Robert Berry | 81ee34b | 2018-01-23 11:59:59 +0000 | [diff] [blame] | 1 | /* |
| 2 | * Copyright (C) 2017 The Android Open Source Project |
| 3 | * |
| 4 | * Licensed under the Apache License, Version 2.0 (the "License"); |
| 5 | * you may not use this file except in compliance with the License. |
| 6 | * You may obtain a copy of the License at |
| 7 | * |
| 8 | * http://www.apache.org/licenses/LICENSE-2.0 |
| 9 | * |
| 10 | * Unless required by applicable law or agreed to in writing, software |
| 11 | * distributed under the License is distributed on an "AS IS" BASIS, |
| 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| 13 | * See the License for the specific language governing permissions and |
| 14 | * limitations under the License. |
| 15 | */ |
| 16 | |
| 17 | package android.security.keystore.recovery; |
| 18 | |
| 19 | import android.annotation.NonNull; |
| 20 | import android.annotation.Nullable; |
Dmitry Dementyev | 0916e7c | 2018-01-23 13:02:08 -0800 | [diff] [blame] | 21 | import android.annotation.RequiresPermission; |
Dmitry Dementyev | f8ae5de | 2018-01-08 18:08:23 -0800 | [diff] [blame] | 22 | import android.annotation.SystemApi; |
Bo Zhu | b95c90c | 2018-04-10 13:58:25 -0700 | [diff] [blame] | 23 | import android.app.KeyguardManager; |
Robert Berry | 81ee34b | 2018-01-23 11:59:59 +0000 | [diff] [blame] | 24 | import android.app.PendingIntent; |
Dmitry Dementyev | 0916e7c | 2018-01-23 13:02:08 -0800 | [diff] [blame] | 25 | import android.content.Context; |
Robert Berry | 81ee34b | 2018-01-23 11:59:59 +0000 | [diff] [blame] | 26 | import android.os.RemoteException; |
| 27 | import android.os.ServiceManager; |
| 28 | import android.os.ServiceSpecificException; |
Dmitry Dementyev | 29b9de5 | 2018-01-31 16:09:32 -0800 | [diff] [blame] | 29 | import android.security.KeyStore; |
| 30 | import android.security.keystore.AndroidKeyStoreProvider; |
Robert Berry | 81ee34b | 2018-01-23 11:59:59 +0000 | [diff] [blame] | 31 | |
| 32 | import com.android.internal.widget.ILockSettings; |
| 33 | |
Dmitry Dementyev | 29b9de5 | 2018-01-31 16:09:32 -0800 | [diff] [blame] | 34 | import java.security.Key; |
| 35 | import java.security.UnrecoverableKeyException; |
Aseem Kumar | c1742e5 | 2018-03-12 14:34:58 -0700 | [diff] [blame] | 36 | import java.security.cert.CertPath; |
Dmitry Dementyev | 0916e7c | 2018-01-23 13:02:08 -0800 | [diff] [blame] | 37 | import java.security.cert.CertificateException; |
Robert Berry | 93d002c | 2018-03-21 21:57:07 +0000 | [diff] [blame] | 38 | import java.security.cert.X509Certificate; |
Dmitry Dementyev | 0916e7c | 2018-01-23 13:02:08 -0800 | [diff] [blame] | 39 | import java.util.ArrayList; |
Robert Berry | 81ee34b | 2018-01-23 11:59:59 +0000 | [diff] [blame] | 40 | import java.util.List; |
| 41 | import java.util.Map; |
| 42 | |
| 43 | /** |
Robert Berry | 93f38d7 | 2018-03-29 17:19:38 +0100 | [diff] [blame] | 44 | * Backs up cryptographic keys to remote secure hardware, encrypted with the user's lock screen. |
Robert Berry | 81ee34b | 2018-01-23 11:59:59 +0000 | [diff] [blame] | 45 | * |
Bo Zhu | 41d2dd2 | 2018-03-30 12:20:06 -0700 | [diff] [blame] | 46 | * <p>A system app with the {@code android.permission.RECOVER_KEYSTORE} permission may generate or |
Robert Berry | 93f38d7 | 2018-03-29 17:19:38 +0100 | [diff] [blame] | 47 | * import recoverable keys using this class. To generate a key, the app must call |
| 48 | * {@link #generateKey(String)} with the desired alias for the key. This returns an AndroidKeyStore |
| 49 | * reference to a 256-bit {@link javax.crypto.SecretKey}, which can be used for AES/GCM/NoPadding. |
| 50 | * In order to get the same key again at a later time, the app can call {@link #getKey(String)} with |
| 51 | * the same alias. If a key is generated in this way the key's raw material is never directly |
| 52 | * exposed to the calling app. The system app may also import key material using |
| 53 | * {@link #importKey(String, byte[])}. The app may only generate and import keys for its own |
| 54 | * {@code uid}. |
Robert Berry | 81ee34b | 2018-01-23 11:59:59 +0000 | [diff] [blame] | 55 | * |
Robert Berry | 93f38d7 | 2018-03-29 17:19:38 +0100 | [diff] [blame] | 56 | * <p>The same system app must also register a Recovery Agent to manage syncing recoverable keys to |
| 57 | * remote secure hardware. The Recovery Agent is a service that registers itself with the controller |
| 58 | * as follows: |
Robert Berry | 81ee34b | 2018-01-23 11:59:59 +0000 | [diff] [blame] | 59 | * |
Robert Berry | 93f38d7 | 2018-03-29 17:19:38 +0100 | [diff] [blame] | 60 | * <ul> |
| 61 | * <li>Invokes {@link #initRecoveryService(String, byte[], byte[])} |
| 62 | * <ul> |
| 63 | * <li>The first argument is the alias of the root certificate used to verify trusted |
| 64 | * hardware modules. Each trusted hardware module must have a public key signed with this |
| 65 | * root of trust. Roots of trust must be shipped with the framework. The app can list all |
| 66 | * valid roots of trust by calling {@link #getRootCertificates()}. |
| 67 | * <li>The second argument is the UTF-8 bytes of the XML listing file. It lists the X509 |
| 68 | * certificates containing the public keys of all available remote trusted hardware modules. |
| 69 | * Each of the X509 certificates can be validated against the chosen root of trust. |
| 70 | * <li>The third argument is the UTF-8 bytes of the XML signing file. The file contains a |
