diff --git a/api/current.txt b/api/current.txt index 2336c161a4267..042360e6ff1b2 100644 --- a/api/current.txt +++ b/api/current.txt @@ -38445,7 +38445,6 @@ package android.security.keystore { method public boolean isRandomizedEncryptionRequired(); method public boolean isStrongBoxBacked(); method public boolean isTrustedUserPresenceRequired(); - method public boolean isUnlockedDeviceRequired(); method public boolean isUserAuthenticationRequired(); method public boolean isUserAuthenticationValidWhileOnBody(); method public boolean isUserConfirmationRequired(); @@ -38473,7 +38472,6 @@ package android.security.keystore { method public android.security.keystore.KeyGenParameterSpec.Builder setRandomizedEncryptionRequired(boolean); method public android.security.keystore.KeyGenParameterSpec.Builder setSignaturePaddings(java.lang.String...); method public android.security.keystore.KeyGenParameterSpec.Builder setTrustedUserPresenceRequired(boolean); - method public android.security.keystore.KeyGenParameterSpec.Builder setUnlockedDeviceRequired(boolean); method public android.security.keystore.KeyGenParameterSpec.Builder setUserAuthenticationRequired(boolean); method public android.security.keystore.KeyGenParameterSpec.Builder setUserAuthenticationValidWhileOnBody(boolean); method public android.security.keystore.KeyGenParameterSpec.Builder setUserAuthenticationValidityDurationSeconds(int); @@ -38565,8 +38563,6 @@ package android.security.keystore { method public boolean isDigestsSpecified(); method public boolean isInvalidatedByBiometricEnrollment(); method public boolean isRandomizedEncryptionRequired(); - method public boolean isTrustedUserPresenceRequired(); - method public boolean isUnlockedDeviceRequired(); method public boolean isUserAuthenticationRequired(); method public boolean isUserAuthenticationValidWhileOnBody(); method public boolean isUserConfirmationRequired(); 
@@ -38585,8 +38581,6 @@ package android.security.keystore { method public android.security.keystore.KeyProtection.Builder setKeyValidityStart(java.util.Date); method public android.security.keystore.KeyProtection.Builder setRandomizedEncryptionRequired(boolean); method public android.security.keystore.KeyProtection.Builder setSignaturePaddings(java.lang.String...); - method public android.security.keystore.KeyProtection.Builder setTrustedUserPresenceRequired(boolean); - method public android.security.keystore.KeyProtection.Builder setUnlockedDeviceRequired(boolean); method public android.security.keystore.KeyProtection.Builder setUserAuthenticationRequired(boolean); method public android.security.keystore.KeyProtection.Builder setUserAuthenticationValidWhileOnBody(boolean); method public android.security.keystore.KeyProtection.Builder setUserAuthenticationValidityDurationSeconds(int); diff --git a/core/java/android/security/keymaster/KeymasterDefs.java b/core/java/android/security/keymaster/KeymasterDefs.java index f4dcce1e7e58f..1d13335043508 100644 --- a/core/java/android/security/keymaster/KeymasterDefs.java +++ b/core/java/android/security/keymaster/KeymasterDefs.java @@ -75,7 +75,6 @@ public final class KeymasterDefs { public static final int KM_TAG_ALLOW_WHILE_ON_BODY = KM_BOOL | 506; public static final int KM_TAG_TRUSTED_USER_PRESENCE_REQUIRED = KM_BOOL | 507; public static final int KM_TAG_TRUSTED_CONFIRMATION_REQUIRED = KM_BOOL | 508; - public static final int KM_TAG_UNLOCKED_DEVICE_REQUIRED = KM_BOOL | 509; public static final int KM_TAG_ALL_APPLICATIONS = KM_BOOL | 600; public static final int KM_TAG_APPLICATION_ID = KM_BYTES | 601; 
@@ -217,7 +216,6 @@ public final class KeymasterDefs { public static final int KM_ERROR_MISSING_MIN_MAC_LENGTH = -58; public static final int KM_ERROR_UNSUPPORTED_MIN_MAC_LENGTH = -59; public static final int KM_ERROR_CANNOT_ATTEST_IDS = -66; - public static final int KM_ERROR_DEVICE_LOCKED = -72; public static final int KM_ERROR_UNIMPLEMENTED = -100; public static final int KM_ERROR_VERSION_MISMATCH = -101; public static final int KM_ERROR_UNKNOWN_ERROR = -1000; @@ -264,7 +262,6 @@ public final class KeymasterDefs { sErrorCodeToString.put(KM_ERROR_INVALID_MAC_LENGTH, "Invalid MAC or authentication tag length"); sErrorCodeToString.put(KM_ERROR_CANNOT_ATTEST_IDS, "Unable to attest device ids"); - sErrorCodeToString.put(KM_ERROR_DEVICE_LOCKED, "Device locked"); sErrorCodeToString.put(KM_ERROR_UNIMPLEMENTED, "Not implemented"); sErrorCodeToString.put(KM_ERROR_UNKNOWN_ERROR, "Unknown error"); } diff --git a/keystore/java/android/security/KeyStore.java b/keystore/java/android/security/KeyStore.java index e2aba04010360..ded427eb244a2 100644 --- a/keystore/java/android/security/KeyStore.java +++ b/keystore/java/android/security/KeyStore.java @@ -545,9 +545,7 @@ public class KeyStore { try { args = args != null ? args : new KeymasterArguments(); entropy = entropy != null ? entropy : new byte[0]; - OperationResult res = mBinder.begin(getToken(), alias, purpose, pruneable, args, entropy, uid); - // This result is -26 (KEY_USER_NOT_AUTHENTICATED) but why?? - return res; + return mBinder.begin(getToken(), alias, purpose, pruneable, args, entropy, uid); } catch (RemoteException e) { Log.w(TAG, "Cannot connect to keystore", e); return null; 
@@ -565,8 +563,7 @@ public class KeyStore { try { arguments = arguments != null ? arguments : new KeymasterArguments(); input = input != null ? input : new byte[0]; - OperationResult res = mBinder.update(token, arguments, input); - return res; + return mBinder.update(token, arguments, input); } catch (RemoteException e) { Log.w(TAG, "Cannot connect to keystore", e); return null; @@ -621,9 +618,9 @@ public class KeyStore { * @return {@code KeyStore.NO_ERROR} on success, otherwise an error value corresponding to * a {@code KeymasterDefs.KM_ERROR_} value or {@code KeyStore} ResponseCode. */ - public int addAuthToken(byte[] authToken, int userId) { + public int addAuthToken(byte[] authToken) { try { - return mBinder.addAuthToken(authToken, userId); + return mBinder.addAuthToken(authToken); } catch (RemoteException e) { Log.w(TAG, "Cannot connect to keystore", e); return SYSTEM_ERROR; @@ -835,14 +832,14 @@ public class KeyStore { public InvalidKeyException getInvalidKeyException( String keystoreKeyAlias, int uid, KeyStoreException e) { switch (e.getErrorCode()) { - case LOCKED: // 2 + case LOCKED: return new UserNotAuthenticatedException(); - case KeymasterDefs.KM_ERROR_KEY_EXPIRED: // -25 + case KeymasterDefs.KM_ERROR_KEY_EXPIRED: return new KeyExpiredException(); - case KeymasterDefs.KM_ERROR_KEY_NOT_YET_VALID: // -2 + case KeymasterDefs.KM_ERROR_KEY_NOT_YET_VALID: return new KeyNotYetValidException(); - case KeymasterDefs.KM_ERROR_KEY_USER_NOT_AUTHENTICATED: // -26 - case OP_AUTH_NEEDED: // 15 + case KeymasterDefs.KM_ERROR_KEY_USER_NOT_AUTHENTICATED: + case OP_AUTH_NEEDED: { // We now need to determine whether the key/operation can become usable if user // authentication is performed, or whether it can never become usable again. 
@@ -882,7 +879,7 @@ public class KeyStore { // None of the key's SIDs can ever be authenticated return new KeyPermanentlyInvalidatedException(); } - case UNINITIALIZED: // 3 + case UNINITIALIZED: return new KeyPermanentlyInvalidatedException(); default: return new InvalidKeyException("Keystore operation failed", e); diff --git a/keystore/java/android/security/keystore/AndroidKeyStoreKeyGeneratorSpi.java b/keystore/java/android/security/keystore/AndroidKeyStoreKeyGeneratorSpi.java index 419eb24e1cc1c..09b3b9b523b42 100644 --- a/keystore/java/android/security/keystore/AndroidKeyStoreKeyGeneratorSpi.java +++ b/keystore/java/android/security/keystore/AndroidKeyStoreKeyGeneratorSpi.java @@ -243,7 +243,13 @@ public abstract class AndroidKeyStoreKeyGeneratorSpi extends KeyGeneratorSpi { // Check that user authentication related parameters are acceptable. This method // will throw an IllegalStateException if there are issues (e.g., secure lock screen // not set up). - KeymasterUtils.addUserAuthArgs(new KeymasterArguments(), spec); + KeymasterUtils.addUserAuthArgs(new KeymasterArguments(), + spec.isUserAuthenticationRequired(), + spec.getUserAuthenticationValidityDurationSeconds(), + spec.isUserAuthenticationValidWhileOnBody(), + spec.isInvalidatedByBiometricEnrollment(), + GateKeeper.INVALID_SECURE_USER_ID /* boundToSpecificSecureUserId */, + spec.isUserConfirmationRequired()); } catch (IllegalStateException | IllegalArgumentException e) { throw new InvalidAlgorithmParameterException(e); } 
@@ -279,7 +285,16 @@ public abstract class AndroidKeyStoreKeyGeneratorSpi extends KeyGeneratorSpi { args.addEnums(KeymasterDefs.KM_TAG_BLOCK_MODE, mKeymasterBlockModes); args.addEnums(KeymasterDefs.KM_TAG_PADDING, mKeymasterPaddings); args.addEnums(KeymasterDefs.KM_TAG_DIGEST, mKeymasterDigests); - KeymasterUtils.addUserAuthArgs(args, spec); + KeymasterUtils.addUserAuthArgs(args, + spec.isUserAuthenticationRequired(), + spec.getUserAuthenticationValidityDurationSeconds(), + spec.isUserAuthenticationValidWhileOnBody(), + spec.isInvalidatedByBiometricEnrollment(), + GateKeeper.INVALID_SECURE_USER_ID /* boundToSpecificSecureUserId */, + spec.isUserConfirmationRequired()); + if (spec.isTrustedUserPresenceRequired()) { + args.addBoolean(KeymasterDefs.KM_TAG_TRUSTED_USER_PRESENCE_REQUIRED); + } KeymasterUtils.addMinMacLengthAuthorizationIfNecessary( args, mKeymasterAlgorithm, diff --git a/keystore/java/android/security/keystore/AndroidKeyStoreKeyPairGeneratorSpi.java b/keystore/java/android/security/keystore/AndroidKeyStoreKeyPairGeneratorSpi.java index d68a33de2c611..e33e3cd4e92b3 100644 --- a/keystore/java/android/security/keystore/AndroidKeyStoreKeyPairGeneratorSpi.java +++ b/keystore/java/android/security/keystore/AndroidKeyStoreKeyPairGeneratorSpi.java 
@@ -344,7 +344,13 @@ public abstract class AndroidKeyStoreKeyPairGeneratorSpi extends KeyPairGenerato // Check that user authentication related parameters are acceptable. This method // will throw an IllegalStateException if there are issues (e.g., secure lock screen // not set up). - KeymasterUtils.addUserAuthArgs(new KeymasterArguments(), mSpec); + KeymasterUtils.addUserAuthArgs(new KeymasterArguments(), + mSpec.isUserAuthenticationRequired(), + mSpec.getUserAuthenticationValidityDurationSeconds(), + mSpec.isUserAuthenticationValidWhileOnBody(), + mSpec.isInvalidatedByBiometricEnrollment(), + GateKeeper.INVALID_SECURE_USER_ID /* boundToSpecificSecureUserId */, + mSpec.isUserConfirmationRequired()); } catch (IllegalArgumentException | IllegalStateException e) { throw new InvalidAlgorithmParameterException(e); } @@ -535,7 +541,13 @@ public abstract class AndroidKeyStoreKeyPairGeneratorSpi extends KeyPairGenerato args.addEnums(KeymasterDefs.KM_TAG_PADDING, mKeymasterSignaturePaddings); args.addEnums(KeymasterDefs.KM_TAG_DIGEST, mKeymasterDigests); - KeymasterUtils.addUserAuthArgs(args, mSpec); + KeymasterUtils.addUserAuthArgs(args, + mSpec.isUserAuthenticationRequired(), + mSpec.getUserAuthenticationValidityDurationSeconds(), + mSpec.isUserAuthenticationValidWhileOnBody(), + mSpec.isInvalidatedByBiometricEnrollment(), + GateKeeper.INVALID_SECURE_USER_ID /* boundToSpecificSecureUserId */, + mSpec.isUserConfirmationRequired()); args.addDateIfNotNull(KeymasterDefs.KM_TAG_ACTIVE_DATETIME, mSpec.getKeyValidityStart()); args.addDateIfNotNull(KeymasterDefs.KM_TAG_ORIGINATION_EXPIRE_DATETIME, mSpec.getKeyValidityForOriginationEnd()); diff --git a/keystore/java/android/security/keystore/AndroidKeyStoreSpi.java b/keystore/java/android/security/keystore/AndroidKeyStoreSpi.java index fc86ca0443b01..05cc74a0bec95 100644 --- a/keystore/java/android/security/keystore/AndroidKeyStoreSpi.java +++ b/keystore/java/android/security/keystore/AndroidKeyStoreSpi.java 
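Review bot: In the key-pair generation hunk at +541, nothing in the visible lines adds `KM_TAG_TRUSTED_USER_PRESENCE_REQUIRED`, and after this commit `KeymasterUtils.addUserAuthArgs` no longer adds it either. The symmetric generator (`AndroidKeyStoreKeyGeneratorSpi`, hunk at +285) re-adds the tag at its call site. Unless this method does the same outside the hunk, a key pair requested with `setTrustedUserPresenceRequired(true)` would be generated without that restriction and without any error. I would add `if (mSpec.isTrustedUserPresenceRequired()) { args.addBoolean(KeymasterDefs.KM_TAG_TRUSTED_USER_PRESENCE_REQUIRED); }` directly after the `addUserAuthArgs` call, or confirm it is already present. The enclosing method starts and ends outside the hunk.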
@@ -497,7 +497,13 @@ public class AndroidKeyStoreSpi extends KeyStoreSpi { importArgs.addEnums(KeymasterDefs.KM_TAG_PADDING, keymasterEncryptionPaddings); importArgs.addEnums(KeymasterDefs.KM_TAG_PADDING, KeyProperties.SignaturePadding.allToKeymaster(spec.getSignaturePaddings())); - KeymasterUtils.addUserAuthArgs(importArgs, spec); + KeymasterUtils.addUserAuthArgs(importArgs, + spec.isUserAuthenticationRequired(), + spec.getUserAuthenticationValidityDurationSeconds(), + spec.isUserAuthenticationValidWhileOnBody(), + spec.isInvalidatedByBiometricEnrollment(), + spec.getBoundToSpecificSecureUserId(), + spec.isUserConfirmationRequired()); importArgs.addDateIfNotNull(KeymasterDefs.KM_TAG_ACTIVE_DATETIME, spec.getKeyValidityStart()); importArgs.addDateIfNotNull(KeymasterDefs.KM_TAG_ORIGINATION_EXPIRE_DATETIME, @@ -694,7 +700,13 @@ public class AndroidKeyStoreSpi extends KeyStoreSpi { int[] keymasterPaddings = KeyProperties.EncryptionPadding.allToKeymaster( params.getEncryptionPaddings()); args.addEnums(KeymasterDefs.KM_TAG_PADDING, keymasterPaddings); - KeymasterUtils.addUserAuthArgs(args, params); + KeymasterUtils.addUserAuthArgs(args, + params.isUserAuthenticationRequired(), + params.getUserAuthenticationValidityDurationSeconds(), + params.isUserAuthenticationValidWhileOnBody(), + params.isInvalidatedByBiometricEnrollment(), + params.getBoundToSpecificSecureUserId(), + params.isUserConfirmationRequired()); KeymasterUtils.addMinMacLengthAuthorizationIfNecessary( args, keymasterAlgorithm, diff --git a/keystore/java/android/security/keystore/KeyGenParameterSpec.java b/keystore/java/android/security/keystore/KeyGenParameterSpec.java index d0814c6f2f933..da23c70f58bb7 100644 --- a/keystore/java/android/security/keystore/KeyGenParameterSpec.java +++ b/keystore/java/android/security/keystore/KeyGenParameterSpec.java 
@@ -21,7 +21,6 @@ import android.annotation.NonNull; import android.annotation.Nullable; import android.app.KeyguardManager; import android.hardware.fingerprint.FingerprintManager; -import android.security.GateKeeper; import android.security.KeyStore; import android.text.TextUtils; @@ -233,7 +232,7 @@ import javax.security.auth.x500.X500Principal; * key = (SecretKey) keyStore.getKey("key2", null); * } */ -public final class KeyGenParameterSpec implements AlgorithmParameterSpec, UserAuthArgs { +public final class KeyGenParameterSpec implements AlgorithmParameterSpec { private static final X500Principal DEFAULT_CERT_SUBJECT = new X500Principal("CN=fake"); private static final BigInteger DEFAULT_CERT_SERIAL_NUMBER = new BigInteger("1"); @@ -266,7 +265,6 @@ public final class KeyGenParameterSpec implements AlgorithmParameterSpec, UserAu private final boolean mInvalidatedByBiometricEnrollment; private final boolean mIsStrongBoxBacked; private final boolean mUserConfirmationRequired; - private final boolean mUnlockedDeviceRequired; /** * @hide should be built with Builder @@ -297,8 +295,7 @@ public final class KeyGenParameterSpec implements AlgorithmParameterSpec, UserAu boolean userAuthenticationValidWhileOnBody, boolean invalidatedByBiometricEnrollment, boolean isStrongBoxBacked, - boolean userConfirmationRequired, - boolean unlockedDeviceRequired) { + boolean userConfirmationRequired) { if (TextUtils.isEmpty(keyStoreAlias)) { throw new IllegalArgumentException("keyStoreAlias must not be empty"); } @@ -347,7 +344,6 @@ public final class KeyGenParameterSpec implements AlgorithmParameterSpec, UserAu mInvalidatedByBiometricEnrollment = invalidatedByBiometricEnrollment; mIsStrongBoxBacked = isStrongBoxBacked; mUserConfirmationRequired = userConfirmationRequired; - mUnlockedDeviceRequired = unlockedDeviceRequired; } /** 
@@ -672,22 +668,6 @@ public final class KeyGenParameterSpec implements AlgorithmParameterSpec, UserAu return mIsStrongBoxBacked; } - /** - * Returns {@code true} if the key cannot be used unless the device screen is unlocked. - * - * @see Builder#SetUnlockedDeviceRequired(boolean) - */ - public boolean isUnlockedDeviceRequired() { - return mUnlockedDeviceRequired; - } - - /** - * @hide - */ - public long getBoundToSpecificSecureUserId() { - return GateKeeper.INVALID_SECURE_USER_ID; - } - /** * Builder of {@link KeyGenParameterSpec} instances. */ @@ -719,7 +699,6 @@ public final class KeyGenParameterSpec implements AlgorithmParameterSpec, UserAu private boolean mInvalidatedByBiometricEnrollment = true; private boolean mIsStrongBoxBacked = false; private boolean mUserConfirmationRequired; - private boolean mUnlockedDeviceRequired = false; /** * Creates a new instance of the {@code Builder}. @@ -1287,18 +1266,6 @@ public final class KeyGenParameterSpec implements AlgorithmParameterSpec, UserAu return this; } - /** - * Sets whether the keystore requires the screen to be unlocked before allowing decryption - * using this key. If this is set to {@code true}, any attempt to decrypt using this key - * while the screen is locked will fail. A locked device requires a PIN, password, - * fingerprint, or other trusted factor to access. - */ - @NonNull - public Builder setUnlockedDeviceRequired(boolean unlockedDeviceRequired) { - mUnlockedDeviceRequired = unlockedDeviceRequired; - return this; - } - /** * Builds an instance of {@code KeyGenParameterSpec}. */ @@ -1330,8 +1297,7 @@ public final class KeyGenParameterSpec implements AlgorithmParameterSpec, UserAu mUserAuthenticationValidWhileOnBody, mInvalidatedByBiometricEnrollment, mIsStrongBoxBacked, - mUserConfirmationRequired, - mUnlockedDeviceRequired); + mUserConfirmationRequired); } } } 
diff --git a/keystore/java/android/security/keystore/KeyProtection.java b/keystore/java/android/security/keystore/KeyProtection.java index 7f8259b899628..b5b328192f211 100644 --- a/keystore/java/android/security/keystore/KeyProtection.java +++ b/keystore/java/android/security/keystore/KeyProtection.java @@ -212,7 +212,7 @@ import javax.crypto.Mac; * ... * } */ -public final class KeyProtection implements ProtectionParameter, UserAuthArgs { +public final class KeyProtection implements ProtectionParameter { private final Date mKeyValidityStart; private final Date mKeyValidityForOriginationEnd; private final Date mKeyValidityForConsumptionEnd; @@ -229,8 +229,6 @@ public final class KeyProtection implements ProtectionParameter, UserAuthArgs { private final long mBoundToSecureUserId; private final boolean mCriticalToDeviceEncryption; private final boolean mUserConfirmationRequired; - private final boolean mTrustedUserPresenceRequired; - private final boolean mUnlockedDeviceRequired; private KeyProtection( Date keyValidityStart, @@ -244,13 +242,11 @@ public final class KeyProtection implements ProtectionParameter, UserAuthArgs { boolean randomizedEncryptionRequired, boolean userAuthenticationRequired, int userAuthenticationValidityDurationSeconds, - boolean trustedUserPresenceRequired, boolean userAuthenticationValidWhileOnBody, boolean invalidatedByBiometricEnrollment, long boundToSecureUserId, boolean criticalToDeviceEncryption, - boolean userConfirmationRequired, - boolean unlockedDeviceRequired) { + boolean userConfirmationRequired) { mKeyValidityStart = Utils.cloneIfNotNull(keyValidityStart); mKeyValidityForOriginationEnd = Utils.cloneIfNotNull(keyValidityForOriginationEnd); mKeyValidityForConsumptionEnd = Utils.cloneIfNotNull(keyValidityForConsumptionEnd); 
@@ -269,8 +265,6 @@ public final class KeyProtection implements ProtectionParameter, UserAuthArgs { mBoundToSecureUserId = boundToSecureUserId; mCriticalToDeviceEncryption = criticalToDeviceEncryption; mUserConfirmationRequired = userConfirmationRequired; - mTrustedUserPresenceRequired = trustedUserPresenceRequired; - mUnlockedDeviceRequired = unlockedDeviceRequired; } /** @@ -442,14 +436,6 @@ public final class KeyProtection implements ProtectionParameter, UserAuthArgs { return mUserAuthenticationValidityDurationSeconds; } - /** - * Returns {@code true} if the key is authorized to be used only if a test of user presence has - * been performed between the {@code Signature.initSign()} and {@code Signature.sign()} calls. - */ - public boolean isTrustedUserPresenceRequired() { - return mTrustedUserPresenceRequired; - } - /** * Returns {@code true} if the key will be de-authorized when the device is removed from the * user's body. This option has no effect on keys that don't have an authentication validity @@ -507,15 +493,6 @@ public final class KeyProtection implements ProtectionParameter, UserAuthArgs { return mCriticalToDeviceEncryption; } - /** - * Returns {@code true} if the key cannot be used unless the device screen is unlocked. - * - * @see Builder#SetRequireDeviceUnlocked(boolean) - */ - public boolean isUnlockedDeviceRequired() { - return mUnlockedDeviceRequired; - } - /** * Builder of {@link KeyProtection} instances. */ @@ -535,9 +512,6 @@ public final class KeyProtection implements ProtectionParameter, UserAuthArgs { private boolean mUserAuthenticationValidWhileOnBody; private boolean mInvalidatedByBiometricEnrollment = true; private boolean mUserConfirmationRequired; - private boolean mTrustedUserPresenceRequired = false; - private boolean mUnlockedDeviceRequired = false; - private long mBoundToSecureUserId = GateKeeper.INVALID_SECURE_USER_ID; private boolean mCriticalToDeviceEncryption = false; 
@@ -836,16 +810,6 @@ public final class KeyProtection implements ProtectionParameter, UserAuthArgs { return this; } - /** - * Sets whether a test of user presence is required to be performed between the - * {@code Signature.initSign()} and {@code Signature.sign()} method calls. - */ - @NonNull - public Builder setTrustedUserPresenceRequired(boolean required) { - mTrustedUserPresenceRequired = required; - return this; - } - /** * Sets whether the key will remain authorized only until the device is removed from the * user's body up to the limit of the authentication validity period (see @@ -927,18 +891,6 @@ public final class KeyProtection implements ProtectionParameter, UserAuthArgs { return this; } - /** - * Sets whether the keystore requires the screen to be unlocked before allowing decryption - * using this key. If this is set to {@code true}, any attempt to decrypt using this key - * while the screen is locked will fail. A locked device requires a PIN, password, - * fingerprint, or other trusted factor to access. - */ - @NonNull - public Builder setUnlockedDeviceRequired(boolean unlockedDeviceRequired) { - mUnlockedDeviceRequired = unlockedDeviceRequired; - return this; - } - /** * Builds an instance of {@link KeyProtection}. * @@ -958,13 +910,11 @@ public final class KeyProtection implements ProtectionParameter, UserAuthArgs { mRandomizedEncryptionRequired, mUserAuthenticationRequired, mUserAuthenticationValidityDurationSeconds, - mTrustedUserPresenceRequired, mUserAuthenticationValidWhileOnBody, mInvalidatedByBiometricEnrollment, mBoundToSecureUserId, mCriticalToDeviceEncryption, - mUserConfirmationRequired, - mUnlockedDeviceRequired); + mUserConfirmationRequired); } } } diff --git a/keystore/java/android/security/keystore/KeymasterUtils.java b/keystore/java/android/security/keystore/KeymasterUtils.java index 5bd0e7406ff9b..4e28601f17a11 100644 --- a/keystore/java/android/security/keystore/KeymasterUtils.java 
+++ b/keystore/java/android/security/keystore/KeymasterUtils.java @@ -18,7 +18,6 @@ package android.security.keystore; import android.util.Log; import android.hardware.fingerprint.FingerprintManager; -import android.os.UserHandle; import android.security.GateKeeper; import android.security.KeyStore; import android.security.keymaster.KeymasterArguments; @@ -102,27 +101,22 @@ public abstract class KeymasterUtils { * require user authentication. */ public static void addUserAuthArgs(KeymasterArguments args, - UserAuthArgs spec) { - if (spec.isTrustedUserPresenceRequired()) { - args.addBoolean(KeymasterDefs.KM_TAG_TRUSTED_USER_PRESENCE_REQUIRED); - } - - if (spec.isUserConfirmationRequired()) { + boolean userAuthenticationRequired, + int userAuthenticationValidityDurationSeconds, + boolean userAuthenticationValidWhileOnBody, + boolean invalidatedByBiometricEnrollment, + long boundToSpecificSecureUserId, + boolean userConfirmationRequired) { + if (userConfirmationRequired) { args.addBoolean(KeymasterDefs.KM_TAG_TRUSTED_CONFIRMATION_REQUIRED); } - if (spec.isUnlockedDeviceRequired()) { - args.addBoolean(KeymasterDefs.KM_TAG_UNLOCKED_DEVICE_REQUIRED); - // Once keymaster is properly ignoring this tag, it should be added to every auth list - args.addUnsignedInt(KeymasterDefs.KM_TAG_USER_ID, UserHandle.getCallingUserId()); - } - - if (!spec.isUserAuthenticationRequired()) { + if (!userAuthenticationRequired) { args.addBoolean(KeymasterDefs.KM_TAG_NO_AUTH_REQUIRED); return; } - if (spec.getUserAuthenticationValidityDurationSeconds() == -1) { + if (userAuthenticationValidityDurationSeconds == -1) { // Every use of this key needs to be authorized by the user. This currently means // fingerprint-only auth. FingerprintManager fingerprintManager = 
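Review bot: The new `addUserAuthArgs` signature in the hunk at +101 takes four positional booleans plus an int and a long, and the visible part of its Javadoc has no `@param` entries. A transposed argument at any of the six call sites (the two generator files and `AndroidKeyStoreSpi`) would still compile and would silently change a key's authorization. I would document each parameter, in particular that `userAuthenticationValidityDurationSeconds == -1` means every use must be authorized, and that `boundToSpecificSecureUserId` is only used when it differs from `GateKeeper.INVALID_SECURE_USER_ID`. It is also worth stating that `userConfirmationRequired` is applied before the early return taken when user authentication is not required. The Javadoc begins above the hunk and the method body continues into the following hunks.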
@@ -138,9 +132,9 @@ public abstract class KeymasterUtils { } long sid; - if (spec.getBoundToSpecificSecureUserId() != GateKeeper.INVALID_SECURE_USER_ID) { - sid = spec.getBoundToSpecificSecureUserId(); - } else if (spec.isInvalidatedByBiometricEnrollment()) { + if (boundToSpecificSecureUserId != GateKeeper.INVALID_SECURE_USER_ID) { + sid = boundToSpecificSecureUserId; + } else if (invalidatedByBiometricEnrollment) { // The fingerprint-only SID will change on fingerprint enrollment or removal of all, // enrolled fingerprints, invalidating the key. sid = fingerprintOnlySid; @@ -153,14 +147,14 @@ public abstract class KeymasterUtils { args.addUnsignedLong( KeymasterDefs.KM_TAG_USER_SECURE_ID, KeymasterArguments.toUint64(sid)); args.addEnum(KeymasterDefs.KM_TAG_USER_AUTH_TYPE, KeymasterDefs.HW_AUTH_FINGERPRINT); - if (spec.isUserAuthenticationValidWhileOnBody()) { + if (userAuthenticationValidWhileOnBody) { throw new ProviderException("Key validity extension while device is on-body is not " + "supported for keys requiring fingerprint authentication"); } } else { long sid; - if (spec.getBoundToSpecificSecureUserId() != GateKeeper.INVALID_SECURE_USER_ID) { - sid = spec.getBoundToSpecificSecureUserId(); + if (boundToSpecificSecureUserId != GateKeeper.INVALID_SECURE_USER_ID) { + sid = boundToSpecificSecureUserId; } else { // The key is authorized for use for the specified amount of time after the user has // authenticated. Whatever unlocks the secure lock screen should authorize this key. 
@@ -171,8 +165,8 @@ public abstract class KeymasterUtils { args.addEnum(KeymasterDefs.KM_TAG_USER_AUTH_TYPE, KeymasterDefs.HW_AUTH_PASSWORD | KeymasterDefs.HW_AUTH_FINGERPRINT); args.addUnsignedInt(KeymasterDefs.KM_TAG_AUTH_TIMEOUT, - spec.getUserAuthenticationValidityDurationSeconds()); - if (spec.isUserAuthenticationValidWhileOnBody()) { + userAuthenticationValidityDurationSeconds); + if (userAuthenticationValidWhileOnBody) { args.addBoolean(KeymasterDefs.KM_TAG_ALLOW_WHILE_ON_BODY); } } diff --git a/keystore/java/android/security/keystore/UserAuthArgs.java b/keystore/java/android/security/keystore/UserAuthArgs.java deleted file mode 100644 index 3a7017ecaa88b..0000000000000 --- a/keystore/java/android/security/keystore/UserAuthArgs.java +++ /dev/null 
@@ -1,38 +0,0 @@ -/* - * Copyright (C) 2017 The Android Open Source Project - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -package android.security.keystore; - -/** - * @hide - * - * This is an interface to encapsulate the user authentication arguments that - * are passed to KeymasterUtils.addUserAuthArgs. Classes that represent - * authorization characteristics for new or imported keys can implement this - * interface to be passed to that method. - */ -public interface UserAuthArgs { - - boolean isUserAuthenticationRequired(); - int getUserAuthenticationValidityDurationSeconds(); - boolean isUserAuthenticationValidWhileOnBody(); - boolean isInvalidatedByBiometricEnrollment(); - boolean isTrustedUserPresenceRequired(); - boolean isUnlockedDeviceRequired(); - boolean isUserConfirmationRequired(); - long getBoundToSpecificSecureUserId(); - -} diff --git a/services/core/java/com/android/server/fingerprint/FingerprintService.java b/services/core/java/com/android/server/fingerprint/FingerprintService.java index 25a2100ff885e..b5f94b1ce384a 100644 --- a/services/core/java/com/android/server/fingerprint/FingerprintService.java +++ b/services/core/java/com/android/server/fingerprint/FingerprintService.java 
@@ -421,7 +421,7 @@ public class FingerprintService extends SystemService implements IHwBinder.Death byteToken[i] = token.get(i); } // Send to Keystore - KeyStore.getInstance().addAuthToken(byteToken, mCurrentUserId); + KeyStore.getInstance().addAuthToken(byteToken); } if (client != null && client.onAuthenticated(fingerId, groupId)) { removeClient(client); diff --git a/services/core/java/com/android/server/policy/keyguard/KeyguardStateMonitor.java b/services/core/java/com/android/server/policy/keyguard/KeyguardStateMonitor.java index efcadadce3f91..941cd4441e23a 100644 --- a/services/core/java/com/android/server/policy/keyguard/KeyguardStateMonitor.java +++ b/services/core/java/com/android/server/policy/keyguard/KeyguardStateMonitor.java @@ -19,8 +19,6 @@ package com.android.server.policy.keyguard; import android.app.ActivityManager; import android.content.Context; import android.os.RemoteException; -import android.os.ServiceManager; -import android.security.IKeystoreService; import android.util.Slog; import com.android.internal.policy.IKeyguardService; @@ -53,16 +51,11 @@ public class KeyguardStateMonitor extends IKeyguardStateCallback.Stub { private final LockPatternUtils mLockPatternUtils; private final StateCallback mCallback; - IKeystoreService mKeystoreService; - public KeyguardStateMonitor(Context context, IKeyguardService service, StateCallback callback) { mLockPatternUtils = new LockPatternUtils(context); mCurrentUserId = ActivityManager.getCurrentUser(); mCallback = callback; - mKeystoreService = IKeystoreService.Stub.asInterface(ServiceManager - .getService("android.security.keystore")); - try { service.addStateMonitorCallback(this); } catch (RemoteException e) { 
@@ -93,12 +86,6 @@ public class KeyguardStateMonitor extends IKeyguardStateCallback.Stub { @Override // Binder interface public void onShowingStateChanged(boolean showing) { mIsShowing = showing; - - if (showing) try { - mKeystoreService.lock(mCurrentUserId); // as long as this doesn't recur... - } catch (RemoteException e) { - Slog.e(TAG, "Error locking keystore", e); - } } @Override // Binder interface