• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 /*
2  * Copyright (C) 2017 The Android Open Source Project
3  *
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at
7  *
8  *      http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */
16 
17 package android.security.keystore.recovery;
18 
19 import android.annotation.NonNull;
20 import android.annotation.Nullable;
21 import android.annotation.RequiresPermission;
22 import android.annotation.SystemApi;
23 import android.app.KeyguardManager;
24 import android.app.PendingIntent;
25 import android.content.Context;
26 import android.os.RemoteException;
27 import android.os.ServiceManager;
28 import android.os.ServiceSpecificException;
29 import android.security.KeyStore;
30 import android.security.keystore.AndroidKeyStoreProvider;
31 import android.security.keystore.KeyPermanentlyInvalidatedException;
32 
33 import com.android.internal.widget.ILockSettings;
34 
35 import java.security.Key;
36 import java.security.UnrecoverableKeyException;
37 import java.security.cert.CertPath;
38 import java.security.cert.CertificateException;
39 import java.security.cert.X509Certificate;
40 import java.util.ArrayList;
41 import java.util.List;
42 import java.util.Map;
43 
44 /**
45  * Backs up cryptographic keys to remote secure hardware, encrypted with the user's lock screen.
46  *
47  * <p>A system app with the {@code android.permission.RECOVER_KEYSTORE} permission may generate or
48  * import recoverable keys using this class. To generate a key, the app must call
49  * {@link #generateKey(String)} with the desired alias for the key. This returns an AndroidKeyStore
50  * reference to a 256-bit {@link javax.crypto.SecretKey}, which can be used for AES/GCM/NoPadding.
51  * In order to get the same key again at a later time, the app can call {@link #getKey(String)} with
52  * the same alias. If a key is generated in this way the key's raw material is never directly
53  * exposed to the calling app. The system app may also import key material using
54  * {@link #importKey(String, byte[])}. The app may only generate and import keys for its own
55  * {@code uid}.
56  *
57  * <p>The same system app must also register a Recovery Agent to manage syncing recoverable keys to
58  * remote secure hardware. The Recovery Agent is a service that registers itself with the controller
59  * as follows:
60  *
61  * <ul>
62  *     <li>Invokes {@link #initRecoveryService(String, byte[], byte[])}
63  *     <ul>
64  *         <li>The first argument is the alias of the root certificate used to verify trusted
65  *         hardware modules. Each trusted hardware module must have a public key signed with this
66  *         root of trust. Roots of trust must be shipped with the framework. The app can list all
67  *         valid roots of trust by calling {@link #getRootCertificates()}.
68  *         <li>The second argument is the UTF-8 bytes of the XML listing file. It lists the X509
69  *         certificates containing the public keys of all available remote trusted hardware modules.
70  *         Each of the X509 certificates can be validated against the chosen root of trust.
71  *         <li>The third argument is the UTF-8 bytes of the XML signing file. The file contains a
72  *         signature of the XML listing file. The signature can be validated against the chosen root
73  *         of trust.
74  *     </ul>
75  *     <p>This will cause the controller to choose a random public key from the list. From then
76  *     on the controller will attempt to sync the key chain with the trusted hardware module to whom
77  *     that key belongs.
78  *     <li>Invokes {@link #setServerParams(byte[])} with a byte string that identifies the device
79  *     to a remote server. This server may act as the front-end to the trusted hardware modules. It
80  *     is up to the Recovery Agent to decide how best to identify devices, but this could be, e.g.,
81  *     based on the <a href="https://developers.google.com/instance-id/">Instance ID</a> of the
82  *     system app.
83  *     <li>Invokes {@link #setRecoverySecretTypes(int[])} with a list of types of secret used to
84  *     secure the recoverable key chain. For now only
85  *     {@link KeyChainProtectionParams#TYPE_LOCKSCREEN} is supported.
86  *     <li>Invokes {@link #setSnapshotCreatedPendingIntent(PendingIntent)} with a
87  *     {@link PendingIntent} that is to be invoked whenever a new snapshot is created. Although the
88  *     controller can create snapshots without the Recovery Agent registering this intent, it is a
89  *     good idea to register the intent so that the Recovery Agent is able to sync this snapshot to
90  *     the trusted hardware module as soon as it is available.
91  * </ul>
92  *
93  * <p>The trusted hardware module's public key MUST be generated on secure hardware with protections
94  * equivalent to those described in the
95  * <a href="https://developer.android.com/preview/features/security/ckv-whitepaper.html">Google
96  * Cloud Key Vault Service whitepaper</a>. The trusted hardware module itself must protect the key
97  * chain from brute-forcing using the methods also described in the whitepaper: i.e., it should
98  * limit the number of allowed attempts to enter the lock screen. If the number of attempts is
99  * exceeded the key material must no longer be recoverable.