| 71 | * signature of the XML listing file. The signature can be validated against the chosen root |
| 72 | * of trust. |
| 73 | * </ul> |
| 74 | * <p>This will cause the controller to choose a random public key from the list. From then |
| 75 | * on the controller will attempt to sync the key chain with the trusted hardware module to whom |
| 76 | * that key belongs. |
| 77 | * <li>Invokes {@link #setServerParams(byte[])} with a byte string that identifies the device |
| 78 | * to a remote server. This server may act as the front-end to the trusted hardware modules. It |
| 79 | * is up to the Recovery Agent to decide how best to identify devices, but this could be, e.g., |
| 80 | * based on the <a href="https://developers.google.com/instance-id/">Instance ID</a> of the |
| 81 | * system app. |
| 82 | * <li>Invokes {@link #setRecoverySecretTypes(int[])} with a list of types of secret used to |
| 83 | * secure the recoverable key chain. For now only |
| 84 | * {@link KeyChainProtectionParams#TYPE_LOCKSCREEN} is supported. |
| 85 | * <li>Invokes {@link #setSnapshotCreatedPendingIntent(PendingIntent)} with a |
| 86 | * {@link PendingIntent} that is to be invoked whenever a new snapshot is created. Although the |
| 87 | * controller can create snapshots without the Recovery Agent registering this intent, it is a |
| 88 | * good idea to register the intent so that the Recovery Agent is able to sync this snapshot to |
| 89 | * the trusted hardware module as soon as it is available. |
| 90 | * </ul> |
| 91 | * |
| 92 | * <p>The trusted hardware module's public key MUST be generated on secure hardware with protections |
| 93 | * equivalent to those described in the |
| 94 | * <a href="https://developer.android.com/preview/features/security/ckv-whitepaper.html">Google |
| 95 | * Cloud Key Vault Service whitepaper</a>. The trusted hardware module itself must protect the key |
| 96 | * chain from brute-forcing using the methods also described in the whitepaper: i.e., it should |
| 97 | * limit the number of allowed attempts to enter the lock screen. If the number of attempts is |
| 98 | * exceeded the key material must no longer be recoverable. |
| 99 | * |
| 100 | * <p>A recoverable key chain snapshot is considered pending if any of the following conditions |
| 101 | * are met: |
| 102 | * |
| 103 | * <ul> |
| 104 | * <li>The system app mutates the key chain. i.e., generates, imports, or removes a key. |
| 105 | * <li>The user changes their lock screen. |
| 106 | * </ul> |
| 107 | * |
| 108 | * <p>Whenever the user unlocks their device, if a snapshot is pending, the Recovery Controller |
| 109 | * generates a new snapshot. It follows these steps to do so: |
| 110 | * |
| 111 | * <ul> |
| 112 | * <li>Generates a 256-bit AES key using {@link java.security.SecureRandom}. This is the |
| 113 | * Recovery Key. |
| 114 | * <li>Wraps the key material of all keys in the recoverable key chain with the Recovery Key. |
| 115 | * <li>Encrypts the Recovery Key with both the public key of the trusted hardware module and a |
| 116 | * symmetric key derived from the user's lock screen. |
| 117 | * </ul> |
| 118 | * |
| 119 | * <p>The controller then writes this snapshot to disk, and uses the {@link PendingIntent} that was |
| 120 | * set by the Recovery Agent during initialization to inform it that a new snapshot is available. |
| 121 | * The snapshot only contains keys for that Recovery Agent's {@code uid} - i.e., keys the agent's |
| 122 | * app itself generated. If multiple Recovery Agents exist on the device, each will be notified of |
| 123 | * their new snapshots, and each snapshots' keys will be only those belonging to the same |
| 124 | * {@code uid}. |
| 125 | * |
| 126 | * <p>The Recovery Agent retrieves its most recent snapshot by calling |
| 127 | * {@link #getKeyChainSnapshot()}. It syncs the snapshot to the remote server. The snapshot contains |
| 128 | * the public key used for encryption, which the server uses to forward the encrypted recovery key |
| 129 | * to the correct trusted hardware module. The snapshot also contains the server params, which are |
| 130 | * used to identify this device to the server. |
| 131 | * |
| 132 | * <p>The client uses the server params to identify a device whose key chain it wishes to restore. |
| 133 | * This may be on a different device to the device that originally synced the key chain. The client |
| 134 | * sends the server params identifying the previous device to the server. The server returns the |
| 135 | * X509 certificate identifying the trusted hardware module in which the encrypted Recovery Key is |
| 136 | * stored. It also returns some vault parameters identifying that particular Recovery Key to the |
| 137 | * trusted hardware module. And it also returns a vault challenge, which is used as part of the |
| 138 | * vault opening protocol to ensure the recovery claim is fresh. See the whitepaper for more |
| 139 | * details. |
| 140 | * |
| 141 | * <p>The key chain is recovered via a {@link RecoverySession}. A Recovery Agent creates one by |
| 142 | * invoking {@link #createRecoverySession()}. It then invokes |
| 143 | * {@link RecoverySession#start(String, CertPath, byte[], byte[], List)} with these arguments: |
| 144 | * |
| 145 | * <ul> |
| 146 | * <li>The alias of the root of trust used to verify the trusted hardware module. |
| 147 | * <li>The X509 certificate of the trusted hardware module. |
