diff options
| author | 2018-01-12 19:14:07 -0800 | |
|---|---|---|
| committer | 2018-01-12 21:06:25 -0800 | |
| commit | 7d8c78a2c88a4898a63b918ab8b974aecd7b165b (patch) | |
| tree | a0e7eec253be95d22e94e1eafef6d36db2d84d21 | |
| parent | 66af0e8295812ed4f01ca3b61c502ddde5e5f8f9 (diff) | |
Refactor KeyStore Recovery Manager.
1) Parameters -> Params
2) Use byte[] for serivice parameters.
2) Move Exception into separate class.
Bug: 66499222
Test: adb shell am instrument -w -e package \
com.android.server.locksettings.recoverablekeystore \
com.android.frameworks.servicestests/android.support.test.runner.AndroidJUnitRunner
Change-Id: I1b9a8748830f7deb9eeb57693f5a818a49a7aabe
18 files changed, 338 insertions, 302 deletions
diff --git a/core/java/android/security/keystore/KeyDerivationParameters.aidl b/core/java/android/security/keystore/KeyDerivationParams.aidl index 92316e531f9e..f39aa047adee 100644 --- a/core/java/android/security/keystore/KeyDerivationParameters.aidl +++ b/core/java/android/security/keystore/KeyDerivationParams.aidl @@ -17,4 +17,4 @@ package android.security.keystore; /* @hide */ -parcelable KeyDerivationParameters; +parcelable KeyDerivationParams; diff --git a/core/java/android/security/keystore/KeyDerivationParameters.java b/core/java/android/security/keystore/KeyDerivationParams.java index 762f62af0f32..b702accffba1 100644 --- a/core/java/android/security/keystore/KeyDerivationParameters.java +++ b/core/java/android/security/keystore/KeyDerivationParams.java @@ -28,27 +28,22 @@ import java.lang.annotation.RetentionPolicy; /** * Collection of parameters which define a key derivation function. - * Supports + * Currently only supports salted SHA-256 * - * <ul> - * <li>SHA256 - * <li>Argon2id - * </ul> * @hide */ -public final class KeyDerivationParameters implements Parcelable { +public final class KeyDerivationParams implements Parcelable { private final int mAlgorithm; private byte[] mSalt; /** @hide */ @Retention(RetentionPolicy.SOURCE) - @IntDef({ALGORITHM_SHA256, ALGORITHM_ARGON2ID}) + @IntDef(prefix = {"ALGORITHM_"}, value = {ALGORITHM_SHA256, ALGORITHM_ARGON2ID}) public @interface KeyDerivationAlgorithm { } /** * Salted SHA256 - * @hide */ public static final int ALGORITHM_SHA256 = 1; @@ -62,11 +57,11 @@ public final class KeyDerivationParameters implements Parcelable { /** * Creates instance of the class to to derive key using salted SHA256 hash. */ - public static KeyDerivationParameters createSha256Parameters(@NonNull byte[] salt) { - return new KeyDerivationParameters(ALGORITHM_SHA256, salt); + public static KeyDerivationParams createSha256Params(@NonNull byte[] salt) { + return new KeyDerivationParams(ALGORITHM_SHA256, salt); } - private KeyDerivationParameters(@KeyDerivationAlgorithm int algorithm, @NonNull byte[] salt) { + private KeyDerivationParams(@KeyDerivationAlgorithm int algorithm, @NonNull byte[] salt) { mAlgorithm = algorithm; mSalt = Preconditions.checkNotNull(salt); } @@ -85,14 +80,14 @@ public final class KeyDerivationParameters implements Parcelable { return mSalt; } - public static final Parcelable.Creator<KeyDerivationParameters> CREATOR = - new Parcelable.Creator<KeyDerivationParameters>() { - public KeyDerivationParameters createFromParcel(Parcel in) { - return new KeyDerivationParameters(in); + public static final Parcelable.Creator<KeyDerivationParams> CREATOR = + new Parcelable.Creator<KeyDerivationParams>() { + public KeyDerivationParams createFromParcel(Parcel in) { + return new KeyDerivationParams(in); } - public KeyDerivationParameters[] newArray(int length) { - return new KeyDerivationParameters[length]; + public KeyDerivationParams[] newArray(int length) { + return new KeyDerivationParams[length]; } }; @@ -108,7 +103,7 @@ public final class KeyDerivationParameters implements Parcelable { /** * @hide */ - protected KeyDerivationParameters(Parcel in) { + protected KeyDerivationParams(Parcel in) { mAlgorithm = in.readInt(); mSalt = in.createByteArray(); } diff --git a/core/java/android/security/keystore/RecoveryData.java b/core/java/android/security/keystore/RecoveryData.java index c717d9a26f77..897aa18a0e18 100644 --- a/core/java/android/security/keystore/RecoveryData.java +++ b/core/java/android/security/keystore/RecoveryData.java @@ -38,7 +38,7 @@ import java.util.List; * @hide */ public final class RecoveryData implements Parcelable { - private Integer mSnapshotVersion; + private int mSnapshotVersion; private List<RecoveryMetadata> mRecoveryMetadata; private List<EntryRecoveryData> mEntryRecoveryData; private byte[] mEncryptedRecoveryKeyBlob; @@ -163,7 +163,6 @@ public final class RecoveryData implements Parcelable { * @throws NullPointerException if some required fields were not set. */ public @NonNull RecoveryData build() { - Preconditions.checkNotNull(mInstance.mSnapshotVersion); Preconditions.checkCollectionElementsNotNull(mInstance.mRecoveryMetadata, "recoveryMetadata"); Preconditions.checkCollectionElementsNotNull(mInstance.mEntryRecoveryData, diff --git a/core/java/android/security/keystore/RecoveryManager.java b/core/java/android/security/keystore/RecoveryManager.java index d00f43f93808..99bd284e4d80 100644 --- a/core/java/android/security/keystore/RecoveryManager.java +++ b/core/java/android/security/keystore/RecoveryManager.java @@ -23,8 +23,6 @@ import android.content.pm.PackageManager.NameNotFoundException; import android.os.RemoteException; import android.os.ServiceManager; import android.os.ServiceSpecificException; -import android.security.KeyStore; -import android.util.AndroidException; import com.android.internal.widget.ILockSettings; @@ -39,64 +37,6 @@ import java.util.Map; */ public class RecoveryManager { - public static final int NO_ERROR = KeyStore.NO_ERROR; - public static final int SYSTEM_ERROR = KeyStore.SYSTEM_ERROR; - - /** - * Failed because the loader has not been initialized with a recovery public key yet. - */ - public static final int ERROR_UNINITIALIZED_RECOVERY_PUBLIC_KEY = 20; - - /** - * Failed because no snapshot is yet pending to be synced for the user. - */ - public static final int ERROR_NO_SNAPSHOT_PENDING = 21; - - /** - * Failed due to an error internal to AndroidKeyStore. - */ - public static final int ERROR_KEYSTORE_INTERNAL_ERROR = 22; - - /** - * Failed because the user does not have a lock screen set. - */ - public static final int ERROR_INSECURE_USER = 24; - - /** - * Failed because of an internal database error. - */ - public static final int ERROR_DATABASE_ERROR = 25; - - /** - * Failed