Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 55fff3a8 authored by Brian C. Young's avatar Brian C. Young
Browse files

Add "Unlocked device required" parameter to keys 

Add a keymaster parameter for keys that should be inaccessible when
the device screen is locked. "Locked" here is a state where the device
can be used or accessed without any further trust factor such as a
PIN, password, fingerprint, or trusted face or voice.

This parameter is added to the Java keystore interface for key
creation and import, as well as enums specified by and for the native
keystore process.

Test: go/asym-write-test-plan

Bug: 67752510

Change-Id: I8b88ff8fceeafe14e7613776c9cf5427752d9172
parent e2975162

api/current.txt

+6 −0
Original line number Diff line number Diff line
@@ -38150,6 +38150,7 @@ package android.security.keystore { 
    method public boolean isRandomizedEncryptionRequired();

    method public boolean isStrongBoxBacked();

    method public boolean isTrustedUserPresenceRequired();

    method public boolean isUnlockedDeviceRequired();

    method public boolean isUserAuthenticationRequired();

    method public boolean isUserAuthenticationValidWhileOnBody();

  }
@@ -38176,6 +38177,7 @@ package android.security.keystore { 
    method public android.security.keystore.KeyGenParameterSpec.Builder setRandomizedEncryptionRequired(boolean);

    method public android.security.keystore.KeyGenParameterSpec.Builder setSignaturePaddings(java.lang.String...);

    method public android.security.keystore.KeyGenParameterSpec.Builder setTrustedUserPresenceRequired(boolean);

    method public android.security.keystore.KeyGenParameterSpec.Builder setUnlockedDeviceRequired(boolean);

    method public android.security.keystore.KeyGenParameterSpec.Builder setUserAuthenticationRequired(boolean);

    method public android.security.keystore.KeyGenParameterSpec.Builder setUserAuthenticationValidWhileOnBody(boolean);

    method public android.security.keystore.KeyGenParameterSpec.Builder setUserAuthenticationValidityDurationSeconds(int);
@@ -38265,6 +38267,8 @@ package android.security.keystore { 
    method public boolean isDigestsSpecified();

    method public boolean isInvalidatedByBiometricEnrollment();

    method public boolean isRandomizedEncryptionRequired();

    method public boolean isTrustedUserPresenceRequired();

    method public boolean isUnlockedDeviceRequired();

    method public boolean isUserAuthenticationRequired();

    method public boolean isUserAuthenticationValidWhileOnBody();

  }
@@ -38282,6 +38286,8 @@ package android.security.keystore { 
    method public android.security.keystore.KeyProtection.Builder setKeyValidityStart(java.util.Date);

    method public android.security.keystore.KeyProtection.Builder setRandomizedEncryptionRequired(boolean);

    method public android.security.keystore.KeyProtection.Builder setSignaturePaddings(java.lang.String...);

    method public android.security.keystore.KeyProtection.Builder setTrustedUserPresenceRequired(boolean);

    method public android.security.keystore.KeyProtection.Builder setUnlockedDeviceRequired(boolean);

    method public android.security.keystore.KeyProtection.Builder setUserAuthenticationRequired(boolean);

    method public android.security.keystore.KeyProtection.Builder setUserAuthenticationValidWhileOnBody(boolean);

    method public android.security.keystore.KeyProtection.Builder setUserAuthenticationValidityDurationSeconds(int);

core/java/android/security/IKeystoreService.aidl

+1 −1
Original line number Diff line number Diff line
@@ -71,7 +71,7 @@ interface IKeystoreService { 
        in byte[] entropy);

    int abort(IBinder handle);

    boolean isOperationAuthorized(IBinder token);

    int addAuthToken(in byte[] authToken);

    int addAuthToken(in byte[] authToken, in int androidId);

    int onUserAdded(int userId, int parentId);

    int onUserRemoved(int userId);

    int attestKey(String alias, in KeymasterArguments params, out KeymasterCertificateChain chain);

core/java/android/security/keymaster/KeymasterDefs.java

+3 −0
Original line number Diff line number Diff line
@@ -74,6 +74,7 @@ public final class KeymasterDefs { 
    public static final int KM_TAG_AUTH_TIMEOUT = KM_UINT | 505;

    public static final int KM_TAG_ALLOW_WHILE_ON_BODY = KM_BOOL | 506;

    public static final int KM_TAG_TRUSTED_USER_PRESENCE_REQUIRED = KM_BOOL | 507;

    public static final int KM_TAG_UNLOCKED_DEVICE_REQUIRED = KM_BOOL | 509;



