1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
|
/*
* Copyright (C) 2020 The Android Open Source Project
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package android.security.keystore2;
import android.annotation.NonNull;
import android.hardware.biometrics.BiometricManager;
import android.hardware.security.keymint.KeyParameter;
import android.hardware.security.keymint.KeyParameterValue;
import android.hardware.security.keymint.SecurityLevel;
import android.hardware.security.keymint.Tag;
import android.security.GateKeeper;
import android.security.keymaster.KeymasterDefs;
import android.security.keystore.KeyProperties;
import android.security.keystore.UserAuthArgs;
import android.system.keystore2.Authorization;
import java.math.BigInteger;
import java.security.ProviderException;
import java.util.ArrayList;
import java.util.Date;
import java.util.List;
import java.util.function.Consumer;
/**
* @hide
*/
public abstract class KeyStore2ParameterUtils {
/**
* This function constructs a {@link KeyParameter} expressing a boolean value.
* @param tag Must be KeyMint tag with the associated type BOOL.
* @return An instance of {@link KeyParameter}.
* @hide
*/
static @NonNull KeyParameter makeBool(int tag) {
int type = KeymasterDefs.getTagType(tag);
if (type != KeymasterDefs.KM_BOOL) {
throw new IllegalArgumentException("Not a boolean tag: " + tag);
}
KeyParameter p = new KeyParameter();
p.tag = tag;
p.value = KeyParameterValue.boolValue(true);
return p;
}
/**
* This function constructs a {@link KeyParameter} expressing an enum value.
* @param tag Must be KeyMint tag with the associated type ENUM or ENUM_REP.
* @param v A 32bit integer.
* @return An instance of {@link KeyParameter}.
* @hide
*/
static @NonNull KeyParameter makeEnum(int tag, int v) {
KeyParameter kp = new KeyParameter();
kp.tag = tag;
switch (tag) {
case Tag.PURPOSE:
kp.value = KeyParameterValue.keyPurpose(v);
break;
case Tag.ALGORITHM:
kp.value = KeyParameterValue.algorithm(v);
break;
case Tag.BLOCK_MODE:
kp.value = KeyParameterValue.blockMode(v);
break;
case Tag.DIGEST:
case Tag.RSA_OAEP_MGF_DIGEST:
kp.value = KeyParameterValue.digest(v);
break;
case Tag.EC_CURVE:
kp.value = KeyParameterValue.ecCurve(v);
break;
case Tag.ORIGIN:
kp.value = KeyParameterValue.origin(v);
break;
case Tag.PADDING:
kp.value = KeyParameterValue.paddingMode(v);
break;
case Tag.USER_AUTH_TYPE:
kp.value = KeyParameterValue.hardwareAuthenticatorType(v);
break;
case Tag.HARDWARE_TYPE:
kp.value = KeyParameterValue.securityLevel(v);
break;
default:
throw new IllegalArgumentException("Not an enum or repeatable enum tag: " + tag);
}
return kp;
}
/**
* This function constructs a {@link KeyParameter} expressing an integer value.
* @param tag Must be KeyMint tag with the associated type UINT or UINT_REP.
* @param v A 32bit integer.
* @return An instance of {@link KeyParameter}.
* @hide
*/
static @NonNull KeyParameter makeInt(int tag, int v) {
int type = KeymasterDefs.getTagType(tag);
if (type != KeymasterDefs.KM_UINT && type != KeymasterDefs.KM_UINT_REP) {
throw new IllegalArgumentException("Not an int or repeatable int tag: " + tag);
}
KeyParameter p = new KeyParameter();
p.tag = tag;
p.value = KeyParameterValue.integer(v);
return p;
}
/**
* This function constructs a {@link KeyParameter} expressing a long integer value.
* @param tag Must be KeyMint tag with the associated type ULONG or ULONG_REP.
* @param v A 64bit integer.
* @return An instance of {@link KeyParameter}.
* @hide
*/
static @NonNull KeyParameter makeLong(int tag, long v) {
int type = KeymasterDefs.getTagType(tag);
if (type != KeymasterDefs.KM_ULONG && type != KeymasterDefs.KM_ULONG_REP) {
throw new IllegalArgumentException("Not a long or repeatable long tag: " + tag);
}
KeyParameter p = new KeyParameter();
p.tag = tag;
p.value = KeyParameterValue.longInteger(v);
return p;
}
/**
* This function constructs a {@link KeyParameter} expressing a blob.
