Robert Berry | 4a534ec | 2017-12-21 15:44:02 +0000 | [diff] [blame] | 1 | /* |
| 2 | * Copyright (C) 2017 The Android Open Source Project |
| 3 | * |
| 4 | * Licensed under the Apache License, Version 2.0 (the "License"); |
| 5 | * you may not use this file except in compliance with the License. |
| 6 | * You may obtain a copy of the License at |
| 7 | * |
| 8 | * http://www.apache.org/licenses/LICENSE-2.0 |
| 9 | * |
| 10 | * Unless required by applicable law or agreed to in writing, software |
| 11 | * distributed under the License is distributed on an "AS IS" BASIS, |
| 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| 13 | * See the License for the specific language governing permissions and |
| 14 | * limitations under the License. |
| 15 | */ |
| 16 | |
| 17 | package com.android.server.locksettings.recoverablekeystore; |
| 18 | |
Dmitry Dementyev | 0916e7c | 2018-01-23 13:02:08 -0800 | [diff] [blame] | 19 | import static android.security.keystore.recovery.KeyChainProtectionParams.TYPE_LOCKSCREEN; |
Robert Berry | bd086f1 | 2017-12-27 13:29:39 +0000 | [diff] [blame] | 20 | |
Dmitry Dementyev | abd713c | 2018-01-09 15:08:13 -0800 | [diff] [blame] | 21 | import android.annotation.Nullable; |
Robert Berry | 4a534ec | 2017-12-21 15:44:02 +0000 | [diff] [blame] | 22 | import android.content.Context; |
Bo Zhu | 7697343 | 2018-04-03 00:37:51 -0700 | [diff] [blame] | 23 | import android.security.Scrypt; |
Dmitry Dementyev | 0916e7c | 2018-01-23 13:02:08 -0800 | [diff] [blame] | 24 | import android.security.keystore.recovery.KeyChainProtectionParams; |
| 25 | import android.security.keystore.recovery.KeyChainSnapshot; |
Dmitry Dementyev | f34fc7e | 2018-03-26 17:31:29 -0700 | [diff] [blame] | 26 | import android.security.keystore.recovery.KeyDerivationParams; |
Robert Berry | 81ee34b | 2018-01-23 11:59:59 +0000 | [diff] [blame] | 27 | import android.security.keystore.recovery.WrappedApplicationKey; |
Robert Berry | 4a534ec | 2017-12-21 15:44:02 +0000 | [diff] [blame] | 28 | import android.util.Log; |
| 29 | |
| 30 | import com.android.internal.annotations.VisibleForTesting; |
Dmitry Dementyev | 122bfe1 | 2018-01-10 18:56:36 -0800 | [diff] [blame] | 31 | import com.android.internal.util.ArrayUtils; |
Robert Berry | 4a534ec | 2017-12-21 15:44:02 +0000 | [diff] [blame] | 32 | import com.android.internal.widget.LockPatternUtils; |
| 33 | import com.android.server.locksettings.recoverablekeystore.storage.RecoverableKeyStoreDb; |
Robert Berry | bd086f1 | 2017-12-27 13:29:39 +0000 | [diff] [blame] | 34 | import com.android.server.locksettings.recoverablekeystore.storage.RecoverySnapshotStorage; |
Robert Berry | 4a534ec | 2017-12-21 15:44:02 +0000 | [diff] [blame] | 35 | |
| 36 | import java.nio.ByteBuffer; |
| 37 | import java.nio.ByteOrder; |
| 38 | import java.nio.charset.StandardCharsets; |
Robert Berry | f0a4bea | 2017-12-22 13:17:32 +0000 | [diff] [blame] | 39 | import java.security.GeneralSecurityException; |
Robert Berry | 26cbb6b | 2018-01-22 21:59:30 +0000 | [diff] [blame] | 40 | import java.security.InvalidAlgorithmParameterException; |
Robert Berry | 4a534ec | 2017-12-21 15:44:02 +0000 | [diff] [blame] | 41 | import java.security.InvalidKeyException; |
| 42 | import java.security.KeyStoreException; |
| 43 | import java.security.MessageDigest; |
| 44 | import java.security.NoSuchAlgorithmException; |
| 45 | import java.security.PublicKey; |
| 46 | import java.security.SecureRandom; |
Robert Berry | f0a4bea | 2017-12-22 13:17:32 +0000 | [diff] [blame] | 47 | import java.security.UnrecoverableKeyException; |
Bo Zhu | 14d993d | 2018-02-03 21:38:48 -0800 | [diff] [blame] | 48 | import java.security.cert.CertPath; |
Bo Zhu | 6361080 | 2018-03-09 12:32:13 -0800 | [diff] [blame] | 49 | import java.security.cert.CertificateException; |
Robert Berry | bd086f1 | 2017-12-27 13:29:39 +0000 | [diff] [blame] | 50 | import java.util.ArrayList; |
| 51 | import java.util.List; |
Robert Berry | f0a4bea | 2017-12-22 13:17:32 +0000 | [diff] [blame] | 52 | import java.util.Map; |
Robert Berry | 4a534ec | 2017-12-21 15:44:02 +0000 | [diff] [blame] | 53 | |
| 54 | import javax.crypto.KeyGenerator; |
Robert Berry | f0a4bea | 2017-12-22 13:17:32 +0000 | [diff] [blame] | 55 | import javax.crypto.NoSuchPaddingException; |
Robert Berry | 4a534ec | 2017-12-21 15:44:02 +0000 | [diff] [blame] | 56 | import javax.crypto.SecretKey; |
| 57 | |
| 58 | /** |
| 59 | * Task to sync application keys to a remote vault service. |
| 60 | * |
