Add "Unlocked device required" parameter to keys
Add a keymaster parameter for keys that should be inaccessible when the device screen is locked. "Locked" here is a state where the device can be used or accessed without any further trust factor such as a PIN, password, fingerprint, or trusted face or voice. This parameter is added to the Java keystore interface for key creation and import, as well as enums specified by and for the native keystore process. Test: go/asym-write-test-plan Bug: 67752510 Change-Id: I466dfad3e2e515c43e68f08e0ec6163e0e86b933
This commit is contained in:
parent
406406fb90
commit
5fe872413b
2 changed files with 23 additions and 12 deletions
@ -142,24 +142,28 @@ DECLARE_TYPED_TAG(ROOT_OF_TRUST);
|
||||||
DECLARE_TYPED_TAG(RSA_PUBLIC_EXPONENT);
|
DECLARE_TYPED_TAG(RSA_PUBLIC_EXPONENT);
|
||||||
DECLARE_TYPED_TAG(TRUSTED_CONFIRMATION_REQUIRED);
|
DECLARE_TYPED_TAG(TRUSTED_CONFIRMATION_REQUIRED);
|
||||||
DECLARE_TYPED_TAG(UNIQUE_ID);
|
DECLARE_TYPED_TAG(UNIQUE_ID);
|
||||||
|
DECLARE_TYPED_TAG(UNLOCKED_DEVICE_REQUIRED);
|
||||||
DECLARE_TYPED_TAG(USAGE_EXPIRE_DATETIME);
|
DECLARE_TYPED_TAG(USAGE_EXPIRE_DATETIME);
|
||||||
DECLARE_TYPED_TAG(USER_AUTH_TYPE);
|
DECLARE_TYPED_TAG(USER_AUTH_TYPE);
|
||||||
|
DECLARE_TYPED_TAG(USER_ID);
|
||||||
DECLARE_TYPED_TAG(USER_SECURE_ID);
|
DECLARE_TYPED_TAG(USER_SECURE_ID);
|
||||||
|
|
||||||
template <typename... Elems>
|
template <typename... Elems>
|
||||||
struct MetaList {};
|
struct MetaList {};
|
||||||
|
|
||||||
using all_tags_t = MetaList<
|
using all_tags_t =
|
||||||
TAG_INVALID_t, TAG_KEY_SIZE_t, TAG_MAC_LENGTH_t, TAG_CALLER_NONCE_t, TAG_MIN_MAC_LENGTH_t,
|
MetaList<TAG_INVALID_t, TAG_KEY_SIZE_t, TAG_MAC_LENGTH_t, TAG_CALLER_NONCE_t,
|
||||||
TAG_RSA_PUBLIC_EXPONENT_t, TAG_INCLUDE_UNIQUE_ID_t, TAG_ACTIVE_DATETIME_t,
|
TAG_MIN_MAC_LENGTH_t, TAG_RSA_PUBLIC_EXPONENT_t, TAG_INCLUDE_UNIQUE_ID_t,
|
||||||
TAG_ORIGINATION_EXPIRE_DATETIME_t, TAG_USAGE_EXPIRE_DATETIME_t, TAG_MIN_SECONDS_BETWEEN_OPS_t,
|
TAG_ACTIVE_DATETIME_t, TAG_ORIGINATION_EXPIRE_DATETIME_t, TAG_USAGE_EXPIRE_DATETIME_t,
|
||||||
TAG_MAX_USES_PER_BOOT_t, TAG_USER_SECURE_ID_t, TAG_NO_AUTH_REQUIRED_t, TAG_AUTH_TIMEOUT_t,
|
TAG_MIN_SECONDS_BETWEEN_OPS_t, TAG_MAX_USES_PER_BOOT_t, TAG_USER_ID_t,
|
||||||
TAG_ALLOW_WHILE_ON_BODY_t, TAG_APPLICATION_ID_t, TAG_APPLICATION_DATA_t,
|
TAG_USER_SECURE_ID_t, TAG_NO_AUTH_REQUIRED_t, TAG_AUTH_TIMEOUT_t,
|
||||||
TAG_CREATION_DATETIME_t, TAG_ROLLBACK_RESISTANCE_t, TAG_ROOT_OF_TRUST_t, TAG_ASSOCIATED_DATA_t,
|
TAG_ALLOW_WHILE_ON_BODY_t, TAG_UNLOCKED_DEVICE_REQUIRED_t, TAG_APPLICATION_ID_t,
|
||||||
TAG_NONCE_t, TAG_BOOTLOADER_ONLY_t, TAG_OS_VERSION_t, TAG_OS_PATCHLEVEL_t, TAG_UNIQUE_ID_t,
|
TAG_APPLICATION_DATA_t, TAG_CREATION_DATETIME_t, TAG_ROLLBACK_RESISTANCE_t,
|
||||||
TAG_ATTESTATION_CHALLENGE_t, TAG_ATTESTATION_APPLICATION_ID_t, TAG_RESET_SINCE_ID_ROTATION_t,
|
TAG_ROOT_OF_TRUST_t, TAG_ASSOCIATED_DATA_t, TAG_NONCE_t, TAG_BOOTLOADER_ONLY_t,
|
||||||
TAG_PURPOSE_t, TAG_ALGORITHM_t, TAG_BLOCK_MODE_t, TAG_DIGEST_t, TAG_PADDING_t,
|
TAG_OS_VERSION_t, TAG_OS_PATCHLEVEL_t, TAG_UNIQUE_ID_t, TAG_ATTESTATION_CHALLENGE_t,
|
||||||
TAG_BLOB_USAGE_REQUIREMENTS_t, TAG_ORIGIN_t, TAG_USER_AUTH_TYPE_t, TAG_EC_CURVE_t>;
|
TAG_ATTESTATION_APPLICATION_ID_t, TAG_RESET_SINCE_ID_ROTATION_t, TAG_PURPOSE_t,
|
||||||
|
TAG_ALGORITHM_t, TAG_BLOCK_MODE_t, TAG_DIGEST_t, TAG_PADDING_t,
|
||||||
|
TAG_BLOB_USAGE_REQUIREMENTS_t, TAG_ORIGIN_t, TAG_USER_AUTH_TYPE_t, TAG_EC_CURVE_t>;
|
||||||
|
|
||||||
template <typename TypedTagType>
|
template <typename TypedTagType>
|
||||||
struct TypedTag2ValueType;
|
struct TypedTag2ValueType;
|
||||||
|
@ -343,6 +347,7 @@ inline bool operator==(const KeyParameter& a, const KeyParameter& b) {
|
||||||
case Tag::BOOTLOADER_ONLY:
|
case Tag::BOOTLOADER_ONLY:
|
||||||
case Tag::NO_AUTH_REQUIRED:
|
case Tag::NO_AUTH_REQUIRED:
|
||||||
case Tag::ALLOW_WHILE_ON_BODY:
|
case Tag::ALLOW_WHILE_ON_BODY:
|
||||||
|
case Tag::UNLOCKED_DEVICE_REQUIRED:
|
||||||
case Tag::ROLLBACK_RESISTANCE:
|
case Tag::ROLLBACK_RESISTANCE:
|
||||||
case Tag::RESET_SINCE_ID_ROTATION:
|
case Tag::RESET_SINCE_ID_ROTATION:
|
||||||
case Tag::TRUSTED_CONFIRMATION_REQUIRED:
|
case Tag::TRUSTED_CONFIRMATION_REQUIRED:
|
||||||
|
@ -357,6 +362,7 @@ inline bool operator==(const KeyParameter& a, const KeyParameter& b) {
|
||||||
case Tag::OS_VERSION:
|
case Tag::OS_VERSION:
|
||||||
case Tag::OS_PATCHLEVEL:
|
case Tag::OS_PATCHLEVEL:
|
||||||
case Tag::MAC_LENGTH:
|
case Tag::MAC_LENGTH:
|
||||||
|
case Tag::USER_ID:
|
||||||
case Tag::AUTH_TIMEOUT:
|
case Tag::AUTH_TIMEOUT:
|
||||||
case Tag::VENDOR_PATCHLEVEL:
|
case Tag::VENDOR_PATCHLEVEL:
|
||||||
case Tag::BOOT_PATCHLEVEL:
|
case Tag::BOOT_PATCHLEVEL:
|
||||||
|
|
|
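Review bot: USER_ID is introduced alongside UNLOCKED_DEVICE_REQUIRED in this header (`DECLARE_TYPED_TAG(USER_ID);`, `TAG_USER_ID_t` in `all_tags_t`, and the `case Tag::USER_ID:` arm of operator== in the third hunk), but the commit message only describes the unlocked-device parameter; the message or a comment next to the declaration should say why a second tag is added and that value 501 is being taken out of the previously reserved range. The reflow of the whole `all_tags_t` list mixes a formatting change with the two real insertions, which makes it hard to verify that nothing else moved; keeping the old line breaks and inserting only `TAG_USER_ID_t,` and `TAG_UNLOCKED_DEVICE_REQUIRED_t,` would leave a diff that can be checked at a glance. The placement of the new case labels looks consistent with the types declared in the second file (USER_ID next to AUTH_TIMEOUT under what appears to be the UINT arm, UNLOCKED_DEVICE_REQUIRED next to ALLOW_WHILE_ON_BODY under the BOOL arm), though operator== begins and ends outside these hunks so the arm boundaries cannot be confirmed here.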
@ -118,7 +118,8 @@ enum Tag : uint32_t {
|
||||||
* boot. */
|
* boot. */
|
||||||
|
|
||||||
/* User authentication */
|
/* User authentication */
|
||||||
// 500-501 reserved
|
// 500 reserved
|
||||||
|
USER_ID = TagType:UINT | 501, /* Android ID of authorized user or authenticator(s), */
|
||||||
USER_SECURE_ID = TagType:ULONG_REP | 502, /* Secure ID of authorized user or authenticator(s).
|
USER_SECURE_ID = TagType:ULONG_REP | 502, /* Secure ID of authorized user or authenticator(s).
|
||||||
* Disallowed if NO_AUTH_REQUIRED is present. */
|
* Disallowed if NO_AUTH_REQUIRED is present. */
|
||||||
NO_AUTH_REQUIRED = TagType:BOOL | 503, /* If key is usable without authentication. */
|
NO_AUTH_REQUIRED = TagType:BOOL | 503, /* If key is usable without authentication. */
|
||||||
|
@ -191,6 +192,9 @@ enum Tag : uint32_t {
|
||||||
* match the data described in the token, keymaster must return NO_USER_CONFIRMATION. */
|
* match the data described in the token, keymaster must return NO_USER_CONFIRMATION. */
|
||||||
TRUSTED_CONFIRMATION_REQUIRED = TagType:BOOL | 508,
|
TRUSTED_CONFIRMATION_REQUIRED = TagType:BOOL | 508,
|
||||||
|
|
||||||
|
UNLOCKED_DEVICE_REQUIRED = TagType:BOOL | 509, /* Require the device screen to be unlocked if
|
||||||
|
* the key is used. */
|
||||||
|
|
||||||
/* Application access control */
|
/* Application access control */
|
||||||
APPLICATION_ID = TagType:BYTES | 601, /* Byte string identifying the authorized application. */
|
APPLICATION_ID = TagType:BYTES | 601, /* Byte string identifying the authorized application. */
|
||||||
|
|
||||||
|
@ -471,6 +475,7 @@ enum ErrorCode : int32_t {
|
||||||
PROOF_OF_PRESENCE_REQUIRED = -69,
|
PROOF_OF_PRESENCE_REQUIRED = -69,
|
||||||
CONCURRENT_PROOF_OF_PRESENCE_REQUESTED = -70,
|
CONCURRENT_PROOF_OF_PRESENCE_REQUESTED = -70,
|
||||||
NO_USER_CONFIRMATION = -71,
|
NO_USER_CONFIRMATION = -71,
|
||||||
|
DEVICE_LOCKED = -72,
|
||||||
|
|
||||||
UNIMPLEMENTED = -100,
|
UNIMPLEMENTED = -100,
|
||||||
VERSION_MISMATCH = -101,
|
VERSION_MISMATCH = -101,
|
||||||
|
|
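Review bot: The comment on the new `USER_ID = TagType:UINT | 501` line ends mid-sentence ("authorized user or authenticator(s), */"), apparently copied from the USER_SECURE_ID comment below it and cut off; it should be completed to state what the value holds, e.g. `/* Android ID of the user authorized to use the key. */` if that is the intent. The `UNLOCKED_DEVICE_REQUIRED = TagType:BOOL | 509` comment says only that the screen must be unlocked "if the key is used"; since the same commit adds `DEVICE_LOCKED = -72`, the comment should state the observable contract, along the lines of `/* Key is not usable while the device is locked; operations fail with DEVICE_LOCKED. */`, assuming that pairing is intended. It would also help implementers to document which component enforces this check: the diff gives keymaster no way to observe screen-lock state, so enforcement presumably depends on keystore gating operations on behalf of the framework, and the comment should say so rather than leave readers to infer it. The enum bodies begin and end outside the hunks.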