RecoveryController.java revision 23174b7eaeb93918451c36bbbfad94bafd44bdd6 
1/*
2 * Copyright (C) 2017 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 *      http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17package android.security.keystore.recovery;
18
19import android.annotation.NonNull;
20import android.annotation.Nullable;
21import android.annotation.RequiresPermission;
22import android.annotation.SystemApi;
23import android.app.PendingIntent;
24import android.content.Context;
25import android.content.pm.PackageManager.NameNotFoundException;
26import android.os.RemoteException;
27import android.os.ServiceManager;
28import android.os.ServiceSpecificException;
29import android.security.KeyStore;
30import android.security.keystore.AndroidKeyStoreProvider;
31
32import com.android.internal.widget.ILockSettings;
33
34import java.security.Key;
35import java.security.UnrecoverableKeyException;
36import java.security.cert.CertPath;
37import java.security.cert.CertificateException;
38import java.security.cert.X509Certificate;
39import java.util.ArrayList;
40import java.util.List;
41import java.util.Map;
42
43/**
44 * Backs up cryptographic keys to remote secure hardware, encrypted with the user's lock screen.
45 *
46 * <p>A system app with the {@code android.permission.RECOVER_KEYSTORE} permission may generate or
47 * import recoverable keys using this class. To generate a key, the app must call
48 * {@link #generateKey(String)} with the desired alias for the key. This returns an AndroidKeyStore
49 * reference to a 256-bit {@link javax.crypto.SecretKey}, which can be used for AES/GCM/NoPadding.
50 * In order to get the same key again at a later time, the app can call {@link #getKey(String)} with
51 * the same alias. If a key is generated in this way the key's raw material is never directly
52 * exposed to the calling app. The system app may also import key material using
53 * {@link #importKey(String, byte[])}. The app may only generate and import keys for its own
54 * {@code uid}.
55 *
56 * <p>The same system app must also register a Recovery Agent to manage syncing recoverable keys to
57 * remote secure hardware. The Recovery Agent is a service that registers itself with the controller
58 * as follows:
59 *
60 * <ul>
61 *     <li>Invokes {@link #initRecoveryService(String, byte[], byte[])}
62 *     <ul>
63 *         <li>The first argument is the alias of the root certificate used to verify trusted
64 *         hardware modules. Each trusted hardware module must have a public key signed with this
65 *         root of trust. Roots of trust must be shipped with the framework. The app can list all
66 *         valid roots of trust by calling {@link #getRootCertificates()}.
67 *         <li>The second argument is the UTF-8 bytes of the XML listing file. It lists the X509
68 *         certificates containing the public keys of all available remote trusted hardware modules.
69 *         Each of the X509 certificates can be validated against the chosen root of trust.
70 *         <li>The third argument is the UTF-8 bytes of the XML signing file. The file contains a
71 *         signature of the XML listing file. The signature can be validated against the chosen root
72 *         of trust.
73 *     </ul>
74 *     <p>This will cause the controller to choose a random public key from the list. From then
75 *     on the controller will attempt to sync the key chain with the trusted hardware module to whom
76 *     that key belongs.
77 *     <li>Invokes {@link #setServerParams(byte[])} with a byte string that identifies the device
78 *     to a remote server. This server may act as the front-end to the trusted hardware modules. It
79 *     is up to the Recovery Agent to decide how best to identify devices, but this could be, e.g.,
80 *     based on the <a href="https://developers.google.com/instance-id/">Instance ID</a> of the
81 *     system app.
82 *     <li>Invokes {@link #setRecoverySecretTypes(int[])} with a list of types of secret used to
83 *     secure the recoverable key chain. For now only
84 *     {@link KeyChainProtectionParams#TYPE_LOCKSCREEN} is supported.
85 *     <li>Invokes {@link #setSnapshotCreatedPendingIntent(PendingIntent)} with a
86 *     {@link PendingIntent} that is to be invoked whenever a new snapshot is created. Although the
87 *     controller can create snapshots without the Recovery Agent registering this intent, it is a
88 *     good idea to register the intent so that the Recovery Agent is able to sync this snapshot to
89 *     the trusted hardware module as soon as it is available.
