| 0ab28b78bd06a06a0ffa150cef5876d56212902a |
|
06-Aug-2016 |
Tucker Sylvestro <tuckeris@google.com> |
Support and use TAG_ALLOW_WHILE_ON_BODY
There are three changes in this CL:
1. Persist all characteristics provided at the time of key creation.
We do this to avoid device-specific keymaster implementations
stripping keys they are not aware of.
2. Add an onDeviceOffBody API method that will be called whenever a
wearable device is detected to have been removed.
3. Check whether a key was created with TAG_ALLOW_WHILE_ON_BODY and
the device has gone off-body since the last auth event when
deciding whether it can be used.
BUG: 30701680
BUG: 28911985
Change-Id: I6be3af3dee8e576fe713dfdd726502d8b333f224
/system/security/keystore/IKeystoreService.cpp
|
| 3976b6c43e2809662940d52306e03b2733112d05 |
|
07-Feb-2016 |
Shawn Willden <swillden@google.com> |
Actually pass attestation requests through to keystore.
Bug: 22914603
Change-Id: I49f2386943c90cd29a80556fd48087793dd5ca66
/system/security/keystore/IKeystoreService.cpp
|
| 067042f6d7be14cb0f01388c41af597caf8e60fe |
|
03-Feb-2016 |
Shawn Willden <swillden@google.com> |
Fix various memory errors.
Bug: 26910835
Change-Id: I2973221a798b08bbde6dc7ac5464a99b2dc26b4d
/system/security/keystore/IKeystoreService.cpp
|
| b3bb39218888c573c1b341d3ee11516b9ad2d3b4 |
|
29-Jan-2016 |
Shawn Willden <swillden@google.com> |
Merge changes from topic \'km_tag_allow_on_body\' am: a1433ee2f8
am: e30ca16ae0
* commit 'e30ca16ae0e41375201de9132866f5680a5d7baa':
Add KM_TAG_ALLOW_WHILE_ON_BODY
Add attestation support to keystore.
|
| 50eb1b2f89ca455b2e9caa635bfe0b5ed94b416a |
|
21-Jan-2016 |
Shawn Willden <swillden@google.com> |
Add attestation support to keystore.
Bug: 22914603
Change-Id: I14fbfbe30b96c5c29278fa548e06b65f15942fe2
/system/security/keystore/IKeystoreService.cpp
|
| ad6a7f5f988d4c7d1ac66c46052f29bb74745a3e |
|
09-Sep-2015 |
Chad Brubaker <cbrubaker@google.com> |
Allow uid to be passed for more operations
This expands get, getmtime, exportKey, getKeyCharacteristcs and begin to
accept a uid to run as. This is only for system to use keys owned by
Wifi and VPN, and not something that can be used to do operations as
another arbitrary application.
Bug: 23978113
Change-Id: If076d61b0cc9d55e96272e49a58938c3961e2dda
/system/security/keystore/IKeystoreService.cpp
|
| 0ebf13dbf975028735a8afc42e39c6ea47cec704 |
|
25-Jun-2015 |
Shawn Willden <swillden@google.com> |
Rename keymaster tag types to clarify that integers are unsigned.
Bug: 22008538
Change-Id: Id6e3ca5c1defc8149b7ae7de5787b3635e2a4262
/system/security/keystore/IKeystoreService.cpp
|
| 3a7d9e626fa6c0e116c07be912c319aad6e08614 |
|
05-Jun-2015 |
Chad Brubaker <cbrubaker@google.com> |
Rewrite legacy methods in terms of new methods
Rewrite generate, import, get_pubkey, sign and verify using the new
keymaster 1.0 methods (generateKey, exportKey, and begin/update/finish).
This also removed DSA support from generate and import.
Change-Id: I6c6baec4aa86325a2b9c171b9883ba5a0b47236e
/system/security/keystore/IKeystoreService.cpp
|
| 0d33e0babec356b1e69f1f15e8d9fe2ad878762c |
|
29-May-2015 |
Chad Brubaker <cbrubaker@google.com> |
Add optional additional entropy to finish
If provided the extra entropy will be added to the device before calling
finish. If entropy is provided and the device does not support supplying
additional entropy then finish will fail with KM_ERROR_UNIMPLEMENTED.
