diff options
Diffstat (limited to 'keystore')
19 files changed, 459 insertions, 61 deletions
diff --git a/keystore/java/android/security/KeyStoreSecurityLevel.java b/keystore/java/android/security/KeyStoreSecurityLevel.java index 372add9b7ecb..d188b6525579 100644 --- a/keystore/java/android/security/KeyStoreSecurityLevel.java +++ b/keystore/java/android/security/KeyStoreSecurityLevel.java @@ -190,7 +190,7 @@ public class KeyStoreSecurityLevel { keyDescriptor.blob = wrappedKey; keyDescriptor.domain = wrappedKeyDescriptor.domain; - return handleExceptions(() -> mSecurityLevel.importWrappedKey(wrappedKeyDescriptor, + return handleExceptions(() -> mSecurityLevel.importWrappedKey(keyDescriptor, wrappingKeyDescriptor, maskingKey, args.toArray(new KeyParameter[args.size()]), authenticatorSpecs)); } diff --git a/keystore/java/android/security/keystore/AndroidKeyStoreKeyPairGeneratorSpi.java b/keystore/java/android/security/keystore/AndroidKeyStoreKeyPairGeneratorSpi.java index 334b1110d651..988838b46334 100644 --- a/keystore/java/android/security/keystore/AndroidKeyStoreKeyPairGeneratorSpi.java +++ b/keystore/java/android/security/keystore/AndroidKeyStoreKeyPairGeneratorSpi.java @@ -17,6 +17,7 @@ package android.security.keystore; import android.annotation.Nullable; +import android.content.Context; import android.os.Build; import android.security.Credentials; import android.security.KeyPairGeneratorSpec; @@ -25,6 +26,8 @@ import android.security.keymaster.KeyCharacteristics; import android.security.keymaster.KeymasterArguments; import android.security.keymaster.KeymasterCertificateChain; import android.security.keymaster.KeymasterDefs; +import android.telephony.TelephonyManager; +import android.util.ArraySet; import com.android.internal.org.bouncycastle.asn1.ASN1EncodableVector; import com.android.internal.org.bouncycastle.asn1.ASN1InputStream; @@ -477,11 +480,11 @@ public abstract class AndroidKeyStoreKeyPairGeneratorSpi extends KeyPairGenerato success = true; return keyPair; - } catch (ProviderException e) { + } catch (ProviderException | IllegalArgumentException | DeviceIdAttestationException e) { if ((mSpec.getPurposes() & KeyProperties.PURPOSE_WRAP_KEY) != 0) { throw new SecureKeyImportUnavailableException(e); } else { - throw e; + throw new ProviderException(e); } } finally { if (!success) { @@ -491,7 +494,7 @@ public abstract class AndroidKeyStoreKeyPairGeneratorSpi extends KeyPairGenerato } private Iterable<byte[]> createCertificateChain(final String privateKeyAlias, KeyPair keyPair) - throws ProviderException { + throws ProviderException, DeviceIdAttestationException { byte[] challenge = mSpec.getAttestationChallenge(); if (challenge != null) { KeymasterArguments args = new KeymasterArguments(); @@ -510,6 +513,60 @@ public abstract class AndroidKeyStoreKeyPairGeneratorSpi extends KeyPairGenerato Build.MODEL.getBytes(StandardCharsets.UTF_8)); } + int[] idTypes = mSpec.getAttestationIds(); + if (idTypes != null) { + final Set<Integer> idTypesSet = new ArraySet<>(idTypes.length); + for (int idType : idTypes) { + idTypesSet.add(idType); + } + TelephonyManager telephonyService = null; + if (idTypesSet.contains(AttestationUtils.ID_TYPE_IMEI) + || idTypesSet.contains(AttestationUtils.ID_TYPE_MEID)) { + telephonyService = + (TelephonyManager) KeyStore.getApplicationContext().getSystemService( + Context.TELEPHONY_SERVICE); + if (telephonyService == null) { + throw new DeviceIdAttestationException( + "Unable to access telephony service"); + } + } + for (final Integer idType : idTypesSet) { + switch (idType) { + case AttestationUtils.ID_TYPE_SERIAL: + args.addBytes(KeymasterDefs.KM_TAG_ATTESTATION_ID_SERIAL, + Build.getSerial().getBytes(StandardCharsets.UTF_8) + ); + break; + case AttestationUtils.ID_TYPE_IMEI: { + final String imei = telephonyService.getImei(0); + if (imei == null) { + throw new DeviceIdAttestationException("Unable to retrieve IMEI"); + } + args.addBytes(KeymasterDefs.KM_TAG_ATTESTATION_ID_IMEI, + imei.getBytes(StandardCharsets.UTF_8) + ); + break; + } + case AttestationUtils.ID_TYPE_MEID: { + final String meid = telephonyService.getMeid(0); + if (meid == null) { + throw new DeviceIdAttestationException("Unable to retrieve MEID"); + } + args.addBytes(KeymasterDefs.KM_TAG_ATTESTATION_ID_MEID, + meid.getBytes(StandardCharsets.UTF_8) + ); + break; + } + case AttestationUtils.USE_INDIVIDUAL_ATTESTATION: { + args.addBoolean(KeymasterDefs.KM_TAG_DEVICE_UNIQUE_ATTESTATION); + break; + } + default: + throw new IllegalArgumentException("Unknown device ID type " + idType); + } + } + } + return getAttestationChain(privateKeyAlias, keyPair, args); } @@ -547,7 +604,8 @@ public abstract class AndroidKeyStoreKeyPairGeneratorSpi extends KeyPairGenerato } } - private KeymasterArguments constructKeyGenerationArguments() { + private KeymasterArguments constructKeyGenerationArguments() + throws IllegalArgumentException, DeviceIdAttestationException { KeymasterArguments args = new KeymasterArguments(); args.addUnsignedInt(KeymasterDefs.KM_TAG_KEY_SIZE, mKeySizeBits); args.addEnum(KeymasterDefs.KM_TAG_ALGORITHM, mKeymasterAlgorithm); @@ -565,9 +623,9 @@ public abstract class AndroidKeyStoreKeyPairGeneratorSpi extends KeyPairGenerato mSpec.getKeyValidityForConsumptionEnd()); addAlgorithmSpecificParameters(args); - if (mSpec.isUniqueIdIncluded()) + if (mSpec.isUniqueIdIncluded()) { args.addBoolean(KeymasterDefs.KM_TAG_INCLUDE_UNIQUE_ID); - + } return args; } diff --git a/keystore/java/android/security/keystore/AndroidKeyStoreProvider.java b/keystore/java/android/security/keystore/AndroidKeyStoreProvider.java index b1b6306e0cf6..087151711138 100644 --- a/keystore/java/android/security/keystore/AndroidKeyStoreProvider.java +++ b/keystore/java/android/security/keystore/AndroidKeyStoreProvider.java @@ -23,7 +23,6 @@ import android.security.KeyStore; import