
Commit 96481c3d authored by Alex Klyubin's avatar Alex Klyubin

Remove "encrypt at rest" flag from new AndroidKeyStore API.

This flag causes issues such as being unable to generate, import, or
use keys when the user/profile secure lock screen credential hasn't
yet been entered after boot.

Bug: 18088752
Change-Id: I992f6dfdc945bcb83e341356a40dfa7d7bc143d8
parent 99dc8996
+0 −4
@@ -28421,7 +28421,6 @@ package android.security.keystore {
    method public java.lang.String[] getSignaturePaddings();
    method public int getUserAuthenticationValidityDurationSeconds();
    method public boolean isDigestsSpecified();
    method public boolean isEncryptionAtRestRequired();
    method public boolean isRandomizedEncryptionRequired();
    method public boolean isUserAuthenticationRequired();
  }
@@ -28436,7 +28435,6 @@ package android.security.keystore {
    method public android.security.keystore.KeyGenParameterSpec.Builder setCertificateSerialNumber(java.math.BigInteger);
    method public android.security.keystore.KeyGenParameterSpec.Builder setCertificateSubject(javax.security.auth.x500.X500Principal);
    method public android.security.keystore.KeyGenParameterSpec.Builder setDigests(java.lang.String...);
    method public android.security.keystore.KeyGenParameterSpec.Builder setEncryptionAtRestRequired(boolean);
    method public android.security.keystore.KeyGenParameterSpec.Builder setEncryptionPaddings(java.lang.String...);
    method public android.security.keystore.KeyGenParameterSpec.Builder setKeySize(int);
    method public android.security.keystore.KeyGenParameterSpec.Builder setKeyValidityEnd(java.util.Date);
@@ -28525,7 +28523,6 @@ package android.security.keystore {
    method public java.lang.String[] getSignaturePaddings();
    method public int getUserAuthenticationValidityDurationSeconds();
    method public boolean isDigestsSpecified();
    method public boolean isEncryptionAtRestRequired();
    method public boolean isRandomizedEncryptionRequired();
    method public boolean isUserAuthenticationRequired();
  }
@@ -28535,7 +28532,6 @@ package android.security.keystore {
    method public android.security.keystore.KeyProtection build();
    method public android.security.keystore.KeyProtection.Builder setBlockModes(java.lang.String...);
    method public android.security.keystore.KeyProtection.Builder setDigests(java.lang.String...);
    method public android.security.keystore.KeyProtection.Builder setEncryptionAtRestRequired(boolean);
    method public android.security.keystore.KeyProtection.Builder setEncryptionPaddings(java.lang.String...);
    method public android.security.keystore.KeyProtection.Builder setKeyValidityEnd(java.util.Date);
    method public android.security.keystore.KeyProtection.Builder setKeyValidityForConsumptionEnd(java.util.Date);
+0 −4
@@ -30449,7 +30449,6 @@ package android.security.keystore {
    method public java.lang.String[] getSignaturePaddings();
    method public int getUserAuthenticationValidityDurationSeconds();
    method public boolean isDigestsSpecified();
    method public boolean isEncryptionAtRestRequired();
    method public boolean isRandomizedEncryptionRequired();
    method public boolean isUserAuthenticationRequired();
  }
@@ -30464,7 +30463,6 @@ package android.security.keystore {
    method public android.security.keystore.KeyGenParameterSpec.Builder setCertificateSerialNumber(java.math.BigInteger);
    method public android.security.keystore.KeyGenParameterSpec.Builder setCertificateSubject(javax.security.auth.x500.X500Principal);
    method public android.security.keystore.KeyGenParameterSpec.Builder setDigests(java.lang.String...);
    method public android.security.keystore.KeyGenParameterSpec.Builder setEncryptionAtRestRequired(boolean);
    method public android.security.keystore.KeyGenParameterSpec.Builder setEncryptionPaddings(java.lang.String...);
    method public android.security.keystore.KeyGenParameterSpec.Builder setKeySize(int);
    method public android.security.keystore.KeyGenParameterSpec.Builder setKeyValidityEnd(java.util.Date);
@@ -30553,7 +30551,6 @@ package android.security.keystore {
    method public java.lang.String[] getSignaturePaddings();
    method public int getUserAuthenticationValidityDurationSeconds();
    method public boolean isDigestsSpecified();
    method public boolean isEncryptionAtRestRequired();
    method public boolean isRandomizedEncryptionRequired();
    method public boolean isUserAuthenticationRequired();
  }
@@ -30563,7 +30560,6 @@ package android.security.keystore {
    method public android.security.keystore.KeyProtection build();
    method public android.security.keystore.KeyProtection.Builder setBlockModes(java.lang.String...);
    method public android.security.keystore.KeyProtection.Builder setDigests(java.lang.String...);
    method public android.security.keystore.KeyProtection.Builder setEncryptionAtRestRequired(boolean);
    method public android.security.keystore.KeyProtection.Builder setEncryptionPaddings(java.lang.String...);
    method public android.security.keystore.KeyProtection.Builder setKeyValidityEnd(java.util.Date);
    method public android.security.keystore.KeyProtection.Builder setKeyValidityForConsumptionEnd(java.util.Date);
+5 −2
@@ -89,6 +89,7 @@ public abstract class AndroidKeyPairGeneratorSpi extends KeyPairGeneratorSpi {
    private KeyStore mKeyStore;

    private KeyGenParameterSpec mSpec;
    private boolean mEncryptionAtRestRequired;
    private @KeyProperties.KeyAlgorithmEnum String mKeyAlgorithm;
    private int mKeyType;
    private int mKeySize;
@@ -123,7 +124,7 @@ public abstract class AndroidKeyPairGeneratorSpi extends KeyPairGeneratorSpi {

        }

        final int flags = mSpec.getFlags();
        final int flags = (mEncryptionAtRestRequired) ? KeyStore.FLAG_ENCRYPTED : 0;
        if (((flags & KeyStore.FLAG_ENCRYPTED) != 0)
                && (mKeyStore.state() != KeyStore.State.UNLOCKED)) {
            throw new IllegalStateException(
@@ -296,6 +297,7 @@ public abstract class AndroidKeyPairGeneratorSpi extends KeyPairGeneratorSpi {

        String keyAlgorithm;
        KeyGenParameterSpec spec;
        boolean encryptionAtRestRequired = false;
        if (params instanceof KeyPairGeneratorSpec) {
            KeyPairGeneratorSpec legacySpec = (KeyPairGeneratorSpec) params;
            try {
@@ -353,7 +355,7 @@ public abstract class AndroidKeyPairGeneratorSpi extends KeyPairGeneratorSpi {
                specBuilder.setCertificateSerialNumber(legacySpec.getSerialNumber());
                specBuilder.setCertificateNotBefore(legacySpec.getStartDate());
                specBuilder.setCertificateNotAfter(legacySpec.getEndDate());
                specBuilder.setEncryptionAtRestRequired(legacySpec.isEncryptionRequired());
                encryptionAtRestRequired = legacySpec.isEncryptionRequired();
                specBuilder.setUserAuthenticationRequired(false);

                spec = specBuilder.build();
@@ -390,6 +392,7 @@ public abstract class AndroidKeyPairGeneratorSpi extends KeyPairGeneratorSpi {
        mKeyType = keyType;
        mKeySize = keySize;
        mSpec = spec;
        mEncryptionAtRestRequired = encryptionAtRestRequired;
        mKeyStore = KeyStore.getInstance();
    }
}
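Review bot: The new `mEncryptionAtRestRequired` field and the `encryptionAtRestRequired` local carry no comment saying that only the legacy `KeyPairGeneratorSpec` branch can set them, so a reader cannot tell that a request made with `KeyGenParameterSpec` always ends up with `flags == 0` and never hits the locked-keystore `IllegalStateException`. I would add above the field `// Set only for legacy KeyPairGeneratorSpec: key must be encrypted at rest with the secure lock screen credential.` The field is assigned only at the end of the initialization method, after everything else has succeeded; if the class has a reset path for a failed or repeated initialization (not visible in these hunks), it should also clear the field with `mEncryptionAtRestRequired = false;` so a stale `true` cannot carry over. Both method bodies start outside the hunks shown.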
+1 −8
@@ -264,13 +264,6 @@ public abstract class AndroidKeyStoreKeyGeneratorSpi extends KeyGeneratorSpi {
            throw new IllegalStateException("Not initialized");
        }

        if ((spec.isEncryptionAtRestRequired())
                && (mKeyStore.state() != KeyStore.State.UNLOCKED)) {
            throw new IllegalStateException(
                    "Requested to import a key which must be encrypted at rest using secure lock"
                    + " screen credential, but the credential hasn't yet been entered by the user");
        }

        KeymasterArguments args = new KeymasterArguments();
        args.addInt(KeymasterDefs.KM_TAG_KEY_SIZE, mKeySizeBits);
        args.addInt(KeymasterDefs.KM_TAG_ALGORITHM, mKeymasterAlgorithm);
@@ -300,7 +293,7 @@ public abstract class AndroidKeyStoreKeyGeneratorSpi extends KeyGeneratorSpi {
        byte[] additionalEntropy =
                KeyStoreCryptoOperationUtils.getRandomBytesToMixIntoKeystoreRng(
                        mRng, (mKeySizeBits + 7) / 8);
        int flags = spec.getFlags();
        int flags = 0;
        String keyAliasInKeystore = Credentials.USER_SECRET_KEY + spec.getKeystoreAlias();
        KeyCharacteristics resultingKeyCharacteristics = new KeyCharacteristics();
        int errorCode = mKeyStore.generateKey(
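Review bot: `int flags = 0;` is now a constant handed to `mKeyStore.generateKey(`, and nothing at that line records that leaving out `FLAG_ENCRYPTED` is deliberate rather than an oversight. Since this decides whether the generated secret key is additionally bound to the lock screen credential, I would make it `final int flags = 0; // deliberately no FLAG_ENCRYPTED: key must be usable before the lock screen credential is entered after boot`. The same applies to the bare `0, // flags` argument in the last `AndroidKeyStoreSpi` hunk. The enclosing method starts and ends outside the hunk.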
+5 −4
@@ -274,6 +274,7 @@ public class AndroidKeyStoreSpi extends KeyStoreSpi {

    private void setPrivateKeyEntry(String alias, PrivateKey key, Certificate[] chain,
            java.security.KeyStore.ProtectionParameter param) throws KeyStoreException {
        int flags = 0;
        KeyProtection spec;
        if (param instanceof KeyStoreParameter) {
            KeyStoreParameter legacySpec = (KeyStoreParameter) param;
@@ -319,7 +320,9 @@ public class AndroidKeyStoreSpi extends KeyStoreSpi {
                } else {
                    throw new KeyStoreException("Unsupported key algorithm: " + keyAlgorithm);
                }
                specBuilder.setEncryptionAtRestRequired(legacySpec.isEncryptionRequired());
                if (legacySpec.isEncryptionRequired()) {
                    flags = android.security.KeyStore.FLAG_ENCRYPTED;
                }
                specBuilder.setUserAuthenticationRequired(false);

                spec = specBuilder.build();
@@ -449,8 +452,6 @@ public class AndroidKeyStoreSpi extends KeyStoreSpi {
            Credentials.deleteSecretKeyTypeForAlias(mKeyStore, alias);
        }

        final int flags = (spec == null) ? 0 : spec.getFlags();

        if (shouldReplacePrivateKey
                && !mKeyStore.importKey(Credentials.USER_PRIVATE_KEY + alias, keyBytes,
                        android.security.KeyStore.UID_SELF, flags)) {
@@ -636,7 +637,7 @@ public class AndroidKeyStoreSpi extends KeyStoreSpi {
                args,
                KeymasterDefs.KM_KEY_FORMAT_RAW,
                keyMaterial,
                params.getFlags(),
                0, // flags
                new KeyCharacteristics());
        if (errorCode != android.security.KeyStore.NO_ERROR) {
            throw new KeyStoreException("Failed to import secret key. Keystore error code: "
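Review bot: In `setPrivateKeyEntry`, `flags` is now a mutable local declared at the top of the method and only consumed in the `mKeyStore.importKey(...)` call about 180 lines further down, with its single assignment inside the legacy `KeyStoreParameter` branch. A comment at the declaration would keep that link visible: `int flags = 0; // FLAG_ENCRYPTED only when a legacy KeyStoreParameter requests encryption`. The removed `(spec == null) ? 0 : ...` guard suggests there is a path where no spec is built; `flags` stays 0 there as before, which looks intended but should be confirmed because most of the method body is outside these hunks.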