Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 4a0ff7ca authored by Alex Klyubin's avatar Alex Klyubin
Browse files

Android Keystore keys are no longer backed by Conscrypt. 

This switches Android Keystore asymmetric keys from being backed by
Conscrypt (via keystore-engine which is an OpenSSL/BoringSSL ENGINE
which talks to keystore via the old KeyStore API) to being backed by
the AndroidKeyStore Provider which talks to keystore via the new
KeyStore API. In effect, this switches asymmetric crypto offered by
Android Keystore from old Keystore API to new KeyStore API, enabling
all the new features such as enforcement of authorizations on key use.

Some algorithms offered by Android Keystore, such as RSA with OAEP
or PSS padding schemes, are not supported by other providers. This
complicates matters because Android Keystore only supports public key
operations if the corresponding private key is in the keystore. Thus,
Android Keystore can only offer these operations for its own public
keys only. This requires AndroidKeyStore to use its own subclasses of
PublicKey everywhere. The ugliest place is where it needs to return
its own subclass of X509Certificate only to be able to return its
own subclass of PublicKey from Certificate.getPublicKey().

Bug: 18088752
Bug: 19284418
Bug: 20912868
Change-Id: Id234f9ab9ff72d353ca1ff66768bd3d46da50d64
parent f22030d1

keystore/java/android/security/KeyChain.java

+5 −10
Original line number Diff line number Diff line
@@ -29,15 +29,14 @@ import android.os.Looper; 
import android.os.Process;

import android.os.RemoteException;

import android.os.UserHandle;

import android.security.keystore.KeyInfo;

import android.security.keystore.AndroidKeyStoreProvider;

import android.security.keystore.KeyProperties;



import java.io.ByteArrayInputStream;

import java.io.Closeable;

import java.security.InvalidKeyException;

import java.security.KeyFactory;

import java.security.Principal;

import java.security.PrivateKey;

import java.security.UnrecoverableKeyException;

import java.security.cert.Certificate;

import java.security.cert.CertificateException;

import java.security.cert.CertificateFactory;
@@ -47,7 +46,6 @@ import java.util.Locale; 
import java.util.concurrent.BlockingQueue;

import java.util.concurrent.LinkedBlockingQueue;



import com.android.org.conscrypt.OpenSSLEngine;

import com.android.org.conscrypt.TrustedCertificateStore;



/**
@@ -90,8 +88,6 @@ import com.android.org.conscrypt.TrustedCertificateStore; 
// TODO reference intent for credential installation when public

public final class KeyChain {



    private static final String TAG = "KeyChain";



    /**

     * @hide Also used by KeyChainService implementation

     */
@@ -372,15 +368,14 @@ public final class KeyChain { 
            if (keyId == null) {

                throw new KeyChainException("keystore had a problem");

            }



            final OpenSSLEngine engine = OpenSSLEngine.getInstance("keystore");

            return engine.getPrivateKeyById(keyId);

            return AndroidKeyStoreProvider.loadAndroidKeyStorePrivateKeyFromKeystore(

                    KeyStore.getInstance(), keyId);

        } catch (RemoteException e) {

            throw new KeyChainException(e);

        } catch (RuntimeException e) {

            // only certain RuntimeExceptions can be propagated across the IKeyChainService call

            throw new KeyChainException(e);

        } catch (InvalidKeyException e) {

        } catch (UnrecoverableKeyException e) {

            throw new KeyChainException(e);

        } finally {

            keyChainConnection.close();

keystore/java/android/security/KeyPairGeneratorSpec.java

+3 −1
Original line number Diff line number Diff line
@@ -331,7 +331,9 @@ public final class KeyPairGeneratorSpec implements AlgorithmParameterSpec { 
            if (keyType == null) {

                throw new NullPointerException("keyType == null");

            } else {

                if (KeyStore.getKeyTypeForAlgorithm(keyType) == -1) {

                try {

                    KeyProperties.KeyAlgorithm.toKeymasterAsymmetricKeyAlgorithm(keyType);

                } catch (IllegalArgumentException e) {

                    throw new NoSuchAlgorithmException("Unsupported key type: " + keyType);

