1 /* 2 * Copyright (C) 2017 The Android Open Source Project 3 * 4 * Licensed under the Apache License, Version 2.0 (the "License"); 5 * you may not use this file except in compliance with the License. 6 * You may obtain a copy of the License at 7 * 8 * http://www.apache.org/licenses/LICENSE-2.0 9 * 10 * Unless required by applicable law or agreed to in writing, software 11 * distributed under the License is distributed on an "AS IS" BASIS, 12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 * See the License for the specific language governing permissions and 14 * limitations under the License. 15 */ 16 17 package android.security.keystore.recovery; 18 19 import android.annotation.NonNull; 20 import android.annotation.Nullable; 21 import android.annotation.RequiresPermission; 22 import android.annotation.SystemApi; 23 import android.app.KeyguardManager; 24 import android.app.PendingIntent; 25 import android.content.Context; 26 import android.os.RemoteException; 27 import android.os.ServiceManager; 28 import android.os.ServiceSpecificException; 29 import android.security.KeyStore; 30 import android.security.KeyStore2; 31 import android.security.keystore.KeyPermanentlyInvalidatedException; 32 import android.security.keystore2.AndroidKeyStoreProvider; 33 import android.system.keystore2.Domain; 34 import android.system.keystore2.KeyDescriptor; 35 36 import com.android.internal.widget.ILockSettings; 37 38 import java.security.Key; 39 import java.security.UnrecoverableKeyException; 40 import java.security.cert.CertPath; 41 import java.security.cert.CertificateException; 42 import java.security.cert.X509Certificate; 43 import java.util.ArrayList; 44 import java.util.List; 45 import java.util.Map; 46 47 /** 48 * Backs up cryptographic keys to remote secure hardware, encrypted with the user's lock screen. 49 * 50 * <p>A system app with the {@code android.permission.RECOVER_KEYSTORE} permission may generate or 51 * import recoverable keys using this class. To generate a key, the app must call 52 * {@link #generateKey(String)} with the desired alias for the key. This returns an AndroidKeyStore 53 * reference to a 256-bit {@link javax.crypto.SecretKey}, which can be used for AES/GCM/NoPadding. 54 * In order to get the same key again at a later time, the app can call {@link #getKey(String)} with 55 * the same alias. If a key is generated in this way the key's raw material is never directly 56 * exposed to the calling app. The system app may also import key material using 57 * {@link #importKey(String, byte[])}. The app may only generate and import keys for its own 58 * {@code uid}. 59 * 60 * <p>The same system app must also register a Recovery Agent to manage syncing recoverable keys to 61 * remote secure hardware. The Recovery Agent is a service that registers itself with the controller 62 * as follows: 63 * 64 * <ul> 65 * <li>Invokes {@link #initRecoveryService(String, byte[], byte[])} 66 * <ul> 67 * <li>The first argument is the alias of the root certificate used to verify trusted 68 * hardware modules. Each trusted hardware module must have a public key signed with this 69 * root of trust. Roots of trust must be shipped with the framework. The app can list all 70 * valid roots of trust by calling {@link #getRootCertificates()}. 71 * <li>The second argument is the UTF-8 bytes of the XML listing file. It lists the X509 72 * certificates containing the public keys of all available remote trusted hardware modules. 73 * Each of the X509 certificates can be validated against the chosen root of trust. 74 * <li>The third argument is the UTF-8 bytes of the XML signing file. The file contains a 75 * signature of the XML listing file. The signature can be validated against the chosen root 76 * of trust. 77 * </ul> 78 * <p>This will cause the controller to choose a random public key from the list. From then 79 * on the controller will attempt to sync the key chain with the trusted hardware module to whom 80 * that key belongs. 81 * <li>Invokes {@link #setServerParams(byte[])} with a byte string that identifies the device 82 * to a remote server. This server may act as the front-end to the trusted hardware modules. It 83 * is up to the Recovery Agent to decide how best to identify devices, but this could be, e.g., 84 * based on the <a href="https://developers.google.com/instance-id/">Instance ID</a> of the 85 * system app. 86 * <li>Invokes {@link #setRecoverySecretTypes(int[])} with a list of types of secret used to 87 * secure the recoverable key chain. For now only 88 * {@link KeyChainProtectionParams#TYPE_LOCKSCREEN} is supported. 