100  *
101  * <p>A recoverable key chain snapshot is considered pending if any of the following conditions
102  * are met:
103  *
104  * <ul>
105  *     <li>The system app mutates the key chain. i.e., generates, imports, or removes a key.
106  *     <li>The user changes their lock screen.
107  * </ul>
108  *
109  * <p>Whenever the user unlocks their device, if a snapshot is pending, the Recovery Controller
110  * generates a new snapshot. It follows these steps to do so:
111  *
112  * <ul>
113  *     <li>Generates a 256-bit AES key using {@link java.security.SecureRandom}. This is the
114  *     Recovery Key.
115  *     <li>Wraps the key material of all keys in the recoverable key chain with the Recovery Key.
116  *     <li>Encrypts the Recovery Key with both the public key of the trusted hardware module and a
117  *     symmetric key derived from the user's lock screen.
118  * </ul>
119  *
120  * <p>The controller then writes this snapshot to disk, and uses the {@link PendingIntent} that was
121  * set by the Recovery Agent during initialization to inform it that a new snapshot is available.
122  * The snapshot only contains keys for that Recovery Agent's {@code uid} - i.e., keys the agent's
123  * app itself generated. If multiple Recovery Agents exist on the device, each will be notified of
124  * their new snapshots, and each snapshots' keys will be only those belonging to the same
125  * {@code uid}.
126  *
127  * <p>The Recovery Agent retrieves its most recent snapshot by calling
128  * {@link #getKeyChainSnapshot()}. It syncs the snapshot to the remote server. The snapshot contains
129  * the public key used for encryption, which the server uses to forward the encrypted recovery key
130  * to the correct trusted hardware module. The snapshot also contains the server params, which are
131  * used to identify this device to the server.
132  *
133  * <p>The client uses the server params to identify a device whose key chain it wishes to restore.
134  * This may be on a different device to the device that originally synced the key chain. The client
135  * sends the server params identifying the previous device to the server. The server returns the
136  * X509 certificate identifying the trusted hardware module in which the encrypted Recovery Key is
137  * stored. It also returns some vault parameters identifying that particular Recovery Key to the
138  * trusted hardware module. And it also returns a vault challenge, which is used as part of the
139  * vault opening protocol to ensure the recovery claim is fresh. See the whitepaper for more
140  * details.
141  *
142  * <p>The key chain is recovered via a {@link RecoverySession}. A Recovery Agent creates one by
143  * invoking {@link #createRecoverySession()}. It then invokes
144  * {@link RecoverySession#start(String, CertPath, byte[], byte[], List)} with these arguments:
145  *
146  * <ul>
147  *     <li>The alias of the root of trust used to verify the trusted hardware module.
148  *     <li>The X509 certificate of the trusted hardware module.
149  *     <li>The vault parameters used to identify the Recovery Key to the trusted hardware module.
150  *     <li>The vault challenge, as issued by the trusted hardware module.
151  *     <li>A list of secrets, corresponding to the secrets used to protect the key chain. At the
152  *     moment this is a single {@link KeyChainProtectionParams} containing the lock screen of the
153  *     device whose key chain is to be recovered.
154  * </ul>
155  *
156  * <p>This method returns a byte array containing the Recovery Claim, which can be issued to the
157  * remote trusted hardware module. It is encrypted with the trusted hardware module's public key
158  * (which has itself been certified with the root of trust). It also contains an ephemeral symmetric
159  * key generated for this recovery session, which the remote trusted hardware module uses to encrypt
160  * its responses. This is the Session Key.
161  *
162  * <p>If the lock screen provided is correct, the remote trusted hardware module decrypts one of the
163  * layers of lock-screen encryption from the Recovery Key. It then returns this key, encrypted with
164  * the Session Key to the Recovery Agent. As the Recovery Agent does not know the Session Key, it
165  * must then invoke {@link RecoverySession#recoverKeyChainSnapshot(byte[], List)} with the encrypted
166  * Recovery Key and the list of wrapped application keys. The controller then decrypts the layer of
167  * encryption provided by the Session Key, and uses the lock screen to decrypt the final layer of
168  * encryption. It then uses the Recovery Key to decrypt all of the wrapped application keys, and
169  * imports them into its own KeyStore. The Recovery Agent's app may then access these keys by
170  * calling {@link #getKey(String)}. Only this app's {@code uid} may access the keys that have been
171  * recovered.
