diff --git a/api/current.txt b/api/current.txt index adad61aa89a3a..abc9e9a2b1636 100644 --- a/api/current.txt +++ b/api/current.txt @@ -34110,7 +34110,6 @@ package android.security.keystore { method public java.lang.String[] getSignaturePaddings(); method public int getUserAuthenticationValidityDurationSeconds(); method public boolean isDigestsSpecified(); - method public boolean isInvalidatedByBiometricEnrollment(); method public boolean isRandomizedEncryptionRequired(); method public boolean isUserAuthenticationRequired(); method public boolean isUserAuthenticationValidWhileOnBody(); @@ -34128,7 +34127,6 @@ package android.security.keystore { method public android.security.keystore.KeyGenParameterSpec.Builder setCertificateSubject(javax.security.auth.x500.X500Principal); method public android.security.keystore.KeyGenParameterSpec.Builder setDigests(java.lang.String...); method public android.security.keystore.KeyGenParameterSpec.Builder setEncryptionPaddings(java.lang.String...); - method public android.security.keystore.KeyGenParameterSpec.Builder setInvalidatedByBiometricEnrollment(boolean); method public android.security.keystore.KeyGenParameterSpec.Builder setKeySize(int); method public android.security.keystore.KeyGenParameterSpec.Builder setKeyValidityEnd(java.util.Date); method public android.security.keystore.KeyGenParameterSpec.Builder setKeyValidityForConsumptionEnd(java.util.Date); @@ -34155,7 +34153,6 @@ package android.security.keystore { method public java.lang.String[] getSignaturePaddings(); method public int getUserAuthenticationValidityDurationSeconds(); method public boolean isInsideSecureHardware(); - method public boolean isInvalidatedByBiometricEnrollment(); method public boolean isUserAuthenticationRequired(); method public boolean isUserAuthenticationRequirementEnforcedBySecureHardware(); method public boolean isUserAuthenticationValidWhileOnBody(); 
@@ -34219,7 +34216,6 @@ package android.security.keystore { method public java.lang.String[] getSignaturePaddings(); method public int getUserAuthenticationValidityDurationSeconds(); method public boolean isDigestsSpecified(); - method public boolean isInvalidatedByBiometricEnrollment(); method public boolean isRandomizedEncryptionRequired(); method public boolean isUserAuthenticationRequired(); method public boolean isUserAuthenticationValidWhileOnBody(); @@ -34231,7 +34227,6 @@ package android.security.keystore { method public android.security.keystore.KeyProtection.Builder setBlockModes(java.lang.String...); method public android.security.keystore.KeyProtection.Builder setDigests(java.lang.String...); method public android.security.keystore.KeyProtection.Builder setEncryptionPaddings(java.lang.String...); - method public android.security.keystore.KeyProtection.Builder setInvalidatedByBiometricEnrollment(boolean); method public android.security.keystore.KeyProtection.Builder setKeyValidityEnd(java.util.Date); method public android.security.keystore.KeyProtection.Builder setKeyValidityForConsumptionEnd(java.util.Date); method public android.security.keystore.KeyProtection.Builder setKeyValidityForOriginationEnd(java.util.Date); diff --git a/api/system-current.txt b/api/system-current.txt index 024398a8ec391..4e7157d0ff4ed 100644 --- a/api/system-current.txt +++ b/api/system-current.txt @@ -36606,7 +36606,6 @@ package android.security.keystore { method public java.lang.String[] getSignaturePaddings(); method public int getUserAuthenticationValidityDurationSeconds(); method public boolean isDigestsSpecified(); - method public boolean isInvalidatedByBiometricEnrollment(); method public boolean isRandomizedEncryptionRequired(); method public boolean isUserAuthenticationRequired(); method public boolean isUserAuthenticationValidWhileOnBody(); 
@@ -36624,7 +36623,6 @@ package android.security.keystore { method public android.security.keystore.KeyGenParameterSpec.Builder setCertificateSubject(javax.security.auth.x500.X500Principal); method public android.security.keystore.KeyGenParameterSpec.Builder setDigests(java.lang.String...); method public android.security.keystore.KeyGenParameterSpec.Builder setEncryptionPaddings(java.lang.String...); - method public android.security.keystore.KeyGenParameterSpec.Builder setInvalidatedByBiometricEnrollment(boolean); method public android.security.keystore.KeyGenParameterSpec.Builder setKeySize(int); method public android.security.keystore.KeyGenParameterSpec.Builder setKeyValidityEnd(java.util.Date); method public android.security.keystore.KeyGenParameterSpec.Builder setKeyValidityForConsumptionEnd(java.util.Date); @@ -36651,7 +36649,6 @@ package android.security.keystore { method public java.lang.String[] getSignaturePaddings(); method public int getUserAuthenticationValidityDurationSeconds(); method public boolean isInsideSecureHardware(); - method public boolean isInvalidatedByBiometricEnrollment(); method public boolean isUserAuthenticationRequired(); method public boolean isUserAuthenticationRequirementEnforcedBySecureHardware(); method public boolean isUserAuthenticationValidWhileOnBody(); @@ -36715,7 +36712,6 @@ package android.security.keystore { method public java.lang.String[] getSignaturePaddings(); method public int getUserAuthenticationValidityDurationSeconds(); method public boolean isDigestsSpecified(); - method public boolean isInvalidatedByBiometricEnrollment(); method public boolean isRandomizedEncryptionRequired(); method public boolean isUserAuthenticationRequired(); method public boolean isUserAuthenticationValidWhileOnBody(); 
@@ -36727,7 +36723,6 @@ package android.security.keystore { method public android.security.keystore.KeyProtection.Builder setBlockModes(java.lang.String...); method public android.security.keystore.KeyProtection.Builder setDigests(java.lang.String...); method public android.security.keystore.KeyProtection.Builder setEncryptionPaddings(java.lang.String...); - method public android.security.keystore.KeyProtection.Builder setInvalidatedByBiometricEnrollment(boolean); method public android.security.keystore.KeyProtection.Builder setKeyValidityEnd(java.util.Date); method public android.security.keystore.KeyProtection.Builder setKeyValidityForConsumptionEnd(java.util.Date); method public android.security.keystore.KeyProtection.Builder setKeyValidityForOriginationEnd(java.util.Date); diff --git a/api/test-current.txt b/api/test-current.txt index 8444e3217592f..3878fbf25e315 100644 --- a/api/test-current.txt +++ b/api/test-current.txt @@ -34125,7 +34125,6 @@ package android.security.keystore { method public java.lang.String[] getSignaturePaddings(); method public int getUserAuthenticationValidityDurationSeconds(); method public boolean isDigestsSpecified(); - method public boolean isInvalidatedByBiometricEnrollment(); method public boolean isRandomizedEncryptionRequired(); method public boolean isUserAuthenticationRequired(); method public boolean isUserAuthenticationValidWhileOnBody(); 
@@ -34143,7 +34142,6 @@ package android.security.keystore { method public android.security.keystore.KeyGenParameterSpec.Builder setCertificateSubject(javax.security.auth.x500.X500Principal); method public android.security.keystore.KeyGenParameterSpec.Builder setDigests(java.lang.String...); method public android.security.keystore.KeyGenParameterSpec.Builder setEncryptionPaddings(java.lang.String...); - method public android.security.keystore.KeyGenParameterSpec.Builder setInvalidatedByBiometricEnrollment(boolean); method public android.security.keystore.KeyGenParameterSpec.Builder setKeySize(int); method public android.security.keystore.KeyGenParameterSpec.Builder setKeyValidityEnd(java.util.Date); method public android.security.keystore.KeyGenParameterSpec.Builder setKeyValidityForConsumptionEnd(java.util.Date); @@ -34170,7 +34168,6 @@ package android.security.keystore { method public java.lang.String[] getSignaturePaddings(); method public int getUserAuthenticationValidityDurationSeconds(); method public boolean isInsideSecureHardware(); - method public boolean isInvalidatedByBiometricEnrollment(); method public boolean isUserAuthenticationRequired(); method public boolean isUserAuthenticationRequirementEnforcedBySecureHardware(); method public boolean isUserAuthenticationValidWhileOnBody(); @@ -34234,7 +34231,6 @@ package android.security.keystore { method public java.lang.String[] getSignaturePaddings(); method public int getUserAuthenticationValidityDurationSeconds(); method public boolean isDigestsSpecified(); - method public boolean isInvalidatedByBiometricEnrollment(); method public boolean isRandomizedEncryptionRequired(); method public boolean isUserAuthenticationRequired(); method public boolean isUserAuthenticationValidWhileOnBody(); 
@@ -34246,7 +34242,6 @@ package android.security.keystore { method public android.security.keystore.KeyProtection.Builder setBlockModes(java.lang.String...); method public android.security.keystore.KeyProtection.Builder setDigests(java.lang.String...); method public android.security.keystore.KeyProtection.Builder setEncryptionPaddings(java.lang.String...); - method public android.security.keystore.KeyProtection.Builder setInvalidatedByBiometricEnrollment(boolean); method public android.security.keystore.KeyProtection.Builder setKeyValidityEnd(java.util.Date); method public android.security.keystore.KeyProtection.Builder setKeyValidityForConsumptionEnd(java.util.Date); method public android.security.keystore.KeyProtection.Builder setKeyValidityForOriginationEnd(java.util.Date); diff --git a/keystore/java/android/security/keystore/AndroidKeyStoreKeyGeneratorSpi.java b/keystore/java/android/security/keystore/AndroidKeyStoreKeyGeneratorSpi.java index b234d0f81a894..1321a833acadf 100644 --- a/keystore/java/android/security/keystore/AndroidKeyStoreKeyGeneratorSpi.java +++ b/keystore/java/android/security/keystore/AndroidKeyStoreKeyGeneratorSpi.java @@ -234,8 +234,7 @@ public abstract class AndroidKeyStoreKeyGeneratorSpi extends KeyGeneratorSpi { KeymasterUtils.addUserAuthArgs(new KeymasterArguments(), spec.isUserAuthenticationRequired(), spec.getUserAuthenticationValidityDurationSeconds(), - spec.isUserAuthenticationValidWhileOnBody(), - spec.isInvalidatedByBiometricEnrollment()); + spec.isUserAuthenticationValidWhileOnBody()); } catch (IllegalStateException | IllegalArgumentException e) { throw new InvalidAlgorithmParameterException(e); } 
@@ -274,8 +273,7 @@ public abstract class AndroidKeyStoreKeyGeneratorSpi extends KeyGeneratorSpi { KeymasterUtils.addUserAuthArgs(args, spec.isUserAuthenticationRequired(), spec.getUserAuthenticationValidityDurationSeconds(), - spec.isUserAuthenticationValidWhileOnBody(), - spec.isInvalidatedByBiometricEnrollment()); + spec.isUserAuthenticationValidWhileOnBody()); KeymasterUtils.addMinMacLengthAuthorizationIfNecessary( args, mKeymasterAlgorithm, diff --git a/keystore/java/android/security/keystore/AndroidKeyStoreKeyPairGeneratorSpi.java b/keystore/java/android/security/keystore/AndroidKeyStoreKeyPairGeneratorSpi.java index 1818f52c4fda8..830402a6a383a 100644 --- a/keystore/java/android/security/keystore/AndroidKeyStoreKeyPairGeneratorSpi.java +++ b/keystore/java/android/security/keystore/AndroidKeyStoreKeyPairGeneratorSpi.java @@ -345,8 +345,7 @@ public abstract class AndroidKeyStoreKeyPairGeneratorSpi extends KeyPairGenerato KeymasterUtils.addUserAuthArgs(new KeymasterArguments(), mSpec.isUserAuthenticationRequired(), mSpec.getUserAuthenticationValidityDurationSeconds(), - mSpec.isUserAuthenticationValidWhileOnBody(), - mSpec.isInvalidatedByBiometricEnrollment()); + mSpec.isUserAuthenticationValidWhileOnBody()); } catch (IllegalArgumentException | IllegalStateException e) { throw new InvalidAlgorithmParameterException(e); } @@ -532,8 +531,7 @@ public abstract class AndroidKeyStoreKeyPairGeneratorSpi extends KeyPairGenerato KeymasterUtils.addUserAuthArgs(args, mSpec.isUserAuthenticationRequired(), mSpec.getUserAuthenticationValidityDurationSeconds(), - mSpec.isUserAuthenticationValidWhileOnBody(), - mSpec.isInvalidatedByBiometricEnrollment()); + mSpec.isUserAuthenticationValidWhileOnBody()); args.addDateIfNotNull(KeymasterDefs.KM_TAG_ACTIVE_DATETIME, mSpec.getKeyValidityStart()); args.addDateIfNotNull(KeymasterDefs.KM_TAG_ORIGINATION_EXPIRE_DATETIME, mSpec.getKeyValidityForOriginationEnd()); 
diff --git a/keystore/java/android/security/keystore/AndroidKeyStoreSecretKeyFactorySpi.java b/keystore/java/android/security/keystore/AndroidKeyStoreSecretKeyFactorySpi.java index 40298adc2eb21..5f5f2c2441162 100644 --- a/keystore/java/android/security/keystore/AndroidKeyStoreSecretKeyFactorySpi.java +++ b/keystore/java/android/security/keystore/AndroidKeyStoreSecretKeyFactorySpi.java @@ -17,12 +17,10 @@ package android.security.keystore; import android.security.Credentials; -import android.security.GateKeeper; import android.security.KeyStore; import android.security.keymaster.KeyCharacteristics; import android.security.keymaster.KeymasterDefs; -import java.math.BigInteger; import java.security.InvalidKeyException; import java.security.ProviderException; import java.security.spec.InvalidKeySpecException; @@ -172,16 +170,6 @@ public class AndroidKeyStoreSecretKeyFactorySpi extends SecretKeyFactorySpi { boolean userAuthenticationValidWhileOnBody = keyCharacteristics.hwEnforced.getBoolean(KeymasterDefs.KM_TAG_ALLOW_WHILE_ON_BODY); - boolean invalidatedByBiometricEnrollment = false; - if (keyCharacteristics.getEnum(KeymasterDefs.KM_TAG_USER_AUTH_TYPE) - == KeymasterDefs.HW_AUTH_FINGERPRINT) { - // Fingerprint-only key; will be invalidated if the root SID isn't in the list. - BigInteger rootSid = BigInteger.valueOf(GateKeeper.getSecureUserId()); - List sids = keyCharacteristics.getUnsignedLongs( - KeymasterDefs.KM_TAG_USER_SECURE_ID); - invalidatedByBiometricEnrollment = !sids.isEmpty() && !sids.contains(rootSid); - } - return new KeyInfo(entryAlias, insideSecureHardware, origin, @@ -197,8 +185,7 @@ public class AndroidKeyStoreSecretKeyFactorySpi extends SecretKeyFactorySpi { userAuthenticationRequired, (int) userAuthenticationValidityDurationSeconds, userAuthenticationRequirementEnforcedBySecureHardware, - userAuthenticationValidWhileOnBody, - invalidatedByBiometricEnrollment); + userAuthenticationValidWhileOnBody); } @Override 
diff --git a/keystore/java/android/security/keystore/AndroidKeyStoreSpi.java b/keystore/java/android/security/keystore/AndroidKeyStoreSpi.java index d7d4f1c50e326..d6600208ecee5 100644 --- a/keystore/java/android/security/keystore/AndroidKeyStoreSpi.java +++ b/keystore/java/android/security/keystore/AndroidKeyStoreSpi.java @@ -499,8 +499,7 @@ public class AndroidKeyStoreSpi extends KeyStoreSpi { KeymasterUtils.addUserAuthArgs(importArgs, spec.isUserAuthenticationRequired(), spec.getUserAuthenticationValidityDurationSeconds(), - spec.isUserAuthenticationValidWhileOnBody(), - spec.isInvalidatedByBiometricEnrollment()); + spec.isUserAuthenticationValidWhileOnBody()); importArgs.addDateIfNotNull(KeymasterDefs.KM_TAG_ACTIVE_DATETIME, spec.getKeyValidityStart()); importArgs.addDateIfNotNull(KeymasterDefs.KM_TAG_ORIGINATION_EXPIRE_DATETIME, @@ -695,8 +694,7 @@ public class AndroidKeyStoreSpi extends KeyStoreSpi { KeymasterUtils.addUserAuthArgs(args, params.isUserAuthenticationRequired(), params.getUserAuthenticationValidityDurationSeconds(), - params.isUserAuthenticationValidWhileOnBody(), - params.isInvalidatedByBiometricEnrollment()); + params.isUserAuthenticationValidWhileOnBody()); KeymasterUtils.addMinMacLengthAuthorizationIfNecessary( args, keymasterAlgorithm, diff --git a/keystore/java/android/security/keystore/KeyGenParameterSpec.java b/keystore/java/android/security/keystore/KeyGenParameterSpec.java index 127d756a2cff8..a84e7f34be8de 100644 --- a/keystore/java/android/security/keystore/KeyGenParameterSpec.java +++ b/keystore/java/android/security/keystore/KeyGenParameterSpec.java @@ -253,7 +253,6 @@ public final class KeyGenParameterSpec implements AlgorithmParameterSpec { private final byte[] mAttestationChallenge; private final boolean mUniqueIdIncluded; private final boolean mUserAuthenticationValidWhileOnBody; - private final boolean mInvalidatedByBiometricEnrollment; /** * @hide should be built with Builder 
@@ -280,8 +279,7 @@ public final class KeyGenParameterSpec implements AlgorithmParameterSpec { int userAuthenticationValidityDurationSeconds, byte[] attestationChallenge, boolean uniqueIdIncluded, - boolean userAuthenticationValidWhileOnBody, - boolean invalidatedByBiometricEnrollment) { + boolean userAuthenticationValidWhileOnBody) { if (TextUtils.isEmpty(keyStoreAlias)) { throw new IllegalArgumentException("keyStoreAlias must not be empty"); } @@ -326,7 +324,6 @@ public final class KeyGenParameterSpec implements AlgorithmParameterSpec { mAttestationChallenge = Utils.cloneIfNotNull(attestationChallenge); mUniqueIdIncluded = uniqueIdIncluded; mUserAuthenticationValidWhileOnBody = userAuthenticationValidWhileOnBody; - mInvalidatedByBiometricEnrollment = invalidatedByBiometricEnrollment; } /** @@ -609,19 +606,6 @@ public final class KeyGenParameterSpec implements AlgorithmParameterSpec { return mUserAuthenticationValidWhileOnBody; } - /** - * Returns {@code true} if the key is irreversibly invalidated when a new fingerprint is - * enrolled or all enrolled fingerprints are removed. This has effect only for keys that - * require fingerprint user authentication for every use. - * - * @see #isUserAuthenticationRequired() - * @see #getUserAuthenticationValidityDurationSeconds() - * @see Builder#setInvalidatedByBiometricEnrollment(boolean) - */ - public boolean isInvalidatedByBiometricEnrollment() { - return mInvalidatedByBiometricEnrollment; - } - /** * Builder of {@link KeyGenParameterSpec} instances. */ @@ -649,7 +633,6 @@ public final class KeyGenParameterSpec implements AlgorithmParameterSpec { private byte[] mAttestationChallenge = null; private boolean mUniqueIdIncluded = false; private boolean mUserAuthenticationValidWhileOnBody; - private boolean mInvalidatedByBiometricEnrollment = true; /** * Creates a new instance of the {@code Builder}. 
@@ -983,10 +966,8 @@ public final class KeyGenParameterSpec implements AlgorithmParameterSpec { * or when the secure lock screen is forcibly reset (e.g., by a Device Administrator). * Additionally, if the key requires that user authentication takes place for every use of * the key, it is also irreversibly invalidated once a new fingerprint is enrolled or once\ - * no more fingerprints are enrolled, unless {@link - * #setInvalidatedByBiometricEnrollment(boolean)} is used to allow validity after - * enrollment. Attempts to initialize cryptographic operations using such keys will throw - * {@link KeyPermanentlyInvalidatedException}. + * no more fingerprints are enrolled. Attempts to initialize cryptographic operations using + * such keys will throw {@link KeyPermanentlyInvalidatedException}. * * *

This authorization applies only to secret key and private key operations. Public key @@ -1128,30 +1109,6 @@ public final class KeyGenParameterSpec implements AlgorithmParameterSpec { return this; } - /** - * Sets whether this key should be invalidated on fingerprint enrollment. This - * applies only to keys which require user authentication (see {@link - * #setUserAuthenticationRequired(boolean)}) and if no positive validity duration has been - * set (see {@link #setUserAuthenticationValidityDurationSeconds(int)}, meaning the key is - * valid for fingerprint authentication only. - * - *
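Review bot: The reworded paragraph ending in `such keys will throw {@link KeyPermanentlyInvalidatedException}` no longer tells callers why the invalidation happens or what to do about it; that explanation existed only in the `setInvalidatedByBiometricEnrollment` Javadoc this commit deletes. I would keep one sentence here, for example `Callers must be prepared to catch {@link KeyPermanentlyInvalidatedException}, authenticate the user through a fallback and generate a new key.` The context line just above the change also ends in a stray backslash (`or once\`), which should be dropped while the paragraph is being touched. The same points apply to the matching hunk in KeyProtection.java, whose new side also adds a second empty ` *` line after the sentence. The Javadoc block and the method it documents start and end outside this hunk.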

By default, {@code invalidateKey} is {@code true}, so keys that are valid for - * fingerprint authentication only are irreversibly invalidated when a new - * fingerprint is enrolled, or when all existing fingerprints are deleted. That may be - * changed by calling this method with {@code invalidateKey} set to {@code false}. - * - *

Invalidating keys on enrollment of a new finger or unenrollment of all fingers - * improves security by ensuring that an unauthorized person who obtains the password can't - * gain the use of fingerprint-authenticated keys by enrolling their own finger. However, - * invalidating keys makes key-dependent operations impossible, requiring some fallback - * procedure to authenticate the user and set up a new key. - */ - @NonNull - public Builder setInvalidatedByBiometricEnrollment(boolean invalidateKey) { - mInvalidatedByBiometricEnrollment = invalidateKey; - return this; - } - /** * Builds an instance of {@code KeyGenParameterSpec}. */ @@ -1179,8 +1136,7 @@ public final class KeyGenParameterSpec implements AlgorithmParameterSpec { mUserAuthenticationValidityDurationSeconds, mAttestationChallenge, mUniqueIdIncluded, - mUserAuthenticationValidWhileOnBody, - mInvalidatedByBiometricEnrollment); + mUserAuthenticationValidWhileOnBody); } } } diff --git a/keystore/java/android/security/keystore/KeyInfo.java b/keystore/java/android/security/keystore/KeyInfo.java index fa6d8b3517f6a..f77b5bac0363b 100644 --- a/keystore/java/android/security/keystore/KeyInfo.java +++ b/keystore/java/android/security/keystore/KeyInfo.java @@ -80,7 +80,6 @@ public class KeyInfo implements KeySpec { private final int mUserAuthenticationValidityDurationSeconds; private final boolean mUserAuthenticationRequirementEnforcedBySecureHardware; private final boolean mUserAuthenticationValidWhileOnBody; - private final boolean mInvalidatedByBiometricEnrollment; /** * @hide 
@@ -100,8 +99,7 @@ public class KeyInfo implements KeySpec { boolean userAuthenticationRequired, int userAuthenticationValidityDurationSeconds, boolean userAuthenticationRequirementEnforcedBySecureHardware, - boolean userAuthenticationValidWhileOnBody, - boolean invalidatedByBiometricEnrollment) { + boolean userAuthenticationValidWhileOnBody) { mKeystoreAlias = keystoreKeyAlias; mInsideSecureHardware = insideSecureHardware; mOrigin = origin; @@ -121,7 +119,6 @@ public class KeyInfo implements KeySpec { mUserAuthenticationRequirementEnforcedBySecureHardware = userAuthenticationRequirementEnforcedBySecureHardware; mUserAuthenticationValidWhileOnBody = userAuthenticationValidWhileOnBody; - mInvalidatedByBiometricEnrollment = invalidatedByBiometricEnrollment; } /** @@ -293,12 +290,4 @@ public class KeyInfo implements KeySpec { public boolean isUserAuthenticationValidWhileOnBody() { return mUserAuthenticationValidWhileOnBody; } - - /** - * Returns {@code true} if the key will be invalidated by enrollment of a new fingerprint or - * removal of all fingerprints. - */ - public boolean isInvalidatedByBiometricEnrollment() { - return mInvalidatedByBiometricEnrollment; - } } diff --git a/keystore/java/android/security/keystore/KeyProtection.java b/keystore/java/android/security/keystore/KeyProtection.java index fa57bdb52b32e..4700b68261db1 100644 --- a/keystore/java/android/security/keystore/KeyProtection.java +++ b/keystore/java/android/security/keystore/KeyProtection.java @@ -215,7 +215,6 @@ public final class KeyProtection implements ProtectionParameter { private final boolean mUserAuthenticationRequired; private final int mUserAuthenticationValidityDurationSeconds; private final boolean mUserAuthenticationValidWhileOnBody; - private final boolean mInvalidatedByBiometricEnrollment; private KeyProtection( Date keyValidityStart, 
@@ -229,8 +228,7 @@ public final class KeyProtection implements ProtectionParameter { boolean randomizedEncryptionRequired, boolean userAuthenticationRequired, int userAuthenticationValidityDurationSeconds, - boolean userAuthenticationValidWhileOnBody, - boolean invalidatedByBiometricEnrollment) { + boolean userAuthenticationValidWhileOnBody) { mKeyValidityStart = Utils.cloneIfNotNull(keyValidityStart); mKeyValidityForOriginationEnd = Utils.cloneIfNotNull(keyValidityForOriginationEnd); mKeyValidityForConsumptionEnd = Utils.cloneIfNotNull(keyValidityForConsumptionEnd); @@ -245,7 +243,6 @@ public final class KeyProtection implements ProtectionParameter { mUserAuthenticationRequired = userAuthenticationRequired; mUserAuthenticationValidityDurationSeconds = userAuthenticationValidityDurationSeconds; mUserAuthenticationValidWhileOnBody = userAuthenticationValidWhileOnBody; - mInvalidatedByBiometricEnrollment = invalidatedByBiometricEnrollment; } /** @@ -414,19 +411,6 @@ public final class KeyProtection implements ProtectionParameter { return mUserAuthenticationValidWhileOnBody; } - /** - * Returns {@code true} if the key is irreversibly invalidated when a new fingerprint is - * enrolled or all enrolled fingerprints are removed. This has effect only for keys that - * require fingerprint user authentication for every use. - * - * @see #isUserAuthenticationRequired() - * @see #getUserAuthenticationValidityDurationSeconds() - * @see Builder#setInvalidatedByBiometricEnrollment(boolean) - */ - public boolean isInvalidatedByBiometricEnrollment() { - return mInvalidatedByBiometricEnrollment; - } - /** * Builder of {@link KeyProtection} instances. */ 
@@ -444,7 +428,6 @@ public final class KeyProtection implements ProtectionParameter { private boolean mUserAuthenticationRequired; private int mUserAuthenticationValidityDurationSeconds = -1; private boolean mUserAuthenticationValidWhileOnBody; - private boolean mInvalidatedByBiometricEnrollment = true; /** * Creates a new instance of the {@code Builder}. @@ -655,10 +638,9 @@ public final class KeyProtection implements ProtectionParameter { * or when the secure lock screen is forcibly reset (e.g., by a Device Administrator). * Additionally, if the key requires that user authentication takes place for every use of * the key, it is also irreversibly invalidated once a new fingerprint is enrolled or once\ - * no more fingerprints are enrolled, unless {@link - * #setInvalidatedByBiometricEnrollment(boolean)} is used to allow validity after - * enrollment. Attempts to initialize cryptographic operations using such keys will throw - * {@link KeyPermanentlyInvalidatedException}. + * no more fingerprints are enrolled. Attempts to initialize cryptographic operations using + * such keys will throw {@link KeyPermanentlyInvalidatedException}. + * * *

This authorization applies only to secret key and private key operations. Public key * operations are not restricted. @@ -746,30 +728,6 @@ public final class KeyProtection implements ProtectionParameter { return this; } - /** - * Sets whether this key should be invalidated on fingerprint enrollment. This - * applies only to keys which require user authentication (see {@link - * #setUserAuthenticationRequired(boolean)}) and if no positive validity duration has been - * set (see {@link #setUserAuthenticationValidityDurationSeconds(int)}, meaning the key is - * valid for fingerprint authentication only. - * - *

By default, {@code invalidateKey} is {@code true}, so keys that are valid for - * fingerprint authentication only are irreversibly invalidated when a new - * fingerprint is enrolled, or when all existing fingerprints are deleted. That may be - * changed by calling this method with {@code invalidateKey} set to {@code false}. - * - *

Invalidating keys on enrollment of a new finger or unenrollment of all fingers - * improves security by ensuring that an unauthorized person who obtains the password can't - * gain the use of fingerprint-authenticated keys by enrolling their own finger. However, - * invalidating keys makes key-dependent operations impossible, requiring some fallback - * procedure to authenticate the user and set up a new key. - */ - @NonNull - public Builder setInvalidatedByBiometricEnrollment(boolean invalidateKey) { - mInvalidatedByBiometricEnrollment = invalidateKey; - return this; - } - /** * Builds an instance of {@link KeyProtection}. * @@ -789,8 +747,7 @@ public final class KeyProtection implements ProtectionParameter { mRandomizedEncryptionRequired, mUserAuthenticationRequired, mUserAuthenticationValidityDurationSeconds, - mUserAuthenticationValidWhileOnBody, - mInvalidatedByBiometricEnrollment); + mUserAuthenticationValidWhileOnBody); } } } diff --git a/keystore/java/android/security/keystore/KeymasterUtils.java b/keystore/java/android/security/keystore/KeymasterUtils.java index f5272aa233e98..3a008bcf68324 100644 --- a/keystore/java/android/security/keystore/KeymasterUtils.java +++ b/keystore/java/android/security/keystore/KeymasterUtils.java @@ -97,8 +97,7 @@ public abstract class KeymasterUtils { public static void addUserAuthArgs(KeymasterArguments args, boolean userAuthenticationRequired, int userAuthenticationValidityDurationSeconds, - boolean userAuthenticationValidWhileOnBody, - boolean invalidatedByBiometricEnrollment) { + boolean userAuthenticationValidWhileOnBody) { if (!userAuthenticationRequired) { args.addBoolean(KeymasterDefs.KM_TAG_NO_AUTH_REQUIRED); return; 
@@ -118,20 +117,8 @@ public abstract class KeymasterUtils { "At least one fingerprint must be enrolled to create keys requiring user" + " authentication for every use"); } - - long sid; - if (invalidatedByBiometricEnrollment) { - // The fingerprint-only SID will change on fingerprint enrollment or removal of all, - // enrolled fingerprints, invalidating the key. - sid = fingerprintOnlySid; - } else { - // The root SID will *not* change on fingerprint enrollment, or removal of all - // enrolled fingerprints, allowing the key to remain valid. - sid = getRootSid(); - } - - args.addUnsignedLong( - KeymasterDefs.KM_TAG_USER_SECURE_ID, KeymasterArguments.toUint64(sid)); + args.addUnsignedLong(KeymasterDefs.KM_TAG_USER_SECURE_ID, + KeymasterArguments.toUint64(fingerprintOnlySid)); args.addEnum(KeymasterDefs.KM_TAG_USER_AUTH_TYPE, KeymasterDefs.HW_AUTH_FINGERPRINT); if (userAuthenticationValidWhileOnBody) { throw new ProviderException("Key validity extension while device is on-body is not " @@ -140,7 +127,11 @@ public abstract class KeymasterUtils { } else { // The key is authorized for use for the specified amount of time after the user has // authenticated. Whatever unlocks the secure lock screen should authorize this key. - long rootSid = getRootSid(); + long rootSid = GateKeeper.getSecureUserId(); + if (rootSid == 0) { + throw new IllegalStateException("Secure lock screen must be enabled" + + " to create keys requiring user authentication"); + } args.addUnsignedLong(KeymasterDefs.KM_TAG_USER_SECURE_ID, KeymasterArguments.toUint64(rootSid)); args.addEnum(KeymasterDefs.KM_TAG_USER_AUTH_TYPE, @@ -193,13 +184,4 @@ public abstract class KeymasterUtils { break; } } - - private static long getRootSid() { - long rootSid = GateKeeper.getSecureUserId(); - if (rootSid == 0) { - throw new IllegalStateException("Secure lock screen must be enabled" - + " to create keys requiring user authentication"); - } - return rootSid; - } }
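Review bot: The added `args.addUnsignedLong(KeymasterDefs.KM_TAG_USER_SECURE_ID, KeymasterArguments.toUint64(fingerprintOnlySid));` in the `@@ -118` hunk has no comment, and the deleted lines held the only explanation of why the per-use branch binds to this SID rather than the root SID. I would add above it `// Bind to the fingerprint-only SID: it changes when a fingerprint is enrolled or all fingerprints are removed, which invalidates the key.` so the security property of this binding stays visible to the next maintainer. The inlined `if (rootSid == 0)` check in the following hunk could carry a similar one-line comment; that 0 means no secure lock screen is configured is inferred from the exception message only. The body of addUserAuthArgs starts and ends outside both hunks.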