90 * </ul>
91 *
92 * <p>The trusted hardware module's public key MUST be generated on secure hardware with protections
93 * equivalent to those described in the
94 * <a href="https://developer.android.com/preview/features/security/ckv-whitepaper.html">Google
95 * Cloud Key Vault Service whitepaper</a>. The trusted hardware module itself must protect the key
96 * chain from brute-forcing using the methods also described in the whitepaper: i.e., it should
97 * limit the number of allowed attempts to enter the lock screen. If the number of attempts is
98 * exceeded the key material must no longer be recoverable.
99 *
100 * <p>A recoverable key chain snapshot is considered pending if any of the following conditions
101 * are met:
102 *
103 * <ul>
104 *     <li>The system app mutates the key chain. i.e., generates, imports, or removes a key.
105 *     <li>The user changes their lock screen.
106 * </ul>
107 *
108 * <p>Whenever the user unlocks their device, if a snapshot is pending, the Recovery Controller
109 * generates a new snapshot. It follows these steps to do so:
110 *
111 * <ul>
112 *     <li>Generates a 256-bit AES key using {@link java.security.SecureRandom}. This is the
113 *     Recovery Key.
114 *     <li>Wraps the key material of all keys in the recoverable key chain with the Recovery Key.
115 *     <li>Encrypts the Recovery Key with both the public key of the trusted hardware module and a
116 *     symmetric key derived from the user's lock screen.
117 * </ul>
118 *
119 * <p>The controller then writes this snapshot to disk, and uses the {@link PendingIntent} that was
120 * set by the Recovery Agent during initialization to inform it that a new snapshot is available.
121 * The snapshot only contains keys for that Recovery Agent's {@code uid} - i.e., keys the agent's
122 * app itself generated. If multiple Recovery Agents exist on the device, each will be notified of
123 * their new snapshots, and each snapshots' keys will be only those belonging to the same
124 * {@code uid}.
125 *
126 * <p>The Recovery Agent retrieves its most recent snapshot by calling
127 * {@link #getKeyChainSnapshot()}. It syncs the snapshot to the remote server. The snapshot contains
128 * the public key used for encryption, which the server uses to forward the encrypted recovery key
129 * to the correct trusted hardware module. The snapshot also contains the server params, which are
130 * used to identify this device to the server.
131 *
132 * <p>The client uses the server params to identify a device whose key chain it wishes to restore.
133 * This may be on a different device to the device that originally synced the key chain. The client
134 * sends the server params identifying the previous device to the server. The server returns the
135 * X509 certificate identifying the trusted hardware module in which the encrypted Recovery Key is
136 * stored. It also returns some vault parameters identifying that particular Recovery Key to the
137 * trusted hardware module. And it also returns a vault challenge, which is used as part of the
138 * vault opening protocol to ensure the recovery claim is fresh. See the whitepaper for more
139 * details.
140 *
141 * <p>The key chain is recovered via a {@link RecoverySession}. A Recovery Agent creates one by
142 * invoking {@link #createRecoverySession()}. It then invokes
143 * {@link RecoverySession#start(String, CertPath, byte[], byte[], List)} with these arguments:
144 *
145 * <ul>
146 *     <li>The alias of the root of trust used to verify the trusted hardware module.
147 *     <li>The X509 certificate of the trusted hardware module.
148 *     <li>The vault parameters used to identify the Recovery Key to the trusted hardware module.
149 *     <li>The vault challenge, as issued by the trusted hardware module.
150 *     <li>A list of secrets, corresponding to the secrets used to protect the key chain. At the
151 *     moment this is a single {@link KeyChainProtectionParams} containing the lock screen of the
152 *     device whose key chain is to be recovered.
153 * </ul>
154 *
155 * <p>This method returns a byte array containing the Recovery Claim, which can be issued to the
156 * remote trusted hardware module. It is encrypted with the trusted hardware module's public key
157 * (which has itself been certified with the root of trust). It also contains an ephemeral symmetric
158 * key generated for this recovery session, which the remote trusted hardware module uses to encrypt
159 * its responses. This is the Session Key.