172  *
173  * @hide
174  */
175 @SystemApi
176 public class RecoveryController {
177     private static final String TAG = "RecoveryController";
178 
179     /** Key has been successfully synced. */
180     public static final int RECOVERY_STATUS_SYNCED = 0;
181     /** Waiting for recovery agent to sync the key. */
182     public static final int RECOVERY_STATUS_SYNC_IN_PROGRESS = 1;
183     /** Key cannot be synced. */
184     public static final int RECOVERY_STATUS_PERMANENT_FAILURE = 3;
185 
186     /**
187      * Failed because no snapshot is yet pending to be synced for the user.
188      *
189      * @hide
190      */
191     public static final int ERROR_NO_SNAPSHOT_PENDING = 21;
192 
193     /**
194      * Failed due to an error internal to the recovery service. This is unexpected and indicates
195      * either a problem with the logic in the service, or a problem with a dependency of the
196      * service (such as AndroidKeyStore).
197      *
198      * @hide
199      */
200     public static final int ERROR_SERVICE_INTERNAL_ERROR = 22;
201 
202     /**
203      * Failed because the user does not have a lock screen set.
204      *
205      * @hide
206      */
207     public static final int ERROR_INSECURE_USER = 23;
208 
209     /**
210      * Error thrown when attempting to use a recovery session that has since been closed.
211      *
212      * @hide
213      */
214     public static final int ERROR_SESSION_EXPIRED = 24;
215 
216     /**
217      * Failed because the format of the provided certificate is incorrect, e.g., cannot be decoded
218      * properly or misses necessary fields.
219      *
220      * <p>Note that this is different from {@link #ERROR_INVALID_CERTIFICATE}, which implies the
221      * certificate has a correct format but cannot be validated.
222      *
223      * @hide
224      */
225     public static final int ERROR_BAD_CERTIFICATE_FORMAT = 25;
226 
227     /**
228      * Error thrown if decryption failed. This might be because the tag is wrong, the key is wrong,
229      * the data has become corrupted, the data has been tampered with, etc.
230      *
231      * @hide
232      */
233     public static final int ERROR_DECRYPTION_FAILED = 26;
234 
235     /**
236      * Error thrown if the format of a given key is invalid. This might be because the key has a
237      * wrong length, invalid content, etc.
238      *
239      * @hide
240      */
241     public static final int ERROR_INVALID_KEY_FORMAT = 27;
242 
243     /**
244      * Failed because the provided certificate cannot be validated, e.g., is expired or has invalid
245      * signatures.
246      *
247      * <p>Note that this is different from {@link #ERROR_BAD_CERTIFICATE_FORMAT}, which denotes
248      * incorrect certificate formats, e.g., due to wrong encoding or structure.
249      *
250      * @hide
251      */
252     public static final int ERROR_INVALID_CERTIFICATE = 28;
253 
254 
255     /**
256      * Failed because the provided certificate contained serial version which is lower that the
257      * version device is already initialized with. It is not possible to downgrade serial version of
258      * the provided certificate.
259      *
260      * @hide
261      */
262     public static final int ERROR_DOWNGRADE_CERTIFICATE = 29;
263 
264     private final ILockSettings mBinder;
265     private final KeyStore mKeyStore;
266 
RecoveryController(ILockSettings binder, KeyStore keystore)267     private RecoveryController(ILockSettings binder, KeyStore keystore) {
268         mBinder = binder;
269         mKeyStore = keystore;
270     }
271 
272     /**
273      * Internal method used by {@code RecoverySession}.
274      *
275      * @hide
276      */
getBinder()277     ILockSettings getBinder() {
278         return mBinder;
279     }
280 
281     /**
282      * Gets a new instance of the class.
283      */
284     @RequiresPermission(android.Manifest.permission.RECOVER_KEYSTORE)
getInstance(@onNull Context context)285     @NonNull public static RecoveryController getInstance(@NonNull Context context) {
286         // lockSettings may be null.
287         ILockSettings lockSettings =
288                 ILockSettings.Stub.asInterface(ServiceManager.getService("lock_settings"));
289         return new RecoveryController(lockSettings, KeyStore.getInstance());
290     }
291 
292     /**
293      * Checks whether the recoverable key store is currently available.
294      *
295      * <p>If it returns true, the device must currently be using a screen lock that is supported for
296      * use with the recoverable key store, i.e. AOSP PIN, pattern or password.
