diff options
| author | Alex Klyubin <klyubin@google.com> | 2015-04-09 15:50:17 -0700 |
|---|---|---|
| committer | Alex Klyubin <klyubin@google.com> | 2015-04-09 15:50:17 -0700 |
| commit | b503c52f07ff658b9192411580151eb746408d5a (patch) | |
| tree | dab7859fc9aef20b3e4ad0365a6002b603b67ae8 /keystore | |
| parent | 1d3c77a21e9c8fc59200b42503d9f0effd3f1551 (diff) | |
| download | frameworks_base-b503c52f07ff658b9192411580151eb746408d5a.zip frameworks_base-b503c52f07ff658b9192411580151eb746408d5a.tar.gz frameworks_base-b503c52f07ff658b9192411580151eb746408d5a.tar.bz2 | |
Split key origin into TEE/not and generated/imported.
This is to match the upcoming changes in Keymaster HAL API.
Bug: 18088752
Change-Id: I602d56d1c29a839583be1d9efa681a6fab6642db
Diffstat (limited to 'keystore')
3 files changed, 29 insertions, 15 deletions
diff --git a/keystore/java/android/security/KeyStoreKeyCharacteristics.java b/keystore/java/android/security/KeyStoreKeyCharacteristics.java index 543b5d8..1f5d400 100644 --- a/keystore/java/android/security/KeyStoreKeyCharacteristics.java +++ b/keystore/java/android/security/KeyStoreKeyCharacteristics.java @@ -31,7 +31,7 @@ public abstract class KeyStoreKeyCharacteristics { private KeyStoreKeyCharacteristics() {} @Retention(RetentionPolicy.SOURCE) - @IntDef({Origin.GENERATED_INSIDE_TEE, Origin.GENERATED_OUTSIDE_OF_TEE, Origin.IMPORTED}) + @IntDef({Origin.GENERATED, Origin.IMPORTED}) public @interface OriginEnum {} /** @@ -40,14 +40,11 @@ public abstract class KeyStoreKeyCharacteristics { public static abstract class Origin { private Origin() {} - /** Key was generated inside a TEE. */ - public static final int GENERATED_INSIDE_TEE = 1; + /** Key was generated inside AndroidKeyStore. */ + public static final int GENERATED = 1 << 0; - /** Key was generated outside of a TEE. */ - public static final int GENERATED_OUTSIDE_OF_TEE = 2; - - /** Key was imported. */ - public static final int IMPORTED = 0; + /** Key was imported into AndroidKeyStore. */ + public static final int IMPORTED = 1 << 1; /** * @hide @@ -55,9 +52,7 @@ public abstract class KeyStoreKeyCharacteristics { public static @OriginEnum int fromKeymaster(int origin) { switch (origin) { case KeymasterDefs.KM_ORIGIN_HARDWARE: - return GENERATED_INSIDE_TEE; - case KeymasterDefs.KM_ORIGIN_SOFTWARE: - return GENERATED_OUTSIDE_OF_TEE; + return GENERATED; case KeymasterDefs.KM_ORIGIN_IMPORTED: return IMPORTED; default: diff --git a/keystore/java/android/security/KeyStoreKeySpec.java b/keystore/java/android/security/KeyStoreKeySpec.java index df4c958..27b444e 100644 --- a/keystore/java/android/security/KeyStoreKeySpec.java +++ b/keystore/java/android/security/KeyStoreKeySpec.java @@ -28,6 +28,7 @@ import java.util.Date; public class KeyStoreKeySpec implements KeySpec { private final String mKeystoreAlias; private final int mKeySize; + private final boolean mTeeBacked; private final @KeyStoreKeyCharacteristics.OriginEnum int mOrigin; private final Date mKeyValidityStart; private final Date mKeyValidityForOriginationEnd; @@ -46,6 +47,7 @@ public class KeyStoreKeySpec implements KeySpec { * @hide */ KeyStoreKeySpec(String keystoreKeyAlias, + boolean teeBacked, @KeyStoreKeyCharacteristics.OriginEnum int origin, int keySize, Date keyValidityStart, @@ -60,6 +62,7 @@ public class KeyStoreKeySpec implements KeySpec { @KeyStoreKeyConstraints.UserAuthenticatorEnum int teeEnforcedUserAuthenticators, int userAuthenticationValidityDurationSeconds) { mKeystoreAlias = keystoreKeyAlias; + mTeeBacked = teeBacked; mOrigin = origin; mKeySize = keySize; mKeyValidityStart = keyValidityStart; @@ -83,6 +86,14 @@ public class KeyStoreKeySpec implements KeySpec { } /** + * Returns {@code true} if the key is TEE-backed. Key material of TEE-backed keys is available + * in plaintext only inside the TEE. + */ + public boolean isTeeBacked() { + return mTeeBacked; + } + + /** * Gets the origin of the key. */ public @KeyStoreKeyCharacteristics.OriginEnum int getOrigin() { diff --git a/keystore/java/android/security/KeyStoreSecretKeyFactorySpi.java b/keystore/java/android/security/KeyStoreSecretKeyFactorySpi.java index 09f0b00..99a8168 100644 --- a/keystore/java/android/security/KeyStoreSecretKeyFactorySpi.java +++ b/keystore/java/android/security/KeyStoreSecretKeyFactorySpi.java @@ -70,7 +70,8 @@ public class KeyStoreSecretKeyFactorySpi extends SecretKeyFactorySpi { + " Keystore error: " + errorCode); } - @KeyStoreKeyCharacteristics.OriginEnum Integer origin; + boolean teeBacked; + @KeyStoreKeyCharacteristics.OriginEnum int origin; int keySize; @KeyStoreKeyConstraints.PurposeEnum int purposes; @KeyStoreKeyConstraints.AlgorithmEnum int algorithm; @@ -80,11 +81,17 @@ public class KeyStoreSecretKeyFactorySpi extends SecretKeyFactorySpi { @KeyStoreKeyConstraints.UserAuthenticatorEnum int userAuthenticators; @KeyStoreKeyConstraints.UserAuthenticatorEnum int teeEnforcedUserAuthenticators; try { - origin = KeymasterUtils.getInt(keyCharacteristics, KeymasterDefs.KM_TAG_ORIGIN); - if (origin == null) { + if (keyCharacteristics.hwEnforced.containsTag(KeymasterDefs.KM_TAG_ORIGIN)) { + teeBacked = true; + origin = KeyStoreKeyCharacteristics.Origin.fromKeymaster( + keyCharacteristics.hwEnforced.getInt(KeymasterDefs.KM_TAG_ORIGIN, -1)); + } else if (keyCharacteristics.swEnforced.containsTag(KeymasterDefs.KM_TAG_ORIGIN)) { + teeBacked = false; + origin = KeyStoreKeyCharacteristics.Origin.fromKeymaster( + keyCharacteristics.swEnforced.getInt(KeymasterDefs.KM_TAG_ORIGIN, -1)); + } else { throw new InvalidKeySpecException("Key origin not available"); } - origin = KeyStoreKeyCharacteristics.Origin.fromKeymaster(origin); Integer keySizeInteger = KeymasterUtils.getInt(keyCharacteristics, KeymasterDefs.KM_TAG_KEY_SIZE); if (keySizeInteger == null) { @@ -144,6 +151,7 @@ public class KeyStoreSecretKeyFactorySpi extends SecretKeyFactorySpi { KeymasterUtils.getInt(keyCharacteristics, KeymasterDefs.KM_TAG_AUTH_TIMEOUT); return new KeyStoreKeySpec(entryAlias, + teeBacked, origin, keySize, keyValidityStart, |