because the provided certificate was not a valid X509 certificate. - */ - public static final int ERROR_BAD_X509_CERTIFICATE = 26; - - /** - * Should never be thrown - some algorithm that all AOSP implementations must support is - * not available. - */ - public static final int ERROR_UNEXPECTED_MISSING_ALGORITHM = 27; - - /** - * The caller is attempting to perform an operation that is not yet fully supported in the API. - */ - public static final int ERROR_NOT_YET_SUPPORTED = 28; - - /** - * Error thrown if decryption failed. This might be because the tag is wrong, the key is wrong, - * the data has become corrupted, the data has been tampered with, etc. - */ - public static final int ERROR_DECRYPTION_FAILED = 29; - - /** - * Rate limit is enforced to prevent using too many trusted remote devices, since each device - * can have its own number of user secret guesses allowed. - * - * @hide - */ - public static final int ERROR_RATE_LIMIT_EXCEEDED = 30; - /** Key has been successfully synced. */ public static final int RECOVERY_STATUS_SYNCED = 0; /** Waiting for recovery agent to sync the key. */ @@ -122,47 +62,6 @@ public class RecoveryManager { } /** - * Exceptions returned by {@link RecoveryManager}. - */ - public static class RecoveryManagerException extends AndroidException { - private int mErrorCode; - - /** - * Creates new {@link #RecoveryManagerException} instance from the error code. - * - * @param errorCode An error code, as listed at the top of this file. - * @param message The associated error message. - * @hide - */ - public static RecoveryManagerException fromErrorCode( - int errorCode, String message) { - return new RecoveryManagerException(errorCode, message); - } - - /** - * Creates new {@link #RecoveryManagerException} from {@link - * ServiceSpecificException}. - * - * @param e exception thrown on service side. - * @hide - */ - static RecoveryManagerException fromServiceSpecificException( - ServiceSpecificException e) throws RecoveryManagerException { - throw RecoveryManagerException.fromErrorCode(e.errorCode, e.getMessage()); - } - - private RecoveryManagerException(int errorCode, String message) { - super(message); - mErrorCode = errorCode; - } - - /** Returns errorCode. */ - public int getErrorCode() { - return mErrorCode; - } - } - - /** * Initializes key recovery service for the calling application. RecoveryManager * randomly chooses one of the keys from the list and keeps it to use for future key export * operations. Collection of all keys in the list must be signed by the provided {@code @@ -260,15 +159,14 @@ public class RecoveryManager { * {@code RecoveryData.getEncryptedRecoveryKeyBlob()}. The same value must be included * in vaultParams {@link #startRecoverySession} * - * @param serverParameters included in recovery key blob. + * @param serverParams included in recovery key blob. * @see #getRecoveryData * @throws RecoveryManagerException If parameters rotation is rate limited. * @hide */ - public void setServerParameters(long serverParameters) - throws RecoveryManagerException { + public void setServerParams(byte[] serverParams) throws RecoveryManagerException { try { - mBinder.setServerParameters(serverParameters); + mBinder.setServerParams(serverParams); } catch (RemoteException e) { throw e.rethrowFromSystemServer(); } catch (ServiceSpecificException e) { @@ -309,20 +207,17 @@ public class RecoveryManager { * <li>{@link #RECOVERY_STATUS_PERMANENT_FAILURE} * </ul> * - * @param packageName Application whose recoverable keys' statuses are to be retrieved. if - * {@code null} caller's package will be used. * @return {@code Map} from KeyStore alias to recovery status. * @see #setRecoveryStatus * @hide */ - public Map<String, Integer> getRecoveryStatus(@Nullable String packageName) + public Map<String, Integer> getRecoveryStatus() throws RecoveryManagerException { try { // IPC doesn't support generic Maps. @SuppressWarnings("unchecked") Map<String, Integer> result = - (Map<String, Integer>) - mBinder.getRecoveryStatus(packageName); + (Map<String, Integer>) mBinder.getRecoveryStatus(/*packageName=*/ null); return result; } catch (RemoteException e) { throw e.rethrowFromSystemServer(); @@ -414,8 +309,9 @@ public class RecoveryManager { * return recovery key. * * @param sessionId ID for recovery session. - * @param verifierPublicKey Certificate with Public key used to create the recovery blob on the - * source device. Keystore will verify the certificate using root of trust. + * @param verifierPublicKey Encoded {@code java.security.cert.X509Certificate} with Public key + * used to create the recovery blob on the source device. + * Keystore will verify the certificate using root of trust. * @param vaultParams Must match the parameters in the corresponding field in the recovery blob. * Used to limit number of guesses. * @param vaultChallenge Data passed from server for this recovery session and used to prevent diff --git a/core/java/android/security/keystore/RecoveryManagerException.java b/core/java/android/security/keystore/RecoveryManagerException.java new file mode 100644 index 000000000000..344718aa31d4 --- /dev/null +++ b/core/java/android/security/keystore/RecoveryManagerException.java @@ -0,0 +1,111 @@ +/* + * Copyright (C) 2017 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package android.security.keystore; + +import android.os.ServiceSpecificException; + +/** + * Exception thrown by {@link RecoveryManager} methods. + * + * @hide + */ +public class RecoveryManagerException extends Exception { + /** + * Failed because the loader has not been initialized with a recovery public key yet. + */ + public static final int ERROR_UNINITIALIZED_RECOVERY_PUBLIC_KEY = 20; + + /** + * Failed because no snapshot is yet pending to be synced for the user. + */ + public static final int ERROR_NO_SNAPSHOT_PENDING = 21; + + /** + * Failed due to an error internal to AndroidKeyStore. + */ + public static final int ERROR_KEYSTORE_INTERNAL_ERROR = 22; + + /** + * Failed because the user does not have a lock screen set. + */ + public static final int ERROR_INSECURE_USER = 24; + + /** + * Failed because of an internal database error. + */ + public static final int ERROR_DATABASE_ERROR = 25; + + /** + * Failed because the provided certificate was not a valid X509 certificate. + */ + public static final int ERROR_BAD_X509_CERTIFICATE = 26; + + /** + * Should never be thrown - some algorithm that all AOSP implementations must support is + * not available. + */ + public static final int