0ab28b78bd06a06a0ffa150cef5876d56212902a |
|
06-Aug-2016 |
Tucker Sylvestro <tuckeris@google.com> |
Support and use TAG_ALLOW_WHILE_ON_BODY There are three changes in this CL: 1. Persist all characteristics provided at the time of key creation. We do this to avoid device-specific keymaster implementations stripping keys they are not aware of. 2. Add an onDeviceOffBody API method that will be called whenever a wearable device is detected to have been removed. 3. Check whether a key was created with TAG_ALLOW_WHILE_ON_BODY and the device has gone off-body since the last auth event when deciding whether it can be used. BUG: 30701680 BUG: 28911985 Change-Id: I6be3af3dee8e576fe713dfdd726502d8b333f224
/system/security/keystore/IKeystoreService.cpp
|
3976b6c43e2809662940d52306e03b2733112d05 |
|
07-Feb-2016 |
Shawn Willden <swillden@google.com> |
Actually pass attestation requests through to keystore. Bug: 22914603 Change-Id: I49f2386943c90cd29a80556fd48087793dd5ca66
/system/security/keystore/IKeystoreService.cpp
|
067042f6d7be14cb0f01388c41af597caf8e60fe |
|
03-Feb-2016 |
Shawn Willden <swillden@google.com> |
Fix various memory errors. Bug: 26910835 Change-Id: I2973221a798b08bbde6dc7ac5464a99b2dc26b4d
/system/security/keystore/IKeystoreService.cpp
|
b3bb39218888c573c1b341d3ee11516b9ad2d3b4 |
|
29-Jan-2016 |
Shawn Willden <swillden@google.com> |
Merge changes from topic 'km_tag_allow_on_body' am: a1433ee2f8 am: e30ca16ae0 * commit 'e30ca16ae0e41375201de9132866f5680a5d7baa': Add KM_TAG_ALLOW_WHILE_ON_BODY Add attestation support to keystore.
|
50eb1b2f89ca455b2e9caa635bfe0b5ed94b416a |
|
21-Jan-2016 |
Shawn Willden <swillden@google.com> |
Add attestation support to keystore. Bug: 22914603 Change-Id: I14fbfbe30b96c5c29278fa548e06b65f15942fe2
/system/security/keystore/IKeystoreService.cpp
|
ad6a7f5f988d4c7d1ac66c46052f29bb74745a3e |
|
09-Sep-2015 |
Chad Brubaker <cbrubaker@google.com> |
Allow uid to be passed for more operations This expands get, getmtime, exportKey, getKeyCharacteristics and begin to accept a uid to run as. This is only for system to use keys owned by Wifi and VPN, and not something that can be used to do operations as another arbitrary application. Bug: 23978113 Change-Id: If076d61b0cc9d55e96272e49a58938c3961e2dda
/system/security/keystore/IKeystoreService.cpp
|
0ebf13dbf975028735a8afc42e39c6ea47cec704 |
|
25-Jun-2015 |
Shawn Willden <swillden@google.com> |
Rename keymaster tag types to clarify that integers are unsigned. Bug: 22008538 Change-Id: Id6e3ca5c1defc8149b7ae7de5787b3635e2a4262
/system/security/keystore/IKeystoreService.cpp
|
3a7d9e626fa6c0e116c07be912c319aad6e08614 |
|
05-Jun-2015 |
Chad Brubaker <cbrubaker@google.com> |
Rewrite legacy methods in terms of new methods Rewrite generate, import, get_pubkey, sign and verify using the new keymaster 1.0 methods (generateKey, exportKey, and begin/update/finish). This also removed DSA support from generate and import. Change-Id: I6c6baec4aa86325a2b9c171b9883ba5a0b47236e
/system/security/keystore/IKeystoreService.cpp
|
0d33e0babec356b1e69f1f15e8d9fe2ad878762c |
|
29-May-2015 |
Chad Brubaker <cbrubaker@google.com> |
Add optional additional entropy to finish If provided the extra entropy will be added to the device before calling finish. If entropy is provided and the device does not support supplying additional entropy then finish will fail with KM_ERROR_UNIMPLEMENTED. (cherry-picked from commit 8cfb8ac6e9bd291e9d861a32de2719e3bc797191) Change-Id: If26be118bf382604f6f8e96e833b76e6f9e94d58
