Android/frameworks_base
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge changes from topics "niap-asym-write-pi-dev", "niap-asym-write-api-pi-dev" into pi-dev

Browse Source 
* changes:
  Restore "Add "Unlocked device required" parameter to keys"
  Add "Unlocked device required" key API
This commit is contained in:
Brian Young
2018-03-30 14:21:19 +00:00
committed by Android (Google) Code Review
parent 69196f6fad 9272dab49e
commit 0186b42f2a
7 changed files with 93 additions and 15 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
core/java/android/security/keymaster/KeymasterDefs.java
View File

@@ -75,6 +75,7 @@ public final class KeymasterDefs {
public static final int KM_TAG_ALLOW_WHILE_ON_BODY = KM_BOOL | 506;
public static final int KM_TAG_TRUSTED_USER_PRESENCE_REQUIRED = KM_BOOL | 507;
public static final int KM_TAG_TRUSTED_CONFIRMATION_REQUIRED = KM_BOOL | 508;
public static final int KM_TAG_UNLOCKED_DEVICE_REQUIRED = KM_BOOL | 509;
public static final int KM_TAG_ALL_APPLICATIONS = KM_BOOL | 600;
public static final int KM_TAG_APPLICATION_ID = KM_BYTES | 601;
@@ -216,6 +217,7 @@ public final class KeymasterDefs {
public static final int KM_ERROR_MISSING_MIN_MAC_LENGTH = -58;
public static final int KM_ERROR_UNSUPPORTED_MIN_MAC_LENGTH = -59;
public static final int KM_ERROR_CANNOT_ATTEST_IDS = -66;
public static final int KM_ERROR_DEVICE_LOCKED = -72;
public static final int KM_ERROR_UNIMPLEMENTED = -100;
public static final int KM_ERROR_VERSION_MISMATCH = -101;
public static final int KM_ERROR_UNKNOWN_ERROR = -1000;
@@ -262,6 +264,7 @@ public final class KeymasterDefs {
sErrorCodeToString.put(KM_ERROR_INVALID_MAC_LENGTH,
"Invalid MAC or authentication tag length");
sErrorCodeToString.put(KM_ERROR_CANNOT_ATTEST_IDS, "Unable to attest device ids");
sErrorCodeToString.put(KM_ERROR_DEVICE_LOCKED, "Device locked");
sErrorCodeToString.put(KM_ERROR_UNIMPLEMENTED, "Not implemented");
sErrorCodeToString.put(KM_ERROR_UNKNOWN_ERROR, "Unknown error");
}

8
keystore/java/android/security/KeyStore.java
View File

@@ -16,6 +16,7 @@
package android.security;
import android.app.ActivityManager;
import android.app.ActivityThread;
import android.app.Application;
import android.app.KeyguardManager;
@@ -279,7 +280,7 @@ public class KeyStore {
/**
* Attempt to lock the keystore for {@code user}.
*
* @param user Android user to lock.
* @param userId Android user to lock.
* @return whether {@code user}'s keystore was locked.
*/
public boolean lock(int userId) {
@@ -300,7 +301,7 @@ public class KeyStore {
* This is required before keystore entries created with FLAG_ENCRYPTED can be accessed or
* created.
*
* @param user Android user ID to operate on
* @param userId Android user ID to operate on
* @param password user's keystore password. Should be the most recent value passed to
* {@link #onUserPasswordChanged} for the user.
*
@@ -546,6 +547,9 @@ public class KeyStore {
try {
args = args != null ? args : new KeymasterArguments();
entropy = entropy != null ? entropy : new byte[0];
if (!args.containsTag(KeymasterDefs.KM_TAG_USER_ID)) {
args.addUnsignedInt(KeymasterDefs.KM_TAG_USER_ID, ActivityManager.getCurrentUser());
}
return mBinder.begin(getToken(), alias, purpose, pruneable, args, entropy, uid);
} catch (RemoteException e) {
Log.w(TAG, "Cannot connect to keystore", e);