* @param tag Must be KeyMint tag with the associated type BYTES.
* @param b A byte array to be stored in the new key parameter.
* @return An instance of {@link KeyParameter}.
* @hide
*/
static @NonNull KeyParameter makeBytes(int tag, @NonNull byte[] b) {
if (KeymasterDefs.getTagType(tag) != KeymasterDefs.KM_BYTES) {
throw new IllegalArgumentException("Not a bytes tag: " + tag);
}
KeyParameter p = new KeyParameter();
p.tag = tag;
p.value = KeyParameterValue.blob(b);
return p;
}
/**
* This function constructs a {@link KeyParameter} expressing a Bignum.
* @param tag Must be KeyMint tag with the associated type BIGNUM.
* @param b A BitInteger to be stored in the new key parameter.
* @return An instance of {@link KeyParameter}.
* @hide
*/
static @NonNull KeyParameter makeBignum(int tag, @NonNull BigInteger b) {
if (KeymasterDefs.getTagType(tag) != KeymasterDefs.KM_BIGNUM) {
throw new IllegalArgumentException("Not a bignum tag: " + tag);
}
KeyParameter p = new KeyParameter();
p.tag = tag;
p.value = KeyParameterValue.blob(b.toByteArray());
return p;
}
/**
* This function constructs a {@link KeyParameter} expressing date.
* @param tag Must be KeyMint tag with the associated type DATE.
* @param date A date
* @return An instance of {@link KeyParameter}.
* @hide
*/
static @NonNull KeyParameter makeDate(int tag, @NonNull Date date) {
if (KeymasterDefs.getTagType(tag) != KeymasterDefs.KM_DATE) {
throw new IllegalArgumentException("Not a date tag: " + tag);
}
KeyParameter p = new KeyParameter();
p.tag = tag;
p.value = KeyParameterValue.dateTime(date.getTime());
return p;
}
/**
* Returns true if the given security level is TEE or Strongbox.
*
* @param securityLevel the security level to query
* @return truw if the given security level is TEE or Strongbox.
*/
static boolean isSecureHardware(@SecurityLevel int securityLevel) {
return securityLevel == SecurityLevel.TRUSTED_ENVIRONMENT
|| securityLevel == SecurityLevel.STRONGBOX;
}
static long getUnsignedInt(@NonNull Authorization param) {
if (KeymasterDefs.getTagType(param.keyParameter.tag) != KeymasterDefs.KM_UINT) {
throw new IllegalArgumentException("Not an int tag: " + param.keyParameter.tag);
}
// KM_UINT is 32 bits wide so we must suppress sign extension.
return ((long) param.keyParameter.value.getInteger()) & 0xffffffffL;
}
static @NonNull Date getDate(@NonNull Authorization param) {
if (KeymasterDefs.getTagType(param.keyParameter.tag) != KeymasterDefs.KM_DATE) {
throw new IllegalArgumentException("Not a date tag: " + param.keyParameter.tag);
}
if (param.keyParameter.value.getDateTime() < 0) {
throw new IllegalArgumentException("Date Value too large: "
+ param.keyParameter.value.getDateTime());
}
return new Date(param.keyParameter.value.getDateTime());
}
static void forEachSetFlag(int flags, Consumer<Integer> consumer) {
int offset = 0;
while (flags != 0) {
if ((flags & 1) == 1) {
consumer.accept(1 << offset);
}
offset += 1;
flags >>>= 1;
}
}
private static long getRootSid() {
long rootSid = GateKeeper.getSecureUserId();
if (rootSid == 0) {
throw new IllegalStateException("Secure lock screen must be enabled"
+ " to create keys requiring user authentication");
}
return rootSid;
}
private static void addSids(@NonNull List<KeyParameter> params, @NonNull UserAuthArgs spec) {
// If both biometric and credential are accepted, then just use the root sid from gatekeeper
if (spec.getUserAuthenticationType() == (KeyProperties.AUTH_BIOMETRIC_STRONG
| KeyProperties.AUTH_DEVICE_CREDENTIAL)) {
if (spec.getBoundToSpecificSecureUserId() != GateKeeper.INVALID_SECURE_USER_ID) {
params.add(makeLong(
KeymasterDefs.KM_TAG_USER_SECURE_ID,
spec.getBoundToSpecificSecureUserId()
));
} else {
// The key is authorized for use for the specified amount of time after the user has
// authenticated. Whatever unlocks the secure lock screen should authorize this key.
