Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / frameworks / base / 50c96d39029506442a06f8d4055d67a7736fd654 / . / core / java / android / security / recoverablekeystore / RecoverableKeyStoreLoader.java
blob: b5ec79567734d1c6fc0fba0599ad71ad0c973784 [file] [log] [blame]
Dmitry Dementyev8eaf6072017-12-06 19:05:33 -0800[diff] [blame]1/*
2 * Copyright (C) 2017 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17package android.security.recoverablekeystore;
18
19import android.annotation.NonNull;
20import android.annotation.Nullable;
Dmitry Dementyevb8b030b2017-12-19 11:02:54 -0800[diff] [blame]21import android.app.PendingIntent;
Dmitry Dementyev8eaf6072017-12-06 19:05:33 -0800[diff] [blame]22import android.content.pm.PackageManager.NameNotFoundException;
Dmitry Dementyev1aa96132017-12-11 11:33:12 -0800[diff] [blame]23import android.os.RemoteException;
Dmitry Dementyev8eaf6072017-12-06 19:05:33 -0800[diff] [blame]24import android.os.ServiceManager;
Dmitry Dementyev1aa96132017-12-11 11:33:12 -0800[diff] [blame]25import android.os.ServiceSpecificException;
Dmitry Dementyev1aa96132017-12-11 11:33:12 -0800[diff] [blame]26import android.security.KeyStore;
27import android.util.AndroidException;
Dmitry Dementyev8eaf6072017-12-06 19:05:33 -0800[diff] [blame]28
29import com.android.internal.widget.ILockSettings;
30
31import java.util.List;
Dmitry Dementyevb8b030b2017-12-19 11:02:54 -0800[diff] [blame]32import java.util.Map;
Dmitry Dementyev8eaf6072017-12-06 19:05:33 -0800[diff] [blame]33
34/**
Dmitry Dementyev1aa96132017-12-11 11:33:12 -0800[diff] [blame]35 * A wrapper around KeyStore which lets key be exported to trusted hardware on server side and
36 * recovered later.
Dmitry Dementyev8eaf6072017-12-06 19:05:33 -0800[diff] [blame]37 *
38 * @hide
39 */
Dmitry Dementyev1aa96132017-12-11 11:33:12 -0800[diff] [blame]40public class RecoverableKeyStoreLoader {
Dmitry Dementyev8eaf6072017-12-06 19:05:33 -0800[diff] [blame]41
Dmitry Dementyev1aa96132017-12-11 11:33:12 -0800[diff] [blame]42 public static final String PERMISSION_RECOVER_KEYSTORE = "android.permission.RECOVER_KEYSTORE";
Dmitry Dementyev8eaf6072017-12-06 19:05:33 -0800[diff] [blame]43
Dmitry Dementyev1aa96132017-12-11 11:33:12 -0800[diff] [blame]44 public static final int NO_ERROR = KeyStore.NO_ERROR;
45 public static final int SYSTEM_ERROR = KeyStore.SYSTEM_ERROR;
Robert Berry97e55582018-01-05 12:43:13 +0000[diff] [blame]46
47 /**
48 * Failed because the loader has not been initialized with a recovery public key yet.
49 */
Dmitry Dementyev14298312018-01-04 15:19:19 -0800[diff] [blame]50 public static final int ERROR_UNINITIALIZED_RECOVERY_PUBLIC_KEY = 20;
Robert Berry97e55582018-01-05 12:43:13 +0000[diff] [blame]51
52 /**
53 * Failed because no snapshot is yet pending to be synced for the user.
54 */
Dmitry Dementyev14298312018-01-04 15:19:19 -0800[diff] [blame]55 public static final int ERROR_NO_SNAPSHOT_PENDING = 21;
Robert Berry97e55582018-01-05 12:43:13 +0000[diff] [blame]56
57 /**
58 * Failed due to an error internal to AndroidKeyStore.
59 */
Dmitry Dementyev14298312018-01-04 15:19:19 -0800[diff] [blame]60 public static final int ERROR_KEYSTORE_INTERNAL_ERROR = 22;
Robert Berry97e55582018-01-05 12:43:13 +0000[diff] [blame]61
62 /**
63 * Failed because the user does not have a lock screen set.