                }

            }

keystore/java/android/security/KeyStore.java

+0 −12
Original line number Diff line number Diff line
@@ -19,7 +19,6 @@ package android.security; 
import android.app.ActivityThread;

import android.app.Application;

import android.app.KeyguardManager;

import com.android.org.conscrypt.NativeConstants;



import android.content.Context;

import android.hardware.fingerprint.FingerprintManager;
@@ -38,7 +37,6 @@ import android.security.keymaster.OperationResult; 
import android.security.keystore.KeyExpiredException;

import android.security.keystore.KeyNotYetValidException;

import android.security.keystore.KeyPermanentlyInvalidatedException;

import android.security.keystore.KeyProperties;

import android.security.keystore.UserNotAuthenticatedException;

import android.util.Log;
@@ -136,16 +134,6 @@ public class KeyStore { 
        return mToken;

    }



    public static int getKeyTypeForAlgorithm(@KeyProperties.KeyAlgorithmEnum String keyType) {

        if (KeyProperties.KEY_ALGORITHM_RSA.equalsIgnoreCase(keyType)) {

            return NativeConstants.EVP_PKEY_RSA;

        } else if (KeyProperties.KEY_ALGORITHM_EC.equalsIgnoreCase(keyType)) {

            return NativeConstants.EVP_PKEY_EC;

        } else {

            return -1;

        }

    }



    public State state(int userId) {

        final int ret;

        try {

keystore/java/android/security/keystore/AndroidKeyStoreECPrivateKey.java

0 → 100644
+40 −0
Original line number Diff line number Diff line 
/*

 * Copyright (C) 2015 The Android Open Source Project

 *

 * Licensed under the Apache License, Version 2.0 (the "License");

 * you may not use this file except in compliance with the License.

 * You may obtain a copy of the License at

 *

 *      http://www.apache.org/licenses/LICENSE-2.0

 *

 * Unless required by applicable law or agreed to in writing, software

 * distributed under the License is distributed on an "AS IS" BASIS,

 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

 * See the License for the specific language governing permissions and

 * limitations under the License.

 */



package android.security.keystore;



import java.security.PrivateKey;

import java.security.interfaces.ECKey;

import java.security.spec.ECParameterSpec;



/**

 * EC private key (instance of {@link PrivateKey} and {@link ECKey}) backed by keystore.

 *

 * @hide

 */

public class AndroidKeyStoreECPrivateKey extends AndroidKeyStorePrivateKey implements ECKey {

    private final ECParameterSpec mParams;



    public AndroidKeyStoreECPrivateKey(String alias, ECParameterSpec params) {

        super(alias, KeyProperties.KEY_ALGORITHM_EC);

        mParams = params;

    }



    @Override

    public ECParameterSpec getParams() {

        return mParams;

    }

}

keystore/java/android/security/keystore/AndroidKeyStoreKey.java

+38 −0
Original line number Diff line number Diff line
@@ -52,4 +52,42 @@ public class AndroidKeyStoreKey implements Key { 
        // This key does not export its key material

        return null;

    }



    @Override

    public int hashCode() {

        final int prime = 31;

        int result = 1;

        result = prime * result + ((mAlgorithm == null) ? 0 : mAlgorithm.hashCode());

        result = prime * result + ((mAlias == null) ? 0 : mAlias.hashCode());

        return result;

    }



    @Override

    public boolean equals(Object obj) {

        if (this == obj) {

            return true;

        }

        if (obj == null) {

            return false;

        }

        if (getClass() != obj.getClass()) {

            return false;

        }

        AndroidKeyStoreKey other = (AndroidKeyStoreKey) obj;

        if (mAlgorithm == null) {

            if (other.mAlgorithm != null) {

                return false;

            }

        } else if (!mAlgorithm.equals(other.mAlgorithm)) {

            return false;

        }

        if (mAlias == null) {

            if (other.mAlias != null) {

                return false;

            }

        } else if (!mAlias.equals(other.mAlias)) {

            return false;

        }

        return true;

    }

}