160 *
161 * <p>If the lock screen provided is correct, the remote trusted hardware module decrypts one of the
162 * layers of lock-screen encryption from the Recovery Key. It then returns this key, encrypted with
163 * the Session Key to the Recovery Agent. As the Recovery Agent does not know the Session Key, it
164 * must then invoke {@link RecoverySession#recoverKeyChainSnapshot(byte[], List)} with the encrypted
165 * Recovery Key and the list of wrapped application keys. The controller then decrypts the layer of
166 * encryption provided by the Session Key, and uses the lock screen to decrypt the final layer of
167 * encryption. It then uses the Recovery Key to decrypt all of the wrapped application keys, and
168 * imports them into its own KeyStore. The Recovery Agent's app may then access these keys by
169 * calling {@link #getKey(String)}. Only this app's {@code uid} may access the keys that have been
170 * recovered.
171 *
172 * @hide
173 */
174@SystemApi
175public class RecoveryController {
176    private static final String TAG = "RecoveryController";
177
178    /** Key has been successfully synced. */
179    public static final int RECOVERY_STATUS_SYNCED = 0;
180    /** Waiting for recovery agent to sync the key. */
181    public static final int RECOVERY_STATUS_SYNC_IN_PROGRESS = 1;
182    /** Key cannot be synced. */
183    public static final int RECOVERY_STATUS_PERMANENT_FAILURE = 3;
184
185    /**
186     * Failed because no snapshot is yet pending to be synced for the user.
187     *
188     * @hide
189     */
190    public static final int ERROR_NO_SNAPSHOT_PENDING = 21;
191
192    /**
193     * Failed due to an error internal to the recovery service. This is unexpected and indicates
194     * either a problem with the logic in the service, or a problem with a dependency of the
195     * service (such as AndroidKeyStore).
196     *
197     * @hide
198     */
199    public static final int ERROR_SERVICE_INTERNAL_ERROR = 22;
200
201    /**
202     * Failed because the user does not have a lock screen set.
203     *
204     * @hide
205     */
206    public static final int ERROR_INSECURE_USER = 23;
207
208    /**
209     * Error thrown when attempting to use a recovery session that has since been closed.
210     *
211     * @hide
212     */
213    public static final int ERROR_SESSION_EXPIRED = 24;
214
215    /**
216     * Failed because the format of the provided certificate is incorrect, e.g., cannot be decoded
217     * properly or misses necessary fields.
218     *
219     * <p>Note that this is different from {@link #ERROR_INVALID_CERTIFICATE}, which implies the
220     * certificate has a correct format but cannot be validated.
221     *
222     * @hide
223     */
224    public static final int ERROR_BAD_CERTIFICATE_FORMAT = 25;
225
226    /**
227     * Error thrown if decryption failed. This might be because the tag is wrong, the key is wrong,
228     * the data has become corrupted, the data has been tampered with, etc.
229     *
230     * @hide
231     */
232    public static final int ERROR_DECRYPTION_FAILED = 26;
233
234    /**
235     * Error thrown if the format of a given key is invalid. This might be because the key has a
236     * wrong length, invalid content, etc.
237     *
238     * @hide
239     */
240    public static final int ERROR_INVALID_KEY_FORMAT = 27;
241
242    /**
243     * Failed because the provided certificate cannot be validated, e.g., is expired or has invalid
244     * signatures.
245     *
246     * <p>Note that this is different from {@link #ERROR_BAD_CERTIFICATE_FORMAT}, which denotes
247     * incorrect certificate formats, e.g., due to wrong encoding or structure.
248     *
249     * @hide
250     */
251    public static final int ERROR_INVALID_CERTIFICATE = 28;
252
253
254    /**
255     * Failed because the provided certificate contained serial version which is lower that the
256     * version device is already initialized with. It is not possible to downgrade serial version of
257     * the provided certificate.
258     *
259     * @hide
260     */
261    public static final int ERROR_DOWNGRADE_CERTIFICATE = 29;
262
263    private final ILockSettings mBinder;
264    private final KeyStore mKeyStore;
265
266    private RecoveryController(ILockSettings binder, KeyStore keystore) {
267        mBinder = binder;
268        mKeyStore = keystore;
269    }
270
271    /**
272     * Internal method used by {@code RecoverySession}.
