- Feb 03, 2021
-
-
Qi Wu authored
Bug: b/174140443 Test: atest CtsKeystoreTestCases The new CTS tests for this feature are introduced in aosp/1556464 Change-Id: I9620c4a3e5d2c10ed8a50d494e63eb2fb19dabef Merged-In: I9620c4a3e5d2c10ed8a50d494e63eb2fb19dabef
-
- Feb 01, 2021
-
-
Janis Danisevskis authored
* The Keystore SPI needs to return null if getKeyEntry is called on a pure certificate entry.
* Also checked the wrong purpose.

Test: Keystore CTS tests. Change-Id: Ib668447a9ff56fc4cea550f547c6cbfea3590cb3
-
- Jan 28, 2021
-
-
Janis Danisevskis authored
BackendBusyException now returns a back-off hint that API users can use to implement their retry loop. Bug: 174761871 Test: N/A Change-Id: I95662a5a5432965de365017eae43c502eb5bfc06
-
- Jan 27, 2021
-
-
Bram Bonné authored
Test: atest KeyAgreementTest Bug: 171847641 Change-Id: I7cb0c713e3797bb738a6134c690824e762346d4f
-
Janis Danisevskis authored
Test: N/A Change-Id: Ia54b912092431569cac64e228b902abd6383f728
-
- Jan 26, 2021
-
-
Janis Danisevskis authored
AndroidKeyStorePublicKey now returns the encoded key instead of the encoded certificate. Test: Keystore CTS tests. Bug: 178456047 Change-Id: I2c9b44bd13c702545b33ed0fb4c7e802c13851f6
-
- Jan 19, 2021
-
-
Janis Danisevskis authored
Test: N/A Change-Id: Ic07ca2329c6ebf3dacddf687cc85935e2bfa0cdd
-
Hasini Gunasinghe authored
This patch updates LockSettingService and TrustManagerService to use the new Keystore 2.0 authorization api. Bug: 166672367 Test: VTS test Change-Id: I5494d7b923d33d447488a0c67ada43d1f9593861
-
Janis Danisevskis authored
Test: N/A Change-Id: I20e925e2827a6485b187d20b737456e8a5d4c437
-
Hasini Gunasinghe authored
This CL introduces the Keystore SPI class for IKeystoreAuthorization aidl interface and implements the calling code for addAuthToken method. Bug: 166672367 Bug: 177830239 Bug: 177791435 Bug: 177787061 Bug: 177787180 Test: VTS test Change-Id: I9f0adc97efadd0fa1a1f16dd5ec811f4151a2b03
-
- Jan 18, 2021
-
-
Louis Chang authored
Revert submission 1519257-rename_auth_service Reason for revert: breaking WM presubmit, b/177787180 Reverted Changes: Ib847b68d4:Integrate IKeystoreAuthorization aidl's addAuthTok... I7893ab452:Integrate IKeystoreAuthorization aidl's addAuthTok... I4a092119c:Implement addAuthToken method of IKeystoreAuthoriz... Change-Id: Iea9bf7e7b3d1e968bbbe39f4ec08dcc3577cee07
-
- Jan 15, 2021
-
-
Janis Danisevskis authored
The chunked streamer sent the chunk buffer prematurely leading to oversized and garbage data sent to keystore. Test: atest android.keystore.cts.SignatureTest#testSmallMsgKat Change-Id: I84e40766b735f05b3fb7e0e692d26a25a0496649
-
Hasini Gunasinghe authored
This CL introduces the Keystore SPI class for IKeystoreAuthorization aidl interface and implements the calling code for addAuthToken method. Bug: 166672367 Test: VTS test Change-Id: I7893ab4520b16533b9fddc9909297856e0b523ae
-
- Jan 06, 2021
-
-
Janis Danisevskis authored
Test: CtsVerifier fingerprint bound key test. Change-Id: I0aa897455b88d7a709e4de6b515eef43bc15d053
-
- Dec 18, 2020
-
-
Janis Danisevskis authored
Test: Keystore cts tests. Change-Id: I316fdb8beae018ac91c172dede735e6b0759368a
-
Janis Danisevskis authored
* Correctly recover public key from certificate.
* KeyStore2ParameterUtils: iterate through set flags instead of unset flags.
* Return private key on Keystore.getKey() instead of public key.

