Android/frameworks_base
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge "Use Builder instead for KeyChainProtectionParams." into pi-dev

Browse Source
This commit is contained in:
Dmitry Dementyev
2018-03-26 23:07:23 +00:00
committed by Android (Google) Code Review
parent 22d10bc586 16d9db57f5
commit 5b4a0d6751
5 changed files with 43 additions and 119 deletions
Download Patch File Download Diff File Expand all files Collapse all files

18
core/java/android/security/keystore/recovery/KeyChainProtectionParams.java
View File

@@ -94,21 +94,6 @@ public final class KeyChainProtectionParams implements Parcelable {
private KeyDerivationParams mKeyDerivationParams;
private byte[] mSecret; // Derived from user secret. The field must have limited visibility.
/**
* @param secret Constructor creates a reference to the secret. Caller must use
* @link {#clearSecret} to overwrite its value in memory.
* @hide
*/
public KeyChainProtectionParams(@UserSecretType int userSecretType,
@LockScreenUiFormat int lockScreenUiFormat,
@NonNull KeyDerivationParams keyDerivationParams,
@NonNull byte[] secret) {
mUserSecretType = userSecretType;
mLockScreenUiFormat = lockScreenUiFormat;
mKeyDerivationParams = Preconditions.checkNotNull(keyDerivationParams);
mSecret = Preconditions.checkNotNull(secret);
}
private KeyChainProtectionParams() {
}
@@ -158,6 +143,7 @@ public final class KeyChainProtectionParams implements Parcelable {
/**
* Sets user secret type.
* Default value is {@link TYPE_LOCKSCREEN}.
*
* @see TYPE_LOCKSCREEN
* @param userSecretType The secret type
@@ -185,7 +171,7 @@ public final class KeyChainProtectionParams implements Parcelable {
/**
* Sets parameters of the key derivation function.
*
* @param keyDerivationParams Key derivation Params
* @param keyDerivationParams Key derivation parameters
* @return This builder.
*/
public Builder setKeyDerivationParams(@NonNull KeyDerivationParams

8
core/java/android/security/keystore/recovery/KeyChainSnapshot.java
View File

@@ -252,12 +252,12 @@ public final class KeyChainSnapshot implements Parcelable {
/**
* Sets UI and key derivation parameters
*
* @param recoveryMetadata The UI and key derivation parameters
* @param keyChainProtectionParams The UI and key derivation parameters
* @return This builder.
*/
public Builder setKeyChainProtectionParams(
@NonNull List<KeyChainProtectionParams> recoveryMetadata) {
mInstance.mKeyChainProtectionParams = recoveryMetadata;
@NonNull List<KeyChainProtectionParams> keyChainProtectionParams) {
mInstance.mKeyChainProtectionParams = keyChainProtectionParams;
return this;
}
@@ -292,7 +292,7 @@ public final class KeyChainSnapshot implements Parcelable {
*/
@NonNull public KeyChainSnapshot build() {
Preconditions.checkCollectionElementsNotNull(mInstance.mKeyChainProtectionParams,
"recoveryMetadata");
"keyChainProtectionParams");
Preconditions.checkCollectionElementsNotNull(mInstance.mEntryRecoveryData,
"entryRecoveryData");
Preconditions.checkNotNull(mInstance.mEncryptedRecoveryKeyBlob);

2
core/java/android/security/keystore/recovery/RecoveryController.java
View File

@@ -159,7 +159,7 @@ public class RecoveryController {
* Gets a new instance of the class.
*/
@RequiresPermission(android.Manifest.permission.RECOVER_KEYSTORE)
public static RecoveryController getInstance(Context context) {
@NonNull public static RecoveryController getInstance(@NonNull Context context) {
ILockSettings lockSettings =
ILockSettings.Stub.asInterface(ServiceManager.getService("lock_settings"));
return new RecoveryController(lockSettings, KeyStore.getInstance());

108
services/tests/servicestests/src/com/android/server/locksettings/recoverablekeystore/RecoverableKeyStoreManagerTest.java
View File