89 * <li>Invokes {@link #setSnapshotCreatedPendingIntent(PendingIntent)} with a 90 * {@link PendingIntent} that is to be invoked whenever a new snapshot is created. Although the 91 * controller can create snapshots without the Recovery Agent registering this intent, it is a 92 * good idea to register the intent so that the Recovery Agent is able to sync this snapshot to 93 * the trusted hardware module as soon as it is available. 94 * </ul> 95 * 96 * <p>The trusted hardware module's public key MUST be generated on secure hardware with protections 97 * equivalent to those described in the 98 * <a href="https://developer.android.com/preview/features/security/ckv-whitepaper.html">Google 99 * Cloud Key Vault Service whitepaper</a>. The trusted hardware module itself must protect the key 100 * chain from brute-forcing using the methods also described in the whitepaper: i.e., it should 101 * limit the number of allowed attempts to enter the lock screen. If the number of attempts is 102 * exceeded the key material must no longer be recoverable. 103 * 104 * <p>A recoverable key chain snapshot is considered pending if any of the following conditions 105 * are met: 106 * 107 * <ul> 108 * <li>The system app mutates the key chain. i.e., generates, imports, or removes a key. 109 * <li>The user changes their lock screen. 110 * </ul> 111 * 112 * <p>Whenever the user unlocks their device, if a snapshot is pending, the Recovery Controller 113 * generates a new snapshot. It follows these steps to do so: 114 * 115 * <ul> 116 * <li>Generates a 256-bit AES key using {@link java.security.SecureRandom}. This is the 117 * Recovery Key. 118 * <li>Wraps the key material of all keys in the recoverable key chain with the Recovery Key. 119 * <li>Encrypts the Recovery Key with both the public key of the trusted hardware module and a 120 * symmetric key derived from the user's lock screen. 121 * </ul> 122 * 123 * <p>The controller then writes this snapshot to disk, and uses the {@link PendingIntent} that was 124 * set by the Recovery Agent during initialization to inform it that a new snapshot is available. 125 * The snapshot only contains keys for that Recovery Agent's {@code uid} - i.e., keys the agent's 126 * app itself generated. If multiple Recovery Agents exist on the device, each will be notified of 127 * their new snapshots, and each snapshots' keys will be only those belonging to the same 128 * {@code uid}. 129 * 130 * <p>The Recovery Agent retrieves its most recent snapshot by calling 131 * {@link #getKeyChainSnapshot()}. It syncs the snapshot to the remote server. The snapshot contains 132 * the public key used for encryption, which the server uses to forward the encrypted recovery key 133 * to the correct trusted hardware module. The snapshot also contains the server params, which are 134 * used to identify this device to the server. 135 * 136 * <p>The client uses the server params to identify a device whose key chain it wishes to restore. 137 * This may be on a different device to the device that originally synced the key chain. The client 138 * sends the server params identifying the previous device to the server. The server returns the 139 * X509 certificate identifying the trusted hardware module in which the encrypted Recovery Key is 140 * stored. It also returns some vault parameters identifying that particular Recovery Key to the 141 * trusted hardware module. And it also returns a vault challenge, which is used as part of the 142 * vault opening protocol to ensure the recovery claim is fresh. See the whitepaper for more 143 * details. 144 * 145 * <p>The key chain is recovered via a {@link RecoverySession}. A Recovery Agent creates one by 146 * invoking {@link #createRecoverySession()}. It then invokes 147 * {@link RecoverySession#start(String, CertPath, byte[], byte[], List)} with these arguments: 148 * 149 * <ul> 150 * <li>The alias of the root of trust used to verify the trusted hardware module. 151 * <li>The X509 certificate of the trusted hardware module. 152 * <li>The vault parameters used to identify the Recovery Key to the trusted hardware module. 153 * <li>The vault challenge, as issued by the trusted hardware module. 154 * <li>A list of secrets, corresponding to the secrets used to protect the key chain. At the 155 * moment this is a single {@link KeyChainProtectionParams} containing the lock screen of the 156 * device whose key chain is to be recovered. 