Import EncryptedBackupTask

Bug: 111386661
Test: make RunBackupEncryptionRoboTests
Change-Id: If45ef931006dc264726065dd9e06dcf230a8fbfc

2 files changed, 310 insertions, 0 deletions

diff --git a/packages/BackupEncryption/src/com/android/server/backup/encryption/client/CryptoBackupServer.java b/packages/BackupEncryption/src/com/android/server/backup/encryption/client/CryptoBackupServer.java
new file mode 100644
index 000000000000..d7f7dc7d0472
--- /dev/null
+++ b/packages/BackupEncryption/src/com/android/server/backup/encryption/client/CryptoBackupServer.java
@@ -0,0 +1,67 @@
+/*
+ * Copyright (C) 2019 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.android.server.backup.encryption.client;
+
+import com.android.server.backup.encryption.protos.nano.WrappedKeyProto;
+
+import java.util.Map;
+
+/**
+ * Contains methods for communicating with the parts of the backup server relevant to encryption.
+ */
+public interface CryptoBackupServer {
+    /**
+     * Uploads an incremental backup to the server.
+     *
+     * <p>Handles setting up and tearing down the connection.
+     *
+     * @param packageName the package to associate the data with
+     * @param oldDocId the id of the previous backup doc in Drive
+     * @param diffScript containing the actual backup data
+     * @param tertiaryKey the wrapped key used to encrypt this backup
+     * @return the id of the new backup doc in Drive.
+     */
+    String uploadIncrementalBackup(
+            String packageName,
+            String oldDocId,
+            byte[] diffScript,
+            WrappedKeyProto.WrappedKey tertiaryKey);
+
+    /**
+     * Uploads non-incremental backup to the server.
+     *
+     * <p>Handles setting up and tearing down the connection.
+     *
+     * @param packageName the package to associate the data with
+     * @param data the actual backup data
+     * @param tertiaryKey the wrapped key used to encrypt this backup
+     * @return the id of the new backup doc in Drive.
+     */
+    String uploadNonIncrementalBackup(
+            String packageName, byte[] data, WrappedKeyProto.WrappedKey tertiaryKey);
+
+    /**
+     * Sets the alias of the active secondary key. This is the alias used to refer to the key in the
+     * {@link java.security.KeyStore}. It is also used to key storage for tertiary keys on the
+     * backup server. Also has to upload all existing tertiary keys, wrapped with the new key.
+     *
+     * @param keyAlias The ID of the secondary key.
+     * @param tertiaryKeys The tertiary keys, wrapped with the new secondary key.
+     */
+    void setActiveSecondaryKeyAlias(
+            String keyAlias, Map<String, WrappedKeyProto.WrappedKey> tertiaryKeys);
+}
diff --git a/packages/BackupEncryption/src/com/android/server/backup/encryption/tasks/EncryptedBackupTask.java b/packages/BackupEncryption/src/com/android/server/backup/encryption/tasks/EncryptedBackupTask.java
new file mode 100644
index 000000000000..ef13f23e799d
--- /dev/null
+++ b/packages/BackupEncryption/src/com/android/server/backup/encryption/tasks/EncryptedBackupTask.java
@@ -0,0 +1,243 @@
+/*
+ * Copyright (C) 2019 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.android.server.backup.encryption.tasks;
+
+import android.annotation.Nullable;
+import android.annotation.TargetApi;
+import android.os.Build.VERSION_CODES;
+import android.util.Slog;
+
+import com.android.server.backup.encryption.chunk.ChunkHash;
+import com.android.server.backup.encryption.chunking.BackupFileBuilder;
+import com.android.server.backup.encryption.chunking.EncryptedChunk;
+import com.android.server.backup.encryption.client.CryptoBackupServer;
+import com.android.server.backup.encryption.protos.nano.ChunksMetadataProto;
+import com.android.server.backup.encryption.protos.nano.WrappedKeyProto;
+
+import java.io.ByteArrayOutputStream;
+import java.io.IOException;
+import java.security.GeneralSecurityException;
+import java.security.InvalidAlgorithmParameterException;
+import java.security.InvalidKeyException;
+import java.security.NoSuchAlgorithmException;
+import java.security.SecureRandom;
+import java.util.Arrays;
+import java.util.HashMap;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Map;
+import java.util.Set;
+import java.util.concurrent.CancellationException;
+import java.util.concurrent.atomic.AtomicBoolean;
+
+import javax.crypto.BadPaddingException;
+import javax.crypto.Cipher;
+import javax.crypto.IllegalBlockSizeException;
+import javax.crypto.NoSuchPaddingException;
+import javax.crypto.SecretKey;
+import javax.crypto.ShortBufferException;
+import javax.crypto.spec.GCMParameterSpec;
+
+/**
+ * Task which reads encrypted chunks from a {@link BackupEncrypter}, builds a backup file and
+ * uploads it to the server.
