Loading core/java/android/security/keystore/recovery/KeyChainSnapshot.java +25 −5 Original line number Diff line number Diff line Loading @@ -18,12 +18,14 @@ package android.security.keystore.recovery; import android.annotation.NonNull; import android.annotation.SystemApi; import android.os.BadParcelableException; import android.os.Parcel; import android.os.Parcelable; import com.android.internal.util.Preconditions; import java.security.cert.CertPath; import java.security.cert.CertificateException; import java.util.List; /** Loading Loading @@ -54,7 +56,7 @@ public final class KeyChainSnapshot implements Parcelable { private long mCounterId = DEFAULT_COUNTER_ID; private byte[] mServerParams; private byte[] mPublicKey; // The raw public key bytes used private CertPath mCertPath; // The certificate path including the intermediate certificates private RecoveryCertPath mCertPath; // The cert path including necessary intermediate certs private List<KeyChainProtectionParams> mKeyChainProtectionParams; private List<WrappedApplicationKey> mEntryRecoveryData; private byte[] mEncryptedRecoveryKeyBlob; Loading Loading @@ -127,7 +129,17 @@ public final class KeyChainSnapshot implements Parcelable { */ // TODO: Change to @NonNull public CertPath getTrustedHardwareCertPath() { return mCertPath; if (mCertPath == null) { return null; } else { try { return mCertPath.getCertPath(); } catch (CertificateException e) { // Rethrow an unchecked exception as it should not happen. If such an issue exists, // an exception should have been thrown during service initialization. throw new BadParcelableException(e); } } } /** Loading Loading @@ -232,11 +244,17 @@ public final class KeyChainSnapshot implements Parcelable { * contain a certificate of the trusted hardware public key and any necessary intermediate * certificates. * * @param certPath The public key * @param certPath The certificate path * @throws CertificateException if the given certificate path cannot be encoded properly * @return This builder. */ public Builder setTrustedHardwareCertPath(CertPath certPath) { mInstance.mCertPath = certPath; public Builder setTrustedHardwareCertPath(CertPath certPath) throws CertificateException { // TODO: Make it NonNull when the caller code is all updated if (certPath == null) { mInstance.mCertPath = null; } else { mInstance.mCertPath = RecoveryCertPath.createRecoveryCertPath(certPath); } return this; } Loading Loading @@ -302,6 +320,7 @@ public final class KeyChainSnapshot implements Parcelable { out.writeLong(mCounterId); out.writeByteArray(mServerParams); out.writeByteArray(mPublicKey); out.writeTypedObject(mCertPath, /* no flags */ 0); } /** Loading @@ -316,6 +335,7 @@ public final class KeyChainSnapshot implements Parcelable { mCounterId = in.readLong(); mServerParams = in.createByteArray(); mPublicKey = in.createByteArray(); mCertPath = in.readTypedObject(RecoveryCertPath.CREATOR); } @Override Loading services/core/java/com/android/server/locksettings/recoverablekeystore/KeySyncTask.java +11 −4 Original line number Diff line number Diff line Loading @@ -45,6 +45,7 @@ import java.security.PublicKey; import java.security.SecureRandom; import java.security.UnrecoverableKeyException; import java.security.cert.CertPath; import java.security.cert.CertificateException; import java.util.ArrayList; import java.util.List; import java.util.Map; Loading Loading @@ -295,17 +296,23 @@ public class KeySyncTask implements Runnable { // If application keys are not updated, snapshot will not be created on next unlock. mRecoverableKeyStoreDb.setShouldCreateSnapshot(mUserId, recoveryAgentUid, false); mRecoverySnapshotStorage.put(recoveryAgentUid, new KeyChainSnapshot.Builder() KeyChainSnapshot.Builder keyChainSnapshotBuilder = new KeyChainSnapshot.Builder() .setSnapshotVersion(getSnapshotVersion(recoveryAgentUid, recreateCurrentVersion)) .setMaxAttempts(TRUSTED_HARDWARE_MAX_ATTEMPTS) .setCounterId(counterId) .setTrustedHardwarePublicKey(SecureBox.encodePublicKey(publicKey)) .setTrustedHardwareCertPath(certPath) .setServerParams(vaultHandle) .setKeyChainProtectionParams(metadataList) .setWrappedApplicationKeys(createApplicationKeyEntries(encryptedApplicationKeys)) .setEncryptedRecoveryKeyBlob(encryptedRecoveryKey) .build()); .setEncryptedRecoveryKeyBlob(encryptedRecoveryKey); try { keyChainSnapshotBuilder.setTrustedHardwareCertPath(certPath); } catch(CertificateException e) { // Should not happen, as it's just deserialized from bytes stored in the db Log.wtf(TAG, "Cannot serialize CertPath when calling setTrustedHardwareCertPath", e); return; } mRecoverySnapshotStorage.put(recoveryAgentUid, keyChainSnapshotBuilder.build()); mSnapshotListenersStorage.recoverySnapshotAvailable(recoveryAgentUid); } Loading Loading
