diff options
| author | Janis Danisevskis <jdanis@google.com> | 2018-11-09 13:21:46 -0800 |
|---|---|---|
| committer | android-build-merger <android-build-merger@google.com> | 2018-11-09 13:21:46 -0800 |
| commit | 3a72e2b08e2590c28ce84c36c7b0b35d4da28bb5 (patch) | |
| tree | fc2e67da775661c612a89c14195bc096616d0950 /keystore/java/android/security/KeyStore.java | |
| parent | 5efda82dada66d807133ae9303a1cf4bb415696e (diff) | |
| parent | 5c5fe83c4dd9a8c82e725ef1fa84165cca37d8ed (diff) | |
Remove legacy functions form IKeystoreService.aidl am: 1864c95616 am: 036229c8df
am: 5c5fe83c4d
Change-Id: Id2fa59fcbe111a968abef088b76fb97dbe2e369e
Diffstat (limited to 'keystore/java/android/security/KeyStore.java')
| -rw-r--r-- | keystore/java/android/security/KeyStore.java | 131 |
1 files changed, 68 insertions, 63 deletions
diff --git a/keystore/java/android/security/KeyStore.java b/keystore/java/android/security/KeyStore.java index 0a4ac8cc5fec..6985ca511ba7 100644 --- a/keystore/java/android/security/KeyStore.java +++ b/keystore/java/android/security/KeyStore.java @@ -30,6 +30,7 @@ import android.os.Process; import android.os.RemoteException; import android.os.ServiceManager; import android.os.UserHandle; +import android.security.KeyStoreException; import android.security.keymaster.ExportResult; import android.security.keymaster.KeyCharacteristics; import android.security.keymaster.KeymasterArguments; @@ -40,14 +41,21 @@ import android.security.keymaster.OperationResult; import android.security.keystore.KeyExpiredException; import android.security.keystore.KeyNotYetValidException; import android.security.keystore.KeyPermanentlyInvalidatedException; +import android.security.keystore.KeyProperties; +import android.security.keystore.KeyProtection; import android.security.keystore.StrongBoxUnavailableException; import android.security.keystore.UserNotAuthenticatedException; import android.util.Log; - +import com.android.org.bouncycastle.asn1.ASN1InputStream; +import com.android.org.bouncycastle.asn1.pkcs.PrivateKeyInfo; import java.math.BigInteger; +import java.io.ByteArrayInputStream; +import java.io.IOException; import java.security.InvalidKeyException; import java.util.List; import java.util.Locale; +import sun.security.util.ObjectIdentifier; +import sun.security.x509.AlgorithmId; /** * @hide This should not be made public in its present form because it @@ -366,53 +374,6 @@ public class KeyStore { return isEmpty(UserHandle.myUserId()); } - public boolean generate(String key, int uid, int keyType, int keySize, int flags, - byte[][] args) { - try { - return mBinder.generate(key, uid, keyType, keySize, flags, - new KeystoreArguments(args)) == NO_ERROR; - } catch (RemoteException e) { - Log.w(TAG, "Cannot connect to keystore", e); - return false; - } - } - - public boolean importKey(String keyName, byte[] key, int uid, int flags) { - try { - return mBinder.import_key(keyName, key, uid, flags) == NO_ERROR; - } catch (RemoteException e) { - Log.w(TAG, "Cannot connect to keystore", e); - return false; - } - } - - public byte[] sign(String key, byte[] data) { - try { - return mBinder.sign(key, data); - } catch (RemoteException e) { - Log.w(TAG, "Cannot connect to keystore", e); - return null; - } catch (android.os.ServiceSpecificException e) { - Log.w(TAG, "KeyStore exception", e); - return null; - } - - } - - public boolean verify(String key, byte[] data, byte[] signature) { - try { - signature = signature != null ? signature : new byte[0]; - return mBinder.verify(key, data, signature) == NO_ERROR; - } catch (RemoteException e) { - Log.w(TAG, "Cannot connect to keystore", e); - return false; - } catch (android.os.ServiceSpecificException e) { - Log.w(TAG, "KeyStore exception", e); - return false; - } - - } - public String grant(String key, int uid) { try { String grantAlias = mBinder.grant(key, uid); @@ -541,6 +502,65 @@ public class KeyStore { return