Enable requesting inclusion of device identifiers in the attestation record issued for keys generated by generateKeyPair. This is done by passing an array of flags with values indicating which identifiers should be included. Since the attestation record will include sensitive identifiers, it can only be requested by the DPC in Device Owner mode or by the Delegated Cert Installer in Device Owner mode. Design note: DevicePolicyManager defines its own set of constants for the different identifier types (ID_TYPE_*) and prior to calling DevicePolicyManagerService it translates them to the values defined by AttestationUtils (which is not a public class). The reason is to allow re-use of code in AttestationUtils for preparing the attestation arguments. In theory, these constants could be moved from AttestationUtils to DevicePolicyManager, however that would create a dependency on DPM from Keystore, which logically does not make sense as Keystore is independent of the DPM (and in a lower level of the system, conceptually). Bug: 63388672 Test: cts-tradefed run commandAndExit cts-dev -a armeabi-v7a -m CtsDevicePolicyManagerTestCases -t com.android.cts.devicepolicy.DeviceOwnerTest#testKeyManagement; runtest frameworks-services -c com.android.server.devicepolicy.DevicePolicyManagerTest#testTranslationOfIdAttestationFlag Change-Id: Ifb42e8e813fa812a08203b4a81d15b1f91152354
/*
* Copyright (C) 2011 The Android Open Source Project
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package android.security;
import android.content.pm.StringParceledListSlice;
import android.security.keymaster.KeymasterCertificateChain;
import android.security.keystore.ParcelableKeyGenParameterSpec;
/**
 * Service interface for KeyChain, declared in AIDL (note the {@code in} /
 * {@code out} parameter direction markers). Methods are grouped below by the
 * client that uses them.
 *
 * Caller is required to ensure that {@link KeyStore#unlock
 * KeyStore.unlock} was successful.
 *
 * NOTE(review): nothing in this declaration restricts which caller may invoke
 * which method; the "used by" groupings are comments only. Any caller checks
 * have to be enforced by the service implementation or by the platform
 * components that front it -- confirm there when adding or changing a method.
 *
 * @hide
 */
interface IKeyChainService {
    // APIs used by KeyChain

    // Request for the private key stored under alias. Only a String is returned.
    // NOTE(review): presumably a key identifier/handle rather than key material -- confirm.
    String requestPrivateKey(String alias);
    // Certificate bytes for alias; the encoding is not specified in this file.
    byte[] getCertificate(String alias);
    // CA certificate bytes associated with alias; the encoding is not specified in this file.
    byte[] getCaCertificates(String alias);
    // Reads the user-selectable flag of alias.
    boolean isUserSelectable(String alias);
    // Writes the user-selectable flag of alias.
    void setUserSelectable(String alias, boolean isUserSelectable);

    // Generates a key pair for the given algorithm as described by spec.
    // NOTE(review): the boolean result presumably signals success -- confirm.
    boolean generateKeyPair(in String algorithm, in ParcelableKeyGenParameterSpec spec);
    // Requests an attestation record for the key stored under alias.
    //   challenge          - caller-supplied challenge bytes for the attestation.
    //   idAttestationFlags - selects which device identifiers are included in the
    //                        attestation record. Per the change that introduced this
    //                        parameter, the values are the ones defined by
    //                        AttestationUtils; DevicePolicyManager translates its own
    //                        ID_TYPE_* constants to them before the call.
    //   chain              - out parameter filled in by the service.
    // Security: the identifiers are sensitive. The introducing change limits this
    // request to the DPC in Device Owner mode or the delegated cert installer in
    // Device Owner mode; that restriction is not expressed in this signature, so it
    // must be checked before the call reaches the service.
    // NOTE(review): confirm how an empty or null flag array is treated.
    boolean attestKey(in String alias, in byte[] challenge, in int[] idAttestationFlags,
            out KeymasterCertificateChain chain);
    // Supplies the user certificate and certificate chain for the key pair under alias.
    // NOTE(review): certificate encoding and validation are not visible here -- confirm.
    boolean setKeyPairCertificate(String alias, in byte[] userCert, in byte[] certChain);

    // APIs used by CertInstaller and DevicePolicyManager

    // Installs the given CA certificate bytes and returns a String.
    // NOTE(review): presumably the alias assigned to the installed certificate -- confirm.
    String installCaCertificate(in byte[] caCertificate);

    // APIs used by DevicePolicyManager

    // Installs a caller-provided key pair under alias. privateKey carries raw private
    // key material across this call, so callers should keep that buffer short-lived
    // and out of logs. The expected key and certificate encodings are not specified
    // in this file.
    boolean installKeyPair(in byte[] privateKey, in byte[] userCert, in byte[] certChain, String alias);
    // Removes the key pair stored under alias.
    boolean removeKeyPair(String alias);

    // APIs used by Settings

    // Deletes the CA certificate stored under alias.
    boolean deleteCaCertificate(String alias);
    // Takes no arguments and returns a boolean.
    // NOTE(review): the scope of what is reset is not visible here -- confirm before calling.
    boolean reset();
    // Aliases of user CA certificates.
    StringParceledListSlice getUserCaAliases();
    // Aliases of system CA certificates.
    StringParceledListSlice getSystemCaAliases();
    // Whether a CA certificate is known under alias.
    boolean containsCaAlias(String alias);
    // Encoded CA certificate for alias. includeDeletedSystem presumably widens the
    // lookup to system certificates that were deleted -- confirm.
    byte[] getEncodedCaCertificate(String alias, boolean includeDeletedSystem);
    // Aliases of the certificates in the chain for rootAlias; includeDeletedSystem as
    // in getEncodedCaCertificate.
    List<String> getCaCertificateChainAliases(String rootAlias, boolean includeDeletedSystem);

    // APIs used by KeyChainActivity

    // Sets the grant state for the (uid, alias) pair to value.
    // NOTE(review): a grant presumably authorizes uid to use the key under alias, which
    // makes this an authorization decision -- confirm that the implementation limits
    // who may call it.
    void setGrant(int uid, String alias, boolean value);
    // Reads the grant state for the (uid, alias) pair.
    boolean hasGrant(int uid, String alias);
}