    public static final int KM_TAG_ALL_APPLICATIONS = KM_BOOL | 600;

    public static final int KM_TAG_APPLICATION_ID = KM_BYTES | 601;
@@ -215,6 +216,7 @@ public final class KeymasterDefs { 
    public static final int KM_ERROR_MISSING_MIN_MAC_LENGTH = -58;

    public static final int KM_ERROR_UNSUPPORTED_MIN_MAC_LENGTH = -59;

    public static final int KM_ERROR_CANNOT_ATTEST_IDS = -66;

    public static final int KM_ERROR_DEVICE_LOCKED = -72;

    public static final int KM_ERROR_UNIMPLEMENTED = -100;

    public static final int KM_ERROR_VERSION_MISMATCH = -101;

    public static final int KM_ERROR_UNKNOWN_ERROR = -1000;
@@ -261,6 +263,7 @@ public final class KeymasterDefs { 
        sErrorCodeToString.put(KM_ERROR_INVALID_MAC_LENGTH,

                "Invalid MAC or authentication tag length");

        sErrorCodeToString.put(KM_ERROR_CANNOT_ATTEST_IDS, "Unable to attest device ids");

        sErrorCodeToString.put(KM_ERROR_DEVICE_LOCKED, "Device locked");

        sErrorCodeToString.put(KM_ERROR_UNIMPLEMENTED, "Not implemented");

        sErrorCodeToString.put(KM_ERROR_UNKNOWN_ERROR, "Unknown error");

    }

keystore/java/android/security/KeyStore.java

+2 −2
Original line number Diff line number Diff line
@@ -618,9 +618,9 @@ public class KeyStore { 
     * @return {@code KeyStore.NO_ERROR} on success, otherwise an error value corresponding to

     * a {@code KeymasterDefs.KM_ERROR_} value or {@code KeyStore} ResponseCode.

     */

    public int addAuthToken(byte[] authToken) {

    public int addAuthToken(byte[] authToken, int userId) {

        try {

            return mBinder.addAuthToken(authToken);

            return mBinder.addAuthToken(authToken, userId);

        } catch (RemoteException e) {

            Log.w(TAG, "Cannot connect to keystore", e);

            return SYSTEM_ERROR;

keystore/java/android/security/keystore/AndroidKeyStoreKeyGeneratorSpi.java

+2 −15
Original line number Diff line number Diff line
@@ -243,12 +243,7 @@ public abstract class AndroidKeyStoreKeyGeneratorSpi extends KeyGeneratorSpi { 
                // Check that user authentication related parameters are acceptable. This method

                // will throw an IllegalStateException if there are issues (e.g., secure lock screen

                // not set up).

                KeymasterUtils.addUserAuthArgs(new KeymasterArguments(),

                        spec.isUserAuthenticationRequired(),

                        spec.getUserAuthenticationValidityDurationSeconds(),

                        spec.isUserAuthenticationValidWhileOnBody(),

                        spec.isInvalidatedByBiometricEnrollment(),

                        GateKeeper.INVALID_SECURE_USER_ID /* boundToSpecificSecureUserId */);

                KeymasterUtils.addUserAuthArgs(new KeymasterArguments(), spec);

            } catch (IllegalStateException | IllegalArgumentException e) {

                throw new InvalidAlgorithmParameterException(e);

            }
@@ -284,15 +279,7 @@ public abstract class AndroidKeyStoreKeyGeneratorSpi extends KeyGeneratorSpi { 
        args.addEnums(KeymasterDefs.KM_TAG_BLOCK_MODE, mKeymasterBlockModes);

        args.addEnums(KeymasterDefs.KM_TAG_PADDING, mKeymasterPaddings);

        args.addEnums(KeymasterDefs.KM_TAG_DIGEST, mKeymasterDigests);

        KeymasterUtils.addUserAuthArgs(args,

                spec.isUserAuthenticationRequired(),

                spec.getUserAuthenticationValidityDurationSeconds(),

                spec.isUserAuthenticationValidWhileOnBody(),

                spec.isInvalidatedByBiometricEnrollment(),

                GateKeeper.INVALID_SECURE_USER_ID /* boundToSpecificSecureUserId */);

        if (spec.isTrustedUserPresenceRequired()) {

            args.addBoolean(KeymasterDefs.KM_TAG_TRUSTED_USER_PRESENCE_REQUIRED);

        }

        KeymasterUtils.addUserAuthArgs(args, spec);

        KeymasterUtils.addMinMacLengthAuthorizationIfNecessary(

                args,

                mKeymasterAlgorithm,