importKey(alias, args, format, keyData, UID_SELF, flags, outCharacteristics); } + private String getAlgorithmFromPKCS8(byte[] keyData) { + try { + final ASN1InputStream bIn = new ASN1InputStream(new ByteArrayInputStream(keyData)); + final PrivateKeyInfo pki = PrivateKeyInfo.getInstance(bIn.readObject()); + final String algOid = pki.getPrivateKeyAlgorithm().getAlgorithm().getId(); + return new AlgorithmId(new ObjectIdentifier(algOid)).getName(); + } catch (IOException e) { + Log.e(TAG, "getAlgorithmFromPKCS8 Failed to parse key data"); + Log.e(TAG, Log.getStackTraceString(e)); + return null; + } + } + + private KeymasterArguments makeLegacyArguments(String algorithm) { + KeymasterArguments args = new KeymasterArguments(); + args.addEnum(KeymasterDefs.KM_TAG_ALGORITHM, + KeyProperties.KeyAlgorithm.toKeymasterAsymmetricKeyAlgorithm(algorithm)); + args.addEnum(KeymasterDefs.KM_TAG_PURPOSE, KeymasterDefs.KM_PURPOSE_SIGN); + args.addEnum(KeymasterDefs.KM_TAG_PURPOSE, KeymasterDefs.KM_PURPOSE_VERIFY); + args.addEnum(KeymasterDefs.KM_TAG_PURPOSE, KeymasterDefs.KM_PURPOSE_ENCRYPT); + args.addEnum(KeymasterDefs.KM_TAG_PURPOSE, KeymasterDefs.KM_PURPOSE_DECRYPT); + args.addEnum(KeymasterDefs.KM_TAG_PADDING, KeymasterDefs.KM_PAD_NONE); + if (algorithm.equalsIgnoreCase(KeyProperties.KEY_ALGORITHM_RSA)) { + args.addEnum(KeymasterDefs.KM_TAG_PADDING, KeymasterDefs.KM_PAD_RSA_OAEP); + args.addEnum(KeymasterDefs.KM_TAG_PADDING, KeymasterDefs.KM_PAD_RSA_PKCS1_1_5_ENCRYPT); + args.addEnum(KeymasterDefs.KM_TAG_PADDING, KeymasterDefs.KM_PAD_RSA_PKCS1_1_5_SIGN); + args.addEnum(KeymasterDefs.KM_TAG_PADDING, KeymasterDefs.KM_PAD_RSA_PSS); + } + args.addEnum(KeymasterDefs.KM_TAG_DIGEST, KeymasterDefs.KM_DIGEST_NONE); + args.addEnum(KeymasterDefs.KM_TAG_DIGEST, KeymasterDefs.KM_DIGEST_MD5); + args.addEnum(KeymasterDefs.KM_TAG_DIGEST, KeymasterDefs.KM_DIGEST_SHA1); + args.addEnum(KeymasterDefs.KM_TAG_DIGEST, KeymasterDefs.KM_DIGEST_SHA_2_224); + args.addEnum(KeymasterDefs.KM_TAG_DIGEST, KeymasterDefs.KM_DIGEST_SHA_2_256); + args.addEnum(KeymasterDefs.KM_TAG_DIGEST, KeymasterDefs.KM_DIGEST_SHA_2_384); + args.addEnum(KeymasterDefs.KM_TAG_DIGEST, KeymasterDefs.KM_DIGEST_SHA_2_512); + args.addBoolean(KeymasterDefs.KM_TAG_NO_AUTH_REQUIRED); + args.addUnsignedLong(KeymasterDefs.KM_TAG_ORIGINATION_EXPIRE_DATETIME, + KeymasterArguments.UINT64_MAX_VALUE); + args.addUnsignedLong(KeymasterDefs.KM_TAG_USAGE_EXPIRE_DATETIME, + KeymasterArguments.UINT64_MAX_VALUE); + args.addUnsignedLong(KeymasterDefs.KM_TAG_ACTIVE_DATETIME, BigInteger.ZERO); + return args; + } + + public boolean importKey(String alias, byte[] keyData, int uid, int flags) { + String algorithm = getAlgorithmFromPKCS8(keyData); + if (algorithm == null) return false; + KeymasterArguments args = makeLegacyArguments(algorithm); + KeyCharacteristics out = new KeyCharacteristics(); + int result = importKey(alias, args, KeymasterDefs.KM_KEY_FORMAT_PKCS8, keyData, uid, + flags, out); + if (result != NO_ERROR) { + Log.e(TAG, Log.getStackTraceString( + new KeyStoreException(result, "legacy key import failed"))); + return false; + } + return true; + } + public int importWrappedKey(String wrappedKeyAlias, byte[] wrappedKey, String wrappingKeyAlias, byte[] maskingKey, KeymasterArguments args, long rootSid, long fingerprintSid, int uid, @@ -627,21 +647,6 @@ public class KeyStore { } /** - * Check if the operation referenced by {@code token} is currently authorized. - * - * @param token An operation token returned by a call to - * {@link #begin(String, int, boolean, KeymasterArguments, byte[], KeymasterArguments) begin}. - */ - public boolean isOperationAuthorized(IBinder token) { - try { - return mBinder.isOperationAuthorized(token); - } catch (RemoteException e) { - Log.w(TAG, "Cannot connect to keystore", e); - return false; - } - } - - /** * Add an authentication record to the keystore authorization table. * * @param authToken The packed bytes of a hw_auth_token_t to be provided to keymaster. |