android.security.keymaster.ExportResult; import android.security.keymaster.KeyCharacteristics; import android.security.keymaster.KeymasterDefs; -import android.sysprop.Keystore2Properties; import java.io.IOException; import java.security.KeyFactory; @@ -117,8 +116,6 @@ public class AndroidKeyStoreProvider extends Provider { putSecretKeyFactoryImpl("HmacSHA512"); } - private static boolean sKeystore2Enabled; - /** * This function indicates whether or not Keystore 2.0 is enabled. Some parts of the * Keystore SPI must behave subtly differently when Keystore 2.0 is enabled. However, @@ -133,10 +130,9 @@ public class AndroidKeyStoreProvider extends Provider { * @hide */ public static boolean isKeystore2Enabled() { - return sKeystore2Enabled; + return android.security.keystore2.AndroidKeyStoreProvider.isInstalled(); } - /** * Installs a new instance of this provider (and the * {@link AndroidKeyStoreBCWorkaroundProvider}). @@ -164,11 +160,6 @@ public class AndroidKeyStoreProvider extends Provider { // priority. Security.addProvider(workaroundProvider); } - - // {@code install()} is run by zygote when this property is still accessible. We store its - // value so that the Keystore SPI can act accordingly without having to access an internal - // property. - sKeystore2Enabled = Keystore2Properties.keystore2_enabled().orElse(false); } private void putSecretKeyFactoryImpl(String algorithm) { @@ -443,14 +434,16 @@ public class AndroidKeyStoreProvider extends Provider { @NonNull public static java.security.KeyStore getKeyStoreForUid(int uid) throws KeyStoreException, NoSuchProviderException { - String providerName = PROVIDER_NAME; + final java.security.KeyStore.LoadStoreParameter loadParameter; if (android.security.keystore2.AndroidKeyStoreProvider.isInstalled()) { - providerName = "AndroidKeyStoreLegacy"; + loadParameter = new android.security.keystore2.AndroidKeyStoreLoadStoreParameter( + KeyProperties.legacyUidToNamespace(uid)); + } else { + loadParameter = new AndroidKeyStoreLoadStoreParameter(uid); } - java.security.KeyStore result = - java.security.KeyStore.getInstance(providerName); + java.security.KeyStore result = java.security.KeyStore.getInstance(PROVIDER_NAME); try { - result.load(new AndroidKeyStoreLoadStoreParameter(uid)); + result.load(loadParameter); } catch (NoSuchAlgorithmException | CertificateException | IOException e) { throw new KeyStoreException( "Failed to load AndroidKeyStore KeyStore for UID " + uid, e); diff --git a/keystore/java/android/security/keystore/AndroidKeyStoreSecretKeyFactorySpi.java b/keystore/java/android/security/keystore/AndroidKeyStoreSecretKeyFactorySpi.java index 3694d635422f..d2678c71813c 100644 --- a/keystore/java/android/security/keystore/AndroidKeyStoreSecretKeyFactorySpi.java +++ b/keystore/java/android/security/keystore/AndroidKeyStoreSecretKeyFactorySpi.java @@ -215,7 +215,8 @@ public class AndroidKeyStoreSecretKeyFactorySpi extends SecretKeyFactorySpi { // Keystore 1.0 does not tell us the exact security level of the key // so we report an unknown but secure security level. insideSecureHardware ? KeyProperties.SECURITY_LEVEL_UNKNOWN_SECURE - : KeyProperties.SECURITY_LEVEL_SOFTWARE); + : KeyProperties.SECURITY_LEVEL_SOFTWARE, + KeyProperties.UNRESTRICTED_USAGE_COUNT); } private static BigInteger getGateKeeperSecureUserId() throws ProviderException { diff --git a/keystore/java/android/security/keystore/ArrayUtils.java b/keystore/java/android/security/keystore/ArrayUtils.java index c8c1de4a5e83..f22b6041800f 100644 --- a/keystore/java/android/security/keystore/ArrayUtils.java +++ b/keystore/java/android/security/keystore/ArrayUtils.java @@ -34,6 +34,14 @@ public abstract class ArrayUtils { return ((array != null) && (array.length > 0)) ? array.clone() : array; } + /** + * Clones an array if it is not null and has a length greater than 0. Otherwise, returns the + * array. + */ + public static int[] cloneIfNotEmpty(int[] array) { + return ((array != null) && (array.length > 0)) ? array.clone() : array; + } + public static byte[] cloneIfNotEmpty(byte[] array) { return ((array != null) && (array.length > 0)) ? array.clone() : array; } diff --git a/keystore/java/android/security/keystore/KeyGenParameterSpec.java b/keystore/java/android/security/keystore/KeyGenParameterSpec.java index e9aac7ddb56d..e92eaca2b6e9 100644 --- a/keystore/java/android/security/keystore/KeyGenParameterSpec.java +++ b/keystore/java/android/security/keystore/KeyGenParameterSpec.java @@ -267,6 +267,7 @@ public final class KeyGenParameterSpec implements AlgorithmParameterSpec, UserAu private final boolean mUserPresenceRequired; private final byte[] mAttestationChallenge; private final boolean mDevicePropertiesAttestationIncluded; + private final int[] mAttestationIds; private final boolean mUniqueIdIncluded; private final boolean mUserAuthenticationValidWhileOnBody; private final boolean mInvalidatedByBiometricEnrollment; @@ -274,6 +275,7 @@ public final class KeyGenParameterSpec implements AlgorithmParameterSpec, UserAu private final boolean mUserConfirmationRequired; private final boolean mUnlockedDeviceRequired; private final boolean mCriticalToDeviceEncryption; + private final int mMaxUsageCount; /* * ***NOTE***: All new fields MUST also be added to the following: * ParcelableKeyGenParameterSpec class. @@ -307,13 +309,15 @@ public final class KeyGenParameterSpec implements AlgorithmParameterSpec, UserAu boolean userPresenceRequired, byte[] attestationChallenge, boolean devicePropertiesAttestationIncluded, + int[] attestationIds, boolean uniqueIdIncluded, boolean userAuthenticationValidWhileOnBody, boolean invalidatedByBiometricEnrollment, boolean isStrongBoxBacked, boolean userConfirmationRequired, boolean unlockedDeviceRequired, - boolean criticalToDeviceEncryption) { + boolean criticalToDeviceEncryption, + int maxUsageCount) { if (TextUtils.isEmpty(keyStoreAlias)) { throw new