keystore/java/android/security/GateKeeper.java +2 −0 @@ -29,6 +29,8 @@ import android.service.gatekeeper.IGateKeeperService; */ public abstract class GateKeeper { public static final long INVALID_SECURE_USER_ID = 0; private GateKeeper() {} public static IGateKeeperService getService() {
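Review bot: `INVALID_SECURE_USER_ID` is added without a doc comment, yet the rest of this change relies on it as the "no specific secure user id requested" default, both at the key-generator call sites and as the initial value in `KeyProtection.Builder`. A short Javadoc on the constant would state that contract in one place, for example `/** Sentinel meaning "no secure user id"; callers treat 0 as unset. */`. Whether 0 can ever be a real secure user id is not visible on this page, so confirm that before wording it as a guarantee. The class body continues outside the hunk.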
keystore/java/android/security/keystore/AndroidKeyStoreKeyGeneratorSpi.java +5 −2 @@ -17,6 +17,7 @@ package android.security.keystore; import android.security.Credentials; import android.security.GateKeeper; import android.security.KeyStore; import android.security.keymaster.KeyCharacteristics; import android.security.keymaster.KeymasterArguments; @@ -235,7 +236,8 @@ public abstract class AndroidKeyStoreKeyGeneratorSpi extends KeyGeneratorSpi { spec.isUserAuthenticationRequired(), spec.getUserAuthenticationValidityDurationSeconds(), spec.isUserAuthenticationValidWhileOnBody(), spec.isInvalidatedByBiometricEnrollment()); spec.isInvalidatedByBiometricEnrollment(), GateKeeper.INVALID_SECURE_USER_ID /* boundToSpecificSecureUserId */); } catch (IllegalStateException | IllegalArgumentException e) { throw new InvalidAlgorithmParameterException(e); } @@ -275,7 +277,8 @@ public abstract class AndroidKeyStoreKeyGeneratorSpi extends KeyGeneratorSpi { spec.isUserAuthenticationRequired(), spec.getUserAuthenticationValidityDurationSeconds(), spec.isUserAuthenticationValidWhileOnBody(), spec.isInvalidatedByBiometricEnrollment()); spec.isInvalidatedByBiometricEnrollment(), GateKeeper.INVALID_SECURE_USER_ID /* boundToSpecificSecureUserId */); KeymasterUtils.addMinMacLengthAuthorizationIfNecessary( args, mKeymasterAlgorithm,
keystore/java/android/security/keystore/AndroidKeyStoreKeyPairGeneratorSpi.java +5 −2 @@ -18,6 +18,7 @@ package android.security.keystore; import android.annotation.Nullable; import android.security.Credentials; import android.security.GateKeeper; import android.security.KeyPairGeneratorSpec; import android.security.KeyStore; import android.security.keymaster.KeyCharacteristics; @@ -346,7 +347,8 @@ public abstract class AndroidKeyStoreKeyPairGeneratorSpi extends KeyPairGenerato mSpec.isUserAuthenticationRequired(), mSpec.getUserAuthenticationValidityDurationSeconds(), mSpec.isUserAuthenticationValidWhileOnBody(), mSpec.isInvalidatedByBiometricEnrollment()); mSpec.isInvalidatedByBiometricEnrollment(), GateKeeper.INVALID_SECURE_USER_ID /* boundToSpecificSecureUserId */); } catch (IllegalArgumentException | IllegalStateException e) { throw new InvalidAlgorithmParameterException(e); } @@ -533,7 +535,8 @@ public abstract class AndroidKeyStoreKeyPairGeneratorSpi extends KeyPairGenerato mSpec.isUserAuthenticationRequired(), mSpec.getUserAuthenticationValidityDurationSeconds(), mSpec.isUserAuthenticationValidWhileOnBody(), mSpec.isInvalidatedByBiometricEnrollment()); mSpec.isInvalidatedByBiometricEnrollment(), GateKeeper.INVALID_SECURE_USER_ID /* boundToSpecificSecureUserId */); args.addDateIfNotNull(KeymasterDefs.KM_TAG_ACTIVE_DATETIME, mSpec.getKeyValidityStart()); args.addDateIfNotNull(KeymasterDefs.KM_TAG_ORIGINATION_EXPIRE_DATETIME, mSpec.getKeyValidityForOriginationEnd());
keystore/java/android/security/keystore/AndroidKeyStoreSpi.java +4 −2 @@ -500,7 +500,8 @@ public class AndroidKeyStoreSpi extends KeyStoreSpi { spec.isUserAuthenticationRequired(), spec.getUserAuthenticationValidityDurationSeconds(), spec.isUserAuthenticationValidWhileOnBody(), spec.isInvalidatedByBiometricEnrollment()); spec.isInvalidatedByBiometricEnrollment(), spec.getBoundToSpecificSecureUserId()); importArgs.addDateIfNotNull(KeymasterDefs.KM_TAG_ACTIVE_DATETIME, spec.getKeyValidityStart()); importArgs.addDateIfNotNull(KeymasterDefs.KM_TAG_ORIGINATION_EXPIRE_DATETIME, @@ -696,7 +697,8 @@ public class AndroidKeyStoreSpi extends KeyStoreSpi { params.isUserAuthenticationRequired(), params.getUserAuthenticationValidityDurationSeconds(), params.isUserAuthenticationValidWhileOnBody(), params.isInvalidatedByBiometricEnrollment()); params.isInvalidatedByBiometricEnrollment(), params.getBoundToSpecificSecureUserId()); KeymasterUtils.addMinMacLengthAuthorizationIfNecessary( args, keymasterAlgorithm,
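Review bot: Both import paths (the hunks at new lines 500 and 697) now forward `getBoundToSpecificSecureUserId()` straight into the user-auth argument list with no check at this layer. The callee is not part of this page, so it is not visible what happens when the value is non-zero while `isUserAuthenticationRequired()` is false, or when it does not correspond to any enrolled credential; presumably the first case is ignored and the second produces a key that can never be authorized, but that should be confirmed and covered by a test. A one-line comment at each call site would make the override visible to the next reader, e.g. `// non-zero overrides the current user's SID; INVALID_SECURE_USER_ID keeps the default binding`. Both enclosing methods start and end outside the hunks.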
keystore/java/android/security/keystore/KeyProtection.java +46 −2 @@ -21,6 +21,7 @@ import android.annotation.NonNull; import android.annotation.Nullable; import android.app.KeyguardManager; import android.hardware.fingerprint.FingerprintManager; import android.security.GateKeeper; import java.security.Key; import java.security.Signature; @@ -225,6 +226,7 @@ public final class KeyProtection implements ProtectionParameter { private final int mUserAuthenticationValidityDurationSeconds; private final boolean mUserAuthenticationValidWhileOnBody; private final boolean mInvalidatedByBiometricEnrollment; private final long mBoundToSecureUserId; private KeyProtection( Date keyValidityStart, @@ -239,7 +241,8 @@ public final class KeyProtection implements ProtectionParameter { boolean userAuthenticationRequired, int userAuthenticationValidityDurationSeconds, boolean userAuthenticationValidWhileOnBody, boolean invalidatedByBiometricEnrollment) { boolean invalidatedByBiometricEnrollment, long boundToSecureUserId) { mKeyValidityStart = Utils.cloneIfNotNull(keyValidityStart); mKeyValidityForOriginationEnd = Utils.cloneIfNotNull(keyValidityForOriginationEnd); mKeyValidityForConsumptionEnd = Utils.cloneIfNotNull(keyValidityForConsumptionEnd); @@ -255,6 +258,7 @@ public final class KeyProtection implements ProtectionParameter { mUserAuthenticationValidityDurationSeconds = userAuthenticationValidityDurationSeconds; mUserAuthenticationValidWhileOnBody = userAuthenticationValidWhileOnBody; mInvalidatedByBiometricEnrollment = invalidatedByBiometricEnrollment; mBoundToSecureUserId = boundToSecureUserId; } /**
@@ -435,6 +439,24 @@ public final class KeyProtection implements ProtectionParameter { return mInvalidatedByBiometricEnrollment; } /** * Return the secure user id that this key should be bound to. * * Normally an authentication-bound key is tied to the secure user id of the current user * (either the root SID from GateKeeper for auth-bound keys with a timeout, or the authenticator * id of the current fingerprint set for keys requiring explicit fingerprint authorization). * If this parameter is set (this method returning non-zero value), the key should be tied to * the specified secure user id, overriding the logic above. * * This is only applicable when {@link #isUserAuthenticationRequired} is {@code true} * * @see KeymasterUtils#addUserAuthArgs * @hide */ public long getBoundToSpecificSecureUserId() { return mBoundToSecureUserId; } /** * Builder of {@link KeyProtection} instances. */ @@ -454,6 +476,7 @@ public final class KeyProtection implements ProtectionParameter { private boolean mUserAuthenticationValidWhileOnBody; private boolean mInvalidatedByBiometricEnrollment = true; private long mBoundToSecureUserId = GateKeeper.INVALID_SECURE_USER_ID; /** * Creates a new instance of the {@code Builder}. *
@@ -773,6 +796,26 @@ public final class KeyProtection implements ProtectionParameter { return this; } /** * Set the secure user id that this key should be bound to. * * Normally an authentication-bound key is tied to the secure user id of the current user * (either the root SID from GateKeeper for auth-bound keys with a timeout, or the * authenticator id of the current fingerprint set for keys requiring explicit fingerprint * authorization). If this parameter is set (this method returning non-zero value), the key * should be tied to the specified secure user id, overriding the logic above. * * This is only applicable when {@link #setUserAuthenticationRequired} is set to * {@code true} * * @see KeyProtection#getBoundToSpecificSecureUserId() * @hide */ public Builder setBoundToSpecificSecureUserId(long secureUserId) { mBoundToSecureUserId = secureUserId; return this; } /** * Builds an instance of {@link KeyProtection}. * @@ -793,7 +836,8 @@ public final class KeyProtection implements ProtectionParameter { mUserAuthenticationRequired, mUserAuthenticationValidityDurationSeconds, mUserAuthenticationValidWhileOnBody, mInvalidatedByBiometricEnrollment); mInvalidatedByBiometricEnrollment, mBoundToSecureUserId); } } }
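Review bot: The Javadoc on `Builder.setBoundToSpecificSecureUserId` was copied from the getter and still reads "this method returning non-zero value", which does not make sense for a setter; it should say something like `If a non-zero {@code secureUserId} is passed, the key is tied to that secure user id`. The same comment says the option only applies when user authentication is required, yet `build()` as shown accepts a non-zero id with `mUserAuthenticationRequired == false` without rejecting it, so a caller who forgets `setUserAuthenticationRequired(true)` may end up with a key that is not auth-bound at all (assuming the code that consumes the id ignores it in that case, which this page does not show). Consider failing fast in `build()` with `if (mBoundToSecureUserId != GateKeeper.INVALID_SECURE_USER_ID && !mUserAuthenticationRequired) throw new IllegalStateException("boundToSpecificSecureUserId requires user authentication");`. The field is named `mBoundToSecureUserId` while the accessors say `BoundToSpecificSecureUserId`; one spelling throughout would be easier to search for.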