| 148 | * <li>The vault parameters used to identify the Recovery Key to the trusted hardware module. |
| 149 | * <li>The vault challenge, as issued by the trusted hardware module. |
| 150 | * <li>A list of secrets, corresponding to the secrets used to protect the key chain. At the |
| 151 | * moment this is a single {@link KeyChainProtectionParams} containing the lock screen of the |
| 152 | * device whose key chain is to be recovered. |
| 153 | * </ul> |
| 154 | * |
| 155 | * <p>This method returns a byte array containing the Recovery Claim, which can be issued to the |
| 156 | * remote trusted hardware module. It is encrypted with the trusted hardware module's public key |
| 157 | * (which has itself been certified with the root of trust). It also contains an ephemeral symmetric |
| 158 | * key generated for this recovery session, which the remote trusted hardware module uses to encrypt |
| 159 | * its responses. This is the Session Key. |
| 160 | * |
| 161 | * <p>If the lock screen provided is correct, the remote trusted hardware module decrypts one of the |
| 162 | * layers of lock-screen encryption from the Recovery Key. It then returns this key, encrypted with |
| 163 | * the Session Key to the Recovery Agent. As the Recovery Agent does not know the Session Key, it |
| 164 | * must then invoke {@link RecoverySession#recoverKeyChainSnapshot(byte[], List)} with the encrypted |
| 165 | * Recovery Key and the list of wrapped application keys. The controller then decrypts the layer of |
| 166 | * encryption provided by the Session Key, and uses the lock screen to decrypt the final layer of |
| 167 | * encryption. It then uses the Recovery Key to decrypt all of the wrapped application keys, and |
| 168 | * imports them into its own KeyStore. The Recovery Agent's app may then access these keys by |
| 169 | * calling {@link #getKey(String)}. Only this app's {@code uid} may access the keys that have been |
| 170 | * recovered. |
Robert Berry | 81ee34b | 2018-01-23 11:59:59 +0000 | [diff] [blame] | 171 | * |
| 172 | * @hide |
| 173 | */ |
Dmitry Dementyev | f8ae5de | 2018-01-08 18:08:23 -0800 | [diff] [blame] | 174 | @SystemApi |
Robert Berry | 81ee34b | 2018-01-23 11:59:59 +0000 | [diff] [blame] | 175 | public class RecoveryController { |
| 176 | private static final String TAG = "RecoveryController"; |
| 177 | |
| 178 | /** Key has been successfully synced. */ |
| 179 | public static final int RECOVERY_STATUS_SYNCED = 0; |
| 180 | /** Waiting for recovery agent to sync the key. */ |
| 181 | public static final int RECOVERY_STATUS_SYNC_IN_PROGRESS = 1; |
Robert Berry | 81ee34b | 2018-01-23 11:59:59 +0000 | [diff] [blame] | 182 | /** Key cannot be synced. */ |
| 183 | public static final int RECOVERY_STATUS_PERMANENT_FAILURE = 3; |
| 184 | |
| 185 | /** |
| 186 | * Failed because no snapshot is yet pending to be synced for the user. |
| 187 | * |
| 188 | * @hide |
| 189 | */ |
| 190 | public static final int ERROR_NO_SNAPSHOT_PENDING = 21; |
| 191 | |
| 192 | /** |
| 193 | * Failed due to an error internal to the recovery service. This is unexpected and indicates |
| 194 | * either a problem with the logic in the service, or a problem with a dependency of the |
| 195 | * service (such as AndroidKeyStore). |
| 196 | * |
| 197 | * @hide |
| 198 | */ |
| 199 | public static final int ERROR_SERVICE_INTERNAL_ERROR = 22; |
| 200 | |
| 201 | /** |
| 202 | * Failed because the user does not have a lock screen set. |
| 203 | * |
| 204 | * @hide |
| 205 | */ |
| 206 | public static final int ERROR_INSECURE_USER = 23; |
| 207 | |
| 208 | /** |
| 209 | * Error thrown when attempting to use a recovery session that has since been closed. |
| 210 | * |
| 211 | * @hide |
| 212 | */ |
| 213 | public static final int ERROR_SESSION_EXPIRED = 24; |
| 214 | |
| 215 | /** |
Bo Zhu | 7f414d9 | 2018-02-28 09:28:19 -0800 | [diff] [blame] | 216 | * Failed because the format of the provided certificate is incorrect, e.g., cannot be decoded |
| 217 | * properly or misses necessary fields. |
| 218 | * |
| 219 | * <p>Note that this is different from {@link #ERROR_INVALID_CERTIFICATE}, which implies the |
| 220 | * certificate has a correct format but cannot be validated. |
Robert Berry | 81ee34b | 2018-01-23 11:59:59 +0000 | [diff] [blame] | 221 | * |
| 222 | * @hide |
| 223 | */ |
| 224 | public static final int ERROR_BAD_CERTIFICATE_FORMAT = 25; |
| 225 | |
| 226 | /** |
| 227 | * Error thrown if decryption failed. This might be because the tag is wrong, the key is wrong, |
| 228 | * the data has become corrupted, the data has been tampered with, etc. |
| 229 | * |
| 230 | * @hide |
| 231 | */ |
| 232 | public static final int ERROR_DECRYPTION_FAILED = 26; |
| 233 | |
Bo Zhu | 2c8e538 | 2018-02-26 15:54:25 -0800 | [diff] [blame] | 234 | /** |
| 235 | * Error thrown if the format of a given key is invalid. This might be because the key has a |
| 236 | * wrong length, invalid content, etc. |
| 237 | * |
| 238 | * @hide |
| 239 | */ |
| 240 | public static final int ERROR_INVALID_KEY_FORMAT = 27; |
| 241 | |
Bo Zhu | 7f414d9 | 2018-02-28 09:28:19 -0800 | [diff] [blame] | 242 | /** |
| 243 | * Failed because the provided certificate cannot be validated, e.g., is expired or has invalid |
| 244 | * signatures. |
| 245 | * |
| 246 | * <p>Note that this is different from {@link #ERROR_BAD_CERTIFICATE_FORMAT}, which denotes |
| 247 | * incorrect certificate formats, e.g., due to wrong encoding or structure. |
| 248 | * |
| 249 | * @hide |
