RecoveryController.java revision b95c90ce2d10a93c680b2ddbdf7ad61feb3abf5a 
1/*
2 * Copyright (C) 2017 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 *      http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17package android.security.keystore.recovery;
18
19import android.annotation.NonNull;
20import android.annotation.Nullable;
21import android.annotation.RequiresPermission;
22import android.annotation.SystemApi;
23import android.app.KeyguardManager;
24import android.app.PendingIntent;
25import android.content.Context;
26import android.content.pm.PackageManager.NameNotFoundException;
27import android.os.RemoteException;
28import android.os.ServiceManager;
29import android.os.ServiceSpecificException;
30import android.security.KeyStore;
31import android.security.keystore.AndroidKeyStoreProvider;
32
33import com.android.internal.widget.ILockSettings;
34
35import java.security.Key;
36import java.security.UnrecoverableKeyException;
37import java.security.cert.CertPath;
38import java.security.cert.CertificateException;
39import java.security.cert.X509Certificate;
40import java.util.ArrayList;
41import java.util.List;
42import java.util.Map;
43
44/**
45 * Backs up cryptographic keys to remote secure hardware, encrypted with the user's lock screen.
46 *
47 * <p>A system app with the {@code android.permission.RECOVER_KEYSTORE} permission may generate or
48 * import recoverable keys using this class. To generate a key, the app must call
49 * {@link #generateKey(String)} with the desired alias for the key. This returns an AndroidKeyStore
50 * reference to a 256-bit {@link javax.crypto.SecretKey}, which can be used for AES/GCM/NoPadding.
51 * In order to get the same key again at a later time, the app can call {@link #getKey(String)} with
52 * the same alias. If a key is generated in this way the key's raw material is never directly
53 * exposed to the calling app. The system app may also import key material using
54 * {@link #importKey(String, byte[])}. The app may only generate and import keys for its own
55 * {@code uid}.
56 *
57 * <p>The same system app must also register a Recovery Agent to manage syncing recoverable keys to
58 * remote secure hardware. The Recovery Agent is a service that registers itself with the controller
59 * as follows:
60 *
61 * <ul>
62 *     <li>Invokes {@link #initRecoveryService(String, byte[], byte[])}
63 *     <ul>
64 *         <li>The first argument is the alias of the root certificate used to verify trusted
65 *         hardware modules. Each trusted hardware module must have a public key signed with this
66 *         root of trust. Roots of trust must be shipped with the framework. The app can list all
67 *         valid roots of trust by calling {@link #getRootCertificates()}.
68 *         <li>The second argument is the UTF-8 bytes of the XML listing file. It lists the X509
69 *         certificates containing the public keys of all available remote trusted hardware modules.
70 *         Each of the X509 certificates can be validated against the chosen root of trust.
71 *         <li>The third argument is the UTF-8 bytes of the XML signing file. The file contains a
72 *         signature of the XML listing file. The signature can be validated against the chosen root
73 *         of trust.
74 *     </ul>
75 *     <p>This will cause the controller to choose a random public key from the list. From then
76 *     on the controller will attempt to sync the key chain with the trusted hardware module to whom
77 *     that key belongs.
78 *     <li>Invokes {@link #setServerParams(byte[])} with a byte string that identifies the device
79 *     to a remote server. This server may act as the front-end to the trusted hardware modules. It
80 *     is up to the Recovery Agent to decide how best to identify devices, but this could be, e.g.,
81 *     based on the <a href="https://developers.google.com/instance-id/">Instance ID</a> of the
82 *     system app.
83 *     <li>Invokes {@link #setRecoverySecretTypes(int[])} with a list of types of secret used to
84 *     secure the recoverable key chain. For now only
85 *     {@link KeyChainProtectionParams#TYPE_LOCKSCREEN} is supported.
86 *     <li>Invokes {@link #setSnapshotCreatedPendingIntent(PendingIntent)} with a
87 *     {@link PendingIntent} that is to be invoked whenever a new snapshot is created. Although the
88 *     controller can create snapshots without the Recovery Agent registering this intent, it is a
89 *     good idea to register the intent so that the Recovery Agent is able to sync this snapshot to
90 *     the trusted hardware module as soon as it is available.