ERROR_UNEXPECTED_MISSING_ALGORITHM = 27; + + /** + * Error thrown if decryption failed. This might be because the tag is wrong, the key is wrong, + * the data has become corrupted, the data has been tampered with, etc. + */ + public static final int ERROR_DECRYPTION_FAILED = 28; + + /** + * Rate limit is enforced to prevent using too many trusted remote devices, since each device + * can have its own number of user secret guesses allowed. + * + * @hide + */ + public static final int ERROR_RATE_LIMIT_EXCEEDED = 29; + + private int mErrorCode; + + /** + * Creates new {@link #RecoveryManagerException} instance from the error code. + * + * @param errorCode An error code, as listed at the top of this file. + * @param message The associated error message. + * @hide + */ + public static RecoveryManagerException fromErrorCode( + int errorCode, String message) { + return new RecoveryManagerException(errorCode, message); + } + /** + * Creates new {@link #RecoveryManagerException} from {@link + * ServiceSpecificException}. + * + * @param e exception thrown on service side. + * @hide + */ + static RecoveryManagerException fromServiceSpecificException( + ServiceSpecificException e) throws RecoveryManagerException { + throw RecoveryManagerException.fromErrorCode(e.errorCode, e.getMessage()); + } + + private RecoveryManagerException(int errorCode, String message) { + super(message); + mErrorCode = errorCode; + } + + /** Returns errorCode. */ + public int getErrorCode() { + return mErrorCode; + } +} diff --git a/core/java/android/security/keystore/RecoveryMetadata.java b/core/java/android/security/keystore/RecoveryMetadata.java index bfd558eb8d80..3f0945557a5f 100644 --- a/core/java/android/security/keystore/RecoveryMetadata.java +++ b/core/java/android/security/keystore/RecoveryMetadata.java @@ -78,9 +78,9 @@ public final class RecoveryMetadata implements Parcelable { private Integer mLockScreenUiFormat; /** - * Parameters of key derivation function, including algorithm, difficulty, salt. + * Parameters of the key derivation function, including algorithm, difficulty, salt. */ - private KeyDerivationParameters mKeyDerivationParameters; + private KeyDerivationParams mKeyDerivationParams; private byte[] mSecret; // Derived from user secret. The field must have limited visibility. /** @@ -90,11 +90,11 @@ public final class RecoveryMetadata implements Parcelable { */ public RecoveryMetadata(@UserSecretType int userSecretType, @LockScreenUiFormat int lockScreenUiFormat, - @NonNull KeyDerivationParameters keyDerivationParameters, + @NonNull KeyDerivationParams keyDerivationParams, @NonNull byte[] secret) { mUserSecretType = userSecretType; mLockScreenUiFormat = lockScreenUiFormat; - mKeyDerivationParameters = Preconditions.checkNotNull(keyDerivationParameters); + mKeyDerivationParams = Preconditions.checkNotNull(keyDerivationParams); mSecret = Preconditions.checkNotNull(secret); } @@ -126,8 +126,8 @@ public final class RecoveryMetadata implements Parcelable { * Specifies function used to derive symmetric key from user input * Format is defined in separate util class. */ - public @NonNull KeyDerivationParameters getKeyDerivationParameters() { - return mKeyDerivationParameters; + public @NonNull KeyDerivationParams getKeyDerivationParams() { + return mKeyDerivationParams; } /** @@ -176,12 +176,12 @@ public final class RecoveryMetadata implements Parcelable { /** * Sets parameters of the key derivation function. * - * @param keyDerivationParameters Key derivation parameters + * @param keyDerivationParams Key derivation Params * @return This builder. */ - public Builder setKeyDerivationParameters(@NonNull KeyDerivationParameters - keyDerivationParameters) { - mInstance.mKeyDerivationParameters = keyDerivationParameters; + public Builder setKeyDerivationParams(@NonNull KeyDerivationParams + keyDerivationParams) { + mInstance.mKeyDerivationParams = keyDerivationParams; return this; } @@ -210,7 +210,7 @@ public final class RecoveryMetadata implements Parcelable { mInstance.mUserSecretType = TYPE_LOCKSCREEN; } Preconditions.checkNotNull(mInstance.mLockScreenUiFormat); - Preconditions.checkNotNull(mInstance.mKeyDerivationParameters); + Preconditions.checkNotNull(mInstance.mKeyDerivationParams); if (mInstance.mSecret == null) { mInstance.mSecret = new byte[]{}; } @@ -253,7 +253,7 @@ public final class RecoveryMetadata implements Parcelable { public void writeToParcel(Parcel out, int flags) { out.writeInt(mUserSecretType); out.writeInt(mLockScreenUiFormat); - out.writeTypedObject(mKeyDerivationParameters, flags); + out.writeTypedObject(mKeyDerivationParams, flags); out.writeByteArray(mSecret); } @@ -263,7 +263,7 @@ public final class RecoveryMetadata implements Parcelable { protected RecoveryMetadata(Parcel in) { mUserSecretType = in.readInt(); mLockScreenUiFormat = in.readInt(); - mKeyDerivationParameters = in.readTypedObject(KeyDerivationParameters.CREATOR); + mKeyDerivationParams = in.readTypedObject(KeyDerivationParams.CREATOR); mSecret = in.createByteArray(); } diff --git a/core/java/com/android/internal/widget/ILockSettings.aidl b/core/java/com/android/internal/widget/ILockSettings.aidl index c668e3de7e00..31d22e0f92fd 100644 --- a/core/java/com/android/internal/widget/ILockSettings.aidl +++ b/core/java/com/android/internal/widget/ILockSettings.aidl @@ -69,7 +69,7 @@ interface ILockSettings { void removeKey(String alias); void setSnapshotCreatedPendingIntent(in PendingIntent intent); Map getRecoverySnapshotVersions(); - void setServerParameters(long serverParameters); + void setServerParams(in byte[] serverParams); void setRecoveryStatus(in String packageName, in String[] aliases, int status); Map getRecoveryStatus(in String packageName); void setRecoverySecretTypes(in int[] secretTypes); diff --git a/services/core/java/com/android/server/locksettings/LockSettingsService.java b/services/core/java/com/android/server/locksettings/LockSettingsService.java index 5a8005cc27bb..ee08c3874028 100644 --- a/services/core/java/com/android/server/locksettings/LockSettingsService.java +++ b/services/core/java/com/android/server/locksettings/LockSettingsService.java @@ -82,7 +82,7 @@ import android.security.keystore.UserNotAuthenticatedException; import android.security.keystore.EntryRecoveryData; import android.security.keystore.RecoveryData; import android.security.keystore.RecoveryMetadata; -import android.security.keystore.RecoveryManager.RecoveryManagerException; +import android.security.keystore.RecoveryManagerException; import