Merge "Track changes to the keystore binder API" into mnc-dev

Shawn Willden
2015-06-03 05:21:52 +00:00
committed by Android (Google) Code Review
6 changed files with 15 additions and 19 deletions


@@ -65,7 +65,7 @@ interface IKeystoreService {
ExportResult exportKey(String alias, int format, in KeymasterBlob clientId,
in KeymasterBlob appId);
OperationResult begin(IBinder appToken, String alias, int purpose, boolean pruneable,
in KeymasterArguments params, in byte[] entropy, out KeymasterArguments operationParams);
in KeymasterArguments params, in byte[] entropy);
OperationResult update(IBinder token, in KeymasterArguments params, in byte[] input);
OperationResult finish(IBinder token, in KeymasterArguments params, in byte[] signature);
int abort(IBinder handle);


@@ -31,6 +31,7 @@ public class OperationResult implements Parcelable {
public final long operationHandle;
public final int inputConsumed;
public final byte[] output;
public final KeymasterArguments outParams;
public static final Parcelable.Creator<OperationResult> CREATOR = new
Parcelable.Creator<OperationResult>() {
@@ -49,6 +50,7 @@ public class OperationResult implements Parcelable {
operationHandle = in.readLong();
inputConsumed = in.readInt();
output = in.createByteArray();
outParams = KeymasterArguments.CREATOR.createFromParcel(in);
}
@Override
@@ -63,5 +65,6 @@ public class OperationResult implements Parcelable {
out.writeLong(operationHandle);
out.writeInt(inputConsumed);
out.writeByteArray(output);
outParams.writeToParcel(out, flags);
}
}
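Review bot: The parcel layout now always carries a `KeymasterArguments` after `output`, because the constructor reads it unconditionally with `KeymasterArguments.CREATOR.createFromParcel(in)` and `writeToParcel` dereferences `outParams` without a guard; both methods start outside these hunks. Every writer of an OperationResult therefore has to emit that field, including replies to `update`, `finish` and a failed `begin`, or reader and writer disagree on the layout; the keystore-side writer is not on this page, so that is worth confirming. A null `outParams` would throw in `writeToParcel`, and AndroidKeyStoreCipherSpiBase now passes `opResult.outParams` straight to `loadAlgorithmSpecificParametersFromBeginResult`. I would document the invariant on the field, e.g. `// Always present on the wire, after output; may be empty but never null.`, and enforce it wherever the object is constructed.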


@@ -496,9 +496,9 @@ public class KeyStore {
}
public OperationResult begin(String alias, int purpose, boolean pruneable,
KeymasterArguments args, byte[] entropy, KeymasterArguments outArgs) {
KeymasterArguments args, byte[] entropy) {
try {
return mBinder.begin(getToken(), alias, purpose, pruneable, args, entropy, outArgs);
return mBinder.begin(getToken(), alias, purpose, pruneable, args, entropy);
} catch (RemoteException e) {
Log.w(TAG, "Cannot connect to keystore", e);
return null;
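Review bot: `begin` has no Javadoc in the visible lines, and after this change callers need two facts the signature does not state: the output parameters now arrive in `OperationResult.outParams`, and the method returns `null` when the binder call throws `RemoteException`. A short Javadoc covering both, e.g. `@return the operation result, with the parameters returned by begin in outParams, or null if keystore cannot be reached`, would help callers avoid dereferencing the result unchecked, as the KeyStoreTest hunks do with `result.token`. The method body ends outside the hunk.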


@@ -216,8 +216,7 @@ abstract class AndroidKeyStoreCipherSpiBase extends CipherSpi implements KeyStor
mEncrypting ? KeymasterDefs.KM_PURPOSE_ENCRYPT : KeymasterDefs.KM_PURPOSE_DECRYPT,
true, // permit aborting this operation if keystore runs out of resources
keymasterInputArgs,
additionalEntropy,
keymasterOutputArgs);
additionalEntropy);
if (opResult == null) {
throw new KeyStoreConnectException();
}
@@ -247,7 +246,7 @@ abstract class AndroidKeyStoreCipherSpiBase extends CipherSpi implements KeyStor
throw new ProviderException("Keystore returned invalid operation handle");
}
loadAlgorithmSpecificParametersFromBeginResult(keymasterOutputArgs);
loadAlgorithmSpecificParametersFromBeginResult(opResult.outParams);
mMainDataStreamer = new KeyStoreCryptoOperationChunkedStreamer(
new KeyStoreCryptoOperationChunkedStreamer.MainDataStream(
mKeyStore, opResult.token));
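Review bot: The `keymasterOutputArgs` local is no longer read once `begin` stops taking it and the parameters are loaded from `opResult.outParams`, yet neither hunk here removes its declaration, which lies outside the visible lines. AndroidKeyStoreHmacSpi looks the same: going by that hunk's 14-to-13 line count, `KeymasterArguments keymasterOutputArgs = new KeymasterArguments();` ahead of the `mKeyStore.begin(` call appears to be kept as context. If so, both declarations are dead and should be deleted, so that nobody later reads an always-empty object in place of `opResult.outParams`. The enclosing method starts and ends outside these hunks.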


@@ -163,14 +163,13 @@ public abstract class AndroidKeyStoreHmacSpi extends MacSpi implements KeyStoreC
keymasterArgs.addInt(KeymasterDefs.KM_TAG_DIGEST, mKeymasterDigest);
keymasterArgs.addInt(KeymasterDefs.KM_TAG_MAC_LENGTH, mMacSizeBits);
KeymasterArguments keymasterOutputArgs = new KeymasterArguments();
OperationResult opResult = mKeyStore.begin(
mKey.getAlias(),
KeymasterDefs.KM_PURPOSE_SIGN,
true,
keymasterArgs,
null, // no additional entropy needed for HMAC because it's deterministic
keymasterOutputArgs);
null); // no additional entropy needed for HMAC because it's deterministic
if (opResult == null) {
throw new KeyStoreConnectException();
}


@@ -814,13 +814,12 @@ public class KeyStoreTest extends ActivityUnitTestCase<Activity> {
int rc = mKeyStore.generateKey(name, args, null, 0, outCharacteristics);
assertEquals("Generate should succeed", KeyStore.NO_ERROR, rc);
KeymasterArguments out = new KeymasterArguments();
args = new KeymasterArguments();
args.addInt(KeymasterDefs.KM_TAG_ALGORITHM, KeymasterDefs.KM_ALGORITHM_AES);
args.addInt(KeymasterDefs.KM_TAG_BLOCK_MODE, KeymasterDefs.KM_MODE_GCM);
args.addInt(KeymasterDefs.KM_TAG_PADDING, KeymasterDefs.KM_PAD_NONE);
OperationResult result = mKeyStore.begin(name, KeymasterDefs.KM_PURPOSE_ENCRYPT,
true, args, null, out);
true, args, null);
IBinder token = result.token;
assertEquals("Begin should succeed", KeyStore.NO_ERROR, result.resultCode);
result = mKeyStore.update(token, null, new byte[] {0x01, 0x02, 0x03, 0x04});
@@ -849,9 +848,8 @@ public class KeyStoreTest extends ActivityUnitTestCase<Activity> {
new KeyCharacteristics());
}
private byte[] doOperation(String name, int purpose, byte[] in, KeymasterArguments beginArgs) {
KeymasterArguments out = new KeymasterArguments();
OperationResult result = mKeyStore.begin(name, purpose,
true, beginArgs, null, out);
true, beginArgs, null);
assertEquals("Begin should succeed", KeyStore.NO_ERROR, result.resultCode);
IBinder token = result.token;
result = mKeyStore.update(token, null, in);
@@ -916,19 +914,17 @@ public class KeyStoreTest extends ActivityUnitTestCase<Activity> {
int rc = mKeyStore.generateKey(name, args, null, 0, outCharacteristics);
assertEquals("Generate should succeed", KeyStore.NO_ERROR, rc);
KeymasterArguments out = new KeymasterArguments();
args = new KeymasterArguments();
args.addInt(KeymasterDefs.KM_TAG_ALGORITHM, KeymasterDefs.KM_ALGORITHM_AES);
args.addInt(KeymasterDefs.KM_TAG_BLOCK_MODE, KeymasterDefs.KM_MODE_CTR);
args.addInt(KeymasterDefs.KM_TAG_PADDING, KeymasterDefs.KM_PAD_NONE);
OperationResult result = mKeyStore.begin(name, KeymasterDefs.KM_PURPOSE_ENCRYPT,
true, args, null, out);
true, args, null);
assertEquals("Begin should succeed", KeyStore.NO_ERROR, result.resultCode);
IBinder first = result.token;
// Implementation detail: softkeymaster supports 16 concurrent operations
for (int i = 0; i < 16; i++) {
result = mKeyStore.begin(name, KeymasterDefs.KM_PURPOSE_ENCRYPT, true, args, null,
out);
result = mKeyStore.begin(name, KeymasterDefs.KM_PURPOSE_ENCRYPT, true, args, null);
assertEquals("Begin should succeed", KeyStore.NO_ERROR, result.resultCode);
}
// At this point the first operation should be pruned.
@@ -949,10 +945,9 @@ public class KeyStoreTest extends ActivityUnitTestCase<Activity> {
KeyCharacteristics outCharacteristics = new KeyCharacteristics();
int rc = mKeyStore.generateKey(name, args, null, 0, outCharacteristics);
KeymasterArguments out = new KeymasterArguments();
assertEquals("Generate should succeed", KeyStore.NO_ERROR, rc);
OperationResult result = mKeyStore.begin(name, KeymasterDefs.KM_PURPOSE_ENCRYPT,
true, args, null, out);
true, args, null);
assertEquals("Begin should expect authorization", KeyStore.OP_AUTH_NEEDED,
result.resultCode);
IBinder token = result.token;
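Review bot: None of the updated calls in these hunks reads `result.outParams`, so the field this commit adds to OperationResult is not exercised by the tests shown. After the successful `begin` in the AES-GCM test, an assertion such as `assertNotNull("Begin should return output params", result.outParams);` would give the new parcel field at least minimal coverage. The test methods start and end outside the hunks.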