Keymaster key validity dates are optional.
This CL makes Android Keystore framework code add
KM_TAG_ACTIVE_DATETIME, KM_TAG_ORIGINATION_EXPIRE_DATETIME, and
KM_TAG_USAGE_EXPIRE_DATETIME tags to the authorizations set only
if the corresponding time instants were specified through the
framework-level API. This is fine because these tags are optional as
it turns out.
Bug: 18088752
Change-Id: I6a5ae4cadb441e61576231815e6bec6e9248bc72
diff --git a/core/java/android/security/keymaster/KeymasterArguments.java b/core/java/android/security/keymaster/KeymasterArguments.java
index 82f65c7..363376c 100644
--- a/core/java/android/security/keymaster/KeymasterArguments.java
+++ b/core/java/android/security/keymaster/KeymasterArguments.java
@@ -85,6 +85,12 @@
mArguments.add(new KeymasterDateArgument(tag, value));
}
+ public void addDateIfNotNull(int tag, Date value) {
+ if (value != null) {
+ mArguments.add(new KeymasterDateArgument(tag, value));
+ }
+ }
+
private KeymasterArgument getArgumentByTag(int tag) {
for (KeymasterArgument arg : mArguments) {
if (arg.tag == tag) {
diff --git a/keystore/java/android/security/keystore/AndroidKeyStoreKeyGeneratorSpi.java b/keystore/java/android/security/keystore/AndroidKeyStoreKeyGeneratorSpi.java
index 688936c..66509e2 100644
--- a/keystore/java/android/security/keystore/AndroidKeyStoreKeyGeneratorSpi.java
+++ b/keystore/java/android/security/keystore/AndroidKeyStoreKeyGeneratorSpi.java
@@ -31,7 +31,6 @@
import java.security.SecureRandom;
import java.security.spec.AlgorithmParameterSpec;
import java.util.Arrays;
-import java.util.Date;
import javax.crypto.KeyGeneratorSpi;
import javax.crypto.SecretKey;
@@ -278,15 +277,11 @@
KeymasterUtils.addUserAuthArgs(args,
spec.isUserAuthenticationRequired(),
spec.getUserAuthenticationValidityDurationSeconds());
- args.addDate(KeymasterDefs.KM_TAG_ACTIVE_DATETIME,
- (spec.getKeyValidityStart() != null)
- ? spec.getKeyValidityStart() : new Date(0));
- args.addDate(KeymasterDefs.KM_TAG_ORIGINATION_EXPIRE_DATETIME,
- (spec.getKeyValidityForOriginationEnd() != null)
- ? spec.getKeyValidityForOriginationEnd() : new Date(Long.MAX_VALUE));
- args.addDate(KeymasterDefs.KM_TAG_USAGE_EXPIRE_DATETIME,
- (spec.getKeyValidityForConsumptionEnd() != null)
- ? spec.getKeyValidityForConsumptionEnd() : new Date(Long.MAX_VALUE));
+ args.addDateIfNotNull(KeymasterDefs.KM_TAG_ACTIVE_DATETIME, spec.getKeyValidityStart());
+ args.addDateIfNotNull(KeymasterDefs.KM_TAG_ORIGINATION_EXPIRE_DATETIME,
+ spec.getKeyValidityForOriginationEnd());
+ args.addDateIfNotNull(KeymasterDefs.KM_TAG_USAGE_EXPIRE_DATETIME,
+ spec.getKeyValidityForConsumptionEnd());
if (((spec.getPurposes() & KeyProperties.PURPOSE_ENCRYPT) != 0)
&& (!spec.isRandomizedEncryptionRequired())) {
diff --git a/keystore/java/android/security/keystore/AndroidKeyStoreKeyPairGeneratorSpi.java b/keystore/java/android/security/keystore/AndroidKeyStoreKeyPairGeneratorSpi.java
index f7ff07f..532b330 100644
--- a/keystore/java/android/security/keystore/AndroidKeyStoreKeyPairGeneratorSpi.java
+++ b/keystore/java/android/security/keystore/AndroidKeyStoreKeyPairGeneratorSpi.java
@@ -415,15 +415,11 @@
KeymasterUtils.addUserAuthArgs(args,
mSpec.isUserAuthenticationRequired(),
mSpec.getUserAuthenticationValidityDurationSeconds());
- args.addDate(KeymasterDefs.KM_TAG_ACTIVE_DATETIME,
- (mSpec.getKeyValidityStart() != null)
- ? mSpec.getKeyValidityStart() : new Date(0));
- args.addDate(KeymasterDefs.KM_TAG_ORIGINATION_EXPIRE_DATETIME,
- (mSpec.getKeyValidityForOriginationEnd() != null)
- ? mSpec.getKeyValidityForOriginationEnd() : new Date(Long.MAX_VALUE));
- args.addDate(KeymasterDefs.KM_TAG_USAGE_EXPIRE_DATETIME,
- (mSpec.getKeyValidityForConsumptionEnd() != null)
- ? mSpec.getKeyValidityForConsumptionEnd() : new Date(Long.MAX_VALUE));
+ args.addDateIfNotNull(KeymasterDefs.KM_TAG_ACTIVE_DATETIME, mSpec.getKeyValidityStart());
+ args.addDateIfNotNull(KeymasterDefs.KM_TAG_ORIGINATION_EXPIRE_DATETIME,
+ mSpec.getKeyValidityForOriginationEnd());
