From 2528438731f14a9a5a09e15f6ed661ba47a8a1b9 Mon Sep 17 00:00:00 2001 From: Janis Danisevskis Date: Sun, 18 Oct 2020 17:15:36 -0700 Subject: Keystore 2.0: Deprecate Credential prefixes. Keystore 2.0 will no longer support free form blobs. Certificates and certificate chains will have types fields associated with an alias. Other free form blobs will need to be migrated to a different key value store. Bug: 171305684 Test: None Change-Id: I93270f0086329229dc36c2b14c88f229351e6560 --- keystore/java/android/security/Credentials.java | 42 ++++++++++++++++++++----- 1 file changed, 35 insertions(+), 7 deletions(-) (limited to 'keystore/java') diff --git a/keystore/java/android/security/Credentials.java b/keystore/java/android/security/Credentials.java index f53a7dc922f0..2162b8ac4885 100644 --- a/keystore/java/android/security/Credentials.java +++ b/keystore/java/android/security/Credentials.java @@ -48,18 +48,38 @@ public class Credentials { public static final String INSTALL_AS_USER_ACTION = "android.credentials.INSTALL_AS_USER"; - /** Key prefix for CA certificates. */ + /** + * Key prefix for CA certificates. + * + * @deprecated Keystore no longer supports unstructured blobs. Public certificates are + * stored in typed slots associated with a given alias. + */ + @Deprecated public static final String CA_CERTIFICATE = "CACERT_"; - /** Key prefix for user certificates. */ + /** + * Key prefix for user certificates. + * + * @deprecated Keystore no longer supports unstructured blobs. Public certificates are + * stored in typed slots associated with a given alias. + */ + @Deprecated public static final String USER_CERTIFICATE = "USRCERT_"; - /** Key prefix for user private and secret keys. */ + /** + * Key prefix for user private and secret keys. + * + * @deprecated Keystore no longer uses alias prefixes to discriminate between entry types. + */ + @Deprecated public static final String USER_PRIVATE_KEY = "USRPKEY_"; - /** Key prefix for user secret keys. - * @deprecated use {@code USER_PRIVATE_KEY} for this category instead. + /** + * Key prefix for user secret keys. + * + * @deprecated use {@code USER_PRIVATE_KEY} for this category instead. */ + @Deprecated public static final String USER_SECRET_KEY = "USRSKEY_"; /** Key prefix for VPN. */ @@ -71,7 +91,13 @@ public class Credentials { /** Key prefix for WIFI. */ public static final String WIFI = "WIFI_"; - /** Key prefix for App Source certificates. */ + /** + * Key prefix for App Source certificates. + * + * @deprecated This was intended for FS-verity but never used. FS-verity is not + * going to use this constant moving forward. + */ + @Deprecated public static final String APP_SOURCE_CERTIFICATE = "FSV_"; /** Key containing suffix of lockdown VPN profile. */ @@ -149,6 +175,7 @@ public class Credentials { pw.close(); return bao.toByteArray(); } + /** * Convert objects from PEM format, which is used for * CA_CERTIFICATE and USER_CERTIFICATE entries. @@ -166,7 +193,8 @@ public class Credentials { PemObject o; while ((o = pr.readPemObject()) != null) { if (o.getType().equals("CERTIFICATE")) { - Certificate c = cf.generateCertificate(new ByteArrayInputStream(o.getContent())); + Certificate c = cf.generateCertificate( + new ByteArrayInputStream(o.getContent())); result.add((X509Certificate) c); } else { throw new IllegalArgumentException("Unknown type " + o.getType()); -- cgit v1.2.3-59-g8ed1b From 26c878fb66bd104dc7f6eb7d8e18284bdedfd4d2 Mon Sep 17 00:00:00 2001 From: Janis Danisevskis Date: Sun, 18 Oct 2020 18:18:21 -0700 Subject: Keystore SPI: Deprecate encryption flag. The encryption-required flag is only available in already deprecated API KeyPairGeneratorSpec and KeyStoreParameter will be ignored from Android S. Keys are and have been encrypted by default for a long time and if additional binding to the LSKF is desired it can be requested by KeyGenParameterSpec.Builder#setUserAuthenticationRequired(boolean). Test: None Change-Id: I5bd4acb4bba276decd1930ae2e96a55f95627e10 --- .../android/security/KeyPairGeneratorSpec.java | 26 ++++++++++++-------- .../java/android/security/KeyStoreParameter.java | 28 ++++++++++++---------- 2 files changed, 32 insertions(+), 22 deletions(-) (limited to 'keystore/java') diff --git a/keystore/java/android/security/KeyPairGeneratorSpec.java b/keystore/java/android/security/KeyPairGeneratorSpec.java index d5b34c432e79..1c1c2eeee794 100644 --- a/keystore/java/android/security/KeyPairGeneratorSpec.java +++ b/keystore/java/android/security/KeyPairGeneratorSpec.java @@ -16,9 +16,9 @@ package android.security; -import android.app.KeyguardManager; import android.annotation.NonNull; import android.annotation.Nullable; +import