a173064047d304837d907b9b39ece5c14adf2b25 |
|
11-Dec-2017 |
Eran Messeri <eranm@google.com> |
DevicePolicyManager: Support attestation for generated keys. If the KeyGenParameterSpec passed into DevicePolicyManager.generateKeyPair contains an attestation challenge, request an attestation record for the newly-generated key with the challenge provided. This particular implementation was chosen, rather than letting the attestation record be generated at the same time as key generation, to avoid having the attestation chain stored in Keystore and associated with the generated alias. The rationale is that this is a key that is potentially accessible by multiple applications and the attestation chain may end up being sent as a TLS client certificate chain, for example. As the attestation challenge should be unique per device, to avoid the potential of sending / sharing unique device information, by explicitly requesting an attestation record after key generation, the attestation record is only returned to the generateKeyPair client and not persistend in Keystore. Bug: 63388672 Test: New CTS test to be run with: 'cts-tradefed run commandAndExit cts-dev -a armeabi-v7a -m CtsDevicePolicyManagerTestCases -t com.android.cts.devicepolicy.DeviceOwnerTest#testKeyManagement -l DEBUG' Change-Id: I95a9aef179173b571b533301ac438c675e8fe702
/frameworks/base/keystore/tests/src/android/security/ParcelableKeyGenParameterSpecTest.java
|
852c8f121f2e502e1e8503bfc230dccb81b681d4 |
|
15-Nov-2017 |
Eran Messeri <eranm@google.com> |
DevicePolicyManager: Add key generation functionality. This is the crux of the Verified Access feature implementation: Adding the ability to generate KeyChain keys directly by the secure hardware, rather than installing software-generated keys into KeyChain. Add generateKeyPair to the DevicePolicyManager, which delegates key generation (via the DevicePolicyManagerService) to the KeyChainService. Design highlights: * The key generation is delegated via the DevicePolicyManagerService to check that only authorized callers request key generation in KeyChain. * KeyChainService performs the actual key generation so it owns the key in Keystore outright. * DevicePolicyManagerService then grants the calling app access to the Keystore key, so it can actually be used. * Loading the public/private key pair, as well as attestation certificate chain, is done in the client code (DevicePolicyManager) to save parceling / unparceling those objects across process boundaries twice (for no good reason). NOTE: The key attestation functionality (that includes Device ID) is missing/untested. Will be added in a follow-up CL as this one is quite big already. HIGHLIGHT FOR REVIEWERS: * API: New API in DevicePolicyManager. Bug: 63388672 Test: cts-tradefed run commandAndExit cts-dev -a armeabi-v7a -m CtsDevicePolicyManagerTestCases -t com.android.cts.devicepolicy.DeviceOwnerTest#testKeyManagement -l DEBUG; adb shell am instrument 'android.security.tests/android.support.test.runner.AndroidJUnitRunner' (After building the KeystoreTests target and installing the apk) Change-Id: I73762c9123f32a94d454ba4f8b533883b55c44cc
/frameworks/base/keystore/tests/src/android/security/ParcelableKeyGenParameterSpecTest.java
|