Merge "Import TertiaryKeyManager"

packages/BackupEncryption/src/com/android/server/backup/encryption/keys/TertiaryKeyManager.java

@@ -0,0 +1,136 @@
+/*
+ * Copyright (C) 2019 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.android.server.backup.encryption.keys;
+
+import android.annotation.Nullable;
+import android.content.Context;
+import android.util.Slog;
+
+import com.android.server.backup.encryption.protos.nano.WrappedKeyProto;
+
+import java.io.IOException;
+import java.security.InvalidAlgorithmParameterException;
+import java.security.InvalidKeyException;
+import java.security.NoSuchAlgorithmException;
+import java.security.SecureRandom;
+import java.util.Optional;
+
+import javax.crypto.IllegalBlockSizeException;
+import javax.crypto.NoSuchPaddingException;
+import javax.crypto.SecretKey;
+
+/**
+ * Gets the correct tertiary key to use during a backup, rotating it if required.
+ *
+ * <p>Calling any method on this class will count a incremental backup against the app, and the key
+ * will be rotated if required.
+ */
+public class TertiaryKeyManager {
+
+    private static final String TAG = "TertiaryKeyMgr";
+
+    private final TertiaryKeyStore mKeyStore;
+    private final TertiaryKeyGenerator mKeyGenerator;
+    private final TertiaryKeyRotationScheduler mTertiaryKeyRotationScheduler;
+    private final RecoverableKeyStoreSecondaryKey mSecondaryKey;
+    private final String mPackageName;
+
+    private boolean mKeyRotated;
+    @Nullable private SecretKey mTertiaryKey;
+
+    public TertiaryKeyManager(
+            Context context,
+            SecureRandom secureRandom,
+            TertiaryKeyRotationScheduler tertiaryKeyRotationScheduler,
+            RecoverableKeyStoreSecondaryKey secondaryKey,
+            String packageName) {
+        mSecondaryKey = secondaryKey;
+        mPackageName = packageName;
+        mKeyGenerator = new TertiaryKeyGenerator(secureRandom);
+        mKeyStore = TertiaryKeyStore.newInstance(context, secondaryKey);
+        mTertiaryKeyRotationScheduler = tertiaryKeyRotationScheduler;
+    }
+
+    /**
+     * Returns either the previously used tertiary key, or a new tertiary key if there was no
+     * previous key or it needed to be rotated.
+     */
+    public SecretKey getKey()
+            throws InvalidKeyException, IOException, IllegalBlockSizeException,
+                    NoSuchPaddingException, NoSuchAlgorithmException,
+                    InvalidAlgorithmParameterException {
+        init();
+        return mTertiaryKey;
+    }
+
+    /** Returns the key given by {@link #getKey()} wrapped by the secondary key. */
+    public WrappedKeyProto.WrappedKey getWrappedKey()
+            throws InvalidKeyException, IOException, IllegalBlockSizeException,
+                    NoSuchPaddingException, NoSuchAlgorithmException,
+                    InvalidAlgorithmParameterException {
+        init();
+        return KeyWrapUtils.wrap(mSecondaryKey.getSecretKey(), mTertiaryKey);
+    }
+
+    /**
+     * Returns {@code true} if a new tertiary key was generated at the start of this session,
+     * otherwise {@code false}.
