keystore: Add flag for blobs to be unencrypted

In order to let apps use keystore more productively, make the blob
encryption optional. As more hardware-assisted keystores (i.e., hardware
that has a Keymaster HAL) come around, encrypting blobs starts to make
less sense, since the thing being encrypted is usually a token and not
any raw key material.

(cherry picked from commit a3788b00bb221e20abdd42f747d2af419e0a088c)

Bug: 8122243
Change-Id: Ifc1c64743651b23a4eace208ade0176af47ea989
diff --git a/core/java/android/security/IKeystoreService.java b/core/java/android/security/IKeystoreService.java
index e1cc90e..3d75dc8 100644
--- a/core/java/android/security/IKeystoreService.java
+++ b/core/java/android/security/IKeystoreService.java
@@ -78,7 +78,7 @@
                 return _result;
             }
 
-            public int insert(String name, byte[] item, int uid) throws RemoteException {
+            public int insert(String name, byte[] item, int uid, int flags) throws RemoteException {
                 Parcel _data = Parcel.obtain();
                 Parcel _reply = Parcel.obtain();
                 int _result;
@@ -87,6 +87,7 @@
                     _data.writeString(name);
                     _data.writeByteArray(item);
                     _data.writeInt(uid);
+                    _data.writeInt(flags);
                     mRemote.transact(Stub.TRANSACTION_insert, _data, _reply, 0);
                     _reply.readException();
                     _result = _reply.readInt();
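Review bot: The proxy now writes a fourth int after uid (line with `_data.writeInt(flags);`), but nothing in this diff shows the receiving side reading it, and a client/server mismatch here silently decides whether a blob is stored encrypted. If this file also carries a Java Stub with an onTransact for TRANSACTION_insert, it must read the value in the same position, `int _arg3 = data.readInt();`, or the flag is dropped and any trailing parcel fields are misaligned; if the real implementation is the native keystore service, as I believe it is, that side must be updated in lockstep with this wire-format change. The same applies to the generate and import_key hunks below (`_data.writeInt(flags);` in both). The enclosing proxy method begins before this hunk.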
@@ -243,7 +244,7 @@
                 return _result;
             }
 
-            public int generate(String name, int uid) throws RemoteException {
+            public int generate(String name, int uid, int flags) throws RemoteException {
                 Parcel _data = Parcel.obtain();
                 Parcel _reply = Parcel.obtain();
                 int _result;
@@ -251,6 +252,7 @@
                     _data.writeInterfaceToken(DESCRIPTOR);
                     _data.writeString(name);
                     _data.writeInt(uid);
+                    _data.writeInt(flags);
                     mRemote.transact(Stub.TRANSACTION_generate, _data, _reply, 0);
                     _reply.readException();
                     _result = _reply.readInt();
@@ -261,7 +263,8 @@
                 return _result;
             }
 
-            public int import_key(String name, byte[] data, int uid) throws RemoteException {
+            public int import_key(String name, byte[] data, int uid, int flags)
+                    throws RemoteException {
                 Parcel _data = Parcel.obtain();
                 Parcel _reply = Parcel.obtain();
                 int _result;
@@ -270,6 +273,7 @@
                     _data.writeString(name);
                     _data.writeByteArray(data);
                     _data.writeInt(uid);
+                    _data.writeInt(flags);
                     mRemote.transact(Stub.TRANSACTION_import, _data, _reply, 0);
                     _reply.readException();
                     _result = _reply.readInt();
@@ -538,7 +542,7 @@
 
     public byte[] get(String name) throws RemoteException;
 
-    public int insert(String name, byte[] item, int uid) throws RemoteException;
+    public int insert(String name, byte[] item, int uid, int flags) throws RemoteException;
 
     public int del(String name, int uid) throws RemoteException;
 
@@ -556,9 +560,9 @@
 
     public int zero() throws RemoteException;
 
-    public int generate(String name, int uid) throws RemoteException;
+    public int generate(String name, int uid, int flags) throws RemoteException;
 
-    public int import_key(String name, byte[] data, int uid) throws RemoteException;
+    public int import_key(String name, byte[] data, int uid, int flags) throws RemoteException;
 
     public byte[] sign(String name, byte[] data) throws RemoteException;
 
diff --git a/keystore/java/android/security/KeyStore.java b/keystore/java/android/security/KeyStore.java
index 852f0bb..309d3d3 100644
--- a/keystore/java/android/security/KeyStore.java
+++ b/keystore/java/android/security/KeyStore.java
@@ -40,6 +40,9 @@
     public static final int UNDEFINED_ACTION = 9;
     public static final int WRONG_PASSWORD = 10;
 
+    // Flags for "put" and "import"
+    public static final int FLAG_ENCRYPTED = 1;
+
     // States
     public enum State { UNLOCKED, LOCKED, UNINITIALIZED };
 
@@ -87,15 +90,19 @@
         }
     }
 
-    public boolean put(String key, byte[] value, int uid) {
+    public boolean put(String key, byte[] value, int uid, int flags) {
         try {
-            return mBinder.insert(key, value, uid) == NO_ERROR;
+            return mBinder.insert(key, value, uid, flags) == NO_ERROR;
         } catch (RemoteException e) {
             Log.w(TAG, "Cannot connect to keystore", e);
             return false;
         }
     }
 
+    public boolean put(String key, byte[] value, int uid) {
+        return put(key, value, uid, FLAG_ENCRYPTED);
+    }
+
     public boolean put(String key, byte[] value) {
         return put(key, value, -1);
     }
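Review bot: The new four-argument `put` is a public API that changes the protection level of stored data, yet it carries no Javadoc saying what happens when FLAG_ENCRYPTED is absent, and it forwards any int to the binder without masking unknown bits. Keeping the three-argument overload pinned to `FLAG_ENCRYPTED` is the right call, as existing callers keep the old behaviour. I would add above the four-argument method: `/** Stores {@code value} under {@code key}. Pass {@link #FLAG_ENCRYPTED} in {@code flags} to have keystore encrypt the blob; without it the blob is stored unencrypted. Unknown bits are passed through to the service unchanged. */`. The same applies to the four-argument `generate` and `importKey` in the next hunk.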
@@ -185,28 +192,36 @@
         }
     }
 
-    public boolean generate(String key, int uid) {
+    public boolean generate(String key, int uid, int flags) {
         try {
-            return mBinder.generate(key, uid) == NO_ERROR;
+            return mBinder.generate(key, uid, flags) == NO_ERROR;
         } catch (RemoteException e) {
             Log.w(TAG, "Cannot connect to keystore", e);
             return false;
         }
     }
 
+    public boolean generate(String key, int uid) {
+        return generate(key, uid, FLAG_ENCRYPTED);
+    }
+
     public boolean generate(String key) {
         return generate(key, -1);
     }
 
-    public boolean importKey(String keyName, byte[] key, int uid) {
+    public boolean importKey(String keyName, byte[] key, int uid, int flags) {
         try {
-            return mBinder.import_key(keyName, key, uid) == NO_ERROR;
+            return mBinder.import_key(keyName, key, uid, flags) == NO_ERROR;
         } catch (RemoteException e) {
             Log.w(TAG, "Cannot connect to keystore", e);
             return false;
         }
     }
 
+    public boolean importKey(String keyName, byte[] key, int uid) {
+        return importKey(keyName, key, uid, FLAG_ENCRYPTED);
+    }
+
     public boolean importKey(String keyName, byte[] key) {
         return importKey(keyName, key, -1);
     }