Robert Berry | f0a4bea | 2017-12-22 13:17:32 +0000 | [diff] [blame] | 61 | * @hide |
Robert Berry | 4a534ec | 2017-12-21 15:44:02 +0000 | [diff] [blame] | 62 | */ |
| 63 | public class KeySyncTask implements Runnable { |
| 64 | private static final String TAG = "KeySyncTask"; |
| 65 | |
| 66 | private static final String RECOVERY_KEY_ALGORITHM = "AES"; |
| 67 | private static final int RECOVERY_KEY_SIZE_BITS = 256; |
| 68 | private static final int SALT_LENGTH_BYTES = 16; |
| 69 | private static final int LENGTH_PREFIX_BYTES = Integer.BYTES; |
| 70 | private static final String LOCK_SCREEN_HASH_ALGORITHM = "SHA-256"; |
Robert Berry | 94ea4e4 | 2017-12-28 12:08:30 +0000 | [diff] [blame] | 71 | private static final int TRUSTED_HARDWARE_MAX_ATTEMPTS = 10; |
Robert Berry | 4a534ec | 2017-12-21 15:44:02 +0000 | [diff] [blame] | 72 | |
Bo Zhu | 7697343 | 2018-04-03 00:37:51 -0700 | [diff] [blame] | 73 | @VisibleForTesting |
| 74 | static final int SCRYPT_PARAM_N = 4096; |
| 75 | @VisibleForTesting |
| 76 | static final int SCRYPT_PARAM_R = 8; |
| 77 | @VisibleForTesting |
| 78 | static final int SCRYPT_PARAM_P = 1; |
| 79 | @VisibleForTesting |
| 80 | static final int SCRYPT_PARAM_OUTLEN_BYTES = 32; |
| 81 | |
Robert Berry | 4a534ec | 2017-12-21 15:44:02 +0000 | [diff] [blame] | 82 | private final RecoverableKeyStoreDb mRecoverableKeyStoreDb; |
| 83 | private final int mUserId; |
| 84 | private final int mCredentialType; |
| 85 | private final String mCredential; |
Dmitry Dementyev | 77183ef | 2018-01-05 15:46:00 -0800 | [diff] [blame] | 86 | private final boolean mCredentialUpdated; |
Dmitry Dementyev | 6e16724 | 2018-01-25 15:29:50 -0800 | [diff] [blame] | 87 | private final PlatformKeyManager mPlatformKeyManager; |
Robert Berry | bd086f1 | 2017-12-27 13:29:39 +0000 | [diff] [blame] | 88 | private final RecoverySnapshotStorage mRecoverySnapshotStorage; |
Robert Berry | 9104404 | 2017-12-27 12:05:58 +0000 | [diff] [blame] | 89 | private final RecoverySnapshotListenersStorage mSnapshotListenersStorage; |
Dmitry Dementyev | 57ca3da | 2018-03-28 12:36:45 -0700 | [diff] [blame] | 90 | private final TestOnlyInsecureCertificateHelper mTestOnlyInsecureCertificateHelper; |
Bo Zhu | 7697343 | 2018-04-03 00:37:51 -0700 | [diff] [blame] | 91 | private final Scrypt mScrypt; |
Robert Berry | 4a534ec | 2017-12-21 15:44:02 +0000 | [diff] [blame] | 92 | |
| 93 | public static KeySyncTask newInstance( |
| 94 | Context context, |
| 95 | RecoverableKeyStoreDb recoverableKeyStoreDb, |
Robert Berry | bd086f1 | 2017-12-27 13:29:39 +0000 | [diff] [blame] | 96 | RecoverySnapshotStorage snapshotStorage, |
Robert Berry | 9104404 | 2017-12-27 12:05:58 +0000 | [diff] [blame] | 97 | RecoverySnapshotListenersStorage recoverySnapshotListenersStorage, |
Robert Berry | 4a534ec | 2017-12-21 15:44:02 +0000 | [diff] [blame] | 98 | int userId, |
| 99 | int credentialType, |
Dmitry Dementyev | 77183ef | 2018-01-05 15:46:00 -0800 | [diff] [blame] | 100 | String credential, |
| 101 | boolean credentialUpdated |
Robert Berry | 4a534ec | 2017-12-21 15:44:02 +0000 | [diff] [blame] | 102 | ) throws NoSuchAlgorithmException, KeyStoreException, InsecureUserException { |
| 103 | return new KeySyncTask( |
Robert Berry | 4a534ec | 2017-12-21 15:44:02 +0000 | [diff] [blame] | 104 | recoverableKeyStoreDb, |
Robert Berry | bd086f1 | 2017-12-27 13:29:39 +0000 | [diff] [blame] | 105 | snapshotStorage, |
Robert Berry | 9104404 | 2017-12-27 12:05:58 +0000 | [diff] [blame] | 106 | recoverySnapshotListenersStorage, |
Robert Berry | 4a534ec | 2017-12-21 15:44:02 +0000 | [diff] [blame] | 107 | userId, |
| 108 | credentialType, |
Robert Berry | f0a4bea | 2017-12-22 13:17:32 +0000 | [diff] [blame] | 109 | credential, |
Dmitry Dementyev | 77183ef | 2018-01-05 15:46:00 -0800 | [diff] [blame] | 110 | credentialUpdated, |
Dmitry Dementyev | 57ca3da | 2018-03-28 12:36:45 -0700 | [diff] [blame] | 111 | PlatformKeyManager.getInstance(context, recoverableKeyStoreDb), |
Bo Zhu | 7697343 | 2018-04-03 00:37:51 -0700 | [diff] [blame] | 112 | new TestOnlyInsecureCertificateHelper(), |
| 113 | new Scrypt()); |
Robert Berry | 4a534ec | 2017-12-21 15:44:02 +0000 | [diff] [blame] | 114 | } |
| 115 | |
| 116 | /** |
| 117 | * A new task. |
| 118 | * |
| 119 | * @param recoverableKeyStoreDb Database where the keys are stored. |
| 120 | * @param userId The uid of the user whose profile has been unlocked. |
Dmitry Dementyev | abd713c | 2018-01-09 15:08:13 -0800 | [diff] [blame] | 121 | * @param credentialType The type of credential as defined in {@code LockPatternUtils} |
