From d2c944bc4d057a48840a8ece436e4c43d569e90b Mon Sep 17 00:00:00 2001 From: Janis Danisevskis Date: Mon, 5 Oct 2020 14:33:34 -0700 Subject: Keystore SPI: Add SecurityLevelEnum to KeyProperties This patch adds the SecurityLevelEnum to KeyProperties. This enum can be used by the public API surface to express levels of enforcements of key properties. And to select a designated residence for a newly generated or imported key. The values UNKNOWN and UNKNOWN_SECURE are used to convey to older target APIs API levels that have not been defined when they where published. Test: None Change-Id: I88681f21b8a8ea9a383d32ba99f3ab7d7c8909c3 --- .../android/security/keystore/KeyProperties.java | 80 ++++++++++++++++++++++ 1 file changed, 80 insertions(+) (limited to 'keystore/java') diff --git a/keystore/java/android/security/keystore/KeyProperties.java b/keystore/java/android/security/keystore/KeyProperties.java index c58a1236d475..63ff866e7a06 100644 --- a/keystore/java/android/security/keystore/KeyProperties.java +++ b/keystore/java/android/security/keystore/KeyProperties.java @@ -771,4 +771,84 @@ public abstract class KeyProperties { } return result; } + + /** + * @hide + */ + @Retention(RetentionPolicy.SOURCE) + @IntDef(prefix = { "SECURITY_LEVEL_" }, value = { + SECURITY_LEVEL_UNKNOWN, + SECURITY_LEVEL_UNKNOWN_SECURE, + SECURITY_LEVEL_SOFTWARE, + SECURITY_LEVEL_TRUSTED_ENVIRONMENT, + SECURITY_LEVEL_STRONGBOX, + }) + public @interface SecurityLevelEnum {} + + /** + * This security level indicates that no assumptions can be made about the security level of the + * respective key. + */ + public static final int SECURITY_LEVEL_UNKNOWN = -2; + /** + * This security level indicates that due to the target API level of the caller no exact + * statement can be made about the security level of the key, however, the security level + * can be considered is at least equivalent to {@link #SECURITY_LEVEL_TRUSTED_ENVIRONMENT}. + */ + public static final int SECURITY_LEVEL_UNKNOWN_SECURE = -1; + + /** Indicates enforcement by system software. */ + public static final int SECURITY_LEVEL_SOFTWARE = 0; + + /** Indicates enforcement by a trusted execution environment. */ + public static final int SECURITY_LEVEL_TRUSTED_ENVIRONMENT = 1; + + /** + * Indicates enforcement by environment meeting the Strongbox security profile, + * such as a secure element. + */ + public static final int SECURITY_LEVEL_STRONGBOX = 2; + + /** + * @hide + */ + public abstract static class SecurityLevel { + private SecurityLevel() {} + + /** + * @hide + */ + public static int toKeymaster(int securityLevel) { + switch (securityLevel) { + case SECURITY_LEVEL_SOFTWARE: + return KeymasterDefs.KM_SECURITY_LEVEL_SOFTWARE; + case SECURITY_LEVEL_TRUSTED_ENVIRONMENT: + return KeymasterDefs.KM_SECURITY_LEVEL_TRUSTED_ENVIRONMENT; + case SECURITY_LEVEL_STRONGBOX: + return KeymasterDefs.KM_SECURITY_LEVEL_STRONGBOX; + default: + throw new IllegalArgumentException("Unsupported security level: " + + securityLevel); + } + } + + /** + * @hide + */ + @NonNull + public static int fromKeymaster(int securityLevel) { + switch (securityLevel) { + case KeymasterDefs.KM_SECURITY_LEVEL_SOFTWARE: + return SECURITY_LEVEL_SOFTWARE; + case KeymasterDefs.KM_SECURITY_LEVEL_TRUSTED_ENVIRONMENT: + return SECURITY_LEVEL_TRUSTED_ENVIRONMENT; + case KeymasterDefs.KM_SECURITY_LEVEL_STRONGBOX: + return SECURITY_LEVEL_STRONGBOX; + default: + throw new IllegalArgumentException("Unsupported security level: " + + securityLevel); + } + } + } + } -- cgit v1.2.3-59-g8ed1b