64 */
Dmitry Dementyev14298312018-01-04 15:19:19 -0800[diff] [blame]65 public static final int ERROR_INSECURE_USER = 24;
Robert Berrybd086f12017-12-27 13:29:39 +0000[diff] [blame]66
Dmitry Dementyevb8b030b2017-12-19 11:02:54 -0800[diff] [blame]67 /**
Robert Berry97e55582018-01-05 12:43:13 +0000[diff] [blame]68 * Failed because of an internal database error.
69 */
70 public static final int ERROR_DATABASE_ERROR = 25;
71
72 /**
73 * Failed because the provided certificate was not a valid X509 certificate.
74 */
75 public static final int ERROR_BAD_X509_CERTIFICATE = 26;
76
77 /**
78 * Should never be thrown - some algorithm that all AOSP implementations must support is
79 * not available.
80 */
81 public static final int ERROR_UNEXPECTED_MISSING_ALGORITHM = 27;
82
83 /**
84 * The caller is attempting to perform an operation that is not yet fully supported in the API.
85 */
86 public static final int ERROR_NOT_YET_SUPPORTED = 28;
87
88 /**
89 * Error thrown if decryption failed. This might be because the tag is wrong, the key is wrong,
90 * the data has become corrupted, the data has been tampered with, etc.
91 */
92 public static final int ERROR_DECRYPTION_FAILED = 29;
93
94 /**
Dmitry Dementyevb8b030b2017-12-19 11:02:54 -0800[diff] [blame]95 * Rate limit is enforced to prevent using too many trusted remote devices, since each device
96 * can have its own number of user secret guesses allowed.
97 *
98 * @hide
99 */
Robert Berry97e55582018-01-05 12:43:13 +0000[diff] [blame]100 public static final int ERROR_RATE_LIMIT_EXCEEDED = 30;
Dmitry Dementyev8eaf6072017-12-06 19:05:33 -0800[diff] [blame]101
Dmitry Dementyevb8b030b2017-12-19 11:02:54 -0800[diff] [blame]102 /** Key has been successfully synced. */
103 public static final int RECOVERY_STATUS_SYNCED = 0;
104 /** Waiting for recovery agent to sync the key. */
105 public static final int RECOVERY_STATUS_SYNC_IN_PROGRESS = 1;
106 /** Recovery account is not available. */
107 public static final int RECOVERY_STATUS_MISSING_ACCOUNT = 2;
108 /** Key cannot be synced. */
109 public static final int RECOVERY_STATUS_PERMANENT_FAILURE = 3;
110
Dmitry Dementyev1aa96132017-12-11 11:33:12 -0800[diff] [blame]111 private final ILockSettings mBinder;
112
Dmitry Dementyev8eaf6072017-12-06 19:05:33 -0800[diff] [blame]113 private RecoverableKeyStoreLoader(ILockSettings binder) {
114 mBinder = binder;
115 }
116
Dmitry Dementyev1aa96132017-12-11 11:33:12 -0800[diff] [blame]117 /** @hide */
Dmitry Dementyev8eaf6072017-12-06 19:05:33 -0800[diff] [blame]118 public static RecoverableKeyStoreLoader getInstance() {
119 ILockSettings lockSettings =
120 ILockSettings.Stub.asInterface(ServiceManager.getService("lock_settings"));
121 return new RecoverableKeyStoreLoader(lockSettings);
122 }
123
124 /**
Dmitry Dementyev1aa96132017-12-11 11:33:12 -0800[diff] [blame]125 * Exceptions returned by {@link RecoverableKeyStoreLoader}.
126 *
Dmitry Dementyev8eaf6072017-12-06 19:05:33 -0800[diff] [blame]127 * @hide
128 */
Dmitry Dementyev1aa96132017-12-11 11:33:12 -0800[diff] [blame]129 public static class RecoverableKeyStoreLoaderException extends AndroidException {
130 private int mErrorCode;
Dmitry Dementyev8eaf6072017-12-06 19:05:33 -0800[diff] [blame]131
Dmitry Dementyev1aa96132017-12-11 11:33:12 -0800[diff] [blame]132 /**
133 * Creates new {@link #RecoverableKeyStoreLoaderException} instance from the error code.
134 *
Robert Berry97e55582018-01-05 12:43:13 +0000[diff] [blame]135 * @param errorCode An error code, as listed at the top of this file.
136 * @param message The associated error message.