91 * </ul>
92 *
93 * <p>The trusted hardware module's public key MUST be generated on secure hardware with protections
94 * equivalent to those described in the
95 * <a href="https://developer.android.com/preview/features/security/ckv-whitepaper.html">Google
96 * Cloud Key Vault Service whitepaper</a>. The trusted hardware module itself must protect the key
97 * chain from brute-forcing using the methods also described in the whitepaper: i.e., it should
98 * limit the number of allowed attempts to enter the lock screen. If the number of attempts is
99 * exceeded the key material must no longer be recoverable.
100 *
101 * <p>A recoverable key chain snapshot is considered pending if any of the following conditions
102 * are met:
103 *
104 * <ul>
105 *     <li>The system app mutates the key chain. i.e., generates, imports, or removes a key.
106 *     <li>The user changes their lock screen.
107 * </ul>
108 *
109 * <p>Whenever the user unlocks their device, if a snapshot is pending, the Recovery Controller
110 * generates a new snapshot. It follows these steps to do so:
111 *
112 * <ul>
113 *     <li>Generates a 256-bit AES key using {@link java.security.SecureRandom}. This is the
114 *     Recovery Key.
115 *     <li>Wraps the key material of all keys in the recoverable key chain with the Recovery Key.
116 *     <li>Encrypts the Recovery Key with both the public key of the trusted hardware module and a
117 *     symmetric key derived from the user's lock screen.
118 * </ul>
119 *
120 * <p>The controller then writes this snapshot to disk, and uses the {@link PendingIntent} that was
121 * set by the Recovery Agent during initialization to inform it that a new snapshot is available.
122 * The snapshot only contains keys for that Recovery Agent's {@code uid} - i.e., keys the agent's
123 * app itself generated. If multiple Recovery Agents exist on the device, each will be notified of
124 * their new snapshots, and each snapshots' keys will be only those belonging to the same
125 * {@code uid}.
126 *
127 * <p>The Recovery Agent retrieves its most recent snapshot by calling
128 * {@link #getKeyChainSnapshot()}. It syncs the snapshot to the remote server. The snapshot contains
129 * the public key used for encryption, which the server uses to forward the encrypted recovery key
130 * to the correct trusted hardware module. The snapshot also contains the server params, which are
131 * used to identify this device to the server.
132 *
133 * <p>The client uses the server params to identify a device whose key chain it wishes to restore.
134 * This may be on a different device to the device that originally synced the key chain. The client
135 * sends the server params identifying the previous device to the server. The server returns the
136 * X509 certificate identifying the trusted hardware module in which the encrypted Recovery Key is
137 * stored. It also returns some vault parameters identifying that particular Recovery Key to the
138 * trusted hardware module. And it also returns a vault challenge, which is used as part of the
139 * vault opening protocol to ensure the recovery claim is fresh. See the whitepaper for more
140 * details.
141 *
142 * <p>The key chain is recovered via a {@link RecoverySession}. A Recovery Agent creates one by
143 * invoking {@link #createRecoverySession()}. It then invokes
144 * {@link RecoverySession#start(String, CertPath, byte[], byte[], List)} with these arguments:
145 *
146 * <ul>
147 *     <li>The alias of the root of trust used to verify the trusted hardware module.
148 *     <li>The X509 certificate of the trusted hardware module.
149 *     <li>The vault parameters used to identify the Recovery Key to the trusted hardware module.
150 *     <li>The vault challenge, as issued by the trusted hardware module.
151 *     <li>A list of secrets, corresponding to the secrets used to protect the key chain. At the
152 *     moment this is a single {@link KeyChainProtectionParams} containing the lock screen of the
153 *     device whose key chain is to be recovered.
154 * </ul>
155 *
156 * <p>This method returns a byte array containing the Recovery Claim, which can be issued to the
157 * remote trusted hardware module. It is encrypted with the trusted hardware module's public key
158 * (which has itself been certified with the root of trust). It also contains an ephemeral symmetric
159 * key generated for this recovery session, which the remote trusted hardware module uses to encrypt
160 * its responses. This is the Session Key.