+ */
+@TargetApi(VERSION_CODES.P)
+public class EncryptedBackupTask {
+    private static final String CIPHER_ALGORITHM = "AES/GCM/NoPadding";
+    private static final int GCM_NONCE_LENGTH_BYTES = 12;
+    private static final int GCM_TAG_LENGTH_BYTES = 16;
+    private static final int BITS_PER_BYTE = 8;
+
+    private static final String TAG = "EncryptedBackupTask";
+
+    private final CryptoBackupServer mCryptoBackupServer;
+    private final SecureRandom mSecureRandom;
+    private final String mPackageName;
+    private final ByteArrayOutputStream mBackupDataOutput;
+    private final BackupEncrypter mBackupEncrypter;
+    private final AtomicBoolean mCancelled;
+
+    /** Creates a new instance which reads data from the given input stream. */
+    public EncryptedBackupTask(
+            CryptoBackupServer cryptoBackupServer,
+            SecureRandom secureRandom,
+            String packageName,
+            BackupEncrypter backupEncrypter) {
+        mCryptoBackupServer = cryptoBackupServer;
+        mSecureRandom = secureRandom;
+        mPackageName = packageName;
+        mBackupEncrypter = backupEncrypter;
+
+        mBackupDataOutput = new ByteArrayOutputStream();
+        mCancelled = new AtomicBoolean(false);
+    }
+
+    /**
+     * Creates a non-incremental backup file and uploads it to the server.
+     *
+     * @param fingerprintMixerSalt Fingerprint mixer salt used for content-defined chunking during a
+     *     full backup. May be {@code null} for a key-value backup.
+     */
+    public ChunksMetadataProto.ChunkListing performNonIncrementalBackup(
+            SecretKey tertiaryKey,
+            WrappedKeyProto.WrappedKey wrappedTertiaryKey,
+            @Nullable byte[] fingerprintMixerSalt)
+            throws IOException, GeneralSecurityException {
+
+        ChunksMetadataProto.ChunkListing newChunkListing =
+                performBackup(
+                        tertiaryKey,
+                        fingerprintMixerSalt,
+                        BackupFileBuilder.createForNonIncremental(mBackupDataOutput),
+                        new HashSet<>());
+
+        throwIfCancelled();
+
+        newChunkListing.documentId =
+                mCryptoBackupServer.uploadNonIncrementalBackup(
+                        mPackageName, mBackupDataOutput.toByteArray(), wrappedTertiaryKey);
+
+        return newChunkListing;
+    }
+
+    /** Creates an incremental backup file and uploads it to the server. */
+    public ChunksMetadataProto.ChunkListing performIncrementalBackup(
+            SecretKey tertiaryKey,
+            WrappedKeyProto.WrappedKey wrappedTertiaryKey,
+            ChunksMetadataProto.ChunkListing oldChunkListing)
+            throws IOException, GeneralSecurityException {
+
+        ChunksMetadataProto.ChunkListing newChunkListing =
+                performBackup(
+                        tertiaryKey,
+                        oldChunkListing.fingerprintMixerSalt,
+                        BackupFileBuilder.createForIncremental(mBackupDataOutput, oldChunkListing),
+                        getChunkHashes(oldChunkListing));
+
+        throwIfCancelled();
+
+        String oldDocumentId = oldChunkListing.documentId;
+        Slog.v(TAG, "Old doc id: " + oldDocumentId);
+
+        newChunkListing.documentId =
+                mCryptoBackupServer.uploadIncrementalBackup(
+                        mPackageName,
+                        oldDocumentId,
+                        mBackupDataOutput.toByteArray(),
+                        wrappedTertiaryKey);
+        return newChunkListing;
+    }
+
+    /**
+     * Signals to the task that the backup has been cancelled. If the upload has not yet started
+     * then the task will not upload any data to the server or save the new chunk listing.