273     *
274     * @hide
275     */
276    ILockSettings getBinder() {
277        return mBinder;
278    }
279
280    /**
281     * Gets a new instance of the class.
282     */
283    @RequiresPermission(android.Manifest.permission.RECOVER_KEYSTORE)
284    @NonNull public static RecoveryController getInstance(@NonNull Context context) {
285        ILockSettings lockSettings =
286                ILockSettings.Stub.asInterface(ServiceManager.getService("lock_settings"));
287        return new RecoveryController(lockSettings, KeyStore.getInstance());
288    }
289
290    /**
291     * @deprecated Use {@link #initRecoveryService(String, byte[], byte[])} instead.
292     */
293    @Deprecated
294    @RequiresPermission(android.Manifest.permission.RECOVER_KEYSTORE)
295    public void initRecoveryService(
296            @NonNull String rootCertificateAlias, @NonNull byte[] signedPublicKeyList)
297            throws CertificateException, InternalRecoveryServiceException {
298        try {
299            mBinder.initRecoveryService(rootCertificateAlias, signedPublicKeyList);
300        } catch (RemoteException e) {
301            throw e.rethrowFromSystemServer();
302        } catch (ServiceSpecificException e) {
303            if (e.errorCode == ERROR_BAD_CERTIFICATE_FORMAT
304                    || e.errorCode == ERROR_INVALID_CERTIFICATE) {
305                throw new CertificateException("Invalid certificate for recovery service", e);
306            }
307            throw wrapUnexpectedServiceSpecificException(e);
308        }
309    }
310
311    /**
312     * Initializes the recovery service for the calling application. The detailed steps should be:
313     * <ol>
314     *     <li>Parse {@code signatureFile} to get relevant information.
315     *     <li>Validate the signer's X509 certificate, contained in {@code signatureFile}, against
316     *         the root certificate pre-installed in the OS and chosen by {@code
317     *         rootCertificateAlias}.
318     *     <li>Verify the public-key signature, contained in {@code signatureFile}, and verify it
319     *         against the entire {@code certificateFile}.
320     *     <li>Parse {@code certificateFile} to get relevant information.
321     *     <li>Check the serial number, contained in {@code certificateFile}, and skip the following
322     *         steps if the serial number is not larger than the one previously stored.
323     *     <li>Randomly choose a X509 certificate from the endpoint X509 certificates, contained in
324     *         {@code certificateFile}, and validate it against the root certificate pre-installed
325     *         in the OS and chosen by {@code rootCertificateAlias}.
326     *     <li>Store the chosen X509 certificate and the serial in local database for later use.
327     * </ol>
328     *
329     * @param rootCertificateAlias the alias of a root certificate pre-installed in the OS
330     * @param certificateFile the binary content of the XML file containing a list of recovery
331     *     service X509 certificates, and other metadata including the serial number
332     * @param signatureFile the binary content of the XML file containing the public-key signature
333     *     of the entire certificate file, and a signer's X509 certificate
334     * @throws CertificateException if the given certificate files cannot be parsed or validated
335     * @throws InternalRecoveryServiceException if an unexpected error occurred in the recovery
336     *     service.
337     */
338    @RequiresPermission(android.Manifest.permission.RECOVER_KEYSTORE)
339    public void initRecoveryService(
340            @NonNull String rootCertificateAlias, @NonNull byte[] certificateFile,
341            @NonNull byte[] signatureFile)
342            throws CertificateException, InternalRecoveryServiceException {
343        try {
344            mBinder.initRecoveryServiceWithSigFile(
345                    rootCertificateAlias, certificateFile, signatureFile);
346        } catch (RemoteException e) {
347            throw e.rethrowFromSystemServer();
348        } catch (ServiceSpecificException e) {
349            if (e.errorCode == ERROR_BAD_CERTIFICATE_FORMAT
350                    || e.errorCode == ERROR_INVALID_CERTIFICATE) {
351                throw new CertificateException("Invalid certificate for recovery service", e);
352            }
353            if (e.errorCode == ERROR_DOWNGRADE_CERTIFICATE) {
354                throw new CertificateException(
355                        "Downgrading certificate serial version isn't supported.", e);
356            }
357            throw wrapUnexpectedServiceSpecificException(e);
358        }
359    }
360
361    /**
362     * @deprecated Use {@link #getKeyChainSnapshot()}
363     */
364    @Deprecated
365    @RequiresPermission(android.Manifest.permission.RECOVER_KEYSTORE)
366    public @Nullable KeyChainSnapshot getRecoveryData() throws InternalRecoveryServiceException {
367        return getKeyChainSnapshot();
368    }
369
370    /**
371     * Returns data necessary to store all recoverable keys. Key material is
372     * encrypted with user secret and recovery public key.
