnd, mKeyValidityForConsumptionEnd,
		mPurposes, mPadding, mBlockMode, mMinSecondsBetweenOperations, mMaxUsesPerBoot,
		mUserAuthenticators, mUserAuthenticationValidityDurationSeconds);
		mUserAuthenticators, mUserAuthenticationValidityDurationSeconds,
		mInvalidatedOnNewFingerprintEnrolled);
		}
		}
		}

keystore/java/android/security/KeyStoreKeyConstraints.java

+9 −0

Original line number	Diff line number	Diff line
		@@ -537,6 +537,9 @@ public abstract class KeyStoreKeyConstraints {
		/** Lock screen. */
		public static final int LOCK_SCREEN = 1;

		/** Fingerprint reader/sensor. */
		public static final int FINGERPRINT_READER = 1 << 1;

		/**
		* @hide
		*/
		@@ -544,6 +547,8 @@ public abstract class KeyStoreKeyConstraints {
		switch (userAuthenticator) {
		case LOCK_SCREEN:
		return LOCK_SCREEN;
		case FINGERPRINT_READER:
		return FINGERPRINT_READER;
		default:
		throw new IllegalArgumentException(
		"Unknown user authenticator: " + userAuthenticator);
		@@ -557,6 +562,8 @@ public abstract class KeyStoreKeyConstraints {
		switch (userAuthenticator) {
		case LOCK_SCREEN:
		return LOCK_SCREEN;
		case FINGERPRINT_READER:
		return FINGERPRINT_READER;
		default:
		throw new IllegalArgumentException(
		"Unknown user authenticator: " + userAuthenticator);
		@@ -600,6 +607,8 @@ public abstract class KeyStoreKeyConstraints {
		switch (userAuthenticator) {
		case LOCK_SCREEN:
		return "LOCK_SCREEN";
		case FINGERPRINT_READER:
		return "FINGERPRINT_READER";
		default:
		throw new IllegalArgumentException(
		"Unknown user authenticator: " + userAuthenticator);

keystore/java/android/security/KeyStoreKeyGeneratorSpi.java

+4 −0

Original line number	Diff line number	Diff line
		@@ -141,6 +141,10 @@ public abstract class KeyStoreKeyGeneratorSpi extends KeyGeneratorSpi {
		KeyStoreKeyConstraints.UserAuthenticator.allToKeymaster(
		spec.getUserAuthenticators()));
		}
		if (spec.isInvalidatedOnNewFingerprintEnrolled()) {
		// TODO: Add the invalidate on fingerprint enrolled constraint once Keymaster supports
		// that.
		}
		if (spec.getUserAuthenticationValidityDurationSeconds() != null) {
		args.addInt(KeymasterDefs.KM_TAG_AUTH_TIMEOUT,
		spec.getUserAuthenticationValidityDurationSeconds());

keystore/java/android/security/KeyStoreKeySpec.java

+15 −1

Original line number	Diff line number	Diff line
		@@ -45,6 +45,7 @@ public class KeyStoreKeySpec implements KeySpec {
		private final Set<Integer> mUserAuthenticators;
		private final Set<Integer> mTeeBackedUserAuthenticators;
		private final Integer mUserAuthenticationValidityDurationSeconds;
		private final boolean mInvalidatedOnNewFingerprintEnrolled;


		/**
		@@ -63,7 +64,8 @@ public class KeyStoreKeySpec implements KeySpec {
		Integer maxUsesPerBoot,
		Set<Integer> userAuthenticators,
		Set<Integer> teeBackedUserAuthenticators,
		Integer userAuthenticationValidityDurationSeconds) {
		Integer userAuthenticationValidityDurationSeconds,
		boolean invalidatedOnNewFingerprintEnrolled) {
		mKeystoreAlias = keystoreKeyAlias;
		mOrigin = origin;
		mKeySize = keySize;
		@@ -84,6 +86,7 @@ public class KeyStoreKeySpec implements KeySpec {
		? new HashSet<Integer>(teeBackedUserAuthenticators)
		: Collections.<Integer>emptySet();
		mUserAuthenticationValidityDurationSeconds = userAuthenticationValidityDurationSeconds;
		mInvalidatedOnNewFingerprintEnrolled = invalidatedOnNewFingerprintEnrolled;
		}

		/**
		@@ -223,4 +226,15 @@ public class KeyStoreKeySpec implements KeySpec {
		public Integer getUserAuthenticationValidityDurationSeconds() {
		return mUserAuthenticationValidityDurationSeconds;
		}

		/**
		* Returns {@code true} if this key will be permanently invalidated once a new fingerprint is
		* enrolled. This constraint only has effect if fingerprint reader is one of the user
		* authenticators protecting access to this key.
		*
		* @see #getUserAuthenticators()
		*/
		public boolean isInvalidatedOnNewFingerprintEnrolled() {
		return mInvalidatedOnNewFingerprintEnrolled;
		}
		}