IllegalArgumentException("keyStoreAlias must not be empty"); } @@ -359,6 +363,7 @@ public final class KeyGenParameterSpec implements AlgorithmParameterSpec, UserAu mUserAuthenticationType = userAuthenticationType; mAttestationChallenge = Utils.cloneIfNotNull(attestationChallenge); mDevicePropertiesAttestationIncluded = devicePropertiesAttestationIncluded; + mAttestationIds = attestationIds; mUniqueIdIncluded = uniqueIdIncluded; mUserAuthenticationValidWhileOnBody = userAuthenticationValidWhileOnBody; mInvalidatedByBiometricEnrollment = invalidatedByBiometricEnrollment; @@ -366,6 +371,7 @@ public final class KeyGenParameterSpec implements AlgorithmParameterSpec, UserAu mUserConfirmationRequired = userConfirmationRequired; mUnlockedDeviceRequired = unlockedDeviceRequired; mCriticalToDeviceEncryption = criticalToDeviceEncryption; + mMaxUsageCount = maxUsageCount; } /** @@ -717,6 +723,25 @@ public final class KeyGenParameterSpec implements AlgorithmParameterSpec, UserAu } /** + * @hide + * Allows the caller to specify device IDs to be attested to in the certificate for the + * generated key pair. These values are the enums specified in + * {@link android.security.keystore.AttestationUtils} + * + * @see android.security.keystore.AttestationUtils#ID_TYPE_SERIAL + * @see android.security.keystore.AttestationUtils#ID_TYPE_IMEI + * @see android.security.keystore.AttestationUtils#ID_TYPE_MEID + * @see android.security.keystore.AttestationUtils#USE_INDIVIDUAL_ATTESTATION + * + * @return integer array representing the requested device IDs to attest. + */ + @SystemApi + @Nullable + public int[] getAttestationIds() { + return Utils.cloneIfNotNull(mAttestationIds); + } + + /** * @hide This is a system-only API * * Returns {@code true} if the attestation certificate will contain a unique ID field. @@ -782,7 +807,7 @@ public final class KeyGenParameterSpec implements AlgorithmParameterSpec, UserAu } /** - * Return whether this key is critical to the device encryption flow. + * Returns whether this key is critical to the device encryption flow. * * @see android.security.KeyStore#FLAG_CRITICAL_TO_DEVICE_ENCRYPTION * @hide @@ -792,6 +817,17 @@ public final class KeyGenParameterSpec implements AlgorithmParameterSpec, UserAu } /** + * Returns the maximum number of times the limited use key is allowed to be used or + * {@link KeyProperties#UNRESTRICTED_USAGE_COUNT} if there’s no restriction on the number of + * times the key can be used. + * + * @see Builder#setMaxUsageCount(int) + */ + public int getMaxUsageCount() { + return mMaxUsageCount; + } + + /** * Builder of {@link KeyGenParameterSpec} instances. */ public final static class Builder { @@ -820,6 +856,7 @@ public final class KeyGenParameterSpec implements AlgorithmParameterSpec, UserAu private boolean mUserPresenceRequired = false; private byte[] mAttestationChallenge = null; private boolean mDevicePropertiesAttestationIncluded = false; + private int[] mAttestationIds = null; private boolean mUniqueIdIncluded = false; private boolean mUserAuthenticationValidWhileOnBody; private boolean mInvalidatedByBiometricEnrollment = true; @@ -827,6 +864,7 @@ public final class KeyGenParameterSpec implements AlgorithmParameterSpec, UserAu private boolean mUserConfirmationRequired; private boolean mUnlockedDeviceRequired = false; private boolean mCriticalToDeviceEncryption = false; + private int mMaxUsageCount = KeyProperties.UNRESTRICTED_USAGE_COUNT; /** * Creates a new instance of the {@code Builder}. @@ -887,6 +925,7 @@ public final class KeyGenParameterSpec implements AlgorithmParameterSpec, UserAu mAttestationChallenge = sourceSpec.getAttestationChallenge(); mDevicePropertiesAttestationIncluded = sourceSpec.isDevicePropertiesAttestationIncluded(); + mAttestationIds = sourceSpec.getAttestationIds(); mUniqueIdIncluded = sourceSpec.isUniqueIdIncluded(); mUserAuthenticationValidWhileOnBody = sourceSpec.isUserAuthenticationValidWhileOnBody(); mInvalidatedByBiometricEnrollment = sourceSpec.isInvalidatedByBiometricEnrollment(); @@ -894,6 +933,7 @@ public final class KeyGenParameterSpec implements AlgorithmParameterSpec, UserAu mUserConfirmationRequired = sourceSpec.isUserConfirmationRequired(); mUnlockedDeviceRequired = sourceSpec.isUnlockedDeviceRequired(); mCriticalToDeviceEncryption = sourceSpec.isCriticalToDeviceEncryption(); + mMaxUsageCount = sourceSpec.getMaxUsageCount(); } /** @@ -1457,6 +1497,26 @@ public final class KeyGenParameterSpec implements AlgorithmParameterSpec, UserAu } /** + * @hide + * Sets which IDs to attest in the attestation certificate for the key. The acceptable + * values in this integer array are the enums specified in + * {@link android.security.keystore.AttestationUtils} + * + * @param attestationIds the array of ID types to attest to in the certificate. + * + * @see android.security.keystore.AttestationUtils#ID_TYPE_SERIAL + * @see android.security.keystore.AttestationUtils#ID_TYPE_IMEI + * @see android.security.keystore.AttestationUtils#ID_TYPE_MEID + * @see android.security.keystore.AttestationUtils#USE_INDIVIDUAL_ATTESTATION + */ + @SystemApi + @NonNull + public Builder setAttestationIds(@NonNull int[] attestationIds) { + mAttestationIds = attestationIds; + return this; + } + + /** * @hide Only system apps can use this method. * * Sets whether to include a temporary unique ID field in the attestation certificate. @@ -1553,6 +1613,47 @@ public final class KeyGenParameterSpec implements AlgorithmParameterSpec, UserAu } /** + * Sets the maximum number of times the key is allowed to be used. After every use of the + * key, the use counter will decrease. This authorization applies only to secret key and + * private key operations. Public key operations are not restricted. For example, after + * successfully encrypting and decrypting data using methods such as + * {@link Cipher#doFinal()}, the use counter of the