Robert Berry | 4a534ec | 2017-12-21 15:44:02 +0000 | [diff] [blame] | 122 | * @param credential The credential, encoded as a {@link String}. |
Dmitry Dementyev | 77183ef | 2018-01-05 15:46:00 -0800 | [diff] [blame] | 123 | * @param credentialUpdated signals weather credentials were updated. |
Dmitry Dementyev | 6e16724 | 2018-01-25 15:29:50 -0800 | [diff] [blame] | 124 | * @param platformKeyManager platform key manager |
Bo Zhu | 7697343 | 2018-04-03 00:37:51 -0700 | [diff] [blame] | 125 | * @param testOnlyInsecureCertificateHelper utility class used for end-to-end tests |
Robert Berry | 4a534ec | 2017-12-21 15:44:02 +0000 | [diff] [blame] | 126 | */ |
| 127 | @VisibleForTesting |
| 128 | KeySyncTask( |
Robert Berry | 4a534ec | 2017-12-21 15:44:02 +0000 | [diff] [blame] | 129 | RecoverableKeyStoreDb recoverableKeyStoreDb, |
Robert Berry | bd086f1 | 2017-12-27 13:29:39 +0000 | [diff] [blame] | 130 | RecoverySnapshotStorage snapshotStorage, |
Robert Berry | 9104404 | 2017-12-27 12:05:58 +0000 | [diff] [blame] | 131 | RecoverySnapshotListenersStorage recoverySnapshotListenersStorage, |
Robert Berry | 4a534ec | 2017-12-21 15:44:02 +0000 | [diff] [blame] | 132 | int userId, |
| 133 | int credentialType, |
Robert Berry | f0a4bea | 2017-12-22 13:17:32 +0000 | [diff] [blame] | 134 | String credential, |
Dmitry Dementyev | 77183ef | 2018-01-05 15:46:00 -0800 | [diff] [blame] | 135 | boolean credentialUpdated, |
Dmitry Dementyev | 57ca3da | 2018-03-28 12:36:45 -0700 | [diff] [blame] | 136 | PlatformKeyManager platformKeyManager, |
Bo Zhu | 7697343 | 2018-04-03 00:37:51 -0700 | [diff] [blame] | 137 | TestOnlyInsecureCertificateHelper testOnlyInsecureCertificateHelper, |
| 138 | Scrypt scrypt) { |
Robert Berry | 9104404 | 2017-12-27 12:05:58 +0000 | [diff] [blame] | 139 | mSnapshotListenersStorage = recoverySnapshotListenersStorage; |
Robert Berry | 4a534ec | 2017-12-21 15:44:02 +0000 | [diff] [blame] | 140 | mRecoverableKeyStoreDb = recoverableKeyStoreDb; |
| 141 | mUserId = userId; |
| 142 | mCredentialType = credentialType; |
| 143 | mCredential = credential; |
Dmitry Dementyev | 77183ef | 2018-01-05 15:46:00 -0800 | [diff] [blame] | 144 | mCredentialUpdated = credentialUpdated; |
Dmitry Dementyev | 6e16724 | 2018-01-25 15:29:50 -0800 | [diff] [blame] | 145 | mPlatformKeyManager = platformKeyManager; |
Robert Berry | bd086f1 | 2017-12-27 13:29:39 +0000 | [diff] [blame] | 146 | mRecoverySnapshotStorage = snapshotStorage; |
Bo Zhu | 7697343 | 2018-04-03 00:37:51 -0700 | [diff] [blame] | 147 | mTestOnlyInsecureCertificateHelper = testOnlyInsecureCertificateHelper; |
| 148 | mScrypt = scrypt; |
Robert Berry | 4a534ec | 2017-12-21 15:44:02 +0000 | [diff] [blame] | 149 | } |
| 150 | |
| 151 | @Override |
| 152 | public void run() { |
| 153 | try { |
Dmitry Dementyev | 77183ef | 2018-01-05 15:46:00 -0800 | [diff] [blame] | 154 | // Only one task is active If user unlocks phone many times in a short time interval. |
| 155 | synchronized(KeySyncTask.class) { |
| 156 | syncKeys(); |
| 157 | } |
Robert Berry | 4a534ec | 2017-12-21 15:44:02 +0000 | [diff] [blame] | 158 | } catch (Exception e) { |
| 159 | Log.e(TAG, "Unexpected exception thrown during KeySyncTask", e); |
| 160 | } |
| 161 | } |
| 162 | |
| 163 | private void syncKeys() { |
Dmitry Dementyev | 77183ef | 2018-01-05 15:46:00 -0800 | [diff] [blame] | 164 | if (mCredentialType == LockPatternUtils.CREDENTIAL_TYPE_NONE) { |
| 165 | // Application keys for the user will not be available for sync. |
| 166 | Log.w(TAG, "Credentials are not set for user " + mUserId); |
Dmitry Dementyev | 6e16724 | 2018-01-25 15:29:50 -0800 | [diff] [blame] | 167 | int generation = mPlatformKeyManager.getGenerationId(mUserId); |
| 168 | mPlatformKeyManager.invalidatePlatformKey(mUserId, generation); |
Dmitry Dementyev | 77183ef | 2018-01-05 15:46:00 -0800 | [diff] [blame] | 169 | return; |
| 170 | } |
Aseem Kumar | 3326da5 | 2018-03-12 18:05:16 -0700 | [diff] [blame] | 171 | if (isCustomLockScreen()) { |
| 172 | Log.w(TAG, "Unsupported credential type " + mCredentialType + "for user " + mUserId); |
| 173 | mRecoverableKeyStoreDb.invalidateKeysForUserIdOnCustomScreenLock(mUserId); |
| 174 | return; |
| 175 | } |
Dmitry Dementyev | 77183ef | 2018-01-05 15:46:00 -0800 | [diff] [blame] | 176 | |
| 177 | List<Integer> recoveryAgents = mRecoverableKeyStoreDb.getRecoveryAgents(mUserId); |
| 178 | for (int uid : recoveryAgents) { |
