From 058de02073a129301d391c22b050f2d65adadb0f Mon Sep 17 00:00:00 2001
From: Alex Klyubin
Date: Wed, 29 Apr 2015 17:32:00 -0700
Subject: Enable per-use user authenticated keys to be used.
This makes symmetric Cipher and Mac implementations backed by AndroidKeyStore succeed in their initialization when the key is configured to require user authentication for every use. Users of such keys should obtain an instance of Cipher or Mac, initialize it with the key, and then authorize the operation by passing this Cipher or Mac instance to FingerprintManager.authenticate.
Bug: 18088752
Change-Id: Ia15a1e5f8274c3623f665dae1f400ff539639ab1
---
 keystore/java/android/security/KeyStoreCipherSpi.java | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
(limited to 'keystore/java/android/security/KeyStoreCipherSpi.java')
diff --git a/keystore/java/android/security/KeyStoreCipherSpi.java b/keystore/java/android/security/KeyStoreCipherSpi.java
index 9393e32..125ca41 100644
--- a/keystore/java/android/security/KeyStoreCipherSpi.java
+++ b/keystore/java/android/security/KeyStoreCipherSpi.java
@@ -298,7 +298,8 @@ public abstract class KeyStoreCipherSpi extends CipherSpi implements KeyStoreCry
 mAdditionalEntropyForBegin = null;
 if (opResult == null) {
 throw new KeyStoreConnectException();
- } else if (opResult.resultCode != KeyStore.NO_ERROR) {
+ } else if ((opResult.resultCode != KeyStore.NO_ERROR)
+ && (opResult.resultCode != KeyStore.OP_AUTH_NEEDED)) {
 switch (opResult.resultCode) {
 case KeymasterDefs.KM_ERROR_INVALID_NONCE:
 throw new InvalidAlgorithmParameterException("Invalid IV");
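Review bot: With the widened condition in this hunk, an `OP_AUTH_NEEDED` result from begin is handled exactly like `NO_ERROR`, and nothing visible here keeps the result code, so the Spi cannot later tell a usable operation from one still awaiting user authentication. If update or finish run before the user authenticates, the caller presumably gets whatever generic keystore error comes back rather than a clear "not authenticated" signal; those methods are outside the hunk, so this is inferred. Consider recording the state beside the token assignment in the second hunk, e.g. `mOperationAuthPending = (opResult.resultCode == KeyStore.OP_AUTH_NEEDED);` (a new field, name illustrative), and mapping a later authorization failure to a dedicated exception. A comment at the condition should also say where enforcement lives, for example `// OP_AUTH_NEEDED is not fatal here: keystore is expected to refuse the operation until the user authenticates.` The enclosing method starts and ends outside both hunks.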
@@ -309,6 +310,8 @@ public abstract class KeyStoreCipherSpi extends CipherSpi implements KeyStoreCry
 if (opResult.token == null) {
 throw new IllegalStateException("Keystore returned null operation token");
 }
+ // The operation handle/token is now either valid for use immediately or needs to be
+ // authorized through user authentication (if the error code was OP_AUTH_NEEDED).
 mOperationToken = opResult.token;
 mOperationHandle = opResult.operationHandle;
 loadAlgorithmSpecificParametersFromBeginResult(keymasterOutputArgs);
-- cgit v1.1