author | Alex Klyubin <klyubin@google.com> | 2015-04-28 14:21:01 -0700 |
---|---|---|
committer | Alex Klyubin <klyubin@google.com> | 2015-04-28 17:39:30 -0700 |
commit | 1eda77ae2122e2b85084eb429fbeecec0b9962e5 (patch) | |
tree | a10b902dce083a2899ab2445b4c5047ee492b321 /keystore/java/android/security/AndroidKeyStore.java | |
parent | 2301174eb3598a3290b5c56aae36b19b2c6743ac (diff) |
Align AndroidKeyStore API with user auth API.
This simplifies the AndroidKeyStore API around user authentication: no
more explicit control over which user authenticators are bound to
which keys.
User-authenticated keys with timeout are unlocked by whatever unlocks
the secure lock screen (currently, password/PIN/pattern or
fingerprint). User-authenticated keys that need authentication for
every use are unlocked by fingerprint only.
Bug: 20526234
Bug: 20642549
Change-Id: I1e5e6c988f32657d820797ad5696797477a9ebe9
Diffstat (limited to 'keystore/java/android/security/AndroidKeyStore.java')
-rw-r--r-- | keystore/java/android/security/AndroidKeyStore.java | 25 |
1 files changed, 4 insertions, 21 deletions
diff --git a/keystore/java/android/security/AndroidKeyStore.java b/keystore/java/android/security/AndroidKeyStore.java
index c259c25b0e5c..ed91d7080054 100644
--- a/keystore/java/android/security/AndroidKeyStore.java
+++ b/keystore/java/android/security/AndroidKeyStore.java
@@ -529,27 +529,10 @@ public class AndroidKeyStore extends KeyStoreSpi {
 KeymasterUtils.getKeymasterPaddingsFromJcaSignaturePaddings(
 params.getSignaturePaddings()));
 args.addInts(KeymasterDefs.KM_TAG_PADDING, keymasterPaddings);
- if (params.getUserAuthenticators() == 0) {
- args.addBoolean(KeymasterDefs.KM_TAG_NO_AUTH_REQUIRED);
- } else {
- args.addInt(KeymasterDefs.KM_TAG_USER_AUTH_TYPE,
- KeyStoreKeyProperties.UserAuthenticator.allToKeymaster(
- params.getUserAuthenticators()));
- long secureUserId = GateKeeper.getSecureUserId();
- if (secureUserId == 0) {
- throw new IllegalStateException("Secure lock screen must be enabled"
- + " to import keys requiring user authentication");
- }
- args.addLong(KeymasterDefs.KM_TAG_USER_SECURE_ID, secureUserId);
- }
- if (params.isInvalidatedOnNewFingerprintEnrolled()) {
- // TODO: Add the invalidate on fingerprint enrolled constraint once Keymaster supports
- // that.
- }
- if (params.getUserAuthenticationValidityDurationSeconds() != -1) {
- args.addInt(KeymasterDefs.KM_TAG_AUTH_TIMEOUT,
- params.getUserAuthenticationValidityDurationSeconds());
- }
+ KeymasterUtils.addUserAuthArgs(args,
+ params.getContext(),
+ params.isUserAuthenticationRequired(),
+ params.getUserAuthenticationValidityDurationSeconds());
 args.addDate(KeymasterDefs.KM_TAG_ACTIVE_DATETIME, (params.getKeyValidityStart() != null) ? params.getKeyValidityStart() : new Date(0)); |
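Review bot: Nothing at the call to `KeymasterUtils.addUserAuthArgs(...)` states that the helper keeps the fail-closed behaviour of the inline block it replaces, which threw `IllegalStateException` when `GateKeeper.getSecureUserId()` returned 0 and otherwise bound the key to `KM_TAG_USER_SECURE_ID`. The helper's body is not in this hunk, so that cannot be confirmed from here; I would add a comment above the call such as `// addUserAuthArgs rejects auth-required keys when no secure lock screen is set up and adds KM_TAG_NO_AUTH_REQUIRED otherwise`, and pin both cases with a test on this import path. The removed TODO for `isInvalidatedOnNewFingerprintEnrolled()` also disappears with no replacement in this file, so the description should say where that constraint is tracked now. The enclosing method starts and ends outside the hunk.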