297      */
298     @RequiresPermission(android.Manifest.permission.RECOVER_KEYSTORE)
isRecoverableKeyStoreEnabled(@onNull Context context)299     public static boolean isRecoverableKeyStoreEnabled(@NonNull Context context) {
300         KeyguardManager keyguardManager = context.getSystemService(KeyguardManager.class);
301         return keyguardManager != null && keyguardManager.isDeviceSecure();
302     }
303 
304     /**
305      * Initializes the recovery service for the calling application. The detailed steps should be:
306      * <ol>
307      *     <li>Parse {@code signatureFile} to get relevant information.
308      *     <li>Validate the signer's X509 certificate, contained in {@code signatureFile}, against
309      *         the root certificate pre-installed in the OS and chosen by {@code
310      *         rootCertificateAlias}.
311      *     <li>Verify the public-key signature, contained in {@code signatureFile}, and verify it
312      *         against the entire {@code certificateFile}.
313      *     <li>Parse {@code certificateFile} to get relevant information.
314      *     <li>Check the serial number, contained in {@code certificateFile}, and skip the following
315      *         steps if the serial number is not larger than the one previously stored.
316      *     <li>Randomly choose a X509 certificate from the endpoint X509 certificates, contained in
317      *         {@code certificateFile}, and validate it against the root certificate pre-installed
318      *         in the OS and chosen by {@code rootCertificateAlias}.
319      *     <li>Store the chosen X509 certificate and the serial in local database for later use.
320      * </ol>
321      *
322      * @param rootCertificateAlias the alias of a root certificate pre-installed in the OS
323      * @param certificateFile the binary content of the XML file containing a list of recovery
324      *     service X509 certificates, and other metadata including the serial number
325      * @param signatureFile the binary content of the XML file containing the public-key signature
326      *     of the entire certificate file, and a signer's X509 certificate
327      * @throws CertificateException if the given certificate files cannot be parsed or validated
328      * @throws InternalRecoveryServiceException if an unexpected error occurred in the recovery
329      *     service.
330      */
331     @RequiresPermission(android.Manifest.permission.RECOVER_KEYSTORE)
initRecoveryService( @onNull String rootCertificateAlias, @NonNull byte[] certificateFile, @NonNull byte[] signatureFile)332     public void initRecoveryService(
333             @NonNull String rootCertificateAlias, @NonNull byte[] certificateFile,
334             @NonNull byte[] signatureFile)
335             throws CertificateException, InternalRecoveryServiceException {
336         try {
337             mBinder.initRecoveryServiceWithSigFile(
338                     rootCertificateAlias, certificateFile, signatureFile);
339         } catch (RemoteException e) {
340             throw e.rethrowFromSystemServer();
341         } catch (ServiceSpecificException e) {
342             if (e.errorCode == ERROR_BAD_CERTIFICATE_FORMAT
343                     || e.errorCode == ERROR_INVALID_CERTIFICATE) {
344                 throw new CertificateException("Invalid certificate for recovery service", e);
345             }
346             if (e.errorCode == ERROR_DOWNGRADE_CERTIFICATE) {
347                 throw new CertificateException(
348                         "Downgrading certificate serial version isn't supported.", e);
349             }
350             throw wrapUnexpectedServiceSpecificException(e);
351         }
352     }
353 
354     /**
355      * Returns data necessary to store all recoverable keys. Key material is
356      * encrypted with user secret and recovery public key.
357      *
358      * @return Data necessary to recover keystore or {@code null} if snapshot is not available.
359      * @throws InternalRecoveryServiceException if an unexpected error occurred in the recovery
360      *     service.
361      */
362     @RequiresPermission(android.Manifest.permission.RECOVER_KEYSTORE)
getKeyChainSnapshot()363     public @Nullable KeyChainSnapshot getKeyChainSnapshot()
364             throws InternalRecoveryServiceException {
365         try {
366             return mBinder.getKeyChainSnapshot();
367         } catch (RemoteException e) {
368             throw e.rethrowFromSystemServer();
369         } catch (ServiceSpecificException e) {
370             if (e.errorCode == ERROR_NO_SNAPSHOT_PENDING) {
371                 return null;
372             }
373             throw wrapUnexpectedServiceSpecificException(e);
374         }
375     }
376 
377     /**
378      * Sets a listener which notifies recovery agent that new recovery snapshot is available. {@link
379      * #getKeyChainSnapshot} can be used to get the snapshot. Note that every recovery agent can
380      * have at most one registered listener at any time.
381      *
382      * @param intent triggered when new snapshot is available. Unregisters listener if the value is
383      *     {@code null}.