(cherry-picked from commit 8cfb8ac6e9bd291e9d861a32de2719e3bc797191)
Change-Id: If26be118bf382604f6f8e96e833b76e6f9e94d58
/system/security/keystore/IKeystoreService.cpp
|
| 57e106dc183744cdc05c62bea11bc285b3346846 |
|
01-Jun-2015 |
Chad Brubaker <cbrubaker@google.com> |
Track keymaster method changes
Change-Id: If0b274118a2d238b18c0a06ee3fe7f0798a44a1c
/system/security/keystore/IKeystoreService.cpp
|
| e6c3bfa8d39c7addbfbac0b2df63b0067bb664d8 |
|
13-May-2015 |
Chad Brubaker <cbrubaker@google.com> |
Cleanup keystore API
Remove old methods that were replaced by onUser* methods, rename methods
with unclear names, and add userId parameters to all operations that
operate with per user state.
(cherry-picked from commit 9443616391a705856b2cad026afb69dc23a346e9)
Change-Id: I846fbb0a5ad17b4ee4c0c759fd1fd23f58b88d78
/system/security/keystore/IKeystoreService.cpp
|
| c0f031a867a6c3fa05732fcd72bd284d56073cf8 |
|
12-May-2015 |
Chad Brubaker <cbrubaker@google.com> |
Add onUserAdded/Removed methods
These will handle the logic of Android users being added/removed from
the device instead of the system calling the various reset/sync methods.
(cherry-picked from commit fd777e7111ce01c672706867302db08371e5afce)
Change-Id: Ic6be0de63cc1b0579a46e7101dcfeb1a9ffa4738
/system/security/keystore/IKeystoreService.cpp
|
| 96d6d7868303ad87f1f408c40d3c44bcb39f561e |
|
07-May-2015 |
Chad Brubaker <cbrubaker@google.com> |
Cleanup password change and removal logic.
Replace password with notifyUserPasswordChanged for password changes,
unlock should now be used to unlock keystore instead of calling password
with the current password.
When the user removes their password now only keystore entries that were
created with FLAG_ENCRYPTED will be deleted. Unencrypted entries will
remain. This makes it more concrete that the keystore could be non-empty
while in STATE_UNINITIALIZED, though this was previously possible due to
the state only being checked if FLAG_ENCRYPTED was set.
Change-Id: I324914c00195d762cbaa8c63084e41fa796b7df8
/system/security/keystore/IKeystoreService.cpp
|
| 3aa55012241118820b12c565852c304cbd260b72 |
|
17-Apr-2015 |
Chad Brubaker <cbrubaker@google.com> |
am b362ae3d: am bb9c9dbc: am 9484bb01: Merge "Support KM_LONG_REP"
* commit 'b362ae3d2fc8dd7c92c28322291814a6815dc1a1':
Support KM_LONG_REP
|
| 686db068e9735b53a55f49975e11d2038f3d611d |
|
16-Apr-2015 |
Chad Brubaker <cbrubaker@google.com> |
Support KM_LONG_REP
Change-Id: I37814bcb03dc8918e27226ec43230fa4218723d0
/system/security/keystore/IKeystoreService.cpp
|
| 28bfa10673ae0bef2b9500214510e2beb0d506fd |
|
13-Apr-2015 |
Andres Morales <anmorales@google.com> |
am 38beb106: am a11517f6: am 00300a11: Merge "Fix addAuthToken api"
* commit '38beb106f37034c32298f258e07cddf3ce377fcd':
Fix addAuthToken api
|
| 1690089cc886a8cb72c7fd3a86a75899241d8263 |
|
13-Apr-2015 |
Andres Morales <anmorales@google.com> |
Fix addAuthToken api
A binder token is not written thus cannot be read
Change-Id: Id44acf3e7001f2b027041ef8c7c324e687ab0fcd
/system/security/keystore/IKeystoreService.cpp
|
| 46552e74f266f3998e42d45d2d13eb1b44a7a01c |
|
31-Mar-2015 |
Chad Brubaker <cbrubaker@google.com> |
am 026efd18: am eeb4e1e1: am 96cf1b1e: Merge "Include operation handle in OperationResult"
* commit '026efd182ec465169dde8879d2717be580e15846':
Include operation handle in OperationResult
|
| 96cf1b1ee907696cc4342c1b4992c657d0b6aa33 |
|
31-Mar-2015 |
Chad Brubaker <cbrubaker@google.com> |
Merge "Include operation handle in OperationResult"
|
| 36d1b897161385479d511b3c416dc81058e34221 |
|
30-Mar-2015 |
Chad Brubaker <cbrubaker@google.com> |
am 534b1800: am ec129679: am 41efb6a5: Merge "Add authorization binder methods"
* commit '534b1800f39b5b72de641cf7f3271bf9cd77ef4d':
Add authorization binder methods
|
| 41efb6a58c7efd63d3493f9095284c74ed363d46 |
|
30-Mar-2015 |
Chad Brubaker <cbrubaker@google.com> |
Merge "Add authorization binder methods"
|
| 2a36a4f1d738185619b9aa48260fb34a39d04c37 |
|
28-Mar-2015 |
Chad Brubaker <cbrubaker@google.com> |
am 3b8021da: am 56cba306: am 1cee95d5: Merge "Allow entropy to be provided to some operations"
* commit '3b8021da70494509b46be903a8624a911e63ae08':
Allow entropy to be provided to some operations
|
| 154d7699cc30ef5156d6497258c4dd350fcb1286 |
|
27-Mar-2015 |
Chad Brubaker <cbrubaker@google.com> |
Allow entropy to be provided to some operations
generateKey and begin can now optionally take an array of bytes to add
to the rng entropy of the device before the operation. If entropy is
specified and the device does not support add_rng_entropy or the call
fails then that device will not be used, leading to fallback or error
depending on the situation.
