diff options
| author | Eran Messeri <eranm@google.com> | 2017-11-15 05:55:52 +0000 |
|---|---|---|
| committer | Eran Messeri <eranm@google.com> | 2017-12-07 15:12:30 +0000 |
| commit | 852c8f121f2e502e1e8503bfc230dccb81b681d4 (patch) | |
| tree | 27c90a754791b77990afbcb369cac3fad401a3bf /keystore/java/android/security/IKeyChainService.aidl | |
| parent | d52efa56adaca0bc70fb72082c7c663adcb669cc (diff) | |
DevicePolicyManager: Add key generation functionality.
This is the crux of the Verified Access feature implementation:
Adding the ability to generate KeyChain keys directly by the
secure hardware, rather than installing software-generated keys
into KeyChain.
Add generateKeyPair to the DevicePolicyManager, which delegates key
generation (via the DevicePolicyManagerService) to the KeyChainService.
Design highlights:
* The key generation is delegated via the DevicePolicyManagerService to
check that only authorized callers request key generation in KeyChain.
* KeyChainService performs the actual key generation so it owns the key
in Keystore outright.
* DevicePolicyManagerService then grants the calling app access to the
Keystore key, so it can actually be used.
* Loading the public/private key pair, as well as attestation
certificate chain, is done in the client code (DevicePolicyManager)
to save parceling / unparceling those objects across process
boundaries twice (for no good reason).
NOTE: The key attestation functionality (that includes Device ID) is
missing/untested. Will be added in a follow-up CL as this one is quite
big already.
HIGHLIGHT FOR REVIEWERS:
* API: New API in DevicePolicyManager.
Bug: 63388672
Test: cts-tradefed run commandAndExit cts-dev -a armeabi-v7a -m CtsDevicePolicyManagerTestCases -t com.android.cts.devicepolicy.DeviceOwnerTest#testKeyManagement -l DEBUG; adb shell am instrument 'android.security.tests/android.support.test.runner.AndroidJUnitRunner' (After building the KeystoreTests target and installing the apk)
Change-Id: I73762c9123f32a94d454ba4f8b533883b55c44cc
Diffstat (limited to 'keystore/java/android/security/IKeyChainService.aidl')
| -rw-r--r-- | keystore/java/android/security/IKeyChainService.aidl | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/keystore/java/android/security/IKeyChainService.aidl b/keystore/java/android/security/IKeyChainService.aidl index 635432da7942..b4331b21cf13 100644 --- a/keystore/java/android/security/IKeyChainService.aidl +++ b/keystore/java/android/security/IKeyChainService.aidl @@ -16,6 +16,7 @@ package android.security; import android.content.pm.StringParceledListSlice; +import android.security.keystore.ParcelableKeyGenParameterSpec; /** * Caller is required to ensure that {@link KeyStore#unlock @@ -31,6 +32,8 @@ interface IKeyChainService { boolean isUserSelectable(String alias); void setUserSelectable(String alias, boolean isUserSelectable); + boolean generateKeyPair(in String algorithm, in ParcelableKeyGenParameterSpec spec); + // APIs used by CertInstaller and DevicePolicyManager String installCaCertificate(in byte[] caCertificate); |