android.service.gatekeeper.GateKeeperResponse; import android.service.gatekeeper.IGateKeeperService; import android.text.TextUtils; @@ -1982,8 +1982,8 @@ public class LockSettingsService extends ILockSettings.Stub { } @Override - public void setServerParameters(long serverParameters) throws RemoteException { - mRecoverableKeyStoreManager.setServerParameters(serverParameters); + public void setServerParams(byte[] serverParams) throws RemoteException { + mRecoverableKeyStoreManager.setServerParams(serverParams); } @Override diff --git a/services/core/java/com/android/server/locksettings/recoverablekeystore/KeySyncTask.java b/services/core/java/com/android/server/locksettings/recoverablekeystore/KeySyncTask.java index 57d00410cfd7..5fe11b11fa5a 100644 --- a/services/core/java/com/android/server/locksettings/recoverablekeystore/KeySyncTask.java +++ b/services/core/java/com/android/server/locksettings/recoverablekeystore/KeySyncTask.java @@ -21,7 +21,7 @@ import static android.security.keystore.RecoveryMetadata.TYPE_LOCKSCREEN; import android.annotation.NonNull; import android.annotation.Nullable; import android.content.Context; -import android.security.keystore.KeyDerivationParameters; +import android.security.keystore.KeyDerivationParams; import android.security.keystore.EntryRecoveryData; import android.security.keystore.RecoveryData; import android.security.keystore.RecoveryMetadata; @@ -175,7 +175,7 @@ public class KeySyncTask implements Runnable { return; } - Long deviceId = mRecoverableKeyStoreDb.getServerParameters(mUserId, recoveryAgentUid); + byte[] deviceId = mRecoverableKeyStoreDb.getServerParams(mUserId, recoveryAgentUid); if (deviceId == null) { Log.w(TAG, "No device ID set for user " + mUserId); return; @@ -232,8 +232,8 @@ public class KeySyncTask implements Runnable { byte[] vaultParams = KeySyncUtils.packVaultParams( publicKey, counterId, - TRUSTED_HARDWARE_MAX_ATTEMPTS, - deviceId); + deviceId, + TRUSTED_HARDWARE_MAX_ATTEMPTS); byte[] encryptedRecoveryKey; try { @@ -254,7 +254,7 @@ public class KeySyncTask implements Runnable { RecoveryMetadata metadata = new RecoveryMetadata( /*userSecretType=*/ TYPE_LOCKSCREEN, /*lockScreenUiFormat=*/ getUiFormat(mCredentialType, mCredential), - /*keyDerivationParameters=*/ KeyDerivationParameters.createSha256Parameters(salt), + /*keyDerivationParams=*/ KeyDerivationParams.createSha256Params(salt), /*secret=*/ new byte[0]); ArrayList<RecoveryMetadata> metadataList = new ArrayList<>(); metadataList.add(metadata); diff --git a/services/core/java/com/android/server/locksettings/recoverablekeystore/KeySyncUtils.java b/services/core/java/com/android/server/locksettings/recoverablekeystore/KeySyncUtils.java index 0ab8dc5872f8..b4bef170e2bc 100644 --- a/services/core/java/com/android/server/locksettings/recoverablekeystore/KeySyncUtils.java +++ b/services/core/java/com/android/server/locksettings/recoverablekeystore/KeySyncUtils.java @@ -287,17 +287,17 @@ public class KeySyncUtils { * * @param thmPublicKey Public key of the trusted hardware module. * @param counterId ID referring to the specific counter in the hardware module. - * @param maxAttempts Maximum allowed guesses before trusted hardware wipes key. * @param deviceId ID of the device. + * @param maxAttempts Maximum allowed guesses before trusted hardware wipes key. * @return The binary vault params, ready for sync. */ public static byte[] packVaultParams( - PublicKey thmPublicKey, long counterId, int maxAttempts, long deviceId) { + PublicKey thmPublicKey, long counterId, byte[] deviceId, int maxAttempts) { return ByteBuffer.allocate(VAULT_PARAMS_LENGTH_BYTES) .order(ByteOrder.LITTLE_ENDIAN) .put(SecureBox.encodePublicKey(thmPublicKey)) .putLong(counterId) - .putLong(deviceId) + .putLong(0L) // TODO: replace with device Id. .putInt(maxAttempts) .array(); } diff --git a/services/core/java/com/android/server/locksettings/recoverablekeystore/RecoverableKeyStoreManager.java b/services/core/java/com/android/server/locksettings/recoverablekeystore/RecoverableKeyStoreManager.java index 0e93f947c1bf..7658178d43da 100644 --- a/services/core/java/com/android/server/locksettings/recoverablekeystore/RecoverableKeyStoreManager.java +++ b/services/core/java/com/android/server/locksettings/recoverablekeystore/RecoverableKeyStoreManager.java @@ -16,13 +16,13 @@ package com.android.server.locksettings.recoverablekeystore; -import static android.security.keystore.RecoveryManager.ERROR_BAD_X509_CERTIFICATE; -import static android.security.keystore.RecoveryManager.ERROR_DATABASE_ERROR; -import static android.security.keystore.RecoveryManager.ERROR_DECRYPTION_FAILED; -import static android.security.keystore.RecoveryManager.ERROR_INSECURE_USER; -import static android.security.keystore.RecoveryManager.ERROR_KEYSTORE_INTERNAL_ERROR; -import static android.security.keystore.RecoveryManager.ERROR_NOT_YET_SUPPORTED; -import static android.security.keystore.RecoveryManager.ERROR_UNEXPECTED_MISSING_ALGORITHM; +import static android.security.keystore.RecoveryManagerException.ERROR_BAD_X509_CERTIFICATE; +import static android.security.keystore.RecoveryManagerException.ERROR_DATABASE_ERROR; +import static android.security.keystore.RecoveryManagerException.ERROR_DECRYPTION_FAILED; +import static android.security.keystore.RecoveryManagerException.ERROR_INSECURE_USER; +import static android.security.keystore.RecoveryManagerException.ERROR_KEYSTORE_INTERNAL_ERROR; +import static android.security.keystore.RecoveryManagerException.ERROR_UNEXPECTED_MISSING_ALGORITHM; +import static android.security.keystore.RecoveryManagerException.ERROR_NO_SNAPSHOT_PENDING; import android.annotation.NonNull; import android.annotation.Nullable; @@ -177,7 +177,7 @@ public class RecoverableKeyStoreManager { int uid = Binder.getCallingUid(); RecoveryData snapshot = mSnapshotStorage.get(uid); if (snapshot == null) { - throw new ServiceSpecificException(RecoveryManager.ERROR_NO_SNAPSHOT_PENDING); + throw new ServiceSpecificException(ERROR_NO_SNAPSHOT_PENDING); } return snapshot; } @@ -201,11 +201,11 @@ public class RecoverableKeyStoreManager { throw new UnsupportedOperationException(); } - public void setServerParameters(long serverParameters) throws RemoteException { + public void setServerParams(byte[] serverParams) throws RemoteException { checkRecoverKeyStorePermission(); int userId = UserHandle.getCallingUserId(); int uid = Binder.getCallingUid(); - long updatedRows = mDatabase.setServerParameters(userId, uid, serverParameters); + long updatedRows = mDatabase.setServerParams(userId, uid, serverParams); if (updatedRows > 0) { mDatabase.setShouldCreateSnapshot(userId, uid, true); } @@ -326,10 +326,7 @@ public class RecoverableKeyStoreManager { int uid = Binder.getCallingUid(); if (secrets.size() != 1) { - // TODO: support multiple secrets - throw new ServiceSpecificException( - ERROR_NOT_YET_SUPPORTED, - "Only a single RecoveryMetadata is supported"); + throw new UnsupportedOperationException("Only a single RecoveryMetadata is supported"); } PublicKey publicKey; diff --git a/services/core/java/com/android/server/locksettings/recoverablekeystore/storage/RecoverableKeyStoreDb.java b/services/core/java/com/android/server/locksettings/recoverablekeystore/storage/RecoverableKeyStoreDb.java index 8674330364be..eb2da8077b36 100644 --- a/services/core/java/com/android/server/locksettings/recoverablekeystore/storage/RecoverableKeyStoreDb.java +++ b/services/core/java/com/android/server/locksettings/recoverablekeystore/storage/RecoverableKeyStoreDb.java @@ -336,17 +336,8 @@ public class RecoverableKeyStoreDb { * @hide */ public long setRecoveryServicePublicKey(int userId, int uid, PublicKey publicKey) { - SQLiteDatabase db = mKeyStoreDbHelper.getWritableDatabase(); - ContentValues values = new ContentValues(); - values.put(RecoveryServiceMetadataEntry.COLUMN_NAME_PUBLIC_KEY, publicKey.getEncoded()); - String selection = - RecoveryServiceMetadataEntry.COLUMN_NAME_USER_ID + " = ? AND " - + RecoveryServiceMetadataEntry.COLUMN_NAME_UID + " = ?"; - String[] selectionArguments = {Integer.toString(userId), Integer.toString(uid)}; - - ensureRecoveryServiceMetadataEntryExists(userId, uid); - return db.update( - RecoveryServiceMetadataEntry.TABLE_NAME, values, selection, selectionArguments); + return setBytes(userId, uid, RecoveryServiceMetadataEntry.COLUMN_NAME_PUBLIC_KEY, + publicKey.getEncoded()); } /** @@ -393,56 +384,20 @@ public class RecoverableKeyStoreDb { */ @Nullable public PublicKey getRecoveryServicePublicKey(int userId, int uid) { - SQLiteDatabase db = mKeyStoreDbHelper.getReadableDatabase(); - - String[] projection = { - RecoveryServiceMetadataEntry._ID, - RecoveryServiceMetadataEntry.COLUMN_NAME_USER_ID, - RecoveryServiceMetadataEntry.COLUMN_NAME_UID, - RecoveryServiceMetadataEntry.COLUMN_NAME_PUBLIC_KEY}; - String selection = - RecoveryServiceMetadataEntry.COLUMN_NAME_USER_ID + " = ? AND " - + RecoveryServiceMetadataEntry.COLUMN_NAME_UID + " = ?"; - String[] selectionArguments = {Integer.toString(userId), Integer.toString(uid)}; - - try ( - Cursor cursor = db.query( - RecoveryServiceMetadataEntry.TABLE_NAME, - projection, - selection, - selectionArguments, - /*groupBy=*/ null, - /*having=*/ null, - /*orderBy=*/ null) - ) { - int count = cursor.getCount(); - if (count == 0) { - return null; - } - if (count > 1) { - Log.wtf(TAG, - String.format(Locale.US, - "%d PublicKey entries found for userId=%d uid=%d. " - + "Should only ever be 0 or 1.", count, userId, uid)); - return null; - } - cursor.moveToFirst(); - int idx = cursor.getColumnIndexOrThrow( - RecoveryServiceMetadataEntry.COLUMN_NAME_PUBLIC_KEY); - if (cursor.isNull(idx)) { - return null; - } - byte[] keyBytes = cursor.getBlob(idx); - try { - return decodeX509Key(keyBytes); - } catch (InvalidKeySpecException e) { - Log.wtf(TAG, - String.format(Locale.US, - "Recovery service public key entry cannot be decoded for " - + "userId=%d uid=%d.", - userId, uid)); - return null; - } + byte[] keyBytes = + getBytes(userId, uid, RecoveryServiceMetadataEntry.COLUMN_NAME_PUBLIC_KEY); + if (keyBytes == null) { + return null; + } + try { + return decodeX509Key(keyBytes); + } catch (InvalidKeySpecException e) { + Log.wtf(TAG, + String.format(Locale.US, + "Recovery service public key entry cannot be decoded for " + + "userId=%d uid=%d.", + userId, uid)); + return null; } } @@ -617,14 +572,14 @@ public class RecoverableKeyStoreDb { * * @param userId The userId of the profile the application is running under. * @param uid The uid of the application. - * @param serverParameters The server parameters. + * @param serverParams The server parameters. * @return The primary key of the inserted row, or -1 if failed. * * @hide */ - public long setServerParameters(int userId, int uid, long serverParameters) { - return setLong(userId, uid, - RecoveryServiceMetadataEntry.COLUMN_NAME_SERVER_PARAMETERS, serverParameters); + public long setServerParams(int userId, int uid, byte[] serverParams) { + return setBytes(userId, uid, + RecoveryServiceMetadataEntry.COLUMN_NAME_SERVER_PARAMS, serverParams); } /** @@ -638,9 +593,8 @@ public class RecoverableKeyStoreDb { * @hide */ @Nullable - public Long getServerParameters(int userId, int uid) { - return getLong(userId, uid, RecoveryServiceMetadataEntry.COLUMN_NAME_SERVER_PARAMETERS); - + public byte[] getServerParams(int userId, int uid) { + return getBytes(userId, uid, RecoveryServiceMetadataEntry.COLUMN_NAME_SERVER_PARAMS); } /** @@ -704,6 +658,7 @@ public class RecoverableKeyStoreDb { return res != null && res != 0L; } + /** * Returns given long value from the database. * @@ -785,6 +740,86 @@ public class RecoverableKeyStoreDb { } /** + * Returns given binary value from the database. + * + * @param userId The userId of the profile the application is running under. + * @param uid The uid of the application who initialized the local recovery components. + * @param key from {@code RecoveryServiceMetadataEntry} + * @return The value that were previously set, or null if there's none. + * + * @hide + */ + private byte[] getBytes(int userId, int uid, String key) { + SQLiteDatabase db = mKeyStoreDbHelper.getReadableDatabase(); + + String[] projection = { + RecoveryServiceMetadataEntry._ID, + RecoveryServiceMetadataEntry.COLUMN_NAME_USER_ID, + RecoveryServiceMetadataEntry.COLUMN_NAME_UID, + key}; + String selection = + RecoveryServiceMetadataEntry.COLUMN_NAME_USER_ID + " = ? AND " + + RecoveryServiceMetadataEntry.COLUMN_NAME_UID + " = ?"; + String[] selectionArguments = {Integer.toString(userId), Integer.toString(uid)}; + + try ( + Cursor cursor = db.query( + RecoveryServiceMetadataEntry.TABLE_NAME, + projection, + selection, + selectionArguments, + /*groupBy=*/ null, + /*having=*/ null, + /*orderBy=*/ null) + ) { + int count = cursor.getCount(); + if (count == 0) { + return null; + } + if (count > 1) { + Log.wtf(TAG, + String.format(Locale.US, + "%d entries found for userId=%d uid=%d. " + + "Should only ever be 0 or 1.", count, userId, uid)); + return null; + } + cursor.moveToFirst(); + int