+ args.addDateIfNotNull(KeymasterDefs.KM_TAG_USAGE_EXPIRE_DATETIME,
+ mSpec.getKeyValidityForConsumptionEnd());
addAlgorithmSpecificParameters(args);
byte[] additionalEntropy =
diff --git a/keystore/java/android/security/keystore/AndroidKeyStoreSecretKeyFactorySpi.java b/keystore/java/android/security/keystore/AndroidKeyStoreSecretKeyFactorySpi.java
index 8b00821..7887923 100644
--- a/keystore/java/android/security/keystore/AndroidKeyStoreSecretKeyFactorySpi.java
+++ b/keystore/java/android/security/keystore/AndroidKeyStoreSecretKeyFactorySpi.java
@@ -147,21 +147,10 @@
}
Date keyValidityStart = keyCharacteristics.getDate(KeymasterDefs.KM_TAG_ACTIVE_DATETIME);
- if ((keyValidityStart != null) && (keyValidityStart.getTime() <= 0)) {
- keyValidityStart = null;
- }
Date keyValidityForOriginationEnd =
keyCharacteristics.getDate(KeymasterDefs.KM_TAG_ORIGINATION_EXPIRE_DATETIME);
- if ((keyValidityForOriginationEnd != null)
- && (keyValidityForOriginationEnd.getTime() == Long.MAX_VALUE)) {
- keyValidityForOriginationEnd = null;
- }
Date keyValidityForConsumptionEnd =
keyCharacteristics.getDate(KeymasterDefs.KM_TAG_USAGE_EXPIRE_DATETIME);
- if ((keyValidityForConsumptionEnd != null)
- && (keyValidityForConsumptionEnd.getTime() == Long.MAX_VALUE)) {
- keyValidityForConsumptionEnd = null;
- }
boolean userAuthenticationRequired =
!keyCharacteristics.getBoolean(KeymasterDefs.KM_TAG_NO_AUTH_REQUIRED);
int userAuthenticationValidityDurationSeconds =
diff --git a/keystore/java/android/security/keystore/AndroidKeyStoreSpi.java b/keystore/java/android/security/keystore/AndroidKeyStoreSpi.java
index 5fb589e..084e30e 100644
--- a/keystore/java/android/security/keystore/AndroidKeyStoreSpi.java
+++ b/keystore/java/android/security/keystore/AndroidKeyStoreSpi.java
@@ -435,17 +435,12 @@
KeymasterUtils.addUserAuthArgs(importArgs,
spec.isUserAuthenticationRequired(),
spec.getUserAuthenticationValidityDurationSeconds());
- importArgs.addDate(KeymasterDefs.KM_TAG_ACTIVE_DATETIME,
- (spec.getKeyValidityStart() != null)
- ? spec.getKeyValidityStart() : new Date(0));
- importArgs.addDate(KeymasterDefs.KM_TAG_ORIGINATION_EXPIRE_DATETIME,
- (spec.getKeyValidityForOriginationEnd() != null)
- ? spec.getKeyValidityForOriginationEnd()
- : new Date(Long.MAX_VALUE));
- importArgs.addDate(KeymasterDefs.KM_TAG_USAGE_EXPIRE_DATETIME,
- (spec.getKeyValidityForConsumptionEnd() != null)
- ? spec.getKeyValidityForConsumptionEnd()
- : new Date(Long.MAX_VALUE));
+ importArgs.addDateIfNotNull(KeymasterDefs.KM_TAG_ACTIVE_DATETIME,
+ spec.getKeyValidityStart());
+ importArgs.addDateIfNotNull(KeymasterDefs.KM_TAG_ORIGINATION_EXPIRE_DATETIME,
+ spec.getKeyValidityForOriginationEnd());
+ importArgs.addDateIfNotNull(KeymasterDefs.KM_TAG_USAGE_EXPIRE_DATETIME,
+ spec.getKeyValidityForConsumptionEnd());
} catch (IllegalArgumentException e) {
throw new KeyStoreException("Invalid parameter", e);
}
@@ -646,15 +641,11 @@
KeymasterUtils.addUserAuthArgs(args,
params.isUserAuthenticationRequired(),
params.getUserAuthenticationValidityDurationSeconds());
- args.addDate(KeymasterDefs.KM_TAG_ACTIVE_DATETIME,
- (params.getKeyValidityStart() != null)
- ? params.getKeyValidityStart() : new Date(0));
- args.addDate(KeymasterDefs.KM_TAG_ORIGINATION_EXPIRE_DATETIME,
- (params.getKeyValidityForOriginationEnd() != null)
- ? params.getKeyValidityForOriginationEnd() : new Date(Long.MAX_VALUE));
- args.addDate(KeymasterDefs.KM_TAG_USAGE_EXPIRE_DATETIME,
- (params.getKeyValidityForConsumptionEnd() != null)
- ? params.getKeyValidityForConsumptionEnd() : new Date(Long.MAX_VALUE));
+ args.addDateIfNotNull(KeymasterDefs.KM_TAG_ACTIVE_DATETIME, params.getKeyValidityStart());
+ args.addDateIfNotNull(KeymasterDefs.KM_TAG_ORIGINATION_EXPIRE_DATETIME,
+ params.getKeyValidityForOriginationEnd());
+ args.addDateIfNotNull(KeymasterDefs.KM_TAG_USAGE_EXPIRE_DATETIME,
+ params.getKeyValidityForConsumptionEnd());
if (((purposes & KeyProperties.PURPOSE_ENCRYPT) != 0)
&& (!params.isRandomizedEncryptionRequired())) {