Loading core/java/android/security/keystore/recovery/RecoveryController.java +3 −3 Original line number Diff line number Diff line Loading @@ -43,7 +43,7 @@ import java.util.Map; /** * Backs up cryptographic keys to remote secure hardware, encrypted with the user's lock screen. * * <p>A system app with the {@link android.Manifest#RECOVER_KEYSTORE} permission may generate or * <p>A system app with the {@code android.permission.RECOVER_KEYSTORE} permission may generate or * import recoverable keys using this class. To generate a key, the app must call * {@link #generateKey(String)} with the desired alias for the key. This returns an AndroidKeyStore * reference to a 256-bit {@link javax.crypto.SecretKey}, which can be used for AES/GCM/NoPadding. Loading Loading @@ -292,7 +292,7 @@ public class RecoveryController { } catch (ServiceSpecificException e) { if (e.errorCode == ERROR_BAD_CERTIFICATE_FORMAT || e.errorCode == ERROR_INVALID_CERTIFICATE) { throw new CertificateException(e.getMessage()); throw new CertificateException("Invalid certificate for recovery service", e); } throw wrapUnexpectedServiceSpecificException(e); } Loading Loading @@ -338,7 +338,7 @@ public class RecoveryController { } catch (ServiceSpecificException e) { if (e.errorCode == ERROR_BAD_CERTIFICATE_FORMAT || e.errorCode == ERROR_INVALID_CERTIFICATE) { throw new CertificateException(e.getMessage()); throw new CertificateException("Invalid certificate for recovery service", e); } throw wrapUnexpectedServiceSpecificException(e); } Loading core/java/android/security/keystore/recovery/RecoverySession.java +3 −3 Original line number Diff line number Diff line Loading 
@@ -102,7 +102,7 @@ public class RecoverySession implements AutoCloseable { } catch (ServiceSpecificException e) { if (e.errorCode == RecoveryController.ERROR_BAD_CERTIFICATE_FORMAT || e.errorCode == RecoveryController.ERROR_INVALID_CERTIFICATE) { throw new CertificateException(e.getMessage()); throw new CertificateException("Invalid certificate for recovery session", e); } throw mRecoveryController.wrapUnexpectedServiceSpecificException(e); } Loading Loading @@ -137,7 +137,7 @@ public class RecoverySession implements AutoCloseable { } catch (ServiceSpecificException e) { if (e.errorCode == RecoveryController.ERROR_BAD_CERTIFICATE_FORMAT || e.errorCode == RecoveryController.ERROR_INVALID_CERTIFICATE) { throw new CertificateException(e.getMessage()); throw new CertificateException("Invalid certificate for recovery session", e); } throw mRecoveryController.wrapUnexpectedServiceSpecificException(e); } Loading Loading @@ -191,7 +191,7 @@ public class RecoverySession implements AutoCloseable { } catch (ServiceSpecificException e) { if (e.errorCode == RecoveryController.ERROR_BAD_CERTIFICATE_FORMAT || e.errorCode == RecoveryController.ERROR_INVALID_CERTIFICATE) { throw new CertificateException(e.getMessage()); throw new CertificateException("Invalid certificate for recovery session", e); } throw mRecoveryController.wrapUnexpectedServiceSpecificException(e); } Loading services/core/java/com/android/server/locksettings/recoverablekeystore/RecoverableKeyStoreManager.java +6 −12 Original line number Diff line number Diff line Loading 
@@ -227,8 +227,7 @@ public class RecoverableKeyStoreManager { certPath = certXml.getRandomEndpointCert(rootCert); } catch (CertValidationException e) { Log.e(TAG, "Invalid endpoint cert", e); throw new ServiceSpecificException( ERROR_INVALID_CERTIFICATE, "Failed to validate certificate."); throw new ServiceSpecificException(ERROR_INVALID_CERTIFICATE, e.getMessage()); } boolean wasInitialized = mDatabase.getRecoveryServiceCertPath(userId, uid, Loading @@ -249,8 +248,7 @@ public class RecoverableKeyStoreManager { } } catch (CertificateEncodingException e) { Log.e(TAG, "Failed to encode CertPath", e); throw new ServiceSpecificException( ERROR_BAD_CERTIFICATE_FORMAT, "Failed to encode CertPath."); throw new ServiceSpecificException(ERROR_BAD_CERTIFICATE_FORMAT, e.getMessage()); } } Loading Loading @@ -281,8 +279,7 @@ public class RecoverableKeyStoreManager { } catch (CertParsingException e) { Log.d(TAG, "Failed to parse the sig file: " + HexDump.toHexString( recoveryServiceSigFile)); throw new ServiceSpecificException( ERROR_BAD_CERTIFICATE_FORMAT, "Failed to parse the sig file."); throw new ServiceSpecificException(ERROR_BAD_CERTIFICATE_FORMAT, e.getMessage()); } X509Certificate rootCert = Loading @@ -293,8 +290,7 @@ public class RecoverableKeyStoreManager { Log.d(TAG, "The signature over the cert file is invalid." + " Cert: " + HexDump.toHexString(recoveryServiceCertFile) + " Sig: " + HexDump.toHexString(recoveryServiceSigFile)); throw new ServiceSpecificException( ERROR_INVALID_CERTIFICATE, "The signature over the cert file is invalid."); throw new ServiceSpecificException(ERROR_INVALID_CERTIFICATE, e.getMessage()); } initRecoveryService(rootCertificateAlias, recoveryServiceCertFile); Loading Loading 
@@ -471,8 +467,7 @@ public class RecoverableKeyStoreManager { try { publicKey = KeySyncUtils.deserializePublicKey(verifierPublicKey); } catch (InvalidKeySpecException e) { throw new ServiceSpecificException(ERROR_BAD_CERTIFICATE_FORMAT, "Not a valid X509 key"); throw new ServiceSpecificException(ERROR_BAD_CERTIFICATE_FORMAT, e.getMessage()); } // The raw public key bytes contained in vaultParams must match the ones given in // verifierPublicKey; otherwise, the user secret may be decrypted by a key that is not owned Loading Loading @@ -537,8 +532,7 @@ public class RecoverableKeyStoreManager { try { certPath = verifierCertPath.getCertPath(); } catch (CertificateException e) { throw new ServiceSpecificException(ERROR_BAD_CERTIFICATE_FORMAT, "Failed decode the certificate path"); throw new ServiceSpecificException(ERROR_BAD_CERTIFICATE_FORMAT, e.getMessage()); } try { Loading services/tests/servicestests/src/com/android/server/locksettings/recoverablekeystore/RecoverableKeyStoreManagerTest.java +5 −3 Original line number Diff line number Diff line Loading @@ -18,6 +18,8 @@ package com.android.server.locksettings.recoverablekeystore; import static android.security.keystore.recovery.KeyChainProtectionParams.TYPE_LOCKSCREEN; import static android.security.keystore.recovery.KeyChainProtectionParams.UI_FORMAT_PASSWORD; import static android.security.keystore.recovery.RecoveryController.ERROR_BAD_CERTIFICATE_FORMAT; import static android.security.keystore.recovery.RecoveryController.ERROR_INVALID_CERTIFICATE; import static com.google.common.truth.Truth.assertThat; import static org.junit.Assert.assertArrayEquals; Loading Loading @@ -386,7 +388,7 @@ public class RecoverableKeyStoreManagerTest { modifiedCertXml); fail("should have thrown"); } catch (ServiceSpecificException e) { assertThat(e.getMessage()).contains("validate cert"); assertThat(e.errorCode).isEqualTo(ERROR_INVALID_CERTIFICATE); } } Loading Loading 
@@ -518,7 +520,7 @@ public class RecoverableKeyStoreManagerTest { getUtf8Bytes("wrong-sig-file-format")); fail("should have thrown"); } catch (ServiceSpecificException e) { assertThat(e.getMessage()).contains("parse the sig file"); assertThat(e.errorCode).isEqualTo(ERROR_BAD_CERTIFICATE_FORMAT); } } Loading @@ -530,7 +532,7 @@ public class RecoverableKeyStoreManagerTest { INSECURE_CERTIFICATE_ALIAS, TestData.getCertXml(), TestData.getSigXml()); fail("should have thrown"); } catch (ServiceSpecificException e) { assertThat(e.getMessage()).contains("signature over the cert file is invalid"); assertThat(e.errorCode).isEqualTo(ERROR_INVALID_CERTIFICATE); } } Loading Loading
core/java/android/security/keystore/recovery/RecoveryController.java +3 −3 Original line number Diff line number Diff line Loading @@ -43,7 +43,7 @@ import java.util.Map; /** * Backs up cryptographic keys to remote secure hardware, encrypted with the user's lock screen. * * <p>A system app with the {@link android.Manifest#RECOVER_KEYSTORE} permission may generate or * <p>A system app with the {@code android.permission.RECOVER_KEYSTORE} permission may generate or * import recoverable keys using this class. To generate a key, the app must call * {@link #generateKey(String)} with the desired alias for the key. This returns an AndroidKeyStore * reference to a 256-bit {@link javax.crypto.SecretKey}, which can be used for AES/GCM/NoPadding. Loading Loading @@ -292,7 +292,7 @@ public class RecoveryController { } catch (ServiceSpecificException e) { if (e.errorCode == ERROR_BAD_CERTIFICATE_FORMAT || e.errorCode == ERROR_INVALID_CERTIFICATE) { throw new CertificateException(e.getMessage()); throw new CertificateException("Invalid certificate for recovery service", e); } throw wrapUnexpectedServiceSpecificException(e); } Loading Loading @@ -338,7 +338,7 @@ public class RecoveryController { } catch (ServiceSpecificException e) { if (e.errorCode == ERROR_BAD_CERTIFICATE_FORMAT || e.errorCode == ERROR_INVALID_CERTIFICATE) { throw new CertificateException(e.getMessage()); throw new CertificateException("Invalid certificate for recovery service", e); } throw wrapUnexpectedServiceSpecificException(e); } Loading
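Review bot: The new `throw new CertificateException("Invalid certificate for recovery service", e);` gives ERROR_BAD_CERTIFICATE_FORMAT and ERROR_INVALID_CERTIFICATE the same fixed message, so a caller can tell a malformed certificate from one that failed validation only by reading `errorCode` on the cause. That contract belongs in the Javadoc of the affected methods, for example `@throws CertificateException if the certificate is malformed or fails validation; the cause is the ServiceSpecificException carrying the error code`. The identical catch block appears twice in this file and three more times in RecoverySession.java, differing only in the last word of the message. A single helper next to wrapUnexpectedServiceSpecificException would keep the wording and the code-to-exception mapping in one place. The enclosing methods start and end outside the hunks, so their current @throws text is not visible here.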
core/java/android/security/keystore/recovery/RecoverySession.java +3 −3 Original line number Diff line number Diff line Loading @@ -102,7 +102,7 @@ public class RecoverySession implements AutoCloseable { } catch (ServiceSpecificException e) { if (e.errorCode == RecoveryController.ERROR_BAD_CERTIFICATE_FORMAT || e.errorCode == RecoveryController.ERROR_INVALID_CERTIFICATE) { throw new CertificateException(e.getMessage()); throw new CertificateException("Invalid certificate for recovery session", e); } throw mRecoveryController.wrapUnexpectedServiceSpecificException(e); } Loading Loading @@ -137,7 +137,7 @@ public class RecoverySession implements AutoCloseable { } catch (ServiceSpecificException e) { if (e.errorCode == RecoveryController.ERROR_BAD_CERTIFICATE_FORMAT || e.errorCode == RecoveryController.ERROR_INVALID_CERTIFICATE) { throw new CertificateException(e.getMessage()); throw new CertificateException("Invalid certificate for recovery session", e); } throw mRecoveryController.wrapUnexpectedServiceSpecificException(e); } Loading Loading @@ -191,7 +191,7 @@ public class RecoverySession implements AutoCloseable { } catch (ServiceSpecificException e) { if (e.errorCode == RecoveryController.ERROR_BAD_CERTIFICATE_FORMAT || e.errorCode == RecoveryController.ERROR_INVALID_CERTIFICATE) { throw new CertificateException(e.getMessage()); throw new CertificateException("Invalid certificate for recovery session", e); } throw mRecoveryController.wrapUnexpectedServiceSpecificException(e); } Loading
services/core/java/com/android/server/locksettings/recoverablekeystore/RecoverableKeyStoreManager.java +6 −12 Original line number Diff line number Diff line Loading @@ -227,8 +227,7 @@ public class RecoverableKeyStoreManager { certPath = certXml.getRandomEndpointCert(rootCert); } catch (CertValidationException e) { Log.e(TAG, "Invalid endpoint cert", e); throw new ServiceSpecificException( ERROR_INVALID_CERTIFICATE, "Failed to validate certificate."); throw new ServiceSpecificException(ERROR_INVALID_CERTIFICATE, e.getMessage()); } boolean wasInitialized = mDatabase.getRecoveryServiceCertPath(userId, uid, Loading @@ -249,8 +248,7 @@ public class RecoverableKeyStoreManager { } } catch (CertificateEncodingException e) { Log.e(TAG, "Failed to encode CertPath", e); throw new ServiceSpecificException( ERROR_BAD_CERTIFICATE_FORMAT, "Failed to encode CertPath."); throw new ServiceSpecificException(ERROR_BAD_CERTIFICATE_FORMAT, e.getMessage()); } } Loading Loading @@ -281,8 +279,7 @@ public class RecoverableKeyStoreManager { } catch (CertParsingException e) { Log.d(TAG, "Failed to parse the sig file: " + HexDump.toHexString( recoveryServiceSigFile)); throw new ServiceSpecificException( ERROR_BAD_CERTIFICATE_FORMAT, "Failed to parse the sig file."); throw new ServiceSpecificException(ERROR_BAD_CERTIFICATE_FORMAT, e.getMessage()); } X509Certificate rootCert = Loading @@ -293,8 +290,7 @@ public class RecoverableKeyStoreManager { Log.d(TAG, "The signature over the cert file is invalid." + " Cert: " + HexDump.toHexString(recoveryServiceCertFile) + " Sig: " + HexDump.toHexString(recoveryServiceSigFile)); throw new ServiceSpecificException( ERROR_INVALID_CERTIFICATE, "The signature over the cert file is invalid."); throw new ServiceSpecificException(ERROR_INVALID_CERTIFICATE, e.getMessage()); } initRecoveryService(rootCertificateAlias, recoveryServiceCertFile); Loading Loading 
@@ -471,8 +467,7 @@ public class RecoverableKeyStoreManager { try { publicKey = KeySyncUtils.deserializePublicKey(verifierPublicKey); } catch (InvalidKeySpecException e) { throw new ServiceSpecificException(ERROR_BAD_CERTIFICATE_FORMAT, "Not a valid X509 key"); throw new ServiceSpecificException(ERROR_BAD_CERTIFICATE_FORMAT, e.getMessage()); } // The raw public key bytes contained in vaultParams must match the ones given in // verifierPublicKey; otherwise, the user secret may be decrypted by a key that is not owned Loading Loading @@ -537,8 +532,7 @@ public class RecoverableKeyStoreManager { try { certPath = verifierCertPath.getCertPath(); } catch (CertificateException e) { throw new ServiceSpecificException(ERROR_BAD_CERTIFICATE_FORMAT, "Failed decode the certificate path"); throw new ServiceSpecificException(ERROR_BAD_CERTIFICATE_FORMAT, e.getMessage()); } try { Loading
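Review bot: The detail message of every ServiceSpecificException thrown in these catch blocks is now whatever `e.getMessage()` returns, which may be null when the underlying exception was built without a message and is no longer text this class controls. The catch blocks at -471 (InvalidKeySpecException) and -537 (CertificateException) have no log call, unlike the earlier ones, so with the fixed text gone a failure there could surface with only the error code. Adding a line such as `Log.e(TAG, "Failed to deserialize verifier public key", e);` and keeping a fixed prefix, e.g. `"Not a valid X509 key: " + e.getMessage()`, would keep these failures diagnosable. The message also travels with the exception to the caller, presumably across Binder, and the client classes in this commit attach it as the cause. It is therefore worth confirming that CertValidationException and CertParsingException messages never embed raw input bytes or other data the calling app should not read. The enclosing methods begin and end outside the hunks.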
services/tests/servicestests/src/com/android/server/locksettings/recoverablekeystore/RecoverableKeyStoreManagerTest.java +5 −3 Original line number Diff line number Diff line Loading @@ -18,6 +18,8 @@ package com.android.server.locksettings.recoverablekeystore; import static android.security.keystore.recovery.KeyChainProtectionParams.TYPE_LOCKSCREEN; import static android.security.keystore.recovery.KeyChainProtectionParams.UI_FORMAT_PASSWORD; import static android.security.keystore.recovery.RecoveryController.ERROR_BAD_CERTIFICATE_FORMAT; import static android.security.keystore.recovery.RecoveryController.ERROR_INVALID_CERTIFICATE; import static com.google.common.truth.Truth.assertThat; import static org.junit.Assert.assertArrayEquals; Loading Loading @@ -386,7 +388,7 @@ public class RecoverableKeyStoreManagerTest { modifiedCertXml); fail("should have thrown"); } catch (ServiceSpecificException e) { assertThat(e.getMessage()).contains("validate cert"); assertThat(e.errorCode).isEqualTo(ERROR_INVALID_CERTIFICATE); } } Loading Loading @@ -518,7 +520,7 @@ public class RecoverableKeyStoreManagerTest { getUtf8Bytes("wrong-sig-file-format")); fail("should have thrown"); } catch (ServiceSpecificException e) { assertThat(e.getMessage()).contains("parse the sig file"); assertThat(e.errorCode).isEqualTo(ERROR_BAD_CERTIFICATE_FORMAT); } } Loading @@ -530,7 +532,7 @@ public class RecoverableKeyStoreManagerTest { INSECURE_CERTIFICATE_ALIAS, TestData.getCertXml(), TestData.getSigXml()); fail("should have thrown"); } catch (ServiceSpecificException e) { assertThat(e.getMessage()).contains("signature over the cert file is invalid"); assertThat(e.errorCode).isEqualTo(ERROR_INVALID_CERTIFICATE); } } Loading