Example 11 with ProviderException
use of java.security.ProviderException in project platform_frameworks_base by android.
the class AndroidKeyStoreUnauthenticatedAESCipherSpi method loadAlgorithmSpecificParametersFromBeginResult.
@Override
protected final void loadAlgorithmSpecificParametersFromBeginResult(@NonNull KeymasterArguments keymasterArgs) {
mIvHasBeenUsed = true;
// NOTE: Keymaster doesn't always return an IV, even if it's used.
byte[] returnedIv = keymasterArgs.getBytes(KeymasterDefs.KM_TAG_NONCE, null);
if ((returnedIv != null) && (returnedIv.length == 0)) {
returnedIv = null;
}
if (mIvRequired) {
if (mIv == null) {
mIv = returnedIv;
} else if ((returnedIv != null) && (!Arrays.equals(returnedIv, mIv))) {
throw new ProviderException("IV in use differs from provided IV");
}
} else {
if (returnedIv != null) {
throw new ProviderException("IV in use despite IV not being used by this transformation");
}
}
}
Also used :
ProviderException(java.security.ProviderException)
Example 12 with ProviderException
use of java.security.ProviderException in project platform_frameworks_base by android.
the class KeymasterUtils method addUserAuthArgs.
/**
* Adds keymaster arguments to express the key's authorization policy supported by user
* authentication.
*
* @param userAuthenticationRequired whether user authentication is required to authorize the
* use of the key.
* @param userAuthenticationValidityDurationSeconds duration of time (seconds) for which user
* authentication is valid as authorization for using the key or {@code -1} if every
* use of the key needs authorization.
*
* @throws IllegalStateException if user authentication is required but the system is in a wrong
* state (e.g., secure lock screen not set up) for generating or importing keys that
* require user authentication.
*/
public static void addUserAuthArgs(KeymasterArguments args, boolean userAuthenticationRequired, int userAuthenticationValidityDurationSeconds, boolean userAuthenticationValidWhileOnBody, boolean invalidatedByBiometricEnrollment) {
if (!userAuthenticationRequired) {
args.addBoolean(KeymasterDefs.KM_TAG_NO_AUTH_REQUIRED);
return;
}
if (userAuthenticationValidityDurationSeconds == -1) {
// Every use of this key needs to be authorized by the user. This currently means
// fingerprint-only auth.
FingerprintManager fingerprintManager = KeyStore.getApplicationContext().getSystemService(FingerprintManager.class);
// TODO: Restore USE_FINGERPRINT permission check in
// FingerprintManager.getAuthenticatorId once the ID is no longer needed here.
long fingerprintOnlySid = (fingerprintManager != null) ? fingerprintManager.getAuthenticatorId() : 0;
if (fingerprintOnlySid == 0) {
throw new IllegalStateException("At least one fingerprint must be enrolled to create keys requiring user" + " authentication for every use");
}
long sid;
if (invalidatedByBiometricEnrollment) {
// The fingerprint-only SID will change on fingerprint enrollment or removal of all,
// enrolled fingerprints, invalidating the key.
sid = fingerprintOnlySid;
} else {
// The root SID will *not* change on fingerprint enrollment, or removal of all
// enrolled fingerprints, allowing the key to remain valid.
sid = getRootSid();
}
args.addUnsignedLong(KeymasterDefs.KM_TAG_USER_SECURE_ID, KeymasterArguments.toUint64(sid));
args.addEnum(KeymasterDefs.KM_TAG_USER_AUTH_TYPE, KeymasterDefs.HW_AUTH_FINGERPRINT);
if (userAuthenticationValidWhileOnBody) {
throw new ProviderException("Key validity extension while device is on-body is not " + "supported for keys requiring fingerprint authentication");
}
} else {
// The key is authorized for use for the specified amount of time after the user has
// authenticated. Whatever unlocks the secure lock screen should authorize this key.
long rootSid = getRootSid();
args.addUnsignedLong(KeymasterDefs.KM_TAG_USER_SECURE_ID, KeymasterArguments.toUint64(rootSid));
args.addEnum(KeymasterDefs.KM_TAG_USER_AUTH_TYPE, KeymasterDefs.HW_AUTH_PASSWORD | KeymasterDefs.HW_AUTH_FINGERPRINT);
args.addUnsignedInt(KeymasterDefs.KM_TAG_AUTH_TIMEOUT, userAuthenticationValidityDurationSeconds);
if (userAuthenticationValidWhileOnBody) {
args.addBoolean(KeymasterDefs.KM_TAG_ALLOW_WHILE_ON_BODY);
}
}
}
Also used :
ProviderException(java.security.ProviderException)
FingerprintManager(android.hardware.fingerprint.FingerprintManager)
Example 13 with ProviderException
use of java.security.ProviderException in project platform_frameworks_base by android.
the class AndroidKeyStoreAuthenticatedAESCipherSpi method loadAlgorithmSpecificParametersFromBeginResult.