| 250 | */ |
| 251 | public static final int ERROR_INVALID_CERTIFICATE = 28; |
Robert Berry | 81ee34b | 2018-01-23 11:59:59 +0000 | [diff] [blame] | 252 | |
Aseem Kumar | 23174b7 | 2018-04-03 11:35:51 -0700 | [diff] [blame] | 253 | |
| 254 | /** |
| 255 | * Failed because the provided certificate contained serial version which is lower that the |
| 256 | * version device is already initialized with. It is not possible to downgrade serial version of |
| 257 | * the provided certificate. |
| 258 | * |
| 259 | * @hide |
| 260 | */ |
| 261 | public static final int ERROR_DOWNGRADE_CERTIFICATE = 29; |
| 262 | |
Robert Berry | 81ee34b | 2018-01-23 11:59:59 +0000 | [diff] [blame] | 263 | private final ILockSettings mBinder; |
Dmitry Dementyev | 29b9de5 | 2018-01-31 16:09:32 -0800 | [diff] [blame] | 264 | private final KeyStore mKeyStore; |
Robert Berry | 81ee34b | 2018-01-23 11:59:59 +0000 | [diff] [blame] | 265 | |
Dmitry Dementyev | 29b9de5 | 2018-01-31 16:09:32 -0800 | [diff] [blame] | 266 | private RecoveryController(ILockSettings binder, KeyStore keystore) { |
Robert Berry | 81ee34b | 2018-01-23 11:59:59 +0000 | [diff] [blame] | 267 | mBinder = binder; |
Dmitry Dementyev | 29b9de5 | 2018-01-31 16:09:32 -0800 | [diff] [blame] | 268 | mKeyStore = keystore; |
Robert Berry | 81ee34b | 2018-01-23 11:59:59 +0000 | [diff] [blame] | 269 | } |
| 270 | |
| 271 | /** |
Dmitry Dementyev | 0916e7c | 2018-01-23 13:02:08 -0800 | [diff] [blame] | 272 | * Internal method used by {@code RecoverySession}. |
| 273 | * |
| 274 | * @hide |
| 275 | */ |
| 276 | ILockSettings getBinder() { |
| 277 | return mBinder; |
| 278 | } |
| 279 | |
| 280 | /** |
Robert Berry | 81ee34b | 2018-01-23 11:59:59 +0000 | [diff] [blame] | 281 | * Gets a new instance of the class. |
| 282 | */ |
Aseem Kumar | c1742e5 | 2018-03-12 14:34:58 -0700 | [diff] [blame] | 283 | @RequiresPermission(android.Manifest.permission.RECOVER_KEYSTORE) |
Dmitry Dementyev | 16d9db5 | 2018-03-26 11:31:46 -0700 | [diff] [blame] | 284 | @NonNull public static RecoveryController getInstance(@NonNull Context context) { |
Robert Berry | 81ee34b | 2018-01-23 11:59:59 +0000 | [diff] [blame] | 285 | ILockSettings lockSettings = |
| 286 | ILockSettings.Stub.asInterface(ServiceManager.getService("lock_settings")); |
Dmitry Dementyev | 29b9de5 | 2018-01-31 16:09:32 -0800 | [diff] [blame] | 287 | return new RecoveryController(lockSettings, KeyStore.getInstance()); |
Robert Berry | 81ee34b | 2018-01-23 11:59:59 +0000 | [diff] [blame] | 288 | } |
| 289 | |
| 290 | /** |
Bo Zhu | b95c90c | 2018-04-10 13:58:25 -0700 | [diff] [blame] | 291 | * Checks whether the recoverable key store is currently available. |
| 292 | * |
| 293 | * <p>If it returns true, the device must currently be using a screen lock that is supported for |
| 294 | * use with the recoverable key store, i.e. AOSP PIN, pattern or password. |
| 295 | */ |
| 296 | @RequiresPermission(android.Manifest.permission.RECOVER_KEYSTORE) |
| 297 | public static boolean isRecoverableKeyStoreEnabled(@NonNull Context context) { |
| 298 | KeyguardManager keyguardManager = context.getSystemService(KeyguardManager.class); |
| 299 | return keyguardManager != null && keyguardManager.isDeviceSecure(); |
| 300 | } |
| 301 | |
| 302 | /** |
Bo Zhu | 7f414d9 | 2018-02-28 09:28:19 -0800 | [diff] [blame] | 303 | * Initializes the recovery service for the calling application. The detailed steps should be: |
| 304 | * <ol> |
| 305 | * <li>Parse {@code signatureFile} to get relevant information. |
| 306 | * <li>Validate the signer's X509 certificate, contained in {@code signatureFile}, against |
| 307 | * the root certificate pre-installed in the OS and chosen by {@code |
| 308 | * rootCertificateAlias}. |
| 309 | * <li>Verify the public-key signature, contained in {@code signatureFile}, and verify it |
| 310 | * against the entire {@code certificateFile}. |
| 311 | * <li>Parse {@code certificateFile} to get relevant information. |
| 312 | * <li>Check the serial number, contained in {@code certificateFile}, and skip the following |
| 313 | * steps if the serial number is not larger than the one previously stored. |
| 314 | * <li>Randomly choose a X509 certificate from the endpoint X509 certificates, contained in |
| 315 | * {@code certificateFile}, and validate it against the root certificate pre-installed |
| 316 | * in the OS and chosen by {@code rootCertificateAlias}. |
| 317 | * <li>Store the chosen X509 certificate and the serial in local database for later use. |
| 318 | * </ol> |
| 319 | * |
| 320 | * @param rootCertificateAlias the alias of a root certificate pre-installed in the OS |
| 321 | * @param certificateFile the binary content of the XML file containing a list of recovery |
| 322 | * service X509 certificates, and other metadata including the serial number |
| 323 | * @param signatureFile the binary content of the XML file containing the public-key signature |
| 324 | * of the entire certificate file, and a signer's X509 certificate |
| 325 | * @throws CertificateException if the given certificate files cannot be parsed or validated |
| 326 | * @throws InternalRecoveryServiceException if an unexpected error occurred in the recovery |
| 327 | * service. |
| 328 | */ |
| 329 | @RequiresPermission(android.Manifest.permission.RECOVER_KEYSTORE) |
| 330 | public void initRecoveryService( |
| 331 | @NonNull String rootCertificateAlias, @NonNull byte[] certificateFile, |
| 332 | @NonNull byte[] signatureFile) |