@@ -144,6 +144,13 @@ public class RecoverableKeyStoreManagerTest {
private static final String ANDROID_KEY_STORE_PROVIDER = "AndroidKeyStore";
private static final String WRAPPING_KEY_ALIAS = "RecoverableKeyStoreManagerTest/WrappingKey";
private static final String TEST_ROOT_CERT_ALIAS = "";
private static final KeyChainProtectionParams TEST_PROTECTION_PARAMS =
new KeyChainProtectionParams.Builder()
.setUserSecretType(TYPE_LOCKSCREEN)
.setLockScreenUiFormat(UI_FORMAT_PASSWORD)
.setKeyDerivationParams(KeyDerivationParams.createSha256Params(TEST_SALT))
.setSecret(TEST_SECRET)
.build();
@Mock private Context mMockContext;
@Mock private RecoverySnapshotListenersStorage mMockListenersStorage;
@@ -459,12 +466,7 @@ public class RecoverableKeyStoreManagerTest {
TEST_PUBLIC_KEY,
TEST_VAULT_PARAMS,
TEST_VAULT_CHALLENGE,
ImmutableList.of(
new KeyChainProtectionParams(
TYPE_LOCKSCREEN,
UI_FORMAT_PASSWORD,
KeyDerivationParams.createSha256Params(TEST_SALT),
TEST_SECRET)));
ImmutableList.of(TEST_PROTECTION_PARAMS));
verify(mMockContext, times(1))
.enforceCallingOrSelfPermission(
@@ -481,12 +483,7 @@ public class RecoverableKeyStoreManagerTest {
RecoveryCertPath.createRecoveryCertPath(TestData.CERT_PATH_1),
TEST_VAULT_PARAMS,
TEST_VAULT_CHALLENGE,
ImmutableList.of(
new KeyChainProtectionParams(
TYPE_LOCKSCREEN,
UI_FORMAT_PASSWORD,
KeyDerivationParams.createSha256Params(TEST_SALT),
TEST_SECRET)));
ImmutableList.of(TEST_PROTECTION_PARAMS));
assertEquals(1, mRecoverySessionStorage.size());
RecoverySessionStorage.Entry entry =
@@ -503,12 +500,7 @@ public class RecoverableKeyStoreManagerTest {
RecoveryCertPath.createRecoveryCertPath(TestData.CERT_PATH_1),
TEST_VAULT_PARAMS,
TEST_VAULT_CHALLENGE,
ImmutableList.of(
new KeyChainProtectionParams(
TYPE_LOCKSCREEN,
UI_FORMAT_PASSWORD,
KeyDerivationParams.createSha256Params(TEST_SALT),
TEST_SECRET)));
ImmutableList.of(TEST_PROTECTION_PARAMS));
verify(mMockContext, times(2))
.enforceCallingOrSelfPermission(
@@ -522,12 +514,7 @@ public class RecoverableKeyStoreManagerTest {
TEST_PUBLIC_KEY,
TEST_VAULT_PARAMS,
TEST_VAULT_CHALLENGE,
ImmutableList.of(
new KeyChainProtectionParams(
TYPE_LOCKSCREEN,
UI_FORMAT_PASSWORD,
KeyDerivationParams.createSha256Params(TEST_SALT),
TEST_SECRET)));
ImmutableList.of(TEST_PROTECTION_PARAMS));
assertEquals(1, mRecoverySessionStorage.size());
RecoverySessionStorage.Entry entry =
@@ -543,12 +530,7 @@ public class RecoverableKeyStoreManagerTest {
TEST_PUBLIC_KEY,
TEST_VAULT_PARAMS,
TEST_VAULT_CHALLENGE,
ImmutableList.of(
new KeyChainProtectionParams(
TYPE_LOCKSCREEN,
UI_FORMAT_PASSWORD,
KeyDerivationParams.createSha256Params(TEST_SALT),
TEST_SECRET)));
ImmutableList.of(TEST_PROTECTION_PARAMS));
mRecoverableKeyStoreManager.closeSession(TEST_SESSION_ID);
@@ -562,12 +544,7 @@ public class RecoverableKeyStoreManagerTest {
TEST_PUBLIC_KEY,
TEST_VAULT_PARAMS,
TEST_VAULT_CHALLENGE,
ImmutableList.of(
new KeyChainProtectionParams(
TYPE_LOCKSCREEN,
UI_FORMAT_PASSWORD,
KeyDerivationParams.createSha256Params(TEST_SALT),
TEST_SECRET)));
ImmutableList.of(TEST_PROTECTION_PARAMS));
mRecoverableKeyStoreManager.closeSession("some random session");
@@ -604,18 +581,14 @@ public class RecoverableKeyStoreManagerTest {
public void startRecoverySession_throwsIfPublicKeysMismatch() throws Exception {
byte[] vaultParams = TEST_VAULT_PARAMS.clone();
vaultParams[1] ^= (byte) 1; // Flip 1 bit
try {
mRecoverableKeyStoreManager.startRecoverySession(
TEST_SESSION_ID,
TEST_PUBLIC_KEY,
vaultParams,
TEST_VAULT_CHALLENGE,
ImmutableList.of(
new KeyChainProtectionParams(
TYPE_LOCKSCREEN,
UI_FORMAT_PASSWORD,
KeyDerivationParams.createSha256Params(TEST_SALT),
TEST_SECRET)));
ImmutableList.of(TEST_PROTECTION_PARAMS));
fail("should have thrown");
