Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 5045b718 authored by Alex Klyubin's avatar Alex Klyubin
Browse files

Use Keymaster-friendly validity dates. 

Keymaster HAL currently requires that key validity start and end dates
always be specified. The framework API does not. This CL expresses
the framework API's "not specified" instants to Keymaster as instants
in distant past or future.

Bug: 18088752
Change-Id: Ia9d66d5e57bfca30628cdef6e0925a2781a3acfb
parent c461452e

keystore/java/android/security/AndroidKeyStore.java

+9 −11
Original line number Diff line number Diff line
@@ -544,17 +544,15 @@ public class AndroidKeyStore extends KeyStoreSpi { 
            args.addInt(KeymasterDefs.KM_TAG_AUTH_TIMEOUT,

                    params.getUserAuthenticationValidityDurationSeconds());

        }

        if (params.getKeyValidityStart() != null) {

            args.addDate(KeymasterDefs.KM_TAG_ACTIVE_DATETIME, params.getKeyValidityStart());

        }

        if (params.getKeyValidityForOriginationEnd() != null) {

        args.addDate(KeymasterDefs.KM_TAG_ACTIVE_DATETIME,

                (params.getKeyValidityStart() != null)

                        ? params.getKeyValidityStart() : new Date(0));

        args.addDate(KeymasterDefs.KM_TAG_ORIGINATION_EXPIRE_DATETIME,

                    params.getKeyValidityForOriginationEnd());

        }

        if (params.getKeyValidityForConsumptionEnd() != null) {

                (params.getKeyValidityForOriginationEnd() != null)

                        ? params.getKeyValidityForOriginationEnd() : new Date(Long.MAX_VALUE));

        args.addDate(KeymasterDefs.KM_TAG_USAGE_EXPIRE_DATETIME,

                    params.getKeyValidityForConsumptionEnd());

        }

                (params.getKeyValidityForConsumptionEnd() != null)

                        ? params.getKeyValidityForConsumptionEnd() : new Date(Long.MAX_VALUE));



        // TODO: Remove this once keymaster does not require us to specify the size of imported key.

        args.addInt(KeymasterDefs.KM_TAG_KEY_SIZE, keyMaterial.length * 8);

keystore/java/android/security/KeyStoreKeyGeneratorSpi.java

+10 −11
Original line number Diff line number Diff line
@@ -23,6 +23,7 @@ import android.security.keymaster.KeymasterDefs; 
import java.security.InvalidAlgorithmParameterException;

import java.security.SecureRandom;

import java.security.spec.AlgorithmParameterSpec;

import java.util.Date;



import javax.crypto.KeyGeneratorSpi;

import javax.crypto.SecretKey;
@@ -144,17 +145,15 @@ public abstract class KeyStoreKeyGeneratorSpi extends KeyGeneratorSpi { 
            args.addInt(KeymasterDefs.KM_TAG_AUTH_TIMEOUT,

                    spec.getUserAuthenticationValidityDurationSeconds());

        }

        if (spec.getKeyValidityStart() != null) {

            args.addDate(KeymasterDefs.KM_TAG_ACTIVE_DATETIME, spec.getKeyValidityStart());

        }

        if (spec.getKeyValidityForOriginationEnd() != null) {

        args.addDate(KeymasterDefs.KM_TAG_ACTIVE_DATETIME,

                (spec.getKeyValidityStart() != null)

                ? spec.getKeyValidityStart() : new Date(0));

        args.addDate(KeymasterDefs.KM_TAG_ORIGINATION_EXPIRE_DATETIME,

                    spec.getKeyValidityForOriginationEnd());

        }

        if (spec.getKeyValidityForConsumptionEnd() != null) {

                (spec.getKeyValidityForOriginationEnd() != null)

                ? spec.getKeyValidityForOriginationEnd() : new Date(Long.MAX_VALUE));

        args.addDate(KeymasterDefs.KM_TAG_USAGE_EXPIRE_DATETIME,

                    spec.getKeyValidityForConsumptionEnd());

        }

                (spec.getKeyValidityForConsumptionEnd() != null)

                ? spec.getKeyValidityForConsumptionEnd() : new Date(Long.MAX_VALUE));



        if (((purposes & KeyStoreKeyConstraints.Purpose.ENCRYPT) != 0)

            || ((purposes & KeyStoreKeyConstraints.Purpose.DECRYPT) != 0)) {

keystore/java/android/security/KeyStoreSecretKeyFactorySpi.java

+22 −5
Original line number Diff line number Diff line
@@ -22,6 +22,7 @@ import android.security.keymaster.KeymasterDefs; 
import java.security.InvalidKeyException;

import java.security.spec.InvalidKeySpecException;

import java.security.spec.KeySpec;

import java.util.Date;

import java.util.Set;



import javax.crypto.SecretKey;
@@ -112,6 +113,24 @@ public class KeyStoreSecretKeyFactorySpi extends SecretKeyFactorySpi { 
            throw new InvalidKeySpecException("Unsupported key characteristic", e);

        }



        Date keyValidityStart =

                KeymasterUtils.getDate(keyCharacteristics, KeymasterDefs.KM_TAG_ACTIVE_DATETIME);

        if ((keyValidityStart != null) && (keyValidityStart.getTime() <= 0)) {

            keyValidityStart = null;

        }

        Date keyValidityForOriginationEnd = KeymasterUtils.getDate(keyCharacteristics,

                KeymasterDefs.KM_TAG_ORIGINATION_EXPIRE_DATETIME);

        if ((keyValidityForOriginationEnd != null)

                && (keyValidityForOriginationEnd.getTime() == Long.MAX_VALUE)) {

            keyValidityForOriginationEnd = null;

        }

        Date keyValidityForConsumptionEnd = KeymasterUtils.getDate(keyCharacteristics,

                KeymasterDefs.KM_TAG_USAGE_EXPIRE_DATETIME);

        if ((keyValidityForConsumptionEnd != null)

                && (keyValidityForConsumptionEnd.getTime() == Long.MAX_VALUE)) {

            keyValidityForConsumptionEnd = null;

        }



        int swEnforcedUserAuthenticatorIds =

                keyCharacteristics.swEnforced.getInt(KeymasterDefs.KM_TAG_USER_AUTH_TYPE, 0);

        int hwEnforcedUserAuthenticatorIds =
@@ -126,11 +145,9 @@ public class KeyStoreSecretKeyFactorySpi extends SecretKeyFactorySpi { 
        return new KeyStoreKeySpec(entryAlias,

                origin,

                keySize,

                KeymasterUtils.getDate(keyCharacteristics, KeymasterDefs.KM_TAG_ACTIVE_DATETIME),

                KeymasterUtils.getDate(keyCharacteristics,

                        KeymasterDefs.KM_TAG_ORIGINATION_EXPIRE_DATETIME),

                KeymasterUtils.getDate(keyCharacteristics,

                        KeymasterDefs.KM_TAG_USAGE_EXPIRE_DATETIME),

                keyValidityStart,

                keyValidityForOriginationEnd,

                keyValidityForConsumptionEnd,

                purposes,

                algorithm,

                padding,