Merge \"Remove tied profile encryption key cache in keystore\" into nyc-mr1-dev

am: 3ed2a52bb1 Change-Id: I127bb8329b374e57147b42f13f699b3125872367
2016-07-15 10:18:36 +00:00
parent e7ad96f9a8 3ed2a52bb1
commit 39cfbde069
1 changed files with 42 additions and 29 deletions
--- a/services/core/java/com/android/server/LockSettingsService.java
+++ b/services/core/java/com/android/server/LockSettingsService.java
@@ -584,6 +584,18 @@ public class LockSettingsService extends ILockSettings.Stub {
                        Slog.e(TAG, "Invalid tied profile lock type: " + quality);
                    }
                }
                try {
                    final String alias = LockPatternUtils.PROFILE_KEY_NAME_ENCRYPT + userInfo.id;
                    java.security.KeyStore keyStore =
                            java.security.KeyStore.getInstance("AndroidKeyStore");
                    keyStore.load(null);
                    if (keyStore.containsAlias(alias)) {
                        keyStore.deleteEntry(alias);
                    }
                } catch (KeyStoreException | NoSuchAlgorithmException |
                        CertificateException | IOException e) {
                    Slog.e(TAG, "Unable to remove tied profile key", e);
                }
            }
        } catch (RemoteException re) {
            Slog.e(TAG, "Unable to migrate old data", re);
@@ -1027,37 +1039,38 @@ public class LockSettingsService extends ILockSettings.Stub {
            KeyGenerator keyGenerator = KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES);
            keyGenerator.init(new SecureRandom());
            SecretKey secretKey = keyGenerator.generateKey();
            java.security.KeyStore keyStore = java.security.KeyStore.getInstance("AndroidKeyStore");
            keyStore.load(null);
-            keyStore.setEntry(
+            try {
-                    LockPatternUtils.PROFILE_KEY_NAME_ENCRYPT + userId,
+                keyStore.setEntry(
-                    new java.security.KeyStore.SecretKeyEntry(secretKey),
+                        LockPatternUtils.PROFILE_KEY_NAME_ENCRYPT + userId,
-                    new KeyProtection.Builder(KeyProperties.PURPOSE_ENCRYPT)
+                        new java.security.KeyStore.SecretKeyEntry(secretKey),
-                            .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
+                        new KeyProtection.Builder(KeyProperties.PURPOSE_ENCRYPT)
-                            .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
+                                .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
-                            .build());
+                                .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
-            keyStore.setEntry(
+                                .build());
-                    LockPatternUtils.PROFILE_KEY_NAME_DECRYPT + userId,
+                keyStore.setEntry(
-                    new java.security.KeyStore.SecretKeyEntry(secretKey),
+                        LockPatternUtils.PROFILE_KEY_NAME_DECRYPT + userId,
-                    new KeyProtection.Builder(KeyProperties.PURPOSE_DECRYPT)
+                        new java.security.KeyStore.SecretKeyEntry(secretKey),
-                            .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
+                        new KeyProtection.Builder(KeyProperties.PURPOSE_DECRYPT)
-                            .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
+                                .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
-                            .setUserAuthenticationRequired(true)
+                                .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
-                            .setUserAuthenticationValidityDurationSeconds(30)
+                                .setUserAuthenticationRequired(true)
-                            .build());
+                                .setUserAuthenticationValidityDurationSeconds(30)
-
+                                .build());
-            // Key imported, obtain a reference to it.
+                // Key imported, obtain a reference to it.
-            SecretKey keyStoreEncryptionKey = (SecretKey) keyStore.getKey(
+                SecretKey keyStoreEncryptionKey = (SecretKey) keyStore.getKey(
-                    LockPatternUtils.PROFILE_KEY_NAME_ENCRYPT + userId, null);
+                        LockPatternUtils.PROFILE_KEY_NAME_ENCRYPT + userId, null);
-            // The original key can now be discarded.
+                Cipher cipher = Cipher.getInstance(
-
+                        KeyProperties.KEY_ALGORITHM_AES + "/" + KeyProperties.BLOCK_MODE_GCM + "/"
-            Cipher cipher = Cipher.getInstance(
+                                + KeyProperties.ENCRYPTION_PADDING_NONE);
-                    KeyProperties.KEY_ALGORITHM_AES + "/" + KeyProperties.BLOCK_MODE_GCM + "/"
+                cipher.init(Cipher.ENCRYPT_MODE, keyStoreEncryptionKey);
-                            + KeyProperties.ENCRYPTION_PADDING_NONE);
+                encryptionResult = cipher.doFinal(randomLockSeed);
-            cipher.init(Cipher.ENCRYPT_MODE, keyStoreEncryptionKey);
+                iv = cipher.getIV();
-            encryptionResult = cipher.doFinal(randomLockSeed);
+            } finally {
-            iv = cipher.getIV();
+                // The original key can now be discarded.
                keyStore.deleteEntry(LockPatternUtils.PROFILE_KEY_NAME_ENCRYPT + userId);
            }
        } catch (CertificateException | UnrecoverableKeyException
                | IOException | BadPaddingException | IllegalBlockSizeException | KeyStoreException
                | NoSuchPaddingException | NoSuchAlgorithmException | InvalidKeyException e) {