Keystore stores key blobs in with filenames that include the symbolic
name and the uid of the owner. This behaviour should have been
completely opaque to the user keystore. However, the granting mechanism,
by which an app can allow another app to use one of its keys, leaked the
internal structure in that the grantee had to specify the key name with
the granter's uid prefix in order to use the granted key. This in turn
collided with prefix handling in other parts of the framework.
This patch refurbishes the granting mechanism such that keystore can
choose a name for the grant. It uses the original symbolic key name as
prefix and appends _KEYSTOREGRANT_<grant_no> where the grant_no is
chosen as first free slot starting from 0. Each uid has its own grant_no
space.
This changes the grant call such that it now returns a string, which is
the alias name of the newly created grant. The string is empty if the
grant operation failed.
As before apps can still mask granted keys by importing a key with the
exact same name including the added suffix. But everybody deserves the
right to shoot themselves in the foot if they really want to.
Bug: 37264540
Bug: 62237038
Test: run cts-dev --module CtsDevicePolicyManagerTestCases --test
com.android.cts.devicepolicy.DeviceOwnerTest#testKeyManagement
because it grants a key
Merged-In: I047512ba345c25e6e691e78f7a37fc3f97b95d32
Change-Id: I047512ba345c25e6e691e78f7a37fc3f97b95d32
Device ID attestation consists of three steps:
* Generate a temporary key
* Attest the key and desired device IDs
* Delete the temporary key
Rather than being spread over three keymaster APIs, these operations
should happen automatically in a single keymaster method.
Bug: 34734938
Test: GTS com.google.android.gts.security.DeviceIdAttestationHostTest
Change-Id: Ifabb5163b9e4d12cb309a6b0ca8e5f2f92d212f4
Discussions have shown that in addition to brand, device and product,
we should also allow devices to attest their manufacturer and model.
Bug: 36433192
Test: GTS com.google.android.gts.security.DeviceIdAttestationHostTest
Change-Id: Idd48929d6a0c9fe6656c6d2656e2c3f6f370a21e
This reverts commit eb30e64f3f.
Reason for revert: Remove partial support for wrapped key import
Test: CTS tested
Change-Id: I8008494860534257fa983e1a5169d0ed034621f7
The new attribute allows both ephemeral and non-ephemeral apps to
opt into a new, tighter security model.
Test: Manual; built app w/ targetSandboxVersion and verified the security domain
Change-Id: I8fcaf84e25f0519b438ba51302f79790e680e025
This adds a new public API for attesting the device's hardware ids
(e.g. serial number and IMEI).
Bug: 34597337
Test: CTS CtsKeystoreTestCases and GTS DeviceIdAttestationHostTest
Change-Id: I2e9c1b4f8eb24afa4a09c71c137ce33a6b87eb27
This is necessary for allowing the KeyStore to lock keys that remain
authorized as long as the device is on-body.
Bug 28911985
Change-Id: If50bc84d5a1cb23f9b01b1950c3676d1519cc4f5
Skip certificates in a DirectoryCertificateSource that cannot be read to
due IOExceptions or CertificateExceptions, this prevents a NPE but
connections will still fail due to the certificate being unusable and no
valid trust-anchor existing.
This also logs the error since this really shouldn't happen.
Bug: 29997695
Change-Id: I9f7327efc302a259fb951f1f61f7fc4d647821fa
Add getKeyAttestationApplicationId and the Parcelables
KeyAttestationPackageInfo and KeyAttestationApplicationId,
needed by keystore.
Bug: 22914603
Change-Id: I89a88cd9cd80e9b132ca67fc452e9cae8b8ad241
This CL flushes the trusted cert cache of all active Network Security
Configs and their TrustManagers. Previously CA addition mostly worked
however removed CAs would remain cached in the X509TrustManager causing
the removed CA to still be trusted.
Change-Id: I0f5fd39932f8f8ed3ec5dfd088a82e982b366c43
getApplicationConfigForPackage will be used by system components that
need to make connections for apps, e.g. DownloadManager, so that their
secure connections have the same configuration as those from the app
itself.
Bug: 29505888
Change-Id: Idf1cac6307431911eda34529d3fd50f9ca0da314
The static instances of SystemCertificateSource and
UserCertificateSource depend on the current user, avoid triggering their
static initializer when preloaded.
Bug: 29258379
Change-Id: I5088366ae67145b8bc928d6c04118529c82a7fc3
ApplicationInfo is mutable and unfortunately some apps do actually
modify the flags. Due to the lazy loading nature of the network security
config this may lead to issues. Instead cache the needed flags and
resources at application startup.
Bug: 29063413
(cherry picked from commit 276ee969be)
Change-Id: If638a716fd903b4e9dbabcbecb38bd4e26fef08c
Originally we went with the meta-data approach to make unbundling
easier, however with the amount of platform changes that the config
ended up relying on it would be better to focus on exposing it through
the platform.
Bug:28763009
Change-Id: Iaf80001b1980220cd2e1e05faf2dc86af41700e1
Check if the CA is in the user store directly instead of delegating to
the TrustManager. This removes one more reflection dependency between
X509TrustManagerExtensions and the default X509TrustManager.
Bug: 28138736
Change-Id: I16c17bf6230becdc0a1948b1d184212f83ee25f0
Move the X509TrustManagers for the Network Security Config from
X509TrustManagers to X509ExtendedTrustManagers.
Bug: 27271561
Change-Id: I084a6c6022fe69730192d2bdcbabaf58e8f92f04
This pruns all the stored trusted issuers so that changes to the system
or user CA store are detected. Currently this is only exposed as a
TestApi, but it can be hooked up to the trusted storage change event
in a future commit.
Bug: 27526668
Change-Id: Ic426254babab9a3177c968bc05b45e95eaac1fdd
Domain entries can contain whitespace (or newlines) which should be
ignored to avoid unexpectedly failing to match a domain.
Bug: 27816377
Change-Id: I3691aa4abd409e7be97ad0cf1eb0195725e1b0ab
An application can specify its debug-overrides in an extra resource with
the same name suffixed with "_debug" (e.g. res/xml/security_config.xml and
res/xml/security_config_debug.xml).
By specifying the debug-overrides in an extra file release builds can
strip out the file (and any certificate resources that the
debug-overrides depend on) to prevent including testing configuration
information in the release build of an application.
Bug: 27418003
Change-Id: Ibfebc376360ca474fc0f9f2fd565faa0cffd9549
Android's security model is such that the applications data is secure by
default unless the application specifically grants access to it.
Application data in transit should have similar security properties.
Bug: 27301579
Change-Id: I72f106aefecccd6edfcc1d3ae10131ad2f69a559
Delegating to the TrustManagerImpl doesn't work correctly with
getAcceptedIssuers, do it in NetworkSecurityTrustManager instead.
Bug: 27124116
Change-Id: Ie527d63aaa115e6137396e07c7d134b1c42bfe87
This allows services which make network connections on behalf of
applications to honor the application's network security policy.
Change-Id: I562b7bd0eb20f2f8c9f8342c211166d4e3397780