Change-Id: Id7d33e3cc959594dfa5483d002993ba35c1fb134
/system/security/keystore/IKeystoreService.cpp
|
| bb219bcfcc868cd2a52483e32a5c33412ede83d3 |
|
25-Mar-2015 |
Chad Brubaker <cbrubaker@google.com> |
am f44043da: am d020cf7f: am e3ec7541: Merge "Make client/app ids objects in the binder API"
* commit 'f44043daf3ea073823b10f535b237b3ab624a291':
Make client/app ids objects in the binder API
|
| bc51718a230f691c25e841278baec5e03bb0235b |
|
24-Mar-2015 |
Chad Brubaker <cbrubaker@google.com> |
am b3c00d6b: am fcd856db: am 9576d286: Merge "Add readByteArray"
* commit 'b3c00d6b5805c43005069435c35ba2d90f6fcb68':
Add readByteArray
|
| d663442b590b59250062335cc057478001b8e439 |
|
22-Mar-2015 |
Chad Brubaker <cbrubaker@google.com> |
Make client/app ids objects in the binder API
Previously a null client/app id was translated into a blob with
length=0, data=NULL, but this was a bit janky and required null ids to
be set on key creation/import.
Change-Id: I27607a50f4dc5a898625b569f5293369f0039eba
/system/security/keystore/IKeystoreService.cpp
|
| 2ed2baa7de690b09430b40625e6b18d10757a2fd |
|
22-Mar-2015 |
Chad Brubaker <cbrubaker@google.com> |
Add authorization binder methods
Add methods for sending an auth token to keystore and to query the
authorization state of a given operation. These methods are currently
stubs until authorization is implemented.
Change-Id: I0f97ffb3afe19c1f1d8a00bfc95e27616e7cb06c
/system/security/keystore/IKeystoreService.cpp
|
| 6432df7173778954f3e2dfe7d495ab5daa6983ab |
|
21-Mar-2015 |
Chad Brubaker <cbrubaker@google.com> |
Add readByteArray
Add a static method for reading const byte arrays from parcels since its
used in most of the new APIs.
Change-Id: Icb4b75d0d1fcbeab00d59dbdfdfca8dd93884928
/system/security/keystore/IKeystoreService.cpp
|
| c3a1856bbe2e39d5b3430f5f088b12fd710a159f |
|
18-Mar-2015 |
Chad Brubaker <cbrubaker@google.com> |
Include operation handle in OperationResult
Some authorization code needs to know the actual underlying operation
handle, not simply a reference to it, so return it in case it is needed.
Note that the handle cannot be used by the application to reference an
operation.