+     */
+    public void cancel() {
+        mCancelled.getAndSet(true);
+    }
+
+    private void throwIfCancelled() {
+        if (mCancelled.get()) {
+            throw new CancellationException("EncryptedBackupTask was cancelled");
+        }
+    }
+
+    private ChunksMetadataProto.ChunkListing performBackup(
+            SecretKey tertiaryKey,
+            @Nullable byte[] fingerprintMixerSalt,
+            BackupFileBuilder backupFileBuilder,
+            Set<ChunkHash> existingChunkHashes)
+            throws IOException, GeneralSecurityException {
+        BackupEncrypter.Result result =
+                mBackupEncrypter.backup(tertiaryKey, fingerprintMixerSalt, existingChunkHashes);
+        backupFileBuilder.writeChunks(result.getAllChunks(), buildChunkMap(result.getNewChunks()));
+
+        ChunksMetadataProto.ChunkOrdering chunkOrdering =
+                backupFileBuilder.getNewChunkOrdering(result.getDigest());
+        backupFileBuilder.finish(buildMetadata(tertiaryKey, chunkOrdering));
+
+        return backupFileBuilder.getNewChunkListing(fingerprintMixerSalt);
+    }
+
+    /** Returns a set containing the hashes of every chunk in the given listing. */
+    private static Set<ChunkHash> getChunkHashes(ChunksMetadataProto.ChunkListing chunkListing) {
+        Set<ChunkHash> hashes = new HashSet<>();
+        for (ChunksMetadataProto.Chunk chunk : chunkListing.chunks) {
+            hashes.add(new ChunkHash(chunk.hash));
+        }
+        return hashes;
+    }
+
+    /** Returns a map from chunk hash to chunk containing every chunk in the given list. */
+    private static Map<ChunkHash, EncryptedChunk> buildChunkMap(List<EncryptedChunk> chunks) {
+        Map<ChunkHash, EncryptedChunk> chunkMap = new HashMap<>();
+        for (EncryptedChunk chunk : chunks) {
+            chunkMap.put(chunk.key(), chunk);
+        }
+        return chunkMap;
+    }
+
+    private ChunksMetadataProto.ChunksMetadata buildMetadata(
+            SecretKey tertiaryKey, ChunksMetadataProto.ChunkOrdering chunkOrdering)
+            throws InvalidKeyException, IllegalBlockSizeException, BadPaddingException,
+                    InvalidAlgorithmParameterException, NoSuchAlgorithmException,
+                    ShortBufferException, NoSuchPaddingException {
+        ChunksMetadataProto.ChunksMetadata metaData = new ChunksMetadataProto.ChunksMetadata();
+        metaData.cipherType = ChunksMetadataProto.AES_256_GCM;
+        metaData.checksumType = ChunksMetadataProto.SHA_256;
+        metaData.chunkOrdering = encryptChunkOrdering(tertiaryKey, chunkOrdering);
+        return metaData;
+    }
+
+    private byte[] encryptChunkOrdering(
+            SecretKey tertiaryKey, ChunksMetadataProto.ChunkOrdering chunkOrdering)
+            throws InvalidKeyException, IllegalBlockSizeException, BadPaddingException,
+                    NoSuchPaddingException, NoSuchAlgorithmException,
+                    InvalidAlgorithmParameterException, ShortBufferException {
+        Cipher cipher = Cipher.getInstance(CIPHER_ALGORITHM);
+
+        byte[] nonce = generateNonce();
+
+        cipher.init(
+                Cipher.ENCRYPT_MODE,
+                tertiaryKey,
+                new GCMParameterSpec(GCM_TAG_LENGTH_BYTES * BITS_PER_BYTE, nonce));
+
+        byte[] orderingBytes = ChunksMetadataProto.ChunkOrdering.toByteArray(chunkOrdering);
+        // We prepend the nonce to the ordering.
+        byte[] output =
+                Arrays.copyOf(
+                        nonce,
+                        GCM_NONCE_LENGTH_BYTES + orderingBytes.length + GCM_TAG_LENGTH_BYTES);
+
+        cipher.doFinal(
+                orderingBytes,
+                /*inputOffset=*/ 0,
+                /*inputLen=*/ orderingBytes.length,
+                output,
+                /*outputOffset=*/ GCM_NONCE_LENGTH_BYTES);
+
+        return output;
+    }
+
+    private byte[] generateNonce() {
+        byte[] nonce = new byte[GCM_NONCE_LENGTH_BYTES];
+        mSecureRandom.nextBytes(nonce);
+        return nonce;
+    }
+}