core/java/android/security/keystore/recovery/KeyChainSnapshot.java +25 −5 Original line number Diff line number Diff line Loading @@ -18,12 +18,14 @@ package android.security.keystore.recovery; import android.annotation.NonNull; import android.annotation.SystemApi; import android.os.BadParcelableException; import android.os.Parcel; import android.os.Parcelable; import com.android.internal.util.Preconditions; import java.security.cert.CertPath; import java.security.cert.CertificateException; import java.util.List; /** Loading Loading @@ -54,7 +56,7 @@ public final class KeyChainSnapshot implements Parcelable { private long mCounterId = DEFAULT_COUNTER_ID; private byte[] mServerParams; private byte[] mPublicKey; // The raw public key bytes used private CertPath mCertPath; // The certificate path including the intermediate certificates private RecoveryCertPath mCertPath; // The cert path including necessary intermediate certs private List<KeyChainProtectionParams> mKeyChainProtectionParams; private List<WrappedApplicationKey> mEntryRecoveryData; private byte[] mEncryptedRecoveryKeyBlob; Loading Loading @@ -127,7 +129,17 @@ public final class KeyChainSnapshot implements Parcelable { */ // TODO: Change to @NonNull public CertPath getTrustedHardwareCertPath() { return mCertPath; if (mCertPath == null) { return null; } else { try { return mCertPath.getCertPath(); } catch (CertificateException e) { // Rethrow an unchecked exception as it should not happen. If such an issue exists, // an exception should have been thrown during service initialization. throw new BadParcelableException(e); } } } /** Loading Loading @@ -232,11 +244,17 @@ public final class KeyChainSnapshot implements Parcelable { * contain a certificate of the trusted hardware public key and any necessary intermediate * certificates. * * @param certPath The public key * @param certPath The certificate path * @throws CertificateException if the given certificate path cannot be encoded properly * @return This builder. */ public Builder setTrustedHardwareCertPath(CertPath certPath) { mInstance.mCertPath = certPath; public Builder setTrustedHardwareCertPath(CertPath certPath) throws CertificateException { // TODO: Make it NonNull when the caller code is all updated if (certPath == null) { mInstance.mCertPath = null; } else { mInstance.mCertPath = RecoveryCertPath.createRecoveryCertPath(certPath); } return this; } Loading Loading @@ -302,6 +320,7 @@ public final class KeyChainSnapshot implements Parcelable { out.writeLong(mCounterId); out.writeByteArray(mServerParams); out.writeByteArray(mPublicKey); out.writeTypedObject(mCertPath, /* no flags */ 0); } /** Loading @@ -316,6 +335,7 @@ public final class KeyChainSnapshot implements Parcelable { mCounterId = in.readLong(); mServerParams = in.createByteArray(); mPublicKey = in.createByteArray(); mCertPath = in.readTypedObject(RecoveryCertPath.CREATOR); } @Override Loading
services/core/java/com/android/server/locksettings/recoverablekeystore/KeySyncTask.java +11 −4 Original line number Diff line number Diff line Loading @@ -45,6 +45,7 @@ import java.security.PublicKey; import java.security.SecureRandom; import java.security.UnrecoverableKeyException; import java.security.cert.CertPath; import java.security.cert.CertificateException; import java.util.ArrayList; import java.util.List; import java.util.Map; Loading Loading @@ -295,17 +296,23 @@ public class KeySyncTask implements Runnable { // If application keys are not updated, snapshot will not be created on next unlock. mRecoverableKeyStoreDb.setShouldCreateSnapshot(mUserId, recoveryAgentUid, false); mRecoverySnapshotStorage.put(recoveryAgentUid, new KeyChainSnapshot.Builder() KeyChainSnapshot.Builder keyChainSnapshotBuilder = new KeyChainSnapshot.Builder() .setSnapshotVersion(getSnapshotVersion(recoveryAgentUid, recreateCurrentVersion)) .setMaxAttempts(TRUSTED_HARDWARE_MAX_ATTEMPTS) .setCounterId(counterId) .setTrustedHardwarePublicKey(SecureBox.encodePublicKey(publicKey)) .setTrustedHardwareCertPath(certPath) .setServerParams(vaultHandle) .setKeyChainProtectionParams(metadataList) .setWrappedApplicationKeys(createApplicationKeyEntries(encryptedApplicationKeys)) .setEncryptedRecoveryKeyBlob(encryptedRecoveryKey) .build()); .setEncryptedRecoveryKeyBlob(encryptedRecoveryKey); try { keyChainSnapshotBuilder.setTrustedHardwareCertPath(certPath); } catch(CertificateException e) { // Should not happen, as it's just deserialized from bytes stored in the db Log.wtf(TAG, "Cannot serialize CertPath when calling setTrustedHardwareCertPath", e); return; } mRecoverySnapshotStorage.put(recoveryAgentUid, keyChainSnapshotBuilder.build()); mSnapshotListenersStorage.recoverySnapshotAvailable(recoveryAgentUid); } Loading