Change-Id: I4c883dde17168b7f6c1643d81741a4c2686d3159
/system/security/keystore/IKeystoreService.cpp
|
| 47f8edd24cf93a7e9dda01da82e8a579dc3be3f2 |
|
17-Mar-2015 |
Alex Klyubin <klyubin@google.com> |
am bf9efff8: am 3bfd091a: Merge "Implement keymaster 1.0 crypto operations"
* commit 'bf9efff8dc8b9c6b48ca2b487c0f9c4a287733f2':
Implement keymaster 1.0 crypto operations
|
| 40a1a9b306d4e3c85b24f80ff39841507cf42357 |
|
20-Feb-2015 |
Chad Brubaker <cbrubaker@google.com> |
Implement keymaster 1.0 crypto operations
Change-Id: I365ea9082e14bccb83018e8ea67a10408362c550
/system/security/keystore/IKeystoreService.cpp
|
| efd601baf982e17c09f581d6a462c0de046acd9a |
|
08-Mar-2015 |
Chad Brubaker <cbrubaker@google.com> |
resolved conflicts for merge of 41ceb7db to master
Change-Id: I72c429dbf30f3313ca12ccee3cceb7ff6e49f719
|
| 9899d6b392e8223c3c00bfccadd43b18cdc96b4f |
|
03-Feb-2015 |
Chad Brubaker <cbrubaker@google.com> |
Add Keymaster 1.0 binder methods
Add all the serialization required for the new keystore binder API to
support keymaster 1.0. The keystore methods themselves are left as
stubs, will be filled in in later commits.
Change-Id: Ibb5855dba879ae35c375c087c54d1bcdca53163f
/system/security/keystore/IKeystoreService.cpp
|
| 6266c9670154d33488c2d31d1715b2a35f5e631b |
|
05-Mar-2015 |
Chad Brubaker <cbrubaker@google.com> |
Revert "Add Keymaster 0.4 binder methods"
This reverts commit c5b1ae13eca39a1f63cc690369d1eee445d3c399.
Change-Id: Ib46a54493c332811c0aa84aa7c1cf12938daedbe
/system/security/keystore/IKeystoreService.cpp
|
| c5b1ae13eca39a1f63cc690369d1eee445d3c399 |
|
03-Feb-2015 |
Chad Brubaker <cbrubaker@google.com> |
Add Keymaster 0.4 binder methods
Add all the serialization required for the new keystore binder API to
support keymaster 0.4. The keystore methods themselves are left as
stubs, will be filled in in later commits.
Change-Id: I52f36c92f6398c71b0ec6b4c8afbffbd226e0afe
/system/security/keystore/IKeystoreService.cpp
|
| ed4f566a926d935ee7e2a158d75bbd050ef85778 |
|
15-Jan-2015 |
Chad Brubaker <cbrubaker@google.com> |
resolved conflicts for merge of 4e6d3b7f to master
Change-Id: I35dfcc7918b1f343d214979bf27a78cbd86972e2
|
| 468fc6935176d1615002956fcbe01fd3341c75ec |
|
14-Jan-2015 |
Chad Brubaker <cbrubaker@google.com> |
Update the IKeystoreService Binder API
The Framework side of IKeystoreService is moving to using an aidl to
generate the stubs instead of hand written code, as a side effect some
changes need to be made to keep Keystore consistent.
The interface name is to change to android.security.IKeystoreService
The deserialization of arguments for generate is changed to be based off
a Parcelable object instead of a byte[][] since aidl/Parcel don't
support writing byte[][] directly.
Change-Id: I3fd59f2e4b9257d194ca9c36e9597d8d5144aada
/system/security/keystore/IKeystoreService.cpp
|
| 77d71ca20c30a5e7ecfa20980ade9b90cc7ca65c |
|
13-Nov-2014 |
Shawn Willden <swillden@google.com> |
Limit number of keygen args to prevent memory allocation local DOS.
Bug: 18340653
Change-Id: I1202d99bb556c8a21741dbffefc07702d9585aaa
/system/security/keystore/IKeystoreService.cpp
|
| 4e865753346fc6a075966972a7a98051818859db |
|
19-Aug-2014 |
Robin Lee <rgl@google.com> |
APIs for syncing password between profiles
Bug: 16233206.
Change-Id: I7941707ca66ac25bd122fd22e5e0f639e7af697e
/system/security/keystore/IKeystoreService.cpp
|
| 1b0e3933900c7ea21189704d5db64e7346aee7af |
|
05-Sep-2013 |
Kenny Root <kroot@google.com> |
Add argument to binder call to check key types
Before there was only one key type supported, so we didn't need to query
a key type. Now there is DSA, EC, and RSA, so there needs to be another
argument.