/system/security/keystore/IKeystoreService.cpp
|
57e106dc183744cdc05c62bea11bc285b3346846 |
|
01-Jun-2015 |
Chad Brubaker <cbrubaker@google.com> |
Track keymaster method changes Change-Id: If0b274118a2d238b18c0a06ee3fe7f0798a44a1c
/system/security/keystore/IKeystoreService.cpp
|
e6c3bfa8d39c7addbfbac0b2df63b0067bb664d8 |
|
13-May-2015 |
Chad Brubaker <cbrubaker@google.com> |
Cleanup keystore API Remove old methods that were replaced by onUser* methods, rename methods with unclear names, and add userId parameters to all operations that operate with per user state. (cherry-picked from commit 9443616391a705856b2cad026afb69dc23a346e9) Change-Id: I846fbb0a5ad17b4ee4c0c759fd1fd23f58b88d78
/system/security/keystore/IKeystoreService.cpp
|
c0f031a867a6c3fa05732fcd72bd284d56073cf8 |
|
12-May-2015 |
Chad Brubaker <cbrubaker@google.com> |
Add onUserAdded/Removed methods These will handle the logic of Android users being added/removed from the device instead of the system calling the various reset/sync methods. (cherry-picked from commit fd777e7111ce01c672706867302db08371e5afce) Change-Id: Ic6be0de63cc1b0579a46e7101dcfeb1a9ffa4738
/system/security/keystore/IKeystoreService.cpp
|
96d6d7868303ad87f1f408c40d3c44bcb39f561e |
|
07-May-2015 |
Chad Brubaker <cbrubaker@google.com> |
Cleanup password change and removal logic. Replace password with notifyUserPasswordChanged for password changes, unlock should now be used to unlock keystore instead of calling password with the current password. When the user removes their password now only keystore entries that were created with FLAG_ENCRYPTED will be deleted. Unencrypted entries will remain. This makes it more concrete that the keystore could be non-empty while in STATE_UNINITIALIZED, though this was previously possible due to the state only being checked if FLAG_ENCRYPTED was set. Change-Id: I324914c00195d762cbaa8c63084e41fa796b7df8
/system/security/keystore/IKeystoreService.cpp
|
3aa55012241118820b12c565852c304cbd260b72 |
|
17-Apr-2015 |
Chad Brubaker <cbrubaker@google.com> |
am b362ae3d: am bb9c9dbc: am 9484bb01: Merge "Support KM_LONG_REP" * commit 'b362ae3d2fc8dd7c92c28322291814a6815dc1a1': Support KM_LONG_REP
|
686db068e9735b53a55f49975e11d2038f3d611d |
|
16-Apr-2015 |
Chad Brubaker <cbrubaker@google.com> |
Support KM_LONG_REP Change-Id: I37814bcb03dc8918e27226ec43230fa4218723d0
/system/security/keystore/IKeystoreService.cpp
|
28bfa10673ae0bef2b9500214510e2beb0d506fd |
|
13-Apr-2015 |
Andres Morales <anmorales@google.com> |
am 38beb106: am a11517f6: am 00300a11: Merge "Fix addAuthToken api" * commit '38beb106f37034c32298f258e07cddf3ce377fcd': Fix addAuthToken api
|
1690089cc886a8cb72c7fd3a86a75899241d8263 |
|
13-Apr-2015 |
Andres Morales <anmorales@google.com> |
Fix addAuthToken api A binder token is not written thus cannot be read Change-Id: Id44acf3e7001f2b027041ef8c7c324e687ab0fcd
/system/security/keystore/IKeystoreService.cpp
|
46552e74f266f3998e42d45d2d13eb1b44a7a01c |
|
31-Mar-2015 |
Chad Brubaker <cbrubaker@google.com> |
am 026efd18: am eeb4e1e1: am 96cf1b1e: Merge "Include operation handle in OperationResult" * commit '026efd182ec465169dde8879d2717be580e15846': Include operation handle in OperationResult
|
96cf1b1ee907696cc4342c1b4992c657d0b6aa33 |
|
31-Mar-2015 |
Chad Brubaker <cbrubaker@google.com> |
Merge "Include operation handle in OperationResult"
|
36d1b897161385479d511b3c416dc81058e34221 |
|
30-Mar-2015 |
Chad Brubaker <cbrubaker@google.com> |
