
Commit cabdc5ea authored by Michael Groover's avatar Michael Groover

Add APIs to support granting access to Android Keystore keys

To this point, there has been no way for an app to grant access
to keys it owns in the Android Keystore to other apps on the
device. This commit adds a new KeyStoreManager class that
interfaces with the KeyStoreService to support granting and
revoking access to keys as well as for a grantee app to access
a key in the grant domain through the key's ID.

Bug: 351158708
Test: atest KeyStoreManagerTest
Change-Id: Id2d785228fa852b21324d2792e3f34c27756034d
parent a401c5dd
+9 −0
@@ -10740,6 +10740,7 @@ package android.content {
    field public static final String IPSEC_SERVICE = "ipsec";
    field public static final String JOB_SCHEDULER_SERVICE = "jobscheduler";
    field public static final String KEYGUARD_SERVICE = "keyguard";
    field @FlaggedApi("android.security.keystore_grant_api") public static final String KEYSTORE_SERVICE = "keystore";
    field public static final String LAUNCHER_APPS_SERVICE = "launcherapps";
    field @UiContext public static final String LAYOUT_INFLATER_SERVICE = "layout_inflater";
    field public static final String LOCALE_SERVICE = "locale";
@@ -39945,6 +39946,14 @@ package android.security.keystore {
    method @NonNull public android.security.keystore.KeyProtection.Builder setUserPresenceRequired(boolean);
  }
  @FlaggedApi("android.security.keystore_grant_api") public class KeyStoreManager {
    method @NonNull public java.util.List<java.security.cert.X509Certificate> getGrantedCertificateChainFromId(long) throws android.security.keystore.KeyPermanentlyInvalidatedException, java.security.UnrecoverableKeyException;
    method @NonNull public java.security.Key getGrantedKeyFromId(long) throws android.security.keystore.KeyPermanentlyInvalidatedException, java.security.UnrecoverableKeyException;
    method @NonNull public java.security.KeyPair getGrantedKeyPairFromId(long) throws android.security.keystore.KeyPermanentlyInvalidatedException, java.security.UnrecoverableKeyException;
    method public long grantKeyAccess(@NonNull String, int) throws android.security.KeyStoreException, java.security.UnrecoverableKeyException;
    method public void revokeKeyAccess(@NonNull String, int) throws android.security.KeyStoreException, java.security.UnrecoverableKeyException;
  }
  public class SecureKeyImportUnavailableException extends java.security.ProviderException {
    ctor public SecureKeyImportUnavailableException();
    ctor public SecureKeyImportUnavailableException(String);
+12 −0
@@ -227,6 +227,7 @@ import android.security.FileIntegrityManager;
import android.security.IFileIntegrityService;
import android.security.attestationverification.AttestationVerificationManager;
import android.security.attestationverification.IAttestationVerificationManagerService;
import android.security.keystore.KeyStoreManager;
import android.service.oemlock.IOemLockService;
import android.service.oemlock.OemLockManager;
import android.service.persistentdata.IPersistentDataBlockService;
@@ -1668,6 +1669,17 @@ public final class SystemServiceRegistry {
                    }
                });

        registerService(Context.KEYSTORE_SERVICE, KeyStoreManager.class,
                new StaticServiceFetcher<KeyStoreManager>() {
                    @Override
                    public KeyStoreManager createService()
                            throws ServiceNotFoundException {
                        if (!android.security.Flags.keystoreGrantApi()) {
                            throw new ServiceNotFoundException("KeyStoreManager is not supported");
                        }
                        return KeyStoreManager.getInstance();
                    }});

        registerService(Context.CONTACT_KEYS_SERVICE, E2eeContactKeysManager.class,
                new CachedServiceFetcher<E2eeContactKeysManager>() {
                    @Override
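Review bot: The string passed to `ServiceNotFoundException` in the new `createService()` reads like a free-form message, but if this is `ServiceManager.ServiceNotFoundException` its constructor takes the service name and builds the message around it, so the resulting log line would be garbled and would not name the service. I would pass the constant and put the reason in a comment: `throw new ServiceNotFoundException(Context.KEYSTORE_SERVICE); // keystore_grant_api is disabled`. A short comment on why `StaticServiceFetcher` is appropriate would also help: `KeyStoreManager.getInstance()` is obtained without a `Context` and shared process-wide, so grant and revoke calls presumably rely on the keystore service identifying the caller itself, which is worth confirming and writing down. The static initializer that contains this `registerService` call starts and ends outside the hunk.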
+12 −0
@@ -4751,6 +4751,18 @@ public abstract class Context {
     */
    public static final String SENSOR_PRIVACY_SERVICE = "sensor_privacy";

    /**
     * Use with {@link #getSystemService(String)} to retrieve a {@link
     * android.security.keystore.KeyStoreManager} for accessing
     * <a href="/privacy-and-security/keystore">Android Keystore</a>
     * functions.
     *
     * @see #getSystemService(String)
     * @see android.security.keystore.KeyStoreManager
     */
    @FlaggedApi(android.security.Flags.FLAG_KEYSTORE_GRANT_API)
    public static final String KEYSTORE_SERVICE = "keystore";

    /**
     * Use with {@link #getSystemService(String)} to retrieve a {@link
     * android.os.storage.StorageManager} for accessing system storage
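Review bot: The Javadoc added for `KEYSTORE_SERVICE` describes the manager as being for "accessing Android Keystore functions", which is broader than the API surface listed on this page (granting and revoking access to a key, and fetching a granted key, key pair or certificate chain by ID), so a reader could take it for the general entry point to Keystore. I would narrow the sentence to something like `for granting other apps access to Android Keystore keys and for retrieving keys that were granted to the caller`. Because the constant is gated by `keystore_grant_api`, the comment should also say what `getSystemService` yields when the flag is off; that is presumably null, but it depends on fetcher code not shown here, so callers need to be told to check. The `Context` class body starts and ends outside this hunk.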
+7 −0
@@ -113,3 +113,10 @@ flag {
    description: "AFL feature"
    bug: "365994454"
}

flag {
    name: "keystore_grant_api"
    namespace: "hardware_backed_security"
    description: "Feature flag for exposing KeyStore grant APIs"
    bug: "351158708"
}
+1 −0
per-file *.java,*.aidl = eranm@google.com,pgrafov@google.com,rubinxu@google.com
per-file KeyStoreManager.java = mpgroover@google.com