+     */
+    public boolean wasKeyRotated()
+            throws InvalidKeyException, IllegalBlockSizeException, IOException,
+                    NoSuchPaddingException, NoSuchAlgorithmException,
+                    InvalidAlgorithmParameterException {
+        init();
+        return mKeyRotated;
+    }
+
+    private void init()
+            throws IllegalBlockSizeException, InvalidKeyException, IOException,
+                    NoSuchAlgorithmException, NoSuchPaddingException,
+                    InvalidAlgorithmParameterException {
+        if (mTertiaryKey != null) {
+            return;
+        }
+
+        Optional<SecretKey> key = getExistingKeyIfNotRotated();
+
+        if (!key.isPresent()) {
+            Slog.d(TAG, "Generating new tertiary key for " + mPackageName);
+
+            key = Optional.of(mKeyGenerator.generate());
+            mKeyRotated = true;
+            mTertiaryKeyRotationScheduler.recordKeyRotation(mPackageName);
+            mKeyStore.save(mPackageName, key.get());
+        }
+
+        mTertiaryKey = key.get();
+
+        mTertiaryKeyRotationScheduler.recordBackup(mPackageName);
+    }
+
+    private Optional<SecretKey> getExistingKeyIfNotRotated()
+            throws InvalidKeyException, IOException, InvalidAlgorithmParameterException,
+                    NoSuchAlgorithmException, NoSuchPaddingException {
+        if (mTertiaryKeyRotationScheduler.isKeyRotationDue(mPackageName)) {
+            Slog.i(TAG, "Tertiary key rotation was required for " + mPackageName);
+            return Optional.empty();
+        } else {
+            Slog.i(TAG, "Tertiary key rotation was not required");
+            return mKeyStore.load(mPackageName);
+        }
+    }
+}

packages/BackupEncryption/test/robolectric/src/com/android/server/backup/encryption/keys/TertiaryKeyManagerTest.java

@@ -0,0 +1,173 @@
+/*
+ * Copyright (C) 2019 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.android.server.backup.encryption.keys;
+
+import static com.google.common.truth.Truth.assertThat;
+
+import static org.mockito.ArgumentMatchers.any;
+import static org.mockito.Mockito.inOrder;
+import static org.mockito.Mockito.never;
+import static org.mockito.Mockito.reset;
+import static org.mockito.Mockito.verify;
+import static org.mockito.Mockito.when;
+import static org.robolectric.RuntimeEnvironment.application;
+
+import android.security.keystore.recovery.RecoveryController;
+
+import com.android.server.backup.encryption.protos.nano.WrappedKeyProto;
+import com.android.server.testing.shadows.ShadowRecoveryController;
+
+import org.junit.Before;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.mockito.InOrder;
+import org.mockito.Mock;
+import org.mockito.MockitoAnnotations;
+import org.robolectric.RobolectricTestRunner;
+import org.robolectric.annotation.Config;
+
+import java.security.SecureRandom;
+
+import javax.crypto.SecretKey;
+
+@RunWith(RobolectricTestRunner.class)
+@Config(shadows = ShadowRecoveryController.class)
+public class TertiaryKeyManagerTest {
+
+    private static final String TEST_PACKAGE_1 = "com.example.app1";
+    private static final String TEST_PACKAGE_2 = "com.example.app2";
+
+    private SecureRandom mSecureRandom;
+    private RecoverableKeyStoreSecondaryKey mSecondaryKey;
+
+    @Mock private TertiaryKeyRotationScheduler mTertiaryKeyRotationScheduler;
+
+    @Before
+    public void setUp() throws Exception {
+        MockitoAnnotations.initMocks(this);
+
+        mSecureRandom = new SecureRandom();
+        mSecondaryKey =
+                new RecoverableKeyStoreSecondaryKeyManager(
+                                RecoveryController.getInstance(application), mSecureRandom)
+                        .generate();
+        ShadowRecoveryController.reset();
+    }
+
+    private TertiaryKeyManager createNewManager(String packageName) {
+        return new TertiaryKeyManager(
+                application,
+                mSecureRandom,
