Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 59ced28f authored by Rubin Xu's avatar Rubin Xu
Browse files

Add hidden KeyProtection API to specify SID 

Allows the caller to specify which SID the given key
should be bound to, overriding the default rule of
binding to the current root/fingerprint SID.

This is a prerequsite for introducing synthetic password
based authentication flow.

Test: cts-tradefed run cts -m CtsKeystoreTestCases
Bug: 33126414
Change-Id: Ide03c0f4fd33ecca7a169ea763c3d4d0b173d1dd
parent 451911ea

keystore/java/android/security/GateKeeper.java

+2 −0
Original line number Diff line number Diff line
@@ -29,6 +29,8 @@ import android.service.gatekeeper.IGateKeeperService; 
 */

public abstract class GateKeeper {



    public static final long INVALID_SECURE_USER_ID = 0;



    private GateKeeper() {}



    public static IGateKeeperService getService() {

keystore/java/android/security/keystore/AndroidKeyStoreKeyGeneratorSpi.java

+5 −2
Original line number Diff line number Diff line
@@ -17,6 +17,7 @@ 
package android.security.keystore;



import android.security.Credentials;

import android.security.GateKeeper;

import android.security.KeyStore;

import android.security.keymaster.KeyCharacteristics;

import android.security.keymaster.KeymasterArguments;
@@ -235,7 +236,8 @@ public abstract class AndroidKeyStoreKeyGeneratorSpi extends KeyGeneratorSpi { 
                        spec.isUserAuthenticationRequired(),

                        spec.getUserAuthenticationValidityDurationSeconds(),

                        spec.isUserAuthenticationValidWhileOnBody(),

                        spec.isInvalidatedByBiometricEnrollment());

                        spec.isInvalidatedByBiometricEnrollment(),

                        GateKeeper.INVALID_SECURE_USER_ID /* boundToSpecificSecureUserId */);

            } catch (IllegalStateException | IllegalArgumentException e) {

                throw new InvalidAlgorithmParameterException(e);

            }
@@ -275,7 +277,8 @@ public abstract class AndroidKeyStoreKeyGeneratorSpi extends KeyGeneratorSpi { 
                spec.isUserAuthenticationRequired(),

                spec.getUserAuthenticationValidityDurationSeconds(),

                spec.isUserAuthenticationValidWhileOnBody(),

                spec.isInvalidatedByBiometricEnrollment());

                spec.isInvalidatedByBiometricEnrollment(),

                GateKeeper.INVALID_SECURE_USER_ID /* boundToSpecificSecureUserId */);

        KeymasterUtils.addMinMacLengthAuthorizationIfNecessary(

                args,

                mKeymasterAlgorithm,

keystore/java/android/security/keystore/AndroidKeyStoreKeyPairGeneratorSpi.java

+5 −2
Original line number Diff line number Diff line
@@ -18,6 +18,7 @@ package android.security.keystore; 


import android.annotation.Nullable;

import android.security.Credentials;

import android.security.GateKeeper;

import android.security.KeyPairGeneratorSpec;

import android.security.KeyStore;

import android.security.keymaster.KeyCharacteristics;
@@ -346,7 +347,8 @@ public abstract class AndroidKeyStoreKeyPairGeneratorSpi extends KeyPairGenerato 
                        mSpec.isUserAuthenticationRequired(),

                        mSpec.getUserAuthenticationValidityDurationSeconds(),

                        mSpec.isUserAuthenticationValidWhileOnBody(),

                        mSpec.isInvalidatedByBiometricEnrollment());

                        mSpec.isInvalidatedByBiometricEnrollment(),

                        GateKeeper.INVALID_SECURE_USER_ID /* boundToSpecificSecureUserId */);

            } catch (IllegalArgumentException | IllegalStateException e) {

                throw new InvalidAlgorithmParameterException(e);

            }
@@ -533,7 +535,8 @@ public abstract class AndroidKeyStoreKeyPairGeneratorSpi extends KeyPairGenerato 
                mSpec.isUserAuthenticationRequired(),

                mSpec.getUserAuthenticationValidityDurationSeconds(),

                mSpec.isUserAuthenticationValidWhileOnBody(),

                mSpec.isInvalidatedByBiometricEnrollment());

                mSpec.isInvalidatedByBiometricEnrollment(),

                GateKeeper.INVALID_SECURE_USER_ID /* boundToSpecificSecureUserId */);

        args.addDateIfNotNull(KeymasterDefs.KM_TAG_ACTIVE_DATETIME, mSpec.getKeyValidityStart());

        args.addDateIfNotNull(KeymasterDefs.KM_TAG_ORIGINATION_EXPIRE_DATETIME,

                mSpec.getKeyValidityForOriginationEnd());

keystore/java/android/security/keystore/AndroidKeyStoreSpi.java

+4 −2
Original line number Diff line number Diff line
@@ -500,7 +500,8 @@ public class AndroidKeyStoreSpi extends KeyStoreSpi { 
                        spec.isUserAuthenticationRequired(),

                        spec.getUserAuthenticationValidityDurationSeconds(),

                        spec.isUserAuthenticationValidWhileOnBody(),

                        spec.isInvalidatedByBiometricEnrollment());