| 333 | throws CertificateException, InternalRecoveryServiceException { |
| 334 | try { |
| 335 | mBinder.initRecoveryServiceWithSigFile( |
| 336 | rootCertificateAlias, certificateFile, signatureFile); |
| 337 | } catch (RemoteException e) { |
| 338 | throw e.rethrowFromSystemServer(); |
| 339 | } catch (ServiceSpecificException e) { |
| 340 | if (e.errorCode == ERROR_BAD_CERTIFICATE_FORMAT |
| 341 | || e.errorCode == ERROR_INVALID_CERTIFICATE) { |
Bo Zhu | 41d2dd2 | 2018-03-30 12:20:06 -0700 | [diff] [blame] | 342 | throw new CertificateException("Invalid certificate for recovery service", e); |
Robert Berry | 81ee34b | 2018-01-23 11:59:59 +0000 | [diff] [blame] | 343 | } |
Aseem Kumar | 23174b7 | 2018-04-03 11:35:51 -0700 | [diff] [blame] | 344 | if (e.errorCode == ERROR_DOWNGRADE_CERTIFICATE) { |
| 345 | throw new CertificateException( |
| 346 | "Downgrading certificate serial version isn't supported.", e); |
| 347 | } |
Robert Berry | 81ee34b | 2018-01-23 11:59:59 +0000 | [diff] [blame] | 348 | throw wrapUnexpectedServiceSpecificException(e); |
| 349 | } |
| 350 | } |
| 351 | |
| 352 | /** |
Dmitry Dementyev | b4fb987 | 2018-01-26 11:49:34 -0800 | [diff] [blame] | 353 | * Returns data necessary to store all recoverable keys. Key material is |
| 354 | * encrypted with user secret and recovery public key. |
| 355 | * |
| 356 | * @return Data necessary to recover keystore or {@code null} if snapshot is not available. |
| 357 | * @throws InternalRecoveryServiceException if an unexpected error occurred in the recovery |
| 358 | * service. |
Dmitry Dementyev | b4fb987 | 2018-01-26 11:49:34 -0800 | [diff] [blame] | 359 | */ |
| 360 | @RequiresPermission(android.Manifest.permission.RECOVER_KEYSTORE) |
| 361 | public @Nullable KeyChainSnapshot getKeyChainSnapshot() |
| 362 | throws InternalRecoveryServiceException { |
| 363 | try { |
| 364 | return mBinder.getKeyChainSnapshot(); |
Robert Berry | 81ee34b | 2018-01-23 11:59:59 +0000 | [diff] [blame] | 365 | } catch (RemoteException e) { |
| 366 | throw e.rethrowFromSystemServer(); |
| 367 | } catch (ServiceSpecificException e) { |
| 368 | if (e.errorCode == ERROR_NO_SNAPSHOT_PENDING) { |
| 369 | return null; |
| 370 | } |
| 371 | throw wrapUnexpectedServiceSpecificException(e); |
| 372 | } |
| 373 | } |
| 374 | |
| 375 | /** |
| 376 | * Sets a listener which notifies recovery agent that new recovery snapshot is available. {@link |
Dmitry Dementyev | 1e6a9dc | 2018-03-21 13:52:00 -0700 | [diff] [blame] | 377 | * #getKeyChainSnapshot} can be used to get the snapshot. Note that every recovery agent can |
| 378 | * have at most one registered listener at any time. |
Robert Berry | 81ee34b | 2018-01-23 11:59:59 +0000 | [diff] [blame] | 379 | * |
| 380 | * @param intent triggered when new snapshot is available. Unregisters listener if the value is |
| 381 | * {@code null}. |
| 382 | * @throws InternalRecoveryServiceException if an unexpected error occurred in the recovery |
| 383 | * service. |
| 384 | */ |
Dmitry Dementyev | 0916e7c | 2018-01-23 13:02:08 -0800 | [diff] [blame] | 385 | @RequiresPermission(android.Manifest.permission.RECOVER_KEYSTORE) |
Robert Berry | 81ee34b | 2018-01-23 11:59:59 +0000 | [diff] [blame] | 386 | public void setSnapshotCreatedPendingIntent(@Nullable PendingIntent intent) |
| 387 | throws InternalRecoveryServiceException { |
| 388 | try { |
| 389 | mBinder.setSnapshotCreatedPendingIntent(intent); |
| 390 | } catch (RemoteException e) { |
| 391 | throw e.rethrowFromSystemServer(); |
| 392 | } catch (ServiceSpecificException e) { |
| 393 | throw wrapUnexpectedServiceSpecificException(e); |
| 394 | } |
| 395 | } |
| 396 | |
| 397 | /** |
Robert Berry | 81ee34b | 2018-01-23 11:59:59 +0000 | [diff] [blame] | 398 | * Server parameters used to generate new recovery key blobs. This value will be included in |
Dmitry Dementyev | 0916e7c | 2018-01-23 13:02:08 -0800 | [diff] [blame] | 399 | * {@code KeyChainSnapshot.getEncryptedRecoveryKeyBlob()}. The same value must be included |
Aseem Kumar | c1742e5 | 2018-03-12 14:34:58 -0700 | [diff] [blame] | 400 | * in vaultParams {@link RecoverySession#start(CertPath, byte[], byte[], List)}. |
Robert Berry | 81ee34b | 2018-01-23 11:59:59 +0000 | [diff] [blame] | 401 | * |
| 402 | * @param serverParams included in recovery key blob. |
Dmitry Dementyev | 1e6a9dc | 2018-03-21 13:52:00 -0700 | [diff] [blame] | 403 | * @see #getKeyChainSnapshot |
Robert Berry | 81ee34b | 2018-01-23 11:59:59 +0000 | [diff] [blame] | 404 | * @throws InternalRecoveryServiceException if an unexpected error occurred in the recovery |
| 405 | * service. |
| 406 | */ |
Dmitry Dementyev | 0916e7c | 2018-01-23 13:02:08 -0800 | [diff] [blame] | 407 | @RequiresPermission(android.Manifest.permission.RECOVER_KEYSTORE) |
Dmitry Dementyev | 1e6a9dc | 2018-03-21 13:52:00 -0700 | [diff] [blame] | 408 | public void setServerParams(@NonNull byte[] serverParams) |
| 409 | throws InternalRecoveryServiceException { |
Robert Berry | 81ee34b | 2018-01-23 11:59:59 +0000 | [diff] [blame] | 410 | try { |
| 411 | mBinder.setServerParams(serverParams); |
| 412 | } catch (RemoteException e) { |
| 413 | throw e.rethrowFromSystemServer(); |
| 414 | } catch (ServiceSpecificException e) { |
| 415 | throw wrapUnexpectedServiceSpecificException(e); |
| 416 | } |
| 417 | } |
| 418 | |
| 419 | /** |
Robert Berry | 56f06b4 | 2018-02-23 13:31:32 +0000 | [diff] [blame] | 420 | * Returns a list of aliases of keys belonging to the application. |