| 179 | syncKeysForAgent(uid); |
| 180 | } |
| 181 | if (recoveryAgents.isEmpty()) { |
| 182 | Log.w(TAG, "No recovery agent initialized for user " + mUserId); |
| 183 | } |
| 184 | } |
| 185 | |
Aseem Kumar | 3326da5 | 2018-03-12 18:05:16 -0700 | [diff] [blame] | 186 | private boolean isCustomLockScreen() { |
| 187 | return mCredentialType != LockPatternUtils.CREDENTIAL_TYPE_NONE |
| 188 | && mCredentialType != LockPatternUtils.CREDENTIAL_TYPE_PATTERN |
| 189 | && mCredentialType != LockPatternUtils.CREDENTIAL_TYPE_PASSWORD; |
| 190 | } |
| 191 | |
Dmitry Dementyev | 77183ef | 2018-01-05 15:46:00 -0800 | [diff] [blame] | 192 | private void syncKeysForAgent(int recoveryAgentUid) { |
Dmitry Dementyev | 907e275 | 2018-01-26 10:54:52 -0800 | [diff] [blame] | 193 | boolean recreateCurrentVersion = false; |
Robert Berry | 2fd4b59 | 2018-03-15 15:28:05 +0000 | [diff] [blame] | 194 | if (!shouldCreateSnapshot(recoveryAgentUid)) { |
Dmitry Dementyev | 907e275 | 2018-01-26 10:54:52 -0800 | [diff] [blame] | 195 | recreateCurrentVersion = |
| 196 | (mRecoverableKeyStoreDb.getSnapshotVersion(mUserId, recoveryAgentUid) != null) |
| 197 | && (mRecoverySnapshotStorage.get(recoveryAgentUid) == null); |
| 198 | if (recreateCurrentVersion) { |
| 199 | Log.d(TAG, "Recreating most recent snapshot"); |
| 200 | } else { |
| 201 | Log.d(TAG, "Key sync not needed."); |
| 202 | return; |
| 203 | } |
Robert Berry | f0a4bea | 2017-12-22 13:17:32 +0000 | [diff] [blame] | 204 | } |
| 205 | |
Bo Zhu | 14d993d | 2018-02-03 21:38:48 -0800 | [diff] [blame] | 206 | PublicKey publicKey; |
Dmitry Dementyev | f34fc7e | 2018-03-26 17:31:29 -0700 | [diff] [blame] | 207 | String rootCertAlias = |
| 208 | mRecoverableKeyStoreDb.getActiveRootOfTrust(mUserId, recoveryAgentUid); |
Dmitry Dementyev | 57ca3da | 2018-03-28 12:36:45 -0700 | [diff] [blame] | 209 | rootCertAlias = mTestOnlyInsecureCertificateHelper |
| 210 | .getDefaultCertificateAliasIfEmpty(rootCertAlias); |
Dmitry Dementyev | f34fc7e | 2018-03-26 17:31:29 -0700 | [diff] [blame] | 211 | |
Bo Zhu | 14d993d | 2018-02-03 21:38:48 -0800 | [diff] [blame] | 212 | CertPath certPath = mRecoverableKeyStoreDb.getRecoveryServiceCertPath(mUserId, |
Dmitry Dementyev | f34fc7e | 2018-03-26 17:31:29 -0700 | [diff] [blame] | 213 | recoveryAgentUid, rootCertAlias); |
Bo Zhu | 14d993d | 2018-02-03 21:38:48 -0800 | [diff] [blame] | 214 | if (certPath != null) { |
| 215 | Log.d(TAG, "Using the public key in stored CertPath for syncing"); |
| 216 | publicKey = certPath.getCertificates().get(0).getPublicKey(); |
| 217 | } else { |
| 218 | Log.d(TAG, "Using the stored raw public key for syncing"); |
| 219 | publicKey = mRecoverableKeyStoreDb.getRecoveryServicePublicKey(mUserId, |
| 220 | recoveryAgentUid); |
| 221 | } |
Robert Berry | aa3f4ca | 2017-12-27 10:53:58 +0000 | [diff] [blame] | 222 | if (publicKey == null) { |
| 223 | Log.w(TAG, "Not initialized for KeySync: no public key set. Cancelling task."); |
| 224 | return; |
| 225 | } |
| 226 | |
Bo Zhu | 4ff2b3f | 2018-01-17 17:34:26 -0800 | [diff] [blame] | 227 | byte[] vaultHandle = mRecoverableKeyStoreDb.getServerParams(mUserId, recoveryAgentUid); |
| 228 | if (vaultHandle == null) { |
Robert Berry | 94ea4e4 | 2017-12-28 12:08:30 +0000 | [diff] [blame] | 229 | Log.w(TAG, "No device ID set for user " + mUserId); |
| 230 | return; |
| 231 | } |
| 232 | |
Bo Zhu | 0b8c82e | 2018-03-30 11:31:53 -0700 | [diff] [blame] | 233 | if (mTestOnlyInsecureCertificateHelper.isTestOnlyCertificateAlias(rootCertAlias)) { |
Dmitry Dementyev | 57ca3da | 2018-03-28 12:36:45 -0700 | [diff] [blame] | 234 | Log.w(TAG, "Insecure root certificate is used by recovery agent " |
Dmitry Dementyev | f34fc7e | 2018-03-26 17:31:29 -0700 | [diff] [blame] | 235 | + recoveryAgentUid); |
Bo Zhu | 0b8c82e | 2018-03-30 11:31:53 -0700 | [diff] [blame] | 236 | if (mTestOnlyInsecureCertificateHelper.doesCredentialSupportInsecureMode( |
Dmitry Dementyev | 57ca3da | 2018-03-28 12:36:45 -0700 | [diff] [blame] | 237 | mCredentialType, mCredential)) { |
| 238 | Log.w(TAG, "Whitelisted credential is used to generate snapshot by " |
| 239 | + "recovery agent "+ recoveryAgentUid); |
| 240 | } else { |
| 241 | Log.w(TAG, "Non whitelisted credential is used to generate recovery snapshot by " |
| 242 | + recoveryAgentUid + " - ignore attempt."); |
| 243 | return; // User secret will not be used. |
| 244 | } |
Dmitry Dementyev | f34fc7e | 2018-03-26 17:31:29 -0700 | [diff] [blame] | 245 | } |
| 246 | |
