diff options
| author | 2024-03-19 00:53:33 +0000 | |
|---|---|---|
| committer | 2024-03-19 00:53:33 +0000 | |
| commit | 73bb247ed453a6d810e8432b89bd3de5d2d1a86f (patch) | |
| tree | b180539a867a17882aeae8cc496e5fe06a93e816 | |
| parent | 4883dc2476986799b411d77f3f92a5aaea2bb4e2 (diff) | |
| parent | 8ec1eb1edb03235fb39cc905fa286aebca2afec0 (diff) | |
Merge changes from topic "offbody-key-expiration" into main am: 8ec1eb1edb
Original change: https://android-review.googlesource.com/c/platform/frameworks/base/+/2974126
Change-Id: I09a109c5d1399a8b87b681ad6e66a75e912342c5
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
4 files changed, 18 insertions, 39 deletions
diff --git a/keystore/java/android/security/AndroidKeyStoreMaintenance.java b/keystore/java/android/security/AndroidKeyStoreMaintenance.java index 2430e8d8e662..efbbfc23736f 100644 --- a/keystore/java/android/security/AndroidKeyStoreMaintenance.java +++ b/keystore/java/android/security/AndroidKeyStoreMaintenance.java @@ -175,20 +175,6 @@ public class AndroidKeyStoreMaintenance { } /** - * Informs Keystore 2.0 that an off body event was detected. - */ - public static void onDeviceOffBody() { - StrictMode.noteDiskWrite(); - try { - getService().onDeviceOffBody(); - } catch (Exception e) { - // TODO This fails open. This is not a regression with respect to keystore1 but it - // should get fixed. - Log.e(TAG, "Error while reporting device off body event.", e); - } - } - - /** * Migrates a key given by the source descriptor to the location designated by the destination * descriptor. * diff --git a/keystore/java/android/security/KeyStore.java b/keystore/java/android/security/KeyStore.java index bd9abec22325..f105072a32bf 100644 --- a/keystore/java/android/security/KeyStore.java +++ b/keystore/java/android/security/KeyStore.java @@ -56,11 +56,4 @@ public class KeyStore { return Authorization.addAuthToken(authToken); } - - /** - * Notify keystore that the device went off-body. - */ - public void onDeviceOffBody() { - AndroidKeyStoreMaintenance.onDeviceOffBody(); - } } diff --git a/keystore/java/android/security/keystore/KeyGenParameterSpec.java b/keystore/java/android/security/keystore/KeyGenParameterSpec.java index 9ba5a81dbb71..d359a9050a0f 100644 --- a/keystore/java/android/security/keystore/KeyGenParameterSpec.java +++ b/keystore/java/android/security/keystore/KeyGenParameterSpec.java @@ -1670,16 +1670,16 @@ public final class KeyGenParameterSpec implements AlgorithmParameterSpec, UserAu * {@link #setUserAuthenticationValidityDurationSeconds} and * {@link #setUserAuthenticationRequired}). Once the device has been removed from the * user's body, the key will be considered unauthorized and the user will need to - * re-authenticate to use it. For keys without an authentication validity period this - * parameter has no effect. - * - * <p>Similarly, on devices that do not have an on-body sensor, this parameter will have no - * effect; the device will always be considered to be "on-body" and the key will therefore - * remain authorized until the validity period ends. + * re-authenticate to use it. If the device does not have an on-body sensor or the key does + * not have an authentication validity period, this parameter has no effect. + * <p> + * Since Android 12 (API level 31), this parameter has no effect even on devices that have + * an on-body sensor. A future version of Android may restore enforcement of this parameter. + * Meanwhile, it is recommended to not use it. * - * @param remainsValid if {@code true}, and if the device supports on-body detection, key - * will be invalidated when the device is removed from the user's body or when the - * authentication validity expires, whichever occurs first. + * @param remainsValid if {@code true}, and if the device supports enforcement of this + * parameter, the key will be invalidated when the device is removed from the user's body or + * when the authentication validity expires, whichever occurs first. */ @NonNull public Builder setUserAuthenticationValidWhileOnBody(boolean remainsValid) { diff --git a/keystore/java/android/security/keystore/KeyProtection.java b/keystore/java/android/security/keystore/KeyProtection.java index 9b455f05b99c..8e5ac45d394d 100644 --- a/keystore/java/android/security/keystore/KeyProtection.java +++ b/keystore/java/android/security/keystore/KeyProtection.java @@ -1037,16 +1037,16 @@ public final class KeyProtection implements ProtectionParameter, UserAuthArgs { * {@link #setUserAuthenticationValidityDurationSeconds} and * {@link #setUserAuthenticationRequired}). Once the device has been removed from the * user's body, the key will be considered unauthorized and the user will need to - * re-authenticate to use it. For keys without an authentication validity period this - * parameter has no effect. - * - * <p>Similarly, on devices that do not have an on-body sensor, this parameter will have no - * effect; the device will always be considered to be "on-body" and the key will therefore - * remain authorized until the validity period ends. + * re-authenticate to use it. If the device does not have an on-body sensor or the key does + * not have an authentication validity period, this parameter has no effect. + * <p> + * Since Android 12 (API level 31), this parameter has no effect even on devices that have + * an on-body sensor. A future version of Android may restore enforcement of this parameter. + * Meanwhile, it is recommended to not use it. * - * @param remainsValid if {@code true}, and if the device supports on-body detection, key - * will be invalidated when the device is removed from the user's body or when the - * authentication validity expires, whichever occurs first. + * @param remainsValid if {@code true}, and if the device supports enforcement of this + * parameter, the key will be invalidated when the device is removed from the user's body or + * when the authentication validity expires, whichever occurs first. */ @NonNull public Builder setUserAuthenticationValidWhileOnBody(boolean remainsValid) { |