} catch (ServiceSpecificException e) {
assertThat(e.getMessage()).contains("do not match");
@@ -650,12 +623,7 @@ public class RecoverableKeyStoreManagerTest {
RecoveryCertPath.createRecoveryCertPath(TestData.CERT_PATH_1),
vaultParams,
TEST_VAULT_CHALLENGE,
ImmutableList.of(
new KeyChainProtectionParams(
TYPE_LOCKSCREEN,
UI_FORMAT_PASSWORD,
KeyDerivationParams.createSha256Params(TEST_SALT),
TEST_SECRET)));
ImmutableList.of(TEST_PROTECTION_PARAMS));
fail("should have thrown");
} catch (ServiceSpecificException e) {
assertThat(e.getMessage()).contains("do not match");
@@ -673,12 +641,7 @@ public class RecoverableKeyStoreManagerTest {
RecoveryCertPath.createRecoveryCertPath(emptyCertPath),
TEST_VAULT_PARAMS,
TEST_VAULT_CHALLENGE,
ImmutableList.of(
new KeyChainProtectionParams(
TYPE_LOCKSCREEN,
UI_FORMAT_PASSWORD,
KeyDerivationParams.createSha256Params(TEST_SALT),
TEST_SECRET)));
ImmutableList.of(TEST_PROTECTION_PARAMS));
fail("should have thrown");
} catch (ServiceSpecificException e) {
assertThat(e.getMessage()).contains("empty");
@@ -698,12 +661,7 @@ public class RecoverableKeyStoreManagerTest {
RecoveryCertPath.createRecoveryCertPath(shortCertPath),
TEST_VAULT_PARAMS,
TEST_VAULT_CHALLENGE,
ImmutableList.of(
new KeyChainProtectionParams(
TYPE_LOCKSCREEN,
UI_FORMAT_PASSWORD,
KeyDerivationParams.createSha256Params(TEST_SALT),
TEST_SECRET)));
ImmutableList.of(TEST_PROTECTION_PARAMS));
fail("should have thrown");
} catch (ServiceSpecificException e) {
// expected
@@ -734,11 +692,7 @@ public class RecoverableKeyStoreManagerTest {
TEST_PUBLIC_KEY,
TEST_VAULT_PARAMS,
TEST_VAULT_CHALLENGE,
ImmutableList.of(new KeyChainProtectionParams(
TYPE_LOCKSCREEN,
UI_FORMAT_PASSWORD,
KeyDerivationParams.createSha256Params(TEST_SALT),
TEST_SECRET)));
ImmutableList.of(TEST_PROTECTION_PARAMS));
try {
mRecoverableKeyStoreManager.recoverKeyChainSnapshot(
@@ -758,11 +712,7 @@ public class RecoverableKeyStoreManagerTest {
TEST_PUBLIC_KEY,
TEST_VAULT_PARAMS,
TEST_VAULT_CHALLENGE,
ImmutableList.of(new KeyChainProtectionParams(
TYPE_LOCKSCREEN,
UI_FORMAT_PASSWORD,
KeyDerivationParams.createSha256Params(TEST_SALT),
TEST_SECRET)));
ImmutableList.of(TEST_PROTECTION_PARAMS));
byte[] keyClaimant = mRecoverySessionStorage.get(Binder.getCallingUid(), TEST_SESSION_ID)
.getKeyClaimant();
SecretKey recoveryKey = randomRecoveryKey();
@@ -792,11 +742,7 @@ public class RecoverableKeyStoreManagerTest {
TEST_PUBLIC_KEY,
TEST_VAULT_PARAMS,
TEST_VAULT_CHALLENGE,
ImmutableList.of(new KeyChainProtectionParams(
TYPE_LOCKSCREEN,
UI_FORMAT_PASSWORD,
KeyDerivationParams.createSha256Params(TEST_SALT),
TEST_SECRET)));
ImmutableList.of(TEST_PROTECTION_PARAMS));
byte[] keyClaimant = mRecoverySessionStorage.get(Binder.getCallingUid(), TEST_SESSION_ID)
.getKeyClaimant();
SecretKey recoveryKey = randomRecoveryKey();
@@ -816,11 +762,7 @@ public class RecoverableKeyStoreManagerTest {
TEST_PUBLIC_KEY,
TEST_VAULT_PARAMS,
TEST_VAULT_CHALLENGE,
ImmutableList.of(new KeyChainProtectionParams(
TYPE_LOCKSCREEN,
UI_FORMAT_PASSWORD,
KeyDerivationParams.createSha256Params(TEST_SALT),
TEST_SECRET)));
ImmutableList.of(TEST_PROTECTION_PARAMS));
byte[] keyClaimant = mRecoverySessionStorage.get(Binder.getCallingUid(), TEST_SESSION_ID)
.getKeyClaimant();
SecretKey recoveryKey = randomRecoveryKey();
@@ -850,11 +792,7 @@ public class RecoverableKeyStoreManagerTest {
TEST_PUBLIC_KEY,
TEST_VAULT_PARAMS,
TEST_VAULT_CHALLENGE,
ImmutableList.of(new KeyChainProtectionParams(
TYPE_LOCKSCREEN,
UI_FORMAT_PASSWORD,
KeyDerivationParams.createSha256Params(TEST_SALT),
TEST_SECRET)));
ImmutableList.of(TEST_PROTECTION_PARAMS));
byte[] keyClaimant = mRecoverySessionStorage.get(Binder.getCallingUid(), TEST_SESSION_ID)
.getKeyClaimant();
SecretKey recoveryKey = randomRecoveryKey();