params.add(makeLong(KeymasterDefs.KM_TAG_USER_SECURE_ID, getRootSid()));
}
} else {
List<Long> sids = new ArrayList<>();
if ((spec.getUserAuthenticationType() & KeyProperties.AUTH_BIOMETRIC_STRONG) != 0) {
final BiometricManager bm = android.app.AppGlobals.getInitialApplication()
.getSystemService(BiometricManager.class);
// TODO: Restore permission check in getAuthenticatorIds once the ID is no longer
// needed here.
final long[] biometricSids = bm.getAuthenticatorIds();
if (biometricSids.length == 0) {
throw new IllegalStateException(
"At least one biometric must be enrolled to create keys requiring user"
+ " authentication for every use");
}
if (spec.getBoundToSpecificSecureUserId() != GateKeeper.INVALID_SECURE_USER_ID) {
sids.add(spec.getBoundToSpecificSecureUserId());
} else if (spec.isInvalidatedByBiometricEnrollment()) {
// The biometric-only SIDs will change on biometric enrollment or removal of all
// enrolled templates, invalidating the key.
for (long sid : biometricSids) {
sids.add(sid);
}
} else {
// The root SID will *not* change on fingerprint enrollment, or removal of all
// enrolled fingerprints, allowing the key to remain valid.
sids.add(getRootSid());
}
} else if ((spec.getUserAuthenticationType() & KeyProperties.AUTH_DEVICE_CREDENTIAL)
!= 0) {
sids.add(getRootSid());
} else {
throw new IllegalStateException("Invalid or no authentication type specified.");
}
for (int i = 0; i < sids.size(); i++) {
params.add(makeLong(KeymasterDefs.KM_TAG_USER_SECURE_ID, sids.get(i)));
}
}
}
/**
* Adds keymaster arguments to express the key's authorization policy supported by user
* authentication.
*
* @param args The arguments sent to keymaster that need to be populated from the spec
* @param spec The user authentication relevant portions of the spec passed in from the caller.
* This spec will be translated into the relevant keymaster tags to be loaded into args.
* @throws IllegalStateException if user authentication is required but the system is in a wrong
* state (e.g., secure lock screen not set up) for generating or importing keys that
* require user authentication.
*/
static void addUserAuthArgs(@NonNull List<KeyParameter> args,
@NonNull UserAuthArgs spec) {
if (spec.isUserConfirmationRequired()) {
args.add(KeyStore2ParameterUtils.makeBool(
KeymasterDefs.KM_TAG_TRUSTED_CONFIRMATION_REQUIRED));
}
if (spec.isUserPresenceRequired()) {
args.add(KeyStore2ParameterUtils.makeBool(
KeymasterDefs.KM_TAG_TRUSTED_USER_PRESENCE_REQUIRED));
}
if (spec.isUnlockedDeviceRequired()) {
args.add(KeyStore2ParameterUtils.makeBool(
KeymasterDefs.KM_TAG_UNLOCKED_DEVICE_REQUIRED));
}
if (!spec.isUserAuthenticationRequired()) {
args.add(KeyStore2ParameterUtils.makeBool(
KeymasterDefs.KM_TAG_NO_AUTH_REQUIRED));
} else {
if (spec.getUserAuthenticationValidityDurationSeconds() == 0) {
// Every use of this key needs to be authorized by the user.
addSids(args, spec);
args.add(KeyStore2ParameterUtils.makeEnum(
KeymasterDefs.KM_TAG_USER_AUTH_TYPE, spec.getUserAuthenticationType()
));
if (spec.isUserAuthenticationValidWhileOnBody()) {
throw new ProviderException(
"Key validity extension while device is on-body is not "
+ "supported for keys requiring fingerprint authentication");
}
} else {
addSids(args, spec);
args.add(KeyStore2ParameterUtils.makeEnum(
KeymasterDefs.KM_TAG_USER_AUTH_TYPE, spec.getUserAuthenticationType()
));
args.add(KeyStore2ParameterUtils.makeInt(
KeymasterDefs.KM_TAG_AUTH_TIMEOUT,
spec.getUserAuthenticationValidityDurationSeconds()
));
if (spec.isUserAuthenticationValidWhileOnBody()) {
args.add(KeyStore2ParameterUtils.makeBool(
KeymasterDefs.KM_TAG_ALLOW_WHILE_ON_BODY
));
}
}
}
}
}
|