157 * </ul> 158 * 159 * <p>This method returns a byte array containing the Recovery Claim, which can be issued to the 160 * remote trusted hardware module. It is encrypted with the trusted hardware module's public key 161 * (which has itself been certified with the root of trust). It also contains an ephemeral symmetric 162 * key generated for this recovery session, which the remote trusted hardware module uses to encrypt 163 * its responses. This is the Session Key. 164 * 165 * <p>If the lock screen provided is correct, the remote trusted hardware module decrypts one of the 166 * layers of lock-screen encryption from the Recovery Key. It then returns this key, encrypted with 167 * the Session Key to the Recovery Agent. As the Recovery Agent does not know the Session Key, it 168 * must then invoke {@link RecoverySession#recoverKeyChainSnapshot(byte[], List)} with the encrypted 169 * Recovery Key and the list of wrapped application keys. The controller then decrypts the layer of 170 * encryption provided by the Session Key, and uses the lock screen to decrypt the final layer of 171 * encryption. It then uses the Recovery Key to decrypt all of the wrapped application keys, and 172 * imports them into its own KeyStore. The Recovery Agent's app may then access these keys by 173 * calling {@link #getKey(String)}. Only this app's {@code uid} may access the keys that have been 174 * recovered. 175 * 176 * @hide 177 */ 178 @SystemApi 179 public class RecoveryController { 180 private static final String TAG = "RecoveryController"; 181 182 /** Key has been successfully synced. */ 183 public static final int RECOVERY_STATUS_SYNCED = 0; 184 /** Waiting for recovery agent to sync the key. */ 185 public static final int RECOVERY_STATUS_SYNC_IN_PROGRESS = 1; 186 /** Key cannot be synced. */ 187 public static final int RECOVERY_STATUS_PERMANENT_FAILURE = 3; 188 189 /** 190 * Failed because no snapshot is yet pending to be synced for the user. 191 * 192 * @hide 193 */ 194 public static final int ERROR_NO_SNAPSHOT_PENDING = 21; 195 196 /** 197 * Failed due to an error internal to the recovery service. This is unexpected and indicates 198 * either a problem with the logic in the service, or a problem with a dependency of the 199 * service (such as AndroidKeyStore). 200 * 201 * @hide 202 */ 203 public static final int ERROR_SERVICE_INTERNAL_ERROR = 22; 204 205 /** 206 * Failed because the user does not have a lock screen set. 207 * 208 * @hide 209 */ 210 public static final int ERROR_INSECURE_USER = 23; 211 212 /** 213 * Error thrown when attempting to use a recovery session that has since been closed. 214 * 215 * @hide 216 */ 217 public static final int ERROR_SESSION_EXPIRED = 24; 218 219 /** 220 * Failed because the format of the provided certificate is incorrect, e.g., cannot be decoded 221 * properly or misses necessary fields. 222 * 223 * <p>Note that this is different from {@link #ERROR_INVALID_CERTIFICATE}, which implies the 224 * certificate has a correct format but cannot be validated. 225 * 226 * @hide 227 */ 228 public static final int ERROR_BAD_CERTIFICATE_FORMAT = 25; 229 230 /** 231 * Error thrown if decryption failed. This might be because the tag is wrong, the key is wrong, 232 * the data has become corrupted, the data has been tampered with, etc. 233 * 234 * @hide 235 */ 236 public static final int ERROR_DECRYPTION_FAILED = 26; 237 238 /** 239 * Error thrown if the format of a given key is invalid. This might be because the key has a 240 * wrong length, invalid content, etc. 241 * 242 * @hide 243 */ 244 public static final int ERROR_INVALID_KEY_FORMAT = 27; 245 246 /** 247 * Failed because the provided certificate cannot be validated, e.g., is expired or has invalid 248 * signatures. 249 * 250 * <p>Note that this is different from {@link #ERROR_BAD_CERTIFICATE_FORMAT}, which denotes 251 * incorrect certificate formats, e.g., due to wrong encoding or structure. 252 * 253 * @hide 254 */ 255 public static final int ERROR_INVALID_CERTIFICATE = 28; 256 257 258 /** 259 * Failed because the provided certificate contained serial version which is lower that the 260 * version device is already initialized with. It is not possible to downgrade serial version of 261 * the provided certificate. 262 * 263 * @hide 264 */ 265 public static final int ERROR_DOWNGRADE_CERTIFICATE = 29; 266 267 /** 268 * Requested key is not available in AndroidKeyStore. 269 * 270 * @hide 271 */ 272 public static final int ERROR_KEY_NOT_FOUND = 30; 273 274 private final ILockSettings mBinder; 275 private final KeyStore mKeyStore; 276 RecoveryController(ILockSettings binder, KeyStore keystore)277 private RecoveryController(ILockSettings binder, KeyStore keystore) { 278 mBinder = binder; 279 mKeyStore = keystore; 280 } 281 282 /** 283 * Internal method used by {@code RecoverySession}. 