Bo Zhu | c3aefbd | 2018-04-06 09:57:02 -0700 | [diff] [blame] | 247 | boolean useScryptToHashCredential = shouldUseScryptToHashCredential(); |
Robert Berry | 4a534ec | 2017-12-21 15:44:02 +0000 | [diff] [blame] | 248 | byte[] salt = generateSalt(); |
Bo Zhu | 7697343 | 2018-04-03 00:37:51 -0700 | [diff] [blame] | 249 | byte[] localLskfHash; |
| 250 | if (useScryptToHashCredential) { |
| 251 | localLskfHash = hashCredentialsByScrypt(salt, mCredential); |
| 252 | } else { |
| 253 | localLskfHash = hashCredentialsBySaltedSha256(salt, mCredential); |
| 254 | } |
Robert Berry | 4a534ec | 2017-12-21 15:44:02 +0000 | [diff] [blame] | 255 | |
Robert Berry | f0a4bea | 2017-12-22 13:17:32 +0000 | [diff] [blame] | 256 | Map<String, SecretKey> rawKeys; |
| 257 | try { |
Dmitry Dementyev | 77183ef | 2018-01-05 15:46:00 -0800 | [diff] [blame] | 258 | rawKeys = getKeysToSync(recoveryAgentUid); |
Robert Berry | f0a4bea | 2017-12-22 13:17:32 +0000 | [diff] [blame] | 259 | } catch (GeneralSecurityException e) { |
| 260 | Log.e(TAG, "Failed to load recoverable keys for sync", e); |
| 261 | return; |
| 262 | } catch (InsecureUserException e) { |
| 263 | Log.wtf(TAG, "A screen unlock triggered the key sync flow, so user must have " |
| 264 | + "lock screen. This should be impossible.", e); |
| 265 | return; |
| 266 | } catch (BadPlatformKeyException e) { |
| 267 | Log.wtf(TAG, "Loaded keys for same generation ID as platform key, so " |
| 268 | + "BadPlatformKeyException should be impossible.", e); |
| 269 | return; |
| 270 | } |
Robert Berry | 4a534ec | 2017-12-21 15:44:02 +0000 | [diff] [blame] | 271 | |
Dmitry Dementyev | 57ca3da | 2018-03-28 12:36:45 -0700 | [diff] [blame] | 272 | // Only include insecure key material for test |
Bo Zhu | 0b8c82e | 2018-03-30 11:31:53 -0700 | [diff] [blame] | 273 | if (mTestOnlyInsecureCertificateHelper.isTestOnlyCertificateAlias(rootCertAlias)) { |
Dmitry Dementyev | 57ca3da | 2018-03-28 12:36:45 -0700 | [diff] [blame] | 274 | rawKeys = mTestOnlyInsecureCertificateHelper.keepOnlyWhitelistedInsecureKeys(rawKeys); |
| 275 | } |
Robert Berry | 4a534ec | 2017-12-21 15:44:02 +0000 | [diff] [blame] | 276 | SecretKey recoveryKey; |
| 277 | try { |
| 278 | recoveryKey = generateRecoveryKey(); |
| 279 | } catch (NoSuchAlgorithmException e) { |
| 280 | Log.wtf("AES should never be unavailable", e); |
| 281 | return; |
| 282 | } |
| 283 | |
Robert Berry | f0a4bea | 2017-12-22 13:17:32 +0000 | [diff] [blame] | 284 | Map<String, byte[]> encryptedApplicationKeys; |
| 285 | try { |
| 286 | encryptedApplicationKeys = KeySyncUtils.encryptKeysWithRecoveryKey( |
| 287 | recoveryKey, rawKeys); |
| 288 | } catch (InvalidKeyException | NoSuchAlgorithmException e) { |
| 289 | Log.wtf(TAG, |
| 290 | "Should be impossible: could not encrypt application keys with random key", |
| 291 | e); |
| 292 | return; |
| 293 | } |
Robert Berry | 4a534ec | 2017-12-21 15:44:02 +0000 | [diff] [blame] | 294 | |
Dmitry Dementyev | 77183ef | 2018-01-05 15:46:00 -0800 | [diff] [blame] | 295 | Long counterId; |
| 296 | // counter id is generated exactly once for each credentials value. |
| 297 | if (mCredentialUpdated) { |
| 298 | counterId = generateAndStoreCounterId(recoveryAgentUid); |
| 299 | } else { |
| 300 | counterId = mRecoverableKeyStoreDb.getCounterId(mUserId, recoveryAgentUid); |
| 301 | if (counterId == null) { |
| 302 | counterId = generateAndStoreCounterId(recoveryAgentUid); |
| 303 | } |
| 304 | } |
Dmitry Dementyev | ae6ec6d | 2018-01-18 14:29:49 -0800 | [diff] [blame] | 305 | |
Robert Berry | 94ea4e4 | 2017-12-28 12:08:30 +0000 | [diff] [blame] | 306 | byte[] vaultParams = KeySyncUtils.packVaultParams( |
| 307 | publicKey, |
Dmitry Dementyev | 77183ef | 2018-01-05 15:46:00 -0800 | [diff] [blame] | 308 | counterId, |
Bo Zhu | 4ff2b3f | 2018-01-17 17:34:26 -0800 | [diff] [blame] | 309 | TRUSTED_HARDWARE_MAX_ATTEMPTS, |
| 310 | vaultHandle); |
Robert Berry | 4a534ec | 2017-12-21 15:44:02 +0000 | [diff] [blame] | 311 | |
Robert Berry | f0a4bea | 2017-12-22 13:17:32 +0000 | [diff] [blame] | 312 | byte[] encryptedRecoveryKey; |
Robert Berry | 4a534ec | 2017-12-21 15:44:02 +0000 | [diff] [blame] | 313 | try { |
Robert Berry | f0a4bea | 2017-12-22 13:17:32 +0000 | [diff] [blame] | 314 | encryptedRecoveryKey = KeySyncUtils.thmEncryptRecoveryKey( |
Robert Berry | aa3f4ca | 2017-12-27 10:53:58 +0000 | [diff] [blame] | 315 | publicKey, |
Robert Berry | 4a534ec | 2017-12-21 15:44:02 +0000 | [diff] [blame] | 316 | localLskfHash, |
| 317 | vaultParams, |