                        spec.isInvalidatedByBiometricEnrollment(),

                        spec.getBoundToSpecificSecureUserId());

                importArgs.addDateIfNotNull(KeymasterDefs.KM_TAG_ACTIVE_DATETIME,

                        spec.getKeyValidityStart());

                importArgs.addDateIfNotNull(KeymasterDefs.KM_TAG_ORIGINATION_EXPIRE_DATETIME,
@@ -696,7 +697,8 @@ public class AndroidKeyStoreSpi extends KeyStoreSpi { 
                    params.isUserAuthenticationRequired(),

                    params.getUserAuthenticationValidityDurationSeconds(),

                    params.isUserAuthenticationValidWhileOnBody(),

                    params.isInvalidatedByBiometricEnrollment());

                    params.isInvalidatedByBiometricEnrollment(),

                    params.getBoundToSpecificSecureUserId());

            KeymasterUtils.addMinMacLengthAuthorizationIfNecessary(

                    args,

                    keymasterAlgorithm,

keystore/java/android/security/keystore/KeyProtection.java

+46 −2
Original line number Diff line number Diff line
@@ -21,6 +21,7 @@ import android.annotation.NonNull; 
import android.annotation.Nullable;

import android.app.KeyguardManager;

import android.hardware.fingerprint.FingerprintManager;

import android.security.GateKeeper;



import java.security.Key;

import java.security.Signature;
@@ -225,6 +226,7 @@ public final class KeyProtection implements ProtectionParameter { 
    private final int mUserAuthenticationValidityDurationSeconds;

    private final boolean mUserAuthenticationValidWhileOnBody;

    private final boolean mInvalidatedByBiometricEnrollment;

    private final long mBoundToSecureUserId;



    private KeyProtection(

            Date keyValidityStart,
@@ -239,7 +241,8 @@ public final class KeyProtection implements ProtectionParameter { 
            boolean userAuthenticationRequired,

            int userAuthenticationValidityDurationSeconds,

            boolean userAuthenticationValidWhileOnBody,

            boolean invalidatedByBiometricEnrollment) {

            boolean invalidatedByBiometricEnrollment,

            long boundToSecureUserId) {

        mKeyValidityStart = Utils.cloneIfNotNull(keyValidityStart);

        mKeyValidityForOriginationEnd = Utils.cloneIfNotNull(keyValidityForOriginationEnd);

        mKeyValidityForConsumptionEnd = Utils.cloneIfNotNull(keyValidityForConsumptionEnd);
@@ -255,6 +258,7 @@ public final class KeyProtection implements ProtectionParameter { 
        mUserAuthenticationValidityDurationSeconds = userAuthenticationValidityDurationSeconds;

        mUserAuthenticationValidWhileOnBody = userAuthenticationValidWhileOnBody;

        mInvalidatedByBiometricEnrollment = invalidatedByBiometricEnrollment;

        mBoundToSecureUserId = boundToSecureUserId;

    }



    /**
@@ -435,6 +439,24 @@ public final class KeyProtection implements ProtectionParameter { 
        return mInvalidatedByBiometricEnrollment;

    }



    /**

     * Return the secure user id that this key should be bound to.

     *

     * Normally an authentication-bound key is tied to the secure user id of the current user

     * (either the root SID from GateKeeper for auth-bound keys with a timeout, or the authenticator

     * id of the current fingerprint set for keys requiring explicit fingerprint authorization).

     * If this parameter is set (this method returning non-zero value), the key should be tied to

     * the specified secure user id, overriding the logic above.

     *

     * This is only applicable when {@link #isUserAuthenticationRequired} is {@code true}

     *

     * @see KeymasterUtils#addUserAuthArgs

     * @hide

     */

    public long getBoundToSpecificSecureUserId() {

        return mBoundToSecureUserId;

    }



    /**

     * Builder of {@link KeyProtection} instances.

     */
@@ -454,6 +476,7 @@ public final class KeyProtection implements ProtectionParameter { 
        private boolean mUserAuthenticationValidWhileOnBody;

        private boolean mInvalidatedByBiometricEnrollment = true;



        private long mBoundToSecureUserId = GateKeeper.INVALID_SECURE_USER_ID;

        /**

         * Creates a new instance of the {@code Builder}.

         *
@@ -773,6 +796,26 @@ public final class KeyProtection implements ProtectionParameter { 
            return this;

        }



        /**

         * Set the secure user id that this key should be bound to.

         *

         * Normally an authentication-bound key is tied to the secure user id of the current user

         * (either the root SID from GateKeeper for auth-bound keys with a timeout, or the

         * authenticator id of the current fingerprint set for keys requiring explicit fingerprint

         * authorization). If this parameter is set (this method returning non-zero value), the key

         * should be tied to the specified secure user id, overriding the logic above.

         *

         * This is only applicable when {@link #setUserAuthenticationRequired} is set to

         * {@code true}

         *

         * @see KeyProtection#getBoundToSpecificSecureUserId()

         * @hide

         */

        public Builder setBoundToSpecificSecureUserId(long secureUserId) {

            mBoundToSecureUserId = secureUserId;

            return this;

        }



        /**

         * Builds an instance of {@link KeyProtection}.

         *
@@ -793,7 +836,8 @@ public final class KeyProtection implements ProtectionParameter { 
                    mUserAuthenticationRequired,

                    mUserAuthenticationValidityDurationSeconds,

                    mUserAuthenticationValidWhileOnBody,

                    mInvalidatedByBiometricEnrollment);

                    mInvalidatedByBiometricEnrollment,

                    mBoundToSecureUserId);

        }

    }

}