Merge "Use Builder instead for KeyChainProtectionParams." into pi-dev (82476a3d) · Commits · e / os / android_frameworks_base

core/java/android/security/keystore/recovery/KeyChainProtectionParams.java

+2 −16

Original line number	Diff line number	Diff line
		@@ -94,21 +94,6 @@ public final class KeyChainProtectionParams implements Parcelable {
		private KeyDerivationParams mKeyDerivationParams;
		private byte[] mSecret; // Derived from user secret. The field must have limited visibility.

		/**
		* @param secret Constructor creates a reference to the secret. Caller must use
		* @link {#clearSecret} to overwrite its value in memory.
		* @hide
		*/
		public KeyChainProtectionParams(@UserSecretType int userSecretType,
		@LockScreenUiFormat int lockScreenUiFormat,
		@NonNull KeyDerivationParams keyDerivationParams,
		@NonNull byte[] secret) {
		mUserSecretType = userSecretType;
		mLockScreenUiFormat = lockScreenUiFormat;
		mKeyDerivationParams = Preconditions.checkNotNull(keyDerivationParams);
		mSecret = Preconditions.checkNotNull(secret);
		}

		private KeyChainProtectionParams() {

		}
		@@ -158,6 +143,7 @@ public final class KeyChainProtectionParams implements Parcelable {

		/**
		* Sets user secret type.
		* Default value is {@link TYPE_LOCKSCREEN}.
		*
		* @see TYPE_LOCKSCREEN
		* @param userSecretType The secret type
		@@ -185,7 +171,7 @@ public final class KeyChainProtectionParams implements Parcelable {
		/**
		* Sets parameters of the key derivation function.
		*
		* @param keyDerivationParams Key derivation Params
		* @param keyDerivationParams Key derivation parameters
		* @return This builder.
		*/
		public Builder setKeyDerivationParams(@NonNull KeyDerivationParams

core/java/android/security/keystore/recovery/KeyChainSnapshot.java

+4 −4

Original line number	Diff line number	Diff line
		@@ -252,12 +252,12 @@ public final class KeyChainSnapshot implements Parcelable {
		/**
		* Sets UI and key derivation parameters
		*
		* @param recoveryMetadata The UI and key derivation parameters
		* @param keyChainProtectionParams The UI and key derivation parameters
		* @return This builder.
		*/
		public Builder setKeyChainProtectionParams(
		@NonNull List<KeyChainProtectionParams> recoveryMetadata) {
		mInstance.mKeyChainProtectionParams = recoveryMetadata;
		@NonNull List<KeyChainProtectionParams> keyChainProtectionParams) {
		mInstance.mKeyChainProtectionParams = keyChainProtectionParams;
		return this;
		}

		@@ -292,7 +292,7 @@ public final class KeyChainSnapshot implements Parcelable {
		*/
		@NonNull public KeyChainSnapshot build() {
		Preconditions.checkCollectionElementsNotNull(mInstance.mKeyChainProtectionParams,
		"recoveryMetadata");
		"keyChainProtectionParams");
		Preconditions.checkCollectionElementsNotNull(mInstance.mEntryRecoveryData,
		"entryRecoveryData");
		Preconditions.checkNotNull(mInstance.mEncryptedRecoveryKeyBlob);

core/java/android/security/keystore/recovery/RecoveryController.java

+1 −1

Original line number	Diff line number	Diff line
		@@ -159,7 +159,7 @@ public class RecoveryController {
		* Gets a new instance of the class.
		*/
		@RequiresPermission(android.Manifest.permission.RECOVER_KEYSTORE)
		public static RecoveryController getInstance(Context context) {
		@NonNull public static RecoveryController getInstance(@NonNull Context context) {
		ILockSettings lockSettings =
		ILockSettings.Stub.asInterface(ServiceManager.getService("lock_settings"));
		return new RecoveryController(lockSettings, KeyStore.getInstance());

services/tests/servicestests/src/com/android/server/locksettings/recoverablekeystore/RecoverableKeyStoreManagerTest.java

+23 −85

Original line number	Diff line number	Diff line
		@@ -144,6 +144,13 @@ public class RecoverableKeyStoreManagerTest {
		private static final String ANDROID_KEY_STORE_PROVIDER = "AndroidKeyStore";
		private static final String WRAPPING_KEY_ALIAS = "RecoverableKeyStoreManagerTest/WrappingKey";
		private static final String TEST_ROOT_CERT_ALIAS = "";
		private static final KeyChainProtectionParams TEST_PROTECTION_PARAMS =
		new KeyChainProtectionParams.Builder()
		.setUserSecretType(TYPE_LOCKSCREEN)
		.setLockScreenUiFormat(UI_FORMAT_PASSWORD)
		.setKeyDerivationParams(KeyDerivationParams.createSha256Params(TEST_SALT))
		.setSecret(TEST_SECRET)
		.build();