161 *
162 * <p>If the lock screen provided is correct, the remote trusted hardware module decrypts one of the
163 * layers of lock-screen encryption from the Recovery Key. It then returns this key, encrypted with
164 * the Session Key to the Recovery Agent. As the Recovery Agent does not know the Session Key, it
165 * must then invoke {@link RecoverySession#recoverKeyChainSnapshot(byte[], List)} with the encrypted
166 * Recovery Key and the list of wrapped application keys. The controller then decrypts the layer of
167 * encryption provided by the Session Key, and uses the lock screen to decrypt the final layer of
168 * encryption. It then uses the Recovery Key to decrypt all of the wrapped application keys, and
169 * imports them into its own KeyStore. The Recovery Agent's app may then access these keys by
170 * calling {@link #getKey(String)}. Only this app's {@code uid} may access the keys that have been
171 * recovered.
172 *
173 * @hide
174 */
175@SystemApi
176public class RecoveryController {
177    private static final String TAG = "RecoveryController";
178
179    /** Key has been successfully synced. */
180    public static final int RECOVERY_STATUS_SYNCED = 0;
181    /** Waiting for recovery agent to sync the key. */
182    public static final int RECOVERY_STATUS_SYNC_IN_PROGRESS = 1;
183    /** Key cannot be synced. */
184    public static final int RECOVERY_STATUS_PERMANENT_FAILURE = 3;
185
186    /**
187     * Failed because no snapshot is yet pending to be synced for the user.
188     *
189     * @hide
190     */
191    public static final int ERROR_NO_SNAPSHOT_PENDING = 21;
192
193    /**
194     * Failed due to an error internal to the recovery service. This is unexpected and indicates
195     * either a problem with the logic in the service, or a problem with a dependency of the
196     * service (such as AndroidKeyStore).
197     *
198     * @hide
199     */
200    public static final int ERROR_SERVICE_INTERNAL_ERROR = 22;
201
202    /**
203     * Failed because the user does not have a lock screen set.
204     *
205     * @hide
206     */
207    public static final int ERROR_INSECURE_USER = 23;
208
209    /**
210     * Error thrown when attempting to use a recovery session that has since been closed.
211     *
212     * @hide
213     */
214    public static final int ERROR_SESSION_EXPIRED = 24;
215
216    /**
217     * Failed because the format of the provided certificate is incorrect, e.g., cannot be decoded
218     * properly or misses necessary fields.
219     *
220     * <p>Note that this is different from {@link #ERROR_INVALID_CERTIFICATE}, which implies the
221     * certificate has a correct format but cannot be validated.
222     *
223     * @hide
224     */
225    public static final int ERROR_BAD_CERTIFICATE_FORMAT = 25;
226
227    /**
228     * Error thrown if decryption failed. This might be because the tag is wrong, the key is wrong,
229     * the data has become corrupted, the data has been tampered with, etc.
230     *
231     * @hide
232     */
233    public static final int ERROR_DECRYPTION_FAILED = 26;
234
235    /**
236     * Error thrown if the format of a given key is invalid. This might be because the key has a
237     * wrong length, invalid content, etc.
238     *
239     * @hide
240     */
241    public static final int ERROR_INVALID_KEY_FORMAT = 27;
242
243    /**
244     * Failed because the provided certificate cannot be validated, e.g., is expired or has invalid
245     * signatures.
246     *
247     * <p>Note that this is different from {@link #ERROR_BAD_CERTIFICATE_FORMAT}, which denotes
248     * incorrect certificate formats, e.g., due to wrong encoding or structure.
249     *
250     * @hide
251     */
252    public static final int ERROR_INVALID_CERTIFICATE = 28;
253
254
255    /**
256     * Failed because the provided certificate contained serial version which is lower that the
257     * version device is already initialized with. It is not possible to downgrade serial version of
258     * the provided certificate.
259     *
260     * @hide
261     */
262    public static final int ERROR_DOWNGRADE_CERTIFICATE = 29;
263
264    private final ILockSettings mBinder;
265    private final KeyStore mKeyStore;
266
267    private RecoveryController(ILockSettings binder, KeyStore keystore) {
268        mBinder = binder;
269        mKeyStore = keystore;
270    }
271
272    /**
273     * Internal method used by {@code RecoverySession}.
274     *
275     * @hide
276     */
277    ILockSettings getBinder() {
278        return mBinder;
279    }
280
281    /**
282     * Gets a new instance of the class.
