Loading api/current.txt +6 −0 Original line number Diff line number Diff line Loading @@ -38296,6 +38296,7 @@ package android.security.keystore { method public boolean isRandomizedEncryptionRequired(); method public boolean isStrongBoxBacked(); method public boolean isTrustedUserPresenceRequired(); method public boolean isUnlockedDeviceRequired(); method public boolean isUserAuthenticationRequired(); method public boolean isUserAuthenticationValidWhileOnBody(); } Loading @@ -38322,6 +38323,7 @@ package android.security.keystore { method public android.security.keystore.KeyGenParameterSpec.Builder setRandomizedEncryptionRequired(boolean); method public android.security.keystore.KeyGenParameterSpec.Builder setSignaturePaddings(java.lang.String...); method public android.security.keystore.KeyGenParameterSpec.Builder setTrustedUserPresenceRequired(boolean); method public android.security.keystore.KeyGenParameterSpec.Builder setUnlockedDeviceRequired(boolean); method public android.security.keystore.KeyGenParameterSpec.Builder setUserAuthenticationRequired(boolean); method public android.security.keystore.KeyGenParameterSpec.Builder setUserAuthenticationValidWhileOnBody(boolean); method public android.security.keystore.KeyGenParameterSpec.Builder setUserAuthenticationValidityDurationSeconds(int); Loading Loading @@ -38411,6 +38413,8 @@ package android.security.keystore { method public boolean isDigestsSpecified(); method public boolean isInvalidatedByBiometricEnrollment(); method public boolean isRandomizedEncryptionRequired(); method public boolean isTrustedUserPresenceRequired(); method public boolean isUnlockedDeviceRequired(); method public boolean isUserAuthenticationRequired(); method public boolean isUserAuthenticationValidWhileOnBody(); } Loading 
@@ -38428,6 +38432,8 @@ package android.security.keystore { method public android.security.keystore.KeyProtection.Builder setKeyValidityStart(java.util.Date); method public android.security.keystore.KeyProtection.Builder setRandomizedEncryptionRequired(boolean); method public android.security.keystore.KeyProtection.Builder setSignaturePaddings(java.lang.String...); method public android.security.keystore.KeyProtection.Builder setTrustedUserPresenceRequired(boolean); method public android.security.keystore.KeyProtection.Builder setUnlockedDeviceRequired(boolean); method public android.security.keystore.KeyProtection.Builder setUserAuthenticationRequired(boolean); method public android.security.keystore.KeyProtection.Builder setUserAuthenticationValidWhileOnBody(boolean); method public android.security.keystore.KeyProtection.Builder setUserAuthenticationValidityDurationSeconds(int); core/java/android/security/IKeystoreService.aidl +1 −1 Original line number Diff line number Diff line Loading @@ -71,7 +71,7 @@ interface IKeystoreService { in byte[] entropy); int abort(IBinder handle); boolean isOperationAuthorized(IBinder token); int addAuthToken(in byte[] authToken); int addAuthToken(in byte[] authToken, in int androidId); int onUserAdded(int userId, int parentId); int onUserRemoved(int userId); int attestKey(String alias, in KeymasterArguments params, out KeymasterCertificateChain chain); Loading core/java/android/security/keymaster/KeymasterDefs.java +3 −0 Original line number Diff line number Diff line Loading 
@@ -74,6 +74,7 @@ public final class KeymasterDefs { public static final int KM_TAG_AUTH_TIMEOUT = KM_UINT | 505; public static final int KM_TAG_ALLOW_WHILE_ON_BODY = KM_BOOL | 506; public static final int KM_TAG_TRUSTED_USER_PRESENCE_REQUIRED = KM_BOOL | 507; public static final int KM_TAG_UNLOCKED_DEVICE_REQUIRED = KM_BOOL | 509; public static final int KM_TAG_ALL_APPLICATIONS = KM_BOOL | 600; public static final int KM_TAG_APPLICATION_ID = KM_BYTES | 601; Loading Loading @@ -215,6 +216,7 @@ public final class KeymasterDefs { public static final int KM_ERROR_MISSING_MIN_MAC_LENGTH = -58; public static final int KM_ERROR_UNSUPPORTED_MIN_MAC_LENGTH = -59; public static final int KM_ERROR_CANNOT_ATTEST_IDS = -66; public static final int KM_ERROR_DEVICE_LOCKED = -72; public static final int KM_ERROR_UNIMPLEMENTED = -100; public static final int KM_ERROR_VERSION_MISMATCH = -101; public static final int KM_ERROR_UNKNOWN_ERROR = -1000; Loading Loading @@ -261,6 +263,7 @@ public final class KeymasterDefs { sErrorCodeToString.put(KM_ERROR_INVALID_MAC_LENGTH, "Invalid MAC or authentication tag length"); sErrorCodeToString.put(KM_ERROR_CANNOT_ATTEST_IDS, "Unable to attest device ids"); sErrorCodeToString.put(KM_ERROR_DEVICE_LOCKED, "Device locked"); sErrorCodeToString.put(KM_ERROR_UNIMPLEMENTED, "Not implemented"); sErrorCodeToString.put(KM_ERROR_UNKNOWN_ERROR, "Unknown error"); } Loading keystore/java/android/security/KeyStore.java +2 −2 Original line number Diff line number Diff line Loading 
@@ -618,9 +618,9 @@ public class KeyStore { * @return {@code KeyStore.NO_ERROR} on success, otherwise an error value corresponding to * a {@code KeymasterDefs.KM_ERROR_} value or {@code KeyStore} ResponseCode. */ public int addAuthToken(byte[] authToken) { public int addAuthToken(byte[] authToken, int userId) { try { return mBinder.addAuthToken(authToken); return mBinder.addAuthToken(authToken, userId); } catch (RemoteException e) { Log.w(TAG, "Cannot connect to keystore", e); return SYSTEM_ERROR; Loading keystore/java/android/security/keystore/AndroidKeyStoreKeyGeneratorSpi.java +2 −15 Original line number Diff line number Diff line Loading @@ -243,12 +243,7 @@ public abstract class AndroidKeyStoreKeyGeneratorSpi extends KeyGeneratorSpi { // Check that user authentication related parameters are acceptable. This method // will throw an IllegalStateException if there are issues (e.g., secure lock screen // not set up). KeymasterUtils.addUserAuthArgs(new KeymasterArguments(), spec.isUserAuthenticationRequired(), spec.getUserAuthenticationValidityDurationSeconds(), spec.isUserAuthenticationValidWhileOnBody(), spec.isInvalidatedByBiometricEnrollment(), GateKeeper.INVALID_SECURE_USER_ID /* boundToSpecificSecureUserId */); KeymasterUtils.addUserAuthArgs(new KeymasterArguments(), spec); } catch (IllegalStateException | IllegalArgumentException e) { throw new InvalidAlgorithmParameterException(e); } Loading Loading 
@@ -284,15 +279,7 @@ public abstract class AndroidKeyStoreKeyGeneratorSpi extends KeyGeneratorSpi { args.addEnums(KeymasterDefs.KM_TAG_BLOCK_MODE, mKeymasterBlockModes); args.addEnums(KeymasterDefs.KM_TAG_PADDING, mKeymasterPaddings); args.addEnums(KeymasterDefs.KM_TAG_DIGEST, mKeymasterDigests); KeymasterUtils.addUserAuthArgs(args, spec.isUserAuthenticationRequired(), spec.getUserAuthenticationValidityDurationSeconds(), spec.isUserAuthenticationValidWhileOnBody(), spec.isInvalidatedByBiometricEnrollment(), GateKeeper.INVALID_SECURE_USER_ID /* boundToSpecificSecureUserId */); if (spec.isTrustedUserPresenceRequired()) { args.addBoolean(KeymasterDefs.KM_TAG_TRUSTED_USER_PRESENCE_REQUIRED); } KeymasterUtils.addUserAuthArgs(args, spec); KeymasterUtils.addMinMacLengthAuthorizationIfNecessary( args, mKeymasterAlgorithm, Loading Loading
api/current.txt +6 −0 Original line number Diff line number Diff line Loading @@ -38296,6 +38296,7 @@ package android.security.keystore { method public boolean isRandomizedEncryptionRequired(); method public boolean isStrongBoxBacked(); method public boolean isTrustedUserPresenceRequired(); method public boolean isUnlockedDeviceRequired(); method public boolean isUserAuthenticationRequired(); method public boolean isUserAuthenticationValidWhileOnBody(); } Loading @@ -38322,6 +38323,7 @@ package android.security.keystore { method public android.security.keystore.KeyGenParameterSpec.Builder setRandomizedEncryptionRequired(boolean); method public android.security.keystore.KeyGenParameterSpec.Builder setSignaturePaddings(java.lang.String...); method public android.security.keystore.KeyGenParameterSpec.Builder setTrustedUserPresenceRequired(boolean); method public android.security.keystore.KeyGenParameterSpec.Builder setUnlockedDeviceRequired(boolean); method public android.security.keystore.KeyGenParameterSpec.Builder setUserAuthenticationRequired(boolean); method public android.security.keystore.KeyGenParameterSpec.Builder setUserAuthenticationValidWhileOnBody(boolean); method public android.security.keystore.KeyGenParameterSpec.Builder setUserAuthenticationValidityDurationSeconds(int); Loading Loading @@ -38411,6 +38413,8 @@ package android.security.keystore { method public boolean isDigestsSpecified(); method public boolean isInvalidatedByBiometricEnrollment(); method public boolean isRandomizedEncryptionRequired(); method public boolean isTrustedUserPresenceRequired(); method public boolean isUnlockedDeviceRequired(); method public boolean isUserAuthenticationRequired(); method public boolean isUserAuthenticationValidWhileOnBody(); } Loading 
@@ -38428,6 +38432,8 @@ package android.security.keystore { method public android.security.keystore.KeyProtection.Builder setKeyValidityStart(java.util.Date); method public android.security.keystore.KeyProtection.Builder setRandomizedEncryptionRequired(boolean); method public android.security.keystore.KeyProtection.Builder setSignaturePaddings(java.lang.String...); method public android.security.keystore.KeyProtection.Builder setTrustedUserPresenceRequired(boolean); method public android.security.keystore.KeyProtection.Builder setUnlockedDeviceRequired(boolean); method public android.security.keystore.KeyProtection.Builder setUserAuthenticationRequired(boolean); method public android.security.keystore.KeyProtection.Builder setUserAuthenticationValidWhileOnBody(boolean); method public android.security.keystore.KeyProtection.Builder setUserAuthenticationValidityDurationSeconds(int);
core/java/android/security/IKeystoreService.aidl +1 −1 Original line number Diff line number Diff line Loading @@ -71,7 +71,7 @@ interface IKeystoreService { in byte[] entropy); int abort(IBinder handle); boolean isOperationAuthorized(IBinder token); int addAuthToken(in byte[] authToken); int addAuthToken(in byte[] authToken, in int androidId); int onUserAdded(int userId, int parentId); int onUserRemoved(int userId); int attestKey(String alias, in KeymasterArguments params, out KeymasterCertificateChain chain); Loading
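Review bot: The new second parameter of `addAuthToken` is named `androidId`, while the Java wrapper in KeyStore.java calls the same value `userId` and the neighbouring `onUserAdded(int userId, int parentId)` uses that name too; `int addAuthToken(in byte[] authToken, in int userId);` would keep the interface consistent. Because the value arrives over binder from the caller, the service implementation (not shown on this page) presumably has to check that the caller may submit auth tokens for that user rather than trusting the argument. Changing the signature in place also means every client and the service side of this interface must be updated together with this file.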
core/java/android/security/keymaster/KeymasterDefs.java +3 −0 Original line number Diff line number Diff line Loading @@ -74,6 +74,7 @@ public final class KeymasterDefs { public static final int KM_TAG_AUTH_TIMEOUT = KM_UINT | 505; public static final int KM_TAG_ALLOW_WHILE_ON_BODY = KM_BOOL | 506; public static final int KM_TAG_TRUSTED_USER_PRESENCE_REQUIRED = KM_BOOL | 507; public static final int KM_TAG_UNLOCKED_DEVICE_REQUIRED = KM_BOOL | 509; public static final int KM_TAG_ALL_APPLICATIONS = KM_BOOL | 600; public static final int KM_TAG_APPLICATION_ID = KM_BYTES | 601; Loading Loading @@ -215,6 +216,7 @@ public final class KeymasterDefs { public static final int KM_ERROR_MISSING_MIN_MAC_LENGTH = -58; public static final int KM_ERROR_UNSUPPORTED_MIN_MAC_LENGTH = -59; public static final int KM_ERROR_CANNOT_ATTEST_IDS = -66; public static final int KM_ERROR_DEVICE_LOCKED = -72; public static final int KM_ERROR_UNIMPLEMENTED = -100; public static final int KM_ERROR_VERSION_MISMATCH = -101; public static final int KM_ERROR_UNKNOWN_ERROR = -1000; Loading Loading @@ -261,6 +263,7 @@ public final class KeymasterDefs { sErrorCodeToString.put(KM_ERROR_INVALID_MAC_LENGTH, "Invalid MAC or authentication tag length"); sErrorCodeToString.put(KM_ERROR_CANNOT_ATTEST_IDS, "Unable to attest device ids"); sErrorCodeToString.put(KM_ERROR_DEVICE_LOCKED, "Device locked"); sErrorCodeToString.put(KM_ERROR_UNIMPLEMENTED, "Not implemented"); sErrorCodeToString.put(KM_ERROR_UNKNOWN_ERROR, "Unknown error"); } Loading
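Review bot: The two new constants break the numbering of their visible neighbours, with nothing in the file explaining the gaps: `KM_TAG_UNLOCKED_DEVICE_REQUIRED` is `KM_BOOL | 509` after 507, and `KM_ERROR_DEVICE_LOCKED` is -72 after -66. If the reason is that they mirror definitions made elsewhere, a short comment such as `// Must match the keymaster HAL value; intermediate values are not exposed here` would say so. The class body extends beyond these hunks, so it is not visible whether the code that turns keymaster error codes into exceptions handles -72. It is worth confirming that callers see a distinct, retryable "device locked" failure rather than a generic or key-invalidated error.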
keystore/java/android/security/KeyStore.java +2 −2 Original line number Diff line number Diff line Loading @@ -618,9 +618,9 @@ public class KeyStore { * @return {@code KeyStore.NO_ERROR} on success, otherwise an error value corresponding to * a {@code KeymasterDefs.KM_ERROR_} value or {@code KeyStore} ResponseCode. */ public int addAuthToken(byte[] authToken) { public int addAuthToken(byte[] authToken, int userId) { try { return mBinder.addAuthToken(authToken); return mBinder.addAuthToken(authToken, userId); } catch (RemoteException e) { Log.w(TAG, "Cannot connect to keystore", e); return SYSTEM_ERROR; Loading
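Review bot: The Javadoc for `addAuthToken` ends with the `@return` tag in this hunk and shows no description of the new `userId` parameter. The comment starts above the hunk, so check there, and if it is missing add a line such as `@param userId Android user ID the auth token belongs to`. The doc should also say which user callers are expected to pass (presumably the one who just authenticated), because a wrong value would attribute the authentication to another user. The same argument is called `androidId` in IKeystoreService.aidl, and one name should be used on both sides.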
keystore/java/android/security/keystore/AndroidKeyStoreKeyGeneratorSpi.java +2 −15 Original line number Diff line number Diff line Loading @@ -243,12 +243,7 @@ public abstract class AndroidKeyStoreKeyGeneratorSpi extends KeyGeneratorSpi { // Check that user authentication related parameters are acceptable. This method // will throw an IllegalStateException if there are issues (e.g., secure lock screen // not set up). KeymasterUtils.addUserAuthArgs(new KeymasterArguments(), spec.isUserAuthenticationRequired(), spec.getUserAuthenticationValidityDurationSeconds(), spec.isUserAuthenticationValidWhileOnBody(), spec.isInvalidatedByBiometricEnrollment(), GateKeeper.INVALID_SECURE_USER_ID /* boundToSpecificSecureUserId */); KeymasterUtils.addUserAuthArgs(new KeymasterArguments(), spec); } catch (IllegalStateException | IllegalArgumentException e) { throw new InvalidAlgorithmParameterException(e); } Loading Loading @@ -284,15 +279,7 @@ public abstract class AndroidKeyStoreKeyGeneratorSpi extends KeyGeneratorSpi { args.addEnums(KeymasterDefs.KM_TAG_BLOCK_MODE, mKeymasterBlockModes); args.addEnums(KeymasterDefs.KM_TAG_PADDING, mKeymasterPaddings); args.addEnums(KeymasterDefs.KM_TAG_DIGEST, mKeymasterDigests); KeymasterUtils.addUserAuthArgs(args, spec.isUserAuthenticationRequired(), spec.getUserAuthenticationValidityDurationSeconds(), spec.isUserAuthenticationValidWhileOnBody(), spec.isInvalidatedByBiometricEnrollment(), GateKeeper.INVALID_SECURE_USER_ID /* boundToSpecificSecureUserId */); if (spec.isTrustedUserPresenceRequired()) { args.addBoolean(KeymasterDefs.KM_TAG_TRUSTED_USER_PRESENCE_REQUIRED); } KeymasterUtils.addUserAuthArgs(args, spec); KeymasterUtils.addMinMacLengthAuthorizationIfNecessary( args, mKeymasterAlgorithm, Loading
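Review bot: Both call sites now delegate to `KeymasterUtils.addUserAuthArgs(args, spec)`, whose body is not on this page, so two authorizations the removed lines made explicit cannot be checked from here: the `GateKeeper.INVALID_SECURE_USER_ID` binding and the `KM_TAG_TRUSTED_USER_PRESENCE_REQUIRED` tag added when `spec.isTrustedUserPresenceRequired()` is true. A regression in the helper would silently generate keys with weaker authorizations, so a test that generates a key with each flag set and inspects the resulting key characteristics would be worth adding. The comment above the first call still speaks only of user-authentication parameters; assuming the helper covers the other fields, something like `// Validates all user-auth related spec fields (auth, user presence, unlocked device)` would match it. If `GateKeeper` is no longer referenced elsewhere in the file, its import can be dropped. Both enclosing methods start and end outside the hunks.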