30
keystore/java/android/security/keystore/KeyGenParameterSpec.java
View File

@@ -266,6 +266,7 @@ public final class KeyGenParameterSpec implements AlgorithmParameterSpec, UserAu
private final boolean mInvalidatedByBiometricEnrollment;
private final boolean mIsStrongBoxBacked;
private final boolean mUserConfirmationRequired;
private final boolean mUnlockedDeviceRequired;
/**
* @hide should be built with Builder
@@ -296,7 +297,8 @@ public final class KeyGenParameterSpec implements AlgorithmParameterSpec, UserAu
boolean userAuthenticationValidWhileOnBody,
boolean invalidatedByBiometricEnrollment,
boolean isStrongBoxBacked,
boolean userConfirmationRequired) {
boolean userConfirmationRequired,
boolean unlockedDeviceRequired) {
if (TextUtils.isEmpty(keyStoreAlias)) {
throw new IllegalArgumentException("keyStoreAlias must not be empty");
}
@@ -345,6 +347,7 @@ public final class KeyGenParameterSpec implements AlgorithmParameterSpec, UserAu
mInvalidatedByBiometricEnrollment = invalidatedByBiometricEnrollment;
mIsStrongBoxBacked = isStrongBoxBacked;
mUserConfirmationRequired = userConfirmationRequired;
mUnlockedDeviceRequired = unlockedDeviceRequired;
}
/**
@@ -669,6 +672,15 @@ public final class KeyGenParameterSpec implements AlgorithmParameterSpec, UserAu
return mIsStrongBoxBacked;
}
/**
* @hide Returns {@code true} if the key cannot be used unless the device screen is unlocked.
*
* @see Builder#setUnlockedDeviceRequired(boolean)
*/
public boolean isUnlockedDeviceRequired() {
return mUnlockedDeviceRequired;
}
/**
* @hide
*/
@@ -707,6 +719,7 @@ public final class KeyGenParameterSpec implements AlgorithmParameterSpec, UserAu
private boolean mInvalidatedByBiometricEnrollment = true;
private boolean mIsStrongBoxBacked = false;
private boolean mUserConfirmationRequired;
private boolean mUnlockedDeviceRequired = false;
/**
* Creates a new instance of the {@code Builder}.
@@ -1274,6 +1287,18 @@ public final class KeyGenParameterSpec implements AlgorithmParameterSpec, UserAu
return this;
}
/**
* @hide Sets whether the keystore requires the screen to be unlocked before allowing decryption
* using this key. If this is set to {@code true}, any attempt to decrypt using this key
* while the screen is locked will fail. A locked device requires a PIN, password,
* fingerprint, or other trusted factor to access.
*/
@NonNull
public Builder setUnlockedDeviceRequired(boolean unlockedDeviceRequired) {
mUnlockedDeviceRequired = unlockedDeviceRequired;
return this;
}
/**
* Builds an instance of {@code KeyGenParameterSpec}.
*/
@@ -1305,7 +1330,8 @@ public final class KeyGenParameterSpec implements AlgorithmParameterSpec, UserAu
mUserAuthenticationValidWhileOnBody,
mInvalidatedByBiometricEnrollment,
mIsStrongBoxBacked,
mUserConfirmationRequired);
mUserConfirmationRequired,
mUnlockedDeviceRequired);
}
}
}