Dmitry Dementyev1aa96132017-12-11 11:33:12 -0800[diff] [blame]137 * @hide
138 */
Robert Berry97e55582018-01-05 12:43:13 +0000[diff] [blame]139 public static RecoverableKeyStoreLoaderException fromErrorCode(
140 int errorCode, String message) {
141 return new RecoverableKeyStoreLoaderException(errorCode, message);
Dmitry Dementyev8eaf6072017-12-06 19:05:33 -0800[diff] [blame]142 }
143
Dmitry Dementyev1aa96132017-12-11 11:33:12 -0800[diff] [blame]144 /**
145 * Creates new {@link #RecoverableKeyStoreLoaderException} from {@link
146 * ServiceSpecificException}.
147 *
148 * @param e exception thrown on service side.
149 * @hide
150 */
151 static RecoverableKeyStoreLoaderException fromServiceSpecificException(
152 ServiceSpecificException e) throws RecoverableKeyStoreLoaderException {
Robert Berry97e55582018-01-05 12:43:13 +0000[diff] [blame]153 throw RecoverableKeyStoreLoaderException.fromErrorCode(e.errorCode, e.getMessage());
Dmitry Dementyev1aa96132017-12-11 11:33:12 -0800[diff] [blame]154 }
155
156 private RecoverableKeyStoreLoaderException(int errorCode, String message) {
157 super(message);
Robert Berry97e55582018-01-05 12:43:13 +0000[diff] [blame]158 mErrorCode = errorCode;
Dmitry Dementyev1aa96132017-12-11 11:33:12 -0800[diff] [blame]159 }
160
161 /** Returns errorCode. */
Dmitry Dementyev8eaf6072017-12-06 19:05:33 -0800[diff] [blame]162 public int getErrorCode() {
163 return mErrorCode;
164 }
165 }
166
167 /**
168 * Initializes key recovery service for the calling application. RecoverableKeyStoreLoader
Dmitry Dementyev1aa96132017-12-11 11:33:12 -0800[diff] [blame]169 * randomly chooses one of the keys from the list and keeps it to use for future key export
170 * operations. Collection of all keys in the list must be signed by the provided {@code
171 * rootCertificateAlias}, which must also be present in the list of root certificates
172 * preinstalled on the device. The random selection allows RecoverableKeyStoreLoader to select
173 * which of a set of remote recovery service devices will be used.
Dmitry Dementyev8eaf6072017-12-06 19:05:33 -0800[diff] [blame]174 *
175 * <p>In addition, RecoverableKeyStoreLoader enforces a delay of three months between
176 * consecutive initialization attempts, to limit the ability of an attacker to often switch
177 * remote recovery devices and significantly increase number of recovery attempts.
178 *
179 * @param rootCertificateAlias alias of a root certificate preinstalled on the device
180 * @param signedPublicKeyList binary blob a list of X509 certificates and signature
181 * @throws RecoverableKeyStoreLoaderException if signature is invalid, or key rotation was rate
Dmitry Dementyev1aa96132017-12-11 11:33:12 -0800[diff] [blame]182 * limited.
Dmitry Dementyev8eaf6072017-12-06 19:05:33 -0800[diff] [blame]183 * @hide
184 */
Dmitry Dementyev1aa96132017-12-11 11:33:12 -0800[diff] [blame]185 public void initRecoveryService(
186 @NonNull String rootCertificateAlias, @NonNull byte[] signedPublicKeyList)
Dmitry Dementyev8eaf6072017-12-06 19:05:33 -0800[diff] [blame]187 throws RecoverableKeyStoreLoaderException {
Dmitry Dementyev1aa96132017-12-11 11:33:12 -0800[diff] [blame]188 try {
Dmitry Dementyev14298312018-01-04 15:19:19 -0800[diff] [blame]189 mBinder.initRecoveryService(rootCertificateAlias, signedPublicKeyList);
Dmitry Dementyev1aa96132017-12-11 11:33:12 -0800[diff] [blame]190 } catch (RemoteException e) {
Dmitry Dementyev8eaf6072017-12-06 19:05:33 -0800[diff] [blame]191 throw e.rethrowFromSystemServer();
Dmitry Dementyev1aa96132017-12-11 11:33:12 -0800[diff] [blame]192 } catch (ServiceSpecificException e) {
193 throw RecoverableKeyStoreLoaderException.fromServiceSpecificException(e);
194 }
Dmitry Dementyev8eaf6072017-12-06 19:05:33 -0800[diff] [blame]195 }
196
197 /**
Dmitry Dementyev1aa96132017-12-11 11:33:12 -0800[diff] [blame]198 * Returns data necessary to store all recoverable keys for given account. Key material is
199 * encrypted with user secret and recovery public key.
