Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit d2c944bc authored by Janis Danisevskis's avatar Janis Danisevskis
Browse files

Keystore SPI: Add SecurityLevelEnum to KeyProperties 

This patch adds the SecurityLevelEnum to KeyProperties. This enum can be
used by the public API surface to express levels of enforcements of key
properties. And to select a designated residence for a newly generated
or imported key.

The values UNKNOWN and UNKNOWN_SECURE are used to convey to older target
APIs API levels that have not been defined when they where published.

Test: None
Change-Id: I88681f21b8a8ea9a383d32ba99f3ab7d7c8909c3
parent 2c0bf15a

api/current.txt

+5 −0
Original line number Diff line number Diff line
@@ -42868,6 +42868,11 @@ package android.security.keystore { 
    field public static final int PURPOSE_SIGN = 4; // 0x4

    field public static final int PURPOSE_VERIFY = 8; // 0x8

    field public static final int PURPOSE_WRAP_KEY = 32; // 0x20

    field public static final int SECURITY_LEVEL_SOFTWARE = 0; // 0x0

    field public static final int SECURITY_LEVEL_STRONGBOX = 2; // 0x2

    field public static final int SECURITY_LEVEL_TRUSTED_ENVIRONMENT = 1; // 0x1

    field public static final int SECURITY_LEVEL_UNKNOWN = -2; // 0xfffffffe

    field public static final int SECURITY_LEVEL_UNKNOWN_SECURE = -1; // 0xffffffff

    field public static final String SIGNATURE_PADDING_RSA_PKCS1 = "PKCS1";

    field public static final String SIGNATURE_PADDING_RSA_PSS = "PSS";

  }

core/api/current.txt

+5 −0
Original line number Diff line number Diff line
@@ -41036,6 +41036,11 @@ package android.security.keystore { 
    field public static final int PURPOSE_SIGN = 4; // 0x4

    field public static final int PURPOSE_VERIFY = 8; // 0x8

    field public static final int PURPOSE_WRAP_KEY = 32; // 0x20

    field public static final int SECURITY_LEVEL_SOFTWARE = 0; // 0x0

    field public static final int SECURITY_LEVEL_STRONGBOX = 2; // 0x2

    field public static final int SECURITY_LEVEL_TRUSTED_ENVIRONMENT = 1; // 0x1

    field public static final int SECURITY_LEVEL_UNKNOWN = -2; // 0xfffffffe

    field public static final int SECURITY_LEVEL_UNKNOWN_SECURE = -1; // 0xffffffff

    field public static final String SIGNATURE_PADDING_RSA_PKCS1 = "PKCS1";

    field public static final String SIGNATURE_PADDING_RSA_PSS = "PSS";

  }

core/java/android/security/keymaster/KeymasterDefs.java

+5 −0
Original line number Diff line number Diff line
@@ -157,6 +157,11 @@ public final class KeymasterDefs { 
    public static final int HW_AUTH_PASSWORD = 1 << 0;

    public static final int HW_AUTH_BIOMETRIC = 1 << 1;



    // Security Levels.

    public static final int KM_SECURITY_LEVEL_SOFTWARE = 0;

    public static final int KM_SECURITY_LEVEL_TRUSTED_ENVIRONMENT = 1;

    public static final int KM_SECURITY_LEVEL_STRONGBOX = 2;



    // Error codes.

    public static final int KM_ERROR_OK = 0;

    public static final int KM_ERROR_ROOT_OF_TRUST_ALREADY_SET = -1;

keystore/java/android/security/keystore/KeyProperties.java

+80 −0
Original line number Diff line number Diff line
@@ -771,4 +771,84 @@ public abstract class KeyProperties { 
        }

        return result;

    }



    /**

     * @hide

     */

    @Retention(RetentionPolicy.SOURCE)

    @IntDef(prefix = { "SECURITY_LEVEL_" }, value = {

            SECURITY_LEVEL_UNKNOWN,

            SECURITY_LEVEL_UNKNOWN_SECURE,

            SECURITY_LEVEL_SOFTWARE,

            SECURITY_LEVEL_TRUSTED_ENVIRONMENT,

            SECURITY_LEVEL_STRONGBOX,

    })

    public @interface SecurityLevelEnum {}



    /**

     * This security level indicates that no assumptions can be made about the security level of the

     * respective key.

     */

    public static final int SECURITY_LEVEL_UNKNOWN = -2;

    /**

     * This security level indicates that due to the target API level of the caller no exact

     * statement can be made about the security level of the key, however, the security level

     * can be considered is at least equivalent to {@link #SECURITY_LEVEL_TRUSTED_ENVIRONMENT}.

     */

    public static final int SECURITY_LEVEL_UNKNOWN_SECURE = -1;



    /** Indicates enforcement by system software. */

    public static final int SECURITY_LEVEL_SOFTWARE = 0;



    /** Indicates enforcement by a trusted execution environment. */

    public static final int SECURITY_LEVEL_TRUSTED_ENVIRONMENT = 1;



    /**

     * Indicates enforcement by environment meeting the Strongbox security profile,

     * such as a secure element.

     */

    public static final int SECURITY_LEVEL_STRONGBOX = 2;



    /**

     * @hide

     */

    public abstract static class SecurityLevel {

        private SecurityLevel() {}



        /**

         * @hide

         */

        public static int toKeymaster(int securityLevel) {

            switch (securityLevel) {

                case SECURITY_LEVEL_SOFTWARE:

                    return KeymasterDefs.KM_SECURITY_LEVEL_SOFTWARE;

                case SECURITY_LEVEL_TRUSTED_ENVIRONMENT:

                    return KeymasterDefs.KM_SECURITY_LEVEL_TRUSTED_ENVIRONMENT;

                case SECURITY_LEVEL_STRONGBOX:

                    return KeymasterDefs.KM_SECURITY_LEVEL_STRONGBOX;

                default:

                    throw new IllegalArgumentException("Unsupported security level: "

                            + securityLevel);

            }

        }



        /**

         * @hide

         */

        @NonNull

        public static int fromKeymaster(int securityLevel) {

            switch (securityLevel) {

                case KeymasterDefs.KM_SECURITY_LEVEL_SOFTWARE:

                    return SECURITY_LEVEL_SOFTWARE;

                case KeymasterDefs.KM_SECURITY_LEVEL_TRUSTED_ENVIRONMENT:

                    return SECURITY_LEVEL_TRUSTED_ENVIRONMENT;

                case KeymasterDefs.KM_SECURITY_LEVEL_STRONGBOX:

                    return SECURITY_LEVEL_STRONGBOX;

                default:

                    throw new IllegalArgumentException("Unsupported security level: "

                            + securityLevel);

            }

        }

    }



}