39
keystore/java/android/security/keystore/KeyProtection.java
View File

@@ -224,12 +224,13 @@ public final class KeyProtection implements ProtectionParameter, UserAuthArgs {
private final boolean mRandomizedEncryptionRequired;
private final boolean mUserAuthenticationRequired;
private final int mUserAuthenticationValidityDurationSeconds;
private final boolean mTrustedUserPresenceRequred;
private final boolean mTrustedUserPresenceRequired;
private final boolean mUserAuthenticationValidWhileOnBody;
private final boolean mInvalidatedByBiometricEnrollment;
private final long mBoundToSecureUserId;
private final boolean mCriticalToDeviceEncryption;
private final boolean mUserConfirmationRequired;
private final boolean mUnlockedDeviceRequired;
private KeyProtection(
Date keyValidityStart,
@@ -243,12 +244,13 @@ public final class KeyProtection implements ProtectionParameter, UserAuthArgs {
boolean randomizedEncryptionRequired,
boolean userAuthenticationRequired,
int userAuthenticationValidityDurationSeconds,
boolean trustedUserPresenceRequred,
boolean trustedUserPresenceRequired,
boolean userAuthenticationValidWhileOnBody,
boolean invalidatedByBiometricEnrollment,
long boundToSecureUserId,
boolean criticalToDeviceEncryption,
boolean userConfirmationRequired) {
boolean userConfirmationRequired,
boolean unlockedDeviceRequired) {
mKeyValidityStart = Utils.cloneIfNotNull(keyValidityStart);
mKeyValidityForOriginationEnd = Utils.cloneIfNotNull(keyValidityForOriginationEnd);
mKeyValidityForConsumptionEnd = Utils.cloneIfNotNull(keyValidityForConsumptionEnd);
@@ -262,12 +264,13 @@ public final class KeyProtection implements ProtectionParameter, UserAuthArgs {
mRandomizedEncryptionRequired = randomizedEncryptionRequired;
mUserAuthenticationRequired = userAuthenticationRequired;
mUserAuthenticationValidityDurationSeconds = userAuthenticationValidityDurationSeconds;
mTrustedUserPresenceRequred = trustedUserPresenceRequred;
mTrustedUserPresenceRequired = trustedUserPresenceRequired;
mUserAuthenticationValidWhileOnBody = userAuthenticationValidWhileOnBody;
mInvalidatedByBiometricEnrollment = invalidatedByBiometricEnrollment;
mBoundToSecureUserId = boundToSecureUserId;
mCriticalToDeviceEncryption = criticalToDeviceEncryption;
mUserConfirmationRequired = userConfirmationRequired;
mUnlockedDeviceRequired = unlockedDeviceRequired;
}
/**
@@ -444,7 +447,7 @@ public final class KeyProtection implements ProtectionParameter, UserAuthArgs {
* been performed between the {@code Signature.initSign()} and {@code Signature.sign()} calls.
*/
public boolean isTrustedUserPresenceRequired() {
return mTrustedUserPresenceRequred;
return mTrustedUserPresenceRequired;
}
/**
@@ -504,6 +507,15 @@ public final class KeyProtection implements ProtectionParameter, UserAuthArgs {
return mCriticalToDeviceEncryption;
}
/**
* @hide Returns {@code true} if the key cannot be used unless the device screen is unlocked.
*
* @see Builder#setUnlockedDeviceRequired(boolean)
*/
public boolean isUnlockedDeviceRequired() {
return mUnlockedDeviceRequired;
}
/**
* Builder of {@link KeyProtection} instances.
*/
@@ -524,6 +536,8 @@ public final class KeyProtection implements ProtectionParameter, UserAuthArgs {
private boolean mUserAuthenticationValidWhileOnBody;
private boolean mInvalidatedByBiometricEnrollment = true;
private boolean mUserConfirmationRequired;
private boolean mUnlockedDeviceRequired = false;
private long mBoundToSecureUserId = GateKeeper.INVALID_SECURE_USER_ID;
private boolean mCriticalToDeviceEncryption = false;
@@ -913,6 +927,18 @@ public final class KeyProtection implements ProtectionParameter, UserAuthArgs {
return this;
}
/**
* @hide Sets whether the keystore requires the screen to be unlocked before allowing decryption
* using this key. If this is set to {@code true}, any attempt to decrypt using this key
* while the screen is locked will fail. A locked device requires a PIN, password,
* fingerprint, or other trusted factor to access.
*/
@NonNull
public Builder setUnlockedDeviceRequired(boolean unlockedDeviceRequired) {
mUnlockedDeviceRequired = unlockedDeviceRequired;
return this;
}
/**
* Builds an instance of {@link KeyProtection}.
*
@@ -937,7 +963,8 @@ public final class KeyProtection implements ProtectionParameter, UserAuthArgs {
mInvalidatedByBiometricEnrollment,
mBoundToSecureUserId,
mCriticalToDeviceEncryption,
mUserConfirmationRequired);
mUserConfirmationRequired,
mUnlockedDeviceRequired);
}
}
}