200 *
201 * @param account specific to Recovery agent.
202 * @return Data necessary to recover keystore.
203 * @hide
Dmitry Dementyev8eaf6072017-12-06 19:05:33 -0800[diff] [blame]204 */
Dmitry Dementyevb8b030b2017-12-19 11:02:54 -0800[diff] [blame]205 public @NonNull KeyStoreRecoveryData getRecoveryData(@NonNull byte[] account)
Dmitry Dementyev8eaf6072017-12-06 19:05:33 -0800[diff] [blame]206 throws RecoverableKeyStoreLoaderException {
Dmitry Dementyev1aa96132017-12-11 11:33:12 -0800[diff] [blame]207 try {
Dmitry Dementyev14298312018-01-04 15:19:19 -0800[diff] [blame]208 KeyStoreRecoveryData recoveryData = mBinder.getRecoveryData(account);
Dmitry Dementyev1aa96132017-12-11 11:33:12 -0800[diff] [blame]209 return recoveryData;
210 } catch (RemoteException e) {
211 throw e.rethrowFromSystemServer();
212 } catch (ServiceSpecificException e) {
213 throw RecoverableKeyStoreLoaderException.fromServiceSpecificException(e);
214 }
Dmitry Dementyev8eaf6072017-12-06 19:05:33 -0800[diff] [blame]215 }
216
217 /**
Dmitry Dementyevb8b030b2017-12-19 11:02:54 -0800[diff] [blame]218 * Sets a listener which notifies recovery agent that new recovery snapshot is available. {@link
219 * #getRecoveryData} can be used to get the snapshot. Note that every recovery agent can have at
220 * most one registered listener at any time.
221 *
222 * @param intent triggered when new snapshot is available. Unregisters listener if the value is
223 * {@code null}.
224 * @hide
225 */
226 public void setSnapshotCreatedPendingIntent(@Nullable PendingIntent intent)
227 throws RecoverableKeyStoreLoaderException {
228 try {
Dmitry Dementyev14298312018-01-04 15:19:19 -0800[diff] [blame]229 mBinder.setSnapshotCreatedPendingIntent(intent);
Dmitry Dementyevb8b030b2017-12-19 11:02:54 -0800[diff] [blame]230 } catch (RemoteException e) {
231 throw e.rethrowFromSystemServer();
232 } catch (ServiceSpecificException e) {
233 throw RecoverableKeyStoreLoaderException.fromServiceSpecificException(e);
234 }
235 }
236
237 /**
238 * Returns a map from recovery agent accounts to corresponding KeyStore recovery snapshot
239 * version. Version zero is used, if no snapshots were created for the account.
240 *
241 * @return Map from recovery agent accounts to snapshot versions.
Bo Zhu584b923f2017-12-22 16:05:15 -0800[diff] [blame]242 * @see KeyStoreRecoveryData#getSnapshotVersion
Dmitry Dementyevb8b030b2017-12-19 11:02:54 -0800[diff] [blame]243 * @hide
244 */
245 public @NonNull Map<byte[], Integer> getRecoverySnapshotVersions()
246 throws RecoverableKeyStoreLoaderException {
247 try {
248 // IPC doesn't support generic Maps.
249 @SuppressWarnings("unchecked")
250 Map<byte[], Integer> result =
Dmitry Dementyev14298312018-01-04 15:19:19 -0800[diff] [blame]251 (Map<byte[], Integer>) mBinder.getRecoverySnapshotVersions();
Dmitry Dementyevb8b030b2017-12-19 11:02:54 -0800[diff] [blame]252 return result;
253 } catch (RemoteException e) {
254 throw e.rethrowFromSystemServer();
255 } catch (ServiceSpecificException e) {
256 throw RecoverableKeyStoreLoaderException.fromServiceSpecificException(e);
257 }
258 }
259
260 /**
Dmitry Dementyev8eaf6072017-12-06 19:05:33 -0800[diff] [blame]261 * Server parameters used to generate new recovery key blobs. This value will be included in
Dmitry Dementyev1aa96132017-12-11 11:33:12 -0800[diff] [blame]262 * {@code KeyStoreRecoveryData.getEncryptedRecoveryKeyBlob()}. The same value must be included
Bo Zhu584b923f2017-12-22 16:05:15 -0800[diff] [blame]263 * in vaultParams {@link #startRecoverySession}
Dmitry Dementyev8eaf6072017-12-06 19:05:33 -0800[diff] [blame]264 *
Dmitry Dementyev1aa96132017-12-11 11:33:12 -0800[diff] [blame]265 * @param serverParameters included in recovery key blob.
