Add an optional metadata blob for recoverable application keys
This metadata, if present, will be authenticated (but unencrypted)
together with the application key material.
Bug: 112191661
Test: atest FrameworksCoreTests:android.security.keystore.recovery
atest FrameworksServicesTests:com.android.server.locksettings.recoverablekeystore
atest -m RecoveryControllerHostTest RecoverableKeyStoreEndtoEndHostTest RecoverySessionHostTest
Change-Id: I2846952758a2c1a7b1f0849e1adda1f05a3e305e
diff --git a/core/java/android/security/keystore/recovery/WrappedApplicationKey.java b/core/java/android/security/keystore/recovery/WrappedApplicationKey.java
index ae4448f..dbfd655 100644
--- a/core/java/android/security/keystore/recovery/WrappedApplicationKey.java
+++ b/core/java/android/security/keystore/recovery/WrappedApplicationKey.java
@@ -17,6 +17,7 @@
package android.security.keystore.recovery;
import android.annotation.NonNull;
+import android.annotation.Nullable;
import android.annotation.SystemApi;
import android.os.Parcel;
import android.os.Parcelable;
@@ -41,6 +42,8 @@
private String mAlias;
// The only supported format is AES-256 symmetric key.
private byte[] mEncryptedKeyMaterial;
+ // The optional metadata that's authenticated (but unencrypted) with the key material.
+ private byte[] mMetadata;
// IMPORTANT! PLEASE READ!
// -----------------------
@@ -80,13 +83,23 @@
* @param encryptedKeyMaterial The key material
* @return This builder
*/
-
public Builder setEncryptedKeyMaterial(@NonNull byte[] encryptedKeyMaterial) {
mInstance.mEncryptedKeyMaterial = encryptedKeyMaterial;
return this;
}
/**
+ * Sets the metadata that is authenticated (but unecrypted) with the key material.
+ *
+ * @param metadata The metadata
+ * @return This builder
+ */
+ public Builder setMetadata(@Nullable byte[] metadata) {
+ mInstance.mMetadata = metadata;
+ return this;
+ }
+
+ /**
* Creates a new {@link WrappedApplicationKey} instance.
*
* @return new instance
@@ -102,9 +115,10 @@
private WrappedApplicationKey() { }
/**
- * Deprecated - consider using Builder.
+ * @deprecated Use the builder instead.
* @hide
*/
+ @Deprecated
public WrappedApplicationKey(@NonNull String alias, @NonNull byte[] encryptedKeyMaterial) {
mAlias = Preconditions.checkNotNull(alias);
mEncryptedKeyMaterial = Preconditions.checkNotNull(encryptedKeyMaterial);
@@ -124,6 +138,11 @@
return mEncryptedKeyMaterial;
}
+ /** The metadata with the key. */
+ public @Nullable byte[] getMetadata() {
+ return mMetadata;
+ }
+
public static final Parcelable.Creator<WrappedApplicationKey> CREATOR =
new Parcelable.Creator<WrappedApplicationKey>() {
public WrappedApplicationKey createFromParcel(Parcel in) {
@@ -139,6 +158,7 @@
public void writeToParcel(Parcel out, int flags) {
out.writeString(mAlias);
out.writeByteArray(mEncryptedKeyMaterial);
+ out.writeByteArray(mMetadata);
}
/**
@@ -147,6 +167,10 @@
protected WrappedApplicationKey(Parcel in) {
mAlias = in.readString();
mEncryptedKeyMaterial = in.createByteArray();
+ // Check if there is still data to be read.
+ if (in.dataAvail() > 0) {
+ mMetadata = in.createByteArray();
+ }
}
@Override