Test: Keystore CTS tests Change-Id: I99c1bd49ff5cf7a2d89b54559504e67b3def0cd3
-
Janis Danisevskis authored
Test: Compiles Change-Id: I54b0d7a97954eb45283cf48bf2372db5e7ffa61a
-
- Dec 16, 2020
-
-
Janis Danisevskis authored
Bug: 160930927 Test: CtsVerifier Change-Id: I9cc325eafbee2aa4257a3ccbe525091a1cae806d
-
- Dec 15, 2020
-
-
Tianjie authored
So other packages can load the keystore with namespace. Test: build Change-Id: I7de3e51df438b794adb3793a189396999bdd1b88
-
Janis Danisevskis authored
Test: Keystore CTS test. Change-Id: I097b58fa6c403ff426d99ed484ed324e1419b4e3
-
- Dec 11, 2020
-
-
Shawn Willden authored
Revert "Revert "Keystore 2.0: Move keymint spec to security name..." Revert "Revert "Keystore 2.0: Move keymint spec to security name..." Revert^2 "Remove references to keymint1" 34536a352803a08776cc4f373d93a94e1fcbf98e Bug: 175345910 Bug: 171429297 Change-Id: I694e677e4e20419440f12cb7981f0c0c4ca29e08
-
Orion Hodson authored
Revert "Keystore 2.0: Move keymint spec to security namespace." Revert "Keystore 2.0: Move keymint spec to security namespace." Revert "Move keymint to android.hardware.security." Revert "Configure CF to start KeyMint service by default." Revert "Move keymint to android.hardware.security." Revert "Move keymint to android.hardware.security." Revert submission 1522123-move_keymint Reason for revert: Build breakage Bug: 175345910 Bug: 171429297 Reverted Changes: Ief0e9884a:Keystore 2.0: Move keymint spec to security namesp... Idb54e8846:Keystore 2.0: Move keymint spec to security namesp... I9f70db0e4:Remove references to keymint1 I2b4ce3349:Keystore 2.0 SPI: Move keymint spec to security na... I2498073aa:Move keymint to android.hardware.security. I098711e7d:Move keymint to android.hardware.security. I3ec8d70fe:Configure CF to start KeyMint service by default. Icbb373c50:Move keymint to android.hardware.security. I86bccf40e:Move keymint to android.hardware.security. Change-Id: Icd279f358db2387bf2bf232b0548762fab51e67d
-
- Dec 09, 2020
-
-
Janis Danisevskis authored
Test: N/A Change-Id: I2b4ce3349baf29eb67a31f0c436b964d69d70b02
-
- Nov 24, 2020
-
-
Janis Danisevskis authored
Previously we installed the legacy keystore SPI by the name KeyStore.AndroidKeyStore and set an alias to KeyStore.AndroidKeyStoreLegacy. This conflicted with the Keystore provider which also registers as KeyStore.AndroidKeyStore. This patch registers the old provider only by the name KeyStore.AndroidKeyStore. Test: CtsLibcoreTestCases:libcore.java.security.ProviderTest#test_Provider_Properties Also, the device boots. Change-Id: I38a248a996839f397bdcae30fd1b03a883209df2
-
- Nov 18, 2020
-
-
Janis Danisevskis authored
Test: CtsLibcoreTestCases:libcore.java.security.ProviderTest#test_Provider_Properties Bug: 173480441 Change-Id: I188cd778a25d221991280eb461a7ec052503790c
-
Janis Danisevskis authored
We are now using KeyMint types for KeyParameter and SecurityLevel. Test: None Change-Id: I3db72c17a9cb999a0248df4c37588dfc2ad84f74
-
- Nov 14, 2020
-
-
Janis Danisevskis authored
With this patch we install the old Keystore provider as AndroidKeyStoreLegacy when the Keystore 2.0 provider is installed as AndroidKeyStore. This allows system components to keep using the old keystore while we can run CTS tests against the new provider. The tests are still mostly failing at this point. Installing the new SPI can be enabled by setting the property ro.android.security.keystore2.enable=true Bug: 159476414 Test: This enables running CTS tests against Keystore 2.0. Change-Id: I9731d9783ccf8f2705a5ca7335e00c8f4c8debba
-
Janis Danisevskis authored
We delegate the generation of self signed certificates to the KeyMint backend. Also we use the KeyParameter AIDL type instead of KeymasterArguments to construct parameter lists. Bug: 159476414 Test: None Change-Id: I441a4d4df4ef04e3da8aeaff3274c609d549c979
-
Janis Danisevskis authored
We no longer need to get the key characteristics from the Keystore daemon to construct the KeyInfo for a key. Also we have to extract the key info from the KeyParameter AIDL type rather than from the hand written KeymasterArguments. This patch also exposes the correct security level for a key through KeyInfo. Bug: 159476414 Test: None Change-Id: I86a85e481e19fdadfed38a42aeac4ffe5f8b83fa
-
Janis Danisevskis authored
This patch adjusts the AndroidKeyStoreProvider to register all services with the correct package names. And the utility functions load keys using the correct Keystore 2.0 methods. Bug: 159476414 Test: None Change-Id: I9268fd66d28e89e188e85991bcf90c7f19809232
-
Janis Danisevskis authored
This patch evolves the Crypto SPI to use the new Keystore 2.0 shim. The main changes are:

* The SPI uses the AIDL defined KeyParameter instead of KeymasterArguments.
* Operations are created directly from the KeystoreSecurityLevel that is part of the AndroidKeyStoreKey object.