373     *
374     * @return Data necessary to recover keystore or {@code null} if snapshot is not available.
375     * @throws InternalRecoveryServiceException if an unexpected error occurred in the recovery
376     *     service.
377     */
378    @RequiresPermission(android.Manifest.permission.RECOVER_KEYSTORE)
379    public @Nullable KeyChainSnapshot getKeyChainSnapshot()
380            throws InternalRecoveryServiceException {
381        try {
382            return mBinder.getKeyChainSnapshot();
383        } catch (RemoteException e) {
384            throw e.rethrowFromSystemServer();
385        } catch (ServiceSpecificException e) {
386            if (e.errorCode == ERROR_NO_SNAPSHOT_PENDING) {
387                return null;
388            }
389            throw wrapUnexpectedServiceSpecificException(e);
390        }
391    }
392
393    /**
394     * Sets a listener which notifies recovery agent that new recovery snapshot is available. {@link
395     * #getKeyChainSnapshot} can be used to get the snapshot. Note that every recovery agent can
396     * have at most one registered listener at any time.
397     *
398     * @param intent triggered when new snapshot is available. Unregisters listener if the value is
399     *     {@code null}.
400     * @throws InternalRecoveryServiceException if an unexpected error occurred in the recovery
401     *     service.
402     */
403    @RequiresPermission(android.Manifest.permission.RECOVER_KEYSTORE)
404    public void setSnapshotCreatedPendingIntent(@Nullable PendingIntent intent)
405            throws InternalRecoveryServiceException {
406        try {
407            mBinder.setSnapshotCreatedPendingIntent(intent);
408        } catch (RemoteException e) {
409            throw e.rethrowFromSystemServer();
410        } catch (ServiceSpecificException e) {
411            throw wrapUnexpectedServiceSpecificException(e);
412        }
413    }
414
415    /**
416     * Server parameters used to generate new recovery key blobs. This value will be included in
417     * {@code KeyChainSnapshot.getEncryptedRecoveryKeyBlob()}. The same value must be included
418     * in vaultParams {@link RecoverySession#start(CertPath, byte[], byte[], List)}.
419     *
420     * @param serverParams included in recovery key blob.
421     * @see #getKeyChainSnapshot
422     * @throws InternalRecoveryServiceException if an unexpected error occurred in the recovery
423     *     service.
424     */
425    @RequiresPermission(android.Manifest.permission.RECOVER_KEYSTORE)
426    public void setServerParams(@NonNull byte[] serverParams)
427            throws InternalRecoveryServiceException {
428        try {
429            mBinder.setServerParams(serverParams);
430        } catch (RemoteException e) {
431            throw e.rethrowFromSystemServer();
432        } catch (ServiceSpecificException e) {
433            throw wrapUnexpectedServiceSpecificException(e);
434        }
435    }
436
437    /**
438     * @deprecated Use {@link #getAliases()}.
439     */
440    @Deprecated
441    @RequiresPermission(android.Manifest.permission.RECOVER_KEYSTORE)
442    public List<String> getAliases(@Nullable String packageName)
443            throws InternalRecoveryServiceException {
444        return getAliases();
445    }
446
447    /**
448     * Returns a list of aliases of keys belonging to the application.