+                mTertiaryKeyRotationScheduler,
+                mSecondaryKey,
+                packageName);
+    }
+
+    @Test
+    public void getKey_noExistingKey_returnsNewKey() throws Exception {
+        assertThat(createNewManager(TEST_PACKAGE_1).getKey()).isNotNull();
+    }
+
+    @Test
+    public void getKey_noExistingKey_recordsIncrementalBackup() throws Exception {
+        createNewManager(TEST_PACKAGE_1).getKey();
+        verify(mTertiaryKeyRotationScheduler).recordBackup(TEST_PACKAGE_1);
+    }
+
+    @Test
+    public void getKey_existingKey_returnsExistingKey() throws Exception {
+        TertiaryKeyManager manager = createNewManager(TEST_PACKAGE_1);
+        SecretKey existingKey = manager.getKey();
+
+        assertThat(manager.getKey()).isEqualTo(existingKey);
+    }
+
+    @Test
+    public void getKey_existingKey_recordsBackupButNotRotation() throws Exception {
+        createNewManager(TEST_PACKAGE_1).getKey();
+        reset(mTertiaryKeyRotationScheduler);
+
+        createNewManager(TEST_PACKAGE_1).getKey();
+
+        verify(mTertiaryKeyRotationScheduler).recordBackup(TEST_PACKAGE_1);
+        verify(mTertiaryKeyRotationScheduler, never()).recordKeyRotation(any());
+    }
+
+    @Test
+    public void getKey_existingKeyButRotationRequired_returnsNewKey() throws Exception {
+        SecretKey firstKey = createNewManager(TEST_PACKAGE_1).getKey();
+        when(mTertiaryKeyRotationScheduler.isKeyRotationDue(TEST_PACKAGE_1)).thenReturn(true);
+
+        SecretKey secondKey = createNewManager(TEST_PACKAGE_1).getKey();
+
+        assertThat(secondKey).isNotEqualTo(firstKey);
+    }
+
+    @Test
+    public void getKey_existingKeyButRotationRequired_recordsKeyRotationAndBackup()
+            throws Exception {
+        when(mTertiaryKeyRotationScheduler.isKeyRotationDue(TEST_PACKAGE_1)).thenReturn(true);
+        createNewManager(TEST_PACKAGE_1).getKey();
+
+        InOrder inOrder = inOrder(mTertiaryKeyRotationScheduler);
+        inOrder.verify(mTertiaryKeyRotationScheduler).recordKeyRotation(TEST_PACKAGE_1);
+        inOrder.verify(mTertiaryKeyRotationScheduler).recordBackup(TEST_PACKAGE_1);
+    }
+
+    @Test
+    public void getKey_twoApps_returnsDifferentKeys() throws Exception {
+        TertiaryKeyManager firstManager = createNewManager(TEST_PACKAGE_1);
+        TertiaryKeyManager secondManager = createNewManager(TEST_PACKAGE_2);
+        SecretKey firstKey = firstManager.getKey();
+
+        assertThat(secondManager.getKey()).isNotEqualTo(firstKey);
+    }
+
+    @Test
+    public void getWrappedKey_noExistingKey_returnsWrappedNewKey() throws Exception {
+        TertiaryKeyManager manager = createNewManager(TEST_PACKAGE_1);
+        SecretKey unwrappedKey = manager.getKey();
+        WrappedKeyProto.WrappedKey wrappedKey = manager.getWrappedKey();
+
+        SecretKey expectedUnwrappedKey =
+                KeyWrapUtils.unwrap(mSecondaryKey.getSecretKey(), wrappedKey);
+        assertThat(unwrappedKey).isEqualTo(expectedUnwrappedKey);
+    }
+
+    @Test
+    public void getWrappedKey_existingKey_returnsWrappedExistingKey() throws Exception {
+        TertiaryKeyManager manager = createNewManager(TEST_PACKAGE_1);
+        WrappedKeyProto.WrappedKey wrappedKey = manager.getWrappedKey();
+        SecretKey unwrappedKey = manager.getKey();
+
+        SecretKey expectedUnwrappedKey =
+                KeyWrapUtils.unwrap(mSecondaryKey.getSecretKey(), wrappedKey);
+        assertThat(unwrappedKey).isEqualTo(expectedUnwrappedKey);
+    }
+
+    @Test
+    public void wasKeyRotated_noExistingKey_returnsTrue() throws Exception {
+        TertiaryKeyManager manager = createNewManager(TEST_PACKAGE_1);
+        assertThat(manager.wasKeyRotated()).isTrue();
+    }
+
+    @Test
+    public void wasKeyRotated_existingKey_returnsFalse() throws Exception {
+        createNewManager(TEST_PACKAGE_1).getKey();
+        assertThat(createNewManager(TEST_PACKAGE_1).wasKeyRotated()).isFalse();
+    }
+}