Remove "encrypt at rest" flag from new AndroidKeyStore API.

This flag causes issues such as being unable to generate, import, or
use keys when the user/profile secure lock screen credential hasn't
yet been entered after boot.

Bug: 18088752
Change-Id: I992f6dfdc945bcb83e341356a40dfa7d7bc143d8
diff --git a/api/current.txt b/api/current.txt
index 27f3eff..9fbdfdb 100644
--- a/api/current.txt
+++ b/api/current.txt
@@ -28421,7 +28421,6 @@
     method public java.lang.String[] getSignaturePaddings();
     method public int getUserAuthenticationValidityDurationSeconds();
     method public boolean isDigestsSpecified();
-    method public boolean isEncryptionAtRestRequired();
     method public boolean isRandomizedEncryptionRequired();
     method public boolean isUserAuthenticationRequired();
   }
@@ -28436,7 +28435,6 @@
     method public android.security.keystore.KeyGenParameterSpec.Builder setCertificateSerialNumber(java.math.BigInteger);
     method public android.security.keystore.KeyGenParameterSpec.Builder setCertificateSubject(javax.security.auth.x500.X500Principal);
     method public android.security.keystore.KeyGenParameterSpec.Builder setDigests(java.lang.String...);
-    method public android.security.keystore.KeyGenParameterSpec.Builder setEncryptionAtRestRequired(boolean);
     method public android.security.keystore.KeyGenParameterSpec.Builder setEncryptionPaddings(java.lang.String...);
     method public android.security.keystore.KeyGenParameterSpec.Builder setKeySize(int);
     method public android.security.keystore.KeyGenParameterSpec.Builder setKeyValidityEnd(java.util.Date);
@@ -28525,7 +28523,6 @@
     method public java.lang.String[] getSignaturePaddings();
     method public int getUserAuthenticationValidityDurationSeconds();
     method public boolean isDigestsSpecified();
-    method public boolean isEncryptionAtRestRequired();
     method public boolean isRandomizedEncryptionRequired();
     method public boolean isUserAuthenticationRequired();
   }
@@ -28535,7 +28532,6 @@
     method public android.security.keystore.KeyProtection build();
     method public android.security.keystore.KeyProtection.Builder setBlockModes(java.lang.String...);
     method public android.security.keystore.KeyProtection.Builder setDigests(java.lang.String...);
-    method public android.security.keystore.KeyProtection.Builder setEncryptionAtRestRequired(boolean);
     method public android.security.keystore.KeyProtection.Builder setEncryptionPaddings(java.lang.String...);
     method public android.security.keystore.KeyProtection.Builder setKeyValidityEnd(java.util.Date);
     method public android.security.keystore.KeyProtection.Builder setKeyValidityForConsumptionEnd(java.util.Date);
diff --git a/api/system-current.txt b/api/system-current.txt
index ff42705c..ed57594 100644
--- a/api/system-current.txt
+++ b/api/system-current.txt
@@ -30449,7 +30449,6 @@
     method public java.lang.String[] getSignaturePaddings();
     method public int getUserAuthenticationValidityDurationSeconds();
     method public boolean isDigestsSpecified();
-    method public boolean isEncryptionAtRestRequired();
     method public boolean isRandomizedEncryptionRequired();
     method public boolean isUserAuthenticationRequired();
   }
@@ -30464,7 +30463,6 @@
     method public android.security.keystore.KeyGenParameterSpec.Builder setCertificateSerialNumber(java.math.BigInteger);
     method public android.security.keystore.KeyGenParameterSpec.Builder setCertificateSubject(javax.security.auth.x500.X500Principal);
     method public android.security.keystore.KeyGenParameterSpec.Builder setDigests(java.lang.String...);
-    method public android.security.keystore.KeyGenParameterSpec.Builder setEncryptionAtRestRequired(boolean);
     method public android.security.keystore.KeyGenParameterSpec.Builder setEncryptionPaddings(java.lang.String...);
     method public android.security.keystore.KeyGenParameterSpec.Builder setKeySize(int);
     method public android.security.keystore.KeyGenParameterSpec.Builder setKeyValidityEnd(java.util.Date);
@@ -30553,7 +30551,6 @@
     method public java.lang.String[] getSignaturePaddings();
     method public int getUserAuthenticationValidityDurationSeconds();
     method public boolean isDigestsSpecified();
-    method public boolean isEncryptionAtRestRequired();
     method public boolean isRandomizedEncryptionRequired();
     method public boolean isUserAuthenticationRequired();
   }
@@ -30563,7 +30560,6 @@
     method public android.security.keystore.KeyProtection build();
     method public android.security.keystore.KeyProtection.Builder setBlockModes(java.lang.String...);
     method public android.security.keystore.KeyProtection.Builder setDigests(java.lang.String...);
-    method public android.security.keystore.KeyProtection.Builder setEncryptionAtRestRequired(boolean);
     method public android.security.keystore.KeyProtection.Builder setEncryptionPaddings(java.lang.String...);
     method public android.security.keystore.KeyProtection.Builder setKeyValidityEnd(java.util.Date);
     method public android.security.keystore.KeyProtection.Builder setKeyValidityForConsumptionEnd(java.util.Date);
diff --git a/keystore/java/android/security/keystore/AndroidKeyPairGeneratorSpi.java b/keystore/java/android/security/keystore/AndroidKeyPairGeneratorSpi.java
index 8d3b421..2c393fd 100644
--- a/keystore/java/android/security/keystore/AndroidKeyPairGeneratorSpi.java
+++ b/keystore/java/android/security/keystore/AndroidKeyPairGeneratorSpi.java
@@ -89,6 +89,7 @@
     private KeyStore mKeyStore;
 
     private KeyGenParameterSpec mSpec;
+    private boolean mEncryptionAtRestRequired;
     private @KeyProperties.KeyAlgorithmEnum String mKeyAlgorithm;
     private int mKeyType;
     private int mKeySize;
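Review bot: The new field `mEncryptionAtRestRequired` has no comment, although after this commit it is the only place the encrypt-at-rest decision is kept, since the spec no longer carries it. Judging by the other hunks in this file, it is set only in the `KeyPairGeneratorSpec` branch of initialization and stays false otherwise. I would add `// Legacy KeyPairGeneratorSpec only: store the key with KeyStore.FLAG_ENCRYPTED (protected by the secure lock screen credential).` above it. If the class has a state-reset path outside the visible hunks, the field should be cleared there alongside `mSpec`.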
@@ -123,7 +124,7 @@
 
         }
 
-        final int flags = mSpec.getFlags();
+        final int flags = (mEncryptionAtRestRequired) ? KeyStore.FLAG_ENCRYPTED : 0;
         if (((flags & KeyStore.FLAG_ENCRYPTED) != 0)
                 && (mKeyStore.state() != KeyStore.State.UNLOCKED)) {
             throw new IllegalStateException(
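Review bot: The guard builds `flags` from the boolean and then masks it again with `KeyStore.FLAG_ENCRYPTED`, which is a needless round trip. Testing the field directly reads more clearly: `if (mEncryptionAtRestRequired && (mKeyStore.state() != KeyStore.State.UNLOCKED)) {`. If `flags` is used later in the method, which is not visible here, it can be computed where it is passed on. The enclosing method starts and ends outside this hunk.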
@@ -296,6 +297,7 @@
 
         String keyAlgorithm;
         KeyGenParameterSpec spec;
+        boolean encryptionAtRestRequired = false;
         if (params instanceof KeyPairGeneratorSpec) {
             KeyPairGeneratorSpec legacySpec = (KeyPairGeneratorSpec) params;
             try {
@@ -353,7 +355,7 @@
                 specBuilder.setCertificateSerialNumber(legacySpec.getSerialNumber());
                 specBuilder.setCertificateNotBefore(legacySpec.getStartDate());
                 specBuilder.setCertificateNotAfter(legacySpec.getEndDate());
-                specBuilder.setEncryptionAtRestRequired(legacySpec.isEncryptionRequired());
+                encryptionAtRestRequired = legacySpec.isEncryptionRequired();
                 specBuilder.setUserAuthenticationRequired(false);
 
                 spec = specBuilder.build();
@@ -390,6 +392,7 @@
         mKeyType = keyType;
         mKeySize = keySize;
         mSpec = spec;
+        mEncryptionAtRestRequired = encryptionAtRestRequired;
         mKeyStore = KeyStore.getInstance();
     }
 }
diff --git a/keystore/java/android/security/keystore/AndroidKeyStoreKeyGeneratorSpi.java b/keystore/java/android/security/keystore/AndroidKeyStoreKeyGeneratorSpi.java
index 0821bf5..dc4c8a3 100644
--- a/keystore/java/android/security/keystore/AndroidKeyStoreKeyGeneratorSpi.java
+++ b/keystore/java/android/security/keystore/AndroidKeyStoreKeyGeneratorSpi.java
@@ -264,13 +264,6 @@
             throw new IllegalStateException("Not initialized");
         }
 
-        if ((spec.isEncryptionAtRestRequired())
-                && (mKeyStore.state() != KeyStore.State.UNLOCKED)) {
-            throw new IllegalStateException(
-                    "Requested to import a key which must be encrypted at rest using secure lock"
-                    + " screen credential, but the credential hasn't yet been entered by the user");
-        }
-
         KeymasterArguments args = new KeymasterArguments();
         args.addInt(KeymasterDefs.KM_TAG_KEY_SIZE, mKeySizeBits);
         args.addInt(KeymasterDefs.KM_TAG_ALGORITHM, mKeymasterAlgorithm);
@@ -300,7 +293,7 @@
         byte[] additionalEntropy =
                 KeyStoreCryptoOperationUtils.getRandomBytesToMixIntoKeystoreRng(
                         mRng, (mKeySizeBits + 7) / 8);
-        int flags = spec.getFlags();
+        int flags = 0;
         String keyAliasInKeystore = Credentials.USER_SECRET_KEY + spec.getKeystoreAlias();
         KeyCharacteristics resultingKeyCharacteristics = new KeyCharacteristics();
         int errorCode = mKeyStore.generateKey(
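Review bot: `int flags = 0;` drops `KeyStore.FLAG_ENCRYPTED` for every symmetric key generated through this SPI, and nothing at the call site says that this is intended. A short comment would stop a later reader from treating it as an omission, for example `// Keys generated via KeyGenParameterSpec are never encrypted at rest with the lock screen credential (Bug 18088752).` The same applies to the literal `0, // flags` passed to the secret-key import call in AndroidKeyStoreSpi.java. The local could also be declared `final`. The enclosing method continues outside this hunk.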
diff --git a/keystore/java/android/security/keystore/AndroidKeyStoreSpi.java b/keystore/java/android/security/keystore/AndroidKeyStoreSpi.java
index d6145a3..f159c30 100644
--- a/keystore/java/android/security/keystore/AndroidKeyStoreSpi.java
+++ b/keystore/java/android/security/keystore/AndroidKeyStoreSpi.java
@@ -274,6 +274,7 @@
 
     private void setPrivateKeyEntry(String alias, PrivateKey key, Certificate[] chain,
             java.security.KeyStore.ProtectionParameter param) throws KeyStoreException {
+        int flags = 0;
         KeyProtection spec;
         if (param instanceof KeyStoreParameter) {
             KeyStoreParameter legacySpec = (KeyStoreParameter) param;
@@ -319,7 +320,9 @@
                 } else {
                     throw new KeyStoreException("Unsupported key algorithm: " + keyAlgorithm);
                 }
-                specBuilder.setEncryptionAtRestRequired(legacySpec.isEncryptionRequired());
+                if (legacySpec.isEncryptionRequired()) {
+                    flags = android.security.KeyStore.FLAG_ENCRYPTED;
+                }
                 specBuilder.setUserAuthenticationRequired(false);
 
                 spec = specBuilder.build();
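Review bot: `flags` is now a mutable local declared at the top of `setPrivateKeyEntry` and consumed by `importKey` in a later hunk, whereas AndroidKeyPairGeneratorSpi.java carries the same decision as a boolean; the two should match. I would record `encryptionAtRestRequired = legacySpec.isEncryptionRequired();` here and derive `final int flags = encryptionAtRestRequired ? android.security.KeyStore.FLAG_ENCRYPTED : 0;` next to the `importKey` call. That also restores the `final` that the removed declaration had. The `KeyProtection` branch leaves the value at 0, which deserves a one-line comment saying that new-API entries are never stored with the flag. The method body extends beyond this hunk.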
@@ -449,8 +452,6 @@
             Credentials.deleteSecretKeyTypeForAlias(mKeyStore, alias);
         }
 
-        final int flags = (spec == null) ? 0 : spec.getFlags();
-
         if (shouldReplacePrivateKey
                 && !mKeyStore.importKey(Credentials.USER_PRIVATE_KEY + alias, keyBytes,
                         android.security.KeyStore.UID_SELF, flags)) {
@@ -636,7 +637,7 @@
                 args,
                 KeymasterDefs.KM_KEY_FORMAT_RAW,
                 keyMaterial,
-                params.getFlags(),
+                0, // flags
                 new KeyCharacteristics());
         if (errorCode != android.security.KeyStore.NO_ERROR) {
             throw new KeyStoreException("Failed to import secret key. Keystore error code: "
diff --git a/keystore/java/android/security/keystore/KeyGenParameterSpec.java b/keystore/java/android/security/keystore/KeyGenParameterSpec.java
index f598482..1d4c188 100644
--- a/keystore/java/android/security/keystore/KeyGenParameterSpec.java
+++ b/keystore/java/android/security/keystore/KeyGenParameterSpec.java
@@ -16,12 +16,10 @@
 
 package android.security.keystore;
 
-import android.app.KeyguardManager;
 import android.annotation.IntRange;
 import android.annotation.NonNull;
 import android.annotation.Nullable;
 import android.text.TextUtils;
-import android.security.KeyStore;
 
 import java.math.BigInteger;
 import java.security.KeyPairGenerator;
@@ -37,8 +35,8 @@
  * {@link AlgorithmParameterSpec} for initializing a {@link KeyPairGenerator} or a
  * {@link KeyGenerator} of the <a href="{@docRoot}training/articles/keystore.html">Android Keystore
  * system</a>. The spec determines whether user authentication is required for using the key, what
- * uses the key is authorized for (e.g., only for signing -- decryption not permitted), whether the
- * key should be encrypted at rest, the key's and validity start and end dates.
+ * uses the key is authorized for (e.g., only for signing -- decryption not permitted), the key's
+ * validity start and end dates.
  *
  * <p>To generate an asymmetric key pair or a symmetric key, create an instance of this class using
  * the {@link Builder}, initialize a {@code KeyPairGenerator} or a {@code KeyGenerator} of the
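Review bot: The rewritten class Javadoc ends its list without a conjunction: "(e.g., only for signing -- decryption not permitted), the key's validity start and end dates." I would write `and the key's validity start and end dates.` The matching paragraph in KeyProtection.java still reads "the key's and validity start and end dates" after this commit and should get the same wording.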
@@ -127,7 +125,6 @@
     private final BigInteger mCertificateSerialNumber;
     private final Date mCertificateNotBefore;
     private final Date mCertificateNotAfter;
-    private final int mFlags;
     private final Date mKeyValidityStart;
     private final Date mKeyValidityForOriginationEnd;
     private final Date mKeyValidityForConsumptionEnd;
@@ -151,7 +148,6 @@
             BigInteger certificateSerialNumber,
             Date certificateNotBefore,
             Date certificateNotAfter,
-            int flags,
             Date keyValidityStart,
             Date keyValidityForOriginationEnd,
             Date keyValidityForConsumptionEnd,
@@ -195,7 +191,6 @@
         mCertificateSerialNumber = certificateSerialNumber;
         mCertificateNotBefore = certificateNotBefore;
         mCertificateNotAfter = certificateNotAfter;
-        mFlags = flags;
         mKeyValidityStart = keyValidityStart;
         mKeyValidityForOriginationEnd = keyValidityForOriginationEnd;
         mKeyValidityForConsumptionEnd = keyValidityForConsumptionEnd;
@@ -271,29 +266,6 @@
     }
 
     /**
-     * @hide
-     */
-    public int getFlags() {
-        return mFlags;
-    }
-
-    /**
-     * Returns {@code true} if the key must be encrypted at rest. This will protect the key with the
-     * secure lock screen credential (e.g., password, PIN, or pattern).
-     *
-     * <p>Note that encrypting the key at rest requires that the secure lock screen (e.g., password,
-     * PIN, pattern) is set up, otherwise key generation will fail. Moreover, this key will be
-     * deleted when the secure lock screen is disabled or reset (e.g., by the user or a Device
-     * Administrator). Finally, this key cannot be used until the user unlocks the secure lock
-     * screen after boot.
-     *
-     * @see KeyguardManager#isDeviceSecure()
-     */
-    public boolean isEncryptionAtRestRequired() {
-        return (mFlags & KeyStore.FLAG_ENCRYPTED) != 0;
-    }
-
-    /**
      * Returns the time instant before which the key is not yet valid or {@code null} if not
      * restricted.
      */
@@ -450,7 +422,6 @@
         private BigInteger mCertificateSerialNumber;
         private Date mCertificateNotBefore;
         private Date mCertificateNotAfter;
-        private int mFlags;
         private Date mKeyValidityStart;
         private Date mKeyValidityForOriginationEnd;
         private Date mKeyValidityForConsumptionEnd;
@@ -576,28 +547,6 @@
         }
 
         /**
-         * Sets whether this key pair or key must be encrypted at rest. This will protect the key
-         * pair or key with the secure lock screen credential (e.g., password, PIN, or pattern).
-         *
-         * <p>Note that enabling this feature requires that the secure lock screen (e.g., password,
-         * PIN, pattern) is set up, otherwise key generation will fail. Moreover, this key will be
-         * deleted when the secure lock screen is disabled or reset (e.g., by the user or a Device
-         * Administrator). Finally, this key cannot be used until the user unlocks the secure lock
-         * screen after boot.
-         *
-         * @see KeyguardManager#isDeviceSecure()
-         */
-        @NonNull
-        public Builder setEncryptionAtRestRequired(boolean required) {
-            if (required) {
-                mFlags |= KeyStore.FLAG_ENCRYPTED;
-            } else {
-                mFlags &= ~KeyStore.FLAG_ENCRYPTED;
-            }
-            return this;
-        }
-
-        /**
          * Sets the time instant before which the key is not yet valid.
          *
          * <p>By default, the key is valid at any instant.
@@ -839,7 +788,6 @@
                     mCertificateSerialNumber,
                     mCertificateNotBefore,
                     mCertificateNotAfter,
-                    mFlags,
                     mKeyValidityStart,
                     mKeyValidityForOriginationEnd,
                     mKeyValidityForConsumptionEnd,
diff --git a/keystore/java/android/security/keystore/KeyProtection.java b/keystore/java/android/security/keystore/KeyProtection.java
index 48fdd98..f52a193 100644
--- a/keystore/java/android/security/keystore/KeyProtection.java
+++ b/keystore/java/android/security/keystore/KeyProtection.java
@@ -19,8 +19,6 @@
 import android.annotation.IntRange;
 import android.annotation.NonNull;
 import android.annotation.Nullable;
-import android.app.KeyguardManager;
-import android.security.KeyStore;
 
 import java.security.Key;
 import java.security.KeyStore.ProtectionParameter;
@@ -34,8 +32,7 @@
  * <a href="{@docRoot}training/articles/keystore.html">Android KeyStore facility</a>. This class
  * specifies parameters such as whether user authentication is required for using the key, what uses
  * the key is authorized for (e.g., only in {@code CTR} mode, or only for signing -- decryption not
- * permitted), whether the key should be encrypted at rest, the key's and validity start and end
- * dates.
+ * permitted), the key's and validity start and end dates.
  *
  * <p>To import a key or key pair into the Android KeyStore, create an instance of this class using
  * the {@link Builder} and pass the instance into {@link java.security.KeyStore#setEntry(String, java.security.KeyStore.Entry, ProtectionParameter) KeyStore.setEntry}
@@ -101,7 +98,6 @@
  * }</pre>
  */
 public final class KeyProtection implements ProtectionParameter {
-    private final int mFlags;
     private final Date mKeyValidityStart;
     private final Date mKeyValidityForOriginationEnd;
     private final Date mKeyValidityForConsumptionEnd;
@@ -115,7 +111,6 @@
     private final int mUserAuthenticationValidityDurationSeconds;
 
     private KeyProtection(
-            int flags,
             Date keyValidityStart,
             Date keyValidityForOriginationEnd,
             Date keyValidityForConsumptionEnd,
@@ -133,7 +128,6 @@
                     "userAuthenticationValidityDurationSeconds must not be negative");
         }
 
-        mFlags = flags;
         mKeyValidityStart = keyValidityStart;
         mKeyValidityForOriginationEnd = keyValidityForOriginationEnd;
         mKeyValidityForConsumptionEnd = keyValidityForConsumptionEnd;
@@ -150,22 +144,6 @@
     }
 
     /**
-     * @hide
-     */
-    public int getFlags() {
-        return mFlags;
-    }
-
-    /**
-     * Returns {@code true} if the {@link java.security.KeyStore} entry must be encrypted at rest.
-     * This will protect the entry with the secure lock screen credential (e.g., password, PIN, or
-     * pattern).
-     */
-    public boolean isEncryptionAtRestRequired() {
-        return (mFlags & KeyStore.FLAG_ENCRYPTED) != 0;
-    }
-
-    /**
      * Gets the time instant before which the key is not yet valid.
      *
      * @return instant or {@code null} if not restricted.
@@ -310,7 +288,6 @@
     public final static class Builder {
         private @KeyProperties.PurposeEnum int mPurposes;
 
-        private int mFlags;
         private Date mKeyValidityStart;
         private Date mKeyValidityForOriginationEnd;
         private Date mKeyValidityForConsumptionEnd;
@@ -338,29 +315,6 @@
         }
 
         /**
-         * Sets whether this {@link java.security.KeyStore} entry must be encrypted at rest.
-         * Encryption at rest will protect the entry with the secure lock screen credential (e.g.,
-         * password, PIN, or pattern).
-         *
-         * <p>Note that enabling this feature requires that the secure lock screen (e.g., password,
-         * PIN, pattern) is set up, otherwise setting the {@code KeyStore} entry will fail.
-         * Moreover, this entry will be deleted when the secure lock screen is disabled or reset
-         * (e.g., by the user or a Device Administrator). Finally, this entry cannot be used until
-         * the user unlocks the secure lock screen after boot.
-         *
-         * @see KeyguardManager#isDeviceSecure()
-         */
-        @NonNull
-        public Builder setEncryptionAtRestRequired(boolean required) {
-            if (required) {
-                mFlags |= KeyStore.FLAG_ENCRYPTED;
-            } else {
-                mFlags &= ~KeyStore.FLAG_ENCRYPTED;
-            }
-            return this;
-        }
-
-        /**
          * Sets the time instant before which the key is not yet valid.
          *
          * <p>By default, the key is valid at any instant.
@@ -589,7 +543,6 @@
         @NonNull
         public KeyProtection build() {
             return new KeyProtection(
-                    mFlags,
                     mKeyValidityStart,
                     mKeyValidityForOriginationEnd,
                     mKeyValidityForConsumptionEnd,