Dmitry Dementyev8eaf6072017-12-06 19:05:33 -0800[diff] [blame]266 * @see #getRecoveryData
267 * @throws RecoverableKeyStoreLoaderException If parameters rotation is rate limited.
Dmitry Dementyev1aa96132017-12-11 11:33:12 -0800[diff] [blame]268 * @hide
Dmitry Dementyev8eaf6072017-12-06 19:05:33 -0800[diff] [blame]269 */
Dmitry Dementyev1aa96132017-12-11 11:33:12 -0800[diff] [blame]270 public void setServerParameters(long serverParameters)
Dmitry Dementyev8eaf6072017-12-06 19:05:33 -0800[diff] [blame]271 throws RecoverableKeyStoreLoaderException {
Dmitry Dementyev1aa96132017-12-11 11:33:12 -0800[diff] [blame]272 try {
Dmitry Dementyev14298312018-01-04 15:19:19 -0800[diff] [blame]273 mBinder.setServerParameters(serverParameters);
Dmitry Dementyev1aa96132017-12-11 11:33:12 -0800[diff] [blame]274 } catch (RemoteException e) {
275 throw e.rethrowFromSystemServer();
276 } catch (ServiceSpecificException e) {
277 throw RecoverableKeyStoreLoaderException.fromServiceSpecificException(e);
278 }
Dmitry Dementyev8eaf6072017-12-06 19:05:33 -0800[diff] [blame]279 }
280
281 /**
Dmitry Dementyev1aa96132017-12-11 11:33:12 -0800[diff] [blame]282 * Updates recovery status for given keys. It is used to notify keystore that key was
Dmitry Dementyevb8b030b2017-12-19 11:02:54 -0800[diff] [blame]283 * successfully stored on the server or there were an error. Application can check this value
284 * using {@code getRecoveyStatus}.
Dmitry Dementyev8eaf6072017-12-06 19:05:33 -0800[diff] [blame]285 *
286 * @param packageName Application whose recoverable keys' statuses are to be updated.
287 * @param aliases List of application-specific key aliases. If the array is empty, updates the
Dmitry Dementyev1aa96132017-12-11 11:33:12 -0800[diff] [blame]288 * status for all existing recoverable keys.
Dmitry Dementyev8eaf6072017-12-06 19:05:33 -0800[diff] [blame]289 * @param status Status specific to recovery agent.
290 */
Dmitry Dementyev1aa96132017-12-11 11:33:12 -0800[diff] [blame]291 public void setRecoveryStatus(
292 @NonNull String packageName, @Nullable String[] aliases, int status)
293 throws NameNotFoundException, RecoverableKeyStoreLoaderException {
294 try {
Dmitry Dementyev14298312018-01-04 15:19:19 -0800[diff] [blame]295 mBinder.setRecoveryStatus(packageName, aliases, status);
Dmitry Dementyev1aa96132017-12-11 11:33:12 -0800[diff] [blame]296 } catch (RemoteException e) {
297 throw e.rethrowFromSystemServer();
298 } catch (ServiceSpecificException e) {
299 throw RecoverableKeyStoreLoaderException.fromServiceSpecificException(e);
300 }
Dmitry Dementyev8eaf6072017-12-06 19:05:33 -0800[diff] [blame]301 }
302
303 /**
Dmitry Dementyevb8b030b2017-12-19 11:02:54 -0800[diff] [blame]304 * Returns a {@code Map} from Application's KeyStore key aliases to their recovery status.
305 * Negative status values are reserved for recovery agent specific codes. List of common codes:
306 *
307 * <ul>
308 * <li>{@link #RECOVERY_STATUS_SYNCED}
309 * <li>{@link #RECOVERY_STATUS_SYNC_IN_PROGRESS}
310 * <li>{@link #RECOVERY_STATUS_MISSING_ACCOUNT}
311 * <li>{@link #RECOVERY_STATUS_PERMANENT_FAILURE}
312 * </ul>
313 *
314 * @param packageName Application whose recoverable keys' statuses are to be retrieved. if
315 * {@code null} caller's package will be used.
316 * @return {@code Map} from KeyStore alias to recovery status.
317 * @see #setRecoveryStatus
318 * @hide
319 */
320 public Map<String, Integer> getRecoveryStatus(@Nullable String packageName)
321 throws RecoverableKeyStoreLoaderException {
322 try {
323 // IPC doesn't support generic Maps.
