-rw-r--r--core/java/android/security/keystore/RecoveryController.java11
-rw-r--r--core/java/android/security/keystore/recovery/KeyChainSnapshot.java19
-rw-r--r--core/java/android/security/keystore/recovery/KeyDerivationParams.java2
-rw-r--r--core/java/android/security/keystore/recovery/RecoveryController.java11
-rw-r--r--core/java/android/security/keystore/recovery/RecoverySession.java10
-rw-r--r--core/java/com/android/internal/widget/ILockSettings.aidl1
-rw-r--r--services/core/java/com/android/server/locksettings/LockSettingsService.java5
-rw-r--r--services/core/java/com/android/server/locksettings/recoverablekeystore/RecoverableKeyStoreManager.java34
-rw-r--r--services/tests/servicestests/src/com/android/server/locksettings/recoverablekeystore/RecoverableKeyStoreManagerTest.java24
9 files changed, 13 insertions, 104 deletions
diff --git a/core/java/android/security/keystore/RecoveryController.java b/core/java/android/security/keystore/RecoveryController.java
index d50424db4e56..741af1297763 100644
--- a/core/java/android/security/keystore/RecoveryController.java
+++ b/core/java/android/security/keystore/RecoveryController.java
@@ -443,16 +443,7 @@ public class RecoveryController {
*/
public byte[] generateAndStoreKey(@NonNull String alias)
throws InternalRecoveryServiceException, LockScreenRequiredException {
- try {
- return mBinder.generateAndStoreKey(alias);
- } catch (RemoteException e) {
- throw e.rethrowFromSystemServer();
- } catch (ServiceSpecificException e) {
- if (e.errorCode == ERROR_INSECURE_USER) {
- throw new LockScreenRequiredException(e.getMessage());
- }
- throw wrapUnexpectedServiceSpecificException(e);
- }
+ throw new UnsupportedOperationException();
}
/**
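Review bot: The bare `throw new UnsupportedOperationException();` in generateAndStoreKey tells a caller nothing about why the call fails or what to use instead, while the matching stub in recovery/RecoveryController.java carries a message. Give this one a message as well, for example `throw new UnsupportedOperationException("Operation is not supported, use generateKey");` if this class also exposes generateKey. Both stubs still declare InternalRecoveryServiceException and LockScreenRequiredException, which they can no longer throw, and no `@Deprecated` annotation or "always throws" Javadoc line is visible in either hunk. The Javadoc starts outside the hunk, so that may already be covered there. The removed server-side path handed raw key bytes back to the caller, so the docs should name the String-returning generateKey as the replacement, which keeps callers from managing key material themselves.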
diff --git a/core/java/android/security/keystore/recovery/KeyChainSnapshot.java b/core/java/android/security/keystore/recovery/KeyChainSnapshot.java
index e46c34c85d55..9334aa99c86c 100644
--- a/core/java/android/security/keystore/recovery/KeyChainSnapshot.java
+++ b/core/java/android/security/keystore/recovery/KeyChainSnapshot.java
@@ -78,23 +78,8 @@ public final class KeyChainSnapshot implements Parcelable {
private byte[] mEncryptedRecoveryKeyBlob;
/**
- * @hide
- * Deprecated, consider using builder.
+ * Use builder to create an instance of the class.
*/
- public KeyChainSnapshot(
- int snapshotVersion,
- @NonNull List<KeyChainProtectionParams> keyChainProtectionParams,
- @NonNull List<WrappedApplicationKey> wrappedApplicationKeys,
- @NonNull byte[] encryptedRecoveryKeyBlob) {
- mSnapshotVersion = snapshotVersion;
- mKeyChainProtectionParams =
- Preconditions.checkCollectionElementsNotNull(keyChainProtectionParams,
- "KeyChainProtectionParams");
- mEntryRecoveryData = Preconditions.checkCollectionElementsNotNull(wrappedApplicationKeys,
- "wrappedApplicationKeys");
- mEncryptedRecoveryKeyBlob = Preconditions.checkNotNull(encryptedRecoveryKeyBlob);
- }
-
private KeyChainSnapshot() {
}
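Review bot: The removed public constructor is the only place in this hunk that rejected null entries in keyChainProtectionParams and wrappedApplicationKeys and a null encryptedRecoveryKeyBlob, through `Preconditions.checkCollectionElementsNotNull` and `Preconditions.checkNotNull`. With construction now going through the builder and the private no-arg constructor, those checks have to live in the builder's build step. The builder is outside this hunk, so confirm it performs them; otherwise a snapshot with a null blob or a null list element could be built and only fail later. The new Javadoc `Use builder to create an instance of the class.` now sits on the private constructor, where it will not appear in the published docs; a sentence in the class-level Javadoc would reach API users.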
@@ -108,7 +93,7 @@ public final class KeyChainSnapshot implements Parcelable {
}
/**
- * Number of user secret guesses allowed during Keychain recovery.
+ * Number of user secret guesses allowed during KeyChain recovery.
*/
public int getMaxAttempts() {
return mMaxAttempts;
diff --git a/core/java/android/security/keystore/recovery/KeyDerivationParams.java b/core/java/android/security/keystore/recovery/KeyDerivationParams.java
index fd80bb0bbe57..5165f0c30a36 100644
--- a/core/java/android/security/keystore/recovery/KeyDerivationParams.java
+++ b/core/java/android/security/keystore/recovery/KeyDerivationParams.java
@@ -106,7 +106,7 @@ public final class KeyDerivationParams implements Parcelable {
/**
* @hide
*/
- KeyDerivationParams(@KeyDerivationAlgorithm int algorithm, @NonNull byte[] salt,
+ private KeyDerivationParams(@KeyDerivationAlgorithm int algorithm, @NonNull byte[] salt,
int memoryDifficulty) {
mAlgorithm = algorithm;
mSalt = Preconditions.checkNotNull(salt);
diff --git a/core/java/android/security/keystore/recovery/RecoveryController.java b/core/java/android/security/keystore/recovery/RecoveryController.java
index ca5f967237e8..a006fa6ab2ef 100644
--- a/core/java/android/security/keystore/recovery/RecoveryController.java
+++ b/core/java/android/security/keystore/recovery/RecoveryController.java
@@ -577,16 +577,7 @@ public class RecoveryController {
@RequiresPermission(android.Manifest.permission.RECOVER_KEYSTORE)
public byte[] generateAndStoreKey(@NonNull String alias, byte[] account)
throws InternalRecoveryServiceException, LockScreenRequiredException {
- try {
- return mBinder.generateAndStoreKey(alias);
- } catch (RemoteException e) {
- throw e.rethrowFromSystemServer();
- } catch (ServiceSpecificException e) {
- if (e.errorCode == ERROR_INSECURE_USER) {
- throw new LockScreenRequiredException(e.getMessage());
- }
- throw wrapUnexpectedServiceSpecificException(e);
- }
+ throw new UnsupportedOperationException("Operation is not supported, use generateKey");
}
/**
diff --git a/core/java/android/security/keystore/recovery/RecoverySession.java b/core/java/android/security/keystore/recovery/RecoverySession.java
index 0690bd5fb612..80845d9e0491 100644
--- a/core/java/android/security/keystore/recovery/RecoverySession.java
+++ b/core/java/android/security/keystore/recovery/RecoverySession.java
@@ -157,8 +157,8 @@ public class RecoverySession implements AutoCloseable {
* @param vaultChallenge Data passed from server for this recovery session and used to prevent
* replay attacks.
* @param secrets Secrets provided by user, the method only uses type and secret fields.
- * @return The recovery claim. Claim provides a b binary blob with recovery claim. It is
- * encrypted with verifierPublicKey and contains a proof of user secrets, session symmetric
+ * @return The binary blob with recovery claim. It is encrypted with verifierPublicKey
+ * and contains a proof of user secrets possession, session symmetric
* key and parameters necessary to identify the counter with the number of failed recovery
* attempts.
* @throws CertificateException if the {@code verifierCertPath} is invalid.
@@ -228,7 +228,8 @@ public class RecoverySession implements AutoCloseable {
*
* @param recoveryKeyBlob Recovery blob encrypted by symmetric key generated for this session.
* @param applicationKeys Application keys. Key material can be decrypted using recoveryKeyBlob
- * and session.
+ * and session key generated by {@link #start}.
+ * @return {@code Map} from recovered keys aliases to their references.
* @throws SessionExpiredException if {@code session} has since been closed.
* @throws DecryptionFailedException if unable to decrypt the snapshot.
* @throws InternalRecoveryServiceException if an error occurs internal to the recovery service.
@@ -288,8 +289,7 @@ public class RecoverySession implements AutoCloseable {
}
/**
- * Deletes all data associated with {@code session}. Should not be invoked directly but via
- * {@link RecoverySession#close()}.
+ * Deletes all data associated with {@code session}.
*/
@RequiresPermission(android.Manifest.permission.RECOVER_KEYSTORE)
@Override
diff --git a/core/java/com/android/internal/widget/ILockSettings.aidl b/core/java/com/android/internal/widget/ILockSettings.aidl
index 59b14f18eb07..ae7ba1948c00 100644
--- a/core/java/com/android/internal/widget/ILockSettings.aidl
+++ b/core/java/com/android/internal/widget/ILockSettings.aidl
@@ -61,7 +61,6 @@ interface ILockSettings {
void initRecoveryServiceWithSigFile(in String rootCertificateAlias,
in byte[] recoveryServiceCertFile, in byte[] recoveryServiceSigFile);
KeyChainSnapshot getKeyChainSnapshot();
- byte[] generateAndStoreKey(String alias);
String generateKey(String alias);
String importKey(String alias, in byte[] keyBytes);
String getKey(String alias);
diff --git a/services/core/java/com/android/server/locksettings/LockSettingsService.java b/services/core/java/com/android/server/locksettings/LockSettingsService.java
index f617964481bf..4b58d537e844 100644
--- a/services/core/java/com/android/server/locksettings/LockSettingsService.java
+++ b/services/core/java/com/android/server/locksettings/LockSettingsService.java
@@ -2079,11 +2079,6 @@ public class LockSettingsService extends ILockSettings.Stub {
}
@Override
- public byte[] generateAndStoreKey(@NonNull String alias) throws RemoteException {
- return mRecoverableKeyStoreManager.generateAndStoreKey(alias);
- }
-
- @Override
public @Nullable String generateKey(@NonNull String alias) throws RemoteException {
return mRecoverableKeyStoreManager.generateKey(alias);
}
diff --git a/services/core/java/com/android/server/locksettings/recoverablekeystore/RecoverableKeyStoreManager.java b/services/core/java/com/android/server/locksettings/recoverablekeystore/RecoverableKeyStoreManager.java
index 1dab5920288b..ff4c6782accb 100644
--- a/services/core/java/com/android/server/locksettings/recoverablekeystore/RecoverableKeyStoreManager.java
+++ b/services/core/java/com/android/server/locksettings/recoverablekeystore/RecoverableKeyStoreManager.java
@@ -672,40 +672,6 @@ public class RecoverableKeyStoreManager {
}
/**
- * Deprecated
- * Generates a key named {@code alias} in the recoverable store for the calling uid. Then
- * returns the raw key material.
- *
- * <p>TODO: Once AndroidKeyStore has added move api, do not return raw bytes.
- *
- * @deprecated
- * @hide
- */
- public byte[] generateAndStoreKey(@NonNull String alias) throws RemoteException {
- checkRecoverKeyStorePermission();
- int uid = Binder.getCallingUid();
- int userId = UserHandle.getCallingUserId();
-
- PlatformEncryptionKey encryptionKey;
- try {
- encryptionKey = mPlatformKeyManager.getEncryptKey(userId);
- } catch (NoSuchAlgorithmException e) {
- // Impossible: all algorithms must be supported by AOSP
- throw new RuntimeException(e);
- } catch (KeyStoreException | UnrecoverableKeyException e) {
- throw new ServiceSpecificException(ERROR_SERVICE_INTERNAL_ERROR, e.getMessage());
- } catch (InsecureUserException e) {
- throw new ServiceSpecificException(ERROR_INSECURE_USER, e.getMessage());
- }
-
- try {
- return mRecoverableKeyGenerator.generateAndStoreKey(encryptionKey, userId, uid, alias);
- } catch (KeyStoreException | InvalidKeyException | RecoverableKeyStorageException e) {
- throw new ServiceSpecificException(ERROR_SERVICE_INTERNAL_ERROR, e.getMessage());
- }
- }
-
- /**
* Destroys the session with the given {@code sessionId}.
*/
public void closeSession(@NonNull String sessionId) throws RemoteException {
diff --git a/services/tests/servicestests/src/com/android/server/locksettings/recoverablekeystore/RecoverableKeyStoreManagerTest.java b/services/tests/servicestests/src/com/android/server/locksettings/recoverablekeystore/RecoverableKeyStoreManagerTest.java
index a98e29137fb6..f4ec867333ad 100644
--- a/services/tests/servicestests/src/com/android/server/locksettings/recoverablekeystore/RecoverableKeyStoreManagerTest.java
+++ b/services/tests/servicestests/src/com/android/server/locksettings/recoverablekeystore/RecoverableKeyStoreManagerTest.java
@@ -211,24 +211,6 @@ public class RecoverableKeyStoreManagerTest {
}
@Test
- public void generateAndStoreKey_storesTheKey() throws Exception {
- int uid = Binder.getCallingUid();
- int userId = UserHandle.getCallingUserId();
-
- mRecoverableKeyStoreManager.generateAndStoreKey(TEST_ALIAS);
-
- assertThat(mRecoverableKeyStoreDb.getKey(uid, TEST_ALIAS)).isNotNull();
-
- assertThat(mRecoverableKeyStoreDb.getShouldCreateSnapshot(userId, uid)).isTrue();
- }
-
- @Test
- public void generateAndStoreKey_returnsAKeyOfAppropriateSize() throws Exception {
- assertThat(mRecoverableKeyStoreManager.generateAndStoreKey(TEST_ALIAS))
- .hasLength(RECOVERABLE_KEY_SIZE_BYTES);
- }
-
- @Test
public void importKey_storesTheKey() throws Exception {
int uid = Binder.getCallingUid();
int userId = UserHandle.getCallingUserId();
@@ -265,7 +247,7 @@ public class RecoverableKeyStoreManagerTest {
@Test
public void removeKey_removesAKey() throws Exception {
int uid = Binder.getCallingUid();
- mRecoverableKeyStoreManager.generateAndStoreKey(TEST_ALIAS);
+ mRecoverableKeyStoreManager.generateKey(TEST_ALIAS);
mRecoverableKeyStoreManager.removeKey(TEST_ALIAS);
@@ -276,7 +258,7 @@ public class RecoverableKeyStoreManagerTest {
public void removeKey_updatesShouldCreateSnapshot() throws Exception {
int uid = Binder.getCallingUid();
int userId = UserHandle.getCallingUserId();
- mRecoverableKeyStoreManager.generateAndStoreKey(TEST_ALIAS);
+ mRecoverableKeyStoreManager.generateKey(TEST_ALIAS);
// Pretend that key was synced
mRecoverableKeyStoreDb.setShouldCreateSnapshot(userId, uid, false);
@@ -1056,7 +1038,7 @@ public class RecoverableKeyStoreManagerTest {
int userId = UserHandle.getCallingUserId();
mRecoverableKeyStoreManager.setRecoverySecretTypes(new int[] { 1 });
- mRecoverableKeyStoreManager.generateAndStoreKey(TEST_ALIAS);
+ mRecoverableKeyStoreManager.generateKey(TEST_ALIAS);
// Pretend that key was synced
mRecoverableKeyStoreDb.setShouldCreateSnapshot(userId, uid, false);
mRecoverableKeyStoreManager.setRecoverySecretTypes(new int[] { 2 });