284 * 285 * @hide 286 */ getBinder()287 ILockSettings getBinder() { 288 return mBinder; 289 } 290 291 /** 292 * Gets a new instance of the class. 293 */ 294 @RequiresPermission(android.Manifest.permission.RECOVER_KEYSTORE) getInstance(@onNull Context context)295 @NonNull public static RecoveryController getInstance(@NonNull Context context) { 296 // lockSettings may be null. 297 ILockSettings lockSettings = 298 ILockSettings.Stub.asInterface(ServiceManager.getService("lock_settings")); 299 return new RecoveryController(lockSettings, KeyStore.getInstance()); 300 } 301 302 /** 303 * Checks whether the recoverable key store is currently available. 304 * 305 * <p>If it returns true, the device must currently be using a screen lock that is supported for 306 * use with the recoverable key store, i.e. AOSP PIN, pattern or password. 307 */ 308 @RequiresPermission(android.Manifest.permission.RECOVER_KEYSTORE) isRecoverableKeyStoreEnabled(@onNull Context context)309 public static boolean isRecoverableKeyStoreEnabled(@NonNull Context context) { 310 KeyguardManager keyguardManager = context.getSystemService(KeyguardManager.class); 311 return keyguardManager != null && keyguardManager.isDeviceSecure(); 312 } 313 314 /** 315 * Initializes the recovery service for the calling application. The detailed steps should be: 316 * <ol> 317 * <li>Parse {@code signatureFile} to get relevant information. 318 * <li>Validate the signer's X509 certificate, contained in {@code signatureFile}, against 319 * the root certificate pre-installed in the OS and chosen by {@code 320 * rootCertificateAlias}. 321 * <li>Verify the public-key signature, contained in {@code signatureFile}, and verify it 322 * against the entire {@code certificateFile}. 323 * <li>Parse {@code certificateFile} to get relevant information. 324 * <li>Check the serial number, contained in {@code certificateFile}, and skip the following 325 * steps if the serial number is not larger than the one previously stored. 326 * <li>Randomly choose a X509 certificate from the endpoint X509 certificates, contained in 327 * {@code certificateFile}, and validate it against the root certificate pre-installed 328 * in the OS and chosen by {@code rootCertificateAlias}. 329 * <li>Store the chosen X509 certificate and the serial in local database for later use. 330 * </ol> 331 * 332 * @param rootCertificateAlias the alias of a root certificate pre-installed in the OS 333 * @param certificateFile the binary content of the XML file containing a list of recovery 334 * service X509 certificates, and other metadata including the serial number 335 * @param signatureFile the binary content of the XML file containing the public-key signature 336 * of the entire certificate file, and a signer's X509 certificate 337 * @throws CertificateException if the given certificate files cannot be parsed or validated 338 * @throws InternalRecoveryServiceException if an unexpected error occurred in the recovery 339 * service. 340 */ 341 @RequiresPermission(android.Manifest.permission.RECOVER_KEYSTORE) initRecoveryService( @onNull String rootCertificateAlias, @NonNull byte[] certificateFile, @NonNull byte[] signatureFile)342 public void initRecoveryService( 343 @NonNull String rootCertificateAlias, @NonNull byte[] certificateFile, 344 @NonNull byte[] signatureFile) 345 throws CertificateException, InternalRecoveryServiceException { 346 try { 347 mBinder.initRecoveryServiceWithSigFile( 348 rootCertificateAlias, certificateFile, signatureFile); 349 } catch (RemoteException e) { 350 throw e.rethrowFromSystemServer(); 351 } catch (ServiceSpecificException e) { 352 if (e.errorCode == ERROR_BAD_CERTIFICATE_FORMAT 353 || e.errorCode == ERROR_INVALID_CERTIFICATE) { 354 throw new CertificateException("Invalid certificate for recovery service", e); 355 } 356 if (e.errorCode == ERROR_DOWNGRADE_CERTIFICATE) { 357 throw new CertificateException( 358 "Downgrading certificate serial version isn't supported.", e); 359 } 360 throw wrapUnexpectedServiceSpecificException(e); 361 } 362 } 363 364 /** 365 * Returns data necessary to store all recoverable keys. Key material is 366 * encrypted with user secret and recovery public key. 367 * 368 * @return Data necessary to recover keystore or {@code null} if snapshot is not available. 369 * @throws InternalRecoveryServiceException if an unexpected error occurred in the recovery 370 * service. 