324 @SuppressWarnings("unchecked")
325 Map<String, Integer> result =
326 (Map<String, Integer>)
Dmitry Dementyev14298312018-01-04 15:19:19 -0800[diff] [blame]327 mBinder.getRecoveryStatus(packageName);
Dmitry Dementyevb8b030b2017-12-19 11:02:54 -0800[diff] [blame]328 return result;
329 } catch (RemoteException e) {
330 throw e.rethrowFromSystemServer();
331 } catch (ServiceSpecificException e) {
332 throw RecoverableKeyStoreLoaderException.fromServiceSpecificException(e);
333 }
334 }
335
336 /**
Dmitry Dementyev1aa96132017-12-11 11:33:12 -0800[diff] [blame]337 * Specifies a set of secret types used for end-to-end keystore encryption. Knowing all of them
338 * is necessary to recover data.
Dmitry Dementyev8eaf6072017-12-06 19:05:33 -0800[diff] [blame]339 *
Dmitry Dementyev1aa96132017-12-11 11:33:12 -0800[diff] [blame]340 * @param secretTypes {@link KeyStoreRecoveryMetadata#TYPE_LOCKSCREEN} or {@link
341 * KeyStoreRecoveryMetadata#TYPE_CUSTOM_PASSWORD}
Dmitry Dementyev8eaf6072017-12-06 19:05:33 -0800[diff] [blame]342 */
Dmitry Dementyev1aa96132017-12-11 11:33:12 -0800[diff] [blame]343 public void setRecoverySecretTypes(
344 @NonNull @KeyStoreRecoveryMetadata.UserSecretType int[] secretTypes)
345 throws RecoverableKeyStoreLoaderException {
346 try {
Dmitry Dementyev14298312018-01-04 15:19:19 -0800[diff] [blame]347 mBinder.setRecoverySecretTypes(secretTypes);
Dmitry Dementyev1aa96132017-12-11 11:33:12 -0800[diff] [blame]348 } catch (RemoteException e) {
349 throw e.rethrowFromSystemServer();
350 } catch (ServiceSpecificException e) {
351 throw RecoverableKeyStoreLoaderException.fromServiceSpecificException(e);
352 }
Dmitry Dementyev8eaf6072017-12-06 19:05:33 -0800[diff] [blame]353 }
354
355 /**
Dmitry Dementyev1aa96132017-12-11 11:33:12 -0800[diff] [blame]356 * Defines a set of secret types used for end-to-end keystore encryption. Knowing all of them is
357 * necessary to generate KeyStoreRecoveryData.
358 *
359 * @return list of recovery secret types
Dmitry Dementyev8eaf6072017-12-06 19:05:33 -0800[diff] [blame]360 * @see KeyStoreRecoveryData
361 */
362 public @NonNull @KeyStoreRecoveryMetadata.UserSecretType int[] getRecoverySecretTypes()
363 throws RecoverableKeyStoreLoaderException {
Dmitry Dementyev1aa96132017-12-11 11:33:12 -0800[diff] [blame]364 try {
Dmitry Dementyev14298312018-01-04 15:19:19 -0800[diff] [blame]365 return mBinder.getRecoverySecretTypes();
Dmitry Dementyev1aa96132017-12-11 11:33:12 -0800[diff] [blame]366 } catch (RemoteException e) {
367 throw e.rethrowFromSystemServer();
368 } catch (ServiceSpecificException e) {
369 throw RecoverableKeyStoreLoaderException.fromServiceSpecificException(e);
370 }
Dmitry Dementyev8eaf6072017-12-06 19:05:33 -0800[diff] [blame]371 }
372
373 /**
374 * Returns a list of recovery secret types, necessary to create a pending recovery snapshot.
Dmitry Dementyev1aa96132017-12-11 11:33:12 -0800[diff] [blame]375 * When user enters a secret of a pending type {@link #recoverySecretAvailable} should be
376 * called.