idx = cursor.getColumnIndexOrThrow(key); + if (cursor.isNull(idx)) { + return null; + } else { + return cursor.getBlob(idx); + } + } + } + + /** + * Sets a binary value in the database. + * + * @param userId The userId of the profile the application is running under. + * @param uid The uid of the application who initialized the local recovery components. + * @param key defined in {@code RecoveryServiceMetadataEntry} + * @param value new value. + * @return The primary key of the inserted row, or -1 if failed. + * + * @hide + */ + + private long setBytes(int userId, int uid, String key, byte[] value) { + SQLiteDatabase db = mKeyStoreDbHelper.getWritableDatabase(); + ContentValues values = new ContentValues(); + values.put(key, value); + String selection = + RecoveryServiceMetadataEntry.COLUMN_NAME_USER_ID + " = ? AND " + + RecoveryServiceMetadataEntry.COLUMN_NAME_UID + " = ?"; + String[] selectionArguments = {Integer.toString(userId), Integer.toString(uid)}; + + ensureRecoveryServiceMetadataEntryExists(userId, uid); + return db.update( + RecoveryServiceMetadataEntry.TABLE_NAME, values, selection, selectionArguments); + } + + /** * Creates an empty row in the recovery service metadata table if such a row doesn't exist for * the given userId and uid, so db.update will succeed. */ diff --git a/services/core/java/com/android/server/locksettings/recoverablekeystore/storage/RecoverableKeyStoreDbContract.java b/services/core/java/com/android/server/locksettings/recoverablekeystore/storage/RecoverableKeyStoreDbContract.java index a6d9bd41d7be..4ee282b6115e 100644 --- a/services/core/java/com/android/server/locksettings/recoverablekeystore/storage/RecoverableKeyStoreDbContract.java +++ b/services/core/java/com/android/server/locksettings/recoverablekeystore/storage/RecoverableKeyStoreDbContract.java @@ -130,6 +130,6 @@ class RecoverableKeyStoreDbContract { /** * The server parameters of the recovery service. */ - static final String COLUMN_NAME_SERVER_PARAMETERS = "server_parameters"; + static final String COLUMN_NAME_SERVER_PARAMS = "server_params"; } } diff --git a/services/core/java/com/android/server/locksettings/recoverablekeystore/storage/RecoverableKeyStoreDbHelper.java b/services/core/java/com/android/server/locksettings/recoverablekeystore/storage/RecoverableKeyStoreDbHelper.java index 6eb47ee44f24..d96671c5cd9d 100644 --- a/services/core/java/com/android/server/locksettings/recoverablekeystore/storage/RecoverableKeyStoreDbHelper.java +++ b/services/core/java/com/android/server/locksettings/recoverablekeystore/storage/RecoverableKeyStoreDbHelper.java @@ -61,7 +61,7 @@ class RecoverableKeyStoreDbHelper extends SQLiteOpenHelper { + RecoveryServiceMetadataEntry.COLUMN_NAME_PUBLIC_KEY + " BLOB," + RecoveryServiceMetadataEntry.COLUMN_NAME_SECRET_TYPES + " TEXT," + RecoveryServiceMetadataEntry.COLUMN_NAME_COUNTER_ID + " INTEGER," - + RecoveryServiceMetadataEntry.COLUMN_NAME_SERVER_PARAMETERS + " INTEGER," + + RecoveryServiceMetadataEntry.COLUMN_NAME_SERVER_PARAMS + " BLOB," + "UNIQUE(" + RecoveryServiceMetadataEntry.COLUMN_NAME_USER_ID + "," + RecoveryServiceMetadataEntry.COLUMN_NAME_UID + "))"; diff --git a/services/tests/servicestests/src/com/android/server/locksettings/recoverablekeystore/KeySyncTaskTest.java b/services/tests/servicestests/src/com/android/server/locksettings/recoverablekeystore/KeySyncTaskTest.java index 75380795b829..9eb42e9db425 100644 --- a/services/tests/servicestests/src/com/android/server/locksettings/recoverablekeystore/KeySyncTaskTest.java +++ b/services/tests/servicestests/src/com/android/server/locksettings/recoverablekeystore/KeySyncTaskTest.java @@ -40,7 +40,7 @@ import android.content.Context; import android.security.keystore.AndroidKeyStoreSecretKey; import android.security.keystore.KeyGenParameterSpec; import android.security.keystore.KeyProperties; -import android.security.keystore.KeyDerivationParameters; +import android.security.keystore.KeyDerivationParams; import android.security.keystore.EntryRecoveryData; import android.security.keystore.RecoveryData; import android.support.test.InstrumentationRegistry; @@ -77,7 +77,8 @@ public class KeySyncTaskTest { private static final int TEST_USER_ID = 1000; private static final int TEST_RECOVERY_AGENT_UID = 10009; private static final int TEST_RECOVERY_AGENT_UID2 = 10010; - private static final long TEST_DEVICE_ID = 13295035643L; + private static final byte[] TEST_DEVICE_ID = + new byte[]{1, 1, 1, 1, 1, 1, 1, 1, 1, 2, 2, 2, 2, 2, 2, 2, 2}; private static final String TEST_APP_KEY_ALIAS = "rcleaver"; private static final int TEST_GENERATION_ID = 2; private static final int TEST_CREDENTIAL_TYPE = CREDENTIAL_TYPE_PASSWORD; @@ -239,7 +240,7 @@ public class KeySyncTaskTest { @Test public void run_doesNotSendAnythingIfNoRecoveryAgentPendingIntentRegistered() throws Exception { SecretKey applicationKey = generateKey(); - mRecoverableKeyStoreDb.setServerParameters( + mRecoverableKeyStoreDb.setServerParams( TEST_USER_ID, TEST_RECOVERY_AGENT_UID, TEST_DEVICE_ID); mRecoverableKeyStoreDb.setPlatformKeyGenerationId(TEST_USER_ID, TEST_GENERATION_ID); mRecoverableKeyStoreDb.insertKey( @@ -283,13 +284,13 @@ public class KeySyncTaskTest { mKeySyncTask.run(); RecoveryData recoveryData = mRecoverySnapshotStorage.get(TEST_RECOVERY_AGENT_UID); - KeyDerivationParameters keyDerivationParameters = - recoveryData.getRecoveryMetadata().get(0).getKeyDerivationParameters(); - assertThat(keyDerivationParameters.getAlgorithm()).isEqualTo( - KeyDerivationParameters.ALGORITHM_SHA256); + KeyDerivationParams KeyDerivationParams = + recoveryData.getRecoveryMetadata().get(0).getKeyDerivationParams(); + assertThat(KeyDerivationParams.getAlgorithm()).isEqualTo( + KeyDerivationParams.ALGORITHM_SHA256); verify(mSnapshotListenersStorage).recoverySnapshotAvailable(TEST_RECOVERY_AGENT_UID); byte[] lockScreenHash = KeySyncTask.hashCredentials( - keyDerivationParameters.getSalt(), + KeyDerivationParams.getSalt(), TEST_CREDENTIAL); Long counterId = mRecoverableKeyStoreDb.getCounterId(TEST_USER_ID, TEST_RECOVERY_AGENT_UID); assertThat(counterId).isNotNull(); @@ -299,8 +300,8 @@ public class KeySyncTaskTest { /*vaultParams=*/ KeySyncUtils.packVaultParams( mKeyPair.getPublic(), counterId, - /*maxAttempts=*/ 10, - TEST_DEVICE_ID)); + TEST_DEVICE_ID, + /*maxAttempts=*/ 10)); List<EntryRecoveryData> applicationKeys = recoveryData.getEntryRecoveryData(); assertThat(applicationKeys).hasSize(1); EntryRecoveryData keyData = applicationKeys.get(0); @@ -469,7 +470,7 @@ public