Bug: 10600582
Change-Id: I864e5aa0484ae44ccfaf859560700cfc34f58711
/system/security/keystore/IKeystoreService.cpp
|
| 96427baf0094d50047049d329b0779c3c910402c |
|
16-Aug-2013 |
Kenny Root <kroot@google.com> |
Add support for DSA and ECDSA key types
(cherry picked from commit 6071179a371fcd4c238375068ffd7d3cedea615d)
Bug: 10600582
Change-Id: I0d851bbe1230a31033614c9f9b9de94f1f842618
/system/security/keystore/IKeystoreService.cpp
|
| 0c540aad5915e6aa34345049be96f28b64d0e84c |
|
03-Apr-2013 |
Kenny Root <kroot@google.com> |
keystore: Add flag for blobs to be unencrypted
In order to let apps use keystore more productively, make the blob
encryption optional. As more hardware-assisted keystores (i.e., hardware
that has a Keymaster HAL) come around, encrypting blobs start to make
less sense since the thing it's encrypting is usually a token and not
any raw key material.
Bug: 8122243
Change-Id: I7d70122beb32b59f06a923ade93234393b75a2cd
/system/security/keystore/IKeystoreService.cpp
|
| 2ecc7a1efbb21d86d38b9e0348dfbf0e1213d920 |
|
02-Apr-2013 |
Kenny Root <kroot@google.com> |
keystore: command to clear all keys for UID
Add ability for system UID to clear all entries for a different UID.
(cherry picked from commit a9bb549868035e05450a9b918f8d7de9deca5343)
Bug: 3020069
Change-Id: Ibd5ce287f024b89df3dd7bfc3a4e5f979a34c75c
/system/security/keystore/IKeystoreService.cpp
|
| 4306123e81371bd8bd85f77c2375d29ac53ff771 |
|
29-Mar-2013 |
Kenny Root <kroot@google.com> |
keystore: add API to query storage type
Add an API to query the HAL to see what kind of storage it reports the
device is.
(cherry picked from commit 8ddf35a6e1fd80a7d0685041d2bfc77078277c9d)
Change-Id: I04a9421053a0b8bbe4f0dd73fefdfdbe4ab4add9
/system/security/keystore/IKeystoreService.cpp
|
| d53bc92f1cc4eb669ec015480cebe5ae7aaaf7cf |
|
21-Mar-2013 |
Kenny Root <kroot@google.com> |
keystore: change migrate to duplicate
After discussion, it was determined that duplicate would be less
disruptive and it still fit in the current HAL model.
Change-Id: Id6ff97bfa5ec4cca9def177677263e9be1c9619f
/system/security/keystore/IKeystoreService.cpp
|
| 0225407783ee339164a0cd8ca5ef04c99d27c59a |
|
20-Mar-2013 |
Kenny Root <kroot@google.com> |
keystore: add "migrate" command
To support the WiFi service, we need to support migration from the
system UID to the wifi UID. This adds a command to achieve the
migration.
Bug: 8122243
Change-Id: I31e2ba3b3a92c582a6f8d71bbb139c408c06814f
/system/security/keystore/IKeystoreService.cpp
|
| e289c404b9d2735fbd67c42086e33c972b46aa33 |
|
14-Feb-2013 |
Kenny Root <kroot@google.com> |
KeyStore: return null instead of empty list
During a failure, return a null value instead of an empty list.
Change-Id: I34763c90eb65b0ed6bbe2757310992541feeb1a8
/system/security/keystore/IKeystoreService.cpp
|
| b88c3eb96625513df4cc998d739d17266ebaf89f |
|
13-Feb-2013 |
Kenny Root <kroot@google.com> |
keystore: add UID to certain APIs
This will allow explicit indication of which UID to put things under for
trusted UIDs (e.g., system UID) in a future change instead of putting
things only in the calling UID.
Change-Id: Ifc321a714d874a1142890138101ce4166906f413
/system/security/keystore/IKeystoreService.cpp
|
| b03c9fb5f9c058a8ae0485c986a8ab934ab73eaa |
|
05-Feb-2013 |
Kenny Root <kroot@google.com> |
Fix for error condition in IKeystoreService
When an error condition happens, keystore might memcpy a NULL pointer
which would cause a SIGSEGV. Avoid trying to copy it in that case.
Bug: 8019596
Change-Id: Ifcfc75401c41595fc2c2f0172c718c8d3bb93020
/system/security/keystore/IKeystoreService.cpp
|
| 07438c8d7256d3788dac323b4d0055f201e0bec9 |
|
02-Nov-2012 |
Kenny Root <kroot@google.com> |
Switch keystore to binder
Change-Id: I6dacdc43bcc1a56e47655e37e825ee6a205eb56b
/system/security/keystore/IKeystoreService.cpp
|