Enable per-use user authenticated keys to be used.

This makes symmetric Cipher and Mac implementations backed by
AndroidKeyStore succeed in their initialization when the key is
configured to require user authentication for every use. Users
of such keys should obtain an instance of Cipher or Mac, initialize
it with the key, and then authorize the operation by passing this
Cipher or Mac instance to FingerprintManager.authenticate.

Bug: 18088752
Change-Id: Ia15a1e5f8274c3623f665dae1f400ff539639ab1

1 files changed, 4 insertions, 1 deletions

diff --git a/keystore/java/android/security/KeyStoreCipherSpi.java b/keystore/java/android/security/KeyStoreCipherSpi.java
index 9393e32..125ca41 100644
--- a/keystore/java/android/security/KeyStoreCipherSpi.java
+++ b/keystore/java/android/security/KeyStoreCipherSpi.java
@@ -298,7 +298,8 @@ public abstract class KeyStoreCipherSpi extends CipherSpi implements KeyStoreCry
         mAdditionalEntropyForBegin = null;
         if (opResult == null) {
             throw new KeyStoreConnectException();
-        } else if (opResult.resultCode != KeyStore.NO_ERROR) {
+        } else if ((opResult.resultCode != KeyStore.NO_ERROR)
+                && (opResult.resultCode != KeyStore.OP_AUTH_NEEDED)) {
             switch (opResult.resultCode) {
                 case KeymasterDefs.KM_ERROR_INVALID_NONCE:
                     throw new InvalidAlgorithmParameterException("Invalid IV");
@@ -309,6 +310,8 @@ public abstract class KeyStoreCipherSpi extends CipherSpi implements KeyStoreCry
         if (opResult.token == null) {
             throw new IllegalStateException("Keystore returned null operation token");
         }
+        // The operation handle/token is now either valid for use immediately or needs to be
+        // authorized through user authentication (if the error code was OP_AUTH_NEEDED).
         mOperationToken = opResult.token;
         mOperationHandle = opResult.operationHandle;
         loadAlgorithmSpecificParametersFromBeginResult(keymasterOutputArgs);