371 */ 372 @RequiresPermission(android.Manifest.permission.RECOVER_KEYSTORE) getKeyChainSnapshot()373 public @Nullable KeyChainSnapshot getKeyChainSnapshot() 374 throws InternalRecoveryServiceException { 375 try { 376 return mBinder.getKeyChainSnapshot(); 377 } catch (RemoteException e) { 378 throw e.rethrowFromSystemServer(); 379 } catch (ServiceSpecificException e) { 380 if (e.errorCode == ERROR_NO_SNAPSHOT_PENDING) { 381 return null; 382 } 383 throw wrapUnexpectedServiceSpecificException(e); 384 } 385 } 386 387 /** 388 * Sets a listener which notifies recovery agent that new recovery snapshot is available. {@link 389 * #getKeyChainSnapshot} can be used to get the snapshot. Note that every recovery agent can 390 * have at most one registered listener at any time. 391 * 392 * @param intent triggered when new snapshot is available. Unregisters listener if the value is 393 * {@code null}. 394 * @throws InternalRecoveryServiceException if an unexpected error occurred in the recovery 395 * service. 396 */ 397 @RequiresPermission(android.Manifest.permission.RECOVER_KEYSTORE) setSnapshotCreatedPendingIntent(@ullable PendingIntent intent)398 public void setSnapshotCreatedPendingIntent(@Nullable PendingIntent intent) 399 throws InternalRecoveryServiceException { 400 try { 401 mBinder.setSnapshotCreatedPendingIntent(intent); 402 } catch (RemoteException e) { 403 throw e.rethrowFromSystemServer(); 404 } catch (ServiceSpecificException e) { 405 throw wrapUnexpectedServiceSpecificException(e); 406 } 407 } 408 409 /** 410 * Server parameters used to generate new recovery key blobs. This value will be included in 411 * {@code KeyChainSnapshot.getEncryptedRecoveryKeyBlob()}. The same value must be included 412 * in vaultParams {@link RecoverySession#start(CertPath, byte[], byte[], List)}. 413 * 414 * @param serverParams included in recovery key blob. 415 * @see #getKeyChainSnapshot 416 * @throws InternalRecoveryServiceException if an unexpected error occurred in the recovery 417 * service. 418 */ 419 @RequiresPermission(android.Manifest.permission.RECOVER_KEYSTORE) setServerParams(@onNull byte[] serverParams)420 public void setServerParams(@NonNull byte[] serverParams) 421 throws InternalRecoveryServiceException { 422 try { 423 mBinder.setServerParams(serverParams); 424 } catch (RemoteException e) { 425 throw e.rethrowFromSystemServer(); 426 } catch (ServiceSpecificException e) { 427 throw wrapUnexpectedServiceSpecificException(e); 428 } 429 } 430 431 /** 432 * Returns a list of aliases of keys belonging to the application. 433 */ 434 @RequiresPermission(android.Manifest.permission.RECOVER_KEYSTORE) getAliases()435 public @NonNull List<String> getAliases() throws InternalRecoveryServiceException { 436 try { 437 Map<String, Integer> allStatuses = mBinder.getRecoveryStatus(); 438 return new ArrayList<>(allStatuses.keySet()); 439 } catch (RemoteException e) { 440 throw e.rethrowFromSystemServer(); 441 } catch (ServiceSpecificException e) { 442 throw wrapUnexpectedServiceSpecificException(e); 443 } 444 } 445 446 /** 447 * Sets the recovery status for given key. It is used to notify the keystore that the key was 448 * successfully stored on the server or that there was an error. An application can check this 449 * value using {@link #getRecoveryStatus(String, String)}. 450 * 451 * @param alias The alias of the key whose status to set. 452 * @param status The status of the key. One of {@link #RECOVERY_STATUS_SYNCED}, 453 * {@link #RECOVERY_STATUS_SYNC_IN_PROGRESS} or {@link #RECOVERY_STATUS_PERMANENT_FAILURE}. 454 * @throws InternalRecoveryServiceException if an unexpected error occurred in the recovery 455 * service. 456 */ 457 @RequiresPermission(android.Manifest.permission.RECOVER_KEYSTORE) setRecoveryStatus(@onNull String alias, int status)458 public void setRecoveryStatus(@NonNull String alias, int status) 459 throws InternalRecoveryServiceException { 460 try { 461 mBinder.setRecoveryStatus(alias, status); 462 } catch (RemoteException e) { 463 throw e.rethrowFromSystemServer(); 464 } catch (ServiceSpecificException e) { 465 throw wrapUnexpectedServiceSpecificException(e); 466 } 467 } 468 469 /** 470 * Returns the recovery status for the key with the given {@code alias}. 471 * 472 * <ul> 473 * <li>{@link #RECOVERY_STATUS_SYNCED} 474 * <li>{@link #RECOVERY_STATUS_SYNC_IN_PROGRESS} 475 * <li>{@link #RECOVERY_STATUS_PERMANENT_FAILURE} 476 * </ul> 477 * 478 * @see #setRecoveryStatus(String, int) 479 * @throws InternalRecoveryServiceException if an unexpected error occurred in the recovery 480 * service. 