449     */
450    @RequiresPermission(android.Manifest.permission.RECOVER_KEYSTORE)
451    public @NonNull List<String> getAliases() throws InternalRecoveryServiceException {
452        try {
453            Map<String, Integer> allStatuses = mBinder.getRecoveryStatus();
454            return new ArrayList<>(allStatuses.keySet());
455        } catch (RemoteException e) {
456            throw e.rethrowFromSystemServer();
457        } catch (ServiceSpecificException e) {
458            throw wrapUnexpectedServiceSpecificException(e);
459        }
460    }
461
462    /**
463     * @deprecated Use {@link #setRecoveryStatus(String, int)}
464     */
465    @Deprecated
466    @RequiresPermission(android.Manifest.permission.RECOVER_KEYSTORE)
467    public void setRecoveryStatus(
468            @NonNull String packageName, String alias, int status)
469            throws NameNotFoundException, InternalRecoveryServiceException {
470        setRecoveryStatus(alias, status);
471    }
472
473    /**
474     * Sets the recovery status for given key. It is used to notify the keystore that the key was
475     * successfully stored on the server or that there was an error. An application can check this
476     * value using {@link #getRecoveryStatus(String, String)}.
477     *
478     * @param alias The alias of the key whose status to set.
479     * @param status The status of the key. One of {@link #RECOVERY_STATUS_SYNCED},
480     *     {@link #RECOVERY_STATUS_SYNC_IN_PROGRESS} or {@link #RECOVERY_STATUS_PERMANENT_FAILURE}.
481     * @throws InternalRecoveryServiceException if an unexpected error occurred in the recovery
482     *     service.
483     */
484    @RequiresPermission(android.Manifest.permission.RECOVER_KEYSTORE)
485    public void setRecoveryStatus(@NonNull String alias, int status)
486            throws InternalRecoveryServiceException {
487        try {
488            mBinder.setRecoveryStatus(alias, status);
489        } catch (RemoteException e) {
490            throw e.rethrowFromSystemServer();
491        } catch (ServiceSpecificException e) {
492            throw wrapUnexpectedServiceSpecificException(e);
493        }
494    }
495
496    /**
497     * @deprecated Use {@link #getRecoveryStatus(String)}.
498     */
499    @Deprecated
500    @RequiresPermission(android.Manifest.permission.RECOVER_KEYSTORE)
501    public int getRecoveryStatus(String packageName, String alias)
502            throws InternalRecoveryServiceException {
503        return getRecoveryStatus(alias);
504    }
505
506    /**
507     * Returns the recovery status for the key with the given {@code alias}.
508     *
509     * <ul>
510     *   <li>{@link #RECOVERY_STATUS_SYNCED}
511     *   <li>{@link #RECOVERY_STATUS_SYNC_IN_PROGRESS}
512     *   <li>{@link #RECOVERY_STATUS_PERMANENT_FAILURE}
513     * </ul>
514     *
515     * @see #setRecoveryStatus(String, int)
516     * @throws InternalRecoveryServiceException if an unexpected error occurred in the recovery
517     *     service.
518     */
519    @RequiresPermission(android.Manifest.permission.RECOVER_KEYSTORE)
520    public int getRecoveryStatus(@NonNull String alias) throws InternalRecoveryServiceException {
521        try {
522            Map<String, Integer> allStatuses = mBinder.getRecoveryStatus();
523            Integer status = allStatuses.get(alias);
524            if (status == null) {
525                return RecoveryController.RECOVERY_STATUS_PERMANENT_FAILURE;
526            } else {
527                return status;
528            }
529        } catch (RemoteException e) {
530            throw e.rethrowFromSystemServer();
531        } catch (ServiceSpecificException e) {
532            throw wrapUnexpectedServiceSpecificException(e);
533        }
534    }
535
536    /**
537     * Specifies a set of secret types used for end-to-end keystore encryption. Knowing all of them
538     * is necessary to recover data.
539     *
540     * @param secretTypes {@link KeyChainProtectionParams#TYPE_LOCKSCREEN}
541     * @throws InternalRecoveryServiceException if an unexpected error occurred in the recovery
542     *     service.