secret key will decrease. After + * successfully signing data using methods such as {@link Signature#sign()}, the use + * counter of the private key will decrease. + * + * When the use counter is depleted, the key will be marked for deletion by Android + * Keystore and any subsequent attempt to use the key will throw + * {@link KeyPermanentlyInvalidatedException}. There is no key to be loaded from the + * Android Keystore once the exhausted key is permanently deleted, as if the key never + * existed before. + * + * <p>By default, there is no restriction on the usage of key. + * + * <p>Some secure hardware may not support this feature at all, in which case it will + * be enforced in software, some secure hardware may support it but only with + * maxUsageCount = 1, and some secure hardware may support it with larger value + * of maxUsageCount. + * + * <p>The PackageManger feature flags: + * {@link android.content.pm.PackageManager#FEATURE_KEYSTORE_SINGLE_USE_KEY} and + * {@link android.content.pm.PackageManager#FEATURE_KEYSTORE_LIMITED_USE_KEY} can be used + * to check whether the secure hardware cannot enforce this feature, can only enforce it + * with maxUsageCount = 1, or can enforce it with larger value of maxUsageCount. + * + * @param maxUsageCount maximum number of times the key is allowed to be used or + * {@link KeyProperties#UNRESTRICTED_USAGE_COUNT} if there is no restriction on the + * usage. + */ + @NonNull + public Builder setMaxUsageCount(int maxUsageCount) { + if (maxUsageCount == KeyProperties.UNRESTRICTED_USAGE_COUNT || maxUsageCount > 0) { + mMaxUsageCount = maxUsageCount; + return this; + } + throw new IllegalArgumentException("maxUsageCount is not valid"); + } + + /** * Builds an instance of {@code KeyGenParameterSpec}. */ @NonNull @@ -1581,13 +1682,15 @@ public final class KeyGenParameterSpec implements AlgorithmParameterSpec, UserAu mUserPresenceRequired, mAttestationChallenge, mDevicePropertiesAttestationIncluded, + mAttestationIds, mUniqueIdIncluded, mUserAuthenticationValidWhileOnBody, mInvalidatedByBiometricEnrollment, mIsStrongBoxBacked, mUserConfirmationRequired, mUnlockedDeviceRequired, - mCriticalToDeviceEncryption); + mCriticalToDeviceEncryption, + mMaxUsageCount); } } } diff --git a/keystore/java/android/security/keystore/KeyInfo.java b/keystore/java/android/security/keystore/KeyInfo.java index 7158d0cf248e..f50efd2c3328 100644 --- a/keystore/java/android/security/keystore/KeyInfo.java +++ b/keystore/java/android/security/keystore/KeyInfo.java @@ -85,6 +85,7 @@ public class KeyInfo implements KeySpec { private final boolean mInvalidatedByBiometricEnrollment; private final boolean mUserConfirmationRequired; private final @KeyProperties.SecurityLevelEnum int mSecurityLevel; + private final int mRemainingUsageCount; /** * @hide @@ -109,7 +110,8 @@ public class KeyInfo implements KeySpec { boolean trustedUserPresenceRequired, boolean invalidatedByBiometricEnrollment, boolean userConfirmationRequired, - @KeyProperties.SecurityLevelEnum int securityLevel) { + @KeyProperties.SecurityLevelEnum int securityLevel, + int remainingUsageCount) { mKeystoreAlias = keystoreKeyAlias; mInsideSecureHardware = insideSecureHardware; mOrigin = origin; @@ -134,6 +136,7 @@ public class KeyInfo implements KeySpec { mInvalidatedByBiometricEnrollment = invalidatedByBiometricEnrollment; mUserConfirmationRequired = userConfirmationRequired; mSecurityLevel = securityLevel; + mRemainingUsageCount = remainingUsageCount; } /** @@ -374,4 +377,15 @@ public class KeyInfo implements KeySpec { public @KeyProperties.SecurityLevelEnum int getSecurityLevel() { return mSecurityLevel; } + + /** + * Returns the remaining number of times the key is allowed to be used or + * {@link KeyProperties#UNRESTRICTED_USAGE_COUNT} if there's no restriction on the number of + * times the key can be used. Note that this gives a best effort count and need not be + * accurate (as there might be usages happening in parallel and the count maintained here need + * not be in sync with the usage). + */ + public int getRemainingUsageCount() { + return mRemainingUsageCount; + } } diff --git a/keystore/java/android/security/keystore/KeyProperties.java b/keystore/java/android/security/keystore/KeyProperties.java index 014d6882be8d..3ebca6ad302d 100644 --- a/keystore/java/android/security/keystore/KeyProperties.java +++ b/keystore/java/android/security/keystore/KeyProperties.java @@ -20,6 +20,8 @@ import android.annotation.IntDef; import android.annotation.NonNull; import android.annotation.Nullable; import android.annotation.StringDef; +import android.annotation.SystemApi; +import android.os.Process; import android.security.KeyStore; import android.security.keymaster.KeymasterDefs; @@ -874,9 +876,18 @@ public abstract class KeyProperties { * which it must be configured in SEPolicy. * @hide */ + @SystemApi public static final int NAMESPACE_APPLICATION = -1; /** + * The namespace identifier for the WIFI Keystore namespace. + * This must be kept in sync with system/sepolicy/private/keystore2_key_contexts + * @hide + */ + @SystemApi + public static final int NAMESPACE_WIFI = 102; + + /** * For legacy support, translate namespaces into known UIDs. * @hide */ @@ -884,6 +895,8 @@ public abstract class KeyProperties { switch (namespace) { case NAMESPACE_APPLICATION: return KeyStore.UID_SELF; + case NAMESPACE_WIFI: + return Process.WIFI_UID; // TODO Translate WIFI and VPN UIDs once the namespaces are defined. // b/171305388 and b/171305607 default: @@ -900,6 +913,8 @@ public abstract class KeyProperties { switch (uid) { case KeyStore.UID_SELF: return NAMESPACE_APPLICATION; + case Process.WIFI_UID: + return NAMESPACE_WIFI; // TODO Translate WIFI and VPN UIDs once the namespaces are defined. // b/171305388 and b/171305607 default: @@ -907,4 +922,9 @@ public abstract class KeyProperties { + uid); } } + + /** + * This