26
services/tests/servicestests/src/com/android/server/locksettings/recoverablekeystore/storage/RecoverySnapshotStorageTest.java
View File

@@ -15,6 +15,15 @@ import java.util.ArrayList;
@SmallTest
@RunWith(AndroidJUnit4.class)
public class RecoverySnapshotStorageTest {
private static final KeyChainSnapshot MINIMAL_KEYCHAIN_SNAPSHOT = new KeyChainSnapshot.Builder()
.setCounterId(1)
.setSnapshotVersion(1)
.setServerParams(new byte[0])
.setMaxAttempts(10)
.setEncryptedRecoveryKeyBlob(new byte[0])
.setKeyChainProtectionParams(new ArrayList<>())
.setWrappedApplicationKeys(new ArrayList<>())
.build();
private final RecoverySnapshotStorage mRecoverySnapshotStorage = new RecoverySnapshotStorage();
@@ -26,26 +35,17 @@ public class RecoverySnapshotStorageTest {
@Test
public void get_returnsSetSnapshot() {
int userId = 1000;
KeyChainSnapshot keyChainSnapshot = new KeyChainSnapshot(
/*snapshotVersion=*/ 1,
new ArrayList<>(),
new ArrayList<>(),
new byte[0]);
mRecoverySnapshotStorage.put(userId, keyChainSnapshot);
assertEquals(keyChainSnapshot, mRecoverySnapshotStorage.get(userId));
mRecoverySnapshotStorage.put(userId, MINIMAL_KEYCHAIN_SNAPSHOT);
assertEquals(MINIMAL_KEYCHAIN_SNAPSHOT, mRecoverySnapshotStorage.get(userId));
}
@Test
public void remove_removesSnapshots() {
int userId = 1000;
KeyChainSnapshot keyChainSnapshot = new KeyChainSnapshot(
/*snapshotVersion=*/ 1,
new ArrayList<>(),
new ArrayList<>(),
new byte[0]);
mRecoverySnapshotStorage.put(userId, keyChainSnapshot);
mRecoverySnapshotStorage.put(userId, MINIMAL_KEYCHAIN_SNAPSHOT);
mRecoverySnapshotStorage.remove(userId);
assertNull(mRecoverySnapshotStorage.get(1000));