12
keystore/java/android/security/keystore/KeymasterUtils.java
View File

@@ -16,9 +16,8 @@
package android.security.keystore;
import android.util.Log;
import android.app.ActivityManager;
import android.hardware.fingerprint.FingerprintManager;
import android.os.UserHandle;
import android.security.GateKeeper;
import android.security.KeyStore;
import android.security.keymaster.KeymasterArguments;
@@ -101,8 +100,9 @@ public abstract class KeymasterUtils {
* state (e.g., secure lock screen not set up) for generating or importing keys that
* require user authentication.
*/
public static void addUserAuthArgs(KeymasterArguments args,
UserAuthArgs spec) {
public static void addUserAuthArgs(KeymasterArguments args, UserAuthArgs spec) {
args.addUnsignedInt(KeymasterDefs.KM_TAG_USER_ID, ActivityManager.getCurrentUser());
if (spec.isUserConfirmationRequired()) {
args.addBoolean(KeymasterDefs.KM_TAG_TRUSTED_CONFIRMATION_REQUIRED);
}
@@ -111,6 +111,10 @@ public abstract class KeymasterUtils {
args.addBoolean(KeymasterDefs.KM_TAG_TRUSTED_USER_PRESENCE_REQUIRED);
}
if (spec.isUnlockedDeviceRequired()) {
args.addBoolean(KeymasterDefs.KM_TAG_UNLOCKED_DEVICE_REQUIRED);
}
if (!spec.isUserAuthenticationRequired()) {
args.addBoolean(KeymasterDefs.KM_TAG_NO_AUTH_REQUIRED);
return;

1
keystore/java/android/security/keystore/UserAuthArgs.java
View File

@@ -33,5 +33,6 @@ public interface UserAuthArgs {
boolean isUserConfirmationRequired();
long getBoundToSpecificSecureUserId();
boolean isTrustedUserPresenceRequired();
boolean isUnlockedDeviceRequired();
}

15
services/core/java/com/android/server/policy/keyguard/KeyguardStateMonitor.java
View File

@@ -19,6 +19,8 @@ package com.android.server.policy.keyguard;
import android.app.ActivityManager;
import android.content.Context;
import android.os.RemoteException;
import android.os.ServiceManager;
import android.security.IKeystoreService;
import android.util.Slog;
import com.android.internal.policy.IKeyguardService;
@@ -51,11 +53,16 @@ public class KeyguardStateMonitor extends IKeyguardStateCallback.Stub {
private final LockPatternUtils mLockPatternUtils;
private final StateCallback mCallback;
IKeystoreService mKeystoreService;
public KeyguardStateMonitor(Context context, IKeyguardService service, StateCallback callback) {
mLockPatternUtils = new LockPatternUtils(context);
mCurrentUserId = ActivityManager.getCurrentUser();
mCallback = callback;
mKeystoreService = IKeystoreService.Stub.asInterface(ServiceManager
.getService("android.security.keystore"));
try {
service.addStateMonitorCallback(this);
} catch (RemoteException e) {
@@ -86,6 +93,12 @@ public class KeyguardStateMonitor extends IKeyguardStateCallback.Stub {
@Override // Binder interface
public void onShowingStateChanged(boolean showing) {
mIsShowing = showing;
try {
mKeystoreService.onKeyguardVisibilityChanged(showing, mCurrentUserId);
} catch (RemoteException e) {
Slog.e(TAG, "Error informing keystore of screen lock", e);
}
}
@Override // Binder interface
@@ -130,4 +143,4 @@ public class KeyguardStateMonitor extends IKeyguardStateCallback.Stub {
pw.println(prefix + "mTrusted=" + mTrusted);
pw.println(prefix + "mCurrentUserId=" + mCurrentUserId);
}
}
}