481 */ 482 @RequiresPermission(android.Manifest.permission.RECOVER_KEYSTORE) getRecoveryStatus(@onNull String alias)483 public int getRecoveryStatus(@NonNull String alias) throws InternalRecoveryServiceException { 484 try { 485 Map<String, Integer> allStatuses = mBinder.getRecoveryStatus(); 486 Integer status = allStatuses.get(alias); 487 if (status == null) { 488 return RecoveryController.RECOVERY_STATUS_PERMANENT_FAILURE; 489 } else { 490 return status; 491 } 492 } catch (RemoteException e) { 493 throw e.rethrowFromSystemServer(); 494 } catch (ServiceSpecificException e) { 495 throw wrapUnexpectedServiceSpecificException(e); 496 } 497 } 498 499 /** 500 * Specifies a set of secret types used for end-to-end keystore encryption. Knowing all of them 501 * is necessary to recover data. 502 * 503 * @param secretTypes {@link KeyChainProtectionParams#TYPE_LOCKSCREEN} 504 * @throws InternalRecoveryServiceException if an unexpected error occurred in the recovery 505 * service. 506 */ 507 @RequiresPermission(android.Manifest.permission.RECOVER_KEYSTORE) setRecoverySecretTypes( @onNull @eyChainProtectionParams.UserSecretType int[] secretTypes)508 public void setRecoverySecretTypes( 509 @NonNull @KeyChainProtectionParams.UserSecretType int[] secretTypes) 510 throws InternalRecoveryServiceException { 511 try { 512 mBinder.setRecoverySecretTypes(secretTypes); 513 } catch (RemoteException e) { 514 throw e.rethrowFromSystemServer(); 515 } catch (ServiceSpecificException e) { 516 throw wrapUnexpectedServiceSpecificException(e); 517 } 518 } 519 520 /** 521 * Defines a set of secret types used for end-to-end keystore encryption. Knowing all of them is 522 * necessary to generate KeyChainSnapshot. 523 * 524 * @return list of recovery secret types 525 * @see KeyChainSnapshot 526 * @throws InternalRecoveryServiceException if an unexpected error occurred in the recovery 527 * service. 528 */ 529 @RequiresPermission(android.Manifest.permission.RECOVER_KEYSTORE) getRecoverySecretTypes()530 public @NonNull @KeyChainProtectionParams.UserSecretType int[] getRecoverySecretTypes() 531 throws InternalRecoveryServiceException { 532 try { 533 return mBinder.getRecoverySecretTypes(); 534 } catch (RemoteException e) { 535 throw e.rethrowFromSystemServer(); 536 } catch (ServiceSpecificException e) { 537 throw wrapUnexpectedServiceSpecificException(e); 538 } 539 } 540 541 /** 542 * Generates a recoverable key with the given {@code alias}. 543 * 544 * @throws InternalRecoveryServiceException if an unexpected error occurred in the recovery 545 * service. 546 * @throws LockScreenRequiredException if the user does not have a lock screen set. A lock 547 * screen is required to generate recoverable keys. 548 * 549 * @deprecated Use the method {@link #generateKey(String, byte[])} instead. 550 */ 551 @Deprecated 552 @RequiresPermission(android.Manifest.permission.RECOVER_KEYSTORE) generateKey(@onNull String alias)553 public @NonNull Key generateKey(@NonNull String alias) throws InternalRecoveryServiceException, 554 LockScreenRequiredException { 555 try { 556 String grantAlias = mBinder.generateKey(alias); 557 if (grantAlias == null) { 558 throw new InternalRecoveryServiceException("null grant alias"); 559 } 560 return getKeyFromGrant(grantAlias); 561 } catch (RemoteException e) { 562 throw e.rethrowFromSystemServer(); 563 } catch (KeyPermanentlyInvalidatedException | UnrecoverableKeyException e) { 564 throw new InternalRecoveryServiceException("Failed to get key from keystore", e); 565 } catch (ServiceSpecificException e) { 566 if (e.errorCode == ERROR_INSECURE_USER) { 567 throw new LockScreenRequiredException(e.getMessage()); 568 } 569 throw wrapUnexpectedServiceSpecificException(e); 570 } 571 } 572 573 /** 574 * Generates a recoverable key with the given {@code alias} and {@code metadata}. 575 * 576 * <p>The metadata should contain any data that needs to be cryptographically bound to the 577 * generated key, but does not need to be encrypted by the key. For example, the metadata can 578 * be a byte string describing the algorithms and non-secret parameters to be used with the 579 * key. The supplied metadata can later be obtained via 580 * {@link WrappedApplicationKey#getMetadata()}. 581 * 582 * <p>During the key recovery process, the same metadata has to be supplied via 583 * {@link WrappedApplicationKey.Builder#setMetadata(byte[])}; otherwise, the recovery process 584 * will fail due to the checking of the cryptographic binding. This can help prevent 585 * potential attacks that try to swap key materials on the backup server and trick the 586 * application to use keys with different algorithms or parameters. 