283     */
284    @RequiresPermission(android.Manifest.permission.RECOVER_KEYSTORE)
285    @NonNull public static RecoveryController getInstance(@NonNull Context context) {
286        ILockSettings lockSettings =
287                ILockSettings.Stub.asInterface(ServiceManager.getService("lock_settings"));
288        return new RecoveryController(lockSettings, KeyStore.getInstance());
289    }
290
291    /**
292     * Checks whether the recoverable key store is currently available.
293     *
294     * <p>If it returns true, the device must currently be using a screen lock that is supported for
295     * use with the recoverable key store, i.e. AOSP PIN, pattern or password.
296     */
297    @RequiresPermission(android.Manifest.permission.RECOVER_KEYSTORE)
298    public static boolean isRecoverableKeyStoreEnabled(@NonNull Context context) {
299        KeyguardManager keyguardManager = context.getSystemService(KeyguardManager.class);
300        return keyguardManager != null && keyguardManager.isDeviceSecure();
301    }
302
303    /**
304     * @deprecated Use {@link #initRecoveryService(String, byte[], byte[])} instead.
305     */
306    @Deprecated
307    @RequiresPermission(android.Manifest.permission.RECOVER_KEYSTORE)
308    public void initRecoveryService(
309            @NonNull String rootCertificateAlias, @NonNull byte[] signedPublicKeyList)
310            throws CertificateException, InternalRecoveryServiceException {
311        try {
312            mBinder.initRecoveryService(rootCertificateAlias, signedPublicKeyList);
313        } catch (RemoteException e) {
314            throw e.rethrowFromSystemServer();
315        } catch (ServiceSpecificException e) {
316            if (e.errorCode == ERROR_BAD_CERTIFICATE_FORMAT
317                    || e.errorCode == ERROR_INVALID_CERTIFICATE) {
318                throw new CertificateException("Invalid certificate for recovery service", e);
319            }
320            throw wrapUnexpectedServiceSpecificException(e);
321        }
322    }
323
324    /**
325     * Initializes the recovery service for the calling application. The detailed steps should be:
326     * <ol>
327     *     <li>Parse {@code signatureFile} to get relevant information.
328     *     <li>Validate the signer's X509 certificate, contained in {@code signatureFile}, against
329     *         the root certificate pre-installed in the OS and chosen by {@code
330     *         rootCertificateAlias}.
331     *     <li>Verify the public-key signature, contained in {@code signatureFile}, and verify it
332     *         against the entire {@code certificateFile}.
333     *     <li>Parse {@code certificateFile} to get relevant information.
334     *     <li>Check the serial number, contained in {@code certificateFile}, and skip the following
335     *         steps if the serial number is not larger than the one previously stored.
336     *     <li>Randomly choose a X509 certificate from the endpoint X509 certificates, contained in
337     *         {@code certificateFile}, and validate it against the root certificate pre-installed
338     *         in the OS and chosen by {@code rootCertificateAlias}.
339     *     <li>Store the chosen X509 certificate and the serial in local database for later use.
340     * </ol>
341     *
342     * @param rootCertificateAlias the alias of a root certificate pre-installed in the OS
343     * @param certificateFile the binary content of the XML file containing a list of recovery
344     *     service X509 certificates, and other metadata including the serial number
345     * @param signatureFile the binary content of the XML file containing the public-key signature
346     *     of the entire certificate file, and a signer's X509 certificate
347     * @throws CertificateException if the given certificate files cannot be parsed or validated
348     * @throws InternalRecoveryServiceException if an unexpected error occurred in the recovery
349     *     service.