		@Mock private Context mMockContext;
		@Mock private RecoverySnapshotListenersStorage mMockListenersStorage;
		@@ -459,12 +466,7 @@ public class RecoverableKeyStoreManagerTest {
		TEST_PUBLIC_KEY,
		TEST_VAULT_PARAMS,
		TEST_VAULT_CHALLENGE,
		ImmutableList.of(
		new KeyChainProtectionParams(
		TYPE_LOCKSCREEN,
		UI_FORMAT_PASSWORD,
		KeyDerivationParams.createSha256Params(TEST_SALT),
		TEST_SECRET)));
		ImmutableList.of(TEST_PROTECTION_PARAMS));

		verify(mMockContext, times(1))
		.enforceCallingOrSelfPermission(
		@@ -481,12 +483,7 @@ public class RecoverableKeyStoreManagerTest {
		RecoveryCertPath.createRecoveryCertPath(TestData.CERT_PATH_1),
		TEST_VAULT_PARAMS,
		TEST_VAULT_CHALLENGE,
		ImmutableList.of(
		new KeyChainProtectionParams(
		TYPE_LOCKSCREEN,
		UI_FORMAT_PASSWORD,
		KeyDerivationParams.createSha256Params(TEST_SALT),
		TEST_SECRET)));
		ImmutableList.of(TEST_PROTECTION_PARAMS));

		assertEquals(1, mRecoverySessionStorage.size());
		RecoverySessionStorage.Entry entry =
		@@ -503,12 +500,7 @@ public class RecoverableKeyStoreManagerTest {
		RecoveryCertPath.createRecoveryCertPath(TestData.CERT_PATH_1),
		TEST_VAULT_PARAMS,
		TEST_VAULT_CHALLENGE,
		ImmutableList.of(
		new KeyChainProtectionParams(
		TYPE_LOCKSCREEN,
		UI_FORMAT_PASSWORD,
		KeyDerivationParams.createSha256Params(TEST_SALT),
		TEST_SECRET)));
		ImmutableList.of(TEST_PROTECTION_PARAMS));

		verify(mMockContext, times(2))
		.enforceCallingOrSelfPermission(
		@@ -522,12 +514,7 @@ public class RecoverableKeyStoreManagerTest {
		TEST_PUBLIC_KEY,
		TEST_VAULT_PARAMS,
		TEST_VAULT_CHALLENGE,
		ImmutableList.of(
		new KeyChainProtectionParams(
		TYPE_LOCKSCREEN,
		UI_FORMAT_PASSWORD,
		KeyDerivationParams.createSha256Params(TEST_SALT),
		TEST_SECRET)));
		ImmutableList.of(TEST_PROTECTION_PARAMS));

		assertEquals(1, mRecoverySessionStorage.size());
		RecoverySessionStorage.Entry entry =
		@@ -543,12 +530,7 @@ public class RecoverableKeyStoreManagerTest {
		TEST_PUBLIC_KEY,
		TEST_VAULT_PARAMS,
		TEST_VAULT_CHALLENGE,
		ImmutableList.of(
		new KeyChainProtectionParams(
		TYPE_LOCKSCREEN,
		UI_FORMAT_PASSWORD,
		KeyDerivationParams.createSha256Params(TEST_SALT),
		TEST_SECRET)));
		ImmutableList.of(TEST_PROTECTION_PARAMS));

		mRecoverableKeyStoreManager.closeSession(TEST_SESSION_ID);

		@@ -562,12 +544,7 @@ public class RecoverableKeyStoreManagerTest {
		TEST_PUBLIC_KEY,
		TEST_VAULT_PARAMS,
		TEST_VAULT_CHALLENGE,
		ImmutableList.of(
		new KeyChainProtectionParams(
		TYPE_LOCKSCREEN,
		UI_FORMAT_PASSWORD,
		KeyDerivationParams.createSha256Params(TEST_SALT),
		TEST_SECRET)));
		ImmutableList.of(TEST_PROTECTION_PARAMS));

		mRecoverableKeyStoreManager.closeSession("some random session");

