This file was written on the assumption that bindService was
synchronous, which it isn't. This change adds a CountDownLatch to force
the class to wait for the binding to finish. If the relevant key
generation service is not present on the system, then this
functionality will just silently be skipped over.
Bug: 190222116
Test: atest RemoteProvisionerUnitTests
Change-Id: Ie34997a08aa743642c66a20c4b756cd47bff4af1
Merged-In: Ie34997a08aa743642c66a20c4b756cd47bff4af1
The KeyMint spec requires the specification of the EC_CURVE tag when
generating an EC key. This patch adds the correct curve tag parameter to
the parameter list.
Test: CtsVerifier Protected confirmation test.
Bug: 192908276
Change-Id: I2e7dd4868abda85d244e73592ff12d688f5c21fc
This file was written on the assumption that bindService was
synchronous, which it isn't. This change adds a CountDownLatch to force
the class to wait for the binding to finish.
Bug: 190222116
Test: atest RemoteProvisionerUnitTests
Change-Id: I917a61da612f21f9a0f783bea5d24270d4e1db42
Previous releases explicitly check for invalid inputs. These checks
were removed with the move to keystore2 -- add them back.
Remove old prepareAttestationArguments* methods, as they are no
longer referenced.
Fixes: 188741672
Test: com.google.android.gts.security.DeviceIdAttestationHostTest
Change-Id: I4eeec8367ebdfad527395206ab9e89b409e02631
getUniqueAliases may return a null if an error occurred. This would lead
to a NPE in engineAliases.
This patch makes getUniqueAliases return an empty HashSet instead.
Test: atest KeystoreTests
Change-Id: I387d90ea851a8b9c18bb2b20d1a0bfc1ab76c99f
Instead of always wrapping errors in a DeviceIdAttestationException,
check to see if the underlying cause was originally a
DeviceIdAttestationException. If so, unwrap the cause and just re-throw
that, preserving the original error.
Bug: 183827468
Test: GtsGmsCoreSecurityTestApp
Change-Id: Iab78ccaff91dd1de615e1d2b18f709027aecd59e
If biometric unlock is enabled, we tell keystore at lock time so that
a key can be set up in KM which unlocks UNLOCKED_DEVICE_REQUIRED keys
based on auth tokens carrying those SIDs. This also has the effect that
if there is no biometric unlock, UNLOCKED_DEVICE_REQUIRED keys have
full cryptographic protection, per NIAP requirements.
Test: aosp/1686345
Bug: 163866361
Change-Id: Ia4d01faa998c76b2b33ad3520730466ac59e6d8d
AndroidKeyStoreCipherSpiBase.engineDoFinal may get called with a null
input argument. In the case where we forward the operation to the
default provider doFinal() needs to be called instead of
doFinal(byte[], int, int).
Bug: 183913233
Test: atest android.keystore.cts.CipherTest#testEncryptsAndDecryptsUsingCipherStreams
Change-Id: Ia3afaf281be7c8e5493ac8e4155a7aa02d1d37f0
As a part of internal libcore API cleanup some of the functions
previously exposed are getting removed from public surface.
Math#randomLongInternal is a wrapper around java.util.Random and has no
specific implications so its usages are get refactored.
Bug: 154796679
Test: m droid
Change-Id: I29e0e9307fbaf9c1ac018b83014efb2d3dd74479
This namespace is required by LocksettingsService to protect the
synthetic password key from removal when the user removes the
credentials or wipes AID_SYSTEM app data.
Bug: 184664830
Test: N/A
Change-Id: Ie752a75d2cb2ebf1f4e5814bc2cbc807cc754c21
CryptoObject still called the legacy AndroidKeystoreProvider which did
not return the correct operation handle for per operation auth bound
keys.
Bug: 184804041
Bug: 185181377
Test: CtsVerifier->Security->Biometric Tests->2a Strong Biometrics +
Crypto
Merged-In: I0bceff0425e7ef32c394f33deda3c78f729c0c6c
Change-Id: I0bceff0425e7ef32c394f33deda3c78f729c0c6c
The key migration API is required by locksettingsservice to move the
synthetic password key out of AID_SYSTEM to protect it from deletion
when the user removes credentials from AID_SYSTEM.
Bug: 184664830
Test: N/A
Change-Id: I8d0ffb79870affc8ac055574b6f808a984aa5e52
