Merge "Split key origin into TEE/not and generated/imported."

2015-04-09 23:34:44 +00:00
parent da164973f3 b503c52f07
commit c6eb62882b
3 changed files with 29 additions and 15 deletions
--- a/keystore/java/android/security/KeyStoreKeyCharacteristics.java
+++ b/keystore/java/android/security/KeyStoreKeyCharacteristics.java
@@ -31,7 +31,7 @@ public abstract class KeyStoreKeyCharacteristics {
    private KeyStoreKeyCharacteristics() {}

    @Retention(RetentionPolicy.SOURCE)
-    @IntDef({Origin.GENERATED_INSIDE_TEE, Origin.GENERATED_OUTSIDE_OF_TEE, Origin.IMPORTED})
+    @IntDef({Origin.GENERATED, Origin.IMPORTED})
    public @interface OriginEnum {}

    /**
@@ -40,14 +40,11 @@ public abstract class KeyStoreKeyCharacteristics {
    public static abstract class Origin {
        private Origin() {}

-        /** Key was generated inside a TEE. */
-        public static final int GENERATED_INSIDE_TEE = 1;
+        /** Key was generated inside AndroidKeyStore. */
+        public static final int GENERATED = 1 << 0;

-        /** Key was generated outside of a TEE. */
-        public static final int GENERATED_OUTSIDE_OF_TEE = 2;
-
-        /** Key was imported. */
-        public static final int IMPORTED = 0;
+        /** Key was imported into AndroidKeyStore. */
+        public static final int IMPORTED = 1 << 1;

        /**
         * @hide
@@ -55,9 +52,7 @@ public abstract class KeyStoreKeyCharacteristics {
        public static @OriginEnum int fromKeymaster(int origin) {
            switch (origin) {
                case KeymasterDefs.KM_ORIGIN_HARDWARE:
-                    return GENERATED_INSIDE_TEE;
-                case KeymasterDefs.KM_ORIGIN_SOFTWARE:
-                    return GENERATED_OUTSIDE_OF_TEE;
+                    return GENERATED;
                case KeymasterDefs.KM_ORIGIN_IMPORTED:
                    return IMPORTED;
                default:
--- a/keystore/java/android/security/KeyStoreKeySpec.java
+++ b/keystore/java/android/security/KeyStoreKeySpec.java
@@ -28,6 +28,7 @@ import java.util.Date;
 public class KeyStoreKeySpec implements KeySpec {
    private final String mKeystoreAlias;
    private final int mKeySize;
+    private final boolean mTeeBacked;
    private final @KeyStoreKeyCharacteristics.OriginEnum int mOrigin;
    private final Date mKeyValidityStart;
    private final Date mKeyValidityForOriginationEnd;
@@ -46,6 +47,7 @@ public class KeyStoreKeySpec implements KeySpec {
     * @hide
     */
    KeyStoreKeySpec(String keystoreKeyAlias,
+            boolean teeBacked,
            @KeyStoreKeyCharacteristics.OriginEnum int origin,
            int keySize,
            Date keyValidityStart,
@@ -60,6 +62,7 @@ public class KeyStoreKeySpec implements KeySpec {
            @KeyStoreKeyConstraints.UserAuthenticatorEnum int teeEnforcedUserAuthenticators,
            int userAuthenticationValidityDurationSeconds) {
        mKeystoreAlias = keystoreKeyAlias;
+        mTeeBacked = teeBacked;
        mOrigin = origin;
        mKeySize = keySize;
        mKeyValidityStart = keyValidityStart;
@@ -82,6 +85,14 @@ public class KeyStoreKeySpec implements KeySpec {
        return mKeystoreAlias;
    }

+    /**
+     * Returns {@code true} if the key is TEE-backed. Key material of TEE-backed keys is available
+     * in plaintext only inside the TEE.
+     */
+    public boolean isTeeBacked() {
+        return mTeeBacked;
+    }
+
    /**
     * Gets the origin of the key.
     */
--- a/keystore/java/android/security/KeyStoreSecretKeyFactorySpi.java
+++ b/keystore/java/android/security/KeyStoreSecretKeyFactorySpi.java
@@ -70,7 +70,8 @@ public class KeyStoreSecretKeyFactorySpi extends SecretKeyFactorySpi {
                    + " Keystore error: " + errorCode);
        }

-        @KeyStoreKeyCharacteristics.OriginEnum Integer origin;
+        boolean teeBacked;
+        @KeyStoreKeyCharacteristics.OriginEnum int origin;
        int keySize;
        @KeyStoreKeyConstraints.PurposeEnum int purposes;
        @KeyStoreKeyConstraints.AlgorithmEnum int algorithm;
@@ -80,11 +81,17 @@ public class KeyStoreSecretKeyFactorySpi extends SecretKeyFactorySpi {
        @KeyStoreKeyConstraints.UserAuthenticatorEnum int userAuthenticators;
        @KeyStoreKeyConstraints.UserAuthenticatorEnum int teeEnforcedUserAuthenticators;
        try {
-            origin = KeymasterUtils.getInt(keyCharacteristics, KeymasterDefs.KM_TAG_ORIGIN);
-            if (origin == null) {
+            if (keyCharacteristics.hwEnforced.containsTag(KeymasterDefs.KM_TAG_ORIGIN)) {
+                teeBacked = true;
+                origin = KeyStoreKeyCharacteristics.Origin.fromKeymaster(
+                        keyCharacteristics.hwEnforced.getInt(KeymasterDefs.KM_TAG_ORIGIN, -1));
+            } else if (keyCharacteristics.swEnforced.containsTag(KeymasterDefs.KM_TAG_ORIGIN)) {
+                teeBacked = false;
+                origin = KeyStoreKeyCharacteristics.Origin.fromKeymaster(
+                        keyCharacteristics.swEnforced.getInt(KeymasterDefs.KM_TAG_ORIGIN, -1));
+            } else {
                throw new InvalidKeySpecException("Key origin not available");
            }
-            origin = KeyStoreKeyCharacteristics.Origin.fromKeymaster(origin);
            Integer keySizeInteger =
                    KeymasterUtils.getInt(keyCharacteristics, KeymasterDefs.KM_TAG_KEY_SIZE);
            if (keySizeInteger == null) {
@@ -144,6 +151,7 @@ public class KeyStoreSecretKeyFactorySpi extends SecretKeyFactorySpi {
                KeymasterUtils.getInt(keyCharacteristics, KeymasterDefs.KM_TAG_AUTH_TIMEOUT);

        return new KeyStoreKeySpec(entryAlias,
+                teeBacked,
                origin,
                keySize,
                keyValidityStart,