am 534b1800: am ec129679: am 41efb6a5: Merge "Add authorization binder methods" * commit '534b1800f39b5b72de641cf7f3271bf9cd77ef4d': Add authorization binder methods
|
41efb6a58c7efd63d3493f9095284c74ed363d46 |
|
30-Mar-2015 |
Chad Brubaker <cbrubaker@google.com> |
Merge "Add authorization binder methods"
|
2a36a4f1d738185619b9aa48260fb34a39d04c37 |
|
28-Mar-2015 |
Chad Brubaker <cbrubaker@google.com> |
am 3b8021da: am 56cba306: am 1cee95d5: Merge "Allow entropy to be provided to some operations" * commit '3b8021da70494509b46be903a8624a911e63ae08': Allow entropy to be provided to some operations
|
154d7699cc30ef5156d6497258c4dd350fcb1286 |
|
27-Mar-2015 |
Chad Brubaker <cbrubaker@google.com> |
Allow entropy to be provided to some operations generateKey and begin can now optionally take an array of bytes to add to the rng entropy of the device before the operation. If entropy is specified and the device does not support add_rng_entropy or the call fails then that device will not be used, leading to fallback or error depending on the situation. Change-Id: Id7d33e3cc959594dfa5483d002993ba35c1fb134
/system/security/keystore/IKeystoreService.cpp
|
bb219bcfcc868cd2a52483e32a5c33412ede83d3 |
|
25-Mar-2015 |
Chad Brubaker <cbrubaker@google.com> |
am f44043da: am d020cf7f: am e3ec7541: Merge "Make client/app ids objects in the binder API" * commit 'f44043daf3ea073823b10f535b237b3ab624a291': Make client/app ids objects in the binder API
|
bc51718a230f691c25e841278baec5e03bb0235b |
|
24-Mar-2015 |
Chad Brubaker <cbrubaker@google.com> |
am b3c00d6b: am fcd856db: am 9576d286: Merge "Add readByteArray" * commit 'b3c00d6b5805c43005069435c35ba2d90f6fcb68': Add readByteArray
|
d663442b590b59250062335cc057478001b8e439 |
|
22-Mar-2015 |
Chad Brubaker <cbrubaker@google.com> |
Make client/app ids objects in the binder API Previously a null client/app id was translated into a blob with length=0, data=NULL, but this was a bit janky and required null ids to be set on key creation/import. Change-Id: I27607a50f4dc5a898625b569f5293369f0039eba
/system/security/keystore/IKeystoreService.cpp
|
2ed2baa7de690b09430b40625e6b18d10757a2fd |
|
22-Mar-2015 |
Chad Brubaker <cbrubaker@google.com> |
Add authorization binder methods Add methods for sending an auth token to keystore and to query the authorization state of a given operation. These methods are currently stubs until authorization is implemented. Change-Id: I0f97ffb3afe19c1f1d8a00bfc95e27616e7cb06c
/system/security/keystore/IKeystoreService.cpp
|
6432df7173778954f3e2dfe7d495ab5daa6983ab |
|
21-Mar-2015 |
Chad Brubaker <cbrubaker@google.com> |
Add readByteArray Add a static method for reading const byte arrays from parcels since it's used in most of the new APIs. Change-Id: Icb4b75d0d1fcbeab00d59dbdfdfca8dd93884928
/system/security/keystore/IKeystoreService.cpp
|
c3a1856bbe2e39d5b3430f5f088b12fd710a159f |
|
18-Mar-2015 |
Chad Brubaker <cbrubaker@google.com> |
Include operation handle in OperationResult Some authorization code needs to know the actual underlying operation handle, not simply a reference to it, so return it in case it is needed. Note that the handle cannot be used by the application to reference an operation. Change-Id: I4c883dde17168b7f6c1643d81741a4c2686d3159
/system/security/keystore/IKeystoreService.cpp
|
47f8edd24cf93a7e9dda01da82e8a579dc3be3f2 |
|
17-Mar-2015 |
Alex Klyubin <klyubin@google.com> |
am bf9efff8: am 3bfd091a: Merge "Implement keymaster 1.0 crypto operations" * commit 'bf9efff8dc8b9c6b48ca2b487c0f9c4a287733f2': Implement keymaster 1.0 crypto operations
|
40a1a9b306d4e3c85b24f80ff39841507cf42357 |
