Merge "Introduce KEYSTORE_FLAG_CRITICAL_TO_DEVICE_ENCRYPTION" into oc-dev (4f86a894) · Commits · e / os / android_frameworks_base

keystore/java/android/security/KeyStore.java

+10 −0

Original line number	Diff line number	Diff line
		@@ -93,6 +93,16 @@ public class KeyStore {
		*/
		public static final int FLAG_ENCRYPTED = 1;

		/**
		* A private flag that's only available to system server to indicate that this key is part of
		* device encryption flow so it receives special treatment from keystore. For example this key
		* will not be super encrypted, and it will be stored separately under an unique UID instead
		* of the caller UID i.e. SYSTEM.
		*
		* Need to be in sync with KeyStoreFlag in system/security/keystore/include/keystore/keystore.h
		*/
		public static final int FLAG_CRITICAL_TO_DEVICE_ENCRYPTION = 1 << 3;

		// States
		public enum State { UNLOCKED, LOCKED, UNINITIALIZED };

keystore/java/android/security/keystore/AndroidKeyStoreSpi.java

+8 −1

Original line number	Diff line number	Diff line
		@@ -351,6 +351,9 @@ public class AndroidKeyStoreSpi extends KeyStoreSpi {
		}
		} else if (param instanceof KeyProtection) {
		spec = (KeyProtection) param;
		if (spec.isCriticalToDeviceEncryption()) {
		flags \|= KeyStore.FLAG_CRITICAL_TO_DEVICE_ENCRYPTION;
		}
		} else {
		throw new KeyStoreException(
		"Unsupported protection parameter class:" + param.getClass().getName()
		@@ -719,6 +722,10 @@ public class AndroidKeyStoreSpi extends KeyStoreSpi {
		} catch (IllegalArgumentException \| IllegalStateException e) {
		throw new KeyStoreException(e);
		}
		int flags = 0;
		if (params.isCriticalToDeviceEncryption()) {
		flags \|= KeyStore.FLAG_CRITICAL_TO_DEVICE_ENCRYPTION;
		}

		Credentials.deleteAllTypesForAlias(mKeyStore, entryAlias, mUid);
		String keyAliasInKeystore = Credentials.USER_SECRET_KEY + entryAlias;
		@@ -728,7 +735,7 @@ public class AndroidKeyStoreSpi extends KeyStoreSpi {
		KeymasterDefs.KM_KEY_FORMAT_RAW,
		keyMaterial,
		mUid,
		0, // flags
		flags,
		new KeyCharacteristics());
		if (errorCode != KeyStore.NO_ERROR) {
		throw new KeyStoreException("Failed to import secret key. Keystore error code: "

keystore/java/android/security/keystore/KeyProtection.java

+31 −2

Original line number	Diff line number	Diff line
		@@ -227,6 +227,7 @@ public final class KeyProtection implements ProtectionParameter {
		private final boolean mUserAuthenticationValidWhileOnBody;
		private final boolean mInvalidatedByBiometricEnrollment;
		private final long mBoundToSecureUserId;
		private final boolean mCriticalToDeviceEncryption;

		private KeyProtection(
		Date keyValidityStart,
		@@ -242,7 +243,8 @@ public final class KeyProtection implements ProtectionParameter {
		int userAuthenticationValidityDurationSeconds,
		boolean userAuthenticationValidWhileOnBody,
		boolean invalidatedByBiometricEnrollment,
		long boundToSecureUserId) {
		long boundToSecureUserId,
		boolean criticalToDeviceEncryption) {
		mKeyValidityStart = Utils.cloneIfNotNull(keyValidityStart);
		mKeyValidityForOriginationEnd = Utils.cloneIfNotNull(keyValidityForOriginationEnd);
		mKeyValidityForConsumptionEnd = Utils.cloneIfNotNull(keyValidityForConsumptionEnd);
		@@ -259,6 +261,7 @@ public final class KeyProtection implements ProtectionParameter {
		mUserAuthenticationValidWhileOnBody = userAuthenticationValidWhileOnBody;
		mInvalidatedByBiometricEnrollment = invalidatedByBiometricEnrollment;
		mBoundToSecureUserId = boundToSecureUserId;
		mCriticalToDeviceEncryption = criticalToDeviceEncryption;
		}

		/**
		@@ -457,6 +460,16 @@ public final class KeyProtection implements ProtectionParameter {
		return mBoundToSecureUserId;
		}

		/**
		* Return whether this key is critical to the device encryption flow.
		*
		* @see android.security.KeyStore#FLAG_CRITICAL_TO_DEVICE_ENCRYPTION
		* @hide
		*/
		public boolean isCriticalToDeviceEncryption() {
		return mCriticalToDeviceEncryption;
		}

		/**
		* Builder of {@link KeyProtection} instances.
		*/
		@@ -477,6 +490,7 @@ public final class KeyProtection implements ProtectionParameter {
		private boolean mInvalidatedByBiometricEnrollment = true;

		private long mBoundToSecureUserId = GateKeeper.INVALID_SECURE_USER_ID;
		private boolean mCriticalToDeviceEncryption = false;
		/**
		* Creates a new instance of the {@code Builder}.
		*
		@@ -816,6 +830,20 @@ public final class KeyProtection implements ProtectionParameter {
		return this;
		}

		/**
		* Set whether this key is critical to the device encryption flow
		*
		* This is a special flag only available to system servers to indicate the current key
		* is part of the device encryption flow.
		*
		* @see android.security.KeyStore#FLAG_CRITICAL_TO_DEVICE_ENCRYPTION
		* @hide
		*/
		public Builder setCriticalToDeviceEncryption(boolean critical) {
		mCriticalToDeviceEncryption = critical;
		return this;
		}

		/**
		* Builds an instance of {@link KeyProtection}.
		*
		@@ -837,7 +865,8 @@ public final class KeyProtection implements ProtectionParameter {
		mUserAuthenticationValidityDurationSeconds,
		mUserAuthenticationValidWhileOnBody,
		mInvalidatedByBiometricEnrollment,
		mBoundToSecureUserId);
		mBoundToSecureUserId,
		mCriticalToDeviceEncryption);
		}
		}
		}

services/core/java/com/android/server/SyntheticPasswordCrypto.java

+3 −1

Original line number	Diff line number	Diff line
		@@ -139,12 +139,14 @@ public class SyntheticPasswordCrypto {
		keyStore.load(null);
		KeyProtection.Builder builder = new KeyProtection.Builder(KeyProperties.PURPOSE_DECRYPT)
		.setBlockModes(KeyProperties.BLOCK_MODE_GCM)
		.setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE);
		.setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
		.setCriticalToDeviceEncryption(true);
		if (sid != 0) {
		builder.setUserAuthenticationRequired(true)
		.setBoundToSpecificSecureUserId(sid)
		.setUserAuthenticationValidityDurationSeconds(USER_AUTHENTICATION_VALIDITY);
		}

		keyStore.setEntry(keyAlias,
		new KeyStore.SecretKeyEntry(secretKey),
		builder.build());