This replaces int-based enums from KeyStoreKeyConstraints with
String values commonly used in JCA API.
As part of under the hood refactoring:
* KeyStoreKeyCharacteristics and KeyStoreKeyConstraints have been
merged into KeyStoreKeyProperties.
* KeymasterUtils methods operating on KeymasterArguments and
KeymasterCharacteristics have been moved to their respective
classes.
Bug: 18088752
Change-Id: I9c8b984cb3c28184adb617e34d87f2837bd1d3a1
This makes the new AndroidKeyStore API conform with the latest
Keymaster API changes as well as the latest Android framework API
design guidelines.
Keymaster changes:
* Multiple paddings, block modes, and digests can be set on a key.
* "max uses per boot" and "min seconds between use" restrictions will
not be exposed in the framework API.
* Padding scheme ZERO will not be exposed.
Changes due to Android framework design guidelines:
* Sets of enum values have been replaced with bitsets represented as
ints.
* Integer has been replaced with int, with null being represented
with a special value (e.g., -1 or 0) where possible.
Bug: 18088752
Change-Id: Ib21739aa9b42d48895cb7a681e836a5c6d972ac6
generateKey and begin can now optionally take an array of bytes to add
to the rng entropy of the device before the operation. If entropy is
specified and the device does not support add_rng_entropy or the call
fails then that device will not be used, leading to fallback or error
depending on the situation.
Change-Id: Id7d33e3cc959594dfa5483d002993ba35c1fb134
Now that the libcore's NetworkSecurityPolicy abstraction is in place,
the framework version of the abstraction should delegate to the
libcore one, to avoid them getting out of sync.
Bug: 19215516
Change-Id: Ic57341d703a13e0fb100dc414958e8fd54e03816
This is a follow-up to
https://android-review.googlesource.com/#/c/131920/, addressing some
outstanding comments.
This CL also switches the source file to the correct indentation.
Bug: 19215516
Change-Id: Ia48455ab351081e11619afcccadb8fa90340391d
Having it as a raw byte[] caused issues in keystore because keymaster
handles a null blob differently than a blob with null contents. Make
this explicit in the API.
Change-Id: Ifcf550f438608b8f09fc589d00d06fffa6ee463b
Some authorization code needs to know the actual underlying operation
handle, not simply a reference to it, so return it in case it is needed.
Note that the handle cannot be used by the application to reference an
operation.
Change-Id: I4c883dde17168b7f6c1643d81741a4c2686d3159
The initial purpose of the NetworkSecurityPolicy class is to provide a
way for network libraries to check whether cleartext network traffic
(e.g., HTTP, WebSockets, XMPP, IMAP, SMTP) should be blocked from this
process.
The policy is set declaratively by the app developer in the app's
manifest and can be queried from ApplicationInfo.flags. Unfortunately,
several network stacks (bundled and unbundled) do not have a reference
to ApplicationInfo or Context.
Alternatives:
* Keep this API hidden (and thus potentially move it from framework to
libcore), thus precluding unbundled HTTP stacks from using the API.
* Introduce a new java.lang.System property instead of this API.
However, such properties are a mess and not as powerful/extensible
as a public class.
Bug: 19215516
Change-Id: If22056a74d257bf1d805ebb4fc284240b3d338f1
Add methods for sending an auth token to keystore and to query the
authorization state of a given operation.
Change-Id: I223df5c56ae2a251ef31cfe60f06c046c12a5cd8
This adds the classes for creating and serializing arguments and results
from keymaster as well as the enum values from
hardware/libhardware/include/hardware/keymaster_defs.h which will be
needed for argument creation as well as converting keymaster error
codes into Java exceptions.
Change-Id: I61046756361d43d9f02eea370c2cbd07c3638ea3
This replaces IKeystoreService.java with IKeystoreService.aidl and
changes the methods that passed down a byte[][] to instead pass down a
KeystoreArguments which is currently a thin parcelable wrapper around a byte[][].
Change-Id: I6367bcf57562f41a27aab14f1903b74995cb65c2
Fixes setting a keyguard password for keystore in a multi-user setup
while we're at it.
Bug: 16233206.
Change-Id: I7941707ca66ac25bd122fd22e5e0f639e7af697e
Before there was only one key type supported, so we didn't need to query
a key type. Now there is DSA, EC, and RSA, so there needs to be another
argument.
Bug: 10600582
Change-Id: I9fe9e46b9ec9cfb2f1246179b2c396216b2c1fdb
In order to let apps use keystore more productively, make the blob
encryption optional. As more hardware-assisted keystores (i.e., hardware
that has a Keymaster HAL) come around, encrypting blobs start to make
less sense since the thing it's encrypting is usually a token and not
any raw key material.
Bug: 8122243
Change-Id: If9af0d992d68edec006e630c687df3d03a7c9608
Add a hook into PackageManagerService so that when app IDs are
completely removed, we erase all entries from keystore for those UIDs
that have gone away.
(cherry picked from commit 95e3ee3971)
Bug: 3020069
Change-Id: I374258ccc103f8cb3e238f2bf0d1afda0659db94