		@@ -604,18 +581,14 @@ public class RecoverableKeyStoreManagerTest {
		public void startRecoverySession_throwsIfPublicKeysMismatch() throws Exception {
		byte[] vaultParams = TEST_VAULT_PARAMS.clone();
		vaultParams[1] ^= (byte) 1; // Flip 1 bit

		try {
		mRecoverableKeyStoreManager.startRecoverySession(
		TEST_SESSION_ID,
		TEST_PUBLIC_KEY,
		vaultParams,
		TEST_VAULT_CHALLENGE,
		ImmutableList.of(
		new KeyChainProtectionParams(
		TYPE_LOCKSCREEN,
		UI_FORMAT_PASSWORD,
		KeyDerivationParams.createSha256Params(TEST_SALT),
		TEST_SECRET)));
		ImmutableList.of(TEST_PROTECTION_PARAMS));
		fail("should have thrown");
		} catch (ServiceSpecificException e) {
		assertThat(e.getMessage()).contains("do not match");
		@@ -650,12 +623,7 @@ public class RecoverableKeyStoreManagerTest {
		RecoveryCertPath.createRecoveryCertPath(TestData.CERT_PATH_1),
		vaultParams,
		TEST_VAULT_CHALLENGE,
		ImmutableList.of(
		new KeyChainProtectionParams(
		TYPE_LOCKSCREEN,
		UI_FORMAT_PASSWORD,
		KeyDerivationParams.createSha256Params(TEST_SALT),
		TEST_SECRET)));
		ImmutableList.of(TEST_PROTECTION_PARAMS));
		fail("should have thrown");
		} catch (ServiceSpecificException e) {
		assertThat(e.getMessage()).contains("do not match");
		@@ -673,12 +641,7 @@ public class RecoverableKeyStoreManagerTest {
		RecoveryCertPath.createRecoveryCertPath(emptyCertPath),
		TEST_VAULT_PARAMS,
		TEST_VAULT_CHALLENGE,
		ImmutableList.of(
		new KeyChainProtectionParams(
		TYPE_LOCKSCREEN,
		UI_FORMAT_PASSWORD,
		KeyDerivationParams.createSha256Params(TEST_SALT),
		TEST_SECRET)));
		ImmutableList.of(TEST_PROTECTION_PARAMS));
		fail("should have thrown");
		} catch (ServiceSpecificException e) {
		assertThat(e.getMessage()).contains("empty");
		@@ -698,12 +661,7 @@ public class RecoverableKeyStoreManagerTest {
		RecoveryCertPath.createRecoveryCertPath(shortCertPath),
		TEST_VAULT_PARAMS,
		TEST_VAULT_CHALLENGE,
		ImmutableList.of(
		new KeyChainProtectionParams(
		TYPE_LOCKSCREEN,
		UI_FORMAT_PASSWORD,
		KeyDerivationParams.createSha256Params(TEST_SALT),
		TEST_SECRET)));
		ImmutableList.of(TEST_PROTECTION_PARAMS));
		fail("should have thrown");
		} catch (ServiceSpecificException e) {
		// expected
		@@ -734,11 +692,7 @@ public class RecoverableKeyStoreManagerTest {
		TEST_PUBLIC_KEY,
		TEST_VAULT_PARAMS,
		TEST_VAULT_CHALLENGE,
		ImmutableList.of(new KeyChainProtectionParams(
		TYPE_LOCKSCREEN,
		UI_FORMAT_PASSWORD,
		KeyDerivationParams.createSha256Params(TEST_SALT),
		TEST_SECRET)));
		ImmutableList.of(TEST_PROTECTION_PARAMS));