| 318 | recoveryKey); |
| 319 | } catch (NoSuchAlgorithmException e) { |
| 320 | Log.wtf(TAG, "SecureBox encrypt algorithms unavailable", e); |
| 321 | return; |
| 322 | } catch (InvalidKeyException e) { |
| 323 | Log.e(TAG,"Could not encrypt with recovery key", e); |
| 324 | return; |
| 325 | } |
Bo Zhu | 7697343 | 2018-04-03 00:37:51 -0700 | [diff] [blame] | 326 | KeyDerivationParams keyDerivationParams; |
| 327 | if (useScryptToHashCredential) { |
| 328 | keyDerivationParams = KeyDerivationParams.createScryptParams( |
| 329 | salt, /*memoryDifficulty=*/ SCRYPT_PARAM_N); |
| 330 | } else { |
| 331 | keyDerivationParams = KeyDerivationParams.createSha256Params(salt); |
| 332 | } |
Dmitry Dementyev | 907e275 | 2018-01-26 10:54:52 -0800 | [diff] [blame] | 333 | KeyChainProtectionParams metadata = new KeyChainProtectionParams.Builder() |
| 334 | .setUserSecretType(TYPE_LOCKSCREEN) |
| 335 | .setLockScreenUiFormat(getUiFormat(mCredentialType, mCredential)) |
Bo Zhu | 7697343 | 2018-04-03 00:37:51 -0700 | [diff] [blame] | 336 | .setKeyDerivationParams(keyDerivationParams) |
Dmitry Dementyev | 907e275 | 2018-01-26 10:54:52 -0800 | [diff] [blame] | 337 | .setSecret(new byte[0]) |
| 338 | .build(); |
| 339 | |
Dmitry Dementyev | 0916e7c | 2018-01-23 13:02:08 -0800 | [diff] [blame] | 340 | ArrayList<KeyChainProtectionParams> metadataList = new ArrayList<>(); |
Robert Berry | bd086f1 | 2017-12-27 13:29:39 +0000 | [diff] [blame] | 341 | metadataList.add(metadata); |
| 342 | |
Dmitry Dementyev | 77183ef | 2018-01-05 15:46:00 -0800 | [diff] [blame] | 343 | // If application keys are not updated, snapshot will not be created on next unlock. |
| 344 | mRecoverableKeyStoreDb.setShouldCreateSnapshot(mUserId, recoveryAgentUid, false); |
| 345 | |
Bo Zhu | 6361080 | 2018-03-09 12:32:13 -0800 | [diff] [blame] | 346 | KeyChainSnapshot.Builder keyChainSnapshotBuilder = new KeyChainSnapshot.Builder() |
Dmitry Dementyev | 907e275 | 2018-01-26 10:54:52 -0800 | [diff] [blame] | 347 | .setSnapshotVersion(getSnapshotVersion(recoveryAgentUid, recreateCurrentVersion)) |
Dmitry Dementyev | add1bad | 2018-01-18 16:44:08 -0800 | [diff] [blame] | 348 | .setMaxAttempts(TRUSTED_HARDWARE_MAX_ATTEMPTS) |
| 349 | .setCounterId(counterId) |
Dmitry Dementyev | add1bad | 2018-01-18 16:44:08 -0800 | [diff] [blame] | 350 | .setServerParams(vaultHandle) |
Dmitry Dementyev | 0916e7c | 2018-01-23 13:02:08 -0800 | [diff] [blame] | 351 | .setKeyChainProtectionParams(metadataList) |
Dmitry Dementyev | add1bad | 2018-01-18 16:44:08 -0800 | [diff] [blame] | 352 | .setWrappedApplicationKeys(createApplicationKeyEntries(encryptedApplicationKeys)) |
Bo Zhu | 6361080 | 2018-03-09 12:32:13 -0800 | [diff] [blame] | 353 | .setEncryptedRecoveryKeyBlob(encryptedRecoveryKey); |
| 354 | try { |
| 355 | keyChainSnapshotBuilder.setTrustedHardwareCertPath(certPath); |
| 356 | } catch(CertificateException e) { |
| 357 | // Should not happen, as it's just deserialized from bytes stored in the db |
| 358 | Log.wtf(TAG, "Cannot serialize CertPath when calling setTrustedHardwareCertPath", e); |
| 359 | return; |
| 360 | } |
| 361 | mRecoverySnapshotStorage.put(recoveryAgentUid, keyChainSnapshotBuilder.build()); |
Robert Berry | 9104404 | 2017-12-27 12:05:58 +0000 | [diff] [blame] | 362 | mSnapshotListenersStorage.recoverySnapshotAvailable(recoveryAgentUid); |
Robert Berry | 4a534ec | 2017-12-21 15:44:02 +0000 | [diff] [blame] | 363 | } |
| 364 | |
Dmitry Dementyev | 77183ef | 2018-01-05 15:46:00 -0800 | [diff] [blame] | 365 | @VisibleForTesting |
Dmitry Dementyev | 907e275 | 2018-01-26 10:54:52 -0800 | [diff] [blame] | 366 | int getSnapshotVersion(int recoveryAgentUid, boolean recreateCurrentVersion) { |
Dmitry Dementyev | 77183ef | 2018-01-05 15:46:00 -0800 | [diff] [blame] | 367 | Long snapshotVersion = mRecoverableKeyStoreDb.getSnapshotVersion(mUserId, recoveryAgentUid); |
Dmitry Dementyev | 907e275 | 2018-01-26 10:54:52 -0800 | [diff] [blame] | 368 | if (recreateCurrentVersion) { |
| 369 | // version shouldn't be null at this moment. |
| 370 | snapshotVersion = snapshotVersion == null ? 1 : snapshotVersion; |
| 371 | } else { |
| 372 | snapshotVersion = snapshotVersion == null ? 1 : snapshotVersion + 1; |
| 373 | } |
Dmitry Dementyev | 77183ef | 2018-01-05 15:46:00 -0800 | [diff] [blame] | 374 | mRecoverableKeyStoreDb.setSnapshotVersion(mUserId, recoveryAgentUid, snapshotVersion); |
| 375 | |
| 376 | return snapshotVersion.intValue(); |
| 377 | } |
| 378 | |