384      * @throws InternalRecoveryServiceException if an unexpected error occurred in the recovery
385      *     service.
386      */
387     @RequiresPermission(android.Manifest.permission.RECOVER_KEYSTORE)
setSnapshotCreatedPendingIntent(@ullable PendingIntent intent)388     public void setSnapshotCreatedPendingIntent(@Nullable PendingIntent intent)
389             throws InternalRecoveryServiceException {
390         try {
391             mBinder.setSnapshotCreatedPendingIntent(intent);
392         } catch (RemoteException e) {
393             throw e.rethrowFromSystemServer();
394         } catch (ServiceSpecificException e) {
395             throw wrapUnexpectedServiceSpecificException(e);
396         }
397     }
398 
399     /**
400      * Server parameters used to generate new recovery key blobs. This value will be included in
401      * {@code KeyChainSnapshot.getEncryptedRecoveryKeyBlob()}. The same value must be included
402      * in vaultParams {@link RecoverySession#start(CertPath, byte[], byte[], List)}.
403      *
404      * @param serverParams included in recovery key blob.
405      * @see #getKeyChainSnapshot
406      * @throws InternalRecoveryServiceException if an unexpected error occurred in the recovery
407      *     service.
408      */
409     @RequiresPermission(android.Manifest.permission.RECOVER_KEYSTORE)
setServerParams(@onNull byte[] serverParams)410     public void setServerParams(@NonNull byte[] serverParams)
411             throws InternalRecoveryServiceException {
412         try {
413             mBinder.setServerParams(serverParams);
414         } catch (RemoteException e) {
415             throw e.rethrowFromSystemServer();
416         } catch (ServiceSpecificException e) {
417             throw wrapUnexpectedServiceSpecificException(e);
418         }
419     }
420 
421     /**
422      * Returns a list of aliases of keys belonging to the application.
423      */
424     @RequiresPermission(android.Manifest.permission.RECOVER_KEYSTORE)
getAliases()425     public @NonNull List<String> getAliases() throws InternalRecoveryServiceException {
426         try {
427             Map<String, Integer> allStatuses = mBinder.getRecoveryStatus();
428             return new ArrayList<>(allStatuses.keySet());
429         } catch (RemoteException e) {
430             throw e.rethrowFromSystemServer();
431         } catch (ServiceSpecificException e) {
432             throw wrapUnexpectedServiceSpecificException(e);
433         }
434     }
435 
436     /**
437      * Sets the recovery status for given key. It is used to notify the keystore that the key was
438      * successfully stored on the server or that there was an error. An application can check this
439      * value using {@link #getRecoveryStatus(String, String)}.
440      *
441      * @param alias The alias of the key whose status to set.
442      * @param status The status of the key. One of {@link #RECOVERY_STATUS_SYNCED},
443      *     {@link #RECOVERY_STATUS_SYNC_IN_PROGRESS} or {@link #RECOVERY_STATUS_PERMANENT_FAILURE}.
444      * @throws InternalRecoveryServiceException if an unexpected error occurred in the recovery
445      *     service.
446      */
447     @RequiresPermission(android.Manifest.permission.RECOVER_KEYSTORE)
setRecoveryStatus(@onNull String alias, int status)448     public void setRecoveryStatus(@NonNull String alias, int status)
449             throws InternalRecoveryServiceException {
450         try {
451             mBinder.setRecoveryStatus(alias, status);
452         } catch (RemoteException e) {
453             throw e.rethrowFromSystemServer();
454         } catch (ServiceSpecificException e) {
455             throw wrapUnexpectedServiceSpecificException(e);
456         }
457     }
458 
459     /**
460      * Returns the recovery status for the key with the given {@code alias}.
461      *
462      * <ul>
463      *   <li>{@link #RECOVERY_STATUS_SYNCED}
464      *   <li>{@link #RECOVERY_STATUS_SYNC_IN_PROGRESS}
465      *   <li>{@link #RECOVERY_STATUS_PERMANENT_FAILURE}
466      * </ul>
467      *
468      * @see #setRecoveryStatus(String, int)
469      * @throws InternalRecoveryServiceException if an unexpected error occurred in the recovery
470      *     service.
