keystore: Add flag for blobs to be unencrypted

In order to let apps use keystore more productively, make the blob encryption optional. As more hardware-assisted keystores (i.e., hardware that has a Keymaster HAL) come around, encrypting blobs start to make less sense since the thing it's encrypting is usually a token and not any raw key material. (cherry picked from commit a3788b00bb221e20abdd42f747d2af419e0a088c) Bug: 8122243 Change-Id: Ifc1c64743651b23a4eace208ade0176af47ea989
author: Kenny Root <kroot@google.com> 2013-04-10 10:37:55 -0700
committer: Kenny Root <kroot@google.com> 2013-04-15 11:09:29 -0700
commit: 4622351159b51bf072fe12833b574cf38f9400c8 (patch)
tree: e8c71ae1cd0293863d679d9700cba106bb5a089c
parent: 5678bacdffb6871b0d5b428548315cc3bba430bd (diff)
2 files changed, 31 insertions, 12 deletions
diff --git a/core/java/android/security/IKeystoreService.java b/core/java/android/security/IKeystoreService.java
index e1cc90e80cf0..3d75dc86a9a3 100644
--- a/core/java/android/security/IKeystoreService.java
+++ b/core/java/android/security/IKeystoreService.java
@@ -78,7 +78,7 @@ public interface IKeystoreService extends IInterface {
                 return _result;
             }
 
-            public int insert(String name, byte[] item, int uid) throws RemoteException {
+            public int insert(String name, byte[] item, int uid, int flags) throws RemoteException {
                 Parcel _data = Parcel.obtain();
                 Parcel _reply = Parcel.obtain();
                 int _result;
@@ -87,6 +87,7 @@ public interface IKeystoreService extends IInterface {
                     _data.writeString(name);
                     _data.writeByteArray(item);
                     _data.writeInt(uid);
+                    _data.writeInt(flags);
                     mRemote.transact(Stub.TRANSACTION_insert, _data, _reply, 0);
                     _reply.readException();
                     _result = _reply.readInt();
@@ -243,7 +244,7 @@ public interface IKeystoreService extends IInterface {
                 return _result;
             }
 
-            public int generate(String name, int uid) throws RemoteException {
+            public int generate(String name, int uid, int flags) throws RemoteException {
                 Parcel _data = Parcel.obtain();
                 Parcel _reply = Parcel.obtain();
                 int _result;
@@ -251,6 +252,7 @@ public interface IKeystoreService extends IInterface {
                     _data.writeInterfaceToken(DESCRIPTOR);
                     _data.writeString(name);
                     _data.writeInt(uid);
+                    _data.writeInt(flags);
                     mRemote.transact(Stub.TRANSACTION_generate, _data, _reply, 0);
                     _reply.readException();
                     _result = _reply.readInt();
@@ -261,7 +263,8 @@ public interface IKeystoreService extends IInterface {
                 return _result;
             }
 
-            public int import_key(String name, byte[] data, int uid) throws RemoteException {
+            public int import_key(String name, byte[] data, int uid, int flags)
+                    throws RemoteException {
                 Parcel _data = Parcel.obtain();
                 Parcel _reply = Parcel.obtain();
                 int _result;
@@ -270,6 +273,7 @@ public interface IKeystoreService extends IInterface {
                     _data.writeString(name);
                     _data.writeByteArray(data);
                     _data.writeInt(uid);
+                    _data.writeInt(flags);
                     mRemote.transact(Stub.TRANSACTION_import, _data, _reply, 0);
                     _reply.readException();
                     _result = _reply.readInt();
@@ -538,7 +542,7 @@ public interface IKeystoreService extends IInterface {
 
     public byte[] get(String name) throws RemoteException;
 
-    public int insert(String name, byte[] item, int uid) throws RemoteException;
+    public int insert(String name, byte[] item, int uid, int flags) throws RemoteException;
 
     public int del(String name, int uid) throws RemoteException;
 
@@ -556,9 +560,9 @@ public interface IKeystoreService extends IInterface {
 
     public int zero() throws RemoteException;
 
-    public int generate(String name, int uid) throws RemoteException;
+    public int generate(String name, int uid, int flags) throws RemoteException;
 
-    public int import_key(String name, byte[] data, int uid) throws RemoteException;
+    public int import_key(String name, byte[] data, int uid, int flags) throws RemoteException;
 
     public byte[] sign(String name, byte[] data) throws RemoteException;
 
diff --git a/keystore/java/android/security/KeyStore.java b/keystore/java/android/security/KeyStore.java
index 852f0bb4ea65..309d3d3c17ab 100644
--- a/keystore/java/android/security/KeyStore.java
+++ b/keystore/java/android/security/KeyStore.java
@@ -40,6 +40,9 @@ public class KeyStore {
     public static final int UNDEFINED_ACTION = 9;
     public static final int WRONG_PASSWORD = 10;
 
+    // Flags for "put" and "import"
+    public static final int FLAG_ENCRYPTED = 1;
+
     // States
     public enum State { UNLOCKED, LOCKED, UNINITIALIZED };
 
@@ -87,15 +90,19 @@ public class KeyStore {
         }
     }
 
-    public boolean put(String key, byte[] value, int uid) {
+    public boolean put(String key, byte[] value, int uid, int flags) {
         try {
-            return mBinder.insert(key, value, uid) == NO_ERROR;
+            return mBinder.insert(key, value, uid, flags) == NO_ERROR;
         } catch (RemoteException e) {
             Log.w(TAG, "Cannot connect to keystore", e);
             return false;
         }
     }
 
+    public boolean put(String key, byte[] value, int uid) {
+        return put(key, value, uid, FLAG_ENCRYPTED);
+    }
+
     public boolean put(String key, byte[] value) {
         return put(key, value, -1);
     }
@@ -185,28 +192,36 @@ public class KeyStore {
         }
     }
 
-    public boolean generate(String key, int uid) {
+    public boolean generate(String key, int uid, int flags) {
         try {
-            return mBinder.generate(key, uid) == NO_ERROR;
+            return mBinder.generate(key, uid, flags) == NO_ERROR;
         } catch (RemoteException e) {
             Log.w(TAG, "Cannot connect to keystore", e);
             return false;
         }
     }
 
+    public boolean generate(String key, int uid) {
+        return generate(key, uid, FLAG_ENCRYPTED);
+    }
+
     public boolean generate(String key) {
         return generate(key, -1);
     }
 
-    public boolean importKey(String keyName, byte[] key, int uid) {
+    public boolean importKey(String keyName, byte[] key, int uid, int flags) {
         try {
-            return mBinder.import_key(keyName, key, uid) == NO_ERROR;
+            return mBinder.import_key(keyName, key, uid, flags) == NO_ERROR;
         } catch (RemoteException e) {
             Log.w(TAG, "Cannot connect to keystore", e);
             return false;
         }
     }
 
+    public boolean importKey(String keyName, byte[] key, int uid) {
+        return importKey(keyName, key, uid, FLAG_ENCRYPTED);
+    }
+
     public boolean importKey(String keyName, byte[] key) {
         return importKey(keyName, key, -1);
     }
author	Kenny Root <kroot@google.com>	2013-04-10 10:37:55 -0700
committer	Kenny Root <kroot@google.com>	2013-04-15 11:09:29 -0700
commit	4622351159b51bf072fe12833b574cf38f9400c8 (patch)
tree	e8c71ae1cd0293863d679d9700cba106bb5a089c
parent	5678bacdffb6871b0d5b428548315cc3bba430bd (diff)