| 421 | */ |
Aseem Kumar | c1742e5 | 2018-03-12 14:34:58 -0700 | [diff] [blame] | 422 | @RequiresPermission(android.Manifest.permission.RECOVER_KEYSTORE) |
Dmitry Dementyev | 1e6a9dc | 2018-03-21 13:52:00 -0700 | [diff] [blame] | 423 | public @NonNull List<String> getAliases() throws InternalRecoveryServiceException { |
Dmitry Dementyev | 0916e7c | 2018-01-23 13:02:08 -0800 | [diff] [blame] | 424 | try { |
Robert Berry | 56f06b4 | 2018-02-23 13:31:32 +0000 | [diff] [blame] | 425 | Map<String, Integer> allStatuses = mBinder.getRecoveryStatus(); |
Dmitry Dementyev | 0916e7c | 2018-01-23 13:02:08 -0800 | [diff] [blame] | 426 | return new ArrayList<>(allStatuses.keySet()); |
| 427 | } catch (RemoteException e) { |
| 428 | throw e.rethrowFromSystemServer(); |
| 429 | } catch (ServiceSpecificException e) { |
| 430 | throw wrapUnexpectedServiceSpecificException(e); |
| 431 | } |
| 432 | } |
| 433 | |
| 434 | /** |
Robert Berry | bbe02ae | 2018-02-20 19:47:43 +0000 | [diff] [blame] | 435 | * Sets the recovery status for given key. It is used to notify the keystore that the key was |
| 436 | * successfully stored on the server or that there was an error. An application can check this |
| 437 | * value using {@link #getRecoveryStatus(String, String)}. |
| 438 | * |
| 439 | * @param alias The alias of the key whose status to set. |
| 440 | * @param status The status of the key. One of {@link #RECOVERY_STATUS_SYNCED}, |
| 441 | * {@link #RECOVERY_STATUS_SYNC_IN_PROGRESS} or {@link #RECOVERY_STATUS_PERMANENT_FAILURE}. |
| 442 | * @throws InternalRecoveryServiceException if an unexpected error occurred in the recovery |
| 443 | * service. |
| 444 | */ |
| 445 | @RequiresPermission(android.Manifest.permission.RECOVER_KEYSTORE) |
Dmitry Dementyev | 1e6a9dc | 2018-03-21 13:52:00 -0700 | [diff] [blame] | 446 | public void setRecoveryStatus(@NonNull String alias, int status) |
Robert Berry | bbe02ae | 2018-02-20 19:47:43 +0000 | [diff] [blame] | 447 | throws InternalRecoveryServiceException { |
Robert Berry | 81ee34b | 2018-01-23 11:59:59 +0000 | [diff] [blame] | 448 | try { |
Robert Berry | bbe02ae | 2018-02-20 19:47:43 +0000 | [diff] [blame] | 449 | mBinder.setRecoveryStatus(alias, status); |
Robert Berry | 81ee34b | 2018-01-23 11:59:59 +0000 | [diff] [blame] | 450 | } catch (RemoteException e) { |
| 451 | throw e.rethrowFromSystemServer(); |
| 452 | } catch (ServiceSpecificException e) { |
| 453 | throw wrapUnexpectedServiceSpecificException(e); |
| 454 | } |
| 455 | } |
| 456 | |
| 457 | /** |
Robert Berry | 56f06b4 | 2018-02-23 13:31:32 +0000 | [diff] [blame] | 458 | * Returns the recovery status for the key with the given {@code alias}. |
Robert Berry | 81ee34b | 2018-01-23 11:59:59 +0000 | [diff] [blame] | 459 | * |
| 460 | * <ul> |
| 461 | * <li>{@link #RECOVERY_STATUS_SYNCED} |
| 462 | * <li>{@link #RECOVERY_STATUS_SYNC_IN_PROGRESS} |
Robert Berry | 81ee34b | 2018-01-23 11:59:59 +0000 | [diff] [blame] | 463 | * <li>{@link #RECOVERY_STATUS_PERMANENT_FAILURE} |
| 464 | * </ul> |
| 465 | * |
Robert Berry | 56f06b4 | 2018-02-23 13:31:32 +0000 | [diff] [blame] | 466 | * @see #setRecoveryStatus(String, int) |
Robert Berry | 81ee34b | 2018-01-23 11:59:59 +0000 | [diff] [blame] | 467 | * @throws InternalRecoveryServiceException if an unexpected error occurred in the recovery |
| 468 | * service. |
| 469 | */ |
Aseem Kumar | c1742e5 | 2018-03-12 14:34:58 -0700 | [diff] [blame] | 470 | @RequiresPermission(android.Manifest.permission.RECOVER_KEYSTORE) |
Dmitry Dementyev | 1e6a9dc | 2018-03-21 13:52:00 -0700 | [diff] [blame] | 471 | public int getRecoveryStatus(@NonNull String alias) throws InternalRecoveryServiceException { |
Robert Berry | 81ee34b | 2018-01-23 11:59:59 +0000 | [diff] [blame] | 472 | try { |
Robert Berry | 56f06b4 | 2018-02-23 13:31:32 +0000 | [diff] [blame] | 473 | Map<String, Integer> allStatuses = mBinder.getRecoveryStatus(); |
Dmitry Dementyev | 0916e7c | 2018-01-23 13:02:08 -0800 | [diff] [blame] | 474 | Integer status = allStatuses.get(alias); |
| 475 | if (status == null) { |
| 476 | return RecoveryController.RECOVERY_STATUS_PERMANENT_FAILURE; |
| 477 | } else { |
| 478 | return status; |
| 479 | } |
Robert Berry | 81ee34b | 2018-01-23 11:59:59 +0000 | [diff] [blame] | 480 | } catch (RemoteException e) { |
| 481 | throw e.rethrowFromSystemServer(); |
| 482 | } catch (ServiceSpecificException e) { |
| 483 | throw wrapUnexpectedServiceSpecificException(e); |
| 484 | } |
| 485 | } |
| 486 | |
| 487 | /** |
| 488 | * Specifies a set of secret types used for end-to-end keystore encryption. Knowing all of them |
| 489 | * is necessary to recover data. |
| 490 | * |
Aseem Kumar | 933dfc1 | 2018-03-22 22:09:34 -0700 | [diff] [blame] | 491 | * @param secretTypes {@link KeyChainProtectionParams#TYPE_LOCKSCREEN} |
Robert Berry | 81ee34b | 2018-01-23 11:59:59 +0000 | [diff] [blame] | 492 | * @throws InternalRecoveryServiceException if an unexpected error occurred in the recovery |
| 493 | * service. |
| 494 | */ |
Aseem Kumar | c1742e5 | 2018-03-12 14:34:58 -0700 | [diff] [blame] | 495 | @RequiresPermission(android.Manifest.permission.RECOVER_KEYSTORE) |
Robert Berry | 81ee34b | 2018-01-23 11:59:59 +0000 | [diff] [blame] | 496 | public void setRecoverySecretTypes( |
Dmitry Dementyev | 0916e7c | 2018-01-23 13:02:08 -0800 | [diff] [blame] | 497 | @NonNull @KeyChainProtectionParams.UserSecretType int[] secretTypes) |
