Merge "Revert "Add "Unlocked device required" parameter to keys""

    method public boolean isRandomizedEncryptionRequired();

    method public boolean isRandomizedEncryptionRequired();

    method public boolean isStrongBoxBacked();

    method public boolean isStrongBoxBacked();

    method public boolean isTrustedUserPresenceRequired();

    method public boolean isTrustedUserPresenceRequired();

    method public boolean isUnlockedDeviceRequired();

    method public boolean isUserAuthenticationRequired();

    method public boolean isUserAuthenticationRequired();

    method public boolean isUserAuthenticationValidWhileOnBody();

    method public boolean isUserAuthenticationValidWhileOnBody();

    method public boolean isUserConfirmationRequired();

    method public boolean isUserConfirmationRequired();

    method public android.security.keystore.KeyGenParameterSpec.Builder setRandomizedEncryptionRequired(boolean);

    method public android.security.keystore.KeyGenParameterSpec.Builder setRandomizedEncryptionRequired(boolean);

    method public android.security.keystore.KeyGenParameterSpec.Builder setSignaturePaddings(java.lang.String...);

    method public android.security.keystore.KeyGenParameterSpec.Builder setSignaturePaddings(java.lang.String...);

    method public android.security.keystore.KeyGenParameterSpec.Builder setTrustedUserPresenceRequired(boolean);

    method public android.security.keystore.KeyGenParameterSpec.Builder setTrustedUserPresenceRequired(boolean);

    method public android.security.keystore.KeyGenParameterSpec.Builder setUnlockedDeviceRequired(boolean);

    method public android.security.keystore.KeyGenParameterSpec.Builder setUserAuthenticationRequired(boolean);

    method public android.security.keystore.KeyGenParameterSpec.Builder setUserAuthenticationRequired(boolean);

    method public android.security.keystore.KeyGenParameterSpec.Builder setUserAuthenticationValidWhileOnBody(boolean);

    method public android.security.keystore.KeyGenParameterSpec.Builder setUserAuthenticationValidWhileOnBody(boolean);

    method public android.security.keystore.KeyGenParameterSpec.Builder setUserAuthenticationValidityDurationSeconds(int);

    method public android.security.keystore.KeyGenParameterSpec.Builder setUserAuthenticationValidityDurationSeconds(int);

    method public boolean isDigestsSpecified();

    method public boolean isDigestsSpecified();

    method public boolean isInvalidatedByBiometricEnrollment();

    method public boolean isInvalidatedByBiometricEnrollment();

    method public boolean isRandomizedEncryptionRequired();

    method public boolean isRandomizedEncryptionRequired();

    method public boolean isTrustedUserPresenceRequired();

    method public boolean isUnlockedDeviceRequired();

    method public boolean isUserAuthenticationRequired();

    method public boolean isUserAuthenticationRequired();

    method public boolean isUserAuthenticationValidWhileOnBody();

    method public boolean isUserAuthenticationValidWhileOnBody();

    method public boolean isUserConfirmationRequired();

    method public boolean isUserConfirmationRequired();

    method public android.security.keystore.KeyProtection.Builder setKeyValidityStart(java.util.Date);

    method public android.security.keystore.KeyProtection.Builder setKeyValidityStart(java.util.Date);

    method public android.security.keystore.KeyProtection.Builder setRandomizedEncryptionRequired(boolean);

    method public android.security.keystore.KeyProtection.Builder setRandomizedEncryptionRequired(boolean);

    method public android.security.keystore.KeyProtection.Builder setSignaturePaddings(java.lang.String...);

    method public android.security.keystore.KeyProtection.Builder setSignaturePaddings(java.lang.String...);

    method public android.security.keystore.KeyProtection.Builder setTrustedUserPresenceRequired(boolean);

    method public android.security.keystore.KeyProtection.Builder setUnlockedDeviceRequired(boolean);

    method public android.security.keystore.KeyProtection.Builder setUserAuthenticationRequired(boolean);

    method public android.security.keystore.KeyProtection.Builder setUserAuthenticationRequired(boolean);

    method public android.security.keystore.KeyProtection.Builder setUserAuthenticationValidWhileOnBody(boolean);

    method public android.security.keystore.KeyProtection.Builder setUserAuthenticationValidWhileOnBody(boolean);

    method public android.security.keystore.KeyProtection.Builder setUserAuthenticationValidityDurationSeconds(int);

