Robert Berry | 4a534ec | 2017-12-21 15:44:02 +0000 | [diff] [blame] | 1 | /* |
| 2 | * Copyright (C) 2017 The Android Open Source Project |
| 3 | * |
| 4 | * Licensed under the Apache License, Version 2.0 (the "License"); |
| 5 | * you may not use this file except in compliance with the License. |
| 6 | * You may obtain a copy of the License at |
| 7 | * |
| 8 | * http://www.apache.org/licenses/LICENSE-2.0 |
| 9 | * |
| 10 | * Unless required by applicable law or agreed to in writing, software |
| 11 | * distributed under the License is distributed on an "AS IS" BASIS, |
| 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| 13 | * See the License for the specific language governing permissions and |
| 14 | * limitations under the License. |
| 15 | */ |
| 16 | |
| 17 | package com.android.server.locksettings.recoverablekeystore; |
| 18 | |
Dmitry Dementyev | 0916e7c | 2018-01-23 13:02:08 -0800 | [diff] [blame] | 19 | import static android.security.keystore.recovery.KeyChainProtectionParams.TYPE_LOCKSCREEN; |
Robert Berry | bd086f1 | 2017-12-27 13:29:39 +0000 | [diff] [blame] | 20 | |
Dmitry Dementyev | abd713c | 2018-01-09 15:08:13 -0800 | [diff] [blame] | 21 | import android.annotation.Nullable; |
Robert Berry | 4a534ec | 2017-12-21 15:44:02 +0000 | [diff] [blame] | 22 | import android.content.Context; |
Bo Zhu | 7697343 | 2018-04-03 00:37:51 -0700 | [diff] [blame] | 23 | import android.security.Scrypt; |
Dmitry Dementyev | 0916e7c | 2018-01-23 13:02:08 -0800 | [diff] [blame] | 24 | import android.security.keystore.recovery.KeyChainProtectionParams; |
| 25 | import android.security.keystore.recovery.KeyChainSnapshot; |
Dmitry Dementyev | f34fc7e | 2018-03-26 17:31:29 -0700 | [diff] [blame] | 26 | import android.security.keystore.recovery.KeyDerivationParams; |
Robert Berry | 81ee34b | 2018-01-23 11:59:59 +0000 | [diff] [blame] | 27 | import android.security.keystore.recovery.WrappedApplicationKey; |
Robert Berry | 4a534ec | 2017-12-21 15:44:02 +0000 | [diff] [blame] | 28 | import android.util.Log; |
| 29 | |
| 30 | import com.android.internal.annotations.VisibleForTesting; |
Dmitry Dementyev | 122bfe1 | 2018-01-10 18:56:36 -0800 | [diff] [blame] | 31 | import com.android.internal.util.ArrayUtils; |
Robert Berry | 4a534ec | 2017-12-21 15:44:02 +0000 | [diff] [blame] | 32 | import com.android.internal.widget.LockPatternUtils; |
| 33 | import com.android.server.locksettings.recoverablekeystore.storage.RecoverableKeyStoreDb; |
Robert Berry | bd086f1 | 2017-12-27 13:29:39 +0000 | [diff] [blame] | 34 | import com.android.server.locksettings.recoverablekeystore.storage.RecoverySnapshotStorage; |
Robert Berry | 4a534ec | 2017-12-21 15:44:02 +0000 | [diff] [blame] | 35 | |
| 36 | import java.nio.ByteBuffer; |
| 37 | import java.nio.ByteOrder; |
| 38 | import java.nio.charset.StandardCharsets; |
Robert Berry | f0a4bea | 2017-12-22 13:17:32 +0000 | [diff] [blame] | 39 | import java.security.GeneralSecurityException; |
Robert Berry | 26cbb6b | 2018-01-22 21:59:30 +0000 | [diff] [blame] | 40 | import java.security.InvalidAlgorithmParameterException; |
Robert Berry | 4a534ec | 2017-12-21 15:44:02 +0000 | [diff] [blame] | 41 | import java.security.InvalidKeyException; |
| 42 | import java.security.KeyStoreException; |
| 43 | import java.security.MessageDigest; |
| 44 | import java.security.NoSuchAlgorithmException; |
| 45 | import java.security.PublicKey; |
| 46 | import java.security.SecureRandom; |
Robert Berry | f0a4bea | 2017-12-22 13:17:32 +0000 | [diff] [blame] | 47 | import java.security.UnrecoverableKeyException; |
Bo Zhu | 14d993d | 2018-02-03 21:38:48 -0800 | [diff] [blame] | 48 | import java.security.cert.CertPath; |
Bo Zhu | 6361080 | 2018-03-09 12:32:13 -0800 | [diff] [blame] | 49 | import java.security.cert.CertificateException; |
Robert Berry | bd086f1 | 2017-12-27 13:29:39 +0000 | [diff] [blame] | 50 | import java.util.ArrayList; |
| 51 | import java.util.List; |
Robert Berry | f0a4bea | 2017-12-22 13:17:32 +0000 | [diff] [blame] | 52 | import java.util.Map; |
Robert Berry | 4a534ec | 2017-12-21 15:44:02 +0000 | [diff] [blame] | 53 | |
| 54 | import javax.crypto.KeyGenerator; |
Robert Berry | f0a4bea | 2017-12-22 13:17:32 +0000 | [diff] [blame] | 55 | import javax.crypto.NoSuchPaddingException; |
Robert Berry | 4a534ec | 2017-12-21 15:44:02 +0000 | [diff] [blame] | 56 | import javax.crypto.SecretKey; |
| 57 | |
| 58 | /** |
| 59 | * Task to sync application keys to a remote vault service. |
| 60 | * |
Robert Berry | f0a4bea | 2017-12-22 13:17:32 +0000 | [diff] [blame] | 61 | * @hide |
Robert Berry | 4a534ec | 2017-12-21 15:44:02 +0000 | [diff] [blame] | 62 | */ |
| 63 | public class KeySyncTask implements Runnable { |
// Tag passed to android.util.Log by this class.
private static final String TAG = "KeySyncTask";

// Algorithm name and size for the recovery key. Neither constant is referenced in the part of
// the file visible here; presumably generateRecoveryKey() consumes them (confirm).
private static final String RECOVERY_KEY_ALGORITHM = "AES";
private static final int RECOVERY_KEY_SIZE_BITS = 256;
// Number of random bytes produced by generateSalt().
private static final int SALT_LENGTH_BYTES = 16;
// Width of each length prefix written in front of the salt and of the credential bytes in
// hashCredentialsBySaltedSha256().
private static final int LENGTH_PREFIX_BYTES = Integer.BYTES;
// Digest used by hashCredentialsBySaltedSha256(), the non-scrypt credential hash.
private static final String LOCK_SCREEN_HASH_ALGORITHM = "SHA-256";
// Packed into the vault params and recorded in the snapshot as its max-attempts value.
// Presumably the number of recovery guesses the remote vault allows (confirm).
private static final int TRUSTED_HARDWARE_MAX_ATTEMPTS = 10;

// TODO: Reduce the minimal length once all other components are updated
// NOTE(review): not referenced in the visible part of the file; presumably read by
// shouldUseScryptToHashCredential(). If it gates scrypt on credential length, shorter
// credentials take the single-pass SHA-256 path instead (confirm).
private static final int MIN_CREDENTIAL_LEN_TO_USE_SCRYPT = 24;
// Passed as memoryDifficulty to KeyDerivationParams.createScryptParams().
// NOTE(review): 4096 is a low scrypt cost compared with commonly recommended values; confirm
// it is a deliberate device-side budget.
@VisibleForTesting
static final int SCRYPT_PARAM_N = 4096;
// R, P and OUTLEN are not referenced in the visible part of the file; presumably consumed by
// hashCredentialsByScrypt() (confirm).
@VisibleForTesting
static final int SCRYPT_PARAM_R = 8;
@VisibleForTesting
static final int SCRYPT_PARAM_P = 1;
@VisibleForTesting
static final int SCRYPT_PARAM_OUTLEN_BYTES = 32;

// Key and snapshot-state database, queried and updated per (user, recovery agent).
private final RecoverableKeyStoreDb mRecoverableKeyStoreDb;
private final int mUserId;
// One of the LockPatternUtils.CREDENTIAL_TYPE_* values.
private final int mCredentialType;
// The lock screen credential that gets hashed for the snapshot.
// NOTE(review): held as an immutable String, so it cannot be zeroed after use.
private final String mCredential;
// True when this task was created because the credential changed.
private final boolean mCredentialUpdated;
private final PlatformKeyManager mPlatformKeyManager;
// Receives the finished KeyChainSnapshot, keyed by recovery agent uid.
private final RecoverySnapshotStorage mRecoverySnapshotStorage;
// Notified once a snapshot for a recovery agent has been stored.
private final RecoverySnapshotListenersStorage mSnapshotListenersStorage;
// Detects test-only root certificate aliases and restricts which credentials and keys may be
// used with them.
private final TestOnlyInsecureCertificateHelper mTestOnlyInsecureCertificateHelper;
private final Scrypt mScrypt;
Robert Berry | 4a534ec | 2017-12-21 15:44:02 +0000 | [diff] [blame] | 94 | |
/**
 * Creates a task wired to the platform key manager obtained for {@code context}, a fresh
 * {@link TestOnlyInsecureCertificateHelper} and a fresh {@link Scrypt} instance.
 *
 * @param context Context handed to {@code PlatformKeyManager.getInstance}.
 * @param recoverableKeyStoreDb Database where the keys are stored.
 * @param snapshotStorage Storage that receives the generated snapshot.
 * @param recoverySnapshotListenersStorage Listeners notified when a snapshot is available.
 * @param userId The user whose keys are synced.
 * @param credentialType The type of credential as defined in {@code LockPatternUtils}.
 * @param credential The lock screen credential.
 * @param credentialUpdated Whether the credential was updated.
 */
public static KeySyncTask newInstance(
        Context context,
        RecoverableKeyStoreDb recoverableKeyStoreDb,
        RecoverySnapshotStorage snapshotStorage,
        RecoverySnapshotListenersStorage recoverySnapshotListenersStorage,
        int userId,
        int credentialType,
        String credential,
        boolean credentialUpdated
) throws NoSuchAlgorithmException, KeyStoreException, InsecureUserException {
    // Collaborators are created in the order they are handed to the constructor.
    PlatformKeyManager platformKeyManager =
            PlatformKeyManager.getInstance(context, recoverableKeyStoreDb);
    TestOnlyInsecureCertificateHelper insecureCertificateHelper =
            new TestOnlyInsecureCertificateHelper();
    Scrypt scrypt = new Scrypt();

    return new KeySyncTask(
            recoverableKeyStoreDb,
            snapshotStorage,
            recoverySnapshotListenersStorage,
            userId,
            credentialType,
            credential,
            credentialUpdated,
            platformKeyManager,
            insecureCertificateHelper,
            scrypt);
}
| 117 | |
/**
 * A new task.
 *
 * @param recoverableKeyStoreDb Database where the keys are stored.
 * @param userId The uid of the user whose profile has been unlocked.
 * @param credentialType The type of credential as defined in {@code LockPatternUtils}
 * @param credential The credential, encoded as a {@link String}.
 * @param credentialUpdated signals whether credentials were updated.
 * @param platformKeyManager platform key manager
 * @param testOnlyInsecureCertificateHelper utility class used for end-to-end tests
 */
@VisibleForTesting
KeySyncTask(
        RecoverableKeyStoreDb recoverableKeyStoreDb,
        RecoverySnapshotStorage snapshotStorage,
        RecoverySnapshotListenersStorage recoverySnapshotListenersStorage,
        int userId,
        int credentialType,
        String credential,
        boolean credentialUpdated,
        PlatformKeyManager platformKeyManager,
        TestOnlyInsecureCertificateHelper testOnlyInsecureCertificateHelper,
        Scrypt scrypt) {
    // Storage and listener collaborators.
    mRecoverableKeyStoreDb = recoverableKeyStoreDb;
    mRecoverySnapshotStorage = snapshotStorage;
    mSnapshotListenersStorage = recoverySnapshotListenersStorage;

    // The user and the lock screen credential this task works with. The credential reference
    // is kept as passed in; no copy is made.
    mUserId = userId;
    mCredentialType = credentialType;
    mCredential = credential;
    mCredentialUpdated = credentialUpdated;

    // Injected helpers, replaceable in tests.
    mPlatformKeyManager = platformKeyManager;
    mTestOnlyInsecureCertificateHelper = testOnlyInsecureCertificateHelper;
    mScrypt = scrypt;
}
| 152 | |
/**
 * Runs the key sync while holding the {@code KeySyncTask} class lock.
 *
 * <p>Every exception is caught here and logged, so nothing propagates to the caller.
 */
@Override
public void run() {
    try {
        // The lock is class-wide, so at most one sync runs at a time even when the user
        // unlocks the phone many times in a short interval.
        synchronized (KeySyncTask.class) {
            syncKeys();
        }
    } catch (Exception unexpected) {
        Log.e(TAG, "Unexpected exception thrown during KeySyncTask", unexpected);
    }
}
| 164 | |
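/**
 * Syncs keys for every recovery agent registered for the user.
 *
 * <p>When no credential is set, the platform key of the current generation is invalidated and
 * nothing is synced. When the credential type is neither pattern nor password, the user's
 * keys are invalidated through the database and nothing is synced.
 */
private void syncKeys() {
    if (mCredentialType == LockPatternUtils.CREDENTIAL_TYPE_NONE) {
        // Application keys for the user will not be available for sync.
        Log.w(TAG, "Credentials are not set for user " + mUserId);
        int generation = mPlatformKeyManager.getGenerationId(mUserId);
        mPlatformKeyManager.invalidatePlatformKey(mUserId, generation);
        return;
    }
    if (isCustomLockScreen()) {
        // Only the credential type and user id are logged, never the credential itself.
        Log.w(TAG, "Unsupported credential type " + mCredentialType + " for user " + mUserId);
        mRecoverableKeyStoreDb.invalidateKeysForUserIdOnCustomScreenLock(mUserId);
        return;
    }

    List<Integer> recoveryAgents = mRecoverableKeyStoreDb.getRecoveryAgents(mUserId);
    if (recoveryAgents.isEmpty()) {
        Log.w(TAG, "No recovery agent initialized for user " + mUserId);
        return;
    }
    for (int uid : recoveryAgents) {
        syncKeysForAgent(uid);
    }
}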
| 187 | |
/**
 * Returns {@code true} when the credential type is none of NONE, PATTERN or PASSWORD as
 * defined in {@code LockPatternUtils}.
 */
private boolean isCustomLockScreen() {
    boolean isKnownType = mCredentialType == LockPatternUtils.CREDENTIAL_TYPE_NONE
            || mCredentialType == LockPatternUtils.CREDENTIAL_TYPE_PATTERN
            || mCredentialType == LockPatternUtils.CREDENTIAL_TYPE_PASSWORD;
    return !isKnownType;
}
| 193 | |
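/**
 * Builds a recovery snapshot for one recovery agent, stores it and notifies listeners.
 *
 * <p>In order: decides whether a snapshot is due, resolves the recovery service public key,
 * rejects non-whitelisted credentials under a test-only root certificate, hashes the lock
 * screen credential with a fresh salt, unwraps the application keys, encrypts them with a new
 * recovery key, and encrypts that recovery key for the recovery service. Every failure is
 * logged and ends the method without storing a snapshot.
 *
 * @param recoveryAgentUid uid of the recovery agent whose keys are synced.
 */
private void syncKeysForAgent(int recoveryAgentUid) {
    boolean recreateCurrentVersion = false;
    if (!shouldCreateSnapshot(recoveryAgentUid)) {
        // No new snapshot is due. Rebuild the current one only when a version is recorded in
        // the database but the snapshot is missing from snapshot storage.
        recreateCurrentVersion =
                (mRecoverableKeyStoreDb.getSnapshotVersion(mUserId, recoveryAgentUid) != null)
                && (mRecoverySnapshotStorage.get(recoveryAgentUid) == null);
        if (recreateCurrentVersion) {
            Log.d(TAG, "Recreating most recent snapshot");
        } else {
            Log.d(TAG, "Key sync not needed.");
            return;
        }
    }

    PublicKey publicKey;
    String rootCertAlias =
            mRecoverableKeyStoreDb.getActiveRootOfTrust(mUserId, recoveryAgentUid);
    rootCertAlias = mTestOnlyInsecureCertificateHelper
            .getDefaultCertificateAliasIfEmpty(rootCertAlias);

    CertPath certPath = mRecoverableKeyStoreDb.getRecoveryServiceCertPath(mUserId,
            recoveryAgentUid, rootCertAlias);
    if (certPath != null) {
        Log.d(TAG, "Using the public key in stored CertPath for syncing");
        // The key comes from the first certificate of the stored path. The path is not
        // validated here; presumably that happened before it was stored (confirm).
        publicKey = certPath.getCertificates().get(0).getPublicKey();
    } else {
        Log.d(TAG, "Using the stored raw public key for syncing");
        // NOTE(review): certPath is null on this branch and is still handed to
        // setTrustedHardwareCertPath() below; confirm the builder accepts null.
        publicKey = mRecoverableKeyStoreDb.getRecoveryServicePublicKey(mUserId,
                recoveryAgentUid);
    }
    if (publicKey == null) {
        Log.w(TAG, "Not initialized for KeySync: no public key set. Cancelling task.");
        return;
    }

    byte[] vaultHandle = mRecoverableKeyStoreDb.getServerParams(mUserId, recoveryAgentUid);
    if (vaultHandle == null) {
        Log.w(TAG, "No device ID set for user " + mUserId);
        return;
    }

    // Under a test-only root certificate the real user secret must not be used: only
    // credentials the helper whitelists for insecure mode may continue.
    if (mTestOnlyInsecureCertificateHelper.isTestOnlyCertificateAlias(rootCertAlias)) {
        Log.w(TAG, "Insecure root certificate is used by recovery agent "
                + recoveryAgentUid);
        if (mTestOnlyInsecureCertificateHelper.doesCredentialSupportInsecureMode(
                mCredentialType, mCredential)) {
            Log.w(TAG, "Whitelisted credential is used to generate snapshot by "
                    + "recovery agent "+ recoveryAgentUid);
        } else {
            Log.w(TAG, "Non whitelisted credential is used to generate recovery snapshot by "
                    + recoveryAgentUid + " - ignore attempt.");
            return; // User secret will not be used.
        }
    }

    // A fresh salt is generated for every snapshot; the same salt is published in the
    // snapshot's key derivation params below.
    boolean useScryptToHashCredential = shouldUseScryptToHashCredential(rootCertAlias);
    byte[] salt = generateSalt();
    byte[] localLskfHash;
    if (useScryptToHashCredential) {
        localLskfHash = hashCredentialsByScrypt(salt, mCredential);
    } else {
        localLskfHash = hashCredentialsBySaltedSha256(salt, mCredential);
    }
    // NOTE(review): localLskfHash, rawKeys and recoveryKey are not cleared anywhere in this
    // method; they remain on the heap until garbage collected.

    Map<String, SecretKey> rawKeys;
    try {
        rawKeys = getKeysToSync(recoveryAgentUid);
    } catch (GeneralSecurityException e) {
        Log.e(TAG, "Failed to load recoverable keys for sync", e);
        return;
    } catch (InsecureUserException e) {
        Log.wtf(TAG, "A screen unlock triggered the key sync flow, so user must have "
                + "lock screen. This should be impossible.", e);
        return;
    } catch (BadPlatformKeyException e) {
        Log.wtf(TAG, "Loaded keys for same generation ID as platform key, so "
                + "BadPlatformKeyException should be impossible.", e);
        return;
    }

    // Only include insecure key material for test
    if (mTestOnlyInsecureCertificateHelper.isTestOnlyCertificateAlias(rootCertAlias)) {
        rawKeys = mTestOnlyInsecureCertificateHelper.keepOnlyWhitelistedInsecureKeys(rawKeys);
    }
    SecretKey recoveryKey;
    try {
        recoveryKey = generateRecoveryKey();
    } catch (NoSuchAlgorithmException e) {
        // Pass TAG explicitly: the two-argument Log.wtf(String, Throwable) overload would
        // treat the message as the log tag.
        Log.wtf(TAG, "AES should never be unavailable", e);
        return;
    }

    Map<String, byte[]> encryptedApplicationKeys;
    try {
        encryptedApplicationKeys = KeySyncUtils.encryptKeysWithRecoveryKey(
                recoveryKey, rawKeys);
    } catch (InvalidKeyException | NoSuchAlgorithmException e) {
        Log.wtf(TAG,
                "Should be impossible: could not encrypt application keys with random key",
                e);
        return;
    }

    Long counterId;
    // counter id is generated exactly once for each credentials value.
    if (mCredentialUpdated) {
        counterId = generateAndStoreCounterId(recoveryAgentUid);
    } else {
        counterId = mRecoverableKeyStoreDb.getCounterId(mUserId, recoveryAgentUid);
        if (counterId == null) {
            counterId = generateAndStoreCounterId(recoveryAgentUid);
        }
    }

    byte[] vaultParams = KeySyncUtils.packVaultParams(
            publicKey,
            counterId,
            TRUSTED_HARDWARE_MAX_ATTEMPTS,
            vaultHandle);

    // The recovery key is encrypted for the recovery service public key together with the
    // credential hash and the vault params.
    byte[] encryptedRecoveryKey;
    try {
        encryptedRecoveryKey = KeySyncUtils.thmEncryptRecoveryKey(
                publicKey,
                localLskfHash,
                vaultParams,
                recoveryKey);
    } catch (NoSuchAlgorithmException e) {
        Log.wtf(TAG, "SecureBox encrypt algorithms unavailable", e);
        return;
    } catch (InvalidKeyException e) {
        Log.e(TAG, "Could not encrypt with recovery key", e);
        return;
    }
    KeyDerivationParams keyDerivationParams;
    if (useScryptToHashCredential) {
        keyDerivationParams = KeyDerivationParams.createScryptParams(
                salt, /*memoryDifficulty=*/ SCRYPT_PARAM_N);
    } else {
        keyDerivationParams = KeyDerivationParams.createSha256Params(salt);
    }
    // The snapshot metadata carries an empty secret: the credential and its hash are not
    // placed in the protection params.
    KeyChainProtectionParams metadata = new KeyChainProtectionParams.Builder()
            .setUserSecretType(TYPE_LOCKSCREEN)
            .setLockScreenUiFormat(getUiFormat(mCredentialType, mCredential))
            .setKeyDerivationParams(keyDerivationParams)
            .setSecret(new byte[0])
            .build();

    ArrayList<KeyChainProtectionParams> metadataList = new ArrayList<>();
    metadataList.add(metadata);

    // If application keys are not updated, snapshot will not be created on next unlock.
    mRecoverableKeyStoreDb.setShouldCreateSnapshot(mUserId, recoveryAgentUid, false);

    KeyChainSnapshot.Builder keyChainSnapshotBuilder = new KeyChainSnapshot.Builder()
            .setSnapshotVersion(getSnapshotVersion(recoveryAgentUid, recreateCurrentVersion))
            .setMaxAttempts(TRUSTED_HARDWARE_MAX_ATTEMPTS)
            .setCounterId(counterId)
            .setTrustedHardwarePublicKey(SecureBox.encodePublicKey(publicKey))
            .setServerParams(vaultHandle)
            .setKeyChainProtectionParams(metadataList)
            .setWrappedApplicationKeys(createApplicationKeyEntries(encryptedApplicationKeys))
            .setEncryptedRecoveryKeyBlob(encryptedRecoveryKey);
    try {
        keyChainSnapshotBuilder.setTrustedHardwareCertPath(certPath);
    } catch (CertificateException e) {
        // Should not happen, as it's just deserialized from bytes stored in the db
        Log.wtf(TAG, "Cannot serialize CertPath when calling setTrustedHardwareCertPath", e);
        return;
    }
    mRecoverySnapshotStorage.put(recoveryAgentUid, keyChainSnapshotBuilder.build());
    mSnapshotListenersStorage.recoverySnapshotAvailable(recoveryAgentUid);
}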
| 367 | |
/**
 * Computes the version for the snapshot being built and writes it back to the database.
 *
 * <p>Despite the name, this method has a side effect: the returned version is also stored
 * through {@code setSnapshotVersion}.
 *
 * @param recoveryAgentUid uid of the recovery agent.
 * @param recreateCurrentVersion when {@code true} the stored version is reused instead of
 *     being incremented.
 * @return the version, narrowed from {@code long} to {@code int}.
 */
@VisibleForTesting
int getSnapshotVersion(int recoveryAgentUid, boolean recreateCurrentVersion) {
    Long storedVersion = mRecoverableKeyStoreDb.getSnapshotVersion(mUserId, recoveryAgentUid);

    long version;
    if (storedVersion == null) {
        // No version recorded yet: start at 1. When recreating, the version shouldn't be
        // null at this moment, but the same fallback applies.
        version = 1;
    } else if (recreateCurrentVersion) {
        version = storedVersion;
    } else {
        version = storedVersion + 1;
    }

    mRecoverableKeyStoreDb.setSnapshotVersion(mUserId, recoveryAgentUid, version);
    return (int) version;
}
| 381 | |
/**
 * Draws a random 64-bit counter id from a new {@link SecureRandom} and stores it in the
 * database for this user and recovery agent.
 *
 * @param recoveryAgentUid uid of the recovery agent.
 * @return the counter id that was stored.
 */
private long generateAndStoreCounterId(int recoveryAgentUid) {
    SecureRandom random = new SecureRandom();
    long counterId = random.nextLong();
    mRecoverableKeyStoreDb.setCounterId(mUserId, recoveryAgentUid, counterId);
    return counterId;
}
| 387 | |
| 388 | /** |
Robert Berry | f0a4bea | 2017-12-22 13:17:32 +0000 | [diff] [blame] | 389 | * Returns all of the recoverable keys for the user. |
| 390 | */ |
private Map<String, SecretKey> getKeysToSync(int recoveryAgentUid)
        throws InsecureUserException, KeyStoreException, UnrecoverableKeyException,
        NoSuchAlgorithmException, NoSuchPaddingException, BadPlatformKeyException,
        InvalidKeyException, InvalidAlgorithmParameterException {
    PlatformDecryptionKey platformKey = mPlatformKeyManager.getDecryptKey(mUserId);

    // Only keys wrapped under the same generation as the decryption key are loaded.
    int generationId = platformKey.getGenerationId();
    Map<String, WrappedKey> wrappedByAlias =
            mRecoverableKeyStoreDb.getAllKeys(mUserId, recoveryAgentUid, generationId);

    // The returned map holds unwrapped key material.
    return WrappedKey.unwrapKeys(platformKey, wrappedByAlias);
}
| 400 | |
| 401 | /** |
| 402 | * Returns {@code true} if a sync is pending. |
Dmitry Dementyev | 77183ef | 2018-01-05 15:46:00 -0800 | [diff] [blame] | 403 | * @param recoveryAgentUid uid of the recovery agent. |
Robert Berry | f0a4bea | 2017-12-22 13:17:32 +0000 | [diff] [blame] | 404 | */ |
private boolean shouldCreateSnapshot(int recoveryAgentUid) {
    int[] secretTypes =
            mRecoverableKeyStoreDb.getRecoverySecretTypes(mUserId, recoveryAgentUid);
    boolean usesLockScreenSecret =
            ArrayUtils.contains(secretTypes, KeyChainProtectionParams.TYPE_LOCKSCREEN);
    if (!usesLockScreenSecret) {
        // Only lockscreen type is supported.
        // We will need to pass extra argument to KeySyncTask to support custom pass phrase.
        return false;
    }

    // Sync credential if at least one snapshot was created. The version lookup only happens
    // when the credential was updated.
    boolean credentialChangedAfterSnapshot = mCredentialUpdated
            && mRecoverableKeyStoreDb.getSnapshotVersion(mUserId, recoveryAgentUid) != null;
    if (credentialChangedAfterSnapshot) {
        // Side effect: the pending flag is persisted before reporting true.
        mRecoverableKeyStoreDb.setShouldCreateSnapshot(mUserId, recoveryAgentUid, true);
        return true;
    }

    return mRecoverableKeyStoreDb.getShouldCreateSnapshot(mUserId, recoveryAgentUid);
}
| 422 | |
| 423 | /** |
Robert Berry | 4a534ec | 2017-12-21 15:44:02 +0000 | [diff] [blame] | 424 | * The UI best suited to entering the given lock screen. This is synced with the vault so the |
| 425 | * user can be shown the same UI when recovering the vault on another device. |
| 426 | * |
| 427 | * @return The format - either pattern, pin, or password. |
| 428 | */ |
@VisibleForTesting
@KeyChainProtectionParams.LockScreenUiFormat static int getUiFormat(
        int credentialType, String credential) {
    if (credentialType == LockPatternUtils.CREDENTIAL_TYPE_PATTERN) {
        return KeyChainProtectionParams.UI_FORMAT_PATTERN;
    }
    // Every other credential type is classified by its content: all digits means PIN,
    // anything else means password.
    return isPin(credential)
            ? KeyChainProtectionParams.UI_FORMAT_PIN
            : KeyChainProtectionParams.UI_FORMAT_PASSWORD;
}
| 440 | |
| 441 | /** |
| 442 | * Generates a salt to include with the lock screen hash. |
| 443 | * |
| 444 | * @return The salt. |
| 445 | */ |
private byte[] generateSalt() {
    // SALT_LENGTH_BYTES random bytes drawn from a new SecureRandom on every call.
    byte[] saltBytes = new byte[SALT_LENGTH_BYTES];
    SecureRandom random = new SecureRandom();
    random.nextBytes(saltBytes);
    return saltBytes;
}
| 451 | |
| 452 | /** |
| 453 | * Returns {@code true} if {@code credential} looks like a pin. |
| 454 | */ |
@VisibleForTesting
static boolean isPin(@Nullable String credential) {
    // null is never a pin. Otherwise every char must satisfy Character.isDigit.
    // NOTE(review): Character.isDigit accepts any Unicode decimal digit, not only ASCII 0-9,
    // and an empty string passes vacuously. Both follow from the check below; confirm that
    // callers are fine with either being reported as a pin.
    return credential != null && credential.chars().allMatch(Character::isDigit);
}
| 468 | |
| 469 | /** |
| 470 | * Hashes {@code credentials} with the given {@code salt}. |
| 471 | * |
| 472 | * @return The SHA-256 hash. |
| 473 | */ |
@VisibleForTesting
static byte[] hashCredentialsBySaltedSha256(byte[] salt, String credentials) {
    final byte[] secretBytes = credentials.getBytes(StandardCharsets.UTF_8);

    // Digest input layout, little-endian lengths:
    //   [int salt.length][salt][int secretBytes.length][secretBytes]
    // The length prefixes keep the salt/credential boundary unambiguous, so different
    // (salt, credential) pairs cannot serialise to the same byte string.
    final int inputSize = salt.length + secretBytes.length + LENGTH_PREFIX_BYTES * 2;
    final byte[] digestInput = ByteBuffer.allocate(inputSize)
            .order(ByteOrder.LITTLE_ENDIAN)
            .putInt(salt.length)
            .put(salt)
            .putInt(secretBytes.length)
            .put(secretBytes)
            .array();

    // NOTE(review): secretBytes and digestInput hold the plaintext credential and are left for
    // the garbage collector; the credential also arrives as an immutable String, so clearing
    // the arrays here would not remove every copy.
    // NOTE(review): this is a single unkeyed digest pass, which is cheap to compute for a
    // low-entropy lock screen secret; any guess limiting has to come from elsewhere in the
    // protocol - confirm.
    final MessageDigest digest;
    try {
        digest = MessageDigest.getInstance(LOCK_SCREEN_HASH_ALGORITHM);
    } catch (NoSuchAlgorithmException e) {
        // Impossible, SHA-256 must be supported on Android.
        throw new RuntimeException(e);
    }
    return digest.digest(digestInput);
}
| 493 | |
/**
 * Hashes {@code credentials} with scrypt, using {@code salt} and the SCRYPT_PARAM_* constants
 * of this class.
 *
 * @param salt The salt passed to scrypt.
 * @param credentials The credential; it is encoded as UTF-8 before hashing.
 * @return The bytes returned by {@code mScrypt.scrypt} (presumably SCRYPT_PARAM_OUTLEN_BYTES
 *     long - confirm against the Scrypt helper).
 */
private byte[] hashCredentialsByScrypt(byte[] salt, String credentials) {
    // NOTE(review): this UTF-8 copy of the credential is not cleared after use.
    final byte[] secretBytes = credentials.getBytes(StandardCharsets.UTF_8);
    return mScrypt.scrypt(
            secretBytes,
            salt,
            SCRYPT_PARAM_N,
            SCRYPT_PARAM_R,
            SCRYPT_PARAM_P,
            SCRYPT_PARAM_OUTLEN_BYTES);
}
| 499 | |
/**
 * Generates a fresh recovery key of RECOVERY_KEY_SIZE_BITS bits for RECOVERY_KEY_ALGORITHM.
 *
 * @return The newly generated key.
 * @throws NoSuchAlgorithmException if no provider offers RECOVERY_KEY_ALGORITHM.
 */
private static SecretKey generateRecoveryKey() throws NoSuchAlgorithmException {
    final KeyGenerator generator = KeyGenerator.getInstance(RECOVERY_KEY_ALGORITHM);
    // init(int) takes no explicit SecureRandom, so the key material comes from the
    // platform's default secure random source.
    generator.init(RECOVERY_KEY_SIZE_BITS);
    final SecretKey recoveryKey = generator.generateKey();
    return recoveryKey;
}
Robert Berry | f0a4bea | 2017-12-22 13:17:32 +0000 | [diff] [blame] | 505 | |
/**
 * Converts a map of alias to encrypted key material into a list of
 * {@link WrappedApplicationKey} entries, one per map entry.
 *
 * @param encryptedApplicationKeys Encrypted key material keyed by alias.
 * @return A new list holding one entry per alias, in the map's iteration order.
 */
private static List<WrappedApplicationKey> createApplicationKeyEntries(
        Map<String, byte[]> encryptedApplicationKeys) {
    final List<WrappedApplicationKey> wrappedKeys = new ArrayList<>();
    for (Map.Entry<String, byte[]> entry : encryptedApplicationKeys.entrySet()) {
        // The byte[] is handed to the builder as-is; no copy is made here.
        final WrappedApplicationKey wrapped = new WrappedApplicationKey.Builder()
                .setAlias(entry.getKey())
                .setEncryptedKeyMaterial(entry.getValue())
                .build();
        wrappedKeys.add(wrapped);
    }
    return wrappedKeys;
}
Bo Zhu | 7697343 | 2018-04-03 00:37:51 -0700 | [diff] [blame] | 517 | |
/**
 * Decides whether the credential should be hashed with scrypt.
 *
 * <p>Returns {@code true} only when all three hold: the credential type is a password, the
 * credential has at least MIN_CREDENTIAL_LEN_TO_USE_SCRYPT chars, and {@code rootCertAlias} is
 * a test-only certificate alias.
 *
 * <p>NOTE(review): because of the third condition, scrypt is selected only for the test-only
 * certificate. Presumably every other alias falls back to the salted SHA-256 hash until the
 * TODO below is resolved - verify at the call site.
 *
 * @param rootCertAlias Alias of the root certificate in use.
 */
private boolean shouldUseScryptToHashCredential(String rootCertAlias) {
    if (mCredentialType != LockPatternUtils.CREDENTIAL_TYPE_PASSWORD) {
        return false;
    }
    if (mCredential.length() < MIN_CREDENTIAL_LEN_TO_USE_SCRYPT) {
        return false;
    }
    // TODO: Remove the test cert check once all other components are updated
    return mTestOnlyInsecureCertificateHelper.isTestOnlyCertificateAlias(rootCertAlias);
}
Robert Berry | 4a534ec | 2017-12-21 15:44:02 +0000 | [diff] [blame] | 524 | } |