		try {
		mRecoverableKeyStoreManager.recoverKeyChainSnapshot(
		@@ -758,11 +712,7 @@ public class RecoverableKeyStoreManagerTest {
		TEST_PUBLIC_KEY,
		TEST_VAULT_PARAMS,
		TEST_VAULT_CHALLENGE,
		ImmutableList.of(new KeyChainProtectionParams(
		TYPE_LOCKSCREEN,
		UI_FORMAT_PASSWORD,
		KeyDerivationParams.createSha256Params(TEST_SALT),
		TEST_SECRET)));
		ImmutableList.of(TEST_PROTECTION_PARAMS));
		byte[] keyClaimant = mRecoverySessionStorage.get(Binder.getCallingUid(), TEST_SESSION_ID)
		.getKeyClaimant();
		SecretKey recoveryKey = randomRecoveryKey();
		@@ -792,11 +742,7 @@ public class RecoverableKeyStoreManagerTest {
		TEST_PUBLIC_KEY,
		TEST_VAULT_PARAMS,
		TEST_VAULT_CHALLENGE,
		ImmutableList.of(new KeyChainProtectionParams(
		TYPE_LOCKSCREEN,
		UI_FORMAT_PASSWORD,
		KeyDerivationParams.createSha256Params(TEST_SALT),
		TEST_SECRET)));
		ImmutableList.of(TEST_PROTECTION_PARAMS));
		byte[] keyClaimant = mRecoverySessionStorage.get(Binder.getCallingUid(), TEST_SESSION_ID)
		.getKeyClaimant();
		SecretKey recoveryKey = randomRecoveryKey();
		@@ -816,11 +762,7 @@ public class RecoverableKeyStoreManagerTest {
		TEST_PUBLIC_KEY,
		TEST_VAULT_PARAMS,
		TEST_VAULT_CHALLENGE,
		ImmutableList.of(new KeyChainProtectionParams(
		TYPE_LOCKSCREEN,
		UI_FORMAT_PASSWORD,
		KeyDerivationParams.createSha256Params(TEST_SALT),
		TEST_SECRET)));
		ImmutableList.of(TEST_PROTECTION_PARAMS));
		byte[] keyClaimant = mRecoverySessionStorage.get(Binder.getCallingUid(), TEST_SESSION_ID)
		.getKeyClaimant();
		SecretKey recoveryKey = randomRecoveryKey();
		@@ -850,11 +792,7 @@ public class RecoverableKeyStoreManagerTest {
		TEST_PUBLIC_KEY,
		TEST_VAULT_PARAMS,
		TEST_VAULT_CHALLENGE,
		ImmutableList.of(new KeyChainProtectionParams(
		TYPE_LOCKSCREEN,
		UI_FORMAT_PASSWORD,
		KeyDerivationParams.createSha256Params(TEST_SALT),
		TEST_SECRET)));
		ImmutableList.of(TEST_PROTECTION_PARAMS));
		byte[] keyClaimant = mRecoverySessionStorage.get(Binder.getCallingUid(), TEST_SESSION_ID)
		.getKeyClaimant();
		SecretKey recoveryKey = randomRecoveryKey();

services/tests/servicestests/src/com/android/server/locksettings/recoverablekeystore/storage/RecoverySnapshotStorageTest.java

+14 −14

Original line number	Diff line number	Diff line
		@@ -15,6 +15,15 @@ import java.util.ArrayList;
		@SmallTest
		@RunWith(AndroidJUnit4.class)
		public class RecoverySnapshotStorageTest {
		private static final KeyChainSnapshot MINIMAL_KEYCHAIN_SNAPSHOT = new KeyChainSnapshot.Builder()
		.setCounterId(1)
		.setSnapshotVersion(1)
		.setServerParams(new byte[0])
		.setMaxAttempts(10)
		.setEncryptedRecoveryKeyBlob(new byte[0])
		.setKeyChainProtectionParams(new ArrayList<>())
		.setWrappedApplicationKeys(new ArrayList<>())
		.build();

		private final RecoverySnapshotStorage mRecoverySnapshotStorage = new RecoverySnapshotStorage();

		@@ -26,26 +35,17 @@ public class RecoverySnapshotStorageTest {
		@Test
		public void get_returnsSetSnapshot() {
		int userId = 1000;
		KeyChainSnapshot keyChainSnapshot = new KeyChainSnapshot(
		/snapshotVersion=/ 1,
		new ArrayList<>(),
		new ArrayList<>(),
		new byte[0]);
		mRecoverySnapshotStorage.put(userId, keyChainSnapshot);

		assertEquals(keyChainSnapshot, mRecoverySnapshotStorage.get(userId));

		mRecoverySnapshotStorage.put(userId, MINIMAL_KEYCHAIN_SNAPSHOT);

		assertEquals(MINIMAL_KEYCHAIN_SNAPSHOT, mRecoverySnapshotStorage.get(userId));
		}

		@Test
		public void remove_removesSnapshots() {
		int userId = 1000;
		KeyChainSnapshot keyChainSnapshot = new KeyChainSnapshot(
		/snapshotVersion=/ 1,
		new ArrayList<>(),
		new ArrayList<>(),
		new byte[0]);
		mRecoverySnapshotStorage.put(userId, keyChainSnapshot);

		mRecoverySnapshotStorage.put(userId, MINIMAL_KEYCHAIN_SNAPSHOT);
		mRecoverySnapshotStorage.remove(userId);

		assertNull(mRecoverySnapshotStorage.get(1000));