From 10a9f1786b32f1642f10243f60b3bc4a62d95ea4 Mon Sep 17 00:00:00 2001
From: Alex Klyubin <klyubin@google.com>
Date: Thu, 16 Apr 2015 13:41:19 -0700
Subject: Set Secure User ID from app level.

When AndroidKeyStore keys require used authentication, they need to be
bound to a Keymaster's Secure User ID. This ID will be set by keystore
soon. Until then, set it from the framework level (i.e., from apps
which use AndroidKeyStore).

NOTE: Accessing gatekeeper to obtain the Secure User ID will be
blocked by SELinux policy. To test this code, disable SELinux
enforcing mode.

Bug: 18088752
Change-Id: I7a3315eb52f0fc978d14d5d0e9613f2f36c6c01e
---
 keystore/java/android/security/AndroidKeyStore.java | 6 ++++++
 1 file changed, 6 insertions(+)

(limited to 'keystore/java/android/security/AndroidKeyStore.java')

diff --git a/keystore/java/android/security/AndroidKeyStore.java b/keystore/java/android/security/AndroidKeyStore.java
index 1c068be7fc8f..c259c25b0e5c 100644
--- a/keystore/java/android/security/AndroidKeyStore.java
+++ b/keystore/java/android/security/AndroidKeyStore.java
@@ -535,6 +535,12 @@ public class AndroidKeyStore extends KeyStoreSpi {
             args.addInt(KeymasterDefs.KM_TAG_USER_AUTH_TYPE,
                     KeyStoreKeyProperties.UserAuthenticator.allToKeymaster(
                             params.getUserAuthenticators()));
+            long secureUserId = GateKeeper.getSecureUserId();
+            if (secureUserId == 0) {
+                throw new IllegalStateException("Secure lock screen must be enabled"
+                        + " to import keys requiring user authentication");
+            }
+            args.addLong(KeymasterDefs.KM_TAG_USER_SECURE_ID, secureUserId);
         }
         if (params.isInvalidatedOnNewFingerprintEnrolled()) {
             // TODO: Add the invalidate on fingerprint enrolled constraint once Keymaster supports
-- 
cgit v1.2.3