
Commit a18b2db1 authored by Janis Danisevskis's avatar Janis Danisevskis Committed by Automerger Merge Worker

Merge changes I7c17ab51,I5bd4acb4,I93270f00 am: 18bbac10 am: 68acc834 am:...

Merge changes I7c17ab51,I5bd4acb4,I93270f00 am: 18bbac10 am: 68acc834 am: c04b6004 am: 9060b67f

Original change: https://android-review.googlesource.com/c/platform/frameworks/base/+/1470088

Change-Id: Iaca7385d86f44b1c1cb8625340c8e5a6033d10c7
parents 2ef6035f 9060b67f
+3 −0
@@ -218,6 +218,7 @@ public final class KeymasterDefs {
    public static final int KM_ERROR_MISSING_MIN_MAC_LENGTH = -58;
    public static final int KM_ERROR_UNSUPPORTED_MIN_MAC_LENGTH = -59;
    public static final int KM_ERROR_CANNOT_ATTEST_IDS = -66;
    public static final int KM_ERROR_HARDWARE_TYPE_UNAVAILABLE = -68;
    public static final int KM_ERROR_DEVICE_LOCKED = -72;
    public static final int KM_ERROR_UNIMPLEMENTED = -100;
    public static final int KM_ERROR_VERSION_MISMATCH = -101;
@@ -265,6 +266,8 @@ public final class KeymasterDefs {
        sErrorCodeToString.put(KM_ERROR_INVALID_MAC_LENGTH,
                "Invalid MAC or authentication tag length");
        sErrorCodeToString.put(KM_ERROR_CANNOT_ATTEST_IDS, "Unable to attest device ids");
        sErrorCodeToString.put(KM_ERROR_HARDWARE_TYPE_UNAVAILABLE, "Requested security level "
                        + "(likely Strongbox) is not available.");
        sErrorCodeToString.put(KM_ERROR_DEVICE_LOCKED, "Device locked");
        sErrorCodeToString.put(KM_ERROR_UNIMPLEMENTED, "Not implemented");
        sErrorCodeToString.put(KM_ERROR_UNKNOWN_ERROR, "Unknown error");
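Review bot: The message registered for KM_ERROR_HARDWARE_TYPE_UNAVAILABLE in the second hunk is worded differently from the other sErrorCodeToString entries: it ends with a period and embeds a guess ("likely Strongbox"), while its neighbours are short phrases without punctuation. These strings presumably end up in exception messages and logs that people match on, so a plain `"Requested security level is not available"` would be more consistent. If the hint is kept, the spelling used elsewhere in the platform is `StrongBox`. The static initializer that holds these put() calls starts and ends outside the hunk.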
+35 −7
@@ -49,18 +49,38 @@ public class Credentials {

    public static final String INSTALL_AS_USER_ACTION = "android.credentials.INSTALL_AS_USER";

    /** Key prefix for CA certificates. */
    /**
     * Key prefix for CA certificates.
     *
     * @deprecated Keystore no longer supports unstructured blobs. Public certificates are
     *             stored in typed slots associated with a given alias.
     */
    @Deprecated
    public static final String CA_CERTIFICATE = "CACERT_";

    /** Key prefix for user certificates. */
    /**
     * Key prefix for user certificates.
     *
     * @deprecated Keystore no longer supports unstructured blobs. Public certificates are
     *             stored in typed slots associated with a given alias.
     */
    @Deprecated
    public static final String USER_CERTIFICATE = "USRCERT_";

    /** Key prefix for user private and secret keys. */
    /**
     * Key prefix for user private and secret keys.
     *
     * @deprecated Keystore no longer uses alias prefixes to discriminate between entry types.
     */
    @Deprecated
    public static final String USER_PRIVATE_KEY = "USRPKEY_";

    /** Key prefix for user secret keys.
    /**
     * Key prefix for user secret keys.
     *
     * @deprecated use {@code USER_PRIVATE_KEY} for this category instead.
     */
    @Deprecated
    public static final String USER_SECRET_KEY = "USRSKEY_";

    /** Key prefix for VPN. */
@@ -72,7 +92,13 @@ public class Credentials {
    /** Key prefix for WIFI. */
    public static final String WIFI = "WIFI_";

    /** Key prefix for App Source certificates. */
    /**
     * Key prefix for App Source certificates.
     *
     * @deprecated This was intended for FS-verity but never used. FS-verity is not
     *             going to use this constant moving forward.
     */
    @Deprecated
    public static final String APP_SOURCE_CERTIFICATE = "FSV_";

    /** Key containing suffix of lockdown VPN profile. */
@@ -150,6 +176,7 @@ public class Credentials {
        pw.close();
        return bao.toByteArray();
    }

    /**
     * Convert objects from PEM format, which is used for
     * CA_CERTIFICATE and USER_CERTIFICATE entries.
@@ -167,7 +194,8 @@ public class Credentials {
            PemObject o;
            while ((o = pr.readPemObject()) != null) {
                if (o.getType().equals("CERTIFICATE")) {
                    Certificate c = cf.generateCertificate(new ByteArrayInputStream(o.getContent()));
                    Certificate c = cf.generateCertificate(
                            new ByteArrayInputStream(o.getContent()));
                    result.add((X509Certificate) c);
                } else {
                    throw new IllegalArgumentException("Unknown type " + o.getType());
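Review bot: The `@deprecated` text on USER_SECRET_KEY sends callers to `USER_PRIVATE_KEY`, which this same section marks `@Deprecated` too, so the advice leads from one deprecated constant to another. It would be clearer to give it the same reason as its sibling, `@deprecated Keystore no longer uses alias prefixes to discriminate between entry types.` In the later hunk the Javadoc of the PEM conversion method still describes its input as "CA_CERTIFICATE and USER_CERTIFICATE entries"; with both prefixes deprecated, that sentence should say what the method now accepts. That method's body continues outside the hunk.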
+16 −10
@@ -16,9 +16,9 @@

package android.security;

import android.app.KeyguardManager;
import android.annotation.NonNull;
import android.annotation.Nullable;
import android.app.KeyguardManager;
import android.content.Context;
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyProperties;
@@ -78,8 +78,6 @@ public final class KeyPairGeneratorSpec implements AlgorithmParameterSpec {

    private final Date mEndDate;

    private final int mFlags;

    /**
     * Parameter specification for the "{@code AndroidKeyPairGenerator}"
     * instance of the {@link java.security.KeyPairGenerator} API. The
@@ -144,7 +142,6 @@ public final class KeyPairGeneratorSpec implements AlgorithmParameterSpec {
        mSerialNumber = serialNumber;
        mStartDate = startDate;
        mEndDate = endDate;
        mFlags = flags;
    }

    /**
@@ -229,7 +226,7 @@ public final class KeyPairGeneratorSpec implements AlgorithmParameterSpec {
     * @hide
     */
    public int getFlags() {
        return mFlags;
        return 0;
    }

    /**
@@ -243,9 +240,15 @@ public final class KeyPairGeneratorSpec implements AlgorithmParameterSpec {
     * screen after boot.
     *
     * @see KeyguardManager#isDeviceSecure()
     *
     * @deprecated Encryption at rest is on by default. If extra binding to the lockscreen screen
     *             credential is desired use
     *             {@link KeyGenParameterSpec.Builder#setUserAuthenticationRequired(boolean)}.
     *             This flag will be ignored from Android S.
     */
    @Deprecated
    public boolean isEncryptionRequired() {
        return (mFlags & KeyStore.FLAG_ENCRYPTED) != 0;
        return false;
    }

    /**
@@ -292,8 +295,6 @@ public final class KeyPairGeneratorSpec implements AlgorithmParameterSpec {

        private Date mEndDate;

        private int mFlags;

        /**
         * Creates a new instance of the {@code Builder} with the given
         * {@code context}. The {@code context} passed in may be used to pop up
@@ -431,10 +432,15 @@ public final class KeyPairGeneratorSpec implements AlgorithmParameterSpec {
         * secure lock screen after boot.
         *
         * @see KeyguardManager#isDeviceSecure()
         *
         * @deprecated Data at rest encryption is enabled by default. If extra binding to the
         *             lockscreen credential is desired, use
         *             {@link KeyGenParameterSpec.Builder#setUserAuthenticationRequired(boolean)}.
         *             This flag will be ignored from Android S.
         */
        @NonNull
        @Deprecated
        public Builder setEncryptionRequired() {
            mFlags |= KeyStore.FLAG_ENCRYPTED;
            return this;
        }

@@ -455,7 +461,7 @@ public final class KeyPairGeneratorSpec implements AlgorithmParameterSpec {
                    mSerialNumber,
                    mStartDate,
                    mEndDate,
                    mFlags);
                    0);
        }
    }
}
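Review bot: On the new side `Builder#setEncryptionRequired()` does nothing and `isEncryptionRequired()` always returns `false`, but the `@deprecated` text only says the flag "will be ignored from Android S". The older Javadoc above it (only partly visible here) still describes a secure-lock-screen requirement, so a caller that relied on that requirement gets no signal that it is no longer enforced. I would state this outright in both tags, for example `@deprecated This method is a no-op and {@link #isEncryptionRequired()} always returns {@code false}.`, followed by the existing pointer to `setUserAuthenticationRequired(boolean)`. The getter's tag also has a typo, "lockscreen screen credential", and the two tags word the same fact differently ("Encryption at rest is on by default" against "Data at rest encryption is enabled by default"). The same silent no-op applies to the KeyStoreParameter section of this commit, and the constructor's `flags` argument appears to be unused once `mFlags` is gone.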
+16 −12
@@ -48,18 +48,16 @@ import java.security.KeyStore.ProtectionParameter;
 */
@Deprecated
public final class KeyStoreParameter implements ProtectionParameter {
    private final int mFlags;

    private KeyStoreParameter(
            int flags) {
        mFlags = flags;
    }

    /**
     * @hide
     */
    public int getFlags() {
        return mFlags;
        return 0;
    }

    /**
@@ -74,9 +72,16 @@ public final class KeyStoreParameter implements ProtectionParameter {
     * screen after boot.
     *
     * @see KeyguardManager#isDeviceSecure()
     *
     * @deprecated Data at rest encryption is enabled by default. If extra binding to the
     *             lockscreen credential is desired, use
     *             {@link android.security.keystore.KeyGenParameterSpec
     *             .Builder#setUserAuthenticationRequired(boolean)}.
     *             This flag will be ignored from Android S.
     */
    @Deprecated
    public boolean isEncryptionRequired() {
        return (mFlags & KeyStore.FLAG_ENCRYPTED) != 0;
        return false;
    }

    /**
@@ -100,7 +105,6 @@ public final class KeyStoreParameter implements ProtectionParameter {
     */
    @Deprecated
    public final static class Builder {
        private int mFlags;

        /**
         * Creates a new instance of the {@code Builder} with the given
@@ -126,14 +130,15 @@ public final class KeyStoreParameter implements ProtectionParameter {
         * the user unlocks the secure lock screen after boot.
         *
         * @see KeyguardManager#isDeviceSecure()
         *
         * @deprecated Data at rest encryption is enabled by default. If extra binding to the
         *             lockscreen credential is desired, use
         *             {@link android.security.keystore.KeyGenParameterSpec
         *             .Builder#setUserAuthenticationRequired(boolean)}.
         *             This flag will be ignored from Android S.
         */
        @NonNull
        public Builder setEncryptionRequired(boolean required) {
            if (required) {
                mFlags |= KeyStore.FLAG_ENCRYPTED;
            } else {
                mFlags &= ~KeyStore.FLAG_ENCRYPTED;
            }
            return this;
        }

@@ -145,8 +150,7 @@ public final class KeyStoreParameter implements ProtectionParameter {
         */
        @NonNull
        public KeyStoreParameter build() {
            return new KeyStoreParameter(
                    mFlags);
            return new KeyStoreParameter(0 /* flags */);
        }
    }
}
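Review bot: The `{@link ...}` in both new `@deprecated` blocks is broken across two lines between `KeyGenParameterSpec` and `.Builder#setUserAuthenticationRequired(boolean)`. Javadoc treats the first whitespace inside `{@link}` as the separator between the reference and its label, so this would most likely render as a link to KeyGenParameterSpec with the rest shown as label text. Keeping the reference on one line avoids that: `{@link android.security.keystore.KeyGenParameterSpec.Builder#setUserAuthenticationRequired(boolean)}`. In the lines shown, `Builder#setEncryptionRequired(boolean)` also gains the `@deprecated` tag without a matching `@Deprecated` annotation, unlike `isEncryptionRequired()`, and its `required` parameter is now unused.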