android.app.KeyguardManager; import android.content.Context; import android.security.keystore.KeyGenParameterSpec; import android.security.keystore.KeyProperties; @@ -78,8 +78,6 @@ public final class KeyPairGeneratorSpec implements AlgorithmParameterSpec { private final Date mEndDate; - private final int mFlags; - /** * Parameter specification for the "{@code AndroidKeyPairGenerator}" * instance of the {@link java.security.KeyPairGenerator} API. The @@ -144,7 +142,6 @@ public final class KeyPairGeneratorSpec implements AlgorithmParameterSpec { mSerialNumber = serialNumber; mStartDate = startDate; mEndDate = endDate; - mFlags = flags; } /** @@ -229,7 +226,7 @@ public final class KeyPairGeneratorSpec implements AlgorithmParameterSpec { * @hide */ public int getFlags() { - return mFlags; + return 0; } /** @@ -243,9 +240,15 @@ public final class KeyPairGeneratorSpec implements AlgorithmParameterSpec { * screen after boot. * * @see KeyguardManager#isDeviceSecure() + * + * @deprecated Encryption at rest is on by default. If extra binding to the lockscreen screen + * credential is desired use + * {@link KeyGenParameterSpec.Builder#setUserAuthenticationRequired(boolean)}. + * This flag will be ignored from Android S. */ + @Deprecated public boolean isEncryptionRequired() { - return (mFlags & KeyStore.FLAG_ENCRYPTED) != 0; + return false; } /** @@ -292,8 +295,6 @@ public final class KeyPairGeneratorSpec implements AlgorithmParameterSpec { private Date mEndDate; - private int mFlags; - /** * Creates a new instance of the {@code Builder} with the given * {@code context}. The {@code context} passed in may be used to pop up @@ -431,10 +432,15 @@ public final class KeyPairGeneratorSpec implements AlgorithmParameterSpec { * secure lock screen after boot. * * @see KeyguardManager#isDeviceSecure() + * + * @deprecated Data at rest encryption is enabled by default. If extra binding to the + * lockscreen credential is desired, use + * {@link KeyGenParameterSpec.Builder#setUserAuthenticationRequired(boolean)}. + * This flag will be ignored from Android S. */ @NonNull + @Deprecated public Builder setEncryptionRequired() { - mFlags |= KeyStore.FLAG_ENCRYPTED; return this; } @@ -455,7 +461,7 @@ public final class KeyPairGeneratorSpec implements AlgorithmParameterSpec { mSerialNumber, mStartDate, mEndDate, - mFlags); + 0); } } } diff --git a/keystore/java/android/security/KeyStoreParameter.java b/keystore/java/android/security/KeyStoreParameter.java index 66c87ed2ec1e..51d29b13ce80 100644 --- a/keystore/java/android/security/KeyStoreParameter.java +++ b/keystore/java/android/security/KeyStoreParameter.java @@ -48,18 +48,16 @@ import java.security.KeyStore.ProtectionParameter; */ @Deprecated public final class KeyStoreParameter implements ProtectionParameter { - private final int mFlags; private KeyStoreParameter( int flags) { - mFlags = flags; } /** * @hide */ public int getFlags() { - return mFlags; + return 0; } /** @@ -74,9 +72,16 @@ public final class KeyStoreParameter implements ProtectionParameter { * screen after boot. * * @see KeyguardManager#isDeviceSecure() + * + * @deprecated Data at rest encryption is enabled by default. If extra binding to the + * lockscreen credential is desired, use + * {@link android.security.keystore.KeyGenParameterSpec + * .Builder#setUserAuthenticationRequired(boolean)}. + * This flag will be ignored from Android S. */ + @Deprecated public boolean isEncryptionRequired() { - return (mFlags & KeyStore.FLAG_ENCRYPTED) != 0; + return false; } /** @@ -100,7 +105,6 @@ public final class KeyStoreParameter implements ProtectionParameter { */ @Deprecated public final static class Builder { - private int mFlags; /** * Creates a new instance of the {@code Builder} with the given @@ -126,14 +130,15 @@ public final class KeyStoreParameter implements ProtectionParameter { * the user unlocks the secure lock screen after boot. * * @see KeyguardManager#isDeviceSecure() + * + * @deprecated Data at rest encryption is enabled by default. If extra binding to the + * lockscreen credential is desired, use + * {@link android.security.keystore.KeyGenParameterSpec + * .Builder#setUserAuthenticationRequired(boolean)}. + * This flag will be ignored from Android S. */ @NonNull public Builder setEncryptionRequired(boolean required) { - if (required) { - mFlags |= KeyStore.FLAG_ENCRYPTED; - } else { - mFlags &= ~KeyStore.FLAG_ENCRYPTED; - } return this; } @@ -145,8 +150,7 @@ public final class KeyStoreParameter implements ProtectionParameter { */ @NonNull public KeyStoreParameter build() { - return new KeyStoreParameter( - mFlags); + return new KeyStoreParameter(0 /* flags */); } } } -- cgit v1.2.3-59-g8ed1b