471      */
472     @RequiresPermission(android.Manifest.permission.RECOVER_KEYSTORE)
getRecoveryStatus(@onNull String alias)473     public int getRecoveryStatus(@NonNull String alias) throws InternalRecoveryServiceException {
474         try {
475             Map<String, Integer> allStatuses = mBinder.getRecoveryStatus();
476             Integer status = allStatuses.get(alias);
477             if (status == null) {
478                 return RecoveryController.RECOVERY_STATUS_PERMANENT_FAILURE;
479             } else {
480                 return status;
481             }
482         } catch (RemoteException e) {
483             throw e.rethrowFromSystemServer();
484         } catch (ServiceSpecificException e) {
485             throw wrapUnexpectedServiceSpecificException(e);
486         }
487     }
488 
489     /**
490      * Specifies a set of secret types used for end-to-end keystore encryption. Knowing all of them
491      * is necessary to recover data.
492      *
493      * @param secretTypes {@link KeyChainProtectionParams#TYPE_LOCKSCREEN}
494      * @throws InternalRecoveryServiceException if an unexpected error occurred in the recovery
495      *     service.
496      */
497     @RequiresPermission(android.Manifest.permission.RECOVER_KEYSTORE)
setRecoverySecretTypes( @onNull @eyChainProtectionParams.UserSecretType int[] secretTypes)498     public void setRecoverySecretTypes(
499             @NonNull @KeyChainProtectionParams.UserSecretType int[] secretTypes)
500             throws InternalRecoveryServiceException {
501         try {
502             mBinder.setRecoverySecretTypes(secretTypes);
503         } catch (RemoteException e) {
504             throw e.rethrowFromSystemServer();
505         } catch (ServiceSpecificException e) {
506             throw wrapUnexpectedServiceSpecificException(e);
507         }
508     }
509 
510     /**
511      * Defines a set of secret types used for end-to-end keystore encryption. Knowing all of them is
512      * necessary to generate KeyChainSnapshot.
513      *
514      * @return list of recovery secret types
515      * @see KeyChainSnapshot
516      * @throws InternalRecoveryServiceException if an unexpected error occurred in the recovery
517      *     service.
518      */
519     @RequiresPermission(android.Manifest.permission.RECOVER_KEYSTORE)
getRecoverySecretTypes()520     public @NonNull @KeyChainProtectionParams.UserSecretType int[] getRecoverySecretTypes()
521             throws InternalRecoveryServiceException {
522         try {
523             return mBinder.getRecoverySecretTypes();
524         } catch (RemoteException e) {
525             throw e.rethrowFromSystemServer();
526         } catch (ServiceSpecificException e) {
527             throw wrapUnexpectedServiceSpecificException(e);
528         }
529     }
530 
531     /**
532      * Generates a recoverable key with the given {@code alias}.
533      *
534      * @throws InternalRecoveryServiceException if an unexpected error occurred in the recovery
535      *     service.
536      * @throws LockScreenRequiredException if the user does not have a lock screen set. A lock
537      *     screen is required to generate recoverable keys.
538      *
539      * @deprecated Use the method {@link #generateKey(String, byte[])} instead.
540      */
541     @Deprecated
542     @RequiresPermission(android.Manifest.permission.RECOVER_KEYSTORE)
generateKey(@onNull String alias)543     public @NonNull Key generateKey(@NonNull String alias) throws InternalRecoveryServiceException,
544             LockScreenRequiredException {
545         try {
546             String grantAlias = mBinder.generateKey(alias);
547             if (grantAlias == null) {
548                 throw new InternalRecoveryServiceException("null grant alias");
549             }
550             return getKeyFromGrant(grantAlias);
551         } catch (RemoteException e) {
552             throw e.rethrowFromSystemServer();
553         } catch (KeyPermanentlyInvalidatedException | UnrecoverableKeyException e) {
554             throw new InternalRecoveryServiceException("Failed to get key from keystore", e);
555         } catch (ServiceSpecificException e) {
556             if (e.errorCode == ERROR_INSECURE_USER) {
557                 throw new LockScreenRequiredException(e.getMessage());
558             }
559             throw wrapUnexpectedServiceSpecificException(e);
560         }
561     }
562 
563     /**
564      * Generates a recoverable key with the given {@code alias} and {@code metadata}.
565      *
566      * <p>The metadata should contain any data that needs to be cryptographically bound to the
567      * generated key, but does not need to be encrypted by the key. For example, the metadata can
568      * be a byte string describing the algorithms and non-secret parameters to be used with the
569      * key. The supplied metadata can later be obtained via
570      * {@link WrappedApplicationKey#getMetadata()}.
571      *
572      * <p>During the key recovery process, the same metadata has to be supplied via
573      * {@link WrappedApplicationKey.Builder#setMetadata(byte[])}; otherwise, the recovery process
574      * will fail due to the checking of the cryptographic binding. This can help prevent
575      * potential attacks that try to swap key materials on the backup server and trick the
576      * application to use keys with different algorithms or parameters.