| 379 | private long generateAndStoreCounterId(int recoveryAgentUid) { |
| 380 | long counter = new SecureRandom().nextLong(); |
| 381 | mRecoverableKeyStoreDb.setCounterId(mUserId, recoveryAgentUid, counter); |
| 382 | return counter; |
Robert Berry | 4a534ec | 2017-12-21 15:44:02 +0000 | [diff] [blame] | 383 | } |
| 384 | |
| 385 | /** |
Robert Berry | f0a4bea | 2017-12-22 13:17:32 +0000 | [diff] [blame] | 386 | * Returns all of the recoverable keys for the user. |
| 387 | */ |
Dmitry Dementyev | 77183ef | 2018-01-05 15:46:00 -0800 | [diff] [blame] | 388 | private Map<String, SecretKey> getKeysToSync(int recoveryAgentUid) |
Robert Berry | f0a4bea | 2017-12-22 13:17:32 +0000 | [diff] [blame] | 389 | throws InsecureUserException, KeyStoreException, UnrecoverableKeyException, |
Robert Berry | 26cbb6b | 2018-01-22 21:59:30 +0000 | [diff] [blame] | 390 | NoSuchAlgorithmException, NoSuchPaddingException, BadPlatformKeyException, |
| 391 | InvalidKeyException, InvalidAlgorithmParameterException { |
Dmitry Dementyev | 6e16724 | 2018-01-25 15:29:50 -0800 | [diff] [blame] | 392 | PlatformDecryptionKey decryptKey = mPlatformKeyManager.getDecryptKey(mUserId);; |
Robert Berry | f0a4bea | 2017-12-22 13:17:32 +0000 | [diff] [blame] | 393 | Map<String, WrappedKey> wrappedKeys = mRecoverableKeyStoreDb.getAllKeys( |
Dmitry Dementyev | 77183ef | 2018-01-05 15:46:00 -0800 | [diff] [blame] | 394 | mUserId, recoveryAgentUid, decryptKey.getGenerationId()); |
Robert Berry | f0a4bea | 2017-12-22 13:17:32 +0000 | [diff] [blame] | 395 | return WrappedKey.unwrapKeys(decryptKey, wrappedKeys); |
| 396 | } |
| 397 | |
| 398 | /** |
| 399 | * Returns {@code true} if a sync is pending. |
Dmitry Dementyev | 77183ef | 2018-01-05 15:46:00 -0800 | [diff] [blame] | 400 | * @param recoveryAgentUid uid of the recovery agent. |
Robert Berry | f0a4bea | 2017-12-22 13:17:32 +0000 | [diff] [blame] | 401 | */ |
Robert Berry | 2fd4b59 | 2018-03-15 15:28:05 +0000 | [diff] [blame] | 402 | private boolean shouldCreateSnapshot(int recoveryAgentUid) { |
Dmitry Dementyev | 122bfe1 | 2018-01-10 18:56:36 -0800 | [diff] [blame] | 403 | int[] types = mRecoverableKeyStoreDb.getRecoverySecretTypes(mUserId, recoveryAgentUid); |
Dmitry Dementyev | 0916e7c | 2018-01-23 13:02:08 -0800 | [diff] [blame] | 404 | if (!ArrayUtils.contains(types, KeyChainProtectionParams.TYPE_LOCKSCREEN)) { |
Dmitry Dementyev | 122bfe1 | 2018-01-10 18:56:36 -0800 | [diff] [blame] | 405 | // Only lockscreen type is supported. |
| 406 | // We will need to pass extra argument to KeySyncTask to support custom pass phrase. |
| 407 | return false; |
| 408 | } |
Dmitry Dementyev | 77183ef | 2018-01-05 15:46:00 -0800 | [diff] [blame] | 409 | if (mCredentialUpdated) { |
| 410 | // Sync credential if at least one snapshot was created. |
| 411 | if (mRecoverableKeyStoreDb.getSnapshotVersion(mUserId, recoveryAgentUid) != null) { |
| 412 | mRecoverableKeyStoreDb.setShouldCreateSnapshot(mUserId, recoveryAgentUid, true); |
| 413 | return true; |
| 414 | } |
| 415 | } |
| 416 | |
| 417 | return mRecoverableKeyStoreDb.getShouldCreateSnapshot(mUserId, recoveryAgentUid); |
Robert Berry | f0a4bea | 2017-12-22 13:17:32 +0000 | [diff] [blame] | 418 | } |
| 419 | |
| 420 | /** |
Robert Berry | 4a534ec | 2017-12-21 15:44:02 +0000 | [diff] [blame] | 421 | * The UI best suited to entering the given lock screen. This is synced with the vault so the |
| 422 | * user can be shown the same UI when recovering the vault on another device. |
| 423 | * |
| 424 | * @return The format - either pattern, pin, or password. |
| 425 | */ |
| 426 | @VisibleForTesting |
Dmitry Dementyev | 0916e7c | 2018-01-23 13:02:08 -0800 | [diff] [blame] | 427 | @KeyChainProtectionParams.LockScreenUiFormat static int getUiFormat( |
Robert Berry | 4a534ec | 2017-12-21 15:44:02 +0000 | [diff] [blame] | 428 | int credentialType, String credential) { |
| 429 | if (credentialType == LockPatternUtils.CREDENTIAL_TYPE_PATTERN) { |
Dmitry Dementyev | 0916e7c | 2018-01-23 13:02:08 -0800 | [diff] [blame] | 430 | return KeyChainProtectionParams.UI_FORMAT_PATTERN; |
Robert Berry | 4a534ec | 2017-12-21 15:44:02 +0000 | [diff] [blame] | 431 | } else if (isPin(credential)) { |
Dmitry Dementyev | 0916e7c | 2018-01-23 13:02:08 -0800 | [diff] [blame] | 432 | return KeyChainProtectionParams.UI_FORMAT_PIN; |
Robert Berry | 4a534ec | 2017-12-21 15:44:02 +0000 | [diff] [blame] | 433 | } else { |
Dmitry Dementyev | 0916e7c | 2018-01-23 13:02:08 -0800 | [diff] [blame] | 434 | return KeyChainProtectionParams.UI_FORMAT_PASSWORD; |
