Merge "Use Builder instead for KeyChainProtectionParams." into pi-dev
diff --git a/core/java/android/security/keystore/recovery/KeyChainProtectionParams.java b/core/java/android/security/keystore/recovery/KeyChainProtectionParams.java
index d42424e..2a66206 100644
--- a/core/java/android/security/keystore/recovery/KeyChainProtectionParams.java
+++ b/core/java/android/security/keystore/recovery/KeyChainProtectionParams.java
@@ -94,21 +94,6 @@
private KeyDerivationParams mKeyDerivationParams;
private byte[] mSecret; // Derived from user secret. The field must have limited visibility.
- /**
- * @param secret Constructor creates a reference to the secret. Caller must use
- * @link {#clearSecret} to overwrite its value in memory.
- * @hide
- */
- public KeyChainProtectionParams(@UserSecretType int userSecretType,
- @LockScreenUiFormat int lockScreenUiFormat,
- @NonNull KeyDerivationParams keyDerivationParams,
- @NonNull byte[] secret) {
- mUserSecretType = userSecretType;
- mLockScreenUiFormat = lockScreenUiFormat;
- mKeyDerivationParams = Preconditions.checkNotNull(keyDerivationParams);
- mSecret = Preconditions.checkNotNull(secret);
- }
-
private KeyChainProtectionParams() {
}
@@ -158,6 +143,7 @@
/**
* Sets user secret type.
+ * Default value is {@link TYPE_LOCKSCREEN}.
*
* @see TYPE_LOCKSCREEN
* @param userSecretType The secret type
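Review bot: The added sentence `Default value is {@link TYPE_LOCKSCREEN}.` uses a link target with no class or `#` prefix, which Javadoc generally does not resolve as a field. `{@link #TYPE_LOCKSCREEN}` (or `{@link KeyChainProtectionParams#TYPE_LOCKSCREEN}` if the constant is declared on the outer class) should render correctly, and the existing `@see TYPE_LOCKSCREEN` below has the same form. The hunk also does not show where the default is applied, so it is worth confirming that the builder really initializes the secret type to `TYPE_LOCKSCREEN` rather than leaving the field at its Java default when `setUserSecretType` is never called. The setter's body is outside the hunk.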
@@ -185,7 +171,7 @@
/**
* Sets parameters of the key derivation function.
*
- * @param keyDerivationParams Key derivation Params
+ * @param keyDerivationParams Key derivation parameters
* @return This builder.
*/
public Builder setKeyDerivationParams(@NonNull KeyDerivationParams
diff --git a/core/java/android/security/keystore/recovery/KeyChainSnapshot.java b/core/java/android/security/keystore/recovery/KeyChainSnapshot.java
index ccb627e..24ff182 100644
--- a/core/java/android/security/keystore/recovery/KeyChainSnapshot.java
+++ b/core/java/android/security/keystore/recovery/KeyChainSnapshot.java
@@ -252,12 +252,12 @@
/**
* Sets UI and key derivation parameters
*
- * @param recoveryMetadata The UI and key derivation parameters
+ * @param keyChainProtectionParams The UI and key derivation parameters
* @return This builder.
*/
public Builder setKeyChainProtectionParams(
- @NonNull List<KeyChainProtectionParams> recoveryMetadata) {
- mInstance.mKeyChainProtectionParams = recoveryMetadata;
+ @NonNull List<KeyChainProtectionParams> keyChainProtectionParams) {
+ mInstance.mKeyChainProtectionParams = keyChainProtectionParams;
return this;
}
@@ -292,7 +292,7 @@
*/
@NonNull public KeyChainSnapshot build() {
Preconditions.checkCollectionElementsNotNull(mInstance.mKeyChainProtectionParams,
- "recoveryMetadata");
+ "keyChainProtectionParams");
Preconditions.checkCollectionElementsNotNull(mInstance.mEntryRecoveryData,
"entryRecoveryData");
Preconditions.checkNotNull(mInstance.mEncryptedRecoveryKeyBlob);
diff --git a/core/java/android/security/keystore/recovery/RecoveryController.java b/core/java/android/security/keystore/recovery/RecoveryController.java
index 61b4dd8..ab52d32 100644
--- a/core/java/android/security/keystore/recovery/RecoveryController.java
+++ b/core/java/android/security/keystore/recovery/RecoveryController.java
@@ -159,7 +159,7 @@
* Gets a new instance of the class.
*/
@RequiresPermission(android.Manifest.permission.RECOVER_KEYSTORE)
- public static RecoveryController getInstance(Context context) {
+ @NonNull public static RecoveryController getInstance(@NonNull Context context) {
ILockSettings lockSettings =
ILockSettings.Stub.asInterface(ServiceManager.getService("lock_settings"));
return new RecoveryController(lockSettings, KeyStore.getInstance());
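Review bot: The new `@NonNull` on `context` is advisory only, and the visible body never reads `context`, so a null argument is silently accepted. Either enforce the contract or state in the Javadoc that the parameter is currently unused. Separately, `ServiceManager.getService("lock_settings")` can return null when the service is not registered, in which case the returned controller is non-null but wraps a null `ILockSettings` and fails only on first use. The Javadoc could also say that `@RequiresPermission` is a lint hint and that the actual check appears to happen in the service, since the manager test in this change verifies `enforceCallingOrSelfPermission`. The method's closing brace is outside the hunk.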
diff --git a/services/tests/servicestests/src/com/android/server/locksettings/recoverablekeystore/RecoverableKeyStoreManagerTest.java b/services/tests/servicestests/src/com/android/server/locksettings/recoverablekeystore/RecoverableKeyStoreManagerTest.java
index 445e50a..b7ce59d 100644
--- a/services/tests/servicestests/src/com/android/server/locksettings/recoverablekeystore/RecoverableKeyStoreManagerTest.java
+++ b/services/tests/servicestests/src/com/android/server/locksettings/recoverablekeystore/RecoverableKeyStoreManagerTest.java
@@ -144,6 +144,13 @@
private static final String ANDROID_KEY_STORE_PROVIDER = "AndroidKeyStore";
private static final String WRAPPING_KEY_ALIAS = "RecoverableKeyStoreManagerTest/WrappingKey";
private static final String TEST_ROOT_CERT_ALIAS = "";
+ private static final KeyChainProtectionParams TEST_PROTECTION_PARAMS =
+ new KeyChainProtectionParams.Builder()
+ .setUserSecretType(TYPE_LOCKSCREEN)
+ .setLockScreenUiFormat(UI_FORMAT_PASSWORD)
+ .setKeyDerivationParams(KeyDerivationParams.createSha256Params(TEST_SALT))
+ .setSecret(TEST_SECRET)
+ .build();
@Mock private Context mMockContext;
@Mock private RecoverySnapshotListenersStorage mMockListenersStorage;
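Review bot: `TEST_PROTECTION_PARAMS` is now a single static instance shared by every test, and it wraps `TEST_SECRET`, a mutable `byte[]`. The constructor Javadoc removed in this same change says the object keeps a reference to the secret and expects callers to wipe it via `clearSecret`. If `startRecoverySession` or any later code path zeroes the secret or clears the params, subsequent tests would run with a wiped secret and their outcome would depend on execution order. The hunk does not show whether `setSecret` copies the array. A small factory such as `createTestProtectionParams()` that builds a fresh instance with `.setSecret(TEST_SECRET.clone())` keeps the deduplication without sharing secret state, and the same applies to every `ImmutableList.of(TEST_PROTECTION_PARAMS)` call site in the hunks below.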
@@ -459,12 +466,7 @@
TEST_PUBLIC_KEY,
TEST_VAULT_PARAMS,
TEST_VAULT_CHALLENGE,
- ImmutableList.of(
- new KeyChainProtectionParams(
- TYPE_LOCKSCREEN,
- UI_FORMAT_PASSWORD,
- KeyDerivationParams.createSha256Params(TEST_SALT),
- TEST_SECRET)));
+ ImmutableList.of(TEST_PROTECTION_PARAMS));
verify(mMockContext, times(1))
.enforceCallingOrSelfPermission(
@@ -481,12 +483,7 @@
RecoveryCertPath.createRecoveryCertPath(TestData.CERT_PATH_1),
TEST_VAULT_PARAMS,
TEST_VAULT_CHALLENGE,
- ImmutableList.of(
- new KeyChainProtectionParams(
- TYPE_LOCKSCREEN,
- UI_FORMAT_PASSWORD,
- KeyDerivationParams.createSha256Params(TEST_SALT),
- TEST_SECRET)));
+ ImmutableList.of(TEST_PROTECTION_PARAMS));
assertEquals(1, mRecoverySessionStorage.size());
RecoverySessionStorage.Entry entry =
@@ -503,12 +500,7 @@
RecoveryCertPath.createRecoveryCertPath(TestData.CERT_PATH_1),
TEST_VAULT_PARAMS,
TEST_VAULT_CHALLENGE,
- ImmutableList.of(
- new KeyChainProtectionParams(
- TYPE_LOCKSCREEN,
- UI_FORMAT_PASSWORD,
- KeyDerivationParams.createSha256Params(TEST_SALT),
- TEST_SECRET)));
+ ImmutableList.of(TEST_PROTECTION_PARAMS));
verify(mMockContext, times(2))
.enforceCallingOrSelfPermission(
@@ -522,12 +514,7 @@
TEST_PUBLIC_KEY,
TEST_VAULT_PARAMS,
TEST_VAULT_CHALLENGE,
- ImmutableList.of(
- new KeyChainProtectionParams(
- TYPE_LOCKSCREEN,
- UI_FORMAT_PASSWORD,
- KeyDerivationParams.createSha256Params(TEST_SALT),
- TEST_SECRET)));
+ ImmutableList.of(TEST_PROTECTION_PARAMS));
assertEquals(1, mRecoverySessionStorage.size());
RecoverySessionStorage.Entry entry =
@@ -543,12 +530,7 @@
TEST_PUBLIC_KEY,
TEST_VAULT_PARAMS,
TEST_VAULT_CHALLENGE,
- ImmutableList.of(
- new KeyChainProtectionParams(
- TYPE_LOCKSCREEN,
- UI_FORMAT_PASSWORD,
- KeyDerivationParams.createSha256Params(TEST_SALT),
- TEST_SECRET)));
+ ImmutableList.of(TEST_PROTECTION_PARAMS));
mRecoverableKeyStoreManager.closeSession(TEST_SESSION_ID);
@@ -562,12 +544,7 @@
TEST_PUBLIC_KEY,
TEST_VAULT_PARAMS,
TEST_VAULT_CHALLENGE,
- ImmutableList.of(
- new KeyChainProtectionParams(
- TYPE_LOCKSCREEN,
- UI_FORMAT_PASSWORD,
- KeyDerivationParams.createSha256Params(TEST_SALT),
- TEST_SECRET)));
+ ImmutableList.of(TEST_PROTECTION_PARAMS));
mRecoverableKeyStoreManager.closeSession("some random session");
@@ -604,18 +581,14 @@
public void startRecoverySession_throwsIfPublicKeysMismatch() throws Exception {
byte[] vaultParams = TEST_VAULT_PARAMS.clone();
vaultParams[1] ^= (byte) 1; // Flip 1 bit
+
try {
mRecoverableKeyStoreManager.startRecoverySession(
TEST_SESSION_ID,
TEST_PUBLIC_KEY,
vaultParams,
TEST_VAULT_CHALLENGE,
- ImmutableList.of(
- new KeyChainProtectionParams(
- TYPE_LOCKSCREEN,
- UI_FORMAT_PASSWORD,
- KeyDerivationParams.createSha256Params(TEST_SALT),
- TEST_SECRET)));
+ ImmutableList.of(TEST_PROTECTION_PARAMS));
fail("should have thrown");
} catch (ServiceSpecificException e) {
assertThat(e.getMessage()).contains("do not match");
@@ -650,12 +623,7 @@
RecoveryCertPath.createRecoveryCertPath(TestData.CERT_PATH_1),
vaultParams,
TEST_VAULT_CHALLENGE,
- ImmutableList.of(
- new KeyChainProtectionParams(
- TYPE_LOCKSCREEN,
- UI_FORMAT_PASSWORD,
- KeyDerivationParams.createSha256Params(TEST_SALT),
- TEST_SECRET)));
+ ImmutableList.of(TEST_PROTECTION_PARAMS));
fail("should have thrown");
} catch (ServiceSpecificException e) {
assertThat(e.getMessage()).contains("do not match");
@@ -673,12 +641,7 @@
RecoveryCertPath.createRecoveryCertPath(emptyCertPath),
TEST_VAULT_PARAMS,
TEST_VAULT_CHALLENGE,
- ImmutableList.of(
- new KeyChainProtectionParams(
- TYPE_LOCKSCREEN,
- UI_FORMAT_PASSWORD,
- KeyDerivationParams.createSha256Params(TEST_SALT),
- TEST_SECRET)));
+ ImmutableList.of(TEST_PROTECTION_PARAMS));
fail("should have thrown");
} catch (ServiceSpecificException e) {
assertThat(e.getMessage()).contains("empty");
@@ -698,12 +661,7 @@
RecoveryCertPath.createRecoveryCertPath(shortCertPath),
TEST_VAULT_PARAMS,
TEST_VAULT_CHALLENGE,
- ImmutableList.of(
- new KeyChainProtectionParams(
- TYPE_LOCKSCREEN,
- UI_FORMAT_PASSWORD,
- KeyDerivationParams.createSha256Params(TEST_SALT),
- TEST_SECRET)));
+ ImmutableList.of(TEST_PROTECTION_PARAMS));
fail("should have thrown");
} catch (ServiceSpecificException e) {
// expected
@@ -734,11 +692,7 @@
TEST_PUBLIC_KEY,
TEST_VAULT_PARAMS,
TEST_VAULT_CHALLENGE,
- ImmutableList.of(new KeyChainProtectionParams(
- TYPE_LOCKSCREEN,
- UI_FORMAT_PASSWORD,
- KeyDerivationParams.createSha256Params(TEST_SALT),
- TEST_SECRET)));
+ ImmutableList.of(TEST_PROTECTION_PARAMS));
try {
mRecoverableKeyStoreManager.recoverKeyChainSnapshot(
@@ -758,11 +712,7 @@
TEST_PUBLIC_KEY,
TEST_VAULT_PARAMS,
TEST_VAULT_CHALLENGE,
- ImmutableList.of(new KeyChainProtectionParams(
- TYPE_LOCKSCREEN,
- UI_FORMAT_PASSWORD,
- KeyDerivationParams.createSha256Params(TEST_SALT),
- TEST_SECRET)));
+ ImmutableList.of(TEST_PROTECTION_PARAMS));
byte[] keyClaimant = mRecoverySessionStorage.get(Binder.getCallingUid(), TEST_SESSION_ID)
.getKeyClaimant();
SecretKey recoveryKey = randomRecoveryKey();
@@ -792,11 +742,7 @@
TEST_PUBLIC_KEY,
TEST_VAULT_PARAMS,
TEST_VAULT_CHALLENGE,
- ImmutableList.of(new KeyChainProtectionParams(
- TYPE_LOCKSCREEN,
- UI_FORMAT_PASSWORD,
- KeyDerivationParams.createSha256Params(TEST_SALT),
- TEST_SECRET)));
+ ImmutableList.of(TEST_PROTECTION_PARAMS));
byte[] keyClaimant = mRecoverySessionStorage.get(Binder.getCallingUid(), TEST_SESSION_ID)
.getKeyClaimant();
SecretKey recoveryKey = randomRecoveryKey();
@@ -816,11 +762,7 @@
TEST_PUBLIC_KEY,
TEST_VAULT_PARAMS,
TEST_VAULT_CHALLENGE,
- ImmutableList.of(new KeyChainProtectionParams(
- TYPE_LOCKSCREEN,
- UI_FORMAT_PASSWORD,
- KeyDerivationParams.createSha256Params(TEST_SALT),
- TEST_SECRET)));
+ ImmutableList.of(TEST_PROTECTION_PARAMS));
byte[] keyClaimant = mRecoverySessionStorage.get(Binder.getCallingUid(), TEST_SESSION_ID)
.getKeyClaimant();
SecretKey recoveryKey = randomRecoveryKey();
@@ -850,11 +792,7 @@
TEST_PUBLIC_KEY,
TEST_VAULT_PARAMS,
TEST_VAULT_CHALLENGE,
- ImmutableList.of(new KeyChainProtectionParams(
- TYPE_LOCKSCREEN,
- UI_FORMAT_PASSWORD,
- KeyDerivationParams.createSha256Params(TEST_SALT),
- TEST_SECRET)));
+ ImmutableList.of(TEST_PROTECTION_PARAMS));
byte[] keyClaimant = mRecoverySessionStorage.get(Binder.getCallingUid(), TEST_SESSION_ID)
.getKeyClaimant();
SecretKey recoveryKey = randomRecoveryKey();
diff --git a/services/tests/servicestests/src/com/android/server/locksettings/recoverablekeystore/storage/RecoverySnapshotStorageTest.java b/services/tests/servicestests/src/com/android/server/locksettings/recoverablekeystore/storage/RecoverySnapshotStorageTest.java
index d61a294..ead817a 100644
--- a/services/tests/servicestests/src/com/android/server/locksettings/recoverablekeystore/storage/RecoverySnapshotStorageTest.java
+++ b/services/tests/servicestests/src/com/android/server/locksettings/recoverablekeystore/storage/RecoverySnapshotStorageTest.java
@@ -15,6 +15,15 @@
@SmallTest
@RunWith(AndroidJUnit4.class)
public class RecoverySnapshotStorageTest {
+ private static final KeyChainSnapshot MINIMAL_KEYCHAIN_SNAPSHOT = new KeyChainSnapshot.Builder()
+ .setCounterId(1)
+ .setSnapshotVersion(1)
+ .setServerParams(new byte[0])
+ .setMaxAttempts(10)
+ .setEncryptedRecoveryKeyBlob(new byte[0])
+ .setKeyChainProtectionParams(new ArrayList<>())
+ .setWrappedApplicationKeys(new ArrayList<>())
+ .build();
private final RecoverySnapshotStorage mRecoverySnapshotStorage = new RecoverySnapshotStorage();
@@ -26,26 +35,17 @@
@Test
public void get_returnsSetSnapshot() {
int userId = 1000;
- KeyChainSnapshot keyChainSnapshot = new KeyChainSnapshot(
- /*snapshotVersion=*/ 1,
- new ArrayList<>(),
- new ArrayList<>(),
- new byte[0]);
- mRecoverySnapshotStorage.put(userId, keyChainSnapshot);
- assertEquals(keyChainSnapshot, mRecoverySnapshotStorage.get(userId));
+ mRecoverySnapshotStorage.put(userId, MINIMAL_KEYCHAIN_SNAPSHOT);
+
+ assertEquals(MINIMAL_KEYCHAIN_SNAPSHOT, mRecoverySnapshotStorage.get(userId));
}
@Test
public void remove_removesSnapshots() {
int userId = 1000;
- KeyChainSnapshot keyChainSnapshot = new KeyChainSnapshot(
- /*snapshotVersion=*/ 1,
- new ArrayList<>(),
- new ArrayList<>(),
- new byte[0]);
- mRecoverySnapshotStorage.put(userId, keyChainSnapshot);
+ mRecoverySnapshotStorage.put(userId, MINIMAL_KEYCHAIN_SNAPSHOT);
mRecoverySnapshotStorage.remove(userId);
assertNull(mRecoverySnapshotStorage.get(1000));