577      *
578      * @throws InternalRecoveryServiceException if an unexpected error occurred in the recovery
579      *     service.
580      * @throws LockScreenRequiredException if the user does not have a lock screen set. A lock
581      *     screen is required to generate recoverable keys.
582      */
583     @RequiresPermission(android.Manifest.permission.RECOVER_KEYSTORE)
generateKey(@onNull String alias, @Nullable byte[] metadata)584     public @NonNull Key generateKey(@NonNull String alias, @Nullable byte[] metadata)
585             throws InternalRecoveryServiceException, LockScreenRequiredException {
586         try {
587             String grantAlias = mBinder.generateKeyWithMetadata(alias, metadata);
588             if (grantAlias == null) {
589                 throw new InternalRecoveryServiceException("null grant alias");
590             }
591             return getKeyFromGrant(grantAlias);
592         } catch (RemoteException e) {
593             throw e.rethrowFromSystemServer();
594         } catch (KeyPermanentlyInvalidatedException | UnrecoverableKeyException  e) {
595             throw new InternalRecoveryServiceException("Failed to get key from keystore", e);
596         } catch (ServiceSpecificException e) {
597             if (e.errorCode == ERROR_INSECURE_USER) {
598                 throw new LockScreenRequiredException(e.getMessage());
599             }
600             throw wrapUnexpectedServiceSpecificException(e);
601         }
602     }
603 
604     /**
605      * Imports a 256-bit recoverable AES key with the given {@code alias} and the raw bytes {@code
606      * keyBytes}.
607      *
608      * @throws InternalRecoveryServiceException if an unexpected error occurred in the recovery
609      *     service.
610      * @throws LockScreenRequiredException if the user does not have a lock screen set. A lock
611      *     screen is required to generate recoverable keys.
612      *
613      * @deprecated Use the method {@link #importKey(String, byte[], byte[])} instead.
614      */
615     @Deprecated
616     @RequiresPermission(android.Manifest.permission.RECOVER_KEYSTORE)
importKey(@onNull String alias, @NonNull byte[] keyBytes)617     public @NonNull Key importKey(@NonNull String alias, @NonNull byte[] keyBytes)
618             throws InternalRecoveryServiceException, LockScreenRequiredException {
619         try {
620             String grantAlias = mBinder.importKey(alias, keyBytes);
621             if (grantAlias == null) {
622                 throw new InternalRecoveryServiceException("Null grant alias");
623             }
624             return getKeyFromGrant(grantAlias);
625         } catch (RemoteException e) {
626             throw e.rethrowFromSystemServer();
627         } catch (KeyPermanentlyInvalidatedException | UnrecoverableKeyException e) {
628             throw new InternalRecoveryServiceException("Failed to get key from keystore", e);
629         } catch (ServiceSpecificException e) {
630             if (e.errorCode == ERROR_INSECURE_USER) {
631                 throw new LockScreenRequiredException(e.getMessage());
632             }
633             throw wrapUnexpectedServiceSpecificException(e);
634         }
635     }
636 
637     /**
638      * Imports a recoverable 256-bit AES key with the given {@code alias}, the raw bytes {@code
639      * keyBytes}, and the {@code metadata}.
640      *
641      * <p>The metadata should contain any data that needs to be cryptographically bound to the
642      * imported key, but does not need to be encrypted by the key. For example, the metadata can
643      * be a byte string describing the algorithms and non-secret parameters to be used with the
644      * key. The supplied metadata can later be obtained via
645      * {@link WrappedApplicationKey#getMetadata()}.
646      *
647      * <p>During the key recovery process, the same metadata has to be supplied via
648      * {@link WrappedApplicationKey.Builder#setMetadata(byte[])}; otherwise, the recovery process
649      * will fail due to the checking of the cryptographic binding. This can help prevent
650      * potential attacks that try to swap key materials on the backup server and trick the
651      * application to use keys with different algorithms or parameters.
652      *
653      * @throws InternalRecoveryServiceException if an unexpected error occurred in the recovery
654      *     service.
655      * @throws LockScreenRequiredException if the user does not have a lock screen set. A lock
656      *     screen is required to generate recoverable keys.