377 *
378 * @return list of recovery secret types
Dmitry Dementyev8eaf6072017-12-06 19:05:33 -0800[diff] [blame]379 */
380 public @NonNull @KeyStoreRecoveryMetadata.UserSecretType int[] getPendingRecoverySecretTypes()
381 throws RecoverableKeyStoreLoaderException {
Dmitry Dementyev1aa96132017-12-11 11:33:12 -0800[diff] [blame]382 try {
Dmitry Dementyev14298312018-01-04 15:19:19 -0800[diff] [blame]383 return mBinder.getPendingRecoverySecretTypes();
Dmitry Dementyev1aa96132017-12-11 11:33:12 -0800[diff] [blame]384 } catch (RemoteException e) {
385 throw e.rethrowFromSystemServer();
386 } catch (ServiceSpecificException e) {
387 throw RecoverableKeyStoreLoaderException.fromServiceSpecificException(e);
388 }
Dmitry Dementyev8eaf6072017-12-06 19:05:33 -0800[diff] [blame]389 }
390
391 /**
Dmitry Dementyev1aa96132017-12-11 11:33:12 -0800[diff] [blame]392 * Method notifies KeyStore that a user-generated secret is available. This method generates a
393 * symmetric session key which a trusted remote device can use to return a recovery key. Caller
394 * should use {@link KeyStoreRecoveryMetadata#clearSecret} to override the secret value in
395 * memory.
Dmitry Dementyev8eaf6072017-12-06 19:05:33 -0800[diff] [blame]396 *
Dmitry Dementyev1aa96132017-12-11 11:33:12 -0800[diff] [blame]397 * @param recoverySecret user generated secret together with parameters necessary to regenerate
398 * it on a new device.
Dmitry Dementyev8eaf6072017-12-06 19:05:33 -0800[diff] [blame]399 */
400 public void recoverySecretAvailable(@NonNull KeyStoreRecoveryMetadata recoverySecret)
401 throws RecoverableKeyStoreLoaderException {
Dmitry Dementyev1aa96132017-12-11 11:33:12 -0800[diff] [blame]402 try {
Dmitry Dementyev14298312018-01-04 15:19:19 -0800[diff] [blame]403 mBinder.recoverySecretAvailable(recoverySecret);
Dmitry Dementyev1aa96132017-12-11 11:33:12 -0800[diff] [blame]404 } catch (RemoteException e) {
405 throw e.rethrowFromSystemServer();
406 } catch (ServiceSpecificException e) {
407 throw RecoverableKeyStoreLoaderException.fromServiceSpecificException(e);
408 }
Dmitry Dementyev8eaf6072017-12-06 19:05:33 -0800[diff] [blame]409 }
410
411 /**
412 * Initializes recovery session and returns a blob with proof of recovery secrets possession.
Dmitry Dementyev1aa96132017-12-11 11:33:12 -0800[diff] [blame]413 * The method generates symmetric key for a session, which trusted remote device can use to
414 * return recovery key.
Dmitry Dementyev8eaf6072017-12-06 19:05:33 -0800[diff] [blame]415 *
416 * @param sessionId ID for recovery session.
Dmitry Dementyev1aa96132017-12-11 11:33:12 -0800[diff] [blame]417 * @param verifierPublicKey Certificate with Public key used to create the recovery blob on the
418 * source device. Keystore will verify the certificate using root of trust.
Dmitry Dementyev8eaf6072017-12-06 19:05:33 -0800[diff] [blame]419 * @param vaultParams Must match the parameters in the corresponding field in the recovery blob.
Dmitry Dementyev1aa96132017-12-11 11:33:12 -0800[diff] [blame]420 * Used to limit number of guesses.
Dmitry Dementyev8eaf6072017-12-06 19:05:33 -0800[diff] [blame]421 * @param vaultChallenge Data passed from server for this recovery session and used to prevent
Dmitry Dementyev1aa96132017-12-11 11:33:12 -0800[diff] [blame]422 * replay attacks
Dmitry Dementyev8eaf6072017-12-06 19:05:33 -0800[diff] [blame]423 * @param secrets Secrets provided by user, the method only uses type and secret fields.
Dmitry Dementyev1aa96132017-12-11 11:33:12 -0800[diff] [blame]424 * @return Binary blob with recovery claim. It is encrypted with verifierPublicKey and contains
425 * a proof of user secrets, session symmetric key and parameters necessary to identify the
426 * counter with the number of failed recovery attempts.