350     */
351    @RequiresPermission(android.Manifest.permission.RECOVER_KEYSTORE)
352    public void initRecoveryService(
353            @NonNull String rootCertificateAlias, @NonNull byte[] certificateFile,
354            @NonNull byte[] signatureFile)
355            throws CertificateException, InternalRecoveryServiceException {
356        try {
357            mBinder.initRecoveryServiceWithSigFile(
358                    rootCertificateAlias, certificateFile, signatureFile);
359        } catch (RemoteException e) {
360            throw e.rethrowFromSystemServer();
361        } catch (ServiceSpecificException e) {
362            if (e.errorCode == ERROR_BAD_CERTIFICATE_FORMAT
363                    || e.errorCode == ERROR_INVALID_CERTIFICATE) {
364                throw new CertificateException("Invalid certificate for recovery service", e);
365            }
366            if (e.errorCode == ERROR_DOWNGRADE_CERTIFICATE) {
367                throw new CertificateException(
368                        "Downgrading certificate serial version isn't supported.", e);
369            }
370            throw wrapUnexpectedServiceSpecificException(e);
371        }
372    }
373
374    /**
375     * @deprecated Use {@link #getKeyChainSnapshot()}
376     */
377    @Deprecated
378    @RequiresPermission(android.Manifest.permission.RECOVER_KEYSTORE)
379    public @Nullable KeyChainSnapshot getRecoveryData() throws InternalRecoveryServiceException {
380        return getKeyChainSnapshot();
381    }
382
383    /**
384     * Returns data necessary to store all recoverable keys. Key material is
385     * encrypted with user secret and recovery public key.
386     *
387     * @return Data necessary to recover keystore or {@code null} if snapshot is not available.
388     * @throws InternalRecoveryServiceException if an unexpected error occurred in the recovery
389     *     service.
390     */
391    @RequiresPermission(android.Manifest.permission.RECOVER_KEYSTORE)
392    public @Nullable KeyChainSnapshot getKeyChainSnapshot()
393            throws InternalRecoveryServiceException {
394        try {
395            return mBinder.getKeyChainSnapshot();
396        } catch (RemoteException e) {
397            throw e.rethrowFromSystemServer();
398        } catch (ServiceSpecificException e) {
399            if (e.errorCode == ERROR_NO_SNAPSHOT_PENDING) {
400                return null;
401            }
402            throw wrapUnexpectedServiceSpecificException(e);
403        }
404    }
405
406    /**
407     * Sets a listener which notifies recovery agent that new recovery snapshot is available. {@link
408     * #getKeyChainSnapshot} can be used to get the snapshot. Note that every recovery agent can
409     * have at most one registered listener at any time.
410     *
411     * @param intent triggered when new snapshot is available. Unregisters listener if the value is
412     *     {@code null}.
413     * @throws InternalRecoveryServiceException if an unexpected error occurred in the recovery
414     *     service.
415     */
416    @RequiresPermission(android.Manifest.permission.RECOVER_KEYSTORE)
417    public void setSnapshotCreatedPendingIntent(@Nullable PendingIntent intent)
418            throws InternalRecoveryServiceException {
419        try {
420            mBinder.setSnapshotCreatedPendingIntent(intent);
421        } catch (RemoteException e) {
422            throw e.rethrowFromSystemServer();
423        } catch (ServiceSpecificException e) {
424            throw wrapUnexpectedServiceSpecificException(e);
425        }
426    }
427
428    /**
429     * Server parameters used to generate new recovery key blobs. This value will be included in
430     * {@code KeyChainSnapshot.getEncryptedRecoveryKeyBlob()}. The same value must be included
431     * in vaultParams {@link RecoverySession#start(CertPath, byte[], byte[], List)}.
432     *
433     * @param serverParams included in recovery key blob.
434     * @see #getKeyChainSnapshot
435     * @throws InternalRecoveryServiceException if an unexpected error occurred in the recovery
436     *     service.
437     */
438    @RequiresPermission(android.Manifest.permission.RECOVER_KEYSTORE)
439    public void setServerParams(@NonNull byte[] serverParams)
440            throws InternalRecoveryServiceException {
441        try {
442            mBinder.setServerParams(serverParams);
443        } catch (RemoteException e) {
444            throw e.rethrowFromSystemServer();
445        } catch (ServiceSpecificException e) {
446            throw wrapUnexpectedServiceSpecificException(e);
447        }
448    }
449
450    /**
451     * @deprecated Use {@link #getAliases()}.
452     */
453    @Deprecated
454    @RequiresPermission(android.Manifest.permission.RECOVER_KEYSTORE)
455    public List<String> getAliases(@Nullable String packageName)
456            throws InternalRecoveryServiceException {
457        return getAliases();
458    }
459
460    /**
461     * Returns a list of aliases of keys belonging to the application.