|
20-Feb-2015 |
Chad Brubaker <cbrubaker@google.com> |
Implement keymaster 1.0 crypto operations Change-Id: I365ea9082e14bccb83018e8ea67a10408362c550
/system/security/keystore/IKeystoreService.cpp
|
efd601baf982e17c09f581d6a462c0de046acd9a |
|
08-Mar-2015 |
Chad Brubaker <cbrubaker@google.com> |
resolved conflicts for merge of 41ceb7db to master Change-Id: I72c429dbf30f3313ca12ccee3cceb7ff6e49f719
|
9899d6b392e8223c3c00bfccadd43b18cdc96b4f |
|
03-Feb-2015 |
Chad Brubaker <cbrubaker@google.com> |
Add Keymaster 1.0 binder methods Add all the serialization required for the new keystore binder API to support keymaster 1.0. The keystore methods themselves are left as stubs, will be filled in in later commits. Change-Id: Ibb5855dba879ae35c375c087c54d1bcdca53163f
/system/security/keystore/IKeystoreService.cpp
|
6266c9670154d33488c2d31d1715b2a35f5e631b |
|
05-Mar-2015 |
Chad Brubaker <cbrubaker@google.com> |
Revert "Add Keymaster 0.4 binder methods" This reverts commit c5b1ae13eca39a1f63cc690369d1eee445d3c399. Change-Id: Ib46a54493c332811c0aa84aa7c1cf12938daedbe
/system/security/keystore/IKeystoreService.cpp
|
c5b1ae13eca39a1f63cc690369d1eee445d3c399 |
|
03-Feb-2015 |
Chad Brubaker <cbrubaker@google.com> |
Add Keymaster 0.4 binder methods Add all the serialization required for the new keystore binder API to support keymaster 0.4. The keystore methods themselves are left as stubs, will be filled in in later commits. Change-Id: I52f36c92f6398c71b0ec6b4c8afbffbd226e0afe
/system/security/keystore/IKeystoreService.cpp
|
ed4f566a926d935ee7e2a158d75bbd050ef85778 |
|
15-Jan-2015 |
Chad Brubaker <cbrubaker@google.com> |
resolved conflicts for merge of 4e6d3b7f to master Change-Id: I35dfcc7918b1f343d214979bf27a78cbd86972e2
|
468fc6935176d1615002956fcbe01fd3341c75ec |
|
14-Jan-2015 |
Chad Brubaker <cbrubaker@google.com> |
Update the IKeystoreService Binder API The Framework side of IKeystoreService is moving to using an aidl to generate the stubs instead of hand written code, as a side effect some changes need to be made to keep Keystore consistent. The interface name is to change to android.security.IKeystoreService The deserialization of arguments for generate is changed to be based off a Parcelable object instead of a byte[][] since aidl/Parcel don't support writing byte[][] directly. Change-Id: I3fd59f2e4b9257d194ca9c36e9597d8d5144aada
/system/security/keystore/IKeystoreService.cpp
|
77d71ca20c30a5e7ecfa20980ade9b90cc7ca65c |
|
13-Nov-2014 |
Shawn Willden <swillden@google.com> |
Limit number of keygen args to prevent memory allocation local DOS. Bug: 18340653 Change-Id: I1202d99bb556c8a21741dbffefc07702d9585aaa
/system/security/keystore/IKeystoreService.cpp
|
4e865753346fc6a075966972a7a98051818859db |
|
19-Aug-2014 |
Robin Lee <rgl@google.com> |
APIs for syncing password between profiles Bug: 16233206. Change-Id: I7941707ca66ac25bd122fd22e5e0f639e7af697e
/system/security/keystore/IKeystoreService.cpp
|
1b0e3933900c7ea21189704d5db64e7346aee7af |
|
05-Sep-2013 |
Kenny Root <kroot@google.com> |
Add argument to binder call to check key types Before there was only one key type supported, so we didn't need to query a key type. Now there is DSA, EC, and RSA, so there needs to be another argument. Bug: 10600582 Change-Id: I864e5aa0484ae44ccfaf859560700cfc34f58711
/system/security/keystore/IKeystoreService.cpp
|
96427baf0094d50047049d329b0779c3c910402c |
|
16-Aug-2013 |
Kenny Root <kroot@google.com> |