Robert Berry | 81ee34b | 2018-01-23 11:59:59 +0000 | [diff] [blame] | 498 | throws InternalRecoveryServiceException { |
| 499 | try { |
| 500 | mBinder.setRecoverySecretTypes(secretTypes); |
| 501 | } catch (RemoteException e) { |
| 502 | throw e.rethrowFromSystemServer(); |
| 503 | } catch (ServiceSpecificException e) { |
| 504 | throw wrapUnexpectedServiceSpecificException(e); |
| 505 | } |
| 506 | } |
| 507 | |
| 508 | /** |
| 509 | * Defines a set of secret types used for end-to-end keystore encryption. Knowing all of them is |
Dmitry Dementyev | 0916e7c | 2018-01-23 13:02:08 -0800 | [diff] [blame] | 510 | * necessary to generate KeyChainSnapshot. |
Robert Berry | 81ee34b | 2018-01-23 11:59:59 +0000 | [diff] [blame] | 511 | * |
| 512 | * @return list of recovery secret types |
Dmitry Dementyev | 0916e7c | 2018-01-23 13:02:08 -0800 | [diff] [blame] | 513 | * @see KeyChainSnapshot |
Robert Berry | 81ee34b | 2018-01-23 11:59:59 +0000 | [diff] [blame] | 514 | * @throws InternalRecoveryServiceException if an unexpected error occurred in the recovery |
| 515 | * service. |
| 516 | */ |
Aseem Kumar | c1742e5 | 2018-03-12 14:34:58 -0700 | [diff] [blame] | 517 | @RequiresPermission(android.Manifest.permission.RECOVER_KEYSTORE) |
Dmitry Dementyev | 0916e7c | 2018-01-23 13:02:08 -0800 | [diff] [blame] | 518 | public @NonNull @KeyChainProtectionParams.UserSecretType int[] getRecoverySecretTypes() |
Robert Berry | 81ee34b | 2018-01-23 11:59:59 +0000 | [diff] [blame] | 519 | throws InternalRecoveryServiceException { |
| 520 | try { |
| 521 | return mBinder.getRecoverySecretTypes(); |
| 522 | } catch (RemoteException e) { |
| 523 | throw e.rethrowFromSystemServer(); |
| 524 | } catch (ServiceSpecificException e) { |
| 525 | throw wrapUnexpectedServiceSpecificException(e); |
| 526 | } |
| 527 | } |
| 528 | |
| 529 | /** |
Robert Berry | a3b9947 | 2018-02-23 15:59:02 +0000 | [diff] [blame] | 530 | * Generates a recoverable key with the given {@code alias}. |
| 531 | * |
| 532 | * @throws InternalRecoveryServiceException if an unexpected error occurred in the recovery |
| 533 | * service. |
| 534 | * @throws LockScreenRequiredException if the user does not have a lock screen set. A lock |
| 535 | * screen is required to generate recoverable keys. |
| 536 | */ |
Aseem Kumar | c1742e5 | 2018-03-12 14:34:58 -0700 | [diff] [blame] | 537 | @RequiresPermission(android.Manifest.permission.RECOVER_KEYSTORE) |
Dmitry Dementyev | 0bbaf18 | 2018-03-23 17:36:58 -0700 | [diff] [blame] | 538 | public @NonNull Key generateKey(@NonNull String alias) throws InternalRecoveryServiceException, |
Robert Berry | a3b9947 | 2018-02-23 15:59:02 +0000 | [diff] [blame] | 539 | LockScreenRequiredException { |
Dmitry Dementyev | 29b9de5 | 2018-01-31 16:09:32 -0800 | [diff] [blame] | 540 | try { |
Robert Berry | a3b9947 | 2018-02-23 15:59:02 +0000 | [diff] [blame] | 541 | String grantAlias = mBinder.generateKey(alias); |
Dmitry Dementyev | 29b9de5 | 2018-01-31 16:09:32 -0800 | [diff] [blame] | 542 | if (grantAlias == null) { |
Robert Berry | a3b9947 | 2018-02-23 15:59:02 +0000 | [diff] [blame] | 543 | throw new InternalRecoveryServiceException("null grant alias"); |
Dmitry Dementyev | 29b9de5 | 2018-01-31 16:09:32 -0800 | [diff] [blame] | 544 | } |
Robert Berry | 4a5c87d | 2018-03-19 18:00:46 +0000 | [diff] [blame] | 545 | return getKeyFromGrant(grantAlias); |
Dmitry Dementyev | 29b9de5 | 2018-01-31 16:09:32 -0800 | [diff] [blame] | 546 | } catch (RemoteException e) { |
| 547 | throw e.rethrowFromSystemServer(); |
| 548 | } catch (UnrecoverableKeyException e) { |
Robert Berry | a3b9947 | 2018-02-23 15:59:02 +0000 | [diff] [blame] | 549 | throw new InternalRecoveryServiceException("Failed to get key from keystore", e); |
Dmitry Dementyev | 29b9de5 | 2018-01-31 16:09:32 -0800 | [diff] [blame] | 550 | } catch (ServiceSpecificException e) { |
| 551 | if (e.errorCode == ERROR_INSECURE_USER) { |
| 552 | throw new LockScreenRequiredException(e.getMessage()); |
| 553 | } |
| 554 | throw wrapUnexpectedServiceSpecificException(e); |
| 555 | } |
| 556 | } |
| 557 | |
| 558 | /** |
Bo Zhu | 2c8e538 | 2018-02-26 15:54:25 -0800 | [diff] [blame] | 559 | * Imports a 256-bit recoverable AES key with the given {@code alias} and the raw bytes {@code |
| 560 | * keyBytes}. |
| 561 | * |
| 562 | * @throws InternalRecoveryServiceException if an unexpected error occurred in the recovery |
| 563 | * service. |
| 564 | * @throws LockScreenRequiredException if the user does not have a lock screen set. A lock |
| 565 | * screen is required to generate recoverable keys. |
| 566 | * |
Bo Zhu | 2c8e538 | 2018-02-26 15:54:25 -0800 | [diff] [blame] | 567 | */ |
Aseem Kumar | c1742e5 | 2018-03-12 14:34:58 -0700 | [diff] [blame] | 568 | @RequiresPermission(android.Manifest.permission.RECOVER_KEYSTORE) |
Dmitry Dementyev | 0bbaf18 | 2018-03-23 17:36:58 -0700 | [diff] [blame] | 569 | public @NonNull Key importKey(@NonNull String alias, @NonNull byte[] keyBytes) |
Bo Zhu | 2c8e538 | 2018-02-26 15:54:25 -0800 | [diff] [blame] | 570 | throws InternalRecoveryServiceException, LockScreenRequiredException { |
| 571 | try { |
| 572 | String grantAlias = mBinder.importKey(alias, keyBytes); |
| 573 | if (grantAlias == null) { |
| 574 | throw new InternalRecoveryServiceException("Null grant alias"); |
| 575 | } |
Bo Zhu | c5ab694 | 2018-03-21 14:33:15 -0700 | [diff] [blame] | 576 | return getKeyFromGrant(grantAlias); |
