
Commit e63d0908 authored by Automerger Merge Worker's avatar Automerger Merge Worker

Merge "Fixing how SIDs are added to keys during generation time" into rvc-dev...

Merge "Fixing how SIDs are added to keys during generation time" into rvc-dev am: 1149789b am: f7693a5c am: a1a88329

Change-Id: I659675a921a596f2360004b3d6b90c47909e32e1
parents e559d6db a1a88329
+59 −44
@@ -82,38 +82,22 @@ public abstract class KeymasterUtils {
        }
        }
    }
    }


    /**
    private static void addSids(KeymasterArguments args, UserAuthArgs spec) {
     * Adds keymaster arguments to express the key's authorization policy supported by user
        // If both biometric and credential are accepted, then just use the root sid from gatekeeper
     * authentication.
        if (spec.getUserAuthenticationType() == (KeyProperties.AUTH_BIOMETRIC_STRONG
     *
                                                 | KeyProperties.AUTH_DEVICE_CREDENTIAL)) {
     * @param args The arguments sent to keymaster that need to be populated from the spec
            if (spec.getBoundToSpecificSecureUserId() != GateKeeper.INVALID_SECURE_USER_ID) {
     * @param spec The user authentication relevant portions of the spec passed in from the caller.
                args.addUnsignedLong(KeymasterDefs.KM_TAG_USER_SECURE_ID,
     *        This spec will be translated into the relevant keymaster tags to be loaded into args.
                        KeymasterArguments.toUint64(spec.getBoundToSpecificSecureUserId()));
     * @throws IllegalStateException if user authentication is required but the system is in a wrong
            } else {
     *         state (e.g., secure lock screen not set up) for generating or importing keys that
                // The key is authorized for use for the specified amount of time after the user has
     *         require user authentication.
                // authenticated. Whatever unlocks the secure lock screen should authorize this key.
     */
                args.addUnsignedLong(KeymasterDefs.KM_TAG_USER_SECURE_ID,
    public static void addUserAuthArgs(KeymasterArguments args, UserAuthArgs spec) {
                        KeymasterArguments.toUint64(getRootSid()));

        if (spec.isUserConfirmationRequired()) {
            args.addBoolean(KeymasterDefs.KM_TAG_TRUSTED_CONFIRMATION_REQUIRED);
        }

        if (spec.isUserPresenceRequired()) {
            args.addBoolean(KeymasterDefs.KM_TAG_TRUSTED_USER_PRESENCE_REQUIRED);
        }

        if (spec.isUnlockedDeviceRequired()) {
            args.addBoolean(KeymasterDefs.KM_TAG_UNLOCKED_DEVICE_REQUIRED);
        }

        if (!spec.isUserAuthenticationRequired()) {
            args.addBoolean(KeymasterDefs.KM_TAG_NO_AUTH_REQUIRED);
            return;
            }
            }

        } else {
        if (spec.getUserAuthenticationValidityDurationSeconds() == 0) {
            List<Long> sids = new ArrayList<>();
            // Every use of this key needs to be authorized by the user.
            if ((spec.getUserAuthenticationType() & KeyProperties.AUTH_BIOMETRIC_STRONG) != 0) {
                final BiometricManager bm = KeyStore.getApplicationContext()
                final BiometricManager bm = KeyStore.getApplicationContext()
                        .getSystemService(BiometricManager.class);
                        .getSystemService(BiometricManager.class);


@@ -128,7 +112,6 @@ public abstract class KeymasterUtils {
                            + " authentication for every use");
                            + " authentication for every use");
                }
                }


            List<Long> sids = new ArrayList<>();
                if (spec.getBoundToSpecificSecureUserId() != GateKeeper.INVALID_SECURE_USER_ID) {
                if (spec.getBoundToSpecificSecureUserId() != GateKeeper.INVALID_SECURE_USER_ID) {
                    sids.add(spec.getBoundToSpecificSecureUserId());
                    sids.add(spec.getBoundToSpecificSecureUserId());
                } else if (spec.isInvalidatedByBiometricEnrollment()) {
                } else if (spec.isInvalidatedByBiometricEnrollment()) {
@@ -142,12 +125,53 @@ public abstract class KeymasterUtils {
                    // enrolled fingerprints, allowing the key to remain valid.
                    // enrolled fingerprints, allowing the key to remain valid.
                    sids.add(getRootSid());
                    sids.add(getRootSid());
                }
                }
            } else if ((spec.getUserAuthenticationType() & KeyProperties.AUTH_DEVICE_CREDENTIAL)
                            != 0) {
                sids.add(getRootSid());
            } else {
                throw new IllegalStateException("Invalid or no authentication type specified.");
            }


            for (int i = 0; i < sids.size(); i++) {
            for (int i = 0; i < sids.size(); i++) {
                args.addUnsignedLong(KeymasterDefs.KM_TAG_USER_SECURE_ID,
                args.addUnsignedLong(KeymasterDefs.KM_TAG_USER_SECURE_ID,
                        KeymasterArguments.toUint64(sids.get(i)));
                        KeymasterArguments.toUint64(sids.get(i)));
            }
            }
        }
    }


    /**
     * Adds keymaster arguments to express the key's authorization policy supported by user
     * authentication.
     *
     * @param args The arguments sent to keymaster that need to be populated from the spec
     * @param spec The user authentication relevant portions of the spec passed in from the caller.
     *        This spec will be translated into the relevant keymaster tags to be loaded into args.
     * @throws IllegalStateException if user authentication is required but the system is in a wrong
     *         state (e.g., secure lock screen not set up) for generating or importing keys that
     *         require user authentication.
     */
    public static void addUserAuthArgs(KeymasterArguments args, UserAuthArgs spec) {

        if (spec.isUserConfirmationRequired()) {
            args.addBoolean(KeymasterDefs.KM_TAG_TRUSTED_CONFIRMATION_REQUIRED);
        }

        if (spec.isUserPresenceRequired()) {
            args.addBoolean(KeymasterDefs.KM_TAG_TRUSTED_USER_PRESENCE_REQUIRED);
        }

        if (spec.isUnlockedDeviceRequired()) {
            args.addBoolean(KeymasterDefs.KM_TAG_UNLOCKED_DEVICE_REQUIRED);
        }

        if (!spec.isUserAuthenticationRequired()) {
            args.addBoolean(KeymasterDefs.KM_TAG_NO_AUTH_REQUIRED);
            return;
        }

        if (spec.getUserAuthenticationValidityDurationSeconds() == 0) {
            // Every use of this key needs to be authorized by the user.
            addSids(args, spec);
            args.addEnum(KeymasterDefs.KM_TAG_USER_AUTH_TYPE, spec.getUserAuthenticationType());
            args.addEnum(KeymasterDefs.KM_TAG_USER_AUTH_TYPE, spec.getUserAuthenticationType());


            if (spec.isUserAuthenticationValidWhileOnBody()) {
            if (spec.isUserAuthenticationValidWhileOnBody()) {
@@ -155,16 +179,7 @@ public abstract class KeymasterUtils {
                        + "supported for keys requiring fingerprint authentication");
                        + "supported for keys requiring fingerprint authentication");
            }
            }
        } else {
        } else {
            long sid;
            addSids(args, spec);
            if (spec.getBoundToSpecificSecureUserId() != GateKeeper.INVALID_SECURE_USER_ID) {
                sid = spec.getBoundToSpecificSecureUserId();
            } else {
                // The key is authorized for use for the specified amount of time after the user has
                // authenticated. Whatever unlocks the secure lock screen should authorize this key.
                sid = getRootSid();
            }
            args.addUnsignedLong(KeymasterDefs.KM_TAG_USER_SECURE_ID,
                    KeymasterArguments.toUint64(sid));
            args.addEnum(KeymasterDefs.KM_TAG_USER_AUTH_TYPE, spec.getUserAuthenticationType());
            args.addEnum(KeymasterDefs.KM_TAG_USER_AUTH_TYPE, spec.getUserAuthenticationType());
            args.addUnsignedInt(KeymasterDefs.KM_TAG_AUTH_TIMEOUT,
            args.addUnsignedInt(KeymasterDefs.KM_TAG_AUTH_TIMEOUT,
                    spec.getUserAuthenticationValidityDurationSeconds());
                    spec.getUserAuthenticationValidityDurationSeconds());
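Review bot: The new `addSids` helper in the first hunk carries only a one-line comment, yet it now centralises the KM_TAG_USER_SECURE_ID policy for both the per-use branch and the timeout branch of `addUserAuthArgs`; it should get a Javadoc that states which SIDs are emitted for each auth-type combination (bound SID or root SID when both types are accepted, biometric SIDs or root SID for biometric-only, root SID for credential-only) and that it throws `IllegalStateException` when AUTH_BIOMETRIC_STRONG is requested with no enrolled biometrics or when no recognised type is set. The timeout branch in the last hunk, where `addSids(args, spec);` replaces the old `long sid` block, previously never consulted BiometricManager and always fell back to the bound or root SID, so a biometric-only key with a timeout can now fail at generation time when nothing is enrolled; if that tightening is intended it should be called out in the Javadoc, since callers on the timeout path may not expect the exception. The `==` comparison against `AUTH_BIOMETRIC_STRONG | AUTH_DEVICE_CREDENTIAL` matches only that exact value, and any other bit combination falls to the `&` checks below, which is worth a short comment such as `// Exact match only: any other combination is resolved by the per-type checks below.`.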