543     */
544    @RequiresPermission(android.Manifest.permission.RECOVER_KEYSTORE)
545    public void setRecoverySecretTypes(
546            @NonNull @KeyChainProtectionParams.UserSecretType int[] secretTypes)
547            throws InternalRecoveryServiceException {
548        try {
549            mBinder.setRecoverySecretTypes(secretTypes);
550        } catch (RemoteException e) {
551            throw e.rethrowFromSystemServer();
552        } catch (ServiceSpecificException e) {
553            throw wrapUnexpectedServiceSpecificException(e);
554        }
555    }
556
557    /**
558     * Defines a set of secret types used for end-to-end keystore encryption. Knowing all of them is
559     * necessary to generate KeyChainSnapshot.
560     *
561     * @return list of recovery secret types
562     * @see KeyChainSnapshot
563     * @throws InternalRecoveryServiceException if an unexpected error occurred in the recovery
564     *     service.
565     */
566    @RequiresPermission(android.Manifest.permission.RECOVER_KEYSTORE)
567    public @NonNull @KeyChainProtectionParams.UserSecretType int[] getRecoverySecretTypes()
568            throws InternalRecoveryServiceException {
569        try {
570            return mBinder.getRecoverySecretTypes();
571        } catch (RemoteException e) {
572            throw e.rethrowFromSystemServer();
573        } catch (ServiceSpecificException e) {
574            throw wrapUnexpectedServiceSpecificException(e);
575        }
576    }
577
578    /**
579     * Deprecated.
580     * Generates a AES256/GCM/NoPADDING key called {@code alias} and loads it into the recoverable
581     * key store. Returns the raw material of the key.
582     *
583     * @param alias The key alias.
584     * @param account The account associated with the key
585     * @throws InternalRecoveryServiceException if an unexpected error occurred in the recovery
586     *     service.
587     * @throws LockScreenRequiredException if the user has not set a lock screen. This is required
588     *     to generate recoverable keys, as the snapshots are encrypted using a key derived from the
589     *     lock screen.
590     */
591    @RequiresPermission(android.Manifest.permission.RECOVER_KEYSTORE)
592    public byte[] generateAndStoreKey(@NonNull String alias, byte[] account)
593            throws InternalRecoveryServiceException, LockScreenRequiredException {
594        throw new UnsupportedOperationException("Operation is not supported, use generateKey");
595    }
596
597    /**
598     * @deprecated Use {@link #generateKey(String)}.
599     */
600    @Deprecated
601    @RequiresPermission(android.Manifest.permission.RECOVER_KEYSTORE)
602    public Key generateKey(@NonNull String alias, byte[] account)
603            throws InternalRecoveryServiceException, LockScreenRequiredException {
604        return generateKey(alias);
605    }
606
607    /**
608     * Generates a recoverable key with the given {@code alias}.
609     *
610     * @throws InternalRecoveryServiceException if an unexpected error occurred in the recovery
611     *     service.
612     * @throws LockScreenRequiredException if the user does not have a lock screen set. A lock
613     *     screen is required to generate recoverable keys.
614     */
615    @RequiresPermission(android.Manifest.permission.RECOVER_KEYSTORE)
616    public @NonNull Key generateKey(@NonNull String alias) throws InternalRecoveryServiceException,
617            LockScreenRequiredException {
618        try {
619            String grantAlias = mBinder.generateKey(alias);
620            if (grantAlias == null) {
621                throw new InternalRecoveryServiceException("null grant alias");
622            }
623            return getKeyFromGrant(grantAlias);
624        } catch (RemoteException e) {
625            throw e.rethrowFromSystemServer();
626        } catch (UnrecoverableKeyException e) {
627            throw new InternalRecoveryServiceException("Failed to get key from keystore", e);
628        } catch (ServiceSpecificException e) {
629            if (e.errorCode == ERROR_INSECURE_USER) {
630                throw new LockScreenRequiredException(e.getMessage());
631            }
632            throw wrapUnexpectedServiceSpecificException(e);
633        }
634    }
635
636    /**
637     * Imports a 256-bit recoverable AES key with the given {@code alias} and the raw bytes {@code
638     * keyBytes}.
639     *
640     * @throws InternalRecoveryServiceException if an unexpected error occurred in the recovery
641     *     service.
642     * @throws LockScreenRequiredException if the user does not have a lock screen set. A lock
643     *     screen is required to generate recoverable keys.
