Merge changes Ib3c9affb,I1dbe3d02,I88681f21

* changes: Keystore 2.0 SPI: Adding the keystore AIDL interface to frameworks Keystore 2.0: KeyProperties SignaturePadding is now public but hidden Keystore SPI: Add SecurityLevelEnum to KeyProperties
2020-11-06 01:01:00 +00:00
parent cce157aaee 145e11ff93
commit 1f65c6b62e
5 changed files with 106 additions and 4 deletions
--- a/Android.bp
+++ b/Android.bp
@@ -480,6 +480,7 @@ java_library {
        "android.hardware.vibrator-V1.1-java",
        "android.hardware.vibrator-V1.2-java",
        "android.hardware.vibrator-V1.3-java",
+        "android.system.keystore2-java",
        "devicepolicyprotosnano",

        "com.android.sysprop.apex",
--- a/api/current.txt
+++ b/api/current.txt
@@ -42880,6 +42880,11 @@ package android.security.keystore {
    field public static final int PURPOSE_SIGN = 4; // 0x4
    field public static final int PURPOSE_VERIFY = 8; // 0x8
    field public static final int PURPOSE_WRAP_KEY = 32; // 0x20
+    field public static final int SECURITY_LEVEL_SOFTWARE = 0; // 0x0
+    field public static final int SECURITY_LEVEL_STRONGBOX = 2; // 0x2
+    field public static final int SECURITY_LEVEL_TRUSTED_ENVIRONMENT = 1; // 0x1
+    field public static final int SECURITY_LEVEL_UNKNOWN = -2; // 0xfffffffe
+    field public static final int SECURITY_LEVEL_UNKNOWN_SECURE = -1; // 0xffffffff
    field public static final String SIGNATURE_PADDING_RSA_PKCS1 = "PKCS1";
    field public static final String SIGNATURE_PADDING_RSA_PSS = "PSS";
  }
--- a/core/api/current.txt
+++ b/core/api/current.txt
@@ -41048,6 +41048,11 @@ package android.security.keystore {
    field public static final int PURPOSE_SIGN = 4; // 0x4
    field public static final int PURPOSE_VERIFY = 8; // 0x8
    field public static final int PURPOSE_WRAP_KEY = 32; // 0x20
+    field public static final int SECURITY_LEVEL_SOFTWARE = 0; // 0x0
+    field public static final int SECURITY_LEVEL_STRONGBOX = 2; // 0x2
+    field public static final int SECURITY_LEVEL_TRUSTED_ENVIRONMENT = 1; // 0x1
+    field public static final int SECURITY_LEVEL_UNKNOWN = -2; // 0xfffffffe
+    field public static final int SECURITY_LEVEL_UNKNOWN_SECURE = -1; // 0xffffffff
    field public static final String SIGNATURE_PADDING_RSA_PKCS1 = "PKCS1";
    field public static final String SIGNATURE_PADDING_RSA_PSS = "PSS";
  }
--- a/core/java/android/security/keymaster/KeymasterDefs.java
+++ b/core/java/android/security/keymaster/KeymasterDefs.java
@@ -157,6 +157,11 @@ public final class KeymasterDefs {
    public static final int HW_AUTH_PASSWORD = 1 << 0;
    public static final int HW_AUTH_BIOMETRIC = 1 << 1;

+    // Security Levels.
+    public static final int KM_SECURITY_LEVEL_SOFTWARE = 0;
+    public static final int KM_SECURITY_LEVEL_TRUSTED_ENVIRONMENT = 1;
+    public static final int KM_SECURITY_LEVEL_STRONGBOX = 2;
+
    // Error codes.
    public static final int KM_ERROR_OK = 0;
    public static final int KM_ERROR_ROOT_OF_TRUST_ALREADY_SET = -1;
--- a/keystore/java/android/security/keystore/KeyProperties.java
+++ b/keystore/java/android/security/keystore/KeyProperties.java
@@ -496,10 +496,16 @@ public abstract class KeyProperties {
     */
    public static final String SIGNATURE_PADDING_RSA_PSS = "PSS";

-    static abstract class SignaturePadding {
+    /**
+     * @hide
+     */
+    public abstract static class SignaturePadding {
        private SignaturePadding() {}