462     */
463    @RequiresPermission(android.Manifest.permission.RECOVER_KEYSTORE)
464    public @NonNull List<String> getAliases() throws InternalRecoveryServiceException {
465        try {
466            Map<String, Integer> allStatuses = mBinder.getRecoveryStatus();
467            return new ArrayList<>(allStatuses.keySet());
468        } catch (RemoteException e) {
469            throw e.rethrowFromSystemServer();
470        } catch (ServiceSpecificException e) {
471            throw wrapUnexpectedServiceSpecificException(e);
472        }
473    }
474
475    /**
476     * @deprecated Use {@link #setRecoveryStatus(String, int)}
477     */
478    @Deprecated
479    @RequiresPermission(android.Manifest.permission.RECOVER_KEYSTORE)
480    public void setRecoveryStatus(
481            @NonNull String packageName, String alias, int status)
482            throws NameNotFoundException, InternalRecoveryServiceException {
483        setRecoveryStatus(alias, status);
484    }
485
486    /**
487     * Sets the recovery status for given key. It is used to notify the keystore that the key was
488     * successfully stored on the server or that there was an error. An application can check this
489     * value using {@link #getRecoveryStatus(String, String)}.
490     *
491     * @param alias The alias of the key whose status to set.
492     * @param status The status of the key. One of {@link #RECOVERY_STATUS_SYNCED},
493     *     {@link #RECOVERY_STATUS_SYNC_IN_PROGRESS} or {@link #RECOVERY_STATUS_PERMANENT_FAILURE}.
494     * @throws InternalRecoveryServiceException if an unexpected error occurred in the recovery
495     *     service.
496     */
497    @RequiresPermission(android.Manifest.permission.RECOVER_KEYSTORE)
498    public void setRecoveryStatus(@NonNull String alias, int status)
499            throws InternalRecoveryServiceException {
500        try {
501            mBinder.setRecoveryStatus(alias, status);
502        } catch (RemoteException e) {
503            throw e.rethrowFromSystemServer();
504        } catch (ServiceSpecificException e) {
505            throw wrapUnexpectedServiceSpecificException(e);
506        }
507    }
508
509    /**
510     * @deprecated Use {@link #getRecoveryStatus(String)}.
511     */
512    @Deprecated
513    @RequiresPermission(android.Manifest.permission.RECOVER_KEYSTORE)
514    public int getRecoveryStatus(String packageName, String alias)
515            throws InternalRecoveryServiceException {
516        return getRecoveryStatus(alias);
517    }
518
519    /**
520     * Returns the recovery status for the key with the given {@code alias}.
521     *
522     * <ul>
523     *   <li>{@link #RECOVERY_STATUS_SYNCED}
524     *   <li>{@link #RECOVERY_STATUS_SYNC_IN_PROGRESS}
525     *   <li>{@link #RECOVERY_STATUS_PERMANENT_FAILURE}
526     * </ul>
527     *
528     * @see #setRecoveryStatus(String, int)
529     * @throws InternalRecoveryServiceException if an unexpected error occurred in the recovery
530     *     service.
531     */
532    @RequiresPermission(android.Manifest.permission.RECOVER_KEYSTORE)
533    public int getRecoveryStatus(@NonNull String alias) throws InternalRecoveryServiceException {
534        try {
535            Map<String, Integer> allStatuses = mBinder.getRecoveryStatus();
536            Integer status = allStatuses.get(alias);
537            if (status == null) {
538                return RecoveryController.RECOVERY_STATUS_PERMANENT_FAILURE;
539            } else {
540                return status;
541            }
542        } catch (RemoteException e) {
543            throw e.rethrowFromSystemServer();
544        } catch (ServiceSpecificException e) {
545            throw wrapUnexpectedServiceSpecificException(e);
546        }
547    }
548
549    /**
550     * Specifies a set of secret types used for end-to-end keystore encryption. Knowing all of them
551     * is necessary to recover data.
552     *
553     * @param secretTypes {@link KeyChainProtectionParams#TYPE_LOCKSCREEN}
554     * @throws InternalRecoveryServiceException if an unexpected error occurred in the recovery
555     *     service.