644     *
645     */
646    @RequiresPermission(android.Manifest.permission.RECOVER_KEYSTORE)
647    public @NonNull Key importKey(@NonNull String alias, @NonNull byte[] keyBytes)
648            throws InternalRecoveryServiceException, LockScreenRequiredException {
649        try {
650            String grantAlias = mBinder.importKey(alias, keyBytes);
651            if (grantAlias == null) {
652                throw new InternalRecoveryServiceException("Null grant alias");
653            }
654            return getKeyFromGrant(grantAlias);
655        } catch (RemoteException e) {
656            throw e.rethrowFromSystemServer();
657        } catch (UnrecoverableKeyException e) {
658            throw new InternalRecoveryServiceException("Failed to get key from keystore", e);
659        } catch (ServiceSpecificException e) {
660            if (e.errorCode == ERROR_INSECURE_USER) {
661                throw new LockScreenRequiredException(e.getMessage());
662            }
663            throw wrapUnexpectedServiceSpecificException(e);
664        }
665    }
666
667    /**
668     * Gets a key called {@code alias} from the recoverable key store.
669     *
670     * @param alias The key alias.
671     * @return The key.
672     * @throws InternalRecoveryServiceException if an unexpected error occurred in the recovery
673     *     service.
674     * @throws UnrecoverableKeyException if key is permanently invalidated or not found.
675     */
676    @RequiresPermission(android.Manifest.permission.RECOVER_KEYSTORE)
677    public @Nullable Key getKey(@NonNull String alias)
678            throws InternalRecoveryServiceException, UnrecoverableKeyException {
679        try {
680            String grantAlias = mBinder.getKey(alias);
681            if (grantAlias == null || "".equals(grantAlias)) {
682                return null;
683            }
684            return getKeyFromGrant(grantAlias);
685        } catch (RemoteException e) {
686            throw e.rethrowFromSystemServer();
687        } catch (ServiceSpecificException e) {
688            throw wrapUnexpectedServiceSpecificException(e);
689        }
690    }
691
692    /**
693     * Returns the key with the given {@code grantAlias}.
694     */
695    @NonNull Key getKeyFromGrant(@NonNull String grantAlias) throws UnrecoverableKeyException {
696        return AndroidKeyStoreProvider.loadAndroidKeyStoreKeyFromKeystore(
697                mKeyStore,
698                grantAlias,
699                KeyStore.UID_SELF);
700    }
701
702    /**
703     * Removes a key called {@code alias} from the recoverable key store.
704     *
705     * @param alias The key alias.
706     * @throws InternalRecoveryServiceException if an unexpected error occurred in the recovery
707     *     service.
708     */
709    @RequiresPermission(android.Manifest.permission.RECOVER_KEYSTORE)
710    public void removeKey(@NonNull String alias) throws InternalRecoveryServiceException {
711        try {
712            mBinder.removeKey(alias);
713        } catch (RemoteException e) {
714            throw e.rethrowFromSystemServer();
715        } catch (ServiceSpecificException e) {
716            throw wrapUnexpectedServiceSpecificException(e);
717        }
718    }
719
720    /**
721     * Returns a new {@link RecoverySession}.
722     *
723     * <p>A recovery session is required to restore keys from a remote store.
724     */
725    @RequiresPermission(android.Manifest.permission.RECOVER_KEYSTORE)
726    public @NonNull RecoverySession createRecoverySession() {
727        return RecoverySession.newInstance(this);
728    }
729
730    @RequiresPermission(android.Manifest.permission.RECOVER_KEYSTORE)
731    public @NonNull Map<String, X509Certificate> getRootCertificates() {
732        return TrustedRootCertificates.getRootCertificates();
733    }
734
735    InternalRecoveryServiceException wrapUnexpectedServiceSpecificException(
736            ServiceSpecificException e) {
737        if (e.errorCode == ERROR_SERVICE_INTERNAL_ERROR) {
738            return new InternalRecoveryServiceException(e.getMessage());
739        }
740
741        // Should never happen. If it does, it's a bug, and we need to update how the method that
742        // called this throws its exceptions.
743        return new InternalRecoveryServiceException("Unexpected error code for method: "
744                + e.errorCode, e);
745    }
746}
747