587 * 588 * @throws InternalRecoveryServiceException if an unexpected error occurred in the recovery 589 * service. 590 * @throws LockScreenRequiredException if the user does not have a lock screen set. A lock 591 * screen is required to generate recoverable keys. 592 */ 593 @RequiresPermission(android.Manifest.permission.RECOVER_KEYSTORE) generateKey(@onNull String alias, @Nullable byte[] metadata)594 public @NonNull Key generateKey(@NonNull String alias, @Nullable byte[] metadata) 595 throws InternalRecoveryServiceException, LockScreenRequiredException { 596 try { 597 String grantAlias = mBinder.generateKeyWithMetadata(alias, metadata); 598 if (grantAlias == null) { 599 throw new InternalRecoveryServiceException("null grant alias"); 600 } 601 return getKeyFromGrant(grantAlias); 602 } catch (RemoteException e) { 603 throw e.rethrowFromSystemServer(); 604 } catch (KeyPermanentlyInvalidatedException | UnrecoverableKeyException e) { 605 throw new InternalRecoveryServiceException("Failed to get key from keystore", e); 606 } catch (ServiceSpecificException e) { 607 if (e.errorCode == ERROR_INSECURE_USER) { 608 throw new LockScreenRequiredException(e.getMessage()); 609 } 610 throw wrapUnexpectedServiceSpecificException(e); 611 } 612 } 613 614 /** 615 * Imports a 256-bit recoverable AES key with the given {@code alias} and the raw bytes {@code 616 * keyBytes}. 617 * 618 * @throws InternalRecoveryServiceException if an unexpected error occurred in the recovery 619 * service. 620 * @throws LockScreenRequiredException if the user does not have a lock screen set. A lock 621 * screen is required to generate recoverable keys. 622 * 623 * @deprecated Use the method {@link #importKey(String, byte[], byte[])} instead. 624 */ 625 @Deprecated 626 @RequiresPermission(android.Manifest.permission.RECOVER_KEYSTORE) importKey(@onNull String alias, @NonNull byte[] keyBytes)627 public @NonNull Key importKey(@NonNull String alias, @NonNull byte[] keyBytes) 628 throws InternalRecoveryServiceException, LockScreenRequiredException { 629 try { 630 String grantAlias = mBinder.importKey(alias, keyBytes); 631 if (grantAlias == null) { 632 throw new InternalRecoveryServiceException("Null grant alias"); 633 } 634 return getKeyFromGrant(grantAlias); 635 } catch (RemoteException e) { 636 throw e.rethrowFromSystemServer(); 637 } catch (KeyPermanentlyInvalidatedException | UnrecoverableKeyException e) { 638 throw new InternalRecoveryServiceException("Failed to get key from keystore", e); 639 } catch (ServiceSpecificException e) { 640 if (e.errorCode == ERROR_INSECURE_USER) { 641 throw new LockScreenRequiredException(e.getMessage()); 642 } 643 throw wrapUnexpectedServiceSpecificException(e); 644 } 645 } 646 647 /** 648 * Imports a recoverable 256-bit AES key with the given {@code alias}, the raw bytes {@code 649 * keyBytes}, and the {@code metadata}. 650 * 651 * <p>The metadata should contain any data that needs to be cryptographically bound to the 652 * imported key, but does not need to be encrypted by the key. For example, the metadata can 653 * be a byte string describing the algorithms and non-secret parameters to be used with the 654 * key. The supplied metadata can later be obtained via 655 * {@link WrappedApplicationKey#getMetadata()}. 656 * 657 * <p>During the key recovery process, the same metadata has to be supplied via 658 * {@link WrappedApplicationKey.Builder#setMetadata(byte[])}; otherwise, the recovery process 659 * will fail due to the checking of the cryptographic binding. This can help prevent 660 * potential attacks that try to swap key materials on the backup server and trick the 661 * application to use keys with different algorithms or parameters. 662 * 663 * @throws InternalRecoveryServiceException if an unexpected error occurred in the recovery 664 * service. 