Also this patch deletes the DelegatingX509Certificate class. This is no longer needed, because public key operations are no longer performed by Keystore 2.0. We can delegate public certificate operations simply by wrapping such certificates into public keys that are understood by other providers, such as BouncyCastle.

Bug: 159476414 Test: None Change-Id: Ice874a8121d80bf788da059b4e8420c7dd799d81
-
Janis Danisevskis authored
The wire type for key parameters is now generated from AIDL rather than the hand written parcelable KeymasterArguments. So we need some of the utilities for creating key parameters that the latter provided. We also nicked some utility functions from KeymasterUtils. Bug: 159476414 Test: None Change-Id: I12c674b6a00dd3abbed4972d80ceb766a73881e8
-
Janis Danisevskis authored
This patch makes the chunked streamer observe the simplified Keystore 2.0 operation interface. Keystore is now required to consume all supplied data or reject data outright if too much (more than 32KiB) is supplied in a single transaction. This allows for a simplified streamer logic and a simplified interface. We also no longer send entropy to Keystore. This will be handled by the Keystore 2.0 daemon. Test: None Bug: 159476414 Change-Id: Ie75d10fd5d5ac0da60e23e35467d0a7873230dea
-
Janis Danisevskis authored
Keystore 2.0 no longer reports an error code if an operation requires user authorization. Instead this is indicated by sending us an operation challenge. In that case we have to check if the authorization can possibly succeed. We changed the utility class by adding a predicate function that checks exactly that, and we handle other errors separately instead of having one exception handling path that does all. Test: None Bug: 159476414 Change-Id: I9a373cf8f0a0b181df54c26fe314d71b6835bb97
-
Janis Danisevskis authored
KeyStoreKeys can now be constructed from key entry metadata and key descriptors as defined by the new Keystore AIDL spec. AndroidKeystorePublicKey can now create the private key proxy. KeyStoreKeys also cache the key characteristic, which should drastically reduce the frequency by which the SPI has to call into the Keystore 2.0 daemon. Test: None Bug: 159476414 Change-Id: Ia0a7841582621897760be49d39dd5442b70b3aa0
-
Janis Danisevskis authored
This patch adds a shim around the Keystore 2.0 AIDL spec. The new shim is modularized like the AIDL spec into the base Keystore module Keystore2, the security level specific interface KeystoreSecurityLevel, and the operation specific interface KeystoreOperation. Other system maintenance specific interfaces have yet to be added. Bug: 159476414 Bug: 171305684 Test: None Change-Id: I070f73739e4b37ce10568939ac666e40b14a52a8
-
- Nov 13, 2020
-
-
Janis Danisevskis authored
This patch copies the relevant portion of the Keystore SPI to the new package name android.security.keystore2. The purpose of this is to illustrate the evolution from the existing Keystore SPI to the Keystore 2.0 SPI while keeping the existing Keystore SPI intact. Reviewers are advised to check the equivalence of this code to the corresponding files in android/security/keystore (<-- no 2 here). Subsequent patches can then be reviewed as evolution towards the new SPI rather than completely new code. Test: None. When the evolution is complete, Keystore CTS tests can be used to check for regressions. Bug: 159476414 Change-Id: I21a01a679e789868ce820b5f73221e616a456a61
-
- Nov 12, 2020
-
-
Janis Danisevskis authored
This patch adds a forEach function for int arrays to android.security.keystore.ArrayUtils. A utility function with the intended use in Keystore 2.0 Key parameter handling. Test: None Change-Id: I2c02b300ee68fcd548c128deb0266fe603226807
-
- Nov 11, 2020
-
-
Janis Danisevskis authored
This patch adds set/getSecurityLevel to KeyInfo and KeyGenParameterSpec and it deprecates the superseded function isInSecureHardware. It also deprecates the system API set/getUid and replaces it with the more generic set/getNamespace. Test: None Change-Id: Id2f54596510954862b5077a935f3daf07211f29c
-
- Nov 05, 2020
-
-
Janis Danisevskis authored
In anticipation of the new Keystore 2.0 SPI we made this nested class public (like its siblings) so that the new SPI which resides in a different package may access it. It is hidden though because it does not constitute public API surface. Test: None Bug: 171305684 Change-Id: I1dbe3d02c03f97f843813c26c16aaef7152ca478
-