Robert Berry | 4a534ec | 2017-12-21 15:44:02 +0000 | [diff] [blame] | 1 | /* |
| 2 | * Copyright (C) 2017 The Android Open Source Project |
| 3 | * |
| 4 | * Licensed under the Apache License, Version 2.0 (the "License"); |
| 5 | * you may not use this file except in compliance with the License. |
| 6 | * You may obtain a copy of the License at |
| 7 | * |
| 8 | * http://www.apache.org/licenses/LICENSE-2.0 |
| 9 | * |
| 10 | * Unless required by applicable law or agreed to in writing, software |
| 11 | * distributed under the License is distributed on an "AS IS" BASIS, |
| 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| 13 | * See the License for the specific language governing permissions and |
| 14 | * limitations under the License. |
| 15 | */ |
| 16 | |
| 17 | package com.android.server.locksettings.recoverablekeystore; |
| 18 | |
Dmitry Dementyev | 0916e7c | 2018-01-23 13:02:08 -0800 | [diff] [blame] | 19 | import static android.security.keystore.recovery.KeyChainProtectionParams.TYPE_LOCKSCREEN; |
Robert Berry | bd086f1 | 2017-12-27 13:29:39 +0000 | [diff] [blame] | 20 | |
Dmitry Dementyev | abd713c | 2018-01-09 15:08:13 -0800 | [diff] [blame] | 21 | import android.annotation.Nullable; |
Dmitry Dementyev | f34fc7e | 2018-03-26 17:31:29 -0700 | [diff] [blame^] | 22 | import android.annotation.NonNull; |
Robert Berry | 4a534ec | 2017-12-21 15:44:02 +0000 | [diff] [blame] | 23 | import android.content.Context; |
Dmitry Dementyev | 0916e7c | 2018-01-23 13:02:08 -0800 | [diff] [blame] | 24 | import android.security.keystore.recovery.KeyChainProtectionParams; |
| 25 | import android.security.keystore.recovery.KeyChainSnapshot; |
Dmitry Dementyev | f34fc7e | 2018-03-26 17:31:29 -0700 | [diff] [blame^] | 26 | import android.security.keystore.recovery.KeyDerivationParams; |
| 27 | import android.security.keystore.recovery.TrustedRootCertificates; |
Robert Berry | 81ee34b | 2018-01-23 11:59:59 +0000 | [diff] [blame] | 28 | import android.security.keystore.recovery.WrappedApplicationKey; |
Robert Berry | 4a534ec | 2017-12-21 15:44:02 +0000 | [diff] [blame] | 29 | import android.util.Log; |
| 30 | |
| 31 | import com.android.internal.annotations.VisibleForTesting; |
Dmitry Dementyev | 122bfe1 | 2018-01-10 18:56:36 -0800 | [diff] [blame] | 32 | import com.android.internal.util.ArrayUtils; |
Robert Berry | 4a534ec | 2017-12-21 15:44:02 +0000 | [diff] [blame] | 33 | import com.android.internal.widget.LockPatternUtils; |
| 34 | import com.android.server.locksettings.recoverablekeystore.storage.RecoverableKeyStoreDb; |
Robert Berry | bd086f1 | 2017-12-27 13:29:39 +0000 | [diff] [blame] | 35 | import com.android.server.locksettings.recoverablekeystore.storage.RecoverySnapshotStorage; |
Robert Berry | 4a534ec | 2017-12-21 15:44:02 +0000 | [diff] [blame] | 36 | |
| 37 | import java.nio.ByteBuffer; |
| 38 | import java.nio.ByteOrder; |
| 39 | import java.nio.charset.StandardCharsets; |
Robert Berry | f0a4bea | 2017-12-22 13:17:32 +0000 | [diff] [blame] | 40 | import java.security.GeneralSecurityException; |
Robert Berry | 26cbb6b | 2018-01-22 21:59:30 +0000 | [diff] [blame] | 41 | import java.security.InvalidAlgorithmParameterException; |
Robert Berry | 4a534ec | 2017-12-21 15:44:02 +0000 | [diff] [blame] | 42 | import java.security.InvalidKeyException; |
| 43 | import java.security.KeyStoreException; |
| 44 | import java.security.MessageDigest; |
| 45 | import java.security.NoSuchAlgorithmException; |
| 46 | import java.security.PublicKey; |
| 47 | import java.security.SecureRandom; |
Robert Berry | f0a4bea | 2017-12-22 13:17:32 +0000 | [diff] [blame] | 48 | import java.security.UnrecoverableKeyException; |
Bo Zhu | 14d993d | 2018-02-03 21:38:48 -0800 | [diff] [blame] | 49 | import java.security.cert.CertPath; |
Bo Zhu | 6361080 | 2018-03-09 12:32:13 -0800 | [diff] [blame] | 50 | import java.security.cert.CertificateException; |
Robert Berry | bd086f1 | 2017-12-27 13:29:39 +0000 | [diff] [blame] | 51 | import java.util.ArrayList; |
| 52 | import java.util.List; |
Robert Berry | f0a4bea | 2017-12-22 13:17:32 +0000 | [diff] [blame] | 53 | import java.util.Map; |
Robert Berry | 4a534ec | 2017-12-21 15:44:02 +0000 | [diff] [blame] | 54 | |
| 55 | import javax.crypto.KeyGenerator; |
Robert Berry | f0a4bea | 2017-12-22 13:17:32 +0000 | [diff] [blame] | 56 | import javax.crypto.NoSuchPaddingException; |
Robert Berry | 4a534ec | 2017-12-21 15:44:02 +0000 | [diff] [blame] | 57 | import javax.crypto.SecretKey; |
| 58 | |
| 59 | /** |
| 60 | * Task to sync application keys to a remote vault service. |
| 61 | * |
Robert Berry | f0a4bea | 2017-12-22 13:17:32 +0000 | [diff] [blame] | 62 | * @hide |
Robert Berry | 4a534ec | 2017-12-21 15:44:02 +0000 | [diff] [blame] | 63 | */ |
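public class KeySyncTask implements Runnable {
    private static final String TAG = "KeySyncTask";

    private static final String RECOVERY_KEY_ALGORITHM = "AES";
    private static final int RECOVERY_KEY_SIZE_BITS = 256;
    private static final int SALT_LENGTH_BYTES = 16;
    private static final int LENGTH_PREFIX_BYTES = Integer.BYTES;
    private static final String LOCK_SCREEN_HASH_ALGORITHM = "SHA-256";
    // Guess budget handed to the trusted hardware: it is packed into the vault params and
    // recorded in the snapshot, so the server-side rate limit is the only brute-force defence
    // for the single-round lock-screen hash produced by hashCredentials().
    private static final int TRUSTED_HARDWARE_MAX_ATTEMPTS = 10;

    private final RecoverableKeyStoreDb mRecoverableKeyStoreDb;
    private final int mUserId;
    private final int mCredentialType;
    // Plaintext lock-screen credential. It is only ever hashed (hashCredentials) or inspected
    // for its UI format (getUiFormat); it must never be logged or persisted by this class.
    private final String mCredential;
    private final boolean mCredentialUpdated;
    private final PlatformKeyManager mPlatformKeyManager;
    private final RecoverySnapshotStorage mRecoverySnapshotStorage;
    private final RecoverySnapshotListenersStorage mSnapshotListenersStorage;

    /**
     * Creates a task bound to the platform key manager for {@code context}.
     *
     * @throws NoSuchAlgorithmException if the platform key manager cannot be created.
     * @throws KeyStoreException if the platform key manager cannot be created.
     * @throws InsecureUserException if the platform key manager cannot be created.
     */
    public static KeySyncTask newInstance(
            Context context,
            RecoverableKeyStoreDb recoverableKeyStoreDb,
            RecoverySnapshotStorage snapshotStorage,
            RecoverySnapshotListenersStorage recoverySnapshotListenersStorage,
            int userId,
            int credentialType,
            String credential,
            boolean credentialUpdated
    ) throws NoSuchAlgorithmException, KeyStoreException, InsecureUserException {
        return new KeySyncTask(
                recoverableKeyStoreDb,
                snapshotStorage,
                recoverySnapshotListenersStorage,
                userId,
                credentialType,
                credential,
                credentialUpdated,
                PlatformKeyManager.getInstance(context, recoverableKeyStoreDb));
    }

    /**
     * A new task.
     *
     * @param recoverableKeyStoreDb Database where the keys are stored.
     * @param snapshotStorage Storage the finished snapshot is published to.
     * @param recoverySnapshotListenersStorage Listeners notified when a snapshot is available.
     * @param userId The uid of the user whose profile has been unlocked.
     * @param credentialType The type of credential as defined in {@code LockPatternUtils}
     * @param credential The credential, encoded as a {@link String}.
     * @param credentialUpdated signals whether credentials were updated.
     * @param platformKeyManager platform key manager
     */
    @VisibleForTesting
    KeySyncTask(
            RecoverableKeyStoreDb recoverableKeyStoreDb,
            RecoverySnapshotStorage snapshotStorage,
            RecoverySnapshotListenersStorage recoverySnapshotListenersStorage,
            int userId,
            int credentialType,
            String credential,
            boolean credentialUpdated,
            PlatformKeyManager platformKeyManager) {
        mSnapshotListenersStorage = recoverySnapshotListenersStorage;
        mRecoverableKeyStoreDb = recoverableKeyStoreDb;
        mUserId = userId;
        mCredentialType = credentialType;
        mCredential = credential;
        mCredentialUpdated = credentialUpdated;
        mPlatformKeyManager = platformKeyManager;
        mRecoverySnapshotStorage = snapshotStorage;
    }

    /**
     * Runs the sync. Any exception escaping {@link #syncKeys()} is logged rather than propagated
     * so a failed sync never takes down the executing thread.
     */
    @Override
    public void run() {
        try {
            // Only one task is active if the user unlocks the phone many times in a short
            // time interval.
            synchronized (KeySyncTask.class) {
                syncKeys();
            }
        } catch (Exception e) {
            Log.e(TAG, "Unexpected exception thrown during KeySyncTask", e);
        }
    }

    /**
     * Syncs keys for every recovery agent of the user, or invalidates them when the user has no
     * supported lock screen.
     */
    private void syncKeys() {
        if (mCredentialType == LockPatternUtils.CREDENTIAL_TYPE_NONE) {
            // Application keys for the user will not be available for sync.
            Log.w(TAG, "Credentials are not set for user " + mUserId);
            int generation = mPlatformKeyManager.getGenerationId(mUserId);
            mPlatformKeyManager.invalidatePlatformKey(mUserId, generation);
            return;
        }
        if (isCustomLockScreen()) {
            Log.w(TAG, "Unsupported credential type " + mCredentialType + " for user " + mUserId);
            mRecoverableKeyStoreDb.invalidateKeysForUserIdOnCustomScreenLock(mUserId);
            return;
        }

        List<Integer> recoveryAgents = mRecoverableKeyStoreDb.getRecoveryAgents(mUserId);
        for (int uid : recoveryAgents) {
            syncKeysForAgent(uid);
        }
        if (recoveryAgents.isEmpty()) {
            Log.w(TAG, "No recovery agent initialized for user " + mUserId);
        }
    }

    /** Returns {@code true} for any credential type other than none, pattern or password. */
    private boolean isCustomLockScreen() {
        return mCredentialType != LockPatternUtils.CREDENTIAL_TYPE_NONE
                && mCredentialType != LockPatternUtils.CREDENTIAL_TYPE_PATTERN
                && mCredentialType != LockPatternUtils.CREDENTIAL_TYPE_PASSWORD;
    }

    /**
     * Builds and publishes a {@link KeyChainSnapshot} for one recovery agent.
     *
     * <p>The snapshot carries the application keys encrypted under a fresh recovery key, and
     * that recovery key encrypted to the recovery service's public key together with the
     * salted lock-screen hash and the vault params.
     *
     * @param recoveryAgentUid uid of the recovery agent.
     */
    private void syncKeysForAgent(int recoveryAgentUid) {
        boolean recreateCurrentVersion = false;
        if (!shouldCreateSnapshot(recoveryAgentUid)) {
            // A version exists in the db but the in-memory snapshot is gone (e.g. after a
            // reboot): rebuild the same version rather than bumping it.
            recreateCurrentVersion =
                    (mRecoverableKeyStoreDb.getSnapshotVersion(mUserId, recoveryAgentUid) != null)
                    && (mRecoverySnapshotStorage.get(recoveryAgentUid) == null);
            if (recreateCurrentVersion) {
                Log.d(TAG, "Recreating most recent snapshot");
            } else {
                Log.d(TAG, "Key sync not needed.");
                return;
            }
        }

        PublicKey publicKey;
        String rootCertAlias =
                mRecoverableKeyStoreDb.getActiveRootOfTrust(mUserId, recoveryAgentUid);

        rootCertAlias = replaceEmptyValueWithSecureDefault(rootCertAlias);
        CertPath certPath = mRecoverableKeyStoreDb.getRecoveryServiceCertPath(mUserId,
                recoveryAgentUid, rootCertAlias);
        if (certPath != null) {
            if (certPath.getCertificates().isEmpty()) {
                // Surface a malformed stored path instead of letting get(0) throw
                // IndexOutOfBoundsException up to run().
                Log.wtf(TAG, "Stored CertPath for recovery agent " + recoveryAgentUid
                        + " contains no certificates. Cancelling task.");
                return;
            }
            Log.d(TAG, "Using the public key in stored CertPath for syncing");
            publicKey = certPath.getCertificates().get(0).getPublicKey();
        } else {
            Log.d(TAG, "Using the stored raw public key for syncing");
            publicKey = mRecoverableKeyStoreDb.getRecoveryServicePublicKey(mUserId,
                    recoveryAgentUid);
        }
        if (publicKey == null) {
            Log.w(TAG, "Not initialized for KeySync: no public key set. Cancelling task.");
            return;
        }

        byte[] vaultHandle = mRecoverableKeyStoreDb.getServerParams(mUserId, recoveryAgentUid);
        if (vaultHandle == null) {
            Log.w(TAG, "No device ID set for user " + mUserId);
            return;
        }

        // The lock-screen hash derived below is encrypted to whatever public key the agent
        // registered. Syncing is currently allowed to continue for a non-default root of trust;
        // only a warning is emitted.
        if (!TrustedRootCertificates.GOOGLE_CLOUD_KEY_VAULT_SERVICE_V1_ALIAS.equals(
                rootCertAlias)) {
            // TODO: allow only whitelisted LSKF usage
            Log.w(TAG, "Untrusted root certificate is used by recovery agent "
                    + recoveryAgentUid);
        }

        // The credential value is consumed here and in getUiFormat() below; nowhere else.
        byte[] salt = generateSalt();
        byte[] localLskfHash = hashCredentials(salt, mCredential);

        Map<String, SecretKey> rawKeys;
        try {
            rawKeys = getKeysToSync(recoveryAgentUid);
        } catch (GeneralSecurityException e) {
            Log.e(TAG, "Failed to load recoverable keys for sync", e);
            return;
        } catch (InsecureUserException e) {
            Log.wtf(TAG, "A screen unlock triggered the key sync flow, so user must have "
                    + "lock screen. This should be impossible.", e);
            return;
        } catch (BadPlatformKeyException e) {
            Log.wtf(TAG, "Loaded keys for same generation ID as platform key, so "
                    + "BadPlatformKeyException should be impossible.", e);
            return;
        }

        // TODO: filter raw keys based on the root of trust.
        // It is the only place in the class where raw key material is used.
        SecretKey recoveryKey;
        try {
            recoveryKey = generateRecoveryKey();
        } catch (NoSuchAlgorithmException e) {
            // TAG must be the first argument; otherwise the message is used as the tag.
            Log.wtf(TAG, "AES should never be unavailable", e);
            return;
        }

        Map<String, byte[]> encryptedApplicationKeys;
        try {
            encryptedApplicationKeys = KeySyncUtils.encryptKeysWithRecoveryKey(
                    recoveryKey, rawKeys);
        } catch (InvalidKeyException | NoSuchAlgorithmException e) {
            Log.wtf(TAG,
                    "Should be impossible: could not encrypt application keys with random key",
                    e);
            return;
        }

        long counterId = getOrCreateCounterId(recoveryAgentUid);

        byte[] vaultParams = KeySyncUtils.packVaultParams(
                publicKey,
                counterId,
                TRUSTED_HARDWARE_MAX_ATTEMPTS,
                vaultHandle);

        byte[] encryptedRecoveryKey;
        try {
            encryptedRecoveryKey = KeySyncUtils.thmEncryptRecoveryKey(
                    publicKey,
                    localLskfHash,
                    vaultParams,
                    recoveryKey);
        } catch (NoSuchAlgorithmException e) {
            Log.wtf(TAG, "SecureBox encrypt algorithms unavailable", e);
            return;
        } catch (InvalidKeyException e) {
            Log.e(TAG, "Could not encrypt with recovery key", e);
            return;
        }

        ArrayList<KeyChainProtectionParams> metadataList = new ArrayList<>();
        metadataList.add(buildLockScreenProtectionParams(salt));

        // If application keys are not updated, snapshot will not be created on next unlock.
        mRecoverableKeyStoreDb.setShouldCreateSnapshot(mUserId, recoveryAgentUid, false);

        KeyChainSnapshot.Builder keyChainSnapshotBuilder = new KeyChainSnapshot.Builder()
                .setSnapshotVersion(getSnapshotVersion(recoveryAgentUid, recreateCurrentVersion))
                .setMaxAttempts(TRUSTED_HARDWARE_MAX_ATTEMPTS)
                .setCounterId(counterId)
                .setTrustedHardwarePublicKey(SecureBox.encodePublicKey(publicKey))
                .setServerParams(vaultHandle)
                .setKeyChainProtectionParams(metadataList)
                .setWrappedApplicationKeys(createApplicationKeyEntries(encryptedApplicationKeys))
                .setEncryptedRecoveryKeyBlob(encryptedRecoveryKey);
        try {
            keyChainSnapshotBuilder.setTrustedHardwareCertPath(certPath);
        } catch (CertificateException e) {
            // Should not happen, as it's just deserialized from bytes stored in the db
            Log.wtf(TAG, "Cannot serialize CertPath when calling setTrustedHardwareCertPath", e);
            return;
        }
        mRecoverySnapshotStorage.put(recoveryAgentUid, keyChainSnapshotBuilder.build());
        mSnapshotListenersStorage.recoverySnapshotAvailable(recoveryAgentUid);
    }

    /**
     * Returns the counter id for the agent, generating a fresh one when the credential changed
     * or none is stored yet.
     *
     * <p>A counter id is generated exactly once per credential value.
     */
    private long getOrCreateCounterId(int recoveryAgentUid) {
        if (mCredentialUpdated) {
            return generateAndStoreCounterId(recoveryAgentUid);
        }
        Long stored = mRecoverableKeyStoreDb.getCounterId(mUserId, recoveryAgentUid);
        if (stored == null) {
            return generateAndStoreCounterId(recoveryAgentUid);
        }
        return stored;
    }

    /**
     * Describes how the recovery key is protected: by the lock screen, hashed with SHA-256 over
     * {@code salt}. The secret itself is never included in the snapshot.
     */
    private KeyChainProtectionParams buildLockScreenProtectionParams(byte[] salt) {
        return new KeyChainProtectionParams.Builder()
                .setUserSecretType(TYPE_LOCKSCREEN)
                .setLockScreenUiFormat(getUiFormat(mCredentialType, mCredential))
                .setKeyDerivationParams(KeyDerivationParams.createSha256Params(salt))
                .setSecret(new byte[0])
                .build();
    }

    /**
     * Computes, stores and returns the version of the snapshot being built.
     *
     * @param recoveryAgentUid uid of the recovery agent.
     * @param recreateCurrentVersion when {@code true} the stored version is reused instead of
     *     being incremented.
     * @return the snapshot version to publish; {@code 1} when nothing was stored before.
     */
    @VisibleForTesting
    int getSnapshotVersion(int recoveryAgentUid, boolean recreateCurrentVersion) {
        Long snapshotVersion = mRecoverableKeyStoreDb.getSnapshotVersion(mUserId, recoveryAgentUid);
        if (recreateCurrentVersion) {
            // version shouldn't be null at this moment.
            snapshotVersion = snapshotVersion == null ? 1 : snapshotVersion;
        } else {
            snapshotVersion = snapshotVersion == null ? 1 : snapshotVersion + 1;
        }
        mRecoverableKeyStoreDb.setSnapshotVersion(mUserId, recoveryAgentUid, snapshotVersion);

        return snapshotVersion.intValue();
    }

    /** Draws a random counter id from {@link SecureRandom}, persists it and returns it. */
    private long generateAndStoreCounterId(int recoveryAgentUid) {
        long counter = new SecureRandom().nextLong();
        mRecoverableKeyStoreDb.setCounterId(mUserId, recoveryAgentUid, counter);
        return counter;
    }

    /**
     * Returns all of the recoverable keys for the user, unwrapped with the platform decryption
     * key of the current generation.
     */
    private Map<String, SecretKey> getKeysToSync(int recoveryAgentUid)
            throws InsecureUserException, KeyStoreException, UnrecoverableKeyException,
            NoSuchAlgorithmException, NoSuchPaddingException, BadPlatformKeyException,
            InvalidKeyException, InvalidAlgorithmParameterException {
        PlatformDecryptionKey decryptKey = mPlatformKeyManager.getDecryptKey(mUserId);
        Map<String, WrappedKey> wrappedKeys = mRecoverableKeyStoreDb.getAllKeys(
                mUserId, recoveryAgentUid, decryptKey.getGenerationId());
        return WrappedKey.unwrapKeys(decryptKey, wrappedKeys);
    }

    /**
     * Returns {@code true} if a sync is pending.
     * @param recoveryAgentUid uid of the recovery agent.
     */
    private boolean shouldCreateSnapshot(int recoveryAgentUid) {
        int[] types = mRecoverableKeyStoreDb.getRecoverySecretTypes(mUserId, recoveryAgentUid);
        if (!ArrayUtils.contains(types, KeyChainProtectionParams.TYPE_LOCKSCREEN)) {
            // Only lockscreen type is supported.
            // We will need to pass extra argument to KeySyncTask to support custom pass phrase.
            return false;
        }
        if (mCredentialUpdated) {
            // Sync credential if at least one snapshot was created.
            if (mRecoverableKeyStoreDb.getSnapshotVersion(mUserId, recoveryAgentUid) != null) {
                mRecoverableKeyStoreDb.setShouldCreateSnapshot(mUserId, recoveryAgentUid, true);
                return true;
            }
        }

        return mRecoverableKeyStoreDb.getShouldCreateSnapshot(mUserId, recoveryAgentUid);
    }

    /**
     * The UI best suited to entering the given lock screen. This is synced with the vault so the
     * user can be shown the same UI when recovering the vault on another device.
     *
     * @return The format - either pattern, pin, or password.
     */
    @VisibleForTesting
    @KeyChainProtectionParams.LockScreenUiFormat static int getUiFormat(
            int credentialType, String credential) {
        if (credentialType == LockPatternUtils.CREDENTIAL_TYPE_PATTERN) {
            return KeyChainProtectionParams.UI_FORMAT_PATTERN;
        } else if (isPin(credential)) {
            return KeyChainProtectionParams.UI_FORMAT_PIN;
        } else {
            return KeyChainProtectionParams.UI_FORMAT_PASSWORD;
        }
    }

    /**
     * Generates a salt to include with the lock screen hash.
     *
     * @return The salt, {@value #SALT_LENGTH_BYTES} bytes from {@link SecureRandom}.
     */
    private byte[] generateSalt() {
        byte[] salt = new byte[SALT_LENGTH_BYTES];
        new SecureRandom().nextBytes(salt);
        return salt;
    }

    /**
     * Returns {@code true} if {@code credential} looks like a pin, i.e. it is non-null and every
     * char is a digit. The empty string counts as a pin.
     */
    @VisibleForTesting
    static boolean isPin(@Nullable String credential) {
        if (credential == null) {
            return false;
        }
        int length = credential.length();
        for (int i = 0; i < length; i++) {
            if (!Character.isDigit(credential.charAt(i))) {
                return false;
            }
        }
        return true;
    }

    /**
     * Hashes {@code credentials} with the given {@code salt}.
     *
     * <p>The digested message is {@code len(salt) || salt || len(credentials) || credentials}
     * with both lengths as little-endian 32-bit ints and the credential UTF-8 encoded. This is a
     * single SHA-256 round (matching {@code KeyDerivationParams.createSha256Params}), not a
     * stretched password hash; the attempt limit enforced by the trusted hardware is what
     * bounds guessing.
     *
     * @return The SHA-256 hash.
     */
    @VisibleForTesting
    static byte[] hashCredentials(byte[] salt, String credentials) {
        byte[] credentialsBytes = credentials.getBytes(StandardCharsets.UTF_8);
        ByteBuffer byteBuffer = ByteBuffer.allocate(
                salt.length + credentialsBytes.length + LENGTH_PREFIX_BYTES * 2);
        byteBuffer.order(ByteOrder.LITTLE_ENDIAN);
        byteBuffer.putInt(salt.length);
        byteBuffer.put(salt);
        byteBuffer.putInt(credentialsBytes.length);
        byteBuffer.put(credentialsBytes);
        byte[] bytes = byteBuffer.array();

        try {
            return MessageDigest.getInstance(LOCK_SCREEN_HASH_ALGORITHM).digest(bytes);
        } catch (NoSuchAlgorithmException e) {
            // Impossible, SHA-256 must be supported on Android.
            throw new RuntimeException(e);
        }
    }

    /** Generates a fresh random {@value #RECOVERY_KEY_SIZE_BITS}-bit AES recovery key. */
    private static SecretKey generateRecoveryKey() throws NoSuchAlgorithmException {
        KeyGenerator keyGenerator = KeyGenerator.getInstance(RECOVERY_KEY_ALGORITHM);
        keyGenerator.init(RECOVERY_KEY_SIZE_BITS);
        return keyGenerator.generateKey();
    }

    /** Wraps each alias/ciphertext pair as a {@link WrappedApplicationKey}. */
    private static List<WrappedApplicationKey> createApplicationKeyEntries(
            Map<String, byte[]> encryptedApplicationKeys) {
        ArrayList<WrappedApplicationKey> keyEntries =
                new ArrayList<>(encryptedApplicationKeys.size());
        for (Map.Entry<String, byte[]> entry : encryptedApplicationKeys.entrySet()) {
            keyEntries.add(new WrappedApplicationKey.Builder()
                    .setAlias(entry.getKey())
                    .setEncryptedKeyMaterial(entry.getValue())
                    .build());
        }
        return keyEntries;
    }

    /**
     * Returns {@code rootCertificateAlias}, or the default Google Key Vault Service alias when
     * it is null or empty, so a missing root of trust never selects an arbitrary certificate.
     */
    private @NonNull String replaceEmptyValueWithSecureDefault(
            @Nullable String rootCertificateAlias) {
        if (rootCertificateAlias == null || rootCertificateAlias.isEmpty()) {
            Log.e(TAG, "rootCertificateAlias is null or empty");
            // Use the default Google Key Vault Service CA certificate if the alias is not provided
            rootCertificateAlias = TrustedRootCertificates.GOOGLE_CLOUD_KEY_VAULT_SERVICE_V1_ALIAS;
        }
        return rootCertificateAlias;
    }
}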