515 Commits

Author SHA1 Message Date
Janis Danisevskis
da5dae23f9 Fix use of auth-bound keys after screen lock removal
When an auth-bound key is used after the screen lock has been removed by
the user, KeyStore.begin returns UNINITIALIZED.

This patch adds handling for this error code, indicating that the key
that was to be used was permanently invalidated.

Bug: 65200397
Test: CtsVerifier ScreenLockBoundKeysTest:
      1. Run test
      2. with CtsVerifier in the background remove the screen lock
         through the settings dialog
      3. Select VtsVerifier in 'recents'
      4. Run test again

Change-Id: If68ba0eb2f9c04655fe8c9eea28c4491eae8e92f
(cherry picked from commit d07d3384279c0c07c5c6747ea8d0c5684264c9d0)
2017-09-12 04:13:11 +00:00
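An added illustration of the app-facing side of this fix (example code written for this page, not part of the commit or of frameworks/base). It goes through the public AndroidKeyStore JCA provider rather than the hidden android.security.KeyStore class the message refers to: the begin call behind Cipher.init fails when the key is unusable, and the framework surfaces the two cases as different exceptions. The alias, the 30-second validity window and the Result enum are assumptions made for the example.

```java
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyPermanentlyInvalidatedException;
import android.security.keystore.KeyProperties;
import android.security.keystore.UserNotAuthenticatedException;

import java.security.KeyStore;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

/** Added example: using an auth-bound AndroidKeyStore key and recovering from invalidation. */
public final class AuthBoundKeyExample {
    private static final String PROVIDER = "AndroidKeyStore";
    private static final String ALIAS = "example_auth_bound_aes"; // hypothetical alias
    private static final int AUTH_VALIDITY_SECONDS = 30;         // assumed policy

    /** Outcome of trying to start a crypto operation with the auth-bound key. */
    enum Result { READY, NEEDS_USER_AUTH, KEY_INVALIDATED }

    /** Creates an AES-GCM key that keystore only uses after a recent secure-lock-screen unlock. */
    static SecretKey generateKey() throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, PROVIDER);
        kg.init(new KeyGenParameterSpec.Builder(ALIAS,
                KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
                .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
                .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
                .setUserAuthenticationRequired(true)
                .setUserAuthenticationValidityDurationSeconds(AUTH_VALIDITY_SECONDS)
                .build());
        return kg.generateKey();
    }

    private static KeyStore openKeyStore() throws Exception {
        KeyStore ks = KeyStore.getInstance(PROVIDER);
        ks.load(null);
        return ks;
    }

    /**
     * Initialises {@code cipher} for encryption with the auth-bound key. The two failure modes
     * need different handling and must not be collapsed into one catch-all for InvalidKeyException.
     */
    static Result beginEncrypt(Cipher cipher) throws Exception {
        KeyStore ks = openKeyStore();
        SecretKey key = (SecretKey) ks.getKey(ALIAS, null);
        if (key == null) {
            key = generateKey();
        }
        try {
            cipher.init(Cipher.ENCRYPT_MODE, key);
            return Result.READY;
        } catch (UserNotAuthenticatedException e) {
            // Transient: the user has not unlocked within the validity window. The caller should
            // show the device-credential prompt (KeyguardManager.createConfirmDeviceCredentialIntent)
            // and retry afterwards.
            return Result.NEEDS_USER_AUTH;
        } catch (KeyPermanentlyInvalidatedException e) {
            // Permanent: the secure lock screen was removed (the case this commit handles).
            // Nothing sealed under this key can be recovered, so delete it; the next call
            // generates a fresh key instead of failing forever on the dead one.
            ks.deleteEntry(ALIAS);
            return Result.KEY_INVALIDATED;
        }
    }
}
```

Call beginEncrypt with Cipher.getInstance("AES/GCM/NoPadding"). The manual test in the message (run, remove the lock screen from Settings, return via recents, run again) is exactly the path that ends in KEY_INVALIDATED; an app that treats it like the transient case will loop on the authentication prompt. Whatever index the app keeps of data encrypted under the alias has to be wiped together with the key.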
Cindy Kuang
520ba6d132 Merge "docs: corrected code example mistakes" into oc-dev am: 5714da6e93
am: 3311ba316a

Change-Id: I5a7f89494a450d8ff657161e70301aebd93c63b0
2017-08-16 17:28:26 +00:00
Cindy Kuang
3311ba316a Merge "docs: corrected code example mistakes" into oc-dev
am: 5714da6e93

Change-Id: I75b35bd6ff92b345c3fd9d27fdf03e5db2927be9
2017-08-16 17:12:08 +00:00
Cindy Kuang
2b1a5b8fd9 docs: corrected code example mistakes
Test: make ds-docs

Bug: 10808505
Change-Id: I9ee4efab9f0cbac00213179d06a6f0919cb82756
2017-08-11 10:49:04 -07:00
Janis Danisevskis
e06f533726 Refurbish granting mechanism
Keystore stores key blobs with filenames that include the symbolic
name and the uid of the owner. This behaviour should have been
completely opaque to the keystore user. However, the granting mechanism,
by which an app can allow another app to use one of its keys, leaked the
internal structure in that the grantee had to specify the key name with
the granter's uid prefix in order to use the granted key. This in turn
collided with prefix handling in other parts of the framework.

This patch refurbishes the granting mechanism such that keystore can
choose a name for the grant. It uses the original symbolic key name as
prefix and appends _KEYSTOREGRANT_<grant_no> where the grant_no is
chosen as first free slot starting from 0. Each uid has its own grant_no
space.

This changes the grant call such that it now returns a string, which is
the alias name of the newly created grant. The string is empty if the
grant operation failed.

As before apps can still mask granted keys by importing a key with the
exact same name including the added suffix. But everybody deserves the
right to shoot themselves in the foot if they really want to.

Bug: 37264540
Bug: 62237038
Test: run cts-dev --module CtsDevicePolicyManagerTestCases --test
          com.android.cts.devicepolicy.DeviceOwnerTest#testKeyManagement
          because it grants a key
Merged-In: I047512ba345c25e6e691e78f7a37fc3f97b95d32
Change-Id: I047512ba345c25e6e691e78f7a37fc3f97b95d32
2017-07-24 10:58:33 -07:00
Tobias Thierer
05b5fa5027 Revert "Delete obsolete and unused KeyStoreTests". DO NOT MERGE ANYWHERE.
Needed to revert the CL's base CL, which tracks the revert
of the corresponding conscrypt CL.

This reverts commit 91abf9f6e2c60b05377b2b82ea2a09fc25476e56.

This is a clean revert. The upload hook to fix lint errors was not run
(this CL was uploaded with --no-verify).

Test: Treehugger
Test: make droid cts
Bug: 62424503

Change-Id: Ic7a3a5550b1e2bdfec98acd986a6a4e84eef41ea
2017-06-26 20:38:07 +01:00
Janis Danisevskis
b50e9f65d6 Refurbish granting mechanism
Keystore stores key blobs with filenames that include the symbolic
name and the uid of the owner. This behaviour should have been
completely opaque to the keystore user. However, the granting mechanism,
by which an app can allow another app to use one of its keys, leaked the
internal structure in that the grantee had to specify the key name with
the granter's uid prefix in order to use the granted key. This in turn
collided with prefix handling in other parts of the framework.

This patch refurbishes the granting mechanism such that keystore can
choose a name for the grant. It uses the original symbolic key name as
prefix and appends _KEYSTOREGRANT_<grant_no> where the grant_no is
chosen as first free slot starting from 0. Each uid has its own grant_no
space.

This changes the grant call such that it now returns a string, which is
the alias name of the newly created grant. The string is empty if the
grant operation failed.

As before apps can still mask granted keys by importing a key with the
exact same name including the added suffix. But everybody deserves the
right to shoot themselves in the foot if they really want to.

Bug: 37264540
Bug: 62237038
Test: run cts-dev --module CtsDevicePolicyManagerTestCases --test
          com.android.cts.devicepolicy.DeviceOwnerTest#testKeyManagement
          because it grants a key
Change-Id: I047512ba345c25e6e691e78f7a37fc3f97b95d32
2017-06-23 09:27:12 -07:00
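An added toy model of the grant-alias rule that both copies of the "Refurbish granting mechanism" message above describe (example code written for this page, not keystore's own code). It reproduces only the naming scheme: the original symbolic name plus _KEYSTOREGRANT_ plus the first free slot counted from 0, with the slot space assumed to belong to the grantee uid, and an empty string returned when the grant fails. The uids and key names are constructed; real keystore keeps grants and imported keys in separate files, which the model flattens into one per-uid name set.

```java
import java.util.HashMap;
import java.util.LinkedHashSet;
import java.util.Map;
import java.util.Set;

/** Added example: model of per-uid grant-alias allocation, not keystore's implementation. */
public final class GrantAliasModel {
    static final String GRANT_SUFFIX = "_KEYSTOREGRANT_";

    /** Names visible to each uid: keys it generated or imported, plus grants it received. */
    private final Map<Integer, Set<String>> namespaceByUid = new HashMap<>();

    private Set<String> namespace(int uid) {
        return namespaceByUid.computeIfAbsent(uid, k -> new LinkedHashSet<>());
    }

    /** An app generates or imports a key under its own symbolic name. */
    void importKey(int uid, String alias) {
        namespace(uid).add(alias);
    }

    /**
     * Granter lets grantee use {@code alias}. Returns the alias the grantee must use, or ""
     * on failure, mirroring the string-returning grant call the change introduces.
     * Assumption: the grant_no space is the grantee's.
     */
    String grant(int granterUid, String alias, int granteeUid) {
        if (!namespace(granterUid).contains(alias)) {
            return ""; // you can only grant a key you actually hold
        }
        Set<String> grantee = namespace(granteeUid);
        for (int n = 0; ; n++) { // first free slot, starting from 0
            String grantAlias = alias + GRANT_SUFFIX + n;
            if (!grantee.contains(grantAlias)) {
                grantee.add(grantAlias);
                return grantAlias;
            }
        }
    }

    boolean canUse(int uid, String alias) {
        return namespace(uid).contains(alias);
    }

    /** Walks through the situations the message mentions; returns the aliases handed out. */
    static String[] demo() {
        GrantAliasModel ks = new GrantAliasModel();
        int appA = 10001, appB = 10002, appC = 10003; // constructed uids
        ks.importKey(appA, "signing");
        ks.importKey(appB, "signing");                // same symbolic name, different owner

        String fromA = ks.grant(appA, "signing", appC); // "signing_KEYSTOREGRANT_0"
        String fromB = ks.grant(appB, "signing", appC); // "signing_KEYSTOREGRANT_1": slot 0 is taken in C's space
        String fromC = ks.grant(appC, "signing", appA); // "": C owns no key called "signing"

        // Self-inflicted masking: C imports a key under exactly the grant's name. In real keystore
        // the imported key shadows the grant from then on; the model just treats the name as taken,
        // so the next grant of the same key moves to the next free slot.
        ks.importKey(appC, fromA);
        String again = ks.grant(appA, "signing", appC); // "signing_KEYSTOREGRANT_2"
        return new String[] { fromA, fromB, fromC, again };
    }
}
```

The point the model makes visible is that the grantee never learns or supplies the granter's uid: two granters with identically named keys produce distinct grant aliases in the grantee's namespace, and an empty return is the only failure signal, so callers must check for it rather than assume the alias exists.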
phweiss
7eeab2cdd9 Implement CACert queries in SecurityController
Cherry-pick note:
testCACertLoader() was flaky, so this cherry-pick contains
two attempted fixes and a CL that disables the test. The original commit
messages of the squashed CLs are below.
Merged-In: I3b9cc3d85c9f49d0a892613b63d1fba184ab647e

Implement CACert queries in SecurityController

Queries are run (on an AsyncTask) when the user is switched and when
ACTION_TRUST_STORE_CHANGED is broadcast. Otherwise, the result is cached
in the SecurityController.

Bug: 37535489
Test: runtest --path frameworks/base/packages/SystemUI/tests/src/com/android/systemui/statusbar/policy/SecurityControllerTest.java
Change-Id: I3b9cc3d85c9f49d0a892613b63d1fba184ab647e

Increase timeout for flaky testCACertLoader()

Bug: 37535489
Bug: 38045871
Test: runtest --path frameworks/base/packages/SystemUI/tests/src/com/android/systemui/statusbar/policy/SecurityControllerTest.java
Change-Id: I5778082973af7c6d4d719b83e334fec552b0a89e

Fix flaky SecurityControllerTest.testCaCertLoader

Fixes: 38108698
Test: runtest -c .statusbar.policy.SecurityControllerTest systemui
Change-Id: I6029a09984b72599622f0df57187a20aba4dab30

Disable flaky test

Test: treehugger
Bug: 38118260
Change-Id: I05c6504acee6a787e1cc5071bed0118388963212

(cherry picked from commit e375fc441cc889890d1cff5bc771039bb65f08ef)
2017-05-09 15:35:30 +02:00
Kenny Root
d5bcc031d9 Merge changes from topic 'update-conscrypt' am: c497348c74 am: 37607dfca6 am: 9172df0777
am: 76da1723bc

Change-Id: I8e1e1a749831c90ab132df1d481ba314ec5012d5
2017-05-05 21:54:12 +00:00
Kenny Root
76da1723bc Merge changes from topic 'update-conscrypt' am: c497348c74 am: 37607dfca6
am: 9172df0777

Change-Id: I78b96e5ae3231185a1b26e2e8b9f95881c279de0
2017-05-05 21:33:39 +00:00
phweiss
e375fc441c Implement CACert queries in SecurityController
Queries are run (on an AsyncTask) when the user is switched and when
ACTION_TRUST_STORE_CHANGED is broadcast. Otherwise, the result is cached
in the SecurityController.

Bug: 37535489
Test: runtest --path frameworks/base/packages/SystemUI/tests/src/com/android/systemui/statusbar/policy/SecurityControllerTest.java

Change-Id: I3b9cc3d85c9f49d0a892613b63d1fba184ab647e
2017-05-05 19:03:29 +02:00
Kenny Root
91abf9f6e2 Delete obsolete and unused KeyStoreTests
These depended on internal implementation details of Conscrypt that are
changing. Delete these tests since they're not included in builds any
more.

Test: make checkbuild
Change-Id: I6ddf832c30bcf49e940c55aa81534c3d987393fb
2017-05-01 16:39:20 -07:00
Bartosz Fabianowski
237f4b369b Add device ID attestation method to keymaster
Device ID attestation consists of three steps:
* Generate a temporary key
* Attest the key and desired device IDs
* Delete the temporary key

Rather than being spread over three keymaster APIs, these operations
should happen automatically in a single keymaster method.

Bug: 34734938
Test: GTS com.google.android.gts.security.DeviceIdAttestationHostTest

Change-Id: Ifabb5163b9e4d12cb309a6b0ca8e5f2f92d212f4
2017-04-26 17:40:44 +02:00
Jeff Sharkey
a00c7c0a99 Merge "Fix some issues found by new doclava linter." into oc-dev
2017-04-25 22:11:01 +00:00
Jeff Sharkey
0f3f60b576 Fix some issues found by new doclava linter.
Add missing API annotations for permissions and SdkConstants, and
invoke doclava with new "-android" flag.

Test: make -j32 offline-sdk-docs
Bug: 37526420
Change-Id: I970bb2655eb568fd25004636f134c794663a6c33
2017-04-25 13:12:45 -06:00
Rubin Xu
12b644d275 Introduce KEYSTORE_FLAG_CRITICAL_TO_DEVICE_ENCRYPTION
This flag is used by system server to mark keys used during the
synthetic password auth flow. Keys marked with this flag will not
be super encrypted because super encryption requires knowledge of
the synthetic password, causing a chicken-and-egg problem.

Bug: 35849499
Bug: 34600579
Test: cts-tradefed run cts-dev -m CtsDevicePolicyManagerTestCases -t com.android.cts.devicepolicy.MixedProfileOwnerTest#testResetPasswordWithToken

Change-Id: I474822f2e026f24ce6f6de1aa58b5012922f7b13
2017-04-24 20:04:50 +01:00
Jeff Sharkey
910e081216 More auto-doc work.
Add support for AnyThread, CallSuper, and UiThread.

Another related CL started documenting @RequiresPermission, so remove
duplicated information in existing APIs.

Suppress auto-doc on a handful of classes that are already
well-documented.

Test: make -j32 offline-sdk-docs
Bug: 37526420
Change-Id: I791437dccec0f11d5349a23b982ba098cb551af8
2017-04-21 16:35:08 -06:00
Chad Brubaker
8b651bf7d5 Fix ACTION_STORAGE_CHANGED doc
The deprecation note was not quite correct.

Change-Id: I15231881bbf1ee1ee4d342bff74280d7e9807ac0
Fixes: 36493384
Test: builds
2017-03-23 09:26:09 -07:00
Bartosz Fabianowski
ad60c0615f Add manufacturer and model to device ID attestation
Discussions have shown that in addition to brand, device and product,
we should also allow devices to attest their manufacturer and model.

Bug: 36433192
Test: GTS com.google.android.gts.security.DeviceIdAttestationHostTest

Change-Id: Idd48929d6a0c9fe6656c6d2656e2c3f6f370a21e
2017-03-20 14:00:25 +01:00
Bartosz Fabianowski
05dc9f764c Add API for checking which CA certs were installed by the DO/PO
With this API, the system can determine whether a CA cert was
installed by the user or the user's DO/PO.

Bug: 32692748
Test: unit tests (see DevicePolicyManagerTest.java for invocation)
Test: cts-tradefed run cts-dev --module CtsDevicePolicyManagerTestCases

Change-Id: I3bcae5ac18ec2b110154184fc515df804fd73da6
2017-03-03 19:42:51 +01:00
Frank Salim
66925ecc64 Revert "Add new key purpose Wrap Key to KeyProperties.java and"
This reverts commit eb30e64f3fac192404a6ae3c162a0770201a7dc2.

Reason for revert: Remove partial support for wrapped key import

Test: CTS tested
Change-Id: I8008494860534257fa983e1a5169d0ed034621f7
2017-03-02 11:16:09 -07:00
TreeHugger Robot
a7aaae881c Merge "Delete ParcelableString, add StringParceledListSlice"
2017-02-28 22:09:06 +00:00
Robin Lee
abaa0695c5 Delete ParcelableString, add StringParceledListSlice
Both inherit from package private BaseParceledListSlice.

This is still bad, but it's not as bad. The existing code that uses
this can just do Foo.bar().getList() now instead of having to marshal
to and from an oddball type at either end as well.

In the longer term ParceledListSlice<> should be eliminated, but it's
not clear how far into the future that is going to happen.

Test: runtest -x services/tests/servicestests/src/com/android/server/devicepolicy/DevicePolicyManagerTest.java
Test: runtest -x core/tests/coretests/src/android/content/pm/ParceledListSliceTest.java
Change-Id: Ie69b96b5215d6e04990f6d31345772cdfee21d78
2017-02-28 18:07:08 +00:00
Robin Lee
3e7cf168a5 Make IKeyChainAliasCallback oneway
So it can be sent from devicepolicymanager (system_server) to keychain
(a system_app) without waiting on the response and having to do
everything in a background thread.

Side-effect: the regular keychain => app callback is slightly more
efficient now too. In case anyone particularly needs blazing fast
private key user selections.

Fix: 35675253
Test: cts-tradefed run cts --abi=arm64-v8a --skip-device-info --module CtsDevicePolicyManagerTestCases --test 'com.android.cts.devicepolicy.DeviceOwnerTest#testKeyManagement' </dev/null 2>&1
Change-Id: I6e9d96ca3c42e6489d879d8cfb0507eb94838bf1
2017-02-25 01:32:54 +00:00
TreeHugger Robot
2c92e9daa4 Merge "Reject HMAC keys smaller than 64 bits."
2017-02-14 15:58:31 +00:00
Robin Lee
7f5c91c6bc MonitoringCertTask no longer relies on software.device_admin
Added a test to validate that it still works the way it should before
and after the change.

Bug: 33258404
Bug: 35196414
Fix: 35129745
Test: runtest -x services/tests/servicestests/src/com/android/server/devicepolicy/DevicePolicyManagerTest.java
Test: also manual, instructions:
Test: (1) Disable software.device_admin from tablet_core_hardware, rebuild.
Test: (2) Install CA cert. Notification should appear.
Test: (3) Reboot. Notification should still be there.
Change-Id: Id992725c1844a2fffbde4d8acaba531e99f853ad
2017-02-14 13:29:31 +00:00
Rubin Xu
59ced28f0f Add hidden KeyProtection API to specify SID
Allows the caller to specify which SID the given key
should be bound to, overriding the default rule of
binding to the current root/fingerprint SID.

This is a prerequisite for introducing synthetic password
based authentication flow.

Test: cts-tradefed run cts -m CtsKeystoreTestCases
Bug: 33126414
Change-Id: Ide03c0f4fd33ecca7a169ea763c3d4d0b173d1dd
2017-02-02 17:53:32 +00:00
Bartosz Fabianowski
92e8cfd21d Add device id attestation
This adds a new public API for attesting the device's hardware ids
(e.g. serial number and IMEI).

Bug: 34597337
Test: CTS CtsKeystoreTestCases and GTS DeviceIdAttestationHostTest

Change-Id: I2e9c1b4f8eb24afa4a09c71c137ce33a6b87eb27
2017-01-25 04:47:15 +01:00
Crystal Qin
eb30e64f3f Add new key purpose Wrap Key to KeyProperties.java and
KeymasterDefs.java.

Test: There will be a CTS test CL submitted together.
Change-Id: Ic60c3efc451cd7cbb04689b3d7bf9d607fae6c1f
2017-01-19 21:02:10 -08:00
Paul Duffin
ccb0445027 Prepare for removal of legacy-test from default targets
In preparation for removing junit classes from the Android API
the legacy-test target will be removed from the
TARGET_DEFAULT_JAVA_LIBRARIES. This change adds explicit
dependencies on junit and/or legacy-android-test to ensure that
modules will compile properly once it is removed.

(cherry picked from 6387604f9e672ece85e07c4bcbd7be396867f06f)

Bug: 30188076
Test: make checkbuild
Merged-In: I13e88297731253420e4e5f5291d503f13a39a156
Change-Id: I58446eb8c45d8ac2bcdbc9fa40d1321e811bdd4b
2017-01-19 09:43:05 +00:00
Paul Duffin
8aeb59ebcd Prepare for removal of legacy-test from default targets
In preparation for removing junit classes from the Android API
the legacy-test target will be removed from the
TARGET_DEFAULT_JAVA_LIBRARIES. This change adds explicit
dependencies on junit and/or legacy-android-test to ensure that
modules will compile properly once it is removed.

Bug: 30188076
Test: make checkbuild
Change-Id: I13e88297731253420e4e5f5291d503f13a39a156
2017-01-18 16:39:34 +00:00
Shawn Willden
7c3b65e9b1 Reject HMAC keys smaller than 64 bits.
Test: CTS test has been updated to verify this.
Change-Id: I6389d9fa2ff75d08a2223c789e5437190c4b82c6
2017-01-17 05:05:56 -07:00
Shawn Willden
dea6614603 Test for null context in getPrivateKey
In N, passing a null context to getPrivateKey provoked a
NullPointerException, which is validated by a CTS test. In commit
28d68b1 this behavior was changed (inadvertently, I believe) causing
getPrivateKey to wrap the NPE in a KeyChainException. This CL restores
the previous behavior, fixing the test and avoiding breaking any apps
that were catching the NPE.

Test: Fixing broken test
Change-Id: Icb0c75b03efc478b7310998cf3e7108a2c419107
2016-11-16 06:06:36 -07:00
Jeff Sharkey
0a17db1cc5 Detect non-oneway calls leaving system_server.
To protect system stability, any Binder calls leaving the
system_server must carefully be performed using FLAG_ONEWAY (or
the 'oneway' verb in AIDL) which prevents the call from blocking
indefinitely on the remote process.

In this CL, the system_server uses the new Binder.setWarnOnBlocking()
method to enable detection by default for all remote Binder
interfaces.  It can also use Binder.allowBlocking() to allow
blocking calls on certain remote interfaces that have been
determined to be safe.

This CL adds the 'oneway' verb to several interfaces and methods
where it should have been added, and marks a handful of system
ContentProviders as being safe to call into.  Also, we assume that
any services obtained from ServiceManager are part of the core
OS, and are okay to make blocking calls to.

Test: builds, boots, runs with minimal logs triggered
Bug: 32715088
Change-Id: Ide476e120cb40436a94b7faf7615c943d691f4c0
2016-11-07 17:03:37 -07:00
Tucker Sylvestro
7f99db4e63 Add the onDeviceOffBody API method to KeyStore am: b32aae2a46
am: 8f75adc624

Change-Id: Ib8d7bc19a167999894b90b45e7eb1cadb2a85d24
2016-10-06 16:20:19 +00:00
Tucker Sylvestro
8f75adc624 Add the onDeviceOffBody API method to KeyStore
am: b32aae2a46

Change-Id: Idbf7f1d505b1d446a3d648dcf1b0f334a629110a
2016-10-06 16:13:48 +00:00
Kevin Hufnagle
c8d45456bd docs: Fixed broken link to Android KeyStore facility am: c0c4ac5e35 am: 507a5c03da
am: f4ac919849

Change-Id: I20e5abdffd9ac4fd8b4164ef56c1b3bafb58ad2b
2016-09-27 02:06:09 +00:00
Kevin Hufnagle
f4ac919849 docs: Fixed broken link to Android KeyStore facility am: c0c4ac5e35
am: 507a5c03da

Change-Id: Iec80ad1c7127efb7e257be0625988ef1b2588b0f
2016-09-26 23:47:39 +00:00
Tucker Sylvestro
b32aae2a46 Add the onDeviceOffBody API method to KeyStore
This is necessary for allowing the KeyStore to lock keys that remain
authorized as long as the device is on-body.

Bug: 28911985

Change-Id: If50bc84d5a1cb23f9b01b1950c3676d1519cc4f5
2016-09-23 15:11:42 -04:00
Kevin Hufnagle
c0c4ac5e35 docs: Fixed broken link to Android KeyStore facility
Bug: 13663279
Change-Id: I859b3c9a35f9e6c63cb0c29260f4aa1aa33ab15c
2016-09-19 11:31:08 -07:00
Rubin Xu
8910bf2ca0 Merge "Handle null packageName in PendingIntentRecord" into nyc-mr1-dev am: 6acd5e7361 am: 2f6eecbed0
am: f38514ccd6

Change-Id: I1071a92b4ff74a57bf94c9b6aad9df4fb3852072
2016-08-23 22:29:15 +00:00
Robin Lee
c378aabdda Documentation warning against short-lived Contexts
am: da23618043

Change-Id: Ie6e4c05d8d9a273f0f529c2be79f3df4a856fedb
2016-08-23 16:09:41 +00:00
Robin Lee
4f7d56a706 Force application context for KeyChain bindings
am: f04a663d6a

Change-Id: I16c31a9c31527a79addbd2b44003f8fe56cb652f
2016-08-23 16:06:39 +00:00
Robin Lee
da23618043 Documentation warning against short-lived Contexts
It's better to use an Application Context rather than hoping the
activity won't be destroyed in another thread (because it will).

Change-Id: I9bf842d0d7dbedcc509a4a314d23a9a6cfca4d48
Fix: 29873669
2016-08-23 12:47:54 +00:00
Shawn Willden
e5d71c4cfa Fix @link tags in keystore doc am: 3f0526ea09
am: 9e8b4ad9c9

Change-Id: Iadb16bd13d4bb525805dd0266aea046c4c472309
2016-08-09 19:38:00 +00:00
Shawn Willden
3f0526ea09 Fix @link tags in keystore doc
Bug: 30258412
Change-Id: I370a53ebad29ff0471e4b7776cd76b2530efe760
(cherry picked from commit 9739d48a2101e49b0936096d69c29006f9acdeb5)
2016-08-02 16:45:06 +00:00
TreeHugger Robot
1c23ed9601 Merge "Fix @link tags in keystore doc"
2016-08-01 23:49:53 +00:00
Robin Lee
28d68b1456 Unbind from KeyChainService before RPCing to keystore
This leaves the binder connection open for far too long, which keeps
the keychain app alive longer than necessary.

Bug: 29873669
Change-Id: I037c2b91400202ba6a474819867df16b6342ec0d
2016-07-27 11:11:13 +01:00
TreeHugger Robot
bea9e036f5 Merge "Fix incorrect @link in ACTION_STORAGE_CHANGED comment"
2016-07-25 23:08:57 +00:00
Chad Brubaker
dbf01c12d0 Fix incorrect @link in ACTION_STORAGE_CHANGED comment
Change-Id: Ibfca8651a55e32e9caed96b04e5a40dc6ebc3019
2016-07-25 14:54:39 -07:00