    method public android.security.keystore.KeyProtection.Builder setUserAuthenticationValidityDurationSeconds(int);

    public static final int KM_TAG_ALLOW_WHILE_ON_BODY = KM_BOOL | 506;

    public static final int KM_TAG_ALLOW_WHILE_ON_BODY = KM_BOOL | 506;

    public static final int KM_TAG_TRUSTED_USER_PRESENCE_REQUIRED = KM_BOOL | 507;

    public static final int KM_TAG_TRUSTED_USER_PRESENCE_REQUIRED = KM_BOOL | 507;

    public static final int KM_TAG_TRUSTED_CONFIRMATION_REQUIRED = KM_BOOL | 508;

    public static final int KM_TAG_TRUSTED_CONFIRMATION_REQUIRED = KM_BOOL | 508;

    public static final int KM_TAG_UNLOCKED_DEVICE_REQUIRED = KM_BOOL | 509;

    public static final int KM_TAG_ALL_APPLICATIONS = KM_BOOL | 600;

    public static final int KM_TAG_ALL_APPLICATIONS = KM_BOOL | 600;

    public static final int KM_TAG_APPLICATION_ID = KM_BYTES | 601;

    public static final int KM_TAG_APPLICATION_ID = KM_BYTES | 601;

    public static final int KM_ERROR_MISSING_MIN_MAC_LENGTH = -58;

    public static final int KM_ERROR_MISSING_MIN_MAC_LENGTH = -58;

    public static final int KM_ERROR_UNSUPPORTED_MIN_MAC_LENGTH = -59;

    public static final int KM_ERROR_UNSUPPORTED_MIN_MAC_LENGTH = -59;

    public static final int KM_ERROR_CANNOT_ATTEST_IDS = -66;

    public static final int KM_ERROR_CANNOT_ATTEST_IDS = -66;

    public static final int KM_ERROR_DEVICE_LOCKED = -72;

    public static final int KM_ERROR_UNIMPLEMENTED = -100;

    public static final int KM_ERROR_UNIMPLEMENTED = -100;

    public static final int KM_ERROR_VERSION_MISMATCH = -101;

    public static final int KM_ERROR_VERSION_MISMATCH = -101;

    public static final int KM_ERROR_UNKNOWN_ERROR = -1000;

    public static final int KM_ERROR_UNKNOWN_ERROR = -1000;

        sErrorCodeToString.put(KM_ERROR_INVALID_MAC_LENGTH,

        sErrorCodeToString.put(KM_ERROR_INVALID_MAC_LENGTH,

                "Invalid MAC or authentication tag length");

                "Invalid MAC or authentication tag length");

        sErrorCodeToString.put(KM_ERROR_CANNOT_ATTEST_IDS, "Unable to attest device ids");

        sErrorCodeToString.put(KM_ERROR_CANNOT_ATTEST_IDS, "Unable to attest device ids");

        sErrorCodeToString.put(KM_ERROR_DEVICE_LOCKED, "Device locked");

        sErrorCodeToString.put(KM_ERROR_UNIMPLEMENTED, "Not implemented");

        sErrorCodeToString.put(KM_ERROR_UNIMPLEMENTED, "Not implemented");

        sErrorCodeToString.put(KM_ERROR_UNKNOWN_ERROR, "Unknown error");

        sErrorCodeToString.put(KM_ERROR_UNKNOWN_ERROR, "Unknown error");

    }

    }

        try {

        try {

            args = args != null ? args : new KeymasterArguments();

            args = args != null ? args : new KeymasterArguments();

            entropy = entropy != null ? entropy : new byte[0];

            entropy = entropy != null ? entropy : new byte[0];

            OperationResult res = mBinder.begin(getToken(), alias, purpose, pruneable, args, entropy, uid);

            return mBinder.begin(getToken(), alias, purpose, pruneable, args, entropy, uid);

            // This result is -26 (KEY_USER_NOT_AUTHENTICATED) but why??

            return res;

        } catch (RemoteException e) {

        } catch (RemoteException e) {

            Log.w(TAG, "Cannot connect to keystore", e);

            Log.w(TAG, "Cannot connect to keystore", e);

            return null;

            return null;

        try {

        try {

            arguments = arguments != null ? arguments : new KeymasterArguments();

            arguments = arguments != null ? arguments : new KeymasterArguments();

            input = input != null ? input : new byte[0];

            input = input != null ? input : new byte[0];

            OperationResult res = mBinder.update(token, arguments, input);

            return mBinder.update(token, arguments, input);

            return res;

        } catch (RemoteException e) {

        } catch (RemoteException e) {

            Log.w(TAG, "Cannot connect to keystore", e);

            Log.w(TAG, "Cannot connect to keystore", e);

            return null;

            return null;

     * @return {@code KeyStore.NO_ERROR} on success, otherwise an error value corresponding to

     * @return {@code KeyStore.NO_ERROR} on success, otherwise an error value corresponding to

     * a {@code KeymasterDefs.KM_ERROR_} value or {@code KeyStore} ResponseCode.