665 * @throws LockScreenRequiredException if the user does not have a lock screen set. A lock 666 * screen is required to generate recoverable keys. 667 */ 668 @RequiresPermission(android.Manifest.permission.RECOVER_KEYSTORE) importKey(@onNull String alias, @NonNull byte[] keyBytes, @Nullable byte[] metadata)669 public @NonNull Key importKey(@NonNull String alias, @NonNull byte[] keyBytes, 670 @Nullable byte[] metadata) 671 throws InternalRecoveryServiceException, LockScreenRequiredException { 672 try { 673 String grantAlias = mBinder.importKeyWithMetadata(alias, keyBytes, metadata); 674 if (grantAlias == null) { 675 throw new InternalRecoveryServiceException("Null grant alias"); 676 } 677 return getKeyFromGrant(grantAlias); 678 } catch (RemoteException e) { 679 throw e.rethrowFromSystemServer(); 680 } catch (KeyPermanentlyInvalidatedException | UnrecoverableKeyException e) { 681 throw new InternalRecoveryServiceException("Failed to get key from keystore", e); 682 } catch (ServiceSpecificException e) { 683 if (e.errorCode == ERROR_INSECURE_USER) { 684 throw new LockScreenRequiredException(e.getMessage()); 685 } 686 throw wrapUnexpectedServiceSpecificException(e); 687 } 688 } 689 690 /** 691 * Gets a key called {@code alias} from the recoverable key store. 692 * 693 * @param alias The key alias. 694 * @return The key. 695 * @throws InternalRecoveryServiceException if an unexpected error occurred in the recovery 696 * service. 697 * @throws UnrecoverableKeyException if key is permanently invalidated or not found. 698 */ 699 @RequiresPermission(android.Manifest.permission.RECOVER_KEYSTORE) getKey(@onNull String alias)700 public @Nullable Key getKey(@NonNull String alias) 701 throws InternalRecoveryServiceException, UnrecoverableKeyException { 702 try { 703 String grantAlias = mBinder.getKey(alias); 704 if (grantAlias == null || "".equals(grantAlias)) { 705 return null; 706 } 707 return getKeyFromGrant(grantAlias); 708 } catch (RemoteException e) { 709 throw e.rethrowFromSystemServer(); 710 } catch (KeyPermanentlyInvalidatedException | UnrecoverableKeyException e) { 711 throw new UnrecoverableKeyException(e.getMessage()); 712 } catch (ServiceSpecificException e) { 713 if (e.errorCode == ERROR_KEY_NOT_FOUND) { 714 throw new UnrecoverableKeyException(e.getMessage()); 715 } 716 throw wrapUnexpectedServiceSpecificException(e); 717 } 718 } 719 720 /** 721 * Returns the key with the given {@code grantAlias}. 722 */ getKeyFromGrant(@onNull String grantAlias)723 @NonNull Key getKeyFromGrant(@NonNull String grantAlias) 724 throws UnrecoverableKeyException, KeyPermanentlyInvalidatedException { 725 return AndroidKeyStoreProvider 726 .loadAndroidKeyStoreSecretKeyFromKeystore( 727 KeyStore2.getInstance(), 728 getGrantDescriptor(grantAlias)); 729 } 730 731 private static final String APPLICATION_KEY_GRANT_PREFIX = "recoverable_key:"; 732 getGrantDescriptor(String grantAlias)733 private static @Nullable KeyDescriptor getGrantDescriptor(String grantAlias) { 734 KeyDescriptor result = new KeyDescriptor(); 735 result.domain = Domain.GRANT; 736 result.blob = null; 737 result.alias = null; 738 try { 739 result.nspace = Long.parseUnsignedLong( 740 grantAlias.substring(APPLICATION_KEY_GRANT_PREFIX.length()), 16); 741 } catch (NumberFormatException e) { 742 return null; 743 } 744 return result; 745 } 746 747 /** 748 * Removes a key called {@code alias} from the recoverable key store. 749 * 750 * @param alias The key alias. 751 * @throws InternalRecoveryServiceException if an unexpected error occurred in the recovery 752 * service. 753 */ 754 @RequiresPermission(android.Manifest.permission.RECOVER_KEYSTORE) removeKey(@onNull String alias)755 public void removeKey(@NonNull String alias) throws InternalRecoveryServiceException { 756 try { 757 mBinder.removeKey(alias); 758 } catch (RemoteException e) { 759 throw e.rethrowFromSystemServer(); 760 } catch (ServiceSpecificException e) { 761 throw wrapUnexpectedServiceSpecificException(e); 762 } 763 } 764 765 /** 766 * Returns a new {@link RecoverySession}. 767 * 768 * <p>A recovery session is required to restore keys from a remote store. 769 */ 770 @RequiresPermission(android.Manifest.permission.RECOVER_KEYSTORE) createRecoverySession()771 public @NonNull RecoverySession createRecoverySession() { 772 return RecoverySession.newInstance(this); 773 } 774 775 @RequiresPermission(android.Manifest.permission.RECOVER_KEYSTORE) getRootCertificates()776 public @NonNull Map<String, X509Certificate> getRootCertificates() { 777 return TrustedRootCertificates.getRootCertificates(); 778 } 779 wrapUnexpectedServiceSpecificException( ServiceSpecificException e)780 InternalRecoveryServiceException wrapUnexpectedServiceSpecificException( 781 ServiceSpecificException e) { 782 if (e.errorCode == ERROR_SERVICE_INTERNAL_ERROR) { 783 return new InternalRecoveryServiceException(e.getMessage(), e); 784 } 785 786 // Should never happen. If it does, it's a bug, and we need to update how the method that 787 // called this throws its exceptions. 788 return new InternalRecoveryServiceException("Unexpected error code for method: " 789 + e.errorCode, e); 790 } 791 } 792