This patch evolves the Crypto SPI to use the new Keystore 2.0 shim.
The main changes are:
* The SPI uses the AIDL defined KeyParameter instead of
KeymasterArguments.
* Operations are created directly from the KeystoreSecurityLevel that
is part of the AndroidKeyStoreKey object.
Also this patch deletes the DelegatingX509Certificate class. This is no
longer needed, because public key operations are no longer performed by
Keystore 2.0. We can delegate public certificate operations simply by
wrapping such certificates into public keys that are understood by other
providers, such as BouncyCastle.
Bug: 159476414
Test: None
Change-Id: Ice874a8121d80bf788da059b4e8420c7dd799d81
The wire type for key parameters is now generated from AIDL rather than
the hand written parcelable KeymasterArguments. So we need some of the
utilities for creating key parameters that the latter provided.
We also nicked some utility functions from KeymasterUtils.
Bug: 159476414
Test: None
Change-Id: I12c674b6a00dd3abbed4972d80ceb766a73881e8
This patch makes the chunked streamer observe the simplified
Keystore 2.0 operation interface. Keystore is now required to consume
all supplied data or reject data outright if too much (more than 32KiB)
is supplied in a single transaction. This allows for a simplified
streamer logic and a simplified interface. We also no longer send
entropy to Keystore. This will be handled by the Keystore 2.0 daemon.
Test: None
Bug: 159476414
Change-Id: Ie75d10fd5d5ac0da60e23e35467d0a7873230dea
Keystore 2.0 no longer reports an error code if an operation
requires user authorization. Instead this is indicated by sending us
an operation challenge. In that case we have to check if the
authorization can possibly succeed. We changed the utility class by
adding a predicate function that checks exactly that, and we handle
other errors separately instead of having one exception handling path
that does all.
Test: None
Bug: 159476414
Change-Id: I9a373cf8f0a0b181df54c26fe314d71b6835bb97
KeyStoreKeys can now be constructed from key entry metadata and key
descriptors as defined by the new Keystore AIDL spec.
AndroidKeystorePublicKey can now create the private key proxy.
KeyStoreKeys also cache the key characteristics, which should drastically
reduce the frequency with which the SPI has to call into the Keystore 2.0
daemon.
Test: None
Bug: 159476414
Change-Id: Ia0a7841582621897760be49d39dd5442b70b3aa0
This patch adds a shim around the Keystore 2.0 AIDL spec. The new shim
is modularized like the AIDL spec into the base Keystore module
Keystore2, the security level specific interface KeystoreSecurityLevel,
and the operation specific interface KeystoreOperation.
Other system maintenance specific interfaces have yet to be added.
Bug: 159476414
Bug: 171305684
Test: None
Change-Id: I070f73739e4b37ce10568939ac666e40b14a52a8
This patch copies the relevant portion of the Keystore SPI to the new
package name android.security.keystore2. The purpose of this is to
illustrate the evolution from the existing Keystore SPI to the
Keystore 2.0 SPI while keeping the existing Keystore SPI intact.
Reviewers are advised to check the equivalence of this code to the
corresponding files in
android/security/keystore (<-- no 2 here).
Subsequent patches can then be reviewed as evolution towards the new SPI
rather than completely new code.
Test: None. When the evolution is complete, Keystore CTS tests can be
used to check for regressions.
Bug: 159476414
Change-Id: I21a01a679e789868ce820b5f73221e616a456a61
This patch adds a forEach function for int arrays to
android.security.keystore.ArrayUtils. It is a utility function intended
for use in Keystore 2.0 key parameter handling.
Test: None
Change-Id: I2c02b300ee68fcd548c128deb0266fe603226807
This patch adds set/getSecurityLevel to KeyInfo and KeyGenParameterSpec
and it deprecates the superseded function isInSecureHardware.
It also deprecates the system API set/getUid and replaces it with the
more generic set/getNamespace.
Test: None
Change-Id: Id2f54596510954862b5077a935f3daf07211f29c
In anticipation of the new Keystore 2.0 SPI we made this nested class
public (like its siblings) so that the new SPI which resides in a
different package may access it. It is hidden though because it does not
constitute public API surface.
Test: None
Bug: 171305684
Change-Id: I1dbe3d02c03f97f843813c26c16aaef7152ca478
This patch adds the SecurityLevelEnum to KeyProperties. This enum can be
used by the public API surface to express the level of enforcement of key
properties, and to select a designated residence for a newly generated
or imported key.
The values UNKNOWN and UNKNOWN_SECURE are used to convey to older target
API levels values that had not been defined when they were published.
Test: None
Change-Id: I88681f21b8a8ea9a383d32ba99f3ab7d7c8909c3
These are APIs that have @UnsupportedAppUsage but for which we don't
have any evidence of them currently being used, so should be safe to
remove from the unsupported list.
Bug: 170729553
Test: Treehugger
Merged-In: I626caf7c1fe46c5ab1f39c2895b42a34319f771a
Change-Id: I54e5ecd11e76ca1de3c5893e3a98b0108e735413
The encryption-required flag, which is only available in the already
deprecated APIs KeyPairGeneratorSpec and KeyStoreParameter, will be ignored
from Android S. Keys are and have been encrypted by default for a long time
and if additional binding to the LSKF is desired it can be requested
by KeyGenParameterSpec.Builder#setUserAuthenticationRequired(boolean).
Test: None
Change-Id: I5bd4acb4bba276decd1930ae2e96a55f95627e10
Keystore 2.0 will no longer support free form blobs. Certificates and
certificate chains will have typed fields associated with an alias.
Other free form blobs will need to be migrated to a different key value
store.
Bug: 171305684
Test: None
Change-Id: I93270f0086329229dc36c2b14c88f229351e6560
A normal synchronous binder call would not be influenced by an
interrupted thread. With the move to asynchronous keystore IPC we wait
on a future which can throw an interrupted exception. The Java crypto
API does not expect the implementation to throw interrupted exceptions
though. So to preserve the expected behavior we wrap the Future.get()
calls in a loop that handles the interrupted exception and sets the
interrupted state after the get completed successfully.
Bug: 147398412
Bug: 155254932
Test: atest android.keystore.cts.CipherTest#testEncryptsAndDecryptsInterrupted
Change-Id: I066180e8028cc426fa1b3739fa007faa17c8c012
Merged-In: I066180e8028cc426fa1b3739fa007faa17c8c012
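The interrupt-preserving wait described in the commit above, as an added illustration that is not the AOSP code: a hypothetical helper `getUninterruptibly` retries `Future.get()` across an `InterruptedException` and restores the thread's interrupted flag once the result is available, so a crypto API caller never sees the exception but still observes the pending interrupt. The class name, the helper and the simulated Keystore reply are all constructed for this example.

```java
import java.util.concurrent.CompletableFuture;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.Future;

/** Hypothetical helper (not the AOSP implementation) showing the pattern. */
public final class UninterruptibleWait {
    private UninterruptibleWait() {}

    /**
     * Blocks on future.get() until the asynchronous IPC result arrives.
     * An interrupt delivered while waiting is remembered, the wait is
     * retried, and the interrupted flag is set again after get() succeeds.
     */
    public static <T> T getUninterruptibly(Future<T> future) throws ExecutionException {
        boolean interrupted = false;
        try {
            while (true) {
                try {
                    return future.get();
                } catch (InterruptedException e) {
                    // Swallow for now; the Java crypto API must not see it.
                    interrupted = true;
                }
            }
        } finally {
            if (interrupted) {
                // Re-assert the interrupt so the caller can still react to it.
                Thread.currentThread().interrupt();
            }
        }
    }

    // Constructed demonstration: a worker interrupts the waiting caller and
    // only then completes the future, standing in for the Keystore reply.
    public static void main(String[] args) throws Exception {
        CompletableFuture<String> reply = new CompletableFuture<>();
        Thread caller = Thread.currentThread();
        new Thread(() -> {
            caller.interrupt(); // interrupt arrives mid-wait
            try { Thread.sleep(200); } catch (InterruptedException ignored) { }
            reply.complete("constructed-ciphertext");
        }).start();
        String value = getUninterruptibly(reply);
        // Expected: the value is returned and isInterrupted() reports true.
        System.out.println(value + " / interrupted flag restored: "
                + Thread.currentThread().isInterrupted());
    }
}
```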
Update the KeyChain.createInstallIntent method documentation to reflect
the change where CA certificates can no longer be installed using
this intent.
Bug: 156941631
Test: m docs
Change-Id: I3cf2c677c4c772698c8df5f25224dd67d12b5606
Add API to allow inclusion of device base properties to the
attestation certificate generated with a Key in Keystore.
Test: atest KeyAttestationTest
Bug: 152945378
Change-Id: Iaf282709f800501aa4c988ebf51cf3238583f9b6
The getKeyInfo check was not updated to use the new integer representing
an auth per operation key.
Bug: 152618140
Test: atest AuthBoundKeyTest
Change-Id: Ifa6d37ac878ba267761ed7ae32c544cd4b662d25
Update keyguard locked state from TrustManagerService
TrustManagerService holds the ground truth about whether a user is
locked or not, so update keystore using the information there,
instead of doing it from KeyguardStateMonitor. This fixes the issue
of work profile locked state not being correctly pushed to keystore.
Note: since this change is likely to be backported as a security
patch, I'm refraining from doing major refactoring right now.
Bug: 141329041
Bug: 144430870
Test: manually with KeyPairSampleApp
Change-Id: I3472ece73d573a775345ebcceeeb2cc460374c9b
(cherry picked from commit f9418dbb2c)
SIDs were not being properly applied to key parameters under the new
authentication rework. Now that biometric/credential unlocks are valid
for either auth-per-op or timeout auth bound keys, the SIDs need to be
tacked on appropriately in each authentication flow.
Bug: 148425329
Test: CtsVerifier
Change-Id: I73733b00d2da5ac78db6d77c53de144f4473bb54
The default timeout and authentication type is being updated to offer a
correct default that matches the old behavior.
Bug: 148425329
Bug: 149931201
Test: CtsVerifier
Test: atest KeyguardLockedTests
Change-Id: Id20097b04ce881e7028609d2ba1c30c26ba3c8cf
This is a completely new API so callers can follow the new pattern of
using 0 to require auth for every use of the key.
Supporting both -1 and 0 to require auth for every use of the key
increases CtsVerifier complexity exponentially (strongbox,
invalidated by enrollment, etc).
Fixes: 150823346
Test: builds
Change-Id: Ieef53a8b50f5119c5e52656e930bf16b1e8e3d89
The default timeout and authentication type is being updated to offer a
correct default that matches the old behavior.
Bug: 149931201
Test: CtsVerifier
Change-Id: I3f3d4f8d5b02455c285a882933fd6c37739ee44a
Fix the documentation for USE_INDIVIDUAL_ATTESTATION which was
copy-pasted from another attestation ID type.
Bug: 149475774
Test: That it compiles.
Change-Id: I9366870c8875997321c93fe1db216e91f374b1db
1) BiometricService / AuthService always need to be started, since on
Android 11 and later, the public credential auth API comes through this
path.
2) Consolidate getAuthenticatorId() and expose via AuthService. This is
used only by the platform during key generation. Instead of asking
each individual service, AuthService will return a list of IDs for
sensors which are enrolled and meet the required strength.
Test: atest com.android.server.biometrics
Test: fingerprint device, CtsVerifier biometric section
Test: face unlock device, CtsVerifier biometric section
Test: remove biometrics from device, CtsVerifier biometric section
Bug: 148419762
Bug: 149795050
Change-Id: I2c5385b1cd4f343fabb0010e1fe6fb1ea8283391
This stops KeyChain from throwing AssertionError when binding to
service fails due to user being locked, which would have crashed
the entire system server.
Bug: 149912024
Test: atest KeyChainTests
Change-Id: Ie110a4210e157cc9b111d845478bdf21e948ba4f
Previously, auth per operation keystore keys could only be authorized
with biometrics. There is no reason to restrict this functionality to
biometrics. This change slightly refactors the key parameter builder
interface to allow the caller to specify which authentication types
should be allowed for an auth per op key.
Bug: 147693375
Bug: 140256692
Test: atest keystore
Change-Id: I5cbf3d4e3f0e84d577dbf6b4cb356b1010100925
Mirror KeyProtection.setCriticalToDeviceEncryption so
the flag can also be set on keys generated by keystore.
Bug: 72178550
Test: atest android.security.keystore.KeyGenParameterSpecTest
Test: atest android.security.ParcelableKeyGenParameterSpecTest
Change-Id: I7f102c82e60f211028c694d499ffd2838b89bb2b
Existing annotations in libcore/ and frameworks/ will be deleted after the migration. This also means that any java library that compiles @UnsupportedAppUsage requires a direct dependency on the "unsupportedappusage" java_library.
Bug: 145132366
Test: m && diff unsupportedappusage_index.csv
Change-Id: I4bc8c9482e4bb1af21363f951affff7ee3fefeab
Merged-In: I4bc8c9482e4bb1af21363f951affff7ee3fefeab