Add support for DSA and ECDSA key types (cherry picked from commit 6071179a371fcd4c238375068ffd7d3cedea615d) Bug: 10600582 Change-Id: I0d851bbe1230a31033614c9f9b9de94f1f842618
/system/security/keystore/IKeystoreService.cpp
|
0c540aad5915e6aa34345049be96f28b64d0e84c |
|
03-Apr-2013 |
Kenny Root <kroot@google.com> |
keystore: Add flag for blobs to be unencrypted In order to let apps use keystore more productively, make the blob encryption optional. As more hardware-assisted keystores (i.e., hardware that has a Keymaster HAL) come around, encrypting blobs starts to make less sense since the thing it's encrypting is usually a token and not any raw key material. Bug: 8122243 Change-Id: I7d70122beb32b59f06a923ade93234393b75a2cd
/system/security/keystore/IKeystoreService.cpp
|
2ecc7a1efbb21d86d38b9e0348dfbf0e1213d920 |
|
02-Apr-2013 |
Kenny Root <kroot@google.com> |
keystore: command to clear all keys for UID Add ability for system UID to clear all entries for a different UID. (cherry picked from commit a9bb549868035e05450a9b918f8d7de9deca5343) Bug: 3020069 Change-Id: Ibd5ce287f024b89df3dd7bfc3a4e5f979a34c75c
/system/security/keystore/IKeystoreService.cpp
|
4306123e81371bd8bd85f77c2375d29ac53ff771 |
|
29-Mar-2013 |
Kenny Root <kroot@google.com> |
keystore: add API to query storage type Add an API to query the HAL to see what kind of storage it reports the device is. (cherry picked from commit 8ddf35a6e1fd80a7d0685041d2bfc77078277c9d) Change-Id: I04a9421053a0b8bbe4f0dd73fefdfdbe4ab4add9
/system/security/keystore/IKeystoreService.cpp
|
d53bc92f1cc4eb669ec015480cebe5ae7aaaf7cf |
|
21-Mar-2013 |
Kenny Root <kroot@google.com> |
keystore: change migrate to duplicate After discussion, it was determined that duplicate would be less disruptive and it still fit in the current HAL model. Change-Id: Id6ff97bfa5ec4cca9def177677263e9be1c9619f
/system/security/keystore/IKeystoreService.cpp
|
0225407783ee339164a0cd8ca5ef04c99d27c59a |
|
20-Mar-2013 |
Kenny Root <kroot@google.com> |
keystore: add "migrate" command To support the WiFi service, we need to support migration from the system UID to the wifi UID. This adds a command to achieve the migration. Bug: 8122243 Change-Id: I31e2ba3b3a92c582a6f8d71bbb139c408c06814f
/system/security/keystore/IKeystoreService.cpp
|
e289c404b9d2735fbd67c42086e33c972b46aa33 |
|
14-Feb-2013 |
Kenny Root <kroot@google.com> |
KeyStore: return null instead of empty list During a failure, return a null value instead of an empty list. Change-Id: I34763c90eb65b0ed6bbe2757310992541feeb1a8
/system/security/keystore/IKeystoreService.cpp
|
b88c3eb96625513df4cc998d739d17266ebaf89f |
|
13-Feb-2013 |
Kenny Root <kroot@google.com> |
keystore: add UID to certain APIs This will allow explicit indication of which UID to put things under for trusted UIDs (e.g., system UID) in a future change instead of putting things only in the calling UID. Change-Id: Ifc321a714d874a1142890138101ce4166906f413
/system/security/keystore/IKeystoreService.cpp
|
b03c9fb5f9c058a8ae0485c986a8ab934ab73eaa |
|
05-Feb-2013 |
Kenny Root <kroot@google.com> |
Fix for error condition in IKeystoreService When an error condition happens, keystore might memcpy a NULL pointer which would cause a SIGSEGV. Avoid trying to copy it in that case. Bug: 8019596 Change-Id: Ifcfc75401c41595fc2c2f0172c718c8d3bb93020
/system/security/keystore/IKeystoreService.cpp
|
07438c8d7256d3788dac323b4d0055f201e0bec9 |
|
02-Nov-2012 |
Kenny Root <kroot@google.com> |
Switch keystore to binder Change-Id: I6dacdc43bcc1a56e47655e37e825ee6a205eb56b
/system/security/keystore/IKeystoreService.cpp
|