Robert Berry | 4a534ec | 2017-12-21 15:44:02 +0000 | [diff] [blame] | 435 | } |
| 436 | } |
| 437 | |
| 438 | /** |
| 439 | * Generates a salt to include with the lock screen hash. |
| 440 | * |
| 441 | * @return The salt. |
| 442 | */ |
| 443 | private byte[] generateSalt() { |
| 444 | byte[] salt = new byte[SALT_LENGTH_BYTES]; |
| 445 | new SecureRandom().nextBytes(salt); |
| 446 | return salt; |
| 447 | } |
| 448 | |
| 449 | /** |
| 450 | * Returns {@code true} if {@code credential} looks like a pin. |
| 451 | */ |
| 452 | @VisibleForTesting |
Dmitry Dementyev | abd713c | 2018-01-09 15:08:13 -0800 | [diff] [blame] | 453 | static boolean isPin(@Nullable String credential) { |
| 454 | if (credential == null) { |
| 455 | return false; |
| 456 | } |
Robert Berry | 4a534ec | 2017-12-21 15:44:02 +0000 | [diff] [blame] | 457 | int length = credential.length(); |
| 458 | for (int i = 0; i < length; i++) { |
| 459 | if (!Character.isDigit(credential.charAt(i))) { |
| 460 | return false; |
| 461 | } |
| 462 | } |
| 463 | return true; |
| 464 | } |
| 465 | |
| 466 | /** |
| 467 | * Hashes {@code credentials} with the given {@code salt}. |
| 468 | * |
| 469 | * @return The SHA-256 hash. |
| 470 | */ |
| 471 | @VisibleForTesting |
Bo Zhu | 7697343 | 2018-04-03 00:37:51 -0700 | [diff] [blame] | 472 | static byte[] hashCredentialsBySaltedSha256(byte[] salt, String credentials) { |
Robert Berry | 4a534ec | 2017-12-21 15:44:02 +0000 | [diff] [blame] | 473 | byte[] credentialsBytes = credentials.getBytes(StandardCharsets.UTF_8); |
| 474 | ByteBuffer byteBuffer = ByteBuffer.allocate( |
| 475 | salt.length + credentialsBytes.length + LENGTH_PREFIX_BYTES * 2); |
| 476 | byteBuffer.order(ByteOrder.LITTLE_ENDIAN); |
| 477 | byteBuffer.putInt(salt.length); |
| 478 | byteBuffer.put(salt); |
| 479 | byteBuffer.putInt(credentialsBytes.length); |
| 480 | byteBuffer.put(credentialsBytes); |
| 481 | byte[] bytes = byteBuffer.array(); |
| 482 | |
| 483 | try { |
| 484 | return MessageDigest.getInstance(LOCK_SCREEN_HASH_ALGORITHM).digest(bytes); |
| 485 | } catch (NoSuchAlgorithmException e) { |
| 486 | // Impossible, SHA-256 must be supported on Android. |
| 487 | throw new RuntimeException(e); |
| 488 | } |
| 489 | } |
| 490 | |
Bo Zhu | 7697343 | 2018-04-03 00:37:51 -0700 | [diff] [blame] | 491 | private byte[] hashCredentialsByScrypt(byte[] salt, String credentials) { |
| 492 | return mScrypt.scrypt( |
| 493 | credentials.getBytes(StandardCharsets.UTF_8), salt, |
| 494 | SCRYPT_PARAM_N, SCRYPT_PARAM_R, SCRYPT_PARAM_P, SCRYPT_PARAM_OUTLEN_BYTES); |
| 495 | } |
| 496 | |
Robert Berry | 4a534ec | 2017-12-21 15:44:02 +0000 | [diff] [blame] | 497 | private static SecretKey generateRecoveryKey() throws NoSuchAlgorithmException { |
| 498 | KeyGenerator keyGenerator = KeyGenerator.getInstance(RECOVERY_KEY_ALGORITHM); |
| 499 | keyGenerator.init(RECOVERY_KEY_SIZE_BITS); |
| 500 | return keyGenerator.generateKey(); |
| 501 | } |
Robert Berry | f0a4bea | 2017-12-22 13:17:32 +0000 | [diff] [blame] | 502 | |
Robert Berry | 5f13870 | 2018-01-17 15:18:05 +0000 | [diff] [blame] | 503 | private static List<WrappedApplicationKey> createApplicationKeyEntries( |
Robert Berry | bd086f1 | 2017-12-27 13:29:39 +0000 | [diff] [blame] | 504 | Map<String, byte[]> encryptedApplicationKeys) { |
Robert Berry | 5f13870 | 2018-01-17 15:18:05 +0000 | [diff] [blame] | 505 | ArrayList<WrappedApplicationKey> keyEntries = new ArrayList<>(); |
Robert Berry | bd086f1 | 2017-12-27 13:29:39 +0000 | [diff] [blame] | 506 | for (String alias : encryptedApplicationKeys.keySet()) { |
Dmitry Dementyev | 907e275 | 2018-01-26 10:54:52 -0800 | [diff] [blame] | 507 | keyEntries.add(new WrappedApplicationKey.Builder() |
| 508 | .setAlias(alias) |
| 509 | .setEncryptedKeyMaterial(encryptedApplicationKeys.get(alias)) |
| 510 | .build()); |
Robert Berry | bd086f1 | 2017-12-27 13:29:39 +0000 | [diff] [blame] | 511 | } |
| 512 | return keyEntries; |
Robert Berry | f0a4bea | 2017-12-22 13:17:32 +0000 | [diff] [blame] | 513 | } |
Bo Zhu | 7697343 | 2018-04-03 00:37:51 -0700 | [diff] [blame] | 514 | |
Bo Zhu | c3aefbd | 2018-04-06 09:57:02 -0700 | [diff] [blame] | 515 | private boolean shouldUseScryptToHashCredential() { |
| 516 | return mCredentialType == LockPatternUtils.CREDENTIAL_TYPE_PASSWORD; |
Bo Zhu | 7697343 | 2018-04-03 00:37:51 -0700 | [diff] [blame] | 517 | } |
Robert Berry | 4a534ec | 2017-12-21 15:44:02 +0000 | [diff] [blame] | 518 | } |