Merge "Set Secure User ID from app level."
diff --git a/keystore/java/android/security/AndroidKeyStore.java b/keystore/java/android/security/AndroidKeyStore.java
index 1c068be..c259c25 100644
--- a/keystore/java/android/security/AndroidKeyStore.java
+++ b/keystore/java/android/security/AndroidKeyStore.java
@@ -535,6 +535,12 @@
args.addInt(KeymasterDefs.KM_TAG_USER_AUTH_TYPE,
KeyStoreKeyProperties.UserAuthenticator.allToKeymaster(
params.getUserAuthenticators()));
+ long secureUserId = GateKeeper.getSecureUserId();
+ if (secureUserId == 0) {
+ throw new IllegalStateException("Secure lock screen must be enabled"
+ + " to import keys requiring user authentication");
+ }
+ args.addLong(KeymasterDefs.KM_TAG_USER_SECURE_ID, secureUserId);
}
if (params.isInvalidatedOnNewFingerprintEnrolled()) {
// TODO: Add the invalidate on fingerprint enrolled constraint once Keymaster supports
diff --git a/keystore/java/android/security/GateKeeper.java b/keystore/java/android/security/GateKeeper.java
new file mode 100644
index 0000000..c9f06e9
--- /dev/null
+++ b/keystore/java/android/security/GateKeeper.java
@@ -0,0 +1,30 @@
+package android.security;
+
+import android.os.RemoteException;
+import android.os.ServiceManager;
+import android.os.UserHandle;
+import android.service.gatekeeper.IGateKeeperService;
+
+/**
+ * Convenience class for accessing the gatekeeper service.
+ *
+ * @hide
+ */
+public abstract class GateKeeper {
+
+ private GateKeeper() {}
+
+ public static IGateKeeperService getService() {
+ return IGateKeeperService.Stub.asInterface(
+ ServiceManager.getService("android.service.gatekeeper.IGateKeeperService"));
+ }
+
+ public static long getSecureUserId() throws IllegalStateException {
+ try {
+ return GateKeeper.getService().getSecureUserId(UserHandle.myUserId());
+ } catch (RemoteException e) {
+ throw new IllegalStateException(
+ "Failed to obtain secure user ID from gatekeeper", e);
+ }
+ }
+}
diff --git a/keystore/java/android/security/KeyStoreKeyGeneratorSpi.java b/keystore/java/android/security/KeyStoreKeyGeneratorSpi.java
index 72c485a..d1abe12 100644
--- a/keystore/java/android/security/KeyStoreKeyGeneratorSpi.java
+++ b/keystore/java/android/security/KeyStoreKeyGeneratorSpi.java
@@ -167,6 +167,12 @@
args.addInt(KeymasterDefs.KM_TAG_USER_AUTH_TYPE,
KeyStoreKeyProperties.UserAuthenticator.allToKeymaster(
spec.getUserAuthenticators()));
+ long secureUserId = GateKeeper.getSecureUserId();
+ if (secureUserId == 0) {
+ throw new IllegalStateException("Secure lock screen must be enabled"
+ + " to generate keys requiring user authentication");
+ }
+ args.addLong(KeymasterDefs.KM_TAG_USER_SECURE_ID, secureUserId);
}
if (spec.isInvalidatedOnNewFingerprintEnrolled()) {
// TODO: Add the invalidate on fingerprint enrolled constraint once Keymaster supports