summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
Diffstat
-rw-r--r--keystore/java/android/security/KeyStoreKeyCharacteristics.java17
-rw-r--r--keystore/java/android/security/KeyStoreKeySpec.java11
-rw-r--r--keystore/java/android/security/KeyStoreSecretKeyFactorySpi.java16
3 files changed, 29 insertions, 15 deletions
diff --git a/keystore/java/android/security/KeyStoreKeyCharacteristics.java b/keystore/java/android/security/KeyStoreKeyCharacteristics.java
index 543b5d8..1f5d400 100644
--- a/keystore/java/android/security/KeyStoreKeyCharacteristics.java
+++ b/keystore/java/android/security/KeyStoreKeyCharacteristics.java
@@ -31,7 +31,7 @@ public abstract class KeyStoreKeyCharacteristics {
private KeyStoreKeyCharacteristics() {}
@Retention(RetentionPolicy.SOURCE)
- @IntDef({Origin.GENERATED_INSIDE_TEE, Origin.GENERATED_OUTSIDE_OF_TEE, Origin.IMPORTED})
+ @IntDef({Origin.GENERATED, Origin.IMPORTED})
public @interface OriginEnum {}
/**
@@ -40,14 +40,11 @@ public abstract class KeyStoreKeyCharacteristics {
public static abstract class Origin {
private Origin() {}
- /** Key was generated inside a TEE. */
- public static final int GENERATED_INSIDE_TEE = 1;
+ /** Key was generated inside AndroidKeyStore. */
+ public static final int GENERATED = 1 << 0;
- /** Key was generated outside of a TEE. */
- public static final int GENERATED_OUTSIDE_OF_TEE = 2;
-
- /** Key was imported. */
- public static final int IMPORTED = 0;
+ /** Key was imported into AndroidKeyStore. */
+ public static final int IMPORTED = 1 << 1;
/**
* @hide
@@ -55,9 +52,7 @@ public abstract class KeyStoreKeyCharacteristics {
public static @OriginEnum int fromKeymaster(int origin) {
switch (origin) {
case KeymasterDefs.KM_ORIGIN_HARDWARE:
- return GENERATED_INSIDE_TEE;
- case KeymasterDefs.KM_ORIGIN_SOFTWARE:
- return GENERATED_OUTSIDE_OF_TEE;
+ return GENERATED;
case KeymasterDefs.KM_ORIGIN_IMPORTED:
return IMPORTED;
default:
diff --git a/keystore/java/android/security/KeyStoreKeySpec.java b/keystore/java/android/security/KeyStoreKeySpec.java
index 256d9b3..65bb236 100644
--- a/keystore/java/android/security/KeyStoreKeySpec.java
+++ b/keystore/java/android/security/KeyStoreKeySpec.java
@@ -28,6 +28,7 @@ import java.util.Date;
public class KeyStoreKeySpec implements KeySpec {
private final String mKeystoreAlias;
private final int mKeySize;
+ private final boolean mTeeBacked;
private final @KeyStoreKeyCharacteristics.OriginEnum int mOrigin;
private final Date mKeyValidityStart;
private final Date mKeyValidityForOriginationEnd;
@@ -46,6 +47,7 @@ public class KeyStoreKeySpec implements KeySpec {
* @hide
*/
KeyStoreKeySpec(String keystoreKeyAlias,
+ boolean teeBacked,
@KeyStoreKeyCharacteristics.OriginEnum int origin,
int keySize,
Date keyValidityStart,
@@ -61,6 +63,7 @@ public class KeyStoreKeySpec implements KeySpec {
int userAuthenticationValidityDurationSeconds,
boolean invalidatedOnNewFingerprintEnrolled) {
mKeystoreAlias = keystoreKeyAlias;
+ mTeeBacked = teeBacked;
mOrigin = origin;
mKeySize = keySize;
mKeyValidityStart = keyValidityStart;
@@ -85,6 +88,14 @@ public class KeyStoreKeySpec implements KeySpec {
}
/**
+ * Returns {@code true} if the key is TEE-backed. Key material of TEE-backed keys is available
+ * in plaintext only inside the TEE.
+ */
+ public boolean isTeeBacked() {
+ return mTeeBacked;
+ }
+
+ /**
* Gets the origin of the key.
*/
public @KeyStoreKeyCharacteristics.OriginEnum int getOrigin() {
diff --git a/keystore/java/android/security/KeyStoreSecretKeyFactorySpi.java b/keystore/java/android/security/KeyStoreSecretKeyFactorySpi.java
index 8bf228a..a5e87d1 100644
--- a/keystore/java/android/security/KeyStoreSecretKeyFactorySpi.java
+++ b/keystore/java/android/security/KeyStoreSecretKeyFactorySpi.java
@@ -70,7 +70,8 @@ public class KeyStoreSecretKeyFactorySpi extends SecretKeyFactorySpi {
+ " Keystore error: " + errorCode);
}
- @KeyStoreKeyCharacteristics.OriginEnum Integer origin;
+ boolean teeBacked;
+ @KeyStoreKeyCharacteristics.OriginEnum int origin;
int keySize;
@KeyStoreKeyConstraints.PurposeEnum int purposes;
@KeyStoreKeyConstraints.AlgorithmEnum int algorithm;
@@ -80,11 +81,17 @@ public class KeyStoreSecretKeyFactorySpi extends SecretKeyFactorySpi {
@KeyStoreKeyConstraints.UserAuthenticatorEnum int userAuthenticators;
@KeyStoreKeyConstraints.UserAuthenticatorEnum int teeEnforcedUserAuthenticators;
try {
- origin = KeymasterUtils.getInt(keyCharacteristics, KeymasterDefs.KM_TAG_ORIGIN);
- if (origin == null) {
+ if (keyCharacteristics.hwEnforced.containsTag(KeymasterDefs.KM_TAG_ORIGIN)) {
+ teeBacked = true;
+ origin = KeyStoreKeyCharacteristics.Origin.fromKeymaster(
+ keyCharacteristics.hwEnforced.getInt(KeymasterDefs.KM_TAG_ORIGIN, -1));
+ } else if (keyCharacteristics.swEnforced.containsTag(KeymasterDefs.KM_TAG_ORIGIN)) {
+ teeBacked = false;
+ origin = KeyStoreKeyCharacteristics.Origin.fromKeymaster(
+ keyCharacteristics.swEnforced.getInt(KeymasterDefs.KM_TAG_ORIGIN, -1));
+ } else {
throw new InvalidKeySpecException("Key origin not available");
}
- origin = KeyStoreKeyCharacteristics.Origin.fromKeymaster(origin);
Integer keySizeInteger =
KeymasterUtils.getInt(keyCharacteristics, KeymasterDefs.KM_TAG_KEY_SIZE);
if (keySizeInteger == null) {
@@ -147,6 +154,7 @@ public class KeyStoreSecretKeyFactorySpi extends SecretKeyFactorySpi {
boolean invalidatedOnNewFingerprintEnrolled = false;
return new KeyStoreKeySpec(entryAlias,
+ teeBacked,
origin,
keySize,
keyValidityStart,
generated by cgit v1.1 at 2025-01-10 21:55:00 +0000