Dmitry Dementyev8eaf6072017-12-06 19:05:33 -0800[diff] [blame]427 */
Dmitry Dementyev1aa96132017-12-11 11:33:12 -0800[diff] [blame]428 public @NonNull byte[] startRecoverySession(
429 @NonNull String sessionId,
430 @NonNull byte[] verifierPublicKey,
431 @NonNull byte[] vaultParams,
432 @NonNull byte[] vaultChallenge,
433 @NonNull List<KeyStoreRecoveryMetadata> secrets)
Dmitry Dementyev8eaf6072017-12-06 19:05:33 -0800[diff] [blame]434 throws RecoverableKeyStoreLoaderException {
Dmitry Dementyev1aa96132017-12-11 11:33:12 -0800[diff] [blame]435 try {
436 byte[] recoveryClaim =
437 mBinder.startRecoverySession(
438 sessionId,
439 verifierPublicKey,
440 vaultParams,
441 vaultChallenge,
Dmitry Dementyev14298312018-01-04 15:19:19 -0800[diff] [blame]442 secrets);
Dmitry Dementyev1aa96132017-12-11 11:33:12 -0800[diff] [blame]443 return recoveryClaim;
444 } catch (RemoteException e) {
445 throw e.rethrowFromSystemServer();
446 } catch (ServiceSpecificException e) {
447 throw RecoverableKeyStoreLoaderException.fromServiceSpecificException(e);
448 }
Dmitry Dementyev8eaf6072017-12-06 19:05:33 -0800[diff] [blame]449 }
450
451 /**
452 * Imports keys.
453 *
Robert Berrybd4c43c2017-12-22 11:35:14 +0000[diff] [blame]454 * @param sessionId Id for recovery session, same as in
Bo Zhu57e77f72018-01-03 14:49:43 -0800[diff] [blame]455 * {@link #startRecoverySession(String, byte[], byte[], byte[], List)}.
Dmitry Dementyev8eaf6072017-12-06 19:05:33 -0800[diff] [blame]456 * @param recoveryKeyBlob Recovery blob encrypted by symmetric key generated for this session.
457 * @param applicationKeys Application keys. Key material can be decrypted using recoveryKeyBlob
Dmitry Dementyev1aa96132017-12-11 11:33:12 -0800[diff] [blame]458 * and session. KeyStore only uses package names from the application info in {@link
459 * KeyEntryRecoveryData}. Caller is responsibility to perform certificates check.
Robert Berrybd4c43c2017-12-22 11:35:14 +0000[diff] [blame]460 * @return Map from alias to raw key material.
Dmitry Dementyev8eaf6072017-12-06 19:05:33 -0800[diff] [blame]461 */
Robert Berrybd4c43c2017-12-22 11:35:14 +0000[diff] [blame]462 public Map<String, byte[]> recoverKeys(
Dmitry Dementyev1aa96132017-12-11 11:33:12 -0800[diff] [blame]463 @NonNull String sessionId,
464 @NonNull byte[] recoveryKeyBlob,
Dmitry Dementyev8eaf6072017-12-06 19:05:33 -0800[diff] [blame]465 @NonNull List<KeyEntryRecoveryData> applicationKeys)
466 throws RecoverableKeyStoreLoaderException {
Dmitry Dementyev1aa96132017-12-11 11:33:12 -0800[diff] [blame]467 try {
Robert Berrybd4c43c2017-12-22 11:35:14 +0000[diff] [blame]468 return (Map<String, byte[]>) mBinder.recoverKeys(
Dmitry Dementyev14298312018-01-04 15:19:19 -0800[diff] [blame]469 sessionId, recoveryKeyBlob, applicationKeys);
Dmitry Dementyev1aa96132017-12-11 11:33:12 -0800[diff] [blame]470 } catch (RemoteException e) {
471 throw e.rethrowFromSystemServer();
472 } catch (ServiceSpecificException e) {
473 throw RecoverableKeyStoreLoaderException.fromServiceSpecificException(e);
474 }
Dmitry Dementyev8eaf6072017-12-06 19:05:33 -0800[diff] [blame]475 }
Robert Berrycfc990a2017-12-22 15:54:30 +0000[diff] [blame]476
477 /**
478 * Generates a key called {@code alias} and loads it into the recoverable key store. Returns the
479 * raw material of the key.
480 *
481 * @throws RecoverableKeyStoreLoaderException if an error occurred generating and storing the
482 * key.
483 */
484 public byte[] generateAndStoreKey(String alias) throws RecoverableKeyStoreLoaderException {
485 try {
486 return mBinder.generateAndStoreKey(alias);
487 } catch (RemoteException e) {
488 throw e.rethrowFromSystemServer();
489 } catch (ServiceSpecificException e) {
490 throw RecoverableKeyStoreLoaderException.fromServiceSpecificException(e);
491 }
492 }
Dmitry Dementyev8eaf6072017-12-06 19:05:33 -0800[diff] [blame]493}