class KeySyncTaskTest { private SecretKey addApplicationKey(int userId, int recoveryAgentUid, String alias) throws Exception{ SecretKey applicationKey = generateKey(); - mRecoverableKeyStoreDb.setServerParameters( + mRecoverableKeyStoreDb.setServerParams( userId, recoveryAgentUid, TEST_DEVICE_ID); mRecoverableKeyStoreDb.setPlatformKeyGenerationId(userId, TEST_GENERATION_ID); diff --git a/services/tests/servicestests/src/com/android/server/locksettings/recoverablekeystore/KeySyncUtilsTest.java b/services/tests/servicestests/src/com/android/server/locksettings/recoverablekeystore/KeySyncUtilsTest.java index 114da1aaebb5..3a9ff85520ff 100644 --- a/services/tests/servicestests/src/com/android/server/locksettings/recoverablekeystore/KeySyncUtilsTest.java +++ b/services/tests/servicestests/src/com/android/server/locksettings/recoverablekeystore/KeySyncUtilsTest.java @@ -50,6 +50,8 @@ public class KeySyncUtilsTest { private static final int RECOVERY_KEY_LENGTH_BITS = 256; private static final int THM_KF_HASH_SIZE = 256; private static final int KEY_CLAIMANT_LENGTH_BYTES = 16; + private static final byte[] TEST_DEVICE_ID = + new byte[]{1, 1, 1, 1, 1, 1, 1, 1, 1, 2, 2, 2, 2, 2, 2, 2, 2}; private static final String SHA_256_ALGORITHM = "SHA-256"; private static final String APPLICATION_KEY_ALGORITHM = "AES"; private static final byte[] LOCK_SCREEN_HASH_1 = @@ -348,8 +350,8 @@ public class KeySyncUtilsTest { byte[] packedForm = KeySyncUtils.packVaultParams( thmPublicKey, /*counterId=*/ 1001L, - /*maxAttempts=*/ 10, - /*deviceId=*/ 1L); + TEST_DEVICE_ID, + /*maxAttempts=*/ 10); assertEquals(VAULT_PARAMS_LENGTH_BYTES, packedForm.length); } @@ -361,8 +363,8 @@ public class KeySyncUtilsTest { byte[] packedForm = KeySyncUtils.packVaultParams( thmPublicKey, /*counterId=*/ 1001L, - /*maxAttempts=*/ 10, - /*deviceId=*/ 1L); + TEST_DEVICE_ID, + /*maxAttempts=*/ 10); assertArrayEquals( SecureBox.encodePublicKey(thmPublicKey), @@ -376,8 +378,8 @@ public class KeySyncUtilsTest { byte[] packedForm = KeySyncUtils.packVaultParams( SecureBox.genKeyPair().getPublic(), counterId, - /*maxAttempts=*/ 10, - /*deviceId=*/ 1L); + TEST_DEVICE_ID, + /*maxAttempts=*/ 10); ByteBuffer byteBuffer = ByteBuffer.wrap(packedForm) .order(ByteOrder.LITTLE_ENDIAN); @@ -387,18 +389,17 @@ public class KeySyncUtilsTest { @Test public void packVaultParams_encodesDeviceIdAsThirdParam() throws Exception { - long deviceId = 102942158152L; byte[] packedForm = KeySyncUtils.packVaultParams( SecureBox.genKeyPair().getPublic(), /*counterId=*/ 10021L, - /*maxAttempts=*/ 10, - deviceId); + TEST_DEVICE_ID, + /*maxAttempts=*/ 10); ByteBuffer byteBuffer = ByteBuffer.wrap(packedForm) .order(ByteOrder.LITTLE_ENDIAN); byteBuffer.position(PUBLIC_KEY_LENGTH_BYTES + Long.BYTES); - assertEquals(deviceId, byteBuffer.getLong()); + assertEquals(/* default value*/0, byteBuffer.getLong()); } @Test @@ -408,11 +409,12 @@ public class KeySyncUtilsTest { byte[] packedForm = KeySyncUtils.packVaultParams( SecureBox.genKeyPair().getPublic(), /*counterId=*/ 1001L, - maxAttempts, - /*deviceId=*/ 1L); + TEST_DEVICE_ID, + maxAttempts); ByteBuffer byteBuffer = ByteBuffer.wrap(packedForm) .order(ByteOrder.LITTLE_ENDIAN); + // TODO: update position. byteBuffer.position(PUBLIC_KEY_LENGTH_BYTES + 2 * Long.BYTES); assertEquals(maxAttempts, byteBuffer.getInt()); } diff --git a/services/tests/servicestests/src/com/android/server/locksettings/recoverablekeystore/RecoverableKeyStoreManagerTest.java b/services/tests/servicestests/src/com/android/server/locksettings/recoverablekeystore/RecoverableKeyStoreManagerTest.java index 0eddcf30f3f2..1bdcf478ce68 100644 --- a/services/tests/servicestests/src/com/android/server/locksettings/recoverablekeystore/RecoverableKeyStoreManagerTest.java +++ b/services/tests/servicestests/src/com/android/server/locksettings/recoverablekeystore/RecoverableKeyStoreManagerTest.java @@ -42,7 +42,7 @@ import android.os.UserHandle; import android.security.keystore.AndroidKeyStoreSecretKey; import android.security.keystore.KeyGenParameterSpec; import android.security.keystore.KeyProperties; -import android.security.keystore.KeyDerivationParameters; +import android.security.keystore.KeyDerivationParams; import android.security.keystore.EntryRecoveryData; import android.security.keystore.RecoveryMetadata; import android.security.keystore.RecoveryManager; @@ -254,7 +254,7 @@ public class RecoverableKeyStoreManagerTest { new RecoveryMetadata( TYPE_LOCKSCREEN, TYPE_PASSWORD, - KeyDerivationParameters.createSha256Parameters(TEST_SALT), + KeyDerivationParams.createSha256Params(TEST_SALT), TEST_SECRET))); verify(mMockContext, times(1)) @@ -273,7 +273,7 @@ public class RecoverableKeyStoreManagerTest { new RecoveryMetadata( TYPE_LOCKSCREEN, TYPE_PASSWORD, - KeyDerivationParameters.createSha256Parameters(TEST_SALT), + KeyDerivationParams.createSha256Params(TEST_SALT), TEST_SECRET))); assertEquals(1, mRecoverySessionStorage.size()); @@ -311,7 +311,7 @@ public class RecoverableKeyStoreManagerTest { new RecoveryMetadata( TYPE_LOCKSCREEN, TYPE_PASSWORD, - KeyDerivationParameters.createSha256Parameters(TEST_SALT), + KeyDerivationParams.createSha256Params(TEST_SALT), TEST_SECRET))); fail("should have thrown"); } catch (ServiceSpecificException e) { @@ -333,7 +333,7 @@ public class RecoverableKeyStoreManagerTest { new RecoveryMetadata( TYPE_LOCKSCREEN, TYPE_PASSWORD, - KeyDerivationParameters.createSha256Parameters(TEST_SALT), + KeyDerivationParams.createSha256Params(TEST_SALT), TEST_SECRET))); fail("should have thrown"); } catch (ServiceSpecificException e) { @@ -366,7 +366,7 @@ public class RecoverableKeyStoreManagerTest { ImmutableList.of(new RecoveryMetadata( TYPE_LOCKSCREEN, TYPE_PASSWORD, - KeyDerivationParameters.createSha256Parameters(TEST_SALT), + KeyDerivationParams.createSha256Params(TEST_SALT), TEST_SECRET))); try { @@ -390,7 +390,7 @@ public class RecoverableKeyStoreManagerTest { ImmutableList.of(new RecoveryMetadata( TYPE_LOCKSCREEN, TYPE_PASSWORD, - KeyDerivationParameters.createSha256Parameters(TEST_SALT), + KeyDerivationParams.createSha256Params(TEST_SALT), TEST_SECRET))); byte[] keyClaimant = mRecoverySessionStorage.get(Binder.getCallingUid(), TEST_SESSION_ID) .getKeyClaimant(); @@ -422,7 +422,7 @@ public class RecoverableKeyStoreManagerTest { ImmutableList.of(new RecoveryMetadata( TYPE_LOCKSCREEN, TYPE_PASSWORD, - KeyDerivationParameters.createSha256Parameters(TEST_SALT), + KeyDerivationParams.createSha256Params(TEST_SALT), TEST_SECRET))); byte[] keyClaimant = mRecoverySessionStorage.get(Binder.getCallingUid(), TEST_SESSION_ID) .getKeyClaimant(); diff --git a/services/tests/servicestests/src/com/android/server/locksettings/recoverablekeystore/storage/RecoverableKeyStoreDbTest.java b/services/tests/servicestests/src/com/android/server/locksettings/recoverablekeystore/storage/RecoverableKeyStoreDbTest.java index 6d5e7408904d..5cb7b677dbbd 100644 --- a/services/tests/servicestests/src/com/android/server/locksettings/recoverablekeystore/storage/RecoverableKeyStoreDbTest.java +++ b/services/tests/servicestests/src/com/android/server/locksettings/recoverablekeystore/storage/RecoverableKeyStoreDbTest.java @@ -51,6 +51,12 @@ public class RecoverableKeyStoreDbTest { private RecoverableKeyStoreDb mRecoverableKeyStoreDb; private File mDatabaseFile; + private static final byte[] SERVER_PARAMS = + new byte[]{1, 1, 1, 1, 1, 1, 1, 1, 1, 2, 2, 2, 2, 2, 2, 2, 2}; + + private static final byte[] SERVER_PARAMS2 = + new byte[]{1, 3, 3, 3, 3, 3, 3, 3, 3, 4, 4, 4, 4, 4, 4, 4, 4}; + @Before public void setUp() { Context context = InstrumentationRegistry.getTargetContext(); @@ -328,8 +334,7 @@ public class RecoverableKeyStoreDbTest { int uid = 10009; assertThat(mRecoverableKeyStoreDb.getRecoveryServicePublicKey(userId, uid)).isNull(); - long serverParams = 123456L; - mRecoverableKeyStoreDb.setServerParameters(userId, uid, serverParams); + mRecoverableKeyStoreDb.setServerParams(userId, uid, SERVER_PARAMS); assertThat(mRecoverableKeyStoreDb.getRecoveryServicePublicKey(userId, uid)).isNull(); } @@ -437,32 +442,30 @@ public class RecoverableKeyStoreDbTest { PublicKey pubkey1 = genRandomPublicKey(); int[] types1 = new int[]{1}; - long serverParams1 = 111L; PublicKey pubkey2 = genRandomPublicKey(); int[] types2 = new int[]{2}; - long serverParams2 = 222L; mRecoverableKeyStoreDb.setRecoveryServicePublicKey(userId, uid, pubkey1); mRecoverableKeyStoreDb.setRecoverySecretTypes(userId, uid, types1); - mRecoverableKeyStoreDb.setServerParameters(userId, uid, serverParams1); + mRecoverableKeyStoreDb.setServerParams(userId, uid, SERVER_PARAMS); assertThat(mRecoverableKeyStoreDb.getRecoverySecretTypes(userId, uid)).isEqualTo( types1); - assertThat(mRecoverableKeyStoreDb.getServerParameters(userId, uid)).isEqualTo( - serverParams1); + assertThat(mRecoverableKeyStoreDb.getServerParams(userId, uid)).isEqualTo( + SERVER_PARAMS); assertThat(mRecoverableKeyStoreDb.getRecoveryServicePublicKey(userId, uid)).isEqualTo( pubkey1); // Check that the methods don't interfere with each other. mRecoverableKeyStoreDb.setRecoveryServicePublicKey(userId, uid, pubkey2); mRecoverableKeyStoreDb.setRecoverySecretTypes(userId, uid, types2); - mRecoverableKeyStoreDb.setServerParameters(userId, uid, serverParams2); + mRecoverableKeyStoreDb.setServerParams(userId, uid, SERVER_PARAMS2); assertThat(mRecoverableKeyStoreDb.getRecoverySecretTypes(userId, uid)).isEqualTo( types2); - assertThat(mRecoverableKeyStoreDb.getServerParameters(userId, uid)).isEqualTo( - serverParams2); + assertThat(mRecoverableKeyStoreDb.getServerParams(userId, uid)).isEqualTo( + SERVER_PARAMS2); assertThat(mRecoverableKeyStoreDb.getRecoveryServicePublicKey(userId, uid)).isEqualTo( pubkey2); } @@ -479,35 +482,33 @@ public class RecoverableKeyStoreDbTest { } @Test - public void setServerParameters_replaceOldValue() throws Exception { + public void setServerParams_replaceOldValue() throws Exception { int userId = 12; int uid = 10009; - long serverParams1 = 111L; - long serverParams2 = 222L; - mRecoverableKeyStoreDb.setServerParameters(userId, uid, serverParams1); - mRecoverableKeyStoreDb.setServerParameters(userId, uid, serverParams2); - assertThat(mRecoverableKeyStoreDb.getServerParameters(userId, uid)).isEqualTo( - serverParams2); + + mRecoverableKeyStoreDb.setServerParams(userId, uid, SERVER_PARAMS); + mRecoverableKeyStoreDb.setServerParams(userId, uid, SERVER_PARAMS2); + assertThat(mRecoverableKeyStoreDb.getServerParams(userId, uid)).isEqualTo( + SERVER_PARAMS2); } @Test - public void getServerParameters_returnsNullIfNoValue() throws Exception { + public void getServerParams_returnsNullIfNoValue() throws Exception { int userId = 12; int uid = 10009; - assertThat(mRecoverableKeyStoreDb.getServerParameters(userId, uid)).isNull(); + assertThat(mRecoverableKeyStoreDb.getServerParams(userId, uid)).isNull(); PublicKey pubkey = genRandomPublicKey(); mRecoverableKeyStoreDb.setRecoveryServicePublicKey(userId, uid, pubkey); - assertThat(mRecoverableKeyStoreDb.getServerParameters(userId, uid)).isNull(); + assertThat(mRecoverableKeyStoreDb.getServerParams(userId, uid)).isNull(); } @Test - public void getServerParameters_returnsInsertedValue() throws Exception { + public void getServerParams_returnsInsertedValue() throws Exception { int userId = 12; int uid = 10009; - long serverParams = 123456L; - mRecoverableKeyStoreDb.setServerParameters(userId, uid, serverParams); - assertThat(mRecoverableKeyStoreDb.getServerParameters(userId, uid)).isEqualTo(serverParams); + mRecoverableKeyStoreDb.setServerParams(userId, uid, SERVER_PARAMS); + assertThat(mRecoverableKeyStoreDb.getServerParams(userId, uid)).isEqualTo(SERVER_PARAMS); } @Test @@ -590,22 +591,21 @@ public class RecoverableKeyStoreDbTest { int uid = 10009; PublicKey pubkey1 = genRandomPublicKey(); PublicKey pubkey2 = genRandomPublicKey(); - long serverParams = 123456L; mRecoverableKeyStoreDb.setRecoveryServicePublicKey(userId, uid, pubkey1); assertThat(mRecoverableKeyStoreDb.getRecoveryServicePublicKey(userId, uid)).isEqualTo( pubkey1); - assertThat(mRecoverableKeyStoreDb.getServerParameters(userId, uid)).isNull(); + assertThat(mRecoverableKeyStoreDb.getServerParams(userId, uid)).isNull(); - mRecoverableKeyStoreDb.setServerParameters(userId, uid, serverParams); + mRecoverableKeyStoreDb.setServerParams(userId, uid, SERVER_PARAMS); assertThat(mRecoverableKeyStoreDb.getRecoveryServicePublicKey(userId, uid)).isEqualTo( pubkey1); - assertThat(mRecoverableKeyStoreDb.getServerParameters(userId, uid)).isEqualTo(serverParams); + assertThat(mRecoverableKeyStoreDb.getServerParams(userId, uid)).isEqualTo(SERVER_PARAMS); mRecoverableKeyStoreDb.setRecoveryServicePublicKey(userId, uid, pubkey2); assertThat(mRecoverableKeyStoreDb.getRecoveryServicePublicKey(userId, uid)).isEqualTo( pubkey2); - assertThat(mRecoverableKeyStoreDb.getServerParameters(userId, uid)).isEqualTo(serverParams); + assertThat(mRecoverableKeyStoreDb.getServerParams(userId, uid)).isEqualTo(SERVER_PARAMS); } private static byte[] getUtf8Bytes(String s) { |