value indicates that there is no restriction on the number of times the key can be used. + */ + public static final int UNRESTRICTED_USAGE_COUNT = -1; } diff --git a/keystore/java/android/security/keystore/KeyProtection.java b/keystore/java/android/security/keystore/KeyProtection.java index 2e793dea3e05..76ce23efd05b 100644 --- a/keystore/java/android/security/keystore/KeyProtection.java +++ b/keystore/java/android/security/keystore/KeyProtection.java @@ -235,6 +235,7 @@ public final class KeyProtection implements ProtectionParameter, UserAuthArgs { private final boolean mUserConfirmationRequired; private final boolean mUnlockedDeviceRequired; private final boolean mIsStrongBoxBacked; + private final int mMaxUsageCount; private KeyProtection( Date keyValidityStart, @@ -256,7 +257,8 @@ public final class KeyProtection implements ProtectionParameter, UserAuthArgs { boolean criticalToDeviceEncryption, boolean userConfirmationRequired, boolean unlockedDeviceRequired, - boolean isStrongBoxBacked) { + boolean isStrongBoxBacked, + int maxUsageCount) { mKeyValidityStart = Utils.cloneIfNotNull(keyValidityStart); mKeyValidityForOriginationEnd = Utils.cloneIfNotNull(keyValidityForOriginationEnd); mKeyValidityForConsumptionEnd = Utils.cloneIfNotNull(keyValidityForConsumptionEnd); @@ -279,6 +281,7 @@ public final class KeyProtection implements ProtectionParameter, UserAuthArgs { mUserConfirmationRequired = userConfirmationRequired; mUnlockedDeviceRequired = unlockedDeviceRequired; mIsStrongBoxBacked = isStrongBoxBacked; + mMaxUsageCount = maxUsageCount; } /** @@ -548,6 +551,17 @@ public final class KeyProtection implements ProtectionParameter, UserAuthArgs { } /** + * Returns the maximum number of times the limited use key is allowed to be used or + * {@link KeyProperties#UNRESTRICTED_USAGE_COUNT} if there’s no restriction on the number of + * times the key can be used. + * + * @see Builder#setMaxUsageCount(int) + */ + public int getMaxUsageCount() { + return mMaxUsageCount; + } + + /** * Builder of {@link KeyProtection} instances. */ public final static class Builder { @@ -574,6 +588,7 @@ public final class KeyProtection implements ProtectionParameter, UserAuthArgs { private long mBoundToSecureUserId = GateKeeper.INVALID_SECURE_USER_ID; private boolean mCriticalToDeviceEncryption = false; private boolean mIsStrongBoxBacked = false; + private int mMaxUsageCount = KeyProperties.UNRESTRICTED_USAGE_COUNT; /** * Creates a new instance of the {@code Builder}. @@ -1040,6 +1055,47 @@ public final class KeyProtection implements ProtectionParameter, UserAuthArgs { } /** + * Sets the maximum number of times the key is allowed to be used. After every use of the + * key, the use counter will decrease. This authorization applies only to secret key and + * private key operations. Public key operations are not restricted. For example, after + * successfully encrypting and decrypting data using methods such as + * {@link Cipher#doFinal()}, the use counter of the secret key will decrease. After + * successfully signing data using methods such as {@link Signature#sign()}, the use + * counter of the private key will decrease. + * + * When the use counter is depleted, the key will be marked for deletion by Android + * Keystore and any subsequent attempt to use the key will throw + * {@link KeyPermanentlyInvalidatedException}. There is no key to be loaded from the + * Android Keystore once the exhausted key is permanently deleted, as if the key never + * existed before. + * + * <p>By default, there is no restriction on the usage of key. + * + * <p>Some secure hardware may not support this feature at all, in which case it will + * be enforced in software, some secure hardware may support it but only with + * maxUsageCount = 1, and some secure hardware may support it with larger value + * of maxUsageCount. + * + * <p>The PackageManger feature flags: + * {@link android.content.pm.PackageManager#FEATURE_KEYSTORE_SINGLE_USE_KEY} and + * {@link android.content.pm.PackageManager#FEATURE_KEYSTORE_LIMITED_USE_KEY} can be used + * to check whether the secure hardware cannot enforce this feature, can only enforce it + * with maxUsageCount = 1, or can enforce it with larger value of maxUsageCount. + * + * @param maxUsageCount maximum number of times the key is allowed to be used or + * {@link KeyProperties#UNRESTRICTED_USAGE_COUNT} if there is no restriction on the + * usage. + */ + @NonNull + public Builder setMaxUsageCount(int maxUsageCount) { + if (maxUsageCount == KeyProperties.UNRESTRICTED_USAGE_COUNT || maxUsageCount > 0) { + mMaxUsageCount = maxUsageCount; + return this; + } + throw new IllegalArgumentException("maxUsageCount is not valid"); + } + + /** * Builds an instance of {@link KeyProtection}. * * @throws IllegalArgumentException if a required field is missing @@ -1066,7 +1122,8 @@ public final class KeyProtection implements ProtectionParameter, UserAuthArgs { mCriticalToDeviceEncryption, mUserConfirmationRequired, mUnlockedDeviceRequired, - mIsStrongBoxBacked); + mIsStrongBoxBacked, + mMaxUsageCount); } } } diff --git a/keystore/java/android/security/keystore/ParcelableKeyGenParameterSpec.java b/keystore/java/android/security/keystore/ParcelableKeyGenParameterSpec.java index 69c15cca68bf..1f2f853b67a8 100644 --- a/keystore/java/android/security/keystore/ParcelableKeyGenParameterSpec.java +++ b/keystore/java/android/security/keystore/ParcelableKeyGenParameterSpec.java @@ -101,6 +101,7 @@ public final class ParcelableKeyGenParameterSpec implements Parcelable { out.writeBoolean(mSpec.isUserPresenceRequired()); out.writeByteArray(mSpec.getAttestationChallenge()); out.writeBoolean(mSpec.isDevicePropertiesAttestationIncluded()); + out.writeIntArray(mSpec.getAttestationIds()); out.writeBoolean(mSpec.isUniqueIdIncluded()); out.writeBoolean(mSpec.isUserAuthenticationValidWhileOnBody()); out.writeBoolean(mSpec.isInvalidatedByBiometricEnrollment()); @@ -108,6 +109,7 @@ public final class ParcelableKeyGenParameterSpec implements Parcelable { out.writeBoolean(mSpec.isUserConfirmationRequired()); out.writeBoolean(mSpec.isUnlockedDeviceRequired()); out.writeBoolean(mSpec.isCriticalToDeviceEncryption()); + out.writeInt(mSpec.getMaxUsageCount()); } private static Date readDateOrNull(Parcel in) { @@ -159,6 +161,7 @@ public final class ParcelableKeyGenParameterSpec implements Parcelable { final boolean userPresenceRequired = in.readBoolean(); final byte[] attestationChallenge = in.createByteArray(); final boolean devicePropertiesAttestationIncluded = in.readBoolean(); + final int[] attestationIds = in.createIntArray(); final boolean uniqueIdIncluded = in.readBoolean(); final boolean userAuthenticationValidWhileOnBody = in.readBoolean(); final boolean invalidatedByBiometricEnrollment = in.readBoolean(); @@ -166,6 +169,7 @@ public final class ParcelableKeyGenParameterSpec implements Parcelable { final boolean userConfirmationRequired = in.readBoolean(); final boolean unlockedDeviceRequired = in.readBoolean(); final boolean criticalToDeviceEncryption = in.readBoolean(); + final int maxUsageCount = in.readInt(); // The KeyGenParameterSpec is intentionally not constructed using a Builder here: // The intention is for this class to break if new parameters are added to the // KeyGenParameterSpec constructor (whereas using a builder would silently drop them). @@ -193,13 +197,15 @@ public final class ParcelableKeyGenParameterSpec implements Parcelable { userPresenceRequired, attestationChallenge, devicePropertiesAttestationIncluded, + attestationIds, uniqueIdIncluded, userAuthenticationValidWhileOnBody, invalidatedByBiometricEnrollment, isStrongBoxBacked, userConfirmationRequired, unlockedDeviceRequired, - criticalToDeviceEncryption); + criticalToDeviceEncryption, + maxUsageCount); } public static final @android.annotation.NonNull Creator<ParcelableKeyGenParameterSpec> CREATOR = new Creator<ParcelableKeyGenParameterSpec>() { diff --git a/keystore/java/android/security/keystore/Utils.java b/keystore/java/android/security/keystore/Utils.java index 5722c7b53ef4..e58b1ccb5370 100644 --- a/keystore/java/android/security/keystore/Utils.java +++ b/keystore/java/android/security/keystore/Utils.java @@ -33,4 +33,8 @@ abstract class Utils { static byte[] cloneIfNotNull(byte[] value) { return (value != null) ? value.clone() : null; } + + static int[] cloneIfNotNull(int[] value) { + return (value != null) ? value.clone() : null; + } } diff --git a/keystore/java/android/security/keystore2/AndroidKeyStoreHmacSpi.java b/keystore/java/android/security/keystore2/AndroidKeyStoreHmacSpi.java index 8475ad9fd57b..0f777495a3fe 100644 --- a/keystore/java/android/security/keystore2/AndroidKeyStoreHmacSpi.java +++ b/keystore/java/android/security/keystore2/AndroidKeyStoreHmacSpi.java @@ -164,6 +164,9 @@ public abstract class AndroidKeyStoreHmacSpi extends MacSpi implements KeyStoreC List<KeyParameter> parameters = new ArrayList<>(); parameters.add(KeyStore2ParameterUtils.makeEnum( + KeymasterDefs.KM_TAG_PURPOSE, KeymasterDefs.KM_PURPOSE_SIGN + )); + parameters.add(KeyStore2ParameterUtils.makeEnum( KeymasterDefs.KM_TAG_ALGORITHM, KeymasterDefs.KM_ALGORITHM_HMAC )); parameters.add(KeyStore2ParameterUtils.makeEnum( diff --git a/keystore/java/android/security/keystore2/AndroidKeyStoreKey.java b/keystore/java/android/security/keystore2/AndroidKeyStoreKey.java index 32650aeda1b1..5619585d9c3c 100644 --- a/keystore/java/android/security/keystore2/AndroidKeyStoreKey.java +++ b/keystore/java/android/security/keystore2/AndroidKeyStoreKey.java @@ -21,7 +21,6 @@ import android.security.KeyStoreSecurityLevel; import android.system.keystore2.Authorization; import android.system.keystore2.Domain; import android.system.keystore2.KeyDescriptor; -import android.util.Log; import java.security.Key; @@ -127,15 +126,6 @@ public class AndroidKeyStoreKey implements Key { return false; } - // If the key ids are equal and the class matches all the other fields cannot differ - // unless we have a bug. - if (!mAlgorithm.equals(other.mAlgorithm) - || !mAuthorizations.equals(other.mAuthorizations) - || !mDescriptor.equals(other.mDescriptor)) { - Log.e("AndroidKeyStoreKey", "Bug: key ids are identical, but key metadata" - + "differs."); - return false; - } return true; } } diff --git a/keystore/java/android/security/keystore2/AndroidKeyStoreKeyGeneratorSpi.java b/keystore/java/android/security/keystore2/AndroidKeyStoreKeyGeneratorSpi.java index 233f352989ab..1575bb411562 100644 --- a/keystore/java/android/security/keystore2/AndroidKeyStoreKeyGeneratorSpi.java +++ b/keystore/java/android/security/keystore2/AndroidKeyStoreKeyGeneratorSpi.java @@ -366,6 +366,13 @@ public abstract class AndroidKeyStoreKeyGeneratorSpi extends KeyGeneratorSpi { )); } + if (spec.getMaxUsageCount() != KeyProperties.UNRESTRICTED_USAGE_COUNT) { + params.add(KeyStore2ParameterUtils.makeInt( + KeymasterDefs.KM_TAG_USAGE_COUNT_LIMIT, + spec.getMaxUsageCount() + )); + } + byte[] additionalEntropy = KeyStoreCryptoOperationUtils.getRandomBytesToMixIntoKeystoreRng( mRng, (mKeySizeBits + 7) / 8); diff --git a/keystore/java/android/security/keystore2/AndroidKeyStoreKeyPairGeneratorSpi.java b/keystore/java/android/security/keystore2/AndroidKeyStoreKeyPairGeneratorSpi.java index df0e1462a492..4d27c3454a84 100644 --- a/keystore/java/android/security/keystore2/AndroidKeyStoreKeyPairGeneratorSpi.java +++ b/keystore/java/android/security/keystore2/AndroidKeyStoreKeyPairGeneratorSpi.java @@ -18,16 +18,20 @@ package android.security.keystore2; import android.annotation.NonNull; import android.annotation.Nullable; +import android.content.Context; import android.hardware.security.keymint.KeyParameter; import android.hardware.security.keymint.SecurityLevel; import