556     */
557    @RequiresPermission(android.Manifest.permission.RECOVER_KEYSTORE)
558    public void setRecoverySecretTypes(
559            @NonNull @KeyChainProtectionParams.UserSecretType int[] secretTypes)
560            throws InternalRecoveryServiceException {
561        try {
562            mBinder.setRecoverySecretTypes(secretTypes);
563        } catch (RemoteException e) {
564            throw e.rethrowFromSystemServer();
565        } catch (ServiceSpecificException e) {
566            throw wrapUnexpectedServiceSpecificException(e);
567        }
568    }
569
570    /**
571     * Defines a set of secret types used for end-to-end keystore encryption. Knowing all of them is
572     * necessary to generate KeyChainSnapshot.
573     *
574     * @return list of recovery secret types
575     * @see KeyChainSnapshot
576     * @throws InternalRecoveryServiceException if an unexpected error occurred in the recovery
577     *     service.
578     */
579    @RequiresPermission(android.Manifest.permission.RECOVER_KEYSTORE)
580    public @NonNull @KeyChainProtectionParams.UserSecretType int[] getRecoverySecretTypes()
581            throws InternalRecoveryServiceException {
582        try {
583            return mBinder.getRecoverySecretTypes();
584        } catch (RemoteException e) {
585            throw e.rethrowFromSystemServer();
586        } catch (ServiceSpecificException e) {
587            throw wrapUnexpectedServiceSpecificException(e);
588        }
589    }
590
591    /**
592     * Deprecated.
593     * Generates a AES256/GCM/NoPADDING key called {@code alias} and loads it into the recoverable
594     * key store. Returns the raw material of the key.
595     *
596     * @param alias The key alias.
597     * @param account The account associated with the key
598     * @throws InternalRecoveryServiceException if an unexpected error occurred in the recovery
599     *     service.
600     * @throws LockScreenRequiredException if the user has not set a lock screen. This is required
601     *     to generate recoverable keys, as the snapshots are encrypted using a key derived from the
602     *     lock screen.
603     */
604    @RequiresPermission(android.Manifest.permission.RECOVER_KEYSTORE)
605    public byte[] generateAndStoreKey(@NonNull String alias, byte[] account)
606            throws InternalRecoveryServiceException, LockScreenRequiredException {
607        throw new UnsupportedOperationException("Operation is not supported, use generateKey");
608    }
609
610    /**
611     * @deprecated Use {@link #generateKey(String)}.
612     */
613    @Deprecated
614    @RequiresPermission(android.Manifest.permission.RECOVER_KEYSTORE)
615    public Key generateKey(@NonNull String alias, byte[] account)
616            throws InternalRecoveryServiceException, LockScreenRequiredException {
617        return generateKey(alias);
618    }
619
620    /**
621     * Generates a recoverable key with the given {@code alias}.
622     *
623     * @throws InternalRecoveryServiceException if an unexpected error occurred in the recovery
624     *     service.
625     * @throws LockScreenRequiredException if the user does not have a lock screen set. A lock
626     *     screen is required to generate recoverable keys.
627     */
628    @RequiresPermission(android.Manifest.permission.RECOVER_KEYSTORE)
629    public @NonNull Key generateKey(@NonNull String alias) throws InternalRecoveryServiceException,
630            LockScreenRequiredException {
631        try {
632            String grantAlias = mBinder.generateKey(alias);
633            if (grantAlias == null) {
634                throw new InternalRecoveryServiceException("null grant alias");
635            }
636            return getKeyFromGrant(grantAlias);
637        } catch (RemoteException e) {
638            throw e.rethrowFromSystemServer();
639        } catch (UnrecoverableKeyException e) {
640            throw new InternalRecoveryServiceException("Failed to get key from keystore", e);
641        } catch (ServiceSpecificException e) {
642            if (e.errorCode == ERROR_INSECURE_USER) {
643                throw new LockScreenRequiredException(e.getMessage());
644            }
645            throw wrapUnexpectedServiceSpecificException(e);
646        }
647    }
648
649    /**
650     * Imports a 256-bit recoverable AES key with the given {@code alias} and the raw bytes {@code
651     * keyBytes}.
652     *
653     * @throws InternalRecoveryServiceException if an unexpected error occurred in the recovery
654     *     service.
655     * @throws LockScreenRequiredException if the user does not have a lock screen set. A lock
656     *     screen is required to generate recoverable keys.