@Override
protected final void loadAlgorithmSpecificParametersFromBeginResult(@NonNull KeymasterArguments keymasterArgs) {
mIvHasBeenUsed = true;
// NOTE: Keymaster doesn't always return an IV, even if it's used.
byte[] returnedIv = keymasterArgs.getBytes(KeymasterDefs.KM_TAG_NONCE, null);
if ((returnedIv != null) && (returnedIv.length == 0)) {
returnedIv = null;
}
if (mIv == null) {
mIv = returnedIv;
} else if ((returnedIv != null) && (!Arrays.equals(returnedIv, mIv))) {
throw new ProviderException("IV in use differs from provided IV");
}
}
Also used :
ProviderException(java.security.ProviderException)
Example 14 with ProviderException
use of java.security.ProviderException in project platform_frameworks_base by android.
the class AndroidKeyStoreCipherSpiBase method ensureKeystoreOperationInitialized.
private void ensureKeystoreOperationInitialized() throws InvalidKeyException, InvalidAlgorithmParameterException {
if (mMainDataStreamer != null) {
return;
}
if (mCachedException != null) {
return;
}
if (mKey == null) {
throw new IllegalStateException("Not initialized");
}
KeymasterArguments keymasterInputArgs = new KeymasterArguments();
addAlgorithmSpecificParametersToBegin(keymasterInputArgs);
byte[] additionalEntropy = KeyStoreCryptoOperationUtils.getRandomBytesToMixIntoKeystoreRng(mRng, getAdditionalEntropyAmountForBegin());
int purpose;
if (mKeymasterPurposeOverride != -1) {
purpose = mKeymasterPurposeOverride;
} else {
purpose = mEncrypting ? KeymasterDefs.KM_PURPOSE_ENCRYPT : KeymasterDefs.KM_PURPOSE_DECRYPT;
}
OperationResult opResult = mKeyStore.begin(mKey.getAlias(), purpose, // permit aborting this operation if keystore runs out of resources
true, keymasterInputArgs, additionalEntropy, mKey.getUid());
if (opResult == null) {
throw new KeyStoreConnectException();
}
// Store operation token and handle regardless of the error code returned by KeyStore to
// ensure that the operation gets aborted immediately if the code below throws an exception.
mOperationToken = opResult.token;
mOperationHandle = opResult.operationHandle;
// If necessary, throw an exception due to KeyStore operation having failed.
GeneralSecurityException e = KeyStoreCryptoOperationUtils.getExceptionForCipherInit(mKeyStore, mKey, opResult.resultCode);
if (e != null) {
if (e instanceof InvalidKeyException) {
throw (InvalidKeyException) e;
} else if (e instanceof InvalidAlgorithmParameterException) {
throw (InvalidAlgorithmParameterException) e;
} else {
throw new ProviderException("Unexpected exception type", e);
}
}
if (mOperationToken == null) {
throw new ProviderException("Keystore returned null operation token");
}
if (mOperationHandle == 0) {
throw new ProviderException("Keystore returned invalid operation handle");
}
loadAlgorithmSpecificParametersFromBeginResult(opResult.outParams);
mMainDataStreamer = createMainDataStreamer(mKeyStore, opResult.token);
mAdditionalAuthenticationDataStreamer = createAdditionalAuthenticationDataStreamer(mKeyStore, opResult.token);
mAdditionalAuthenticationDataStreamerClosed = false;
}
Also used :
InvalidAlgorithmParameterException(java.security.InvalidAlgorithmParameterException)
KeymasterArguments(android.security.keymaster.KeymasterArguments)
ProviderException(java.security.ProviderException)
GeneralSecurityException(java.security.GeneralSecurityException)
OperationResult(android.security.keymaster.OperationResult)
InvalidKeyException(java.security.InvalidKeyException)
Example 15 with ProviderException
use of java.security.ProviderException in project platform_frameworks_base by android.
the class AndroidKeyStoreHmacSpi method engineDoFinal.
@Override
protected byte[] engineDoFinal() {
try {
ensureKeystoreOperationInitialized();
} catch (InvalidKeyException e) {
throw new ProviderException("Failed to reinitialize MAC", e);
}
byte[] result;
try {
result = mChunkedStreamer.doFinal(null, 0, 0, // no signature provided -- this invocation will generate one
null, // no additional entropy needed -- HMAC is deterministic
null);
} catch (KeyStoreException e) {
throw new ProviderException("Keystore operation failed", e);
}
resetWhilePreservingInitState();
return result;
}
Also used :
ProviderException(java.security.ProviderException)
KeyStoreException(android.security.KeyStoreException)
InvalidKeyException(java.security.InvalidKeyException)
Aggregations
ProviderException (java.security.ProviderException)128
KeymasterArguments (android.security.keymaster.KeymasterArguments)30
InvalidKeyException (java.security.InvalidKeyException)26
OperationResult (android.security.keymaster.OperationResult)25
KeyStoreException (android.security.KeyStoreException)20
KeyCharacteristics (android.security.keymaster.KeyCharacteristics)20
DERBitString (com.android.org.bouncycastle.asn1.DERBitString)15
InvalidAlgorithmParameterException (java.security.InvalidAlgorithmParameterException)15
BigInteger (java.math.BigInteger)13
IOException (java.io.IOException)12
NoSuchAlgorithmException (java.security.NoSuchAlgorithmException)12
ASN1Integer (com.android.org.bouncycastle.asn1.ASN1Integer)10
DERInteger (com.android.org.bouncycastle.asn1.DERInteger)10
ByteArrayOutputStream (java.io.ByteArrayOutputStream)10
RSAKeyGenParameterSpec (java.security.spec.RSAKeyGenParameterSpec)10
GeneralSecurityException (java.security.GeneralSecurityException)6
KeyStoreException (java.security.KeyStoreException)6
NoSuchProviderException (java.security.NoSuchProviderException)6
KeymasterCertificateChain (android.security.keymaster.KeymasterCertificateChain)5
KeyProtection (android.security.keystore.KeyProtection)5