657      */
658     @RequiresPermission(android.Manifest.permission.RECOVER_KEYSTORE)
importKey(@onNull String alias, @NonNull byte[] keyBytes, @Nullable byte[] metadata)659     public @NonNull Key importKey(@NonNull String alias, @NonNull byte[] keyBytes,
660             @Nullable byte[] metadata)
661             throws InternalRecoveryServiceException, LockScreenRequiredException {
662         try {
663             String grantAlias = mBinder.importKeyWithMetadata(alias, keyBytes, metadata);
664             if (grantAlias == null) {
665                 throw new InternalRecoveryServiceException("Null grant alias");
666             }
667             return getKeyFromGrant(grantAlias);
668         } catch (RemoteException e) {
669             throw e.rethrowFromSystemServer();
670         } catch (KeyPermanentlyInvalidatedException | UnrecoverableKeyException e) {
671             throw new InternalRecoveryServiceException("Failed to get key from keystore", e);
672         } catch (ServiceSpecificException e) {
673             if (e.errorCode == ERROR_INSECURE_USER) {
674                 throw new LockScreenRequiredException(e.getMessage());
675             }
676             throw wrapUnexpectedServiceSpecificException(e);
677         }
678     }
679 
680     /**
681      * Gets a key called {@code alias} from the recoverable key store.
682      *
683      * @param alias The key alias.
684      * @return The key.
685      * @throws InternalRecoveryServiceException if an unexpected error occurred in the recovery
686      *     service.
687      * @throws UnrecoverableKeyException if key is permanently invalidated or not found.
688      */
689     @RequiresPermission(android.Manifest.permission.RECOVER_KEYSTORE)
getKey(@onNull String alias)690     public @Nullable Key getKey(@NonNull String alias)
691             throws InternalRecoveryServiceException, UnrecoverableKeyException {
692         try {
693             String grantAlias = mBinder.getKey(alias);
694             if (grantAlias == null || "".equals(grantAlias)) {
695                 return null;
696             }
697             return getKeyFromGrant(grantAlias);
698         } catch (RemoteException e) {
699             throw e.rethrowFromSystemServer();
700         } catch (KeyPermanentlyInvalidatedException | UnrecoverableKeyException e) {
701             throw new UnrecoverableKeyException(e.getMessage());
702         } catch (ServiceSpecificException e) {
703             throw wrapUnexpectedServiceSpecificException(e);
704         }
705     }
706 
707     /**
708      * Returns the key with the given {@code grantAlias}.
709      */
getKeyFromGrant(@onNull String grantAlias)710     @NonNull Key getKeyFromGrant(@NonNull String grantAlias)
711             throws UnrecoverableKeyException, KeyPermanentlyInvalidatedException {
712         return AndroidKeyStoreProvider.loadAndroidKeyStoreKeyFromKeystore(
713                 mKeyStore,
714                 grantAlias,
715                 KeyStore.UID_SELF);
716     }
717 
718     /**
719      * Removes a key called {@code alias} from the recoverable key store.
720      *
721      * @param alias The key alias.
722      * @throws InternalRecoveryServiceException if an unexpected error occurred in the recovery
723      *     service.
724      */
725     @RequiresPermission(android.Manifest.permission.RECOVER_KEYSTORE)
removeKey(@onNull String alias)726     public void removeKey(@NonNull String alias) throws InternalRecoveryServiceException {
727         try {
728             mBinder.removeKey(alias);
729         } catch (RemoteException e) {
730             throw e.rethrowFromSystemServer();
731         } catch (ServiceSpecificException e) {
732             throw wrapUnexpectedServiceSpecificException(e);
733         }
734     }
735 
736     /**
737      * Returns a new {@link RecoverySession}.
738      *
739      * <p>A recovery session is required to restore keys from a remote store.
740      */
741     @RequiresPermission(android.Manifest.permission.RECOVER_KEYSTORE)
createRecoverySession()742     public @NonNull RecoverySession createRecoverySession() {
743         return RecoverySession.newInstance(this);
744     }
745 
746     @RequiresPermission(android.Manifest.permission.RECOVER_KEYSTORE)
getRootCertificates()747     public @NonNull Map<String, X509Certificate> getRootCertificates() {
748         return TrustedRootCertificates.getRootCertificates();
749     }
750 
wrapUnexpectedServiceSpecificException( ServiceSpecificException e)751     InternalRecoveryServiceException wrapUnexpectedServiceSpecificException(
752             ServiceSpecificException e) {
753         if (e.errorCode == ERROR_SERVICE_INTERNAL_ERROR) {
754             return new InternalRecoveryServiceException(e.getMessage());
755         }
756 
757         // Should never happen. If it does, it's a bug, and we need to update how the method that
758         // called this throws its exceptions.
759         return new InternalRecoveryServiceException("Unexpected error code for method: "
760                 + e.errorCode, e);
761     }
762 }
763