android.os.Build; import android.security.KeyPairGeneratorSpec; +import android.security.KeyStore; import android.security.KeyStore2; import android.security.KeyStoreException; import android.security.KeyStoreSecurityLevel; import android.security.keymaster.KeymasterArguments; import android.security.keymaster.KeymasterDefs; import android.security.keystore.ArrayUtils; +import android.security.keystore.AttestationUtils; +import android.security.keystore.DeviceIdAttestationException; import android.security.keystore.KeyGenParameterSpec; import android.security.keystore.KeyProperties; import android.security.keystore.KeymasterUtils; @@ -38,6 +42,8 @@ import android.system.keystore2.IKeystoreSecurityLevel; import android.system.keystore2.KeyDescriptor; import android.system.keystore2.KeyMetadata; import android.system.keystore2.ResponseCode; +import android.telephony.TelephonyManager; +import android.util.ArraySet; import android.util.Log; import libcore.util.EmptyArray; @@ -478,7 +484,8 @@ public abstract class AndroidKeyStoreKeyPairGeneratorSpi extends KeyPairGenerato } throw p; } - } catch (UnrecoverableKeyException e) { + } catch (UnrecoverableKeyException | IllegalArgumentException + | DeviceIdAttestationException e) { throw new ProviderException( "Failed to construct key object from newly generated key pair.", e); } finally { @@ -496,7 +503,7 @@ public abstract class AndroidKeyStoreKeyPairGeneratorSpi extends KeyPairGenerato } private void addAttestationParameters(@NonNull List<KeyParameter> params) - throws ProviderException { + throws ProviderException, IllegalArgumentException, DeviceIdAttestationException { byte[] challenge = mSpec.getAttestationChallenge(); if (challenge != null) { @@ -526,15 +533,69 @@ public abstract class AndroidKeyStoreKeyPairGeneratorSpi extends KeyPairGenerato Build.MODEL.getBytes(StandardCharsets.UTF_8) )); } - } else { - if (mSpec.isDevicePropertiesAttestationIncluded()) { - throw new ProviderException("An attestation challenge must be provided when " - + "requesting device properties attestation."); + + int[] idTypes = mSpec.getAttestationIds(); + if (idTypes == null) { + return; + } + final Set<Integer> idTypesSet = new ArraySet<>(idTypes.length); + for (int idType : idTypes) { + idTypesSet.add(idType); + } + TelephonyManager telephonyService = null; + if (idTypesSet.contains(AttestationUtils.ID_TYPE_IMEI) + || idTypesSet.contains(AttestationUtils.ID_TYPE_MEID)) { + telephonyService = + (TelephonyManager) KeyStore.getApplicationContext().getSystemService( + Context.TELEPHONY_SERVICE); + if (telephonyService == null) { + throw new DeviceIdAttestationException("Unable to access telephony service"); + } + } + for (final Integer idType : idTypesSet) { + switch (idType) { + case AttestationUtils.ID_TYPE_SERIAL: + params.add(KeyStore2ParameterUtils.makeBytes( + KeymasterDefs.KM_TAG_ATTESTATION_ID_SERIAL, + Build.getSerial().getBytes(StandardCharsets.UTF_8) + )); + break; + case AttestationUtils.ID_TYPE_IMEI: { + final String imei = telephonyService.getImei(0); + if (imei == null) { + throw new DeviceIdAttestationException("Unable to retrieve IMEI"); + } + params.add(KeyStore2ParameterUtils.makeBytes( + KeymasterDefs.KM_TAG_ATTESTATION_ID_IMEI, + imei.getBytes(StandardCharsets.UTF_8) + )); + break; + } + case AttestationUtils.ID_TYPE_MEID: { + final String meid = telephonyService.getMeid(0); + if (meid == null) { + throw new DeviceIdAttestationException("Unable to retrieve MEID"); + } + params.add(KeyStore2ParameterUtils.makeBytes( + KeymasterDefs.KM_TAG_ATTESTATION_ID_MEID, + meid.getBytes(StandardCharsets.UTF_8) + )); + break; + } + case AttestationUtils.USE_INDIVIDUAL_ATTESTATION: { + params.add(KeyStore2ParameterUtils.makeBool( + KeymasterDefs.KM_TAG_DEVICE_UNIQUE_ATTESTATION)); + break; + } + default: + throw new IllegalArgumentException("Unknown device ID type " + idType); + } } } } - private Collection<KeyParameter> constructKeyGenerationArguments() { + private Collection<KeyParameter> constructKeyGenerationArguments() + throws DeviceIdAttestationException, IllegalArgumentException { List<KeyParameter> params = new ArrayList<>(); params.add(KeyStore2ParameterUtils.makeInt(KeymasterDefs.KM_TAG_KEY_SIZE, mKeySizeBits)); params.add(KeyStore2ParameterUtils.makeEnum( @@ -585,6 +646,37 @@ public abstract class AndroidKeyStoreKeyPairGeneratorSpi extends KeyPairGenerato mSpec.getKeyValidityForConsumptionEnd() )); } + if (mSpec.getCertificateNotAfter() != null) { + params.add(KeyStore2ParameterUtils.makeDate( + KeymasterDefs.KM_TAG_CERTIFICATE_NOT_AFTER, + mSpec.getCertificateNotAfter() + )); + } + if (mSpec.getCertificateNotBefore() != null) { + params.add(KeyStore2ParameterUtils.makeDate( + KeymasterDefs.KM_TAG_CERTIFICATE_NOT_BEFORE, + mSpec.getCertificateNotBefore() + )); + } + if (mSpec.getCertificateSerialNumber() != null) { + params.add(KeyStore2ParameterUtils.makeBignum( + KeymasterDefs.KM_TAG_CERTIFICATE_SERIAL, + mSpec.getCertificateSerialNumber() + )); + } + if (mSpec.getCertificateSubject() != null) { + params.add(KeyStore2ParameterUtils.makeBytes( + KeymasterDefs.KM_TAG_CERTIFICATE_SUBJECT, + mSpec.getCertificateSubject().getEncoded() + )); + } + + if (mSpec.getMaxUsageCount() != KeyProperties.UNRESTRICTED_USAGE_COUNT) { + params.add(KeyStore2ParameterUtils.makeInt( + KeymasterDefs.KM_TAG_USAGE_COUNT_LIMIT, + mSpec.getMaxUsageCount() + )); + } addAlgorithmSpecificParameters(params); diff --git a/keystore/java/android/security/keystore2/AndroidKeyStoreProvider.java b/keystore/java/android/security/keystore2/AndroidKeyStoreProvider.java index 75ac61a22cab..e1011155248e 100644 --- a/keystore/java/android/security/keystore2/AndroidKeyStoreProvider.java +++ b/keystore/java/android/security/keystore2/AndroidKeyStoreProvider.java @@ -352,14 +352,17 @@ public class AndroidKeyStoreProvider extends Provider { try { response = keyStore.getKeyEntry(descriptor); } catch (android.security.KeyStoreException e) { - if (e.getErrorCode() == ResponseCode.KEY_PERMANENTLY_INVALIDATED) { - throw new KeyPermanentlyInvalidatedException( - "User changed or deleted their auth credentials", - e); - } else { - throw (UnrecoverableKeyException) - new UnrecoverableKeyException("Failed to obtain information about key") - .initCause(e); + switch (e.getErrorCode()) { + case ResponseCode.KEY_NOT_FOUND: + return null; + case ResponseCode.KEY_PERMANENTLY_INVALIDATED: + throw new KeyPermanentlyInvalidatedException( + "User changed or deleted their auth credentials", + e); + default: + throw (UnrecoverableKeyException) + new UnrecoverableKeyException("Failed to obtain information about key") + .initCause(e); } } diff --git a/keystore/java/android/security/keystore2/AndroidKeyStoreSecretKeyFactorySpi.java b/keystore/java/android/security/keystore2/AndroidKeyStoreSecretKeyFactorySpi.java index 74503e1eecfa..fe05989c3846 100644 --- a/keystore/java/android/security/keystore2/AndroidKeyStoreSecretKeyFactorySpi.java +++ b/keystore/java/android/security/keystore2/AndroidKeyStoreSecretKeyFactorySpi.java @@ -95,6 +95,7 @@ public class AndroidKeyStoreSecretKeyFactorySpi extends SecretKeyFactorySpi { boolean userAuthenticationValidWhileOnBody = false; boolean trustedUserPresenceRequired = false; boolean trustedUserConfirmationRequired = false; + int remainingUsageCount = KeyProperties.UNRESTRICTED_USAGE_COUNT; try { for (Authorization a : key.getAuthorizations()) { switch (a.keyParameter.tag) { @@ -195,6 +196,16 @@ public class AndroidKeyStoreSecretKeyFactorySpi extends SecretKeyFactorySpi { trustedUserConfirmationRequired = KeyStore2ParameterUtils.isSecureHardware(a.securityLevel); break; + case KeymasterDefs.KM_TAG_USAGE_COUNT_LIMIT: + long remainingUsageCountUnsigned = + KeyStore2ParameterUtils.getUnsignedInt(a); + if (remainingUsageCountUnsigned > Integer.MAX_VALUE) { + throw new ProviderException( + "Usage count of limited use key too long: " + + remainingUsageCountUnsigned); + } + remainingUsageCount = (int) remainingUsageCountUnsigned; + break; } } } catch (IllegalArgumentException e) { @@ -247,7 +258,8 @@ public class AndroidKeyStoreSecretKeyFactorySpi extends SecretKeyFactorySpi { trustedUserPresenceRequired, invalidatedByBiometricEnrollment, trustedUserConfirmationRequired, - securityLevel); + securityLevel, + remainingUsageCount); } private static BigInteger getGateKeeperSecureUserId() throws ProviderException { diff --git a/keystore/java/android/security/keystore2/AndroidKeyStoreSpi.java b/keystore/java/android/security/keystore2/AndroidKeyStoreSpi.java index 07169cedc1d9..39607aeb3852 100644 --- a/keystore/java/android/security/keystore2/AndroidKeyStoreSpi.java +++ b/keystore/java/android/security/keystore2/AndroidKeyStoreSpi.java @@ -535,6 +535,12 @@ public class AndroidKeyStoreSpi extends KeyStoreSpi { spec.getKeyValidityForConsumptionEnd() )); } + if (spec.getMaxUsageCount() != KeyProperties.UNRESTRICTED_USAGE_COUNT) { + importArgs.add(KeyStore2ParameterUtils.makeInt( + KeymasterDefs.KM_TAG_USAGE_COUNT_LIMIT, + spec.getMaxUsageCount() + )); + } } catch (IllegalArgumentException | IllegalStateException e) { throw new KeyStoreException(e); } @@ -772,6 +778,12 @@ public class AndroidKeyStoreSpi extends KeyStoreSpi { params.getKeyValidityForConsumptionEnd() )); } + if (params.getMaxUsageCount() != KeyProperties.UNRESTRICTED_USAGE_COUNT) { + importArgs.add(KeyStore2ParameterUtils.makeInt( + KeymasterDefs.KM_TAG_USAGE_COUNT_LIMIT, + params.getMaxUsageCount() + )); + } } catch (IllegalArgumentException | IllegalStateException e) { throw new KeyStoreException(e); } @@ -854,7 +866,8 @@ public class AndroidKeyStoreSpi extends KeyStoreSpi { try { response = mKeyStore.getKeyEntry(wrappingkey); } catch (android.security.KeyStoreException e) { - throw new KeyStoreException("Failed to load wrapping key.", e); + throw new KeyStoreException("Failed to import wrapped key. Keystore error code: " + + e.getErrorCode(), e); } KeyDescriptor wrappedKey = makeKeyDescriptor(alias); diff --git a/keystore/java/android/security/keystore2/KeyStore2ParameterUtils.java b/keystore/java/android/security/keystore2/KeyStore2ParameterUtils.java index 4c8ab8d6c713..dcdd7defd752 100644 --- a/keystore/java/android/security/keystore2/KeyStore2ParameterUtils.java +++ b/keystore/java/android/security/keystore2/KeyStore2ParameterUtils.java @@ -28,6 +28,7 @@ import android.security.keystore.KeyProperties; import android.security.keystore.UserAuthArgs; import android.system.keystore2.Authorization; +import java.math.BigInteger; import java.security.ProviderException; import java.util.ArrayList; import java.util.Date; @@ -154,6 +155,23 @@ public abstract class KeyStore2ParameterUtils { } /** + * This function constructs a {@link KeyParameter} expressing a Bignum. + * @param tag Must be KeyMint tag with the associated type BIGNUM. + * @param b A BitInteger to be stored in the new key parameter. + * @return An instance of {@link KeyParameter}. + * @hide + */ + static @NonNull KeyParameter makeBignum(int tag, @NonNull BigInteger b) { + if (KeymasterDefs.getTagType(tag) != KeymasterDefs.KM_BIGNUM) { + throw new IllegalArgumentException("Not a bignum tag: " + tag); + } + KeyParameter p = new KeyParameter(); + p.tag = tag; + p.value = KeyParameterValue.blob(b.toByteArray()); + return p; + } + + /** * This function constructs a {@link KeyParameter} expressing date. * @param tag Must be KeyMint tag with the associated type DATE. * @param date A date @@ -167,10 +185,6 @@ public abstract class KeyStore2ParameterUtils { KeyParameter p = new KeyParameter(); p.tag = tag; p.value = KeyParameterValue.dateTime(date.getTime()); - if (p.value.getDateTime() < 0) { - throw new IllegalArgumentException("Date tag value out of range: " - + p.value.getDateTime()); - } return p; } /** |