657     *
658     */
659    @RequiresPermission(android.Manifest.permission.RECOVER_KEYSTORE)
660    public @NonNull Key importKey(@NonNull String alias, @NonNull byte[] keyBytes)
661            throws InternalRecoveryServiceException, LockScreenRequiredException {
662        try {
663            String grantAlias = mBinder.importKey(alias, keyBytes);
664            if (grantAlias == null) {
665                throw new InternalRecoveryServiceException("Null grant alias");
666            }
667            return getKeyFromGrant(grantAlias);
668        } catch (RemoteException e) {
669            throw e.rethrowFromSystemServer();
670        } catch (UnrecoverableKeyException e) {
671            throw new InternalRecoveryServiceException("Failed to get key from keystore", e);
672        } catch (ServiceSpecificException e) {
673            if (e.errorCode == ERROR_INSECURE_USER) {
674                throw new LockScreenRequiredException(e.getMessage());
675            }
676            throw wrapUnexpectedServiceSpecificException(e);
677        }
678    }
679
680    /**
681     * Gets a key called {@code alias} from the recoverable key store.
682     *
683     * @param alias The key alias.
684     * @return The key.
685     * @throws InternalRecoveryServiceException if an unexpected error occurred in the recovery
686     *     service.
687     * @throws UnrecoverableKeyException if key is permanently invalidated or not found.
688     */
689    @RequiresPermission(android.Manifest.permission.RECOVER_KEYSTORE)
690    public @Nullable Key getKey(@NonNull String alias)
691            throws InternalRecoveryServiceException, UnrecoverableKeyException {
692        try {
693            String grantAlias = mBinder.getKey(alias);
694            if (grantAlias == null || "".equals(grantAlias)) {
695                return null;
696            }
697            return getKeyFromGrant(grantAlias);
698        } catch (RemoteException e) {
699            throw e.rethrowFromSystemServer();
700        } catch (ServiceSpecificException e) {
701            throw wrapUnexpectedServiceSpecificException(e);
702        }
703    }
704
705    /**
706     * Returns the key with the given {@code grantAlias}.
707     */
708    @NonNull Key getKeyFromGrant(@NonNull String grantAlias) throws UnrecoverableKeyException {
709        return AndroidKeyStoreProvider.loadAndroidKeyStoreKeyFromKeystore(
710                mKeyStore,
711                grantAlias,
712                KeyStore.UID_SELF);
713    }
714
715    /**
716     * Removes a key called {@code alias} from the recoverable key store.
717     *
718     * @param alias The key alias.
719     * @throws InternalRecoveryServiceException if an unexpected error occurred in the recovery
720     *     service.
721     */
722    @RequiresPermission(android.Manifest.permission.RECOVER_KEYSTORE)
723    public void removeKey(@NonNull String alias) throws InternalRecoveryServiceException {
724        try {
725            mBinder.removeKey(alias);
726        } catch (RemoteException e) {
727            throw e.rethrowFromSystemServer();
728        } catch (ServiceSpecificException e) {
729            throw wrapUnexpectedServiceSpecificException(e);
730        }
731    }
732
733    /**
734     * Returns a new {@link RecoverySession}.
735     *
736     * <p>A recovery session is required to restore keys from a remote store.
737     */
738    @RequiresPermission(android.Manifest.permission.RECOVER_KEYSTORE)
739    public @NonNull RecoverySession createRecoverySession() {
740        return RecoverySession.newInstance(this);
741    }
742
743    @RequiresPermission(android.Manifest.permission.RECOVER_KEYSTORE)
744    public @NonNull Map<String, X509Certificate> getRootCertificates() {
745        return TrustedRootCertificates.getRootCertificates();
746    }
747
748    InternalRecoveryServiceException wrapUnexpectedServiceSpecificException(
749            ServiceSpecificException e) {
750        if (e.errorCode == ERROR_SERVICE_INTERNAL_ERROR) {
751            return new InternalRecoveryServiceException(e.getMessage());
752        }
753
754        // Should never happen. If it does, it's a bug, and we need to update how the method that
755        // called this throws its exceptions.
756        return new InternalRecoveryServiceException("Unexpected error code for method: "
757                + e.errorCode, e);
758    }
759}
760