-        static int toKeymaster(@NonNull @SignaturePaddingEnum String padding) {
+        /**
+         * @hide
+         */
+        public static int toKeymaster(@NonNull @SignaturePaddingEnum String padding) {
            switch (padding.toUpperCase(Locale.US)) {
                case SIGNATURE_PADDING_RSA_PKCS1:
                    return KeymasterDefs.KM_PAD_RSA_PKCS1_1_5_SIGN;
@@ -512,7 +518,7 @@ public abstract class KeyProperties {
        }

        @NonNull
-        static @SignaturePaddingEnum String fromKeymaster(int padding) {
+        public static @SignaturePaddingEnum String fromKeymaster(int padding) {
            switch (padding) {
                case KeymasterDefs.KM_PAD_RSA_PKCS1_1_5_SIGN:
                    return SIGNATURE_PADDING_RSA_PKCS1;
@@ -524,7 +530,7 @@ public abstract class KeyProperties {
        }

        @NonNull
-        static int[] allToKeymaster(@Nullable @SignaturePaddingEnum String[] paddings) {
+        public static int[] allToKeymaster(@Nullable @SignaturePaddingEnum String[] paddings) {
            if ((paddings == null) || (paddings.length == 0)) {
                return EmptyArray.INT;
            }
@@ -771,4 +777,84 @@ public abstract class KeyProperties {
        }
        return result;
    }
+
+    /**
+     * @hide
+     */
+    @Retention(RetentionPolicy.SOURCE)
+    @IntDef(prefix = { "SECURITY_LEVEL_" }, value = {
+            SECURITY_LEVEL_UNKNOWN,
+            SECURITY_LEVEL_UNKNOWN_SECURE,
+            SECURITY_LEVEL_SOFTWARE,
+            SECURITY_LEVEL_TRUSTED_ENVIRONMENT,
+            SECURITY_LEVEL_STRONGBOX,
+    })
+    public @interface SecurityLevelEnum {}
+
+    /**
+     * This security level indicates that no assumptions can be made about the security level of the
+     * respective key.
+     */
+    public static final int SECURITY_LEVEL_UNKNOWN = -2;
+    /**
+     * This security level indicates that due to the target API level of the caller no exact
+     * statement can be made about the security level of the key, however, the security level
+     * can be considered is at least equivalent to {@link #SECURITY_LEVEL_TRUSTED_ENVIRONMENT}.
+     */
+    public static final int SECURITY_LEVEL_UNKNOWN_SECURE = -1;
+
+    /** Indicates enforcement by system software. */
+    public static final int SECURITY_LEVEL_SOFTWARE = 0;
+
+    /** Indicates enforcement by a trusted execution environment. */
+    public static final int SECURITY_LEVEL_TRUSTED_ENVIRONMENT = 1;
+
+    /**
+     * Indicates enforcement by environment meeting the Strongbox security profile,
+     * such as a secure element.
+     */
+    public static final int SECURITY_LEVEL_STRONGBOX = 2;
+
+    /**
+     * @hide
+     */
+    public abstract static class SecurityLevel {
+        private SecurityLevel() {}
+
+        /**
+         * @hide
+         */
+        public static int toKeymaster(int securityLevel) {
+            switch (securityLevel) {
+                case SECURITY_LEVEL_SOFTWARE:
+                    return KeymasterDefs.KM_SECURITY_LEVEL_SOFTWARE;
+                case SECURITY_LEVEL_TRUSTED_ENVIRONMENT:
+                    return KeymasterDefs.KM_SECURITY_LEVEL_TRUSTED_ENVIRONMENT;
+                case SECURITY_LEVEL_STRONGBOX:
+                    return KeymasterDefs.KM_SECURITY_LEVEL_STRONGBOX;
+                default:
+                    throw new IllegalArgumentException("Unsupported security level: "
+                            + securityLevel);
+            }
+        }
+
+        /**
+         * @hide
+         */
+        @NonNull
+        public static int fromKeymaster(int securityLevel) {
+            switch (securityLevel) {
+                case KeymasterDefs.KM_SECURITY_LEVEL_SOFTWARE:
+                    return SECURITY_LEVEL_SOFTWARE;
+                case KeymasterDefs.KM_SECURITY_LEVEL_TRUSTED_ENVIRONMENT:
+                    return SECURITY_LEVEL_TRUSTED_ENVIRONMENT;
+                case KeymasterDefs.KM_SECURITY_LEVEL_STRONGBOX:
+                    return SECURITY_LEVEL_STRONGBOX;
+                default:
+                    throw new IllegalArgumentException("Unsupported security level: "
+                            + securityLevel);
+            }
+        }
+    }
+
 }