Bo Zhu | 2c8e538 | 2018-02-26 15:54:25 -0800 | [diff] [blame] | 577 | } catch (RemoteException e) { |
| 578 | throw e.rethrowFromSystemServer(); |
| 579 | } catch (UnrecoverableKeyException e) { |
| 580 | throw new InternalRecoveryServiceException("Failed to get key from keystore", e); |
| 581 | } catch (ServiceSpecificException e) { |
| 582 | if (e.errorCode == ERROR_INSECURE_USER) { |
| 583 | throw new LockScreenRequiredException(e.getMessage()); |
| 584 | } |
| 585 | throw wrapUnexpectedServiceSpecificException(e); |
| 586 | } |
| 587 | } |
| 588 | |
| 589 | /** |
Dmitry Dementyev | 29b9de5 | 2018-01-31 16:09:32 -0800 | [diff] [blame] | 590 | * Gets a key called {@code alias} from the recoverable key store. |
| 591 | * |
| 592 | * @param alias The key alias. |
| 593 | * @return The key. |
| 594 | * @throws InternalRecoveryServiceException if an unexpected error occurred in the recovery |
| 595 | * service. |
| 596 | * @throws UnrecoverableKeyException if key is permanently invalidated or not found. |
Dmitry Dementyev | 29b9de5 | 2018-01-31 16:09:32 -0800 | [diff] [blame] | 597 | */ |
Aseem Kumar | c1742e5 | 2018-03-12 14:34:58 -0700 | [diff] [blame] | 598 | @RequiresPermission(android.Manifest.permission.RECOVER_KEYSTORE) |
Dmitry Dementyev | 29b9de5 | 2018-01-31 16:09:32 -0800 | [diff] [blame] | 599 | public @Nullable Key getKey(@NonNull String alias) |
| 600 | throws InternalRecoveryServiceException, UnrecoverableKeyException { |
| 601 | try { |
| 602 | String grantAlias = mBinder.getKey(alias); |
Robert Berry | 72f5755 | 2018-03-23 08:08:02 +0000 | [diff] [blame] | 603 | if (grantAlias == null || "".equals(grantAlias)) { |
Dmitry Dementyev | 29b9de5 | 2018-01-31 16:09:32 -0800 | [diff] [blame] | 604 | return null; |
| 605 | } |
Robert Berry | 4a5c87d | 2018-03-19 18:00:46 +0000 | [diff] [blame] | 606 | return getKeyFromGrant(grantAlias); |
Dmitry Dementyev | 29b9de5 | 2018-01-31 16:09:32 -0800 | [diff] [blame] | 607 | } catch (RemoteException e) { |
| 608 | throw e.rethrowFromSystemServer(); |
| 609 | } catch (ServiceSpecificException e) { |
| 610 | throw wrapUnexpectedServiceSpecificException(e); |
| 611 | } |
| 612 | } |
| 613 | |
| 614 | /** |
Robert Berry | 4a5c87d | 2018-03-19 18:00:46 +0000 | [diff] [blame] | 615 | * Returns the key with the given {@code grantAlias}. |
| 616 | */ |
Dmitry Dementyev | 0bbaf18 | 2018-03-23 17:36:58 -0700 | [diff] [blame] | 617 | @NonNull Key getKeyFromGrant(@NonNull String grantAlias) throws UnrecoverableKeyException { |
Robert Berry | 4a5c87d | 2018-03-19 18:00:46 +0000 | [diff] [blame] | 618 | return AndroidKeyStoreProvider.loadAndroidKeyStoreKeyFromKeystore( |
| 619 | mKeyStore, |
| 620 | grantAlias, |
| 621 | KeyStore.UID_SELF); |
| 622 | } |
| 623 | |
| 624 | /** |
Robert Berry | 81ee34b | 2018-01-23 11:59:59 +0000 | [diff] [blame] | 625 | * Removes a key called {@code alias} from the recoverable key store. |
| 626 | * |
| 627 | * @param alias The key alias. |
| 628 | * @throws InternalRecoveryServiceException if an unexpected error occurred in the recovery |
| 629 | * service. |
| 630 | */ |
Aseem Kumar | c1742e5 | 2018-03-12 14:34:58 -0700 | [diff] [blame] | 631 | @RequiresPermission(android.Manifest.permission.RECOVER_KEYSTORE) |
Robert Berry | 81ee34b | 2018-01-23 11:59:59 +0000 | [diff] [blame] | 632 | public void removeKey(@NonNull String alias) throws InternalRecoveryServiceException { |
| 633 | try { |
| 634 | mBinder.removeKey(alias); |
| 635 | } catch (RemoteException e) { |
| 636 | throw e.rethrowFromSystemServer(); |
| 637 | } catch (ServiceSpecificException e) { |
| 638 | throw wrapUnexpectedServiceSpecificException(e); |
| 639 | } |
| 640 | } |
| 641 | |
Robert Berry | e04e09a | 2018-02-22 15:24:05 +0000 | [diff] [blame] | 642 | /** |
| 643 | * Returns a new {@link RecoverySession}. |
| 644 | * |
| 645 | * <p>A recovery session is required to restore keys from a remote store. |
| 646 | */ |
Aseem Kumar | c1742e5 | 2018-03-12 14:34:58 -0700 | [diff] [blame] | 647 | @RequiresPermission(android.Manifest.permission.RECOVER_KEYSTORE) |
Dmitry Dementyev | 1e6a9dc | 2018-03-21 13:52:00 -0700 | [diff] [blame] | 648 | public @NonNull RecoverySession createRecoverySession() { |
Robert Berry | e04e09a | 2018-02-22 15:24:05 +0000 | [diff] [blame] | 649 | return RecoverySession.newInstance(this); |
| 650 | } |
| 651 | |
Robert Berry | 93d002c | 2018-03-21 21:57:07 +0000 | [diff] [blame] | 652 | @RequiresPermission(android.Manifest.permission.RECOVER_KEYSTORE) |
Dmitry Dementyev | 0bbaf18 | 2018-03-23 17:36:58 -0700 | [diff] [blame] | 653 | public @NonNull Map<String, X509Certificate> getRootCertificates() { |
Robert Berry | 93d002c | 2018-03-21 21:57:07 +0000 | [diff] [blame] | 654 | return TrustedRootCertificates.getRootCertificates(); |
| 655 | } |
| 656 | |
Dmitry Dementyev | 0916e7c | 2018-01-23 13:02:08 -0800 | [diff] [blame] | 657 | InternalRecoveryServiceException wrapUnexpectedServiceSpecificException( |
Robert Berry | 81ee34b | 2018-01-23 11:59:59 +0000 | [diff] [blame] | 658 | ServiceSpecificException e) { |
| 659 | if (e.errorCode == ERROR_SERVICE_INTERNAL_ERROR) { |
| 660 | return new InternalRecoveryServiceException(e.getMessage()); |
| 661 | } |
| 662 | |
| 663 | // Should never happen. If it does, it's a bug, and we need to update how the method that |
| 664 | // called this throws its exceptions. |
| 665 | return new InternalRecoveryServiceException("Unexpected error code for method: " |
| 666 | + e.errorCode, e); |
| 667 | } |
| 668 | } |