Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit baa651cb authored by Eric Biggers's avatar Eric Biggers
Browse files

Add isUnlockedDeviceRequired() method to KeyInfo 

Bug: 296475382
Test: atest CtsKeystoreTestCases:KeyInfoTest
Change-Id: I30cc00ec39dc1552eb2b7c12b0fab41e844c952e
parent d648615e

core/api/current.txt

+1 −0
Original line number Diff line number Diff line
@@ -39247,6 +39247,7 @@ package android.security.keystore { 
    method @Deprecated public boolean isInsideSecureHardware();

    method public boolean isInvalidatedByBiometricEnrollment();

    method public boolean isTrustedUserPresenceRequired();

    method @FlaggedApi("android.security.keyinfo_unlocked_device_required") public boolean isUnlockedDeviceRequired();

    method public boolean isUserAuthenticationRequired();

    method public boolean isUserAuthenticationRequirementEnforcedBySecureHardware();

    method public boolean isUserAuthenticationValidWhileOnBody();

core/java/android/security/flags.aconfig

+7 −0
Original line number Diff line number Diff line
@@ -30,6 +30,13 @@ flag { 
    is_fixed_read_only: true

}



flag {

    name: "keyinfo_unlocked_device_required"

    namespace: "hardware_backed_security"

    description: "Add the API android.security.keystore.KeyInfo#isUnlockedDeviceRequired()"

    bug: "296475382"

}



flag {

    name: "deprecate_fsv_sig"

    namespace: "hardware_backed_security"

keystore/java/android/security/keystore/KeyInfo.java

+18 −0
Original line number Diff line number Diff line
@@ -16,6 +16,7 @@ 


package android.security.keystore;



import android.annotation.FlaggedApi;

import android.annotation.NonNull;

import android.annotation.Nullable;
@@ -81,6 +82,7 @@ public class KeyInfo implements KeySpec { 
    private final @KeyProperties.AuthEnum int mUserAuthenticationType;

    private final boolean mUserAuthenticationRequirementEnforcedBySecureHardware;

    private final boolean mUserAuthenticationValidWhileOnBody;

    private final boolean mUnlockedDeviceRequired;

    private final boolean mTrustedUserPresenceRequired;

    private final boolean mInvalidatedByBiometricEnrollment;

    private final boolean mUserConfirmationRequired;
@@ -107,6 +109,7 @@ public class KeyInfo implements KeySpec { 
            @KeyProperties.AuthEnum int userAuthenticationType,

            boolean userAuthenticationRequirementEnforcedBySecureHardware,

            boolean userAuthenticationValidWhileOnBody,

            boolean unlockedDeviceRequired,

            boolean trustedUserPresenceRequired,

            boolean invalidatedByBiometricEnrollment,

            boolean userConfirmationRequired,
@@ -132,6 +135,7 @@ public class KeyInfo implements KeySpec { 
        mUserAuthenticationRequirementEnforcedBySecureHardware =

                userAuthenticationRequirementEnforcedBySecureHardware;

        mUserAuthenticationValidWhileOnBody = userAuthenticationValidWhileOnBody;

        mUnlockedDeviceRequired = unlockedDeviceRequired;

        mTrustedUserPresenceRequired = trustedUserPresenceRequired;

        mInvalidatedByBiometricEnrollment = invalidatedByBiometricEnrollment;

        mUserConfirmationRequired = userConfirmationRequired;
@@ -274,6 +278,20 @@ public class KeyInfo implements KeySpec { 
        return mUserAuthenticationRequired;

    }



    /**

     * Returns {@code true} if the key is authorized to be used only when the device is unlocked.

     *

     * <p>This authorization applies only to secret key and private key operations. Public key

     * operations are not restricted.

     *

     * @see KeyGenParameterSpec.Builder#setUnlockedDeviceRequired(boolean)

     * @see KeyProtection.Builder#setUnlockedDeviceRequired(boolean)

     */

    @FlaggedApi(android.security.Flags.FLAG_KEYINFO_UNLOCKED_DEVICE_REQUIRED)

    public boolean isUnlockedDeviceRequired() {

        return mUnlockedDeviceRequired;

    }



    /**

     * Returns {@code true} if the key is authorized to be used only for messages confirmed by the

     * user.

keystore/java/android/security/keystore2/AndroidKeyStoreSecretKeyFactorySpi.java

+5 −0
Original line number Diff line number Diff line
@@ -93,6 +93,7 @@ public class AndroidKeyStoreSecretKeyFactorySpi extends SecretKeyFactorySpi { 
        long userAuthenticationValidityDurationSeconds = 0;

        boolean userAuthenticationRequired = true;

        boolean userAuthenticationValidWhileOnBody = false;

        boolean unlockedDeviceRequired = false;

        boolean trustedUserPresenceRequired = false;

        boolean trustedUserConfirmationRequired = false;

        int remainingUsageCount = KeyProperties.UNRESTRICTED_USAGE_COUNT;
@@ -184,6 +185,9 @@ public class AndroidKeyStoreSecretKeyFactorySpi extends SecretKeyFactorySpi { 
                                    + userAuthenticationValidityDurationSeconds + " seconds");

                        }

                        break;

                    case KeymasterDefs.KM_TAG_UNLOCKED_DEVICE_REQUIRED:

                        unlockedDeviceRequired = true;

                        break;

                    case KeymasterDefs.KM_TAG_ALLOW_WHILE_ON_BODY:

                        userAuthenticationValidWhileOnBody =

                                KeyStore2ParameterUtils.isSecureHardware(a.securityLevel);
@@ -257,6 +261,7 @@ public class AndroidKeyStoreSecretKeyFactorySpi extends SecretKeyFactorySpi { 
                        : keymasterSwEnforcedUserAuthenticators,

                userAuthenticationRequirementEnforcedBySecureHardware,

                userAuthenticationValidWhileOnBody,

                unlockedDeviceRequired,

                trustedUserPresenceRequired,

                invalidatedByBiometricEnrollment,

                trustedUserConfirmationRequired,