Revert "Add "Unlocked device required" parameter to keys"
This reverts commit efc3f16be7.
Reason for revert: Regression in creating auth-bound keys
Bug: 73773914
Bug: 67752510
Change-Id: Ic3886ceb3c3c0c4274682ed9f5f2bfbf8fdd71b9
@@ -38445,7 +38445,6 @@ package android.security.keystore {
|
||||
method public boolean isRandomizedEncryptionRequired();
|
||||
method public boolean isStrongBoxBacked();
|
||||
method public boolean isTrustedUserPresenceRequired();
|
||||
method public boolean isUnlockedDeviceRequired();
|
||||
method public boolean isUserAuthenticationRequired();
|
||||
method public boolean isUserAuthenticationValidWhileOnBody();
|
||||
method public boolean isUserConfirmationRequired();
|
||||
@@ -38473,7 +38472,6 @@ package android.security.keystore {
|
||||
method public android.security.keystore.KeyGenParameterSpec.Builder setRandomizedEncryptionRequired(boolean);
|
||||
method public android.security.keystore.KeyGenParameterSpec.Builder setSignaturePaddings(java.lang.String...);
|
||||
method public android.security.keystore.KeyGenParameterSpec.Builder setTrustedUserPresenceRequired(boolean);
|
||||
method public android.security.keystore.KeyGenParameterSpec.Builder setUnlockedDeviceRequired(boolean);
|
||||
method public android.security.keystore.KeyGenParameterSpec.Builder setUserAuthenticationRequired(boolean);
|
||||
method public android.security.keystore.KeyGenParameterSpec.Builder setUserAuthenticationValidWhileOnBody(boolean);
|
||||
method public android.security.keystore.KeyGenParameterSpec.Builder setUserAuthenticationValidityDurationSeconds(int);
|
||||
@@ -38565,8 +38563,6 @@ package android.security.keystore {
|
||||
method public boolean isDigestsSpecified();
|
||||
method public boolean isInvalidatedByBiometricEnrollment();
|
||||
method public boolean isRandomizedEncryptionRequired();
|
||||
method public boolean isTrustedUserPresenceRequired();
|
||||
method public boolean isUnlockedDeviceRequired();
|
||||
method public boolean isUserAuthenticationRequired();
|
||||
method public boolean isUserAuthenticationValidWhileOnBody();
|
||||
method public boolean isUserConfirmationRequired();
|
||||
@@ -38585,8 +38581,6 @@ package android.security.keystore {
|
||||
method public android.security.keystore.KeyProtection.Builder setKeyValidityStart(java.util.Date);
|
||||
method public android.security.keystore.KeyProtection.Builder setRandomizedEncryptionRequired(boolean);
|
||||
method public android.security.keystore.KeyProtection.Builder setSignaturePaddings(java.lang.String...);
|
||||
method public android.security.keystore.KeyProtection.Builder setTrustedUserPresenceRequired(boolean);
|
||||
method public android.security.keystore.KeyProtection.Builder setUnlockedDeviceRequired(boolean);
|
||||
method public android.security.keystore.KeyProtection.Builder setUserAuthenticationRequired(boolean);
|
||||
method public android.security.keystore.KeyProtection.Builder setUserAuthenticationValidWhileOnBody(boolean);
|
||||
method public android.security.keystore.KeyProtection.Builder setUserAuthenticationValidityDurationSeconds(int);
|
||||
|
||||
@@ -75,7 +75,6 @@ public final class KeymasterDefs {
|
||||
public static final int KM_TAG_ALLOW_WHILE_ON_BODY = KM_BOOL | 506;
|
||||
public static final int KM_TAG_TRUSTED_USER_PRESENCE_REQUIRED = KM_BOOL | 507;
|
||||
public static final int KM_TAG_TRUSTED_CONFIRMATION_REQUIRED = KM_BOOL | 508;
|
||||
public static final int KM_TAG_UNLOCKED_DEVICE_REQUIRED = KM_BOOL | 509;
|
||||
|
||||
public static final int KM_TAG_ALL_APPLICATIONS = KM_BOOL | 600;
|
||||
public static final int KM_TAG_APPLICATION_ID = KM_BYTES | 601;
|
||||
@@ -217,7 +216,6 @@ public final class KeymasterDefs {
|
||||
public static final int KM_ERROR_MISSING_MIN_MAC_LENGTH = -58;
|
||||
public static final int KM_ERROR_UNSUPPORTED_MIN_MAC_LENGTH = -59;
|
||||
public static final int KM_ERROR_CANNOT_ATTEST_IDS = -66;
|
||||
public static final int KM_ERROR_DEVICE_LOCKED = -72;
|
||||
public static final int KM_ERROR_UNIMPLEMENTED = -100;
|
||||
public static final int KM_ERROR_VERSION_MISMATCH = -101;
|
||||
public static final int KM_ERROR_UNKNOWN_ERROR = -1000;
|
||||
@@ -264,7 +262,6 @@ public final class KeymasterDefs {
|
||||
sErrorCodeToString.put(KM_ERROR_INVALID_MAC_LENGTH,
|
||||
"Invalid MAC or authentication tag length");
|
||||
sErrorCodeToString.put(KM_ERROR_CANNOT_ATTEST_IDS, "Unable to attest device ids");
|
||||
sErrorCodeToString.put(KM_ERROR_DEVICE_LOCKED, "Device locked");
|
||||
sErrorCodeToString.put(KM_ERROR_UNIMPLEMENTED, "Not implemented");
|
||||
sErrorCodeToString.put(KM_ERROR_UNKNOWN_ERROR, "Unknown error");
|
||||
}
|
||||
|
||||
@@ -545,9 +545,7 @@ public class KeyStore {
|
||||
try {
|
||||
args = args != null ? args : new KeymasterArguments();
|
||||
entropy = entropy != null ? entropy : new byte[0];
|
||||
OperationResult res = mBinder.begin(getToken(), alias, purpose, pruneable, args, entropy, uid);
|
||||
// This result is -26 (KEY_USER_NOT_AUTHENTICATED) but why??
|
||||
return res;
|
||||
return mBinder.begin(getToken(), alias, purpose, pruneable, args, entropy, uid);
|
||||
} catch (RemoteException e) {
|
||||
Log.w(TAG, "Cannot connect to keystore", e);
|
||||
return null;
|
||||
@@ -565,8 +563,7 @@ public class KeyStore {
|
||||
try {
|
||||
arguments = arguments != null ? arguments : new KeymasterArguments();
|
||||
input = input != null ? input : new byte[0];
|
||||
OperationResult res = mBinder.update(token, arguments, input);
|
||||
return res;
|
||||
return mBinder.update(token, arguments, input);
|
||||
} catch (RemoteException e) {
|
||||
Log.w(TAG, "Cannot connect to keystore", e);
|
||||
return null;
|
||||
@@ -621,9 +618,9 @@ public class KeyStore {
|
||||
* @return {@code KeyStore.NO_ERROR} on success, otherwise an error value corresponding to
|
||||
* a {@code KeymasterDefs.KM_ERROR_} value or {@code KeyStore} ResponseCode.
|
||||
*/
|
||||
public int addAuthToken(byte[] authToken, int userId) {
|
||||
public int addAuthToken(byte[] authToken) {
|
||||
try {
|
||||
return mBinder.addAuthToken(authToken, userId);
|
||||
return mBinder.addAuthToken(authToken);
|
||||
} catch (RemoteException e) {
|
||||
Log.w(TAG, "Cannot connect to keystore", e);
|
||||
return SYSTEM_ERROR;
|
||||
@@ -835,14 +832,14 @@ public class KeyStore {
|
||||
public InvalidKeyException getInvalidKeyException(
|
||||
String keystoreKeyAlias, int uid, KeyStoreException e) {
|
||||
switch (e.getErrorCode()) {
|
||||
case LOCKED: // 2
|
||||
case LOCKED:
|
||||
return new UserNotAuthenticatedException();
|
||||
case KeymasterDefs.KM_ERROR_KEY_EXPIRED: // -25
|
||||
case KeymasterDefs.KM_ERROR_KEY_EXPIRED:
|
||||
return new KeyExpiredException();
|
||||
case KeymasterDefs.KM_ERROR_KEY_NOT_YET_VALID: // -2
|
||||
case KeymasterDefs.KM_ERROR_KEY_NOT_YET_VALID:
|
||||
return new KeyNotYetValidException();
|
||||
case KeymasterDefs.KM_ERROR_KEY_USER_NOT_AUTHENTICATED: // -26
|
||||
case OP_AUTH_NEEDED: // 15
|
||||
case KeymasterDefs.KM_ERROR_KEY_USER_NOT_AUTHENTICATED:
|
||||
case OP_AUTH_NEEDED:
|
||||
{
|
||||
// We now need to determine whether the key/operation can become usable if user
|
||||
// authentication is performed, or whether it can never become usable again.
|
||||
@@ -882,7 +879,7 @@ public class KeyStore {
|
||||
// None of the key's SIDs can ever be authenticated
|
||||
return new KeyPermanentlyInvalidatedException();
|
||||
}
|
||||
case UNINITIALIZED: // 3
|
||||
case UNINITIALIZED:
|
||||
return new KeyPermanentlyInvalidatedException();
|
||||
default:
|
||||
return new InvalidKeyException("Keystore operation failed", e);
|
||||
|
||||
@@ -243,7 +243,13 @@ public abstract class AndroidKeyStoreKeyGeneratorSpi extends KeyGeneratorSpi {
|
||||
// Check that user authentication related parameters are acceptable. This method
|
||||
// will throw an IllegalStateException if there are issues (e.g., secure lock screen
|
||||
// not set up).
|
||||
KeymasterUtils.addUserAuthArgs(new KeymasterArguments(), spec);
|
||||
KeymasterUtils.addUserAuthArgs(new KeymasterArguments(),
|
||||
spec.isUserAuthenticationRequired(),
|
||||
spec.getUserAuthenticationValidityDurationSeconds(),
|
||||
spec.isUserAuthenticationValidWhileOnBody(),
|
||||
spec.isInvalidatedByBiometricEnrollment(),
|
||||
GateKeeper.INVALID_SECURE_USER_ID /* boundToSpecificSecureUserId */,
|
||||
spec.isUserConfirmationRequired());
|
||||
} catch (IllegalStateException | IllegalArgumentException e) {
|
||||
throw new InvalidAlgorithmParameterException(e);
|
||||
}
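Review bot: The validation call in this hunk and the real call in the `@@ -279,7 +285,16 @@` hunk now repeat the same seven positional arguments by hand, and the same pair is duplicated in AndroidKeyStoreKeyPairGeneratorSpi (hunks at new-side 344 and 541) and AndroidKeyStoreSpi (497 and 700). A dropped or reordered argument compiles cleanly and changes the key's authorization list, so the dry run and the real call have to be kept identical by review alone. I would add above the validation call `// Dry run only: keep this argument list identical to the addUserAuthArgs call that builds the key's real authorization list.` Passing `spec.getBoundToSpecificSecureUserId()` instead of the `GateKeeper.INVALID_SECURE_USER_ID` literal, as the import path in AndroidKeyStoreSpi does, would also keep the spec as the single source of that value. The enclosing methods start and end outside these hunks.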
|
||||
@@ -279,7 +285,16 @@ public abstract class AndroidKeyStoreKeyGeneratorSpi extends KeyGeneratorSpi {
|
||||
args.addEnums(KeymasterDefs.KM_TAG_BLOCK_MODE, mKeymasterBlockModes);
|
||||
args.addEnums(KeymasterDefs.KM_TAG_PADDING, mKeymasterPaddings);
|
||||
args.addEnums(KeymasterDefs.KM_TAG_DIGEST, mKeymasterDigests);
|
||||
KeymasterUtils.addUserAuthArgs(args, spec);
|
||||
KeymasterUtils.addUserAuthArgs(args,
|
||||
spec.isUserAuthenticationRequired(),
|
||||
spec.getUserAuthenticationValidityDurationSeconds(),
|
||||
spec.isUserAuthenticationValidWhileOnBody(),
|
||||
spec.isInvalidatedByBiometricEnrollment(),
|
||||
GateKeeper.INVALID_SECURE_USER_ID /* boundToSpecificSecureUserId */,
|
||||
spec.isUserConfirmationRequired());
|
||||
if (spec.isTrustedUserPresenceRequired()) {
|
||||
args.addBoolean(KeymasterDefs.KM_TAG_TRUSTED_USER_PRESENCE_REQUIRED);
|
||||
}
|
||||
KeymasterUtils.addMinMacLengthAuthorizationIfNecessary(
|
||||
args,
|
||||
mKeymasterAlgorithm,
|
||||
|
||||
@@ -344,7 +344,13 @@ public abstract class AndroidKeyStoreKeyPairGeneratorSpi extends KeyPairGenerato
|
||||
// Check that user authentication related parameters are acceptable. This method
|
||||
// will throw an IllegalStateException if there are issues (e.g., secure lock screen
|
||||
// not set up).
|
||||
KeymasterUtils.addUserAuthArgs(new KeymasterArguments(), mSpec);
|
||||
KeymasterUtils.addUserAuthArgs(new KeymasterArguments(),
|
||||
mSpec.isUserAuthenticationRequired(),
|
||||
mSpec.getUserAuthenticationValidityDurationSeconds(),
|
||||
mSpec.isUserAuthenticationValidWhileOnBody(),
|
||||
mSpec.isInvalidatedByBiometricEnrollment(),
|
||||
GateKeeper.INVALID_SECURE_USER_ID /* boundToSpecificSecureUserId */,
|
||||
mSpec.isUserConfirmationRequired());
|
||||
} catch (IllegalArgumentException | IllegalStateException e) {
|
||||
throw new InvalidAlgorithmParameterException(e);
|
||||
}
|
||||
@@ -535,7 +541,13 @@ public abstract class AndroidKeyStoreKeyPairGeneratorSpi extends KeyPairGenerato
|
||||
args.addEnums(KeymasterDefs.KM_TAG_PADDING, mKeymasterSignaturePaddings);
|
||||
args.addEnums(KeymasterDefs.KM_TAG_DIGEST, mKeymasterDigests);
|
||||
|
||||
KeymasterUtils.addUserAuthArgs(args, mSpec);
|
||||
KeymasterUtils.addUserAuthArgs(args,
|
||||
mSpec.isUserAuthenticationRequired(),
|
||||
mSpec.getUserAuthenticationValidityDurationSeconds(),
|
||||
mSpec.isUserAuthenticationValidWhileOnBody(),
|
||||
mSpec.isInvalidatedByBiometricEnrollment(),
|
||||
GateKeeper.INVALID_SECURE_USER_ID /* boundToSpecificSecureUserId */,
|
||||
mSpec.isUserConfirmationRequired());
|
||||
args.addDateIfNotNull(KeymasterDefs.KM_TAG_ACTIVE_DATETIME, mSpec.getKeyValidityStart());
|
||||
args.addDateIfNotNull(KeymasterDefs.KM_TAG_ORIGINATION_EXPIRE_DATETIME,
|
||||
mSpec.getKeyValidityForOriginationEnd());
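Review bot: After the new `addUserAuthArgs` call in this hunk nothing attaches `KeymasterDefs.KM_TAG_TRUSTED_USER_PRESENCE_REQUIRED`, whereas the matching hunk in AndroidKeyStoreKeyGeneratorSpi (`@@ -279,7 +285,16 @@`) adds `if (spec.isTrustedUserPresenceRequired()) { args.addBoolean(KeymasterDefs.KM_TAG_TRUSTED_USER_PRESENCE_REQUIRED); }` right after its call, and `KeyGenParameterSpec.isTrustedUserPresenceRequired()` stays in api/current.txt. If this method does not add the tag somewhere outside the hunk, a spec that asks for trusted user presence yields a key pair whose authorization list silently lacks it, a weaker key than the caller requested rather than an error. The same three lines as in the secret-key generator, using `mSpec`, would close the gap. The enclosing method starts and ends outside the hunk.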
|
||||
|
||||
@@ -497,7 +497,13 @@ public class AndroidKeyStoreSpi extends KeyStoreSpi {
|
||||
importArgs.addEnums(KeymasterDefs.KM_TAG_PADDING, keymasterEncryptionPaddings);
|
||||
importArgs.addEnums(KeymasterDefs.KM_TAG_PADDING,
|
||||
KeyProperties.SignaturePadding.allToKeymaster(spec.getSignaturePaddings()));
|
||||
KeymasterUtils.addUserAuthArgs(importArgs, spec);
|
||||
KeymasterUtils.addUserAuthArgs(importArgs,
|
||||
spec.isUserAuthenticationRequired(),
|
||||
spec.getUserAuthenticationValidityDurationSeconds(),
|
||||
spec.isUserAuthenticationValidWhileOnBody(),
|
||||
spec.isInvalidatedByBiometricEnrollment(),
|
||||
spec.getBoundToSpecificSecureUserId(),
|
||||
spec.isUserConfirmationRequired());
|
||||
importArgs.addDateIfNotNull(KeymasterDefs.KM_TAG_ACTIVE_DATETIME,
|
||||
spec.getKeyValidityStart());
|
||||
importArgs.addDateIfNotNull(KeymasterDefs.KM_TAG_ORIGINATION_EXPIRE_DATETIME,
|
||||
@@ -694,7 +700,13 @@ public class AndroidKeyStoreSpi extends KeyStoreSpi {
|
||||
int[] keymasterPaddings = KeyProperties.EncryptionPadding.allToKeymaster(
|
||||
params.getEncryptionPaddings());
|
||||
args.addEnums(KeymasterDefs.KM_TAG_PADDING, keymasterPaddings);
|
||||
KeymasterUtils.addUserAuthArgs(args, params);
|
||||
KeymasterUtils.addUserAuthArgs(args,
|
||||
params.isUserAuthenticationRequired(),
|
||||
params.getUserAuthenticationValidityDurationSeconds(),
|
||||
params.isUserAuthenticationValidWhileOnBody(),
|
||||
params.isInvalidatedByBiometricEnrollment(),
|
||||
params.getBoundToSpecificSecureUserId(),
|
||||
params.isUserConfirmationRequired());
|
||||
KeymasterUtils.addMinMacLengthAuthorizationIfNecessary(
|
||||
args,
|
||||
keymasterAlgorithm,
|
||||
|
||||
@@ -21,7 +21,6 @@ import android.annotation.NonNull;
|
||||
import android.annotation.Nullable;
|
||||
import android.app.KeyguardManager;
|
||||
import android.hardware.fingerprint.FingerprintManager;
|
||||
import android.security.GateKeeper;
|
||||
import android.security.KeyStore;
|
||||
import android.text.TextUtils;
|
||||
|
||||
@@ -233,7 +232,7 @@ import javax.security.auth.x500.X500Principal;
|
||||
* key = (SecretKey) keyStore.getKey("key2", null);
|
||||
* }</pre>
|
||||
*/
|
||||
public final class KeyGenParameterSpec implements AlgorithmParameterSpec, UserAuthArgs {
|
||||
public final class KeyGenParameterSpec implements AlgorithmParameterSpec {
|
||||
|
||||
private static final X500Principal DEFAULT_CERT_SUBJECT = new X500Principal("CN=fake");
|
||||
private static final BigInteger DEFAULT_CERT_SERIAL_NUMBER = new BigInteger("1");
|
||||
@@ -266,7 +265,6 @@ public final class KeyGenParameterSpec implements AlgorithmParameterSpec, UserAu
|
||||
private final boolean mInvalidatedByBiometricEnrollment;
|
||||
private final boolean mIsStrongBoxBacked;
|
||||
private final boolean mUserConfirmationRequired;
|
||||
private final boolean mUnlockedDeviceRequired;
|
||||
|
||||
/**
|
||||
* @hide should be built with Builder
|
||||
@@ -297,8 +295,7 @@ public final class KeyGenParameterSpec implements AlgorithmParameterSpec, UserAu
|
||||
boolean userAuthenticationValidWhileOnBody,
|
||||
boolean invalidatedByBiometricEnrollment,
|
||||
boolean isStrongBoxBacked,
|
||||
boolean userConfirmationRequired,
|
||||
boolean unlockedDeviceRequired) {
|
||||
boolean userConfirmationRequired) {
|
||||
if (TextUtils.isEmpty(keyStoreAlias)) {
|
||||
throw new IllegalArgumentException("keyStoreAlias must not be empty");
|
||||
}
|
||||
@@ -347,7 +344,6 @@ public final class KeyGenParameterSpec implements AlgorithmParameterSpec, UserAu
|
||||
mInvalidatedByBiometricEnrollment = invalidatedByBiometricEnrollment;
|
||||
mIsStrongBoxBacked = isStrongBoxBacked;
|
||||
mUserConfirmationRequired = userConfirmationRequired;
|
||||
mUnlockedDeviceRequired = unlockedDeviceRequired;
|
||||
}
|
||||
|
||||
/**
|
||||
@@ -672,22 +668,6 @@ public final class KeyGenParameterSpec implements AlgorithmParameterSpec, UserAu
|
||||
return mIsStrongBoxBacked;
|
||||
}
|
||||
|
||||
/**
|
||||
* Returns {@code true} if the key cannot be used unless the device screen is unlocked.
|
||||
*
|
||||
* @see Builder#SetUnlockedDeviceRequired(boolean)
|
||||
*/
|
||||
public boolean isUnlockedDeviceRequired() {
|
||||
return mUnlockedDeviceRequired;
|
||||
}
|
||||
|
||||
/**
|
||||
* @hide
|
||||
*/
|
||||
public long getBoundToSpecificSecureUserId() {
|
||||
return GateKeeper.INVALID_SECURE_USER_ID;
|
||||
}
|
||||
|
||||
/**
|
||||
* Builder of {@link KeyGenParameterSpec} instances.
|
||||
*/
|
||||
@@ -719,7 +699,6 @@ public final class KeyGenParameterSpec implements AlgorithmParameterSpec, UserAu
|
||||
private boolean mInvalidatedByBiometricEnrollment = true;
|
||||
private boolean mIsStrongBoxBacked = false;
|
||||
private boolean mUserConfirmationRequired;
|
||||
private boolean mUnlockedDeviceRequired = false;
|
||||
|
||||
/**
|
||||
* Creates a new instance of the {@code Builder}.
|
||||
@@ -1287,18 +1266,6 @@ public final class KeyGenParameterSpec implements AlgorithmParameterSpec, UserAu
|
||||
return this;
|
||||
}
|
||||
|
||||
/**
|
||||
* Sets whether the keystore requires the screen to be unlocked before allowing decryption
|
||||
* using this key. If this is set to {@code true}, any attempt to decrypt using this key
|
||||
* while the screen is locked will fail. A locked device requires a PIN, password,
|
||||
* fingerprint, or other trusted factor to access.
|
||||
*/
|
||||
@NonNull
|
||||
public Builder setUnlockedDeviceRequired(boolean unlockedDeviceRequired) {
|
||||
mUnlockedDeviceRequired = unlockedDeviceRequired;
|
||||
return this;
|
||||
}
|
||||
|
||||
/**
|
||||
* Builds an instance of {@code KeyGenParameterSpec}.
|
||||
*/
|
||||
@@ -1330,8 +1297,7 @@ public final class KeyGenParameterSpec implements AlgorithmParameterSpec, UserAu
|
||||
mUserAuthenticationValidWhileOnBody,
|
||||
mInvalidatedByBiometricEnrollment,
|
||||
mIsStrongBoxBacked,
|
||||
mUserConfirmationRequired,
|
||||
mUnlockedDeviceRequired);
|
||||
mUserConfirmationRequired);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
@@ -212,7 +212,7 @@ import javax.crypto.Mac;
|
||||
* ...
|
||||
* }</pre>
|
||||
*/
|
||||
public final class KeyProtection implements ProtectionParameter, UserAuthArgs {
|
||||
public final class KeyProtection implements ProtectionParameter {
|
||||
private final Date mKeyValidityStart;
|
||||
private final Date mKeyValidityForOriginationEnd;
|
||||
private final Date mKeyValidityForConsumptionEnd;
|
||||
@@ -229,8 +229,6 @@ public final class KeyProtection implements ProtectionParameter, UserAuthArgs {
|
||||
private final long mBoundToSecureUserId;
|
||||
private final boolean mCriticalToDeviceEncryption;
|
||||
private final boolean mUserConfirmationRequired;
|
||||
private final boolean mTrustedUserPresenceRequired;
|
||||
private final boolean mUnlockedDeviceRequired;
|
||||
|
||||
private KeyProtection(
|
||||
Date keyValidityStart,
|
||||
@@ -244,13 +242,11 @@ public final class KeyProtection implements ProtectionParameter, UserAuthArgs {
|
||||
boolean randomizedEncryptionRequired,
|
||||
boolean userAuthenticationRequired,
|
||||
int userAuthenticationValidityDurationSeconds,
|
||||
boolean trustedUserPresenceRequired,
|
||||
boolean userAuthenticationValidWhileOnBody,
|
||||
boolean invalidatedByBiometricEnrollment,
|
||||
long boundToSecureUserId,
|
||||
boolean criticalToDeviceEncryption,
|
||||
boolean userConfirmationRequired,
|
||||
boolean unlockedDeviceRequired) {
|
||||
boolean userConfirmationRequired) {
|
||||
mKeyValidityStart = Utils.cloneIfNotNull(keyValidityStart);
|
||||
mKeyValidityForOriginationEnd = Utils.cloneIfNotNull(keyValidityForOriginationEnd);
|
||||
mKeyValidityForConsumptionEnd = Utils.cloneIfNotNull(keyValidityForConsumptionEnd);
|
||||
@@ -269,8 +265,6 @@ public final class KeyProtection implements ProtectionParameter, UserAuthArgs {
|
||||
mBoundToSecureUserId = boundToSecureUserId;
|
||||
mCriticalToDeviceEncryption = criticalToDeviceEncryption;
|
||||
mUserConfirmationRequired = userConfirmationRequired;
|
||||
mTrustedUserPresenceRequired = trustedUserPresenceRequired;
|
||||
mUnlockedDeviceRequired = unlockedDeviceRequired;
|
||||
}
|
||||
|
||||
/**
|
||||
@@ -442,14 +436,6 @@ public final class KeyProtection implements ProtectionParameter, UserAuthArgs {
|
||||
return mUserAuthenticationValidityDurationSeconds;
|
||||
}
|
||||
|
||||
/**
|
||||
* Returns {@code true} if the key is authorized to be used only if a test of user presence has
|
||||
* been performed between the {@code Signature.initSign()} and {@code Signature.sign()} calls.
|
||||
*/
|
||||
public boolean isTrustedUserPresenceRequired() {
|
||||
return mTrustedUserPresenceRequired;
|
||||
}
|
||||
|
||||
/**
|
||||
* Returns {@code true} if the key will be de-authorized when the device is removed from the
|
||||
* user's body. This option has no effect on keys that don't have an authentication validity
|
||||
@@ -507,15 +493,6 @@ public final class KeyProtection implements ProtectionParameter, UserAuthArgs {
|
||||
return mCriticalToDeviceEncryption;
|
||||
}
|
||||
|
||||
/**
|
||||
* Returns {@code true} if the key cannot be used unless the device screen is unlocked.
|
||||
*
|
||||
* @see Builder#SetRequireDeviceUnlocked(boolean)
|
||||
*/
|
||||
public boolean isUnlockedDeviceRequired() {
|
||||
return mUnlockedDeviceRequired;
|
||||
}
|
||||
|
||||
/**
|
||||
* Builder of {@link KeyProtection} instances.
|
||||
*/
|
||||
@@ -535,9 +512,6 @@ public final class KeyProtection implements ProtectionParameter, UserAuthArgs {
|
||||
private boolean mUserAuthenticationValidWhileOnBody;
|
||||
private boolean mInvalidatedByBiometricEnrollment = true;
|
||||
private boolean mUserConfirmationRequired;
|
||||
private boolean mTrustedUserPresenceRequired = false;
|
||||
private boolean mUnlockedDeviceRequired = false;
|
||||
|
||||
private long mBoundToSecureUserId = GateKeeper.INVALID_SECURE_USER_ID;
|
||||
private boolean mCriticalToDeviceEncryption = false;
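Review bot: `mTrustedUserPresenceRequired` survives on the new side (the builder default in this hunk, the field at `@@ -229,8 +229,6 @@`, the constructor parameter at `@@ -244,13 +242,11 @@` and the `build()` argument at `@@ -958,13 +910,11 @@`), but the revert removes both `isTrustedUserPresenceRequired()` (`@@ -442,14 +436,6 @@`) and `Builder.setTrustedUserPresenceRequired()` (`@@ -836,16 +810,6 @@`). With no setter the value can only ever be `false`, and no reader of it is left anywhere in this diff, so KeyProtection now carries dead trusted-user-presence state that a later reader could mistake for a supported option. Either drop the field and constructor parameter together with the accessors, or keep the accessors; if the field is deliberately kept for a follow-up, a comment such as `// No accessor at present; always false.` on the field would record that.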
|
||||
|
||||
@@ -836,16 +810,6 @@ public final class KeyProtection implements ProtectionParameter, UserAuthArgs {
|
||||
return this;
|
||||
}
|
||||
|
||||
/**
|
||||
* Sets whether a test of user presence is required to be performed between the
|
||||
* {@code Signature.initSign()} and {@code Signature.sign()} method calls.
|
||||
*/
|
||||
@NonNull
|
||||
public Builder setTrustedUserPresenceRequired(boolean required) {
|
||||
mTrustedUserPresenceRequired = required;
|
||||
return this;
|
||||
}
|
||||
|
||||
/**
|
||||
* Sets whether the key will remain authorized only until the device is removed from the
|
||||
* user's body up to the limit of the authentication validity period (see
|
||||
@@ -927,18 +891,6 @@ public final class KeyProtection implements ProtectionParameter, UserAuthArgs {
|
||||
return this;
|
||||
}
|
||||
|
||||
/**
|
||||
* Sets whether the keystore requires the screen to be unlocked before allowing decryption
|
||||
* using this key. If this is set to {@code true}, any attempt to decrypt using this key
|
||||
* while the screen is locked will fail. A locked device requires a PIN, password,
|
||||
* fingerprint, or other trusted factor to access.
|
||||
*/
|
||||
@NonNull
|
||||
public Builder setUnlockedDeviceRequired(boolean unlockedDeviceRequired) {
|
||||
mUnlockedDeviceRequired = unlockedDeviceRequired;
|
||||
return this;
|
||||
}
|
||||
|
||||
/**
|
||||
* Builds an instance of {@link KeyProtection}.
|
||||
*
|
||||
@@ -958,13 +910,11 @@ public final class KeyProtection implements ProtectionParameter, UserAuthArgs {
|
||||
mRandomizedEncryptionRequired,
|
||||
mUserAuthenticationRequired,
|
||||
mUserAuthenticationValidityDurationSeconds,
|
||||
mTrustedUserPresenceRequired,
|
||||
mUserAuthenticationValidWhileOnBody,
|
||||
mInvalidatedByBiometricEnrollment,
|
||||
mBoundToSecureUserId,
|
||||
mCriticalToDeviceEncryption,
|
||||
mUserConfirmationRequired,
|
||||
mUnlockedDeviceRequired);
|
||||
mUserConfirmationRequired);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
@@ -18,7 +18,6 @@ package android.security.keystore;
|
||||
|
||||
import android.util.Log;
|
||||
import android.hardware.fingerprint.FingerprintManager;
|
||||
import android.os.UserHandle;
|
||||
import android.security.GateKeeper;
|
||||
import android.security.KeyStore;
|
||||
import android.security.keymaster.KeymasterArguments;
|
||||
@@ -102,27 +101,22 @@ public abstract class KeymasterUtils {
|
||||
* require user authentication.
|
||||
*/
|
||||
public static void addUserAuthArgs(KeymasterArguments args,
|
||||
UserAuthArgs spec) {
|
||||
if (spec.isTrustedUserPresenceRequired()) {
|
||||
args.addBoolean(KeymasterDefs.KM_TAG_TRUSTED_USER_PRESENCE_REQUIRED);
|
||||
}
|
||||
|
||||
if (spec.isUserConfirmationRequired()) {
|
||||
boolean userAuthenticationRequired,
|
||||
int userAuthenticationValidityDurationSeconds,
|
||||
boolean userAuthenticationValidWhileOnBody,
|
||||
boolean invalidatedByBiometricEnrollment,
|
||||
long boundToSpecificSecureUserId,
|
||||
boolean userConfirmationRequired) {
|
||||
if (userConfirmationRequired) {
|
||||
args.addBoolean(KeymasterDefs.KM_TAG_TRUSTED_CONFIRMATION_REQUIRED);
|
||||
}
|
||||
|
||||
if (spec.isUnlockedDeviceRequired()) {
|
||||
args.addBoolean(KeymasterDefs.KM_TAG_UNLOCKED_DEVICE_REQUIRED);
|
||||
// Once keymaster is properly ignoring this tag, it should be added to every auth list
|
||||
args.addUnsignedInt(KeymasterDefs.KM_TAG_USER_ID, UserHandle.getCallingUserId());
|
||||
}
|
||||
|
||||
if (!spec.isUserAuthenticationRequired()) {
|
||||
if (!userAuthenticationRequired) {
|
||||
args.addBoolean(KeymasterDefs.KM_TAG_NO_AUTH_REQUIRED);
|
||||
return;
|
||||
}
|
||||
|
||||
if (spec.getUserAuthenticationValidityDurationSeconds() == -1) {
|
||||
if (userAuthenticationValidityDurationSeconds == -1) {
|
||||
// Every use of this key needs to be authorized by the user. This currently means
|
||||
// fingerprint-only auth.
|
||||
FingerprintManager fingerprintManager =
|
||||
@@ -138,9 +132,9 @@ public abstract class KeymasterUtils {
|
||||
}
|
||||
|
||||
long sid;
|
||||
if (spec.getBoundToSpecificSecureUserId() != GateKeeper.INVALID_SECURE_USER_ID) {
|
||||
sid = spec.getBoundToSpecificSecureUserId();
|
||||
} else if (spec.isInvalidatedByBiometricEnrollment()) {
|
||||
if (boundToSpecificSecureUserId != GateKeeper.INVALID_SECURE_USER_ID) {
|
||||
sid = boundToSpecificSecureUserId;
|
||||
} else if (invalidatedByBiometricEnrollment) {
|
||||
// The fingerprint-only SID will change on fingerprint enrollment or removal of all,
|
||||
// enrolled fingerprints, invalidating the key.
|
||||
sid = fingerprintOnlySid;
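Review bot: On the new side `boundToSpecificSecureUserId` overrides the fingerprint-only SID in this hunk and the lock-screen SID in the `@@ -153,14 +147,14 @@` hunk whenever it differs from `GateKeeper.INVALID_SECURE_USER_ID`, so whoever supplies it decides which secure user id gates the key; the Javadoc of `addUserAuthArgs`, which begins outside the `@@ -102,27 +101,22 @@` hunk, should spell that out for the new positional parameter. I would add `@param boundToSpecificSecureUserId secure user id the key is bound to, or {@link GateKeeper#INVALID_SECURE_USER_ID} to derive it from the authentication policy below; any other value overrides both the fingerprint-only and lock-screen SIDs.` The method continues past the end of this hunk.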
|
||||
@@ -153,14 +147,14 @@ public abstract class KeymasterUtils {
|
||||
args.addUnsignedLong(
|
||||
KeymasterDefs.KM_TAG_USER_SECURE_ID, KeymasterArguments.toUint64(sid));
|
||||
args.addEnum(KeymasterDefs.KM_TAG_USER_AUTH_TYPE, KeymasterDefs.HW_AUTH_FINGERPRINT);
|
||||
if (spec.isUserAuthenticationValidWhileOnBody()) {
|
||||
if (userAuthenticationValidWhileOnBody) {
|
||||
throw new ProviderException("Key validity extension while device is on-body is not "
|
||||
+ "supported for keys requiring fingerprint authentication");
|
||||
}
|
||||
} else {
|
||||
long sid;
|
||||
if (spec.getBoundToSpecificSecureUserId() != GateKeeper.INVALID_SECURE_USER_ID) {
|
||||
sid = spec.getBoundToSpecificSecureUserId();
|
||||
if (boundToSpecificSecureUserId != GateKeeper.INVALID_SECURE_USER_ID) {
|
||||
sid = boundToSpecificSecureUserId;
|
||||
} else {
|
||||
// The key is authorized for use for the specified amount of time after the user has
|
||||
// authenticated. Whatever unlocks the secure lock screen should authorize this key.
|
||||
@@ -171,8 +165,8 @@ public abstract class KeymasterUtils {
|
||||
args.addEnum(KeymasterDefs.KM_TAG_USER_AUTH_TYPE,
|
||||
KeymasterDefs.HW_AUTH_PASSWORD | KeymasterDefs.HW_AUTH_FINGERPRINT);
|
||||
args.addUnsignedInt(KeymasterDefs.KM_TAG_AUTH_TIMEOUT,
|
||||
spec.getUserAuthenticationValidityDurationSeconds());
|
||||
if (spec.isUserAuthenticationValidWhileOnBody()) {
|
||||
userAuthenticationValidityDurationSeconds);
|
||||
if (userAuthenticationValidWhileOnBody) {
|
||||
args.addBoolean(KeymasterDefs.KM_TAG_ALLOW_WHILE_ON_BODY);
|
||||
}
|
||||
}
|
||||
|
||||
@@ -1,38 +0,0 @@
|
||||
/*
|
||||
* Copyright (C) 2017 The Android Open Source Project
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
package android.security.keystore;
|
||||
|
||||
/**
|
||||
* @hide
|
||||
*
|
||||
* This is an interface to encapsulate the user authentication arguments that
|
||||
* are passed to KeymasterUtils.addUserAuthArgs. Classes that represent
|
||||
* authorization characteristics for new or imported keys can implement this
|
||||
* interface to be passed to that method.
|
||||
*/
|
||||
public interface UserAuthArgs {
|
||||
|
||||
boolean isUserAuthenticationRequired();
|
||||
int getUserAuthenticationValidityDurationSeconds();
|
||||
boolean isUserAuthenticationValidWhileOnBody();
|
||||
boolean isInvalidatedByBiometricEnrollment();
|
||||
boolean isTrustedUserPresenceRequired();
|
||||
boolean isUnlockedDeviceRequired();
|
||||
boolean isUserConfirmationRequired();
|
||||
long getBoundToSpecificSecureUserId();
|
||||
|
||||
}
|
||||
@@ -421,7 +421,7 @@ public class FingerprintService extends SystemService implements IHwBinder.Death
|
||||
byteToken[i] = token.get(i);
|
||||
}
|
||||
// Send to Keystore
|
||||
KeyStore.getInstance().addAuthToken(byteToken, mCurrentUserId);
|
||||
KeyStore.getInstance().addAuthToken(byteToken);
|
||||
}
|
||||
if (client != null && client.onAuthenticated(fingerId, groupId)) {
|
||||
removeClient(client);
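Review bot: The return value of `KeyStore.getInstance().addAuthToken(byteToken)` is discarded, although the method's Javadoc in the KeyStore hunk (`@@ -621,9 +618,9 @@`) says it returns `KeyStore.NO_ERROR` on success and an error value otherwise. If the token never reaches keystore, the only symptom is a later key operation failing with a user-not-authenticated error, far from the cause, so logging the failure here is what makes that diagnosable. Something like `int rc = KeyStore.getInstance().addAuthToken(byteToken);` followed by a warning through this file's logger when `rc != KeyStore.NO_ERROR` would do. The enclosing method starts outside the hunk.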
|
||||
|
||||
@@ -19,8 +19,6 @@ package com.android.server.policy.keyguard;
|
||||
import android.app.ActivityManager;
|
||||
import android.content.Context;
|
||||
import android.os.RemoteException;
|
||||
import android.os.ServiceManager;
|
||||
import android.security.IKeystoreService;
|
||||
import android.util.Slog;
|
||||
|
||||
import com.android.internal.policy.IKeyguardService;
|
||||
@@ -53,16 +51,11 @@ public class KeyguardStateMonitor extends IKeyguardStateCallback.Stub {
|
||||
private final LockPatternUtils mLockPatternUtils;
|
||||
private final StateCallback mCallback;
|
||||
|
||||
IKeystoreService mKeystoreService;
|
||||
|
||||
public KeyguardStateMonitor(Context context, IKeyguardService service, StateCallback callback) {
|
||||
mLockPatternUtils = new LockPatternUtils(context);
|
||||
mCurrentUserId = ActivityManager.getCurrentUser();
|
||||
mCallback = callback;
|
||||
|
||||
mKeystoreService = IKeystoreService.Stub.asInterface(ServiceManager
|
||||
.getService("android.security.keystore"));
|
||||
|
||||
try {
|
||||
service.addStateMonitorCallback(this);
|
||||
} catch (RemoteException e) {
|
||||
@@ -93,12 +86,6 @@ public class KeyguardStateMonitor extends IKeyguardStateCallback.Stub {
|
||||
@Override // Binder interface
|
||||
public void onShowingStateChanged(boolean showing) {
|
||||
mIsShowing = showing;
|
||||
|
||||
if (showing) try {
|
||||
mKeystoreService.lock(mCurrentUserId); // as long as this doesn't recur...
|
||||
} catch (RemoteException e) {
|
||||
Slog.e(TAG, "Error locking keystore", e);
|
||||
}
|
||||
}
|
||||
|
||||
@Override // Binder interface
|
||||
|
||||