Add isUnlockedDeviceRequired() method to KeyInfo

Bug: 296475382 Test: atest CtsKeystoreTestCases:KeyInfoTest Change-Id: I30cc00ec39dc1552eb2b7c12b0fab41e844c952e

Add isUnlockedDeviceRequired() method to KeyInfo
baa651cb · Eric Biggers · d648615e · baa651cb · baa651cb · baa651cb
Commit baa651cb authored 1 year ago by Eric Biggers
--- a/core/api/current.txt
+++ b/core/api/current.txt
@@ -39247,6 +39247,7 @@ package android.security.keystore {
    method @Deprecated public boolean isInsideSecureHardware();
    method public boolean isInvalidatedByBiometricEnrollment();
    method public boolean isTrustedUserPresenceRequired();
+    method @FlaggedApi("android.security.keyinfo_unlocked_device_required") public boolean isUnlockedDeviceRequired();
    method public boolean isUserAuthenticationRequired();
    method public boolean isUserAuthenticationRequirementEnforcedBySecureHardware();
    method public boolean isUserAuthenticationValidWhileOnBody();
--- a/core/java/android/security/flags.aconfig
+++ b/core/java/android/security/flags.aconfig
@@ -30,6 +30,13 @@ flag {
    is_fixed_read_only: true
 }

+flag {
+    name: "keyinfo_unlocked_device_required"
+    namespace: "hardware_backed_security"
+    description: "Add the API android.security.keystore.KeyInfo#isUnlockedDeviceRequired()"
+    bug: "296475382"
+}
+
 flag {
    name: "deprecate_fsv_sig"
    namespace: "hardware_backed_security"

--- a/keystore/java/android/security/keystore/KeyInfo.java
+++ b/keystore/java/android/security/keystore/KeyInfo.java
@@ -16,6 +16,7 @@

 package android.security.keystore;

+import android.annotation.FlaggedApi;
 import android.annotation.NonNull;
 import android.annotation.Nullable;

@@ -81,6 +82,7 @@ public class KeyInfo implements KeySpec {
    private final @KeyProperties.AuthEnum int mUserAuthenticationType;
    private final boolean mUserAuthenticationRequirementEnforcedBySecureHardware;
    private final boolean mUserAuthenticationValidWhileOnBody;
+    private final boolean mUnlockedDeviceRequired;
    private final boolean mTrustedUserPresenceRequired;
    private final boolean mInvalidatedByBiometricEnrollment;
    private final boolean mUserConfirmationRequired;
@@ -107,6 +109,7 @@ public class KeyInfo implements KeySpec {
            @KeyProperties.AuthEnum int userAuthenticationType,
            boolean userAuthenticationRequirementEnforcedBySecureHardware,
            boolean userAuthenticationValidWhileOnBody,
+            boolean unlockedDeviceRequired,
            boolean trustedUserPresenceRequired,
            boolean invalidatedByBiometricEnrollment,
            boolean userConfirmationRequired,
@@ -132,6 +135,7 @@ public class KeyInfo implements KeySpec {
        mUserAuthenticationRequirementEnforcedBySecureHardware =
                userAuthenticationRequirementEnforcedBySecureHardware;
        mUserAuthenticationValidWhileOnBody = userAuthenticationValidWhileOnBody;
+        mUnlockedDeviceRequired = unlockedDeviceRequired;
        mTrustedUserPresenceRequired = trustedUserPresenceRequired;
        mInvalidatedByBiometricEnrollment = invalidatedByBiometricEnrollment;
        mUserConfirmationRequired = userConfirmationRequired;
@@ -274,6 +278,20 @@ public class KeyInfo implements KeySpec {
        return mUserAuthenticationRequired;
    }

+    /**
+     * Returns {@code true} if the key is authorized to be used only when the device is unlocked.
+     *
+     * <p>This authorization applies only to secret key and private key operations. Public key
+     * operations are not restricted.
+     *
+     * @see KeyGenParameterSpec.Builder#setUnlockedDeviceRequired(boolean)
+     * @see KeyProtection.Builder#setUnlockedDeviceRequired(boolean)
+     */
+    @FlaggedApi(android.security.Flags.FLAG_KEYINFO_UNLOCKED_DEVICE_REQUIRED)
+    public boolean isUnlockedDeviceRequired() {
+        return mUnlockedDeviceRequired;
+    }
+
    /**
     * Returns {@code true} if the key is authorized to be used only for messages confirmed by the
     * user.

--- a/keystore/java/android/security/keystore2/AndroidKeyStoreSecretKeyFactorySpi.java
+++ b/keystore/java/android/security/keystore2/AndroidKeyStoreSecretKeyFactorySpi.java
@@ -93,6 +93,7 @@ public class AndroidKeyStoreSecretKeyFactorySpi extends SecretKeyFactorySpi {
        long userAuthenticationValidityDurationSeconds = 0;
        boolean userAuthenticationRequired = true;
        boolean userAuthenticationValidWhileOnBody = false;
+        boolean unlockedDeviceRequired = false;
        boolean trustedUserPresenceRequired = false;
        boolean trustedUserConfirmationRequired = false;
        int remainingUsageCount = KeyProperties.UNRESTRICTED_USAGE_COUNT;
@@ -184,6 +185,9 @@ public class AndroidKeyStoreSecretKeyFactorySpi extends SecretKeyFactorySpi {
                                    + userAuthenticationValidityDurationSeconds + " seconds");
                        }
                        break;
+                    case KeymasterDefs.KM_TAG_UNLOCKED_DEVICE_REQUIRED:
+                        unlockedDeviceRequired = true;
+                        break;
                    case KeymasterDefs.KM_TAG_ALLOW_WHILE_ON_BODY:
                        userAuthenticationValidWhileOnBody =
                                KeyStore2ParameterUtils.isSecureHardware(a.securityLevel);
@@ -257,6 +261,7 @@ public class AndroidKeyStoreSecretKeyFactorySpi extends SecretKeyFactorySpi {
                        : keymasterSwEnforcedUserAuthenticators,
                userAuthenticationRequirementEnforcedBySecureHardware,
                userAuthenticationValidWhileOnBody,
+                unlockedDeviceRequired,
                trustedUserPresenceRequired,
                invalidatedByBiometricEnrollment,
                trustedUserConfirmationRequired,