     * a {@code KeymasterDefs.KM_ERROR_} value or {@code KeyStore} ResponseCode.

     */

     */

    public int addAuthToken(byte[] authToken, int userId) {

    public int addAuthToken(byte[] authToken) {

        try {

        try {

            return mBinder.addAuthToken(authToken, userId);

            return mBinder.addAuthToken(authToken);

        } catch (RemoteException e) {

        } catch (RemoteException e) {

            Log.w(TAG, "Cannot connect to keystore", e);

            Log.w(TAG, "Cannot connect to keystore", e);

            return SYSTEM_ERROR;

            return SYSTEM_ERROR;

    public InvalidKeyException getInvalidKeyException(

    public InvalidKeyException getInvalidKeyException(

            String keystoreKeyAlias, int uid, KeyStoreException e) {

            String keystoreKeyAlias, int uid, KeyStoreException e) {

        switch (e.getErrorCode()) {

        switch (e.getErrorCode()) {

            case LOCKED: // 2

            case LOCKED:

                return new UserNotAuthenticatedException();

                return new UserNotAuthenticatedException();

            case KeymasterDefs.KM_ERROR_KEY_EXPIRED: // -25

            case KeymasterDefs.KM_ERROR_KEY_EXPIRED:

                return new KeyExpiredException();

                return new KeyExpiredException();

            case KeymasterDefs.KM_ERROR_KEY_NOT_YET_VALID: // -2

            case KeymasterDefs.KM_ERROR_KEY_NOT_YET_VALID:

                return new KeyNotYetValidException();

                return new KeyNotYetValidException();

            case KeymasterDefs.KM_ERROR_KEY_USER_NOT_AUTHENTICATED: // -26

            case KeymasterDefs.KM_ERROR_KEY_USER_NOT_AUTHENTICATED:

            case OP_AUTH_NEEDED: // 15

            case OP_AUTH_NEEDED:

            {

            {

                // We now need to determine whether the key/operation can become usable if user

                // We now need to determine whether the key/operation can become usable if user

                // authentication is performed, or whether it can never become usable again.

                // authentication is performed, or whether it can never become usable again.

                // None of the key's SIDs can ever be authenticated

                // None of the key's SIDs can ever be authenticated

                return new KeyPermanentlyInvalidatedException();

                return new KeyPermanentlyInvalidatedException();

            }

            }

            case UNINITIALIZED: // 3

            case UNINITIALIZED:

                return new KeyPermanentlyInvalidatedException();

                return new KeyPermanentlyInvalidatedException();

            default:

            default:

                return new InvalidKeyException("Keystore operation failed", e);

                return new InvalidKeyException("Keystore operation failed", e);

                // Check that user authentication related parameters are acceptable. This method

                // Check that user authentication related parameters are acceptable. This method

                // will throw an IllegalStateException if there are issues (e.g., secure lock screen

                // will throw an IllegalStateException if there are issues (e.g., secure lock screen

                // not set up).

                // not set up).

                KeymasterUtils.addUserAuthArgs(new KeymasterArguments(), spec);

                KeymasterUtils.addUserAuthArgs(new KeymasterArguments(),

                        spec.isUserAuthenticationRequired(),

                        spec.getUserAuthenticationValidityDurationSeconds(),

                        spec.isUserAuthenticationValidWhileOnBody(),

                        spec.isInvalidatedByBiometricEnrollment(),

                        GateKeeper.INVALID_SECURE_USER_ID /* boundToSpecificSecureUserId */,

                        spec.isUserConfirmationRequired());

            } catch (IllegalStateException | IllegalArgumentException e) {

            } catch (IllegalStateException | IllegalArgumentException e) {

                throw new InvalidAlgorithmParameterException(e);

                throw new InvalidAlgorithmParameterException(e);

            }

            }

        args.addEnums(KeymasterDefs.KM_TAG_BLOCK_MODE, mKeymasterBlockModes);

        args.addEnums(KeymasterDefs.KM_TAG_BLOCK_MODE, mKeymasterBlockModes);

        args.addEnums(KeymasterDefs.KM_TAG_PADDING, mKeymasterPaddings);

        args.addEnums(KeymasterDefs.KM_TAG_PADDING, mKeymasterPaddings);

        args.addEnums(KeymasterDefs.KM_TAG_DIGEST, mKeymasterDigests);

        args.addEnums(KeymasterDefs.KM_TAG_DIGEST, mKeymasterDigests);

        KeymasterUtils.addUserAuthArgs(args, spec);

        KeymasterUtils.addUserAuthArgs(args,

                spec.isUserAuthenticationRequired(),

                spec.getUserAuthenticationValidityDurationSeconds(),

                spec.isUserAuthenticationValidWhileOnBody(),

                spec.isInvalidatedByBiometricEnrollment(),

                GateKeeper.INVALID_SECURE_USER_ID /* boundToSpecificSecureUserId */,

                spec.isUserConfirmationRequired());

        if (spec.isTrustedUserPresenceRequired()) {

            args.addBoolean(KeymasterDefs.KM_TAG_TRUSTED_USER_PRESENCE_REQUIRED);

        }

        KeymasterUtils.addMinMacLengthAuthorizationIfNecessary(

        KeymasterUtils.addMinMacLengthAuthorizationIfNecessary(

                args,

                args,

                mKeymasterAlgorithm,

                mKeymasterAlgorithm,

                // Check that user authentication related parameters are acceptable. This method

                // Check that user authentication related parameters are acceptable. This method

                // will throw an IllegalStateException if there are issues (e.g., secure lock screen

                // will throw an IllegalStateException if there are issues (e.g., secure lock screen

                // not set up).

                // not set up).

                KeymasterUtils.addUserAuthArgs(new KeymasterArguments(), mSpec);

                KeymasterUtils.addUserAuthArgs(new KeymasterArguments(),

                        mSpec.isUserAuthenticationRequired(),

                        mSpec.getUserAuthenticationValidityDurationSeconds(),

                        mSpec.isUserAuthenticationValidWhileOnBody(),

                        mSpec.isInvalidatedByBiometricEnrollment(),

                        GateKeeper.INVALID_SECURE_USER_ID /* boundToSpecificSecureUserId */,

                        mSpec.isUserConfirmationRequired());

            } catch (IllegalArgumentException | IllegalStateException e) {

            } catch (IllegalArgumentException | IllegalStateException e) {

                throw new InvalidAlgorithmParameterException(e);

                throw new InvalidAlgorithmParameterException(e);

            }

            }

        args.addEnums(KeymasterDefs.KM_TAG_PADDING, mKeymasterSignaturePaddings);

        args.addEnums(KeymasterDefs.KM_TAG_PADDING, mKeymasterSignaturePaddings);

        args.addEnums(KeymasterDefs.KM_TAG_DIGEST, mKeymasterDigests);

        args.addEnums(KeymasterDefs.KM_TAG_DIGEST, mKeymasterDigests);

        KeymasterUtils.addUserAuthArgs(args, mSpec);

        KeymasterUtils.addUserAuthArgs(args,

                mSpec.isUserAuthenticationRequired(),

                mSpec.getUserAuthenticationValidityDurationSeconds(),

                mSpec.isUserAuthenticationValidWhileOnBody(),

                mSpec.isInvalidatedByBiometricEnrollment(),

                GateKeeper.INVALID_SECURE_USER_ID /* boundToSpecificSecureUserId */,

                mSpec.isUserConfirmationRequired());

        args.addDateIfNotNull(KeymasterDefs.KM_TAG_ACTIVE_DATETIME, mSpec.getKeyValidityStart());

        args.addDateIfNotNull(KeymasterDefs.KM_TAG_ACTIVE_DATETIME, mSpec.getKeyValidityStart());

        args.addDateIfNotNull(KeymasterDefs.KM_TAG_ORIGINATION_EXPIRE_DATETIME,

        args.addDateIfNotNull(KeymasterDefs.KM_TAG_ORIGINATION_EXPIRE_DATETIME,

                mSpec.getKeyValidityForOriginationEnd());

                mSpec.getKeyValidityForOriginationEnd());