frameworks_base

Android/frameworks_base

Fork 0

Commit Graph

Author	SHA1	Message	Date
Eran Messeri	e7a65b65e5	AttestedKeyPair: Address API review comments Make AttestedKeyPair c'tor accept a List<Certificate> rather than Certificate[] to match the getter method on this class. To make it easier to use this class from other framework code I've re-instantiated the c'tor with a certificate array which will convert the array to a list. Bug: 139092002 Test: cts-tradefed run commandAndExit cts-dev -m CtsDevicePolicyManagerTestCases -t com.android.cts.devicepolicy.MixedDeviceOwnerTest#testKeyManagement Change-Id: Ie80dcb28f112efa89d3cc6fdceb1b9e5e26c58b1	2019-08-23 15:33:16 +01:00
Eran Messeri	390539d11b	Make AttestedKeyPair constructable Make the constructor for AttestedKeyPair public so instances of it can be created for testing. Bug: 138409426 Test: That it compiles Change-Id: Iab8fbf1ad2293a91347701eb67631a8f3a3bd3fa	2019-08-06 15:55:17 +01:00
Eran Messeri	852c8f121f	DevicePolicyManager: Add key generation functionality. This is the crux of the Verified Access feature implementation: Adding the ability to generate KeyChain keys directly by the secure hardware, rather than installing software-generated keys into KeyChain. Add generateKeyPair to the DevicePolicyManager, which delegates key generation (via the DevicePolicyManagerService) to the KeyChainService. Design highlights: * The key generation is delegated via the DevicePolicyManagerService to check that only authorized callers request key generation in KeyChain. * KeyChainService performs the actual key generation so it owns the key in Keystore outright. * DevicePolicyManagerService then grants the calling app access to the Keystore key, so it can actually be used. * Loading the public/private key pair, as well as attestation certificate chain, is done in the client code (DevicePolicyManager) to save parceling / unparceling those objects across process boundaries twice (for no good reason). NOTE: The key attestation functionality (that includes Device ID) is missing/untested. Will be added in a follow-up CL as this one is quite big already. HIGHLIGHT FOR REVIEWERS: * API: New API in DevicePolicyManager. Bug: 63388672 Test: cts-tradefed run commandAndExit cts-dev -a armeabi-v7a -m CtsDevicePolicyManagerTestCases -t com.android.cts.devicepolicy.DeviceOwnerTest#testKeyManagement -l DEBUG; adb shell am instrument 'android.security.tests/android.support.test.runner.AndroidJUnitRunner' (After building the KeystoreTests target and installing the apk) Change-Id: I73762c9123f32a94d454ba4f8b533883b55c44cc	2017-12-07 15:12:30 +00:00

Author

SHA1

Message

Date

Eran Messeri

e7a65b65e5

AttestedKeyPair: Address API review comments

Make AttestedKeyPair c'tor accept a List<Certificate> rather than
Certificate[] to match the getter method on this class.

To make it easier to use this class from other framework code I've
re-instantiated the c'tor with a certificate array which will
convert the array to a list.

Bug: 139092002
Test: cts-tradefed run commandAndExit cts-dev -m CtsDevicePolicyManagerTestCases -t  com.android.cts.devicepolicy.MixedDeviceOwnerTest#testKeyManagement
Change-Id: Ie80dcb28f112efa89d3cc6fdceb1b9e5e26c58b1

2019-08-23 15:33:16 +01:00

Eran Messeri

390539d11b

Make AttestedKeyPair constructable

Make the constructor for AttestedKeyPair public so instances of it can
be created for testing.

Bug: 138409426
Test: That it compiles
Change-Id: Iab8fbf1ad2293a91347701eb67631a8f3a3bd3fa

2019-08-06 15:55:17 +01:00

Eran Messeri

852c8f121f

DevicePolicyManager: Add key generation functionality.

This is the crux of the Verified Access feature implementation:
Adding the ability to generate KeyChain keys directly by the
secure hardware, rather than installing software-generated keys
into KeyChain.

Add generateKeyPair to the DevicePolicyManager, which delegates key
generation (via the DevicePolicyManagerService) to the KeyChainService.

Design highlights:
* The key generation is delegated via the DevicePolicyManagerService to
check that only authorized callers request key generation in KeyChain.
* KeyChainService performs the actual key generation so it owns the key
in Keystore outright.
* DevicePolicyManagerService then grants the calling app access to the
Keystore key, so it can actually be used.
* Loading the public/private key pair, as well as attestation
certificate chain, is done in the client code (DevicePolicyManager)
to save parceling / unparceling those objects across process
boundaries twice (for no good reason).

NOTE: The key attestation functionality (that includes Device ID) is
missing/untested. Will be added in a follow-up CL as this one is quite
big already.

HIGHLIGHT FOR REVIEWERS:
* API: New API in DevicePolicyManager.

Bug: 63388672
Test: cts-tradefed run commandAndExit cts-dev -a armeabi-v7a -m CtsDevicePolicyManagerTestCases -t com.android.cts.devicepolicy.DeviceOwnerTest#testKeyManagement -l DEBUG; adb shell am instrument 'android.security.tests/android.support.test.runner.AndroidJUnitRunner' (After building the KeystoreTests target and installing the apk)
Change-